Let`s Talk

Trade Secret Governance: Content Security

THE TRADE SECRET GOVERNANCE MODEL

Information Security is hardly a new topic, but as technology continues to develop and business-related content morphs into ever-new and ever-expanding formats, the responsibility to control and secure Trade Secret data moves beyond IT’s traditional role of securing corporate infrastructure.


It is no longer enough for content-intensive business units to assume the INFOGOV protocols put in place by IT will automatically cover every instance and one-off.  While perimeter-edge security, anti-hacking and intrusion detection all remain purely technical responsibilities, data protection and custodianship must be shared by both content owners/creators and those charged with overseeing how sensitive content is handled properly.  This brings it directly into the purview of Trade Secret Management.

TOOls of the Trade (Secrets)

There are a number of industry standard tools that should be vigorously applied to trade secrets and the systems and processes used to access them.

  • Encryption – Cryptographical encoding to secure content at the document/database/network/physical drive level.
  • Multifactor Authentication – Process by which user identification requires 2 or more pieces of evidence, typically where only one is knowledge (something they know like a password) and the other is either something they have (secure token or smart card), something they are (biometrics) or something independent from them such as a confirmation code sent via a separate communication.
  • Pessimistic Access Control – File or system level access protocol where access is universally restricted by default and granted only on a minimum-requirement level and on an as-needed basis based on specific role or documented business need.
  • Certified Hosting – A verification protocol where all hosting systems, internal and external, are required to meet applicable certification standards such as ISO270001, SSAE-18 SOC Type 2/3, etc)
  • Retention Control – An established policy governing how data is proactively removed on a scheduled basis after it is no longer needed or when granted access has expired or been revoked.

 

ENcrypt, encrypt, ENCRYPT

Click for Case Study

Encryption can be a powerful tool but it must be diligently applied and managed.  The assumption that data is secure simply because the file is encrypted is a dangerous one to make.  Encryption must occur in as automated a fashion as possible and across as many aspects of the data’s lifecycle as possible.

Rather than rely on users to actively take steps to save files through an encrypting system, policies can be set to enforce all devices (including mobile phones, tablets and personal devices) be configured to encrypt their drives at the physical layer.  Most standard manufactures of laptops and mobile devices offer this setting.  By using user policy rules, a company can push this out as a requirement and deny access completely to unencrypted devices.

And yet still, this only addresses files when they are stored on an encrypted drive.  Data, even the most sensitive data, is legitimately shared and transmitted on a daily basis.  It is important to make sure that those transmission options are also encrypted through the use of VPN tunnels, encrypted email clients, private file sharing protocols and the like.

Lastly, like any strong lock, encryption is only as strong as the security around its keys.  Every type and level of encryption comes with its own unique cryptological key.  These must be carefully tracked and administered with the same level of accountability as the data they are used secure. 

Oversharing encryption keys out of convenience is a common bad practice that undermines the global level of data protection throughout the system as well as every business and compliance assumption made about the governance process.

Proper key management also includes the replacement of keys, either routinely based on a key’s scheduled expiration date (which is set in proportion to the sensitivity of the data it protects) or proactively due to a suspected compromise. Symantec’s market research reported that 50% of employees take confidential information with them when leaving a company.  By properly refreshing and archiving keys throughout the enterprise, the risk of old keys maintaining unwanted access can be mitigated.

 

READ THE CASE STUDY

Click for Case Study

 

 

Back To Top