7 Elements of a Holistic IP Protection Plan
Sixth in a Series from Former DuPont CISO on Trade Secret Protection for Manufacturers
As I began explaining in my last post, the best programs for intellectual property protection take a holistic approach, where everyone in the organization and the extended enterprise has an equal stake in its success. The IP protection framework outlined in this blog series takes effective governance, risk and compliance programs as its model.
Your program should have the following seven elements to organize and manage risks, objectives, and reporting:
- Written Policies & Procedures
It goes without saying that IP protection relies on unambiguous, clearly communicated policies and procedures. These define what is required of employees, outsourcers, suppliers, contractors, consultants, vendors, and all other third parties when accessing, utilizing, and properly handling the company’s trade secrets. These rules need not be draconian, just reasonably capable of reducing the risk of mistake or misconduct. Compliance with these policies must be a condition of employment, contracting, and procurement by the corporation.
- Regular Risk Assessments
- Audit, Monitor, & Report
Borrowed from compliance programs, the next two elements of our framework focus on routine measurement and course correction. Are the recommended IP protection procedures being followed? Are our policies too confusing? Are corporate standards too strict or too loose? Once a year, risks to trade secrets should be reassessed and reprioritized. The IP risk committee can use metrics, audits, and incident reports to make improvements to the program as necessary, over time.
The quickest route to success is to create an ownership culture where all are committed to safeguarding secrets. Anyone who handles sensitive or proprietary data in the course of their job should be trained on company standards, policies, and procedures. Communication methods range from mandatory computer-based training to newsletters, bulletins, and videos. Educate everyone on the realities of both outsider and insider threats, such as the disgruntled employee, the careless contractor, or the loyal supplier who makes an honest mistake. Users can be human detectors watching for phishing attacks and other IP loss red flags. A truly committed trainee goes beyond doing the minimum necessary, understanding that their livelihood is at stake when trade secrets are lost.
- Delegation of Authority
- Consistent Enforcement
- Response to Violations
The last three elements describe effective administration of a consistent IP protection program. Strict “need-to-know” guidelines should be implemented, granting IP access authority only to those who have earned that trust. Maintain multiple avenues for reporting potential breach incidents (e.g. a hotline and email). It’s everyone’s responsibility to be on the lookout for violations of data protection policy. Corrective actions should be taken swiftly and consistently at all levels – assuming the violator was previously trained, of course. Don’t be shy about reporting these incidents across the company. This is not to instill paranoia but rather to teach by example. Recognize and reward those involved for their vigilance.
You might want to download my e-book covering 5 key IP protection tips to follow based on the practical experience of Digital Guardian’s manufacturing industry customers.
Read the full series:
- The Threats to Your Trade Secrets are Real
- Why Offshoring Complicates IP Protection
- Calculating the True Cost of IP Theft
- Make the Case for Investment in Ongoing IP Protection
- How to Form an IP Risk Committee
- 7 Elements of a Holistic IP Protection Plan
- Defining Intellectual Property
- Lock up your IP and Control Access to it
- Discover the Weaknesses in Your IP Security
- Improve Your Ability to Detect Cyber-Attacks