Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Cronkright Chuck Dudinetz Paul Jones Corporate Auditing The Dow Chemical Company February 16, 2012 Auditing Protection of Intellectual Property.

Published byJanet Whitney Modified over 10 years ago

Similar presentations

Presentation on theme: "David Cronkright Chuck Dudinetz Paul Jones Corporate Auditing The Dow Chemical Company February 16, 2012 Auditing Protection of Intellectual Property."— Presentation transcript:

1 David Cronkright Chuck Dudinetz Paul Jones Corporate Auditing The Dow Chemical Company February 16, 2012 Auditing Protection of Intellectual Property

2 Agenda About Dow What is IP and why do we care? Whats the risk? What are the key controls? How do we audit information protection controls? Questions & Answers

3 Agenda About Dow What is IP and why do we care? Whats the risk? What are the key controls? How do we audit information protection controls? Questions & Answers

4 IP is an asset to be protected… Technology Business intelligence Personal Data What is IP and why do we care?

5 IP can take a number of forms… Explicit –Electronically stored –Hardcopy –The object itself Tacit –Conversations –Presentations What is IP and why do we care?

6 Loss of IP can have significant consequences… –Loss of competitive advantage loss of business –Loss of licensing revenue –Loss of prospective M&A partner –Non-compliance with legal/regulatory requirements –Damage to reputation –Sabotage What is IP and why do we care?

7 About Dow What is IP and why do we care? Whats the risk? What are the key controls? How do we audit information protection controls? Questions & Answers Agenda

8 Whats the risk ? Risk = Threat x Vulnerability x Consequence

9 9 Whats the risk ?

10 Threats… Industrial Espionage Targeting & recruitment of insiders Cyber intrusions Dumpster diving Establishment of business relationships … Increasingly highly organized, funded, and resourced Hacktivism Politically or socially motivated Cause reputation damage Cyber Crime Profit motive Whats the risk ?

11 Potential Vulnerabilities… Inherent vulnerabilities Targeted industry ? Geographic presence Company culture Culture of trust ? Collaborative culture ? Education & awareness Weak policies & procedures … translate to behaviors Whats the risk ?

12 Potential Vulnerabilities (Contd) … Workforce dynamics Outsourcing Turnover Hiring practices Employee morale Facility Weak physical security Multi-tenancy 3 rd Party service providers Open work space Waste segregation and disposal Poor handling of printed documents, portable media Whats the risk ?

13 Potential Vulnerabilities (Contd) … I/T Weak computer room security Broadly accessible network ports Unsecure data transfer Inappropriate access to electronic repositories Network perimeter Susceptibility to malware Whats the risk ?

14 About Dow What is IP and why do we care? Whats the risk? What are the key controls? How do we audit information protection controls? Questions & Answers Agenda

15 Controls : Mitigate the likelihood and/or impact of the threat exploiting a vulnerability What are the Controls ?

16 Governance Assessing Risk Organization design/steering Communication Monitoring Preventive Secure the network perimeter (Firewalls, IPS) Secure the data (repository-level access control, DRM, DLP) Physical security (badge access) Confidentiality agreements Workforce education (culture, behaviors) Secure disposal of media (including hardcopy) Contractual verbiage/third party assurance (for outsourced data) What are the Controls ?

17 Detective –Intrusion detection (NIDS, HIDS) –Critical log review –Workforce monitoring (behavior changes, hoarding data) –Monitoring of information extraction/downloading What are the Controls ?

18 Preventive Detective I/T Non-I/T Information handling policies Confidentiality agreements Background checks Layering of Controls Workforce onboarding & offboarding Workforce behavior monitoring Badge access Work area segregation Clean desk policy Locked cabinets Document & media disposal Computer room security Secured network ports Encrypted data transfer Data Loss Prevention (DLP) Firewalls Intrusion Prevention Antivirus Information access monitoring Patching Intrusion Detection Information classification I/T access control - Repository level - Data level (DRM) Strong passwords Elevated access Network segmentation Egress traffic Security incident response Logging - Capture - Retention - Analysis Vulnerability scanning Asset identification & inventory Application whitelisting Workforce offboarding Employee education Physical security surveillance Investigative processes Vehicle inspections

19 –Network Perimeter audits Common Network access points VPN/RAS, Firewalls/Proxy Servers, Circuits, Modems, Physical Controls –Intellectual Property specific audits Where the data lives (ex: Crown Jewels) Site, Application, Project specific or Hybrid –Cyber Security audits Organizations ability to sense and respond to changing threat landscape Governance and Control assessments –Integrated audits (strategy going forward) How do we audit information protection controls ?

20 Network Perimeter Audit Preventive Detective I/T Non-I/T Information handling policies Confidentiality agreements Background checks Workforce onboarding & offboarding Workforce behavior monitoring Badge access Work area segregation Clean desk policy Locked cabinets Document & media disposal Computer room security Secured network ports Encrypted data transfer Data Loss Prevention (DLP) Firewalls Intrusion Prevention Antivirus Information access monitoring Patching Intrusion Detection Information classification I/T access control - Repository level - Data level (DRM) Strong passwords Elevated access Network segmentation Egress traffic Security incident response Logging - Capture - Retention - Analysis Vulnerability scanning Asset identification & inventory Application whitelisting Workforce offboarding Physical security surveillance Investigative processes Vehicle inspections Employee education

21 Intellectual Property Audit Preventive Detective I/T Non-I/T Information handling policies Confidentiality agreements Background checks Workforce onboarding & offboarding Workforce behavior monitoring Badge access Work area segregation Clean desk policy Locked cabinets Document & media disposal Computer room security Secured network ports Encrypted data transfer Data Loss Prevention (DLP) Firewalls Intrusion Prevention Antivirus Information access monitoring Patching Intrusion Detection Information classification I/T access control - Repository level - Data level (DRM) Strong passwords Elevated access Network segmentation Egress traffic Security incident response Logging - Capture - Retention - Analysis Vulnerability scanning Asset identification & inventory Application whitelisting Workforce offboarding Physical security surveillance Investigative processes Vehicle inspections Employee education

22 Much more than just I/T controls Sense and respond approach (peripheral vision) Consider effectiveness of controls as a whole –Layering of controls –Audit judgment required Position to avoid pre-audit window dressing Finding broader issues Intellectual Property Audit - Learnings

23 Cyber Security Audit Preventive Detective I/T Non-I/T Information handling policies Confidentiality agreements Background checks Workforce onboarding & offboarding Workforce behavior monitoring Badge access Work area segregation Clean desk policy Locked cabinets Document & media disposal Computer room security Secured network ports Encrypted data transfer Data Loss Prevention (DLP) Firewalls Intrusion Prevention Antivirus Information access monitoring Patching Intrusion Detection Information classification I/T access control - Repository level - Data level (DRM) Strong passwords Elevated access Network segmentation Egress traffic Security incident response Logging - Capture - Retention - Analysis Vulnerability scanning Asset identification & inventory Application whitelisting Workforce offboarding Physical security surveillance Investigative processes Vehicle inspections Employee education

24 External Threat – Cyber Security It use to be that each company was its own little cyber kingdom and physical access was the king of control for external threats Thanks to the internet - everything touches everything so vulnerabilities have increased The number, ability and motives of external threats are also increasing Updated External Threat audit programs two years ago

25 External Threat – Cyber Security While press releases of APT compromises were out there little else was available on APT what and how Lacked expertise / experience to understand threat termed APT (Advanced Persistent Threat) Researched several firms specializing in APT The project looked at the threat, its motives, processes used to compromise a target and the controls required to slow down, detect and eradicate it.

26 External Threat – Cyber Security The APT is real and has more time and money to get at your IP than you have time and money to secure it. It is a paradigm shift from a controls perspective. The logic is They will get to your data…. Preventive controls are there to slow them down so detective controls have time to identify the breach. Proper response is required to assure you get all of the comprise before they know youre on to them. To date espionage has been the primary objective

27 External Threat – Cyber Security Results - Two high level audit programs and insight into the new breed of Cyber Threat Governance Organization & strategy Key Relationships Training and Awareness Establishing the bar; COSO observations Control Assessment Preventive Detective Response

28 About Dow What is IP and why do we care? Whats the risk? What are the key controls? How do we audit information protection controls? Questions & Answers Agenda

Download ppt "David Cronkright Chuck Dudinetz Paul Jones Corporate Auditing The Dow Chemical Company February 16, 2012 Auditing Protection of Intellectual Property."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
© Peter Readings 2007 1 Data Leakage Pete Readings CISSP.

© Peter Readings Data Leakage Pete Readings CISSP.
Www.accessdata.com Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT)

Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT)
The Threat Within September 2004. Copyright © 2004 Q1 Labs. All Rights Reserved Agenda Customer Pain Industry Solutions Network Behavior Enforcement Example.

The Threat Within September Copyright © 2004 Q1 Labs. All Rights Reserved Agenda Customer Pain Industry Solutions Network Behavior Enforcement Example.
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.

AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.

Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.
Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.

Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.

© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep

Similar presentations

Ads by Google