Secure Collaboration in A&D
Has regulatory compliance affected your efforts to achieve secure collaboration?
April 13th, 2009 | Secure Collaboration in A&D | Posted by Richard Prince
Almost all A&D organizations have different classes of IP which must be secured and managed. These classes are typically designated based on the nature of the underlying content and the degree to which regulations or internal policies dictate processes for controlling access. Some typical content designations include the following:
- Proprietary Information subject to Proprietary Information Agreements (PIAs)
- Confidential Information subject to Non-Disclosure Agreements (NDAs)
- Secret or Top Secret content
- Classified or Unclassified content
- ITAR or Export Control regulations, subject to US State Dept. authorized agreements
This week’s discussion is focused on understanding which types of regulations and requirements are prevalent within your organization and within your industry segment as they relate to secure collaboration. The goal of this discussion is to identify the different forms of regulatory requirements and to discuss some of the challenges of managing content in these classes. Specifically:
- Are there specific classes which are more difficult to manage than others?
- Are some classes very technical and as such more difficult to understand and manage?
- How does your organization continuously train and educate employees regarding these regulations and their associated requirements as they evolve?
- What are some of the typical problems you see with how your IP is managed according to these regulations?
- In general terms, what are some best practices you would be willing to share regarding how your organization manages content subject to regulatory requirements?
Please share your experiences and best practices regarding regulatory compliance.
Comments
Richard Prince Says:
April 14th, 2009 at 3:56 pm
My experience in the A&D industry has shown that many organizations have deep concerns and fear about regulatory compliance. The fear largely manifests from the knowledge of financial penalties associated with ITAR non-compliance as well as concerns about industrial espionage. Clearly, recent news reports about the significant Chinese threat of the theft of IP and military knowledge only serve to heighten these concerns.
Most companies simply adopt a “closed” door policy where their digital environment and infrastructure is a DMZ where internal access is the ONLY form of access. In this event, the only means for exchange of data and IP outside the enterprise is through ad hoc and undocumented channels. In my opinion, this is the worst possible consequence. We fear the inadvertent or incorrect transfer of technology or IP yet we accept that users across your enterprise can simply e-mail data to an external source with no form of security or traceability.
We need to safeguard these assets. We need the means through which to identify users by organization, citizenship and location, and we need the means through which to tag data according to IP classifications such as PIA, NDA, ITAR, etc. We need the means through which to securely exchange data and record who sees what data, when and the exact type of disclosure.
I know these issues fester in the hearts and minds of your Export Control Officers, your Technology Control Officers and your IT specialists. As an industry, we need some dialog so we can begin to share best practices and lessons learned for the benefit of our organizations and our country.
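The comment above calls for three things: identifying users by organization, citizenship and location; tagging data with its classification (PIA, NDA, ITAR); and recording who saw what, when and by what type of disclosure. The following is an added illustration, not code from the original post or from any product, of how those three pieces fit together as a deny-by-default attribute check with an audit trail. The `User`, `Document`, `AccessPolicy` and `build_demo` names, the sample organizations (Acme, Widget) and the rule bodies are constructed for this example; in particular the ITAR rule is a deliberately simplified assumption for illustration, not a statement of what the regulations actually require.

```python
"""Attribute-based access check with an audit trail for tagged A&D content.
Added example; the rules are a simplified assumption, not the actual regulations."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class User:
    user_id: str
    organization: str
    citizenship: str  # ISO 3166 country code
    location: str     # country the user is connecting from


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_org: str
    tags: FrozenSet[str]  # subset of {"PIA", "NDA", "ITAR"}; empty means unrestricted


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    doc_id: str
    disclosure: str           # "view", "download", "print", ...
    allowed: bool
    reasons: Tuple[str, ...]  # empty when allowed


class AccessPolicy:
    """Deny-by-default: every tag on a document adds a rule that must pass."""

    def __init__(self) -> None:
        # Organizations party to a PIA / NDA with each owning organization.
        self.pia_parties: Dict[str, Set[str]] = {}
        self.nda_parties: Dict[str, Set[str]] = {}
        # (organization, citizenship) pairs authorized per ITAR document; this stands
        # in for the State Dept. authorized agreements the post mentions (assumption).
        self.itar_authorizations: Dict[str, Set[Tuple[str, str]]] = {}
        self.audit_log: List[AuditEvent] = []

    def _agreement_rule(self, kind: str, parties: Dict[str, Set[str]],
                        user: User, doc: Document) -> List[str]:
        """PIA/NDA rule: the owner's own staff pass; outsiders need an agreement on file."""
        if user.organization == doc.owner_org:
            return []
        if user.organization in parties.get(doc.owner_org, set()):
            return []
        return [f"{kind}: {user.organization} has no {kind} with {doc.owner_org}"]

    def _itar_rule(self, user: User, doc: Document) -> List[str]:
        """Simplified ITAR rule (assumption): a US citizen located in the US at the
        owning organization passes, as does an explicitly authorized
        (organization, citizenship) pair for this document. Everyone else is denied."""
        us_person_at_owner = (user.organization == doc.owner_org
                              and user.citizenship == "US" and user.location == "US")
        pair = (user.organization, user.citizenship)
        authorized = pair in self.itar_authorizations.get(doc.doc_id, set())
        if us_person_at_owner or authorized:
            return []
        return [f"ITAR: no export authorization for {user.organization}/{user.citizenship} "
                f"accessing from {user.location}"]

    def decide(self, user: User, doc: Document, disclosure: str) -> AuditEvent:
        """Evaluate every tag, then record who saw (or was refused) what, when and how."""
        reasons: List[str] = []
        for tag in sorted(doc.tags):
            if tag == "PIA":
                reasons += self._agreement_rule("PIA", self.pia_parties, user, doc)
            elif tag == "NDA":
                reasons += self._agreement_rule("NDA", self.nda_parties, user, doc)
            elif tag == "ITAR":
                reasons += self._itar_rule(user, doc)
            else:
                reasons.append(f"unknown classification tag {tag!r}")  # fail closed
        event = AuditEvent(timestamp=datetime.now(timezone.utc).isoformat(),
                           user_id=user.user_id, doc_id=doc.doc_id, disclosure=disclosure,
                           allowed=not reasons, reasons=tuple(reasons))
        self.audit_log.append(event)  # every decision is traceable, denials included
        return event

    def disclosures(self, doc_id: str) -> List[AuditEvent]:
        """Trace of every successful disclosure of one document."""
        return [e for e in self.audit_log if e.doc_id == doc_id and e.allowed]


def build_demo() -> Tuple[AccessPolicy, Dict[str, User], Dict[str, Document]]:
    """Constructed sample data: Acme owns the content, Widget is an NDA partner."""
    policy = AccessPolicy()
    policy.nda_parties["Acme"] = {"Widget"}
    users = {"alice": User("alice", "Acme", "US", "US"),
             "bob": User("bob", "Widget", "US", "US"),
             "carol": User("carol", "Widget", "DE", "DE"),
             "dave": User("dave", "Other", "US", "US")}
    docs = {"spec": Document("spec", "Acme", frozenset({"NDA"})),
            "drawing": Document("drawing", "Acme", frozenset({"NDA", "ITAR"}))}
    return policy, users, docs


if __name__ == "__main__":
    policy, users, docs = build_demo()
    for name in ("alice", "bob", "carol", "dave"):
        for doc in docs.values():
            e = policy.decide(users[name], doc, "view")
            print(f"{e.user_id:6} {e.doc_id:8} {'ALLOW' if e.allowed else 'DENY '} {'; '.join(e.reasons)}")
```

Two design points matter more than the specific rules. First, the policy fails closed: an unknown tag or a missing agreement produces a denial rather than silently passing, so a mis-tagged document errs toward too little disclosure. Second, denials are logged alongside grants, which is what lets an Export Control Officer answer "who tried to reach this drawing, from where, and why were they refused" after the fact rather than reconstructing it from e-mail.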