Insider Threats
Michael D. Moberly, in Safeguarding Intangible Assets, 2014

Information asset protection professionals frequently use the 20-60-20 rule to characterize insider threats. According to this rule, approximately 20% of employees are inherently honest and possess consistently high levels of personal and professional integrity; 20% of employees reside on the opposite end of the spectrum and are likely inherently dishonest and unethical individuals who possess little, if any, sense of professional and personal integrity or loyalty; and within the middle 60% lie employees who do not demonstrate a particular receptivity or proclivity to engage in dishonest, unethical, or illegal acts, but who may do so based on their interpretation of their employer's reactions to either of the other two employee groups. This chapter describes insider threats and what to look for.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128005163000100

Third-Party Risk Management
Timothy Virtue, Justin Rainey, in HCISPP Study Guide, 2015

Assessment and audit support
While requirements for third-party information asset protection controls will vary by covered entity, scope of services and information, and regulatory requirements, they will generally align with the objectives of the covered entity's information governance and risk management program. Figure 7.1 provides a sample from NIST Special Publication 800-66 Revision 1 of the key administrative, physical, and technical controls and activities required under the HIPAA Security Rule. While not all controls may be required for third parties, the figure can serve as a guide to assist covered entities with identifying applicable controls, communicating requirements, and monitoring ongoing compliance.

Figure 7.1. Sample of NIST key activities for the HIPAA Security Rule.

Communication of Findings
Findings resulting from completed third-party assessments should be clearly communicated to management at both the covered entity and the third party. Treatment decisions and action plans should be agreed between the parties, documented in writing, and formally tracked until remediation has been completed.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128020432000070

Distinguishing Intellectual Property and Intangible Assets
Michael D. Moberly, in Safeguarding Intangible Assets, 2014

The Shortest and Least Expensive Path to Success Is Infringement
There is a well-used adage in the asset protection arena that is particularly apropos to intangible asset strategists and information asset protection practitioners: the shortest path to innovation/invention commercialization and monetization does not always lie in incurring the substantial time, resources, and costs associated with conventional (legal, ethical) R&D models. Instead, it lies in illegally acquiring the necessary data, information, intellectual and structural capital, or prototypes from the rightful asset holders, producing the product in an illegal manner (known as product counterfeiting), and inserting the counterfeits into legitimate supply chains globally. There are important asset preparations that should occur prior to launching any new innovation, product, or service, or handing off intellectual and structural intangible assets to IP/patent counsel. These preparations revolve around ensuring that companies have procedures and practices in place designed specifically to safeguard and monitor the assets' value and materiality, and to prevent or mitigate risk.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128005163000070

Reputation Risks and Their Management
Michael D. Moberly, in Safeguarding Intangible Assets, 2014

Slow Access to Needed Information
There is a perception, real or anecdotal, that CAs (confidentiality agreements) will limit or otherwise adversely affect the speed and collaborative necessities that come from sharing and disseminating information in a timely manner. Those actually responsible for information asset protection may not find this argument particularly credible. Another relevant but often overlooked reality is that an employee's existing or future intellectual, structural, and relationship capital are indeed intangible assets with contributory value, and they exist either standalone or in collaborative combinations. Therefore, companies may find it proactively prudent, at minimum, to revisit or rewrite and then re-execute an employee's CA, rather than assuming its initial one-time execution is a sufficient inhibitor for the duration of an employee's employment. New hires, particularly those who have been recruited for possessing specific intellectual and structural capital, presumably to advance a new or existing company initiative or project, should be subject to regular review. Seldom does an employee's intellectual and structural capital remain stationary relative to its contributory value. In most instances, such intangible (intellectual) assets will likely elevate and expand, that is, their contributory value will heighten, and, as such, they become increasingly attractive commodities to economic adversaries globally.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128005163000069

New Dimensions for Company Management
Michael D. Moberly, in Safeguarding Intangible Assets, 2014

Information Security and Information Asset Protection
If a "hole" is found in a company's or its client's proprietary information "fence," the job of information security is to patch the hole; but the job of an information asset protection specialist is, in addition to helping patch the hole, to determine:

■ What caused the hole in the fence to occur in the first place, and were there precipitating circumstances or triggering factors?
■ Under what circumstances was the hole in the fence initially discovered?
■ Who, if anyone, knew the hole in the fence existed before it was discovered, but did not report it?
■ How long did the hole in the fence exist before it was discovered?
■ What information assets moved through the hole in the fence before it was discovered and patched?
■ Is there evidence that the information-based assets that moved through the hole in the fence before it was discovered and patched were specifically targeted or merely arbitrarily acquired?
■ How much economic hemorrhaging or impairment to asset value, materiality, competitive advantage, brand, reputation, ownership, trade secrecy, and strategic planning occurred as a result of information assets moving through the hole in the fence?
■ Is it known who the recipients of the information assets that moved through the hole in the fence were, before it was discovered and patched?
■ How will the recipients likely use or exploit those information assets?

The responsibilities of information asset protection specialists are now cross-functional and converge with risk management, human resources, IT security, intellectual property counsel, audits, valuation, R&D, reputation risk, and brand integrity, among others. To mitigate the adverse effects of information asset losses, an important key is to collaborate with information security with a singular objective: to preserve control, use, and ownership, and to monitor the value and materiality of a company's information-based assets (Brenner).

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128005163000045

Information Security and Counterintelligence
Kevin E. Peterson, in The Professional Protection Officer, 2010

The Role of the Professional Protection Officer
The most effective protection officers are those who know their customer (the organization they serve) and tailor the way they provide security services to the customer's mission and culture. In many organizations, information assets are absolutely crucial to the survival and success of the enterprise. Officers should recognize this aspect of the organization and factor it into the performance of their protection duties. It should be noted that many contemporary companies are centered on information as their core business function, hence our "information-based society." It is our responsibility to remember that a key objective of information asset protection is to enable core business functions rather than present obstacles. As the past Chairman of the ASIS Information Asset Protection Council puts it, "The ultimate objective is to enable business. Security's role is to help organizations assess and address risk to enable 'smart' business transactions" (Heffernan, 2007).

Emerging Trends
Three emerging issues that are relevant to the protection of information and intangible assets are the increasingly interconnected global business environment, the rapid advances in information technology, and the fact that we now have to consider, in a different way, the security of security systems. These issues are discussed in this chapter, but they need to be constantly reviewed due to the unprecedented pace of change in today's security environment.

The advances in information technology have a number of implications. One is the new family of risks introduced by the drastically increased use of information technology in business, organizational, government, and home settings. As such use and popularity increase, systems and the data residing on them become more attractive targets for a variety of adversaries. These new technology tools can also be exploited by adversaries to support their illicit activities. The best examples at the moment are the new cottage industry of information brokers and the use of sophisticated data-mining tools and techniques to target sensitive information. This trend will expand in the future, and newly introduced business tools such as cloud computing and wireless technologies will likely be "abused" by bad actors for nefarious activities. In general, professional protection officers place most of their emphasis on protecting people and property, but it is important to support the third asset category as well: information. Elements of information asset and intellectual property protection should be included in officer and supervisor training, as well as in quality assurance standards for security programs. Security service providers should consider adding information asset protection services to their suite of protective service offerings. This might include conducting information protection assessments, specialized protection services, courier services, or other tools focused on this category of asset.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781856177467000213

Topics of Concern
Philip P. Purpura, in Security and Loss Prevention (Sixth Edition), 2013

Technical Surveillance Countermeasures
ASIS International (2007: 17) states the following:

The physical characteristics of a building have a bearing on opportunities for surveillance. Some of these factors are poor access control designs, inadequate soundproofing, common or shared ducts, and space above false ceilings enabling access.

The in-house security team can begin countermeasures by conducting a physical search for planted devices. If a decision is made to contact a specialist, only the most expertly trained and experienced consultant should be recruited.

The Countermeasures Consultant
Organizations often recruit a countermeasures consultant to perform contract work. As a consumer, ask for copies of certificates of TSCM courses completed and a copy of the insurance policy for errors and omissions for TSCM services. What equipment is used? What techniques are employed for the cost? Are sweeps and meticulous physical inspections conducted for the quoted price? Watch for scare tactics. Is the consultant really a vendor trying to sell surveillance detection devices, or a PI claiming to be a TSCM specialist? Will the consultant protect confidentiality? The interviewer should request a review of past reports to clients. Were names deleted to protect confidentiality? These questions help to avoid hiring an unqualified "expert." One practitioner offered clients debugging services and used an expensive piece of equipment to conduct sweeps. After hundreds of sweeps, he decided to have the equipment serviced. A service person discovered that the device was not working properly because it had no battery for one of its components. The surprised "expert" never realized a battery was required. For a comprehensive countermeasures program, the competent consultant will be interested in sensitive information flow, storage, retrieval, and destruction. Extra cost will result from such an analysis, but it is often cost effective.

The employer should use a public telephone off the premises to contact the consultant so as not to alert a spy to impending countermeasures. An alerted spy may remove or turn off a bug or tap, and the TSCM sweep may be less effective.

Techniques and Equipment
Detection equipment is expensive, and some equipment is promoted with exaggerated claims (puffing) but is useless. A company should purchase its own equipment only if it retains a well-qualified TSCM technician, many sweeps are conducted, and the in-house TSCM program is cost-effective. Equipment includes the nonlinear junction detector (NLJD), costing between $10,000 and $20,000. It is capable of detecting radio transmitters, microphones, infrared and ultrasonic transmitters, recorders, video cameras, cell phones, remote-controlled detonators, and other hidden electronic devices, even when they are not working. Gruber (2006: 284-285) offers the following on the NLJD. It transmits a microwave signal through its antenna, and an internal receiver listens for an RF response that may mean a device is present. NLJDs are available in various power outputs, up to the restricted government version. The effectiveness of this equipment is poor in an area containing several electronic devices; in this case, a physical search is best. The telephone analyzer is another tool, designed for testing a variety of single- and multiline telephones, answering machines, fax machines, and intercom systems. The spectrum analyzer is still another tool. Basically, it is a radio receiver with a visual display to detect airborne radio signals. Other types of specialized equipment are on the market. Buyer beware.

In one case, a TSCM specialist was conducting a sweep in a conference room of a major corporation when a harmless-looking stapler sitting among other office supplies was found to contain a voice-activated recorder with memory. A pinhole lens camera was then installed in the room, and video showed an office worker exchanging the stapler every week for a similar-looking one. When confronted and interviewed, the worker revealed who was behind the spying, that he was paid $500 for each stapler containing audio, and that he had transferred only three staplers to the spy during his employment of five months. The worker was fired, police were not contacted, the media and stockholders never knew about possible leaks of information, and the spy was informed of the discovery and threatened with criminal and civil legal action.

Some security personnel or executives plant a bug for the sole purpose of determining whether the detection specialist's equipment is effective. This "test" can be construed as a criminal offense. Alternatives are specially designed test transmitters, commercially available, that have no microphone pickup and therefore can be used without liability. Another technique is to place a tape recorder with a microphone in a drawer.

A tool kit and standard forms are two additional aids for the countermeasures specialist. The tool kit consists of the common tools (e.g., screwdrivers, pliers, electrical tape) used by an electrician. Standard forms facilitate good recordkeeping and serve as a checklist. What was checked? What tests were performed? What were the readings? Where? When? Who performed the tests? Why were the tests conducted? Over a period, records can be used to make comparisons while helping to answer questions.

The following list offers topics of consideration for TSCM (Gruber, 2006: 277-304; Kaiser and Stokes, 2006: 60-68):

• Because a spy who learns of a TSCM search may turn off or remove his or her equipment, the TSCM specialist should be discreet by disguising vehicles, dress, and equipment. A top executive may choose to establish a cover story to avoid alerting anyone to the TSCM.
• An early step in TSCM is a physical search for devices, beginning from outside the building. The physical search, both outside and inside, is very important and time-consuming. On the outside, focus on items such as utilities, wires, ductwork, and openings (e.g., windows). A spy can tap into lines outside the building without ever needing to enter the building.
• Inside the building, the TSCM technician should check cabling and the inside of individual office equipment (e.g., telephones, faxes, and computers). Is there anything in the office equipment that appears odd?
• The technician should be knowledgeable about IT systems, computers, the internal network or Local Area Network (LAN), and the connection to the outside or Wide Area Network (WAN). These systems can be bugged or tapped like telephone systems. For example, a LAN analyzer connected to a line can read all e-mail that travels through the line. The technician should have equipment to check what is attached to lines.
• Besides traditional cable, fiber optic cable can also be tapped. A tap on a fiber optic cable can be detected with an Optical Time Domain Reflectometer.
• Since devices may be hidden in walls, the technician can use an ultraviolet light to detect plaster repairs to walls. An NLJD or a portable x-ray machine can be used to detect devices in walls.
• Items in walls that should be checked are power outlets, phone jacks, and network jacks. Tools to check these items and the inside of walls are a flashlight, a dental mirror, and a fiber optic camera.
• Plates at light switches, wall outlets, and HVAC vent covers should all be removed for the search and prior to the sweep.
• If a bug or tap is found, it should be documented and photographed. Caution is advised because the device could be booby-trapped. Although police could be contacted for assistance, their response and expertise will vary widely. Difficult questions surface as to whether the device should remain and whether to apply an OPSEC approach (e.g., feed false information). Seek legal assistance.
• The TSCM technician often finds nothing unusual. However, 100 percent protection is not possible. A spy may outfox the technician and the equipment. In addition, there are many ways to steal information. Security practitioners should be creative and think like a spy.

Another strategy to thwart listening devices is "shielding," also called electronic soundproofing. Basically, copper foil or screening and carbon filament are applied throughout a room to prevent acoustical or electromagnetic emanations from leaving. Although this method is very expensive, several organizations employ it to have at least one secure room or to protect information in computers. Equipment is available on the market that may frustrate telephone taps and listening devices. Scramblers, attached to telephones, alter the voice as it travels through the line. However, no device or system is foolproof. Often, simple countermeasures are useful. For instance, an executive can wait until everybody is present for an important meeting and then relocate it to a previously undisclosed location. Conversants can operate a radio at high volume during sensitive conversations and exercise caution during telephone and other conversations.

Voice over Internet Protocol (VoIP) technology is popular with organizations and commercial telephony service providers because of lower costs and efficiency. VoIP enables voice to be transported digitally via a network using Internet Protocol standards. Such services may not even make contact with the traditional telephone network. One concern with VoIP technology relates to its inability to provide traditional location identification (i.e., Enhanced 911) for 911 emergency calls made to public safety agencies. Of particular interest for our discussion here is that traditional techniques for telephone intercepts and wiretaps are more difficult with VoIP, and end-to-end encryption compounds the challenges for the spy (National Institute of Justice, 2006).

As we know, information assets can be collected in many different ways besides with physical devices. Losses can occur through speeches and publications by employees, in company trash, and by unknowingly hiring a spy. Comprehensive, broad-based information security is necessary. Who do you think has "the edge," those who seek information assets or those who protect them?

Search the Internet
Here is a list of websites relevant to this chapter:
ASIS International: www.asisonline.org
Business Espionage Controls and Countermeasures Association: www.becca-online.org
Centers for Disease Control and Prevention: www.cdc.gov
Institute for a Drug-Free Workplace: www.drugfreeworkplace.org
National Association of Information Destruction, Inc.: www.naidonline.org
National Institute for Occupational Safety and Health (NIOSH): www.cdc.gov/niosh/homepage.html
Occupational Safety and Health Administration (OSHA): www.osha.gov
OSHA: www.osha.gov/SLTC/workplaceviolence/index.html
Strategic and Competitive Intelligence Professionals: www.scip.org
Substance Abuse and Mental Health Services Administration: www.samhsa.gov
U.S. Department of Labor: www.dol.gov/elaws/drugfree.htm
U.S. Department of State: www.state.gov
U.S. Drug Enforcement Administration: www.justice.gov/dea

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780123878465000188