When engaging with off-site/offshore service providers, one of the most frequently asked questions is how they will safeguard intellectual property (IP). IP protection will be the same as it is within those borders. When evaluating vendors, you should consider how well they measure up against the pillars of Human Practices, Technical Practices, and Compliance and Controls.
This article presents an overview of the procedures and controls required to safeguard IP to the best of your ability for each of these pillars. In general, the answer to this form of protection and security is not that you can eradicate the risk but make the activity incredibly challenging and unappealing for the would-be secret stealer.
Secure Human Practices
Each pillar is significant, but the Human Practices pillar is the most vital. It may be obvious, yet individuals steal IP. Thus, guaranteeing that your firm recruits qualified individuals are of the utmost importance.
Best practices in this area include:
- Background checks.
- Robust onboarding and offboarding processes.
- Proper training on appropriate policies (HIPAA/SOCS, Data Protection, Security, etc.).
- Frequent employee reviews.
- Random audits of all the above.
Secure Technical Practices
Infrastructure, Environment and Data comprise the three sub-components of the technological pillar. The objective of the technological pillar is to limit access and temptation both inside and outside the organization. This part is nearly identical to current IT security policies, if not the same.
Infrastructure and its security are optimal starting points. Please note that what follows is only a portion of a complete security policy, as security is not the focus of this section.
Infrastructure best practices include:
- Isolating networks.
- Local disk encryption.
- Audit logging.
- Data Loss Prevention (DLP) policies.
- Least Privilege based access policies.
The second area to investigate are the available working settings. Although the physical environment is essential, this document assumes that working remotely is appropriate and accepted.
Next, we discuss the ecosystems used to produce and maintain intellectual property. This ecosystem incorporates ideas such as production, staging, testing, and development environments in product development. The way you organize and provide access to environments is significant.
Environment best practices include:
- Keeping environmental variables under control by utilizing your own physical or cloud-based solutions.
- United States-hosted virtual machines and/or regional cloud infrastructures.
- Environments by type (test, production, etc.).
- Access restrictions to environments. Developers and testers, for example, should not have access to the staging and production environments, which include actual customer data.
The final section in the technical pillar is related to data. Modern data protection laws carry hefty fines for exposing PII and PHI data; thus, service providers and clients must pay extra attention to this area.
This section deserves its own briefing, and as a result, we will highlight a few key points as follows:
Manage tickets, code, and documents in-house.
De-identifying information that is transferred outside the United States not just for business continuity but also data that moves outside of production environments into development environments.
In addition to infrastructure, environment, and data, the secure engineering of applications is an excellent example of one of the technical pillars. Apps should be engineered in compliance with a Secure SDLC framework and alignment with industry standards and best practices, such as those published by NIST and OWASP. Otherwise, bad apps can put IP at risk.
Bringing it all together
The final pillar is managing the previous pillars and guaranteeing their implementation and enforcement. Formal compliance initiatives and a series of controls designed to protect consumer data and the company’s intellectual property are already in place for most firms.
Dealing with IP problems outside the United States should be a natural extension of these existing regulations and likely not need to be adapted for this circumstance. While it is true that there is significant overlap between the agencies and laws that govern the protection of data, there are differences in laws that make the handling of IP and sensitive data more restrictive than others, e.g., the EU’s GDPR vs. California’s CCPA. GDPR is significantly stricter and requires users to provide consent before having their personal data collected and processed. In contrast, CCPA requires consent for just data disclosure or selling to third parties.
Before engaging, check to verify if non-U.S. vendors have their own compliance-related certifications. When this is the case, your company’s auditing costs are drastically lowered, as the presence of this certification often suggests automatic compliance with several controls it employs.
This document provides an excellent foundation for building informal controls and rules if you are in a situation with no pre-existing controls.