Tuesday, March 1, 2011

Technology Protection and Foreign Travel

Red Bike Publishing's NISPOM
Anytime an employee travels abroad, they should expect to be liberated from their computer at the host country's customs. They should also expect to have the hard drive duplicated, files read and etc. These are the contingencies for which astute technology control officers, export compliance officers and security specialists plan. Sensitive, and protected technology should not be contained within computer and related media without proper permissions.

Foreign governments want US Technology and aggressively seek it and defense contractors should make the information very difficult to get. However, they may spend too many resources on actions that don't address the real threat. For example physical security efforts may focus on fortifying businesses with barriers, alarms, access control, cameras and etc. Risk assessments indicate that technology is leaked through careless or malicious employee behavior or actions taken due to poorly understood responsibilities and security discipline.

Export compliance officers and Facility Security Officers should develop a culture within their organizations to prevent unauthorized disclosure of economic, classified or sensitive information. Such practices include destroying sensitive waste properly, locking all desk and cabinets drawers after work, and using access control to keep employees, vendors and non-US persons from accessing unauthorized areas.

Prior to cleared employee travel anywhere, they should be given a defensive security briefing. A defensive security briefing is for cleared employees who travel overseas and may be vulnerable to foreign entity recruiting methods. They could be tailored for protecting export controlled information and given to all employees who travel abroad. Briefings should be constructed to make the traveler aware of their responsibilities to protect employees, product, customers and those with which they do business.

If technical data and laptop computers will be travelling with employees, export controlled information not under license or TAAs should be removed from the computer. Some companies issue special travel computers with only the information needed to conduct business ensuring the information is authorized by license or agreement with the State or Commerce Department to prevent an exports violation.

Those conducting export operations should ensure that such actions are authorized with a license and or TAA before discussing technical data that falls under exports compliance. Employees should know the boundaries in advance before sharing any technical information with the foreign hosts. Additionally, a sanitized computer provides no threat of export violations or theft of economic or corporate data. An organization's information technology department or equivalent could provide a sanitized computer for the traveler's administrative needs. Travelers should keep technical information close at hand and prevent unauthorized disclosure of anything that could lead to export violations or the release of proprietary data.

When making corporate travel plans, a trigger mechanism should be in place to notify the security office of an employee's need to travel on international business or pleasure. This includes plans for Canada, Mexico and Caribbean Countries. The security department can then construct a defense briefing for the specific area after researching the area to be traveled. The State Department has a great website which can inform the business and the traveler on all necessary travel documentation and what to expect while abroad (www.state.gov).

Some threats an employee can face while abroad are economic and intelligence related. Economic Threat is the theft of technology and commerce. The agent may be after formulas, financial gain and etc. Foreign entities may target classified or company sensitive information to gain a competitive edge.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing http://www.redbikepublishing.com. You can register for our newsletter at our website.

No comments: