I’m an operations manager for a new hedge fund start-up. Lots of fun, tons of work.
Our main asset is information, and I need to protect it as much as possible. I’ve done the basic CYA on server backups and virus protection and firewalls, etc. but I don’t know how to keep things protected internally. How do I keep stuff from being emailed out? Is there any way to do this besides sending out a ‘company guideline’ and praying that people follow it? I recognize that if someone REALLY wanted to send things out, they could, but I’d like to at least attempt to stem this potential problem.
What does your company do? How do it or you handle it?
One of the big things I learned is that the “tone at the top” of a company can make a huge difference.
A lot of people say that if someone is dirty or intends to do something unethical, whether with physical or intangible assets, they are going to find a way to do that. What you want to do is minimize the risk.
It works a lot like IT security. People should have the access they need to do their job, but not excess authority.
Some information on risk management for intellectual property can be found here (it’s on page 2 of the document, I believe).
The Canadian University Intellectual Property Group also has some information online at http://www.ualberta.ca/~univhall/vp/vprea/ip_pro/ip_pro.htm .
Hope those help. Intellectual property is a tough issue for internal auditors to consider as part of the control environment, because it is an intangible asset, and controlling it is often more difficult than controlling the physical assets.
#3 I’m sure a reasonably smart IT type can set up email servers to make copies of emails to people who are not part of the customer DB for “security review”
#2 Make sure policy manuals and or contracts state that release of proprietary information is an instant termination…period, you don’t care why.
#1 Take good care of your people. If they can make 20% more across the street they will be putting in notice shortly. Most loss of proprietary information leaves in peoples heads (best customers names for example) Since 80% of almost any business is tied to 20% of its customers it dosen’t take much to cripple a business by pissing off a sales rep who can make a nice niche for himself by bringing himself and his PDA to a competitor
Lock your company’s secrets up with the 11 herbs and spices recipe! Har Har Har
No seriously, I don’t have much knowledge on this subject, but I remember reading an article once. (Don’t a lot of responses start this way)
The article was in one of those IT trade mags that was laying on the table in the lobby at work. I grabbed it on my way out to smoke a cig (bad habit, I know, but not as bad as reading IT trade magazines!) and I read an article talking about precisely what you seek.
There are a variety of software “firewalls” that will look for certain general parameters or certain specific documents leaving your companies network. They can even be set with certain “permissions” to allow/disallow sending/receiving by specified departments/individuals. They can also send alerts to suspicious activity without necessarilly notifying the offender. Obviously, it can get complex, but is well worth it if your serious about security.