Saturday, November 7, 2009

Reducing Information Sharing Risks

Policy

* Segmentation—The basic foundation for protecting confidential data is the classic technique used by the military to protect secrets, classifying data according to its confidentiality and giving access only on a "need to know" basis. For example, a supplier designing a component that fits in your product usually only needs to know the physical envelope (attachment points and constraints) and electrical interface characteristics for their component, rather than receiving your entire design.

* Actionable Information—A promising approach is to scrub raw data into actionable information, sharing only the derived terms the partner needs to act on rather than the underlying data. Structured contracts, described in last month's issue (Parallax View), are a good example. Instead of sharing range forecasts, companies express future demand through structured contract terms such as minimum firm commitments, lead-time guarantees with different pricing for different lead times, capacity guarantees for upside flex at a higher price, and so on.

* Escrow Account—At least one company had success with another creative approach: establishing an escrow account that is drawn on if either party violates the agreement. The money is then reinvested in the relationship to fix the cause of the problem, for example joint team education, fixing flawed processes, or new technology. This dramatically improved the level of trust in that relationship.

Process

It is critical that the policies are backed up by processes and controls to prevent, detect, and correct accidental or deliberate misuse of confidential information, such as:

* Physical Security—Controlled access to offices, receptionist diligence on who is allowed in the building, badges, questioning unknown people in sensitive areas, not leaving confidential documents out in the open, etc.

* Separation and Rotation of Duties—For example, having a different person control physical inventory than the one controlling information about that inventory.

* Training and Testing—Training employees on the procedures for, and the importance of, protecting confidential information (both your own and others' held under NDA). Testing awareness and taking corrective steps where it falls short.

* Logs—Keeping accurate, tamper-evident records of who accessed what areas and what information, and when. A log that the same people who are being monitored can quietly edit or truncate is worth little; the records need to be protected so that alteration or deletion is detectable by someone other than the log's owner.

* Audits—Auditing your firm and trading partners to ensure safeguards and proper training. Some companies have computer-assisted "continuous auditing" of compliance. Particularly sensitive data may require structural organizational safeguards as well. For example, some engineering organizations establish a "clean room" approach that separates the people receiving the highly sensitive design information and restricts their interactions and communications with the rest of their engineering organization to prevent the partner's design information from leaking into their own proprietary designs.
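The tamper-evident log called for above can be built with a simple hash chain, where each record commits to the digest of the record before it, plus a keyed checkpoint of the chain head that an independent auditor holds. The following is an added example written for this page, not code from the original article; the class and function names (`AccessLog`, `verify`), the auditor key and the sample access records are all hypothetical. It shows both what a hash chain catches on its own (edited or deleted entries) and what it does not catch without the auditor's checkpoint (silently dropping the newest entries).

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain head before the first entry is written


def _link_hash(prev_hash: str, body: dict) -> str:
    """Digest of (previous hash || canonical JSON of this record's fields)."""
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # hashes the same way regardless of how the dict was built.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AccessLog:
    """Append-only access log; every entry's hash covers the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def record(self, who: str, what: str, where: str, when: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"who": who, "what": what, "where": where, "when": when, "prev": prev}
        digest = _link_hash(prev, body)
        self.entries.append({**body, "hash": digest})
        return digest

    def checkpoint(self, auditor_key: bytes) -> str:
        """HMAC over the current chain head. Hand this to the auditor (separation
        of duties): the log owner must not be able to regenerate it after truncating."""
        head = self.entries[-1]["hash"] if self.entries else GENESIS
        return hmac.new(auditor_key, head.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(entries: list, auditor_key: bytes = None, checkpoint: str = None):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    Without a checkpoint this detects edited or deleted entries but NOT removal of
    the newest entries, because a shortened chain is still internally consistent.
    With the auditor's key and checkpoint, a head that no longer matches is
    reported at index len(entries)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev or _link_hash(prev, body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    if checkpoint is not None:
        expected = hmac.new(auditor_key, prev.encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, checkpoint):
            return False, len(entries)
    return True, None


def demo() -> dict:
    """Constructed sample records; returns the verification results for each scenario."""
    auditor_key = b"held-by-the-auditor-not-the-log-owner"  # hypothetical key
    log = AccessLog()
    log.record("alice", "design/bracket-envelope.pdf", "vault-A", "2009-11-07T09:12:00Z")
    log.record("bob", "inventory/count-2009-11", "warehouse", "2009-11-07T10:30:00Z")
    log.record("carol", "design/bracket-envelope.pdf", "vault-A", "2009-11-07T11:05:00Z")
    cp = log.checkpoint(auditor_key)

    edited = [dict(e) for e in log.entries]
    edited[1]["who"] = "mallory"  # rewrite who accessed the inventory count

    deleted = [dict(e) for e in log.entries]
    del deleted[1]  # drop the middle record entirely

    truncated = log.entries[:-1]  # quietly drop the newest record

    return {
        "intact": verify(log.entries, auditor_key, cp),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "truncated_chain_only": verify(truncated),
        "truncated_with_checkpoint": verify(truncated, auditor_key, cp),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the checkpoint is the separation-of-duties item above: whoever can append to the log must not hold the key that signs its head, otherwise they can truncate the log and re-sign. In practice the checkpoint would be written to a system the log owner cannot modify (an auditor's store, a write-once medium, or a partner's copy) on a regular schedule, so that only the records written since the last checkpoint are exposed to truncation.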

Performance

Policy and process decisions must weigh trade-offs based on business performance impact:

* Business value of sharing information

* Cost of implementing proposed controls

* Consequences of compromising the information
