Thursday, October 15, 2009

Contextual Security: Access Control to the Nth Power

In the 1990s, the touch screen had its place in some niche markets, such as restaurant consoles and other businesses that lend themselves to this type of user interface. Yet it was the smartphone interface that produced the first real breakthrough in touch screen usability, since the reduced real estate forced innovative and efficient workflow designs. The next breakthrough was the inclusion of gestures, made possible by multi-touch sensing screens. In 2006, NYU research scientist Jeff Han[1] allowed the user interface to change lanes from “tasks defining user behavior” to “user gestures defining tasks”.

The innovative use of technology ushers in an astounding array of new input patterns. Input is no longer tethered to keypads, keyboards, smartcards or biometric devices; rather it has become four-dimensional, assimilating codes, gestures, motions and timing into a complex representation of user behavior. The time is ripe for a new security paradigm to grow from these patterns. Security will no longer be defined by users following access rules, but by devices “listening” to what the user wants [as security] and learning user behavior in context.

Security can be enhanced in three distinct ways: multi-modal, multi-factor, and cooperative extensions. Multi-modal enhancements increase security by introducing new inputs into an existing system, enlarging its keyspace. Multi-factor enhancements add additional dimensions of security, i.e. not just what a user knows, but what a user possesses. Finally, cooperative extensions allow security to use external (out-of-band) knowledge about a user to augment the security context in which the user operates.

Increasing Security with Simple Math

Shortly after reading how Synaptics has now introduced a multi-touch screen capable of ten-finger touch[2] for normal mobile phones, the thought of Nth level security came to mind.

Why? Simple math, of course. If a keypad requires a code of 4 numeric digits, the possible codes run from 0000 to 9999: 10 symbols in each of 4 positions, or 10^4. Now imagine that each press of the keypad is replaced by a dual-key press. The space jumps to a staggering 65,610,000: 90 symbols (00…99, minus the 10 doubled digits) in each of 4 positions, or 90^4. Note that 90 counts the pair (1,2) separately from (2,1); if the two keys are struck simultaneously and their order cannot be distinguished, only 45 pairs remain and the space is 45^4, or 4,100,625.

Allowing both single and double key presses, the 10,000 codes of a 4-digit PIN are matched with just 2 positions: 100 symbols (10 singles plus 90 ordered pairs) in each of 2 positions, or 100^2. Add any number of gestures and the space grows by another factor.
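The arithmetic above, as an added example that is not code from the original post. It builds the symbol alphabets for single and dual presses and computes each keyspace, including the case the figure of 90 glosses over: when a simultaneous two-key press cannot be ordered, only 45 pairs are distinguishable. The ten-key pad and the guess rate are the only inputs; nothing here is taken from a product.

```python
"""Keyspace of a keypad code whose positions may be single or dual key presses.

Added example, not from the original post. It reproduces the figures quoted
in the text (10^4, 90^4, 100^2) and also the smaller space obtained when a
simultaneous two-key press has no distinguishable order (45 pairs, 45^4).
"""
from itertools import combinations, permutations
from math import log2

KEYS = "0123456789"  # a standard ten-key pad (assumed input device)


def dual_press_symbols(keys=KEYS, ordered=True):
    """Distinct two-key press symbols over `keys`, excluding doubled digits.

    ordered=True treats (1,2) and (2,1) as different symbols: 90 on ten keys.
    ordered=False treats a simultaneous press as an unordered set: 45 on ten keys.
    """
    pairs = permutations(keys, 2) if ordered else combinations(keys, 2)
    return ["".join(p) for p in pairs]


def keyspace(alphabet_size, positions):
    """Number of codes of the given length over an alphabet, repetition allowed."""
    return alphabet_size ** positions


def entropy_bits(alphabet_size, positions):
    """Equivalent strength in bits of a uniformly chosen code."""
    return positions * log2(alphabet_size)


def summarize(positions, ordered=True):
    """Keyspace sizes for singles only, duals only, and singles-or-duals per position."""
    singles = list(KEYS)
    duals = dual_press_symbols(ordered=ordered)
    return {
        "singles_only": keyspace(len(singles), positions),
        "duals_only": keyspace(len(duals), positions),
        "singles_or_duals": keyspace(len(singles) + len(duals), positions),
    }


def worst_case_seconds(space, guesses_per_second):
    """Time to exhaust a keyspace at a steady online guess rate (no lockout)."""
    return space / guesses_per_second


if __name__ == "__main__":
    print(summarize(4))                  # 10^4, 90^4 and 100^4 for four positions
    print(summarize(4, ordered=False))   # duals_only drops to 45^4
    print(summarize(2))                  # singles_or_duals: 100^2 matches a 4-digit PIN
    print(worst_case_seconds(summarize(4)["singles_only"], 1.0) / 3600, "hours at 1 guess/s")
```

The keyspace only matters against an attacker who is allowed to try many codes; against online guessing at a keypad, the lockout or rate limit on the device dominates, which is why the time calculation assumes none.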

This type of security applies not just to computers and mobile devices, but to everyday security such as home alarm keypads and car security systems.

Increasing Security through User-Defined Behavior

These new interface elements allow us to have better security through behavior. My expertise is in the keystroke dynamics world, where behavioral biometrics are assessed from the rhythm of one’s typing pattern, specifically flight time (the interval between releasing one key and pressing the next) and dwell time (how long a key is held). This creates a pretty robust, albeit single-faceted, behavioral mapping of a user.

With multi-touch screens and gestures, the characteristics of the input itself can be incorporated: not only the timings from the keystroke dynamics realm, but the stroke patterns, angles and pressures familiar from the handwriting recognition realm. The design space for security opens up considerably.
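The dwell and flight times described above, as an added example of how a keystroke-dynamics verifier is built; this is illustrative code written for this page, not the author’s bioChec product or any code from the post. The timing samples are constructed, the enrolment template is a per-feature mean and deviation, and the acceptance threshold of 2.0 (mean absolute z-score) is an assumption tuned to those samples.

```python
"""Keystroke-dynamics verifier built from dwell and flight times.

Added example, not the author's product. Events are constructed
(key, press_ms, release_ms) triples recorded while typing one fixed string.
Enrolment averages each feature over several samples; verification scores a
new sample by its mean absolute z-score against the template and accepts
below a threshold. Real systems use many more samples and richer features.
"""
from statistics import mean, pstdev


def features(events):
    """Dwell (release - press) per key, then flight (next press - this release)
    between consecutive keys, all in milliseconds."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Build a template (means, deviations) from several typing samples."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    if any(len(v) != n for v in vectors):
        raise ValueError("all enrolment samples must type the same string")
    cols = list(zip(*vectors))
    means = [mean(c) for c in cols]
    # floor the deviation so a perfectly consistent feature cannot divide by zero
    stds = [max(pstdev(c), 1.0) for c in cols]
    return means, stds


def score(template, events):
    """Mean absolute z-score of a sample against the template (lower is closer)."""
    means, stds = template
    v = features(events)
    if len(v) != len(means):
        return float("inf")  # different string length: cannot be the enrolled text
    return mean(abs(x - m) / s for x, m, s in zip(v, means, stds))


def verify(template, events, threshold=2.0):
    """Accept when the sample's rhythm is within `threshold` z-units of the template."""
    return score(template, events) < threshold


def make_sample(password, dwells, flights, start=0):
    """Build an event list from per-key dwell and inter-key flight timings (constructed data)."""
    events, t = [], start
    for i, ch in enumerate(password):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events


PASSWORD = "secret"
# Constructed enrolment data: the legitimate user has steady, fast timings.
OWNER = [
    make_sample(PASSWORD, [90, 85, 95, 88, 92, 86], [120, 110, 130, 115, 125]),
    make_sample(PASSWORD, [95, 88, 92, 90, 89, 91], [125, 115, 128, 118, 122]),
    make_sample(PASSWORD, [88, 90, 97, 86, 94, 89], [118, 112, 134, 120, 127]),
    make_sample(PASSWORD, [92, 87, 93, 91, 90, 88], [122, 108, 131, 117, 124]),
]
# Constructed probes: the owner typing again, and an impostor who knows the
# password but types it with a hesitant rhythm.
OWNER_PROBE = make_sample(PASSWORD, [91, 89, 94, 89, 91, 90], [121, 113, 130, 117, 123])
IMPOSTOR = make_sample(PASSWORD, [140, 160, 150, 170, 155, 165], [300, 350, 280, 400, 320])

TEMPLATE = enroll(OWNER)

if __name__ == "__main__":
    print("owner   ", round(score(TEMPLATE, OWNER_PROBE), 2), verify(TEMPLATE, OWNER_PROBE))
    print("impostor", round(score(TEMPLATE, IMPOSTOR), 2), verify(TEMPLATE, IMPOSTOR))
```

The check sits behind the password, not in place of it: a correct password typed with the wrong rhythm is rejected, while a wrong password never reaches the scorer. The threshold trades false rejections of a tired or injured owner against false acceptances, and should be set from measured error rates rather than by eye.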

Imagine allowing the user to set their access method to any behavior combination they decide is appropriate. It could be as simple as a multi-touch code on the keypad, or the user drawing a custom gesture on the touch screen. On mobile phones with motion sensors, security can even be as natural as doing the Macarena (while holding the phone in one hand)! Such a phone could also notice that it is not in its owner’s pocket by recognizing the owner’s stride and gait from its motion sensors.

Increase Security utilizing Cooperative Information

Security through user behavior is not a novel concept. Behavioral biometrics has been studied at various times throughout modern history, as far back as WWII with the U.S. government research on the “Fist of the Sender”, the recognizable keying rhythm of a telegraph operator. The most limiting factor in utilizing behavioral biometrics is the restriction of the input technology available on the device (or network) being protected.

Ideal security is reached when internal measures can be augmented by external factors. In Bruce Schneier’s security blog (and in his book “Beyond Fear”), there is a great anecdote about the lima bean plant’s natural defense mechanism[3]. To paraphrase: when the lima bean plant is attacked by a certain bug, it emits a pheromone that attracts the bug’s own predator. The unique characteristic here is that once one lima bean plant emits this pheromone, all surrounding lima bean plants are triggered to emit it too, proactively protecting the entire lima bean patch.

This “cooperative security” mechanism suggests a novel approach to access security. In fact, the same paradigm exists in some of the newer IPSs (intrusion prevention systems) such as LayerX Technology[4], whereby a confirmed breach attempt on one edge device is shared with the other edge devices in that community, so that they are aware and can proactively prevent the same attempt across the enterprise.

With the advent of seamless Bluetooth connectivity, other devices can lend themselves to promoting access security by sharing their access meta-information with surrounding devices. For example, in an office where a rogue user has failed to access John Q’s mobile device several times, the device may send out a distress signal to other listening devices (such as workstations or laptops) to beware of anyone authenticating to the network as John Q. This can, in turn, trigger a notification to a security officer to investigate more closely, even so far as tracking which door access pads have used John Q’s access code for entry and exit. The distress signal itself must be authenticated and rate-limited, and should raise the bar for John Q (a second factor, closer scrutiny) rather than lock him out outright; otherwise an attacker who can forge or replay the signal gains a cheap way to deny John Q service.
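The distress-signal exchange above, as an added example that is not part of the original post or of any named product. Each device verifies its own logins; after repeated failure it broadcasts a signed report naming the targeted identity, and peers that receive a valid report demand a second factor for that identity rather than locking it, so a forged or replayed report cannot deny service on its own. The shared community key, the in-memory bus standing in for Bluetooth, and the thresholds are assumptions made for the example.

```python
"""Cooperative access alerts between devices, in the spirit of the lima bean patch.

Added example, not code from the post or any product. A device that sees
LOCAL_LOCK_AFTER failed logins for an identity locks that identity locally
and broadcasts an HMAC-signed, timestamped "distress" report. Peers that
verify the report step up their requirements for that identity (second
factor required) instead of locking it, limiting what a forged report can do.
"""
import hashlib
import hmac
import json
import time

COMMUNITY_KEY = b"assumed-shared-community-key"  # assumption: provisioned to trusted devices
LOCAL_LOCK_AFTER = 3     # local failures that lock this device for the identity
PEER_STEPUP_AFTER = 1    # distinct peers reporting before step-up is required
REPORT_MAX_AGE_S = 60    # older reports are treated as replays


class Bus:
    """In-memory stand-in for a broadcast channel such as Bluetooth."""
    def __init__(self):
        self.subscribers = []

    def publish(self, msg):
        for dev in self.subscribers:
            dev.receive(msg)


def sign(payload):
    """Serialize a report and append an HMAC-SHA256 tag under the community key."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(COMMUNITY_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify_msg(raw, now=None):
    """Return the report payload if its tag is valid and it is fresh, else None."""
    body, sep, tag = raw.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(COMMUNITY_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(body)
    now = time.time() if now is None else now
    if now - payload["ts"] > REPORT_MAX_AGE_S:
        return None
    return payload


class Device:
    def __init__(self, name, bus, credentials):
        self.name, self.bus, self.creds = name, bus, credentials
        self.local_failures = {}   # identity -> failed attempts seen here
        self.peer_reports = {}     # identity -> set of devices that reported it
        bus.subscribers.append(self)

    def receive(self, raw):
        payload = verify_msg(raw)
        if payload is None or payload["from"] == self.name:
            return  # forged, stale, or our own broadcast
        self.peer_reports.setdefault(payload["user"], set()).add(payload["from"])

    def needs_step_up(self, user):
        return len(self.peer_reports.get(user, ())) >= PEER_STEPUP_AFTER

    def login(self, user, password, second_factor_ok=False):
        if self.local_failures.get(user, 0) >= LOCAL_LOCK_AFTER:
            return "locked"
        if self.creds.get(user) != password:
            n = self.local_failures[user] = self.local_failures.get(user, 0) + 1
            if n >= LOCAL_LOCK_AFTER:
                self.bus.publish(sign({"from": self.name, "user": user, "ts": time.time()}))
            return "denied"
        if self.needs_step_up(user) and not second_factor_ok:
            return "step-up required"
        return "ok"


def scenario():
    """Constructed walk-through: guesses at John's phone make John's workstation
    demand a second factor; a report with a bad tag is ignored."""
    bus = Bus()
    creds = {"john": "correct horse battery"}
    phone = Device("john-phone", bus, creds)
    workstation = Device("john-workstation", bus, creds)
    out = {"before": workstation.login("john", "correct horse battery")}
    for _ in range(LOCAL_LOCK_AFTER):
        phone.login("john", "guess")
    out["phone_after_attack"] = phone.login("john", "correct horse battery")
    out["workstation_password_only"] = workstation.login("john", "correct horse battery")
    out["workstation_with_2fa"] = workstation.login("john", "correct horse battery", second_factor_ok=True)
    forged = json.dumps({"from": "rogue", "user": "jane", "ts": time.time()}).encode() + b"|" + b"00" * 32
    workstation.receive(forged)
    out["forged_report_accepted"] = "jane" in workstation.peer_reports
    return out


if __name__ == "__main__":
    print(scenario())
```

Two things a deployment would add: peer reports should age out, so that one incident does not burden John Q for ever, and the community key should be per-group and rotatable, since any device holding it can raise the bar for everyone else.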

Security in Context

Can we get better security by simply replacing passwords with gestures? Yes, for a period of time.

In the end, we must concede that all this technology leads us back to the same understanding: security is a process, not a product. There are no absolute safeguards for access control, but the methods presented here extend the ground on which security can be built.

We can no longer force security onto the user in an isolated medium, or expect security from a single dimension to be sufficient.

The shift presented here is to derive security methods from user behavior and the user’s surroundings. As in human-to-human communication, context is imperative to comprehension.



[3] Reference: http://www.schneier.com/news-063.html

[4] We do not promote LayerX above any other IPS, but use it as a reference point for illustration purposes only.

Thursday, September 17, 2009

Microsoft Search Branding "Faux Pas"

Here is an interesting tidbit:

Microsoft has just rebranded its "Live Search" as "Bing", right? Well, I opened a Chinese fortune cookie that gave the definition of "Bing" as "disease".... Of course, this sounds too good to be true, so I looked it up on several sites -- here is the best explanation of the Chinese word "bing": http://www.zhongwen.com/d/175/x102.htm

----

I admit it, I am late to the party... see the explanations given at http://liveside.net/main/archive/2009/05/29/some-quick-takes-on-bing.aspx...

"The actual Chinese characters are two characters, 'Bi' and 'Ing' and combined these two characters mean 'very certain to respond' and 'very certain to answer'," Dr Lu said. "That's a terrific representation of what our brand stands for in the Chinese language."

Wednesday, July 1, 2009

What Happens After the Lights Go Out?

2008 was not a good year by any standard. As many of us try to rebuild our careers, our finances and some semblance of normality, data privacy and information security are probably the farthest things from any company’s (or any individual’s) objectives for 2009. And that is exactly when information theft becomes most opportunistic.

As companies fold, merge or experience massive reorganizations, there emerges an excess of unsupervised personally identifiable information (PII), whether through former employees, surplus equipment or forgotten databases. Although every company has a legal obligation to destroy any sensitive data as part of its exit strategy, by the time an information leak has been discovered there may be no contact information for the defunct company.

Consider the following distinct cases:

1) It was reported in January of 2009 that patient records of the [now-defunct] Houston “Express EMS Services” were found in a parking lot and a dumpster.[1]

2) Former employees of [now-defunct] L.G. Defelice Inc. had their Social Security Numbers posted on the web from improperly sanitized data retrieved from the DOT about the former company.[2]

3) The former NY United Hospital offered to make its records available to patients for six months while it was executing its closing procedure. As part of its exit process, the hospital prepaid a third party to store any remaining records for a period of seven years, after which they will be destroyed.[3] The records are retrievable, but the only requirement for authorization is a signature, the verification of which is impractical.

4) Client records from a mortgage broker “Seaview Financial of Corona del Mar” were found in a recycling bin during the company relocation in February of 2009.[4]

5) A large consumer electronics firm, upon exercising its exit strategy, considered two alternatives for data disposal: electronic wiping or physical destruction of storage. (It was found more cost effective to physically destroy the disk drives.)[5]

And the list goes on and on… perusing “DataLossDB.org” will give one nightmares about the inefficacy of data protection in the real world. The fact that the volume of incidents is large enough to be aggregated by industry, breach type, and information type is a disturbing indication of how extensive the problem of information leakage is.

The Perfect Storm

This economy has created a “perfect storm” for identity fraud to thrive and grow.

Given three straight fiscal quarters of economic downsizing, the probability increases that companies which succumbed to the economic crisis will inadvertently fail to properly dispose of their sensitive data.

As the unemployment rate reaches record proportions, the propensity for identity misuse, even something as simple as parents using their children’s SSNs to get more credit, increases as well. (A study in 2008 found approximately 5% of families surveyed had children with compromised identity information[6].)

From a market perspective, higher unemployment means the quality of current identity data decreases, poisoning the supply chain. As a consequence, the price of PII drops dramatically, so quantity needs to increase to maintain the present market levels.

Law and Responsibility

There are many regulations and guidelines specifying the protection and proper destruction of sensitive information.

HIPAA has long been criticized for its overly broad requirements, prone to ambiguous and sometimes contradictory interpretation. Yet this is one of the few regulations that mandates organizations to make accommodations for the proper storage and disposal of information for six years, even after an organization’s operations cease[7].

There are several New York State laws that require businesses to follow a data retention schedule for information[8]. Although these retention and disposal requirements are subject to legal interpretation, conservative legal counsel should follow the path of least risk and provision for post-operational protection.

The Fair and Accurate Credit Transaction Act of 2003 (FACTA) Disposal Rule “requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report”[9], but it fails to explicitly specify if “reasonable” includes contingency plans if the responsible party ceases operations.

The Gramm-Leach-Bliley Act Safeguards Rule is also quite specific about information protection, with U.S.C. Title 15, Chapter 94, “Subchapter I: DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION” and “Subchapter II: FRAUDULENT ACCESS TO FINANCIAL INFORMATION”[10]. There are specific rules for safeguarding nonpublic personal information as well as for the communication of privacy protection practices. Yet even in GLBA there is an interpretation loophole. Although the protection of PII extends to “information of those no longer consumers of the financial institution,[11]” it is unclear whether the responsibility applies if the “broken relationship” is caused by the company’s demise.

The reference to “internal controls” of Sarbanes-Oxley section 302 cannot be interpreted purely in the accounting sense; it pertains to information leakage if the lack of (or management overriding of) controls can lead to fraudulent activity or non-compliance. In Seaview Financial’s case above, there is a clear violation; but what about the similar situation with Express EMS Services? Do internal controls cease to be in effect if the company is no longer operating?

Some legal experts believe more specific regulations are detrimental and that bankruptcy courts should address the interpretation of existing regulations with regard to data protection extensions.[12]

The Sedona Conference – a consortium of legal experts – has created “Best Practice Guidelines & Commentary for Managing Information & Records in the Electronic Age”[13]. This guideline is followed by many legal professionals; and provides an ideal platform to specifically address these post-mortem data protection issues from a legal perspective.

The Reality

Most of the executives interviewed were not aware of any regulatory requirements for post-operational retention/disposal of data in their industries; although some were aware that their companies do have such plans and others have even exercised such plans with former employers.

Looking into the problem more deeply, the root cause comes down to human error in three distinct ways:

1) Lack of awareness or identification of sensitive information by employers, employees, vendors, clients and end users.

2) Explicit negligence to follow proper information protection and disposal procedures; where operational efficiency outweighs privacy rules and regulations.

3) Failure of technology to classify and protect electronic information by both technology developers as well as users.

We need to be aware of how information affects each and every one of us:

As keepers of the information: The information protection priority for every CIO (or CPO) should always be effectiveness before efficiency.

As users of the information: Every employee has an obligation to protect client information as well as ensuring their own PII is well protected and supervised.

As owners of the information: As vested clients of various financial, medical and other institutions, we need to reach out and request the formal policies for data retention and destruction. As with the case of United Hospital above, there was a court-approved plan in place for proper handling and disposal of client data.

The National Association for Information Destruction (NAID) provides a checklist for ensuring your company complies with the maximum set of regulatory requirements[14].

In Summary

Although very few regulations explicitly address post-operational conditions, there is an interpretative factor with any regulation that defines specific schedules for data retention and disposal:

Are records retention/disposal requirements in effect beyond the life of the organization?

There is no clear answer to this question. For records that transcend a company’s purpose, medical records being the most obvious example, there need to be better data retention policies. Conversely, for consumer data that is only relevant to the operations of a company, common sense dictates the disposal of this information at the proper time.

Hence, we need a robust Information Lifecycle Management (ILM) initiative.

Information privacy, protection and governance are more difficult and more expensive in times of instability. Considering the frequency of information leaks in active companies, the exposure of PII grows sharply once a company ceases operations. It is imperative that your enterprise’s protection plans outlive the company.


[3] References:

o http://www.allbusiness.com/health-care/health-care-facilities-nursing/10635002-1.html

o http://www.ironmountain.com/records/release/NYunited.asp

o Interview with Iron Mountain records release specialist for NY United Hospital

[5] Interview with CTO [person’s name removed by request] from [company name removed by request].

[12] Reference: Interview with legal experts [names withheld by request].

Saturday, May 2, 2009

Responsibilities of the Federal CTO and CIO

I applaud the new president for his awareness that information technology is as important as any other infrastructure in the government. By creating Federal level Chief Technology Officer (CTO) and Chief Information Officer (CIO) positions, there exists the opportunity to create a long-term direction among the myriad of existing systems and processes within the government.


Many articles have already dissected the proposed responsibilities of the Federal CTO and CIO. In the Feb 16th issue of InformationWeek, for instance, twenty-six (26) business leaders in technology weighed in on the most pressing issues for the Federal CTO. As diverse as the expert opinions are, they all have merit. Taken together with the myriad of other articles covering this topic, this indicates how widespread the problems needing attention are.


All these issues can be extrapolated to three (3) ideals that should be addressed by the current administration with regard to the CTO and CIO:

1. Focus on the Organization Mission and Workflow, not Technology:

A CTO cannot possibly assume all of the responsibilities needed to lead an organization by focusing on technology alone. They must take into consideration the business value of the information issues that technology is trying to solve.


Conversely, the CIO must focus on the accuracy, confidentiality and security of information. But they cannot do so without in-depth knowledge of technology solutions used for the capturing, classification and dissemination of information.


To be an effective leader means to know what the organization’s goals are, its past efforts, and its current operations. Many times, the operations do not match the goals of the organization, and the technology matches neither the operations nor assists in attaining the goals’ objectives.


The Federal CTO and CIO must align themselves with the missions of the various organizations, their goals and objectives, and shape the strategies pursued to achieve those objectives in a way that fosters cooperation and effectiveness, which eventually leads to efficiencies.


For the Federal CTO and CIO, their customers are the agencies they support, not the OMB.


2. Synergies between the CTO and CIO:

The CTO’s responsibilities are not the same as the CIO’s. [We have yet to see the ramifications of the Obama Administration selecting a former CTO for the position of CIO.]


The CTO and CIO both start from the same basic question: “What information does each agency (or business unit) need to operate effectively?”


The goals of the CIO:

  1. Identify essential information needed for proper business unit / agency operations.
  2. Verify the accuracy of all data points.
  3. Apply an Information Lifecycle Management (ILM) process for determining when information is the most useful and when/how it should be discarded.
  4. Organize, normalize, aggregate, analyze and disseminate information to the appropriate operational entities.
  5. Classify, protect and track usage of business critical information.


Contrary to popular practice, it should be the CTO supporting the CIO, not the other way around. The goal of the CTO is to effectively support the CIO’s objectives:

  1. Design usable business processes and workflows to support data capture.
  2. Provide solutions to minimize duplication of data; thereby minimizing overlap and extraneous work efforts by business operations.
  3. Create effective and unambiguous views of information for each level of audience.
  4. Support feedback channels for refining business processes and workflows.


Both need to focus on the business processes and workflows. Does the unit/agency garner the appropriate information? Do they properly store, organize and protect this data? How do they interoperate and share information?


Although the CTO and CIO may hold distinct views to such questions, they should eventually arrive at a complementary set of goals. This is one place where segregation and specialization can positively affect government operations.


3. Stimulus Investment in Technology Infrastructure:

During the 1930’s, the Federal plan to pull America out of the Great Depression was the creation of jobs through Federally-sponsored infrastructure expansion – specifically through the construction of bridges and roadways. America was primarily an industrial society and this plan answered two key problems: (a) the country lacked a viable transportation infrastructure to support industrial growth and (b) these projects needed the same (or similar) skills of our unemployed workforce at that time.


Post WWII saw the expansion of the housing, education and auto industries as a response to the multitude of military forces migrating back to peace-time. Again, this economic cycle took advantage of characteristics in our population – a mix of engineering and service-oriented demographics and a need for supporting the population explosion. However, it also recognized the need for retraining of America’s workforce, so education became a priority.


Today’s crisis consists of more complex problems. America can no longer be characterized as an industrial society, an engineering society or even a service society. We have become a society of deferment – managing and outsourcing our skills away. But there exists the opportunity to create a recovery effort that parallels those post-war times past.


Our government needs to rebuild its infrastructure; not its public works infrastructure but its information and technology infrastructure. The handling of information at the government level has grown and expanded haphazardly into a complex web of processing silos. Consider the lack of communication (electronic and human) between agencies such as the CIA and FBI. The creation of DHS simply places a wrapper on these problems and allows some cursory cooperation, but internal silos still exist.


The stimulus plans that have been implemented by both the Bush and Obama administrations are misguided; either they try to boost lending among a population that cannot repay its existing debt, buy off toxic debt to allow financial firms to operate with impunity, or try to create jobs through legacy public works projects. None of these approaches can have any long-term success.


To rebuild our economy with strength and longevity means to address our needs as a country and as a society. The stimulus packages should create large public infrastructure projects – but it should be focused on the information and technology infrastructure. This will employ the many Americans educated and skilled in technology (but unemployed due to off-shoring), increase the demand for higher education in technology areas and allow the government itself to be streamlined and efficient for the future.


Yes, it means the government will be paying more for technology services than the corporate world. The purpose here is to employ Americans, to stimulate the higher education of the population, and to launch the cycle of economic growth based on a solid foundation.


In Summary:

The CTO/CIO are first and foremost strategic thinkers, thought leaders who can extrapolate needs from desires and prioritize goals into tactical strategies. Secondly, they are business analysts who must weigh the realities of an organization against its objectives, understand where the gaps lie, and know the mitigation options. Thirdly, they are enablers, knowing where change is needed and delegating authority to the “natural leaders” in the organization to effect that change. Finally, the CTO/CIO must be accountable, both to those below them and to those above; they must provide the metrics, the ways and means to measure success.


My hope is that our new Federal CTO and CIO will have the foresight to envision the feasible future, the qualities needed to chart a course, the leadership needed to promote their strategies both up and down the chain of command, and the authority to make a difference.


Or perhaps printing another $800B will do the trick.


Thursday, April 2, 2009

Offshore Outsourcing and Intellectual Property Protection

Entering into the world of IT some decades ago, the typical employment process consisted of a written comprehension exam, two days of interviews, drug screening and even fingerprint registration with local authorities. My most bizarre experience included a multi-task evaluation, where the candidate was enclosed in a small room with a written exam while new-age music was piped through room speakers at extraordinary levels, broken intermittently by verbal instructions to do some really odd tasks (i.e. “…put six pencils and two pens in the coffee mug labeled ‘Bob’ and place it in the bottom left-hand drawer, but only if you answered ‘yes’ to question 35…”). All this effort to ensure that as an employee, a candidate was proficient for the needs at hand as well as loyal to the employer; how times have changed!

“Offshore business process outsourcing (BPO) is expected to reach $3 billion in 2004, a 65 percent increase from the 2003 total of $1.3 billion. In 2004, offshore BPO is expected to represent 2.3 percent of the total BPO market.” - Gartner Research, May 18, 2004.

Given the exponential rise of IT outsourcing by U.S. corporations, it is easily justified to promote offshore outsourcing within your company for several well-known reasons, the majority being:
  1. Breadth of knowledge can be adjusted dynamically to the needs of each project, so the technologies utilized merely become another variable to accomplish a business goal.
  2. Cost of development moves from overhead budgets (full-time head-count) to operational budgets. This expense can now be justified by showing greater flexibility to increase/decrease manpower over the short-term.
  3. Offshore manpower costs are often substantially lower than domestic rates.

For all the inherent benefits of offshore outsourcing, there exists a powerful liability that, when left untreated, can have disastrous results. The dissemination of intellectual property occurs every time one business outsources to another, whether for payroll, advertising and especially IT development.

Consider these statistics. In the “2003 CSI/FBI Survey on Computer Crime and Security”, 61 of 398 respondents acknowledged theft of proprietary information, with financial loss totaling $70M. In the “2003 BSI Computer Theft Survey” of 676 participants, 9.2% of respondents who acknowledged theft of proprietary information put the financial loss at $1M and 2.3% valued the loss at $10M. Would any company knowingly hand over intellectual property to an unmitigated risk? Yet it happens, as exemplified by the source code leaks at both Microsoft and Cisco. Could they have been avoided? Not completely, but they should serve as a wake-up call to all businesses to review their IP protection policies with all their partners, especially those operating outside the company’s base country.

How one approaches intellectual property protection (IPP) can affect the overall effectiveness and efficiency of any outsourcing effort. A traditional project manager will start with a baseline savings of efficiency (time, expenses, et al) and reduce each benefit by applying the cost of risk factors in the 80/20 fashion. A security professional will always start with a baseline cost of protection planning and overlay the benefits to assess a spectrum of “best-case” to “worst-case” scenarios. From these scenarios, a risk / remediation analysis is presented to management, whereby the business can make an informed decision on the amount of risk it is willing to expose. Given the extra up-front planning efforts needed by multiple business branches to implement the security professional’s method, which would in reality get the most support from the decision-makers in your company?

IPP assessments for outsourcing can be daunting, but by breaking the effort down into the risk areas below, much of the assessment needs to be done only once, and can be re-used for subsequent outsourcing projects. Following is a pared-down checklist that can assist in the planning effort for IPP and outsourcing:

Business Assessment
(What are the official host company’s security policies for IPP?)

  • Where is the company's base of operation?
  • Does the company have international offices with legal representation?
  • Does the company currently outsource IT development efforts?
      ◦ Within those countries with international offices?
      ◦ In countries without the company’s international presence?
  • How does the current project rely on trade secrets or other intellectual property?
      ◦ Are these IP assets considered tangible or intangible?
      ◦ What amounts of risk are attached to these IP assets?
      ◦ What methods of assessment were applied to arrive at these figures?
  • What existing policies are in place to protect IP during development?
      ◦ Does your company specifically address IP protection and outsourcing?
      ◦ What IPP compliance does the company require from outsourcing companies and other partners? (bonding, et al)
      ◦ What is the cost of creating/supporting such policies?
  • What existing experiences with IPP can be drawn upon?
      ◦ Are these experiences formally documented?

Legal Assessment
(What legal tools support international protection of IP?)

  • What types of legal agreements are in place for:
      ◦ Opening IP to outside parties? (NDA, et al)
      ◦ Doing sensitive business internationally?
  • What legal options are available for non-compliance or breach of these agreements?
      ◦ What international laws are provided to pursue non-compliance?
      ◦ What protections does the outsourcing company’s host government provide?
      ◦ In what venue must legal proceedings occur?
  • Have there ever been any accusations of breach or threats of legal action?
      ◦ If so, how were they handled?
      ◦ What internal actions were taken as a result (change of policy, et al)?

Outsourcing Assessment
(What are the official outsourcing company’s security policies for IPP?)

  • How does the outsourcing company approach the topic of IP-based contracts?
  • What internal policies are in place to protect their clients' IP?
  • How do the outsourcing company’s protection policies compare to those of the host company?
      ◦ Where do the policies go above and beyond your policies?
      ◦ What specific points do the policies lack?

Accountability Issues

Accountability, as a management tool, is necessary to measure project flow, define remediation procedures for any fallout, and provide root cause analysis for future prevention. Accountability methods work best within controlled environments (i.e. within the enterprise). When uncontrolled factors are introduced, normal accountability methods can actually create a false sense of completeness. Two major issues exist when an accountability matrix includes outsourced personnel.

The first issue with accountability is the lack of host company presence at outsourced work offices. Much of traditional compliance validation comes implicitly from direct (formal and informal) contact with employees. Since the loss of intellectual property can cause irreparable damage to your company, careful planning is needed to validate compliance early and often, especially in the absence of direct contact with the outsourced employees. Scheduled as well as unscheduled onsite visits are crucial even if other travel budgets are frozen. First-hand documentation of compliance is a necessity. To highlight this point, the New York State Department of Environmental Protection relies almost solely on company-generated reports for water pollution control compliance; whereas in another realm, the Department of Defense has inspectors sent to every vendor facility to ensure spec compliance on each batch of materials purchased. Which method of compliance validation matches the needs of your project? (I personally avoid swimming in NYS waterways.)

The other major issue with accountability is remediation. An IT manager has not only the power but also the responsibility to enforce all company policies with respect to protecting company property. An IT manager may even have the power to choose outsourcing companies based on their policies and past experience. But once a contract is determined to be out of compliance, an IT manager may need to turn to the legal staff to enforce remediation. In other words, even if an offshore outsourcing firm has identical IPP guidelines as the host company, compliance is ultimately determined by the laws in the country of arbitration defined in the outsourcing contract. Accountability is no longer an issue of meeting deadlines, but rather a basis for possible legal action.

What Are the Next Steps?
(Document, Document, Document)

  • Modify your accountability methods to ensure compliance by focusing on three areas: validate formally, validate consistently and validate often.
  • Determine the measurement criteria that would positively identify an intellectual property breach. This cannot be overstated: these criteria become the cornerstone of any investigation or legal action. Too ambiguous, and no legal case can use them; too detailed, and a breach may go uncaught because not all the identifiers were triggered.
  • Ensure that these findings are well communicated with all decision-making parties.
  • Ensure the legal support staff includes these aspects with all written contracts. The legal department will most likely define the company’s host country as the point for arbitration.
  • Ensure the outsourcing parties understand these aspects. This is most effectively accomplished by having the outside parties present a formal document on how they comply with your IPP guidelines.

Creating your “IPP Guideline for Outsourcing” now can save many troubles years down the road. Regardless of any business partners’ guidelines and procedures for IPP, it is still your company that is held liable for compliance with SOX and HIPAA.

John C. Checco, CISSP (john.checco@checco.com) is a member of the American Society for Industrial Security (ASIS) NYC Chapter and president of bioChecTM (www.biochec.com), a division of Checco Services, Inc.