
Saturday, December 29, 2012

Protecting Proprietary Data and Intellectual Property-FSO Task


The Opportunity
If you are employed by a defense contractor, chances are that you perform work on goods and services for the research and development of a weapon system or other new capability. That being the case, the default focus of a Facility Security Officer (FSO) or security specialist is on technical data.
The problem is that while there is abundant guidance on the protection of classified information (the prescriptive regulation known as the NISPOM), there is far less on the gap between classified and merely sensitive, and protecting unclassified but sensitive information is of utmost concern. This is where FSOs can really provide value to the enterprise.

The Problem
Take a look at this paraphrase from Allen Dulles' book The Craft of Intelligence:

In the 1950s the US Congress was concerned that there was simply too much technical information available on government programs. From that concern, it commissioned researchers to assemble as much information about a particular program from the public domain as they could. The group scoured libraries, newsstands, TV, radio and other media common to the decade and provided a report. As a result, the government determined the compiled information to be classified, safeguarded it and disbanded the group. The lesson: intimate program details had not been properly identified, marked and protected.

Ideally we would have learned a valuable lesson from this and would no longer have to worry about sensitive information appearing in the public domain. Not so. Here is a modern day example:

Recently the State Department reacted to an ITAR violation where Georgia Tech Research Institution made ITAR protected training available on their website.

In this case, the US Government had identified the information as ITAR controlled, but GTRI mistakenly made it available to both US and foreign nationals. See the story here:

In the first example, sensitive information was not properly identified and therefore could not be handled appropriately; as a result, the compiled information became classified. The second example demonstrates what can happen when information is properly identified and marked, but the handling requirements are not fully understood.

There are many other accounts of technology lost through theft, public release, presentations, white papers, patents and the like. How do we solve such problems?

Incorporate an enterprise-wide, comprehensive system that identifies sensitive information by owner and technology and then limits its distribution. Where the NISPOM gives guidance on how to protect information already identified as classified, proprietary information, ITAR controlled technology, intellectual property and other sensitive data aren't always given the same level of scrutiny.

Protecting company sensitive information
This may need to be performed at the contractor level. Once sensitive items are identified, intimate program details should be cataloged and documented so that those who work with and handle the technical information fully understand who owns it, how to get access to it and how to properly limit its distribution.

Be sure to include technical information owned by customers and vendors. Employees should understand how to properly handle the sensitive information of outside organizations. If it's not clear, ask.

Finally, any technical information that is legitimately distributed should be released only with a joint understanding of how the recipient may use and further distribute the technical data.


Jeffrey W. Bennett, SFPC, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Friday, November 30, 2012

Cleared Contractor FSOs Can Create Impact Outside of the NISPOM


Facility Security Officers (FSOs) have a tremendous responsibility in developing a security program to protect classified information. After all, they (as an individual or a staff) are the link between government oversight (the cognizant security office), the customer (prime contractor or Government Contracting Activity) and the cleared defense contractor, ensuring that classified information is properly protected.

However, if FSOs focus solely on their classified responsibilities, they miss great opportunities to increase their effectiveness. That's right, focusing solely on the single task of protecting classified information may reduce the chance of being more effective overall. Providing value outside of the National Industrial Security Program Operating Manual (NISPOM) actually helps the FSO build a better security program.

FSOs can expand their influence by providing lessons learned and best practices that integrate security into all areas of the enterprise. These areas become part of a holistic approach to protecting information across the facility. Few controls are typically in place to protect unclassified but sensitive information, and the FSO can be a rock star in this area, applying the same skills to protect government and other customer supplied sensitive products as well as internally created information.

Here are two ways FSOs can use their skills to identify and protect proprietary information, intellectual property, and other sensitive information.

1. Government and other customer provided products:
  • Classified information- Government information that is identified and protected based on the level of potential damage to national security. Classified information is protected according to the guidance found in the NISPOM. That guidance is prescriptive, meaning that if information is SECRET, it must be stored, handled, transported and destroyed according to regulations and policies. The government appointed original classification authority (OCA) uses a 6 Step OCA process to identify and protect classified information. Follow the policies of the NISPOM, the contract and other applicable regulations to build your security program.

  • OPSEC- A process to deny potential adversaries information about capabilities and/or intentions. OPSEC plans are required on many classified and UNCLASSIFIED contracts. You can find the requirements in the DD Form 254 of classified contracts and in the contract itself for unclassified contracts. Use the 5 Step OPSEC process to identify OPSEC indicators, determine the threat, determine vulnerabilities, assess risk and implement countermeasures.

  • Technical information- Scientific information that relates to the research, development, engineering, test, evaluation, production, operation, use, and maintenance of munitions and other military supplies and equipment. Information falling under this category is protected by export compliance requirements and the International Traffic in Arms Regulations (ITAR). You may see this information in program tests, the work breakdown structure and other program related materials.

  • Critical Technology- Technologies so fundamental to national security, or so highly enabling of economic growth, that the capability to produce them must be retained or developed in the United States. The government has identified this information, and it is also required to be protected.

2. Internally created company information
Company information is harder to identify and requires more proactive work. Where government and customer provided material should arrive with its sensitivity level and protection requirements, internal secrets require proactive identification and locally defined protection requirements. The FSO can adopt processes similar to the 5 Step OPSEC process or the 6 Step OCA process to accomplish this task. The following are examples of such items:
  • Trade Secrets- Processes, procedures, formulae and the like that an enterprise produces and that are not well known.
  • Proprietary information- Similar to trade secrets, and includes documentation, financial data, program details, test data and trade secrets that are not well known and that an enterprise would like to keep secret.
  • Intellectual property- Something designed, written, published, built, or otherwise created that belongs exclusively to an individual or corporation. It differs from trade secrets and proprietary information in that it is an exclusive creation, such as a musical composition, rather than personal or financial information. Intellectual property covers trademarks, patents, copyrights and others.

Identifying trade secrets, proprietary information and, in some cases, intellectual property may require a working group of subject matter experts. The FSO can lead the discussions that determine what qualifies as a trade secret and then apply security skills to protect it.

Personally Identifiable Information (PII)- Details that can help locate or identify a person, including name, address, driver's license number, social security number, etc. Its protection is required by law. The FSO can help determine who needs to maintain PII and how to protect it from unauthorized disclosure.

Once all internal information is identified and protection measures are implemented, employees have left and right limits that help prevent the unauthorized disclosures commonly found in conferences, papers, patent applications and press releases.

The FSO is a pivotal member of the cleared contractor facility. The FSO is one of two employees absolutely required by the NISPOM, and the role's sole stated purpose is to protect classified information. However, the role can be expanded to protect all levels of sensitive information, making the FSO a star when it comes to enterprise protection.

Find more about the role of the FSO and security specialist in DoD Security Clearance and Contracts Guidebook.
