information security


Upload: wilda

Post on 08-Jan-2016



Page 1: INFORMATION SECURITY

INFORMATION SECURITY

Proprietary Information

• It can be anything that an enterprise considers relevant to its status or operation and that it does not want to disclose publicly.

• It can be grouped into two broad divisions:

a. Trade secret information

b. Confidential information

Trade Secret

• It may consist of any formula, pattern, device or compilation of information which is used in one's business and which gives him an opportunity to gain an advantage over competitors who do not know or use it.

• It may be a formula for a chemical compound, a process of manufacturing, treating or preserving materials, a pattern for a machine or other device, or a list of customers.

• It differs from secret information as to single or ephemeral events in the conduct of the business, as, for example, the amount or other terms of a secret bid for a contract, the salary of certain employees, the security investments made or contemplated, or the date fixed for the announcement of a new policy or for bringing out a new model or the like.

• A trade secret is a process or device for continuous use in the operation of the business.

• It relates to the production of goods, as, for example, a machine or formula for the production of an article.

• It may, however, relate to the sale of goods or to other operations in the business, such as a code for determining discounts, rebates or other concessions in a price list or catalogue, or a list of specialized customers, or a method of bookkeeping or other office management.

• The characteristics, then, of a trade secret as compared with other confidential information are continuous or consistent business application of a secret not known to others, from the use of which some advantage is gained by the user.

• To be secret, information must generally meet the following tests:

a. It must be identifiable.

b. It must not already be available in public sources.

c. It must be disclosed by its owner only to persons who are under some duty to protect its secrecy.

d. Persons to whom it is disclosed must know that it is secret.

e. There must be some objective indications that the owner is attempting to prevent its unauthorized disclosure.

Vulnerabilities of Sensitive Data

• There are three broad threats to sensitive data and information:

a. It can be lost through inadvertent disclosure by the owner or a person in authorized possession.

b. It can be deliberately stolen by an outsider, an industrial espionage agent.

c. It can be deliberately stolen by an insider, one of those persons trusted to have access to it.

d. Inadvertent Disclosure:

- sales presentations
- trade association meetings
- discussions with suppliers
- off-premises statements by employees
- press and public regulations

e. Intentional Theft by Outsiders:

- Industrial Spy
- Undercover Operator
- Patsy
- Intruder
- Visitors
- Customers
- Trash and Scrap

f. Intentional Theft by Insiders:

- Dishonest Employees

Protection of Sensitive Information

Effective programs of information security involve considerations touching on physical, personnel, and communication countermeasures. In general, total programs of data protection include the following elements:

- Policy and procedural statements on the recognition, classification, and handling of sensitive information.

- Pre-employment screening techniques and incumbent employee review procedures to assure that persons trusted with sensitive data do not have any ascertainable motive or reason to exploit such data and are basically stable.

- Awareness programs in which all employees are made aware of the existence of sensitive data in the company, their responsibilities in protecting it, and the required procedures.

- Nondisclosure agreements from employees in which they acknowledge their fiduciary responsibility.

- Documented records of exposure for those employees to whom significant kinds and amounts of sensitive data are released. These records may also include periodic reaffirmation of nondisclosure responsibility.

- Noncompetitive agreements from specific classes of personnel to prevent their taking employment with defined competitors within a stated future period.

- Physical measures such as area and access controls, admittance controls, identification devices and routines, secure storage containers, regulated reproductive facilities, controlled trash disposal, and restrictions on use of communications media to minimize the probability that unauthorized persons will gain access to sensitive data on or off the premises.

- Follow-up efforts with new employers of former employees who were exposed to sensitive data but were not required to execute noncompetitive agreements. Such programs include notices to the new employer of the former employee's exposure and responsibility to protect.

- Continuous and informed monitoring of routine activities in the field to detect appearance of one's sensitive data.

Industrial Espionage

It is the stealing of secret, confidential, or sensitive commercial information belonging to a company so that a competitor company can benefit from it.

• Industrial espionage may take many forms, including the direct theft of formulas, processes, and designs; sophisticated electronic surveillance (watching); and the bribing or blackmailing of employees.

• The practice of stealing a business rival’s secrets or spying on a rival’s activities probably dates from the earliest period of human trade and commerce.

• But the rapid development of technology in the 1900's and the dramatic expansion of computer and electronics technology since the mid-1900's have made industrial espionage a major problem in the modern business world.

• Scope of Industrial espionage

Espionage techniques include the bribery or blackmail of employees in key positions, the tapping of telephone lines, and the bugging of executive boardrooms. Hacking, straightforward theft, and the interception of electronic signals from computers are other methods.

• Most industrial spies are trained specialists in the many techniques of electronic eavesdropping. Some experts hire out their services to the highest bidder. Organized crime syndicates may also be involved.

• Nevertheless, the greatest amount of damage is done not by trained spies but by careless, disgruntled, or greedy employees who talk too freely, sell information for quick profit, or seek a better job by offering their knowledge in the marketplace.

• Recruitment agencies are often paid to seek out people who are thinking of changing their jobs and have knowledge that would be of interest to a prospective employer. It is difficult to protect against employee dissatisfaction.

In some areas, spies carry out industrial espionage for foreign governments. A country seeking to modernize its industry and make it more competitive may steal advanced computer hardware (machines) and software (programs).

• Industrial espionage affects the whole world, but it is particularly acute in the industrialized countries of North America, Europe, and the Far East. In these countries, competition in high technology is advanced and intense.

• Industrial security firms have quickly grown in numbers and importance.

Countermeasures to Industrial Espionage

These are many and varied. They include the regular electronic sweeping of boardrooms to detect miniature microphones and telephone taps.

Computers and communications devices can be monitored to prevent unauthorized access or use. Computers may be screened and protected against the interception of their electromagnetic emission.

Computer and other telecommunications transmissions usually go through a process of encoding before being sent down insecure public lines or open channels.

Encoding is a procedure by which the telephone or computer signals are converted into a form that cannot be decoded except by someone with the correct equipment or a key to the code used.

Companies control access to secret restricted areas by employing special clearing devices, such as smart cards or code-only doors. To gain entry, an employee must possess a card that is inserted in a slot and computer-read to make sure it bears the right code.

Another form of code protection requires the employee to press a combination of numbered buttons to unlock a door. The combination is known only to authorized personnel.

Companies choose their personnel more and more on the basis of life histories and psychological profiles that are designed to reveal which employees may be vulnerable to bribery, blackmail or disloyalty.

The monitoring of employees' activities goes on in many firms, although it raises fears of the invasion of personal privacy.

Reported by:

Jerome Jay C. Sapinoso

BS. Crim.221