Sarbanes-Oxley and corporate OPSEC programs
The SEC, in a letter dated 5 August 2004, said “the Sarbanes-Oxley Act of 2002 and the Commission’s rules promulgated under the Act seek to strengthen pre-existing standards for internal controls, thereby potentially improving the ability of companies to track the costs and impact of economic espionage and theft of intellectual property.” This view was not anticipated by most companies, and has produced confusion as to what is required.
It appears clear from this letter that companies, independent of their size, now have a requirement under Sarbanes-Oxley to have a system in place – the “existing standards” which we rarely encounter in any company – to deal with competitive intelligence and economic espionage, two primary sources of loss of critical information!
Confusion regarding this area is not surprising when one considers how completely this area has been neglected by the business community. Anti-espionage is not considered a mainstream business activity. You would be hard-pressed to find a corporation where a senior executive is tasked with the identification and protection of critical information from competitive intelligence and economic espionage. You would be hard-pressed to find any business school that deals with the issue. You would be equally hard-pressed to find a major consulting company with any anti-espionage experience. Very few people in academia, business, or consulting have ever heard of OPSEC.
Equally astonishing, even though there is an entire government agency (the Interagency OPSEC Support Staff, http://www.ioss.gov/ ) whose sole charge includes promulgating OPSEC, many former FBI and Secret Service folk hired as directors of security for major corporations are generally unaware of this discipline. This is due to a combination of cultural approaches and considerations, not the least of which is that OPSEC includes systems analysis and planning, two traits rarely understood in the physical security community.
Based on the SEC letter, it appears that companies need to establish their own protocols to apply OPSEC analysis and planning within their companies. When your company finally takes the plunge into OPSEC, what should you expect? For a start, the disruption and cost of implementing an OPSEC program will be trivial compared with any other area of Sarbanes-Oxley compliance. In addition, an OPSEC program goes well beyond protecting the shareholder: it reduces the likelihood, costs, and repercussions of losses from competitive intelligence and economic espionage, so you can create an economic gain rather than incur a mere compliance cost.
Another benefit is that implementation of an effective OPSEC program can be done in stages. Although the process is not trivial – our custom-developed checklist is over 50 pages long – the concept is simple. A lot of what needs to be done comes with education, awareness, and making smarter decisions and small changes. Compare this to the costly technical investments needed to implement network security and information security programs.
Management buy-in and executive training
First we start with training senior management and their staff, so that they understand the risks, the OPSEC process, and its benefits. Once senior management has bought into the process – and it will not otherwise work – we can work with your people to implement a program on the corporate level. This is usually quite straightforward, as the exposure at this level is less than lower down the corporate food chain.
Procedural and educational training
Once there is management buy-in, we work to help the company develop an in-house procedural and educational program, which comes in two parts. The first part is awareness training. If people are conscious of risks that can cost them their jobs, they tend to take things more personally, and will talk about the work with people who have some need to know, and be more restrained with those who don’t really need to know. Nearly all areas of the company need this information. One of the most often overlooked communities in an organization is the administrative or secretarial staff. These people handle nearly every document and travel schedule. If you want to understand where the boss spends his time and what the relationships are between the company and external entities, check out the secretarial pool.
The second part is the development of procedures and forms to ensure that employees, subcontractors, partners, OEMs, and associates formally sign off that they understand what they are and are not allowed to do, and that when they are no longer associated they sign off on this again as part of their exit from the organization or project. These procedures also affect subcontractors, joint-venture partners, suppliers, and everyone else with whom you have relationships.
OPSEC audit and implementation of vulnerability reduction
We then work together to audit the specific threats and vulnerabilities that exist within the various parts of the company, as well as the impact from possible losses. From these, the risk level can be calculated, and a management decision made as to what countermeasures should be put in place. This largely falls to middle management, who most intimately understand the processes, some of the real threats, and many of the vulnerabilities. With a little focused training, they can make a reasonable decision as to where scarce dollars should be spent to most effectively minimize risk.
Ongoing audit and change
Threats and vulnerabilities change as business changes, and it is important that regular reviews be done to make sure that countermeasures are still appropriate in our dynamic world. By doing so, we can maximize our scarce resources, and minimize our ongoing exposure and loss.
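The audit step above (threat, vulnerability and impact feeding a risk level, then a management decision on countermeasures) and the ongoing review can be made concrete with a small risk register. The following is an added illustration, not code from the article or from any OPSEC checklist it mentions; the 1-to-5 rating scales, the assets, threats, costs and dollar budget are all constructed sample values, and the greedy "risk reduction per dollar" ranking is one simple way to answer the "where should scarce dollars be spent" question, not a prescribed method.

```python
"""Added example: a minimal OPSEC risk register with countermeasure prioritisation.

Each register entry pairs a piece of critical information with one threat to it
and rates likelihood, vulnerability and impact on a constructed 1-to-5 scale.
Risk is the product of the three ratings; countermeasures lower the
vulnerability rating of the assets they cover, and are chosen greedily by risk
reduction per dollar within a budget. Re-running plan_countermeasures() on an
updated register is the "ongoing audit" step.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str          # critical information being protected
    threat: str         # who or what is likely to collect it
    likelihood: int     # 1-5: chance this threat actually pursues the asset
    vulnerability: int  # 1-5: how easily the asset can be collected today
    impact: int         # 1-5: business cost if the asset is lost

    def score(self) -> int:
        return self.likelihood * self.vulnerability * self.impact


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    # asset name -> vulnerability rating the asset drops to once this is in place
    reduces: dict[str, int]


def register_score(items: list[RiskItem]) -> int:
    """Total risk across the register (sum of per-entry scores)."""
    return sum(i.score() for i in items)


def apply(items: list[RiskItem], measure: Countermeasure) -> list[RiskItem]:
    """Return a new register with the measure's vulnerability reductions applied."""
    out = []
    for i in items:
        if i.asset in measure.reduces:
            v = min(i.vulnerability, measure.reduces[i.asset])
            out.append(RiskItem(i.asset, i.threat, i.likelihood, v, i.impact))
        else:
            out.append(i)
    return out


def plan_countermeasures(items: list[RiskItem], measures: list[Countermeasure],
                         budget: float) -> tuple[list[str], float, int]:
    """Greedy plan: repeatedly take the affordable measure with the best
    risk reduction per dollar. Returns (chosen names, dollars spent, residual risk)."""
    current = list(items)
    remaining = list(measures)
    chosen: list[str] = []
    spent = 0.0
    while True:
        best, best_ratio = None, 0.0
        for m in remaining:
            if spent + m.cost > budget:
                continue
            reduction = register_score(current) - register_score(apply(current, m))
            ratio = reduction / m.cost
            if reduction > 0 and ratio > best_ratio:
                best, best_ratio = m, ratio
        if best is None:
            break
        chosen.append(best.name)
        spent += best.cost
        current = apply(current, best)
        remaining.remove(best)
    return chosen, spent, register_score(current)


# Constructed sample register (ratings are illustrative, not measured).
SAMPLE_REGISTER = [
    RiskItem("Q3 product roadmap", "competitor CI analyst", 4, 4, 5),
    RiskItem("Executive travel schedule", "competitor CI analyst", 3, 5, 3),
    RiskItem("Supplier pricing terms", "departing employee", 3, 3, 4),
    RiskItem("Executive travel schedule", "social engineer", 2, 5, 3),
]

# Constructed candidate countermeasures with illustrative costs.
SAMPLE_MEASURES = [
    Countermeasure("Awareness training for administrative staff", 5000,
                   {"Executive travel schedule": 2}),
    Countermeasure("Signed need-to-know and exit sign-off for staff and partners", 8000,
                   {"Supplier pricing terms": 2, "Q3 product roadmap": 3}),
    Countermeasure("Need-to-know access control on roadmap documents", 20000,
                   {"Q3 product roadmap": 1}),
]

if __name__ == "__main__":
    print("baseline risk:", register_score(SAMPLE_REGISTER))
    chosen, spent, residual = plan_countermeasures(SAMPLE_REGISTER, SAMPLE_MEASURES, 25000)
    for name in chosen:
        print("apply:", name)
    print(f"spent ${spent:,.0f}, residual risk {residual}")
```

With the constructed values, the cheap awareness training for the administrative staff (the overlooked community the article points to) buys the most risk reduction per dollar and is chosen first; the expensive access-control measure does not fit the remaining budget and is left for a later review, which is exactly the kind of management decision the audit step is meant to surface.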
While some are irked by the fact that Sarbanes-Oxley has forced them to do many new things, OPSEC will turn out to be the least painful, the least costly to implement, and the most likely to increase your bottom line.