1. Session 602 Exploring the Evolution of Access: Classified, Privacy, and Proprietary Restrictions

2. The Proprietary Nature of Private Enterprise Sarah A. Polirer SAA Conference August 27, 2011

3. 3 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Talking points  Define  Information types & examples  Risk management & impact of loss  Information classification  Access matrix

4. 4 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Food for thought ASIS 2007 study  “75% of most organization’s value and sources of revenue creation are intangible assets, intellectual property competitive advantage… and likely to be bought, sold, disseminated, shared, licensed, or traded as part of the transaction.” Ocean Tomo Intellectual Capital Equity 2011 study  “estimates the value of intangibles at around 81% of S&P 500 companies’ value – a significant portion of which is represented by patented technology, trade secrets, proprietary data, business processes and go to market plans”.

5. 5 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Food for thought Foley, Foley & Lander 2006 findings  “In the 1970s, a typical company’s market capitalization was 80% tangible assets and 20% intangible assets. Now the typical market capitalization is 15% tangible assets and 85% intangible assets.”  “Trade secrets are estimated to comprise 80% of the assets of ‘New Economy’ companies.”  “estimated that the value of trade secret information held by US publicly-traded companies alone is more than $5 trillion.” –

6. 6 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Defined  Proprietary – “belonging to ownership; belonging or pertaining to a proprietary (owner) who has legal right or exclusive title to property, business, etc.”  Proprietary Information – “in trade secret law, information in which the owner has protectable interest”  Proprietary Rights – “those rights which an owner of property has by virtue of his ownership… title and possession and is an interest or right of one who exercises dominion over a thing or property”

7. 7 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Legal Definition  Federal Acquisition Regulation (48 CFR 27.402 Policy) – “A property right or other valid economic interest in data resulting from private investment. Protection of such data from unauthorized use and discloser is necessary to prevent the compromise of such property right or economic interest.”  Economic Espionage Act (18 USC 1831-39) – defines trade secrets and gives them protection under federal law along with patents, creative works and copyright  39 U.S. laws – remedy under theft of trade secrets  State laws and Case law

8. 8 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Information Types  Financial information – pre-released information  Marketing & Advertising – market share and planning information  Sales & Product specifications – demographics – customer-related information (also HIPPA related) – strategic business planning  Legal and Compliance – mergers, acquisitions, divestitures – Minute books – patents, trademarks, trade secrets, copyrights  IT information – system information  Research & Development – technical specifications  Human Resources – personnel information

9. 9 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Examples  Financial Information – accounting including assets, expenses, costs, profit, margins – audit – pre-released financial reports – budgets, quotas and targets – tax information – sales and order volumes prior to quarterly/annual releases – specific products sales information, orders or projections  Marketing & Advertising – product-introduction plans and dates – market share and competitive position – short and long term market strategy or customers  Sales & Product information – vendor names/relationships/ demographics – production and inventory levels – future plans and sites – material costs – statistical information – chemical formulas – manufacturing processes – sales demographics & prospects lists – business processes

10. 10 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Examples  Legal – merger, acquisition, divestiture plans and related data – litigation information – pre-released business strategies – pending investments and investment strategies – Board meeting minutes – shareholder information  IT information – systems information – product descriptions & standards – source codes – business plans – security plans  Research & Development – technical and performance specifications – technical reports – product plans – projects in progress – project problems or product code names  Human Resources – benefits – employee identification information – payroll – personnel personal information – philanthropy

11. 11 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Impact of loss  Reputation  Image  Goodwill  Competitive advantage  Core technology  Profitability

12. 12 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Risk Management  Identify the information – Quantify the information’s value – Cost-benefit analysis – Regulatory requirements (e.g. SOX, FASB)  Assess threats vulnerability  Assess impact of loss if disclosed  Identify existing/planned security controls  Determine information rank  Prioritize risk

13. 13 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Classify Information  Based on findings of Risk – Impact of disclosure – Ownership/Access Rights – Security Mechanism – Examples Public Private/Confidential Proprietary – Levels of Proprietary

14. 14 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Information Classification Matrix

15. 15 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Rate Risk Factors

16. 16 SAA - August 27, 2011Sarah A. Polirer, CA, CRM Handling Access

17. 17 SAA - August 27, 2011Sarah A. Polirer, CA, CRM THANK-YOU