There's an interesting article in the August 22 online Computerworld magazine called Intellectual Property is Focus at New Job.
In it, a newly hired security professional at a computer product
manufacturing company, writing anonymously, describes an assignment to
figure out how to keep the company's intellectual property, such as
engineering drawings and service manuals, from "walking out the door."
promises to be an interesting series, and readers have an opportunity
to comment on the article. Here's the comment that I supplied:
My guess is you’ll need to justify an increase in staff to oversee the management of the systems and modified processes that emerges from your project. Managing and updating privileges in relationship to document access levels, especially given the constant churn of products, people, customers, and vendors, could be a time-consuming ongoing task. Management will want to see the business cases here and the distinctions between one-time and ongoing costs.
That’s the mechanical stuff. There’s another issue: how some alternatives might require a modification of corporate culture.
Some organizations are more amenable to hierarchical distinctions and bureaucratic influences than others. You can’t expect a highly creative R&D outfit, for example, to put up with the same types of controls and restrictions as, say, a field service organization. You also don’t want to make the monitoring systems and document access controls so onerous as to restrict the horizontal and informal communications that are critical to a healthy organization.
Another challenge could be maintaining perceptions of fairness. You mentioned monitoring use of documents as one element of the mix. Does that include the CEO, CFO, etc.? If not, there may be fairness issues to deal with.
If the churn of service personnel is causing issues with manuals walking out the door and providing the basis for competing servicing, have you considered making updated service manuals available for a fee to outsiders? That way at least you can recapture some of the revenue stream. You’ll never be able to control completely “unauthorized” servicing as your customers will always be looking for deals. (Do you already have a certification process in place to enable customers to know who is and is not an authorized -- and up to date -- service technician?)
Probably the only way to control this area of revenue leakage is to make the best of a bad situation and try to generate revenue and convince vendors of the value of your proprietary services. If your services are not viewed as worth a premium, well, that’s not your fault. It’s unreasonable to think that you can come up with a security scheme to close ALL loopholes.
As far as vendors are concerned, you’ll have to work with your legal people and your manufacturing engineers on that. Watermarking and embedded features that would provide telltale evidence of copying and remanufacturing will have to be combined with legal enforcement – and that’s another cost benefit analysis.
How you manage all this will be an interesting discussion. I agree with a previous commenter that the business processes are key. How you manage these on an ongoing basis, given all the different departments and functions that will be involved, will be the key to success.