
Protecting Your Intellectual Property-Sonia Luna Interviews Robert Smallwood


With the new COSO Framework, be sure to ask: who will be touching and handling your intellectual property? Does your company outsource, and does the outsourcing company have a confidentiality agreement? Robert addresses these and other issues in this informative and compelling interview.

Robert is an Information Governance and e-records consultant, speaker, and noted author of the new book Information Governance: Concepts, Strategies, and Best Practices, published last month. His other publications include Managing Electronic Records: Methods, Best Practices and Technologies and Safeguarding Critical E-documents: Implementing a Program for Securing Confidential Information Assets.


0:05 Sonia Luna

Hi! I'm Sonia Luna, CEO and founder of Aviva Spectrum, an internal audit and compliance consulting firm headquartered in Los Angeles, California. I'm also a well-known speaker on topics like COSO 2013, SOX 404, Quality Assessment Reviews, Internal Auditing and related topics. Today's interview is with Robert Smallwood. Robert is an information governance and records consultant, speaker and a noted author of a recently published book titled Information Governance: Concepts, Strategies, and Best Practices. His other publications include Managing Electronic Records: Methods, Best Practices, and Technologies and also Safeguarding Critical E-Documents: Implementing a Program for Securing Confidential Information Assets. Welcome, Robert.

0:55 Robert Smallwood

Thank you. Appreciate it. I'm glad to be here.

0:58 Sonia Luna

We're excited to have you as well. I wanted to get started with a term that I hope our members can already gravitate towards, which is intellectual property. In terms of the IT definition, can you share with our listeners how you define intellectual property?

1:18 Robert Smallwood

Well, you know, the short of the formal definition is typically a creative work like a patent, a copyright, a manuscript, a design, blueprints, those kinds of things that are patentable and can be protected by law. And this could include even just the packaging of your product or other trade secrets. But I guess for purposes of protection and auditing and security, I would expand that definition a little more to include any confidential information in an organization that helps it maintain its competitive position. So this could include strategic plans, your internal strategic plans, marketing plans, price lists, your vendor list, your customer and prospect mailing lists, even your company's internal best practices. So if these were leaked or your competition got hold of these things, it would give them an advantage. They would know what you're doing or perhaps what you're planning on doing. So although those confidential documents don't represent IP, I believe that they need to have the same level of care and protection, because it can threaten your competitive position if they leak out.

2:38 Sonia Luna

Right. So really it's not just a list type of term, it's also kind of putting together your competitive-advantage inventory, a list of items like you said: those best practices, customer lists, core strategies, or who knows, maybe even financial modeling that you've come up with that's confidential. So it seems like the definition is pretty broad.

3:05 Robert Smallwood

It's pretty broad in my view, but I guess the reason to be wary of that is there are incidents of hacking left and right, and there was an incident at the UN in Geneva where they found out that the Chinese had hacked in and had been monitoring the UN's emails and all their activities in the Geneva office for three or four years. So you could have an intrusion or a breach and not be aware of it. It could be going on right now and you would not be aware of it, because there are certain techniques that hackers can use to cover their tracks. So you really need to focus on protecting that intellectual property directly -- that confidential information directly -- so that even if it does get accessed they're not able to actually read it and view it. Now, I'll give some examples of some technologies that can do that.

4:02 Sonia Luna

Okay. Great. I think our listeners would love that. And also, just to switch gears to the new 2013 COSO framework: we've now seen a more comprehensive view of corporate governance impacting outside service providers. Can you share with our listeners some key best-practice solutions for how to successfully outsource the management and monitoring of their intellectual property?

4:30 Robert Smallwood

Yes. My recommendations would be similar to when you select a Cloud provider or outsource most anything IP related. So you're gonna want to ask questions like: does this outsourcing company, this provider, subcontract, or are they allowed in your contract to subcontract, and what sort of scrutiny are those subcontractors under? Are they obligated to comply with US laws? For instance, one firm outsourced the management of their electronic medical records to a company in India, unbeknownst to the original company, the original hospital. And later the employees of that company decided they had something that they could reveal to the public and that was worth something to them, so they demanded to be paid much more or they would reveal all these medical records publicly, which in our country would be a violation of HIPAA and health care privacy laws, but they're not bound by that, and there was no way to stop this because the subcontracting was done without the hospital knowing originally. So you need to know: can they subcontract? This is a contractual issue up front. Can they subcontract, and then how are those subcontractors scrutinized? That's one key thing. Another key thing, if you're outsourcing the handling of your IP, and this could also mean just shipping blueprints or designs to China for use but you still want to protect them after that: what is that company's employee screening process? Are the employees bonded? Do they sign confidentiality agreements? And are they US based and subject to US laws? That's another question to ask. Who's gonna be touching and handling my IP? Another question to ask is, do they handle the IP of perhaps any of your close competitors?

6:23 Robert Smallwood

And if you're a bank and there's a bank across the street, are you both customers of the same outsourcing firm? What safeguards are in place to ensure that your IP cannot be hacked by that competing firm or an insider? So what measures are in place? Do we have a dedicated server, for instance, or are they using virtual machines where perhaps our data could be sitting next to our competitor's data and they have access to it, perhaps through a backdoor they could access it? So you need to ask those kinds of questions. Where is the IP gonna physically reside, and what security measures are in place? Another thing I would recommend is to ask about their security audit processes. Are IT security standards being employed? There are standards like the ISO 27001 series, through 27006 -- 27001, I believe, which is an IT security standard. Or are they using ISO 38500 or IT governance frameworks like COBIT or ITIL? So what sort of standards and best practices are they using in their shop? And are they using best practices, for instance, in database security, and then what technology is being used? So are they encrypting your databases, are they masking the databases? Do they encrypt communications to you, or do they use a technology that I'd like to introduce, that most people don't really know about, called information rights management? You're probably familiar with digital rights management, which is protecting against copying of music or videos, and that's sort of in the retail marketplace. But in the enterprise marketplace, information rights management means protecting any kind of confidential documents or any kind of IP.

8:16 Robert Smallwood

So information rights management is software that can, upon creation of a document, secure that document, and you assign the rights at that time: the right to view, the right to print, the right to edit.

8:29 Sonia Luna

Edit. Yeah.

8:31 Robert Smallwood

That type of thing. And even the right to forward that document. Or there is contextual information rights management software now; some of this development is coming out of military applications in Tel Aviv, and contextually they've developed the ability to say, maybe you are allowed to print a report in your accounting department, but someone from human resources or from purchasing can view the reports but can't print them, so it's contextual. Or maybe you can view them from your desktop but not from your laptop, or maybe you can view them during the business day but not after hours, that type of thing. So it controls all of the access to and use of information, even after that IP leaves the company. So, for example, if you have an employee that might have all of your trade secrets and IP on their laptop, as soon as they're terminated or they quit you can switch off the access to those documents, and they are lying there encrypted. So if they try to open them, the next time it has to go to the Cloud or to a server to get authority to open those documents. So you have instantly turned off access to those encrypted documents upon termination. So you can still have control of documents once they leave the organization using information rights management technology. We can talk about that a little bit more, but other questions I would ask are: are they using the Cloud? Is this outsourcing provider that's managing your IP gonna use the Cloud? Cloud is very popular, it's very economical. They may be using it, they probably are, so what kind of measures are they using in terms of security? And I guess one more would be the backup and disaster recovery plans, and have those been tested?

10:25 Robert Smallwood

I lived in New Orleans for 25 years and I was in the midst of Hurricane Katrina. In fact, my first book was about my Hurricane Katrina experience, and there was an internet company downtown that had tested their disaster recovery plan. They had a generator in the basement that they'd actually run their entire data center on for a week, and this was just what they did every year. Well, when Hurricane Katrina hit, they were the only ones that were up and they were still servicing their customers, and they were still keeping hospitals going...

10:56 Sonia Luna


10:58 Robert Smallwood

So they tested their plan, and the biggest problem they had was that after a week there just wasn't any fuel coming into town. So they were on the radio and any other way trying to ask people to bring in diesel fuel to keep their generator running, because they were keeping the information systems at some hospitals running at the time. So all of those kinds of things need to be considered when you're outsourcing your intellectual property.

11:24 Sonia Luna

Wow. I mean, that's an amazing story, or a success story actually, of testing and running a disaster recovery system, the importance of it and the fact that it worked. Obviously you can't think of every single thing that could go wrong, like the diesel fuel issue. I mean, who would really expect that they're gonna be down for weeks or months at that time, right?

11:51 Robert Smallwood

Right. Nobody expected that a hurricane would ever hit New Orleans directly, and I know guys that are in the disaster recovery and continuity business who could not get anybody to buy into creating a plan because it just had never happened. Well, same thing really along the East Coast, and they had Superstorm Sandy last year. So it can really happen, so you really do need to have plans and they really do need to be tested.

12:15 Sonia Luna

Right. And I love that you listed the questions to ask about, you know, can that service provider you hire subcontract, is that a key term and condition of your contract. I know there's cloud service provider guidance that's been put out there, and when I go out speaking sometimes I mention it's not just the fact that you picked a provider, but you need to understand the security policies and procedures of that provider, and also what are they doing to ensure that your assets, right, corporate assets, are being protected, because not all of them view your data the same way. Some providers think, "Oh well, you're in this geographical location," therefore everybody gets treated this way. They don't think about portioning out, let's say, by customer type sometimes, or by, let's say, security-related issues or the type of data that you have. So it's critical to start asking those questions. Some of them are in that guidance, but I like the fact that you've mentioned COBIT, which is a very key framework for IT auditors. And then there's also that ISO -- it was 2000-and -- was it 7 that you mentioned, which is an IT security...

13:34 Robert Smallwood

Security, 27001.

13:36 Sonia Luna

Yeah. 27,000. Thank you.

13:38 Robert Smallwood

And it goes from 1 to 6, and then there's one for IT governance, which COBIT is really in line with, which is ISO 38500. So are they employing those? Are their auditors finding that they're following, or are they compliant with, those?

13:54 Sonia Luna

Yeah. No, no. I really appreciate those little tidbits for our listeners, and I wanted to switch gears to something that -- well, the wow factor for me is the fact that you've published three books in 21 months, which is a great inspiration for me; number one, I've always wanted to write a book. But what was your inspiration for this latest book on information governance? It's called Information Governance: Concepts, Strategies, and Best Practices.

14:21 Robert Smallwood

Well, I actually signed a contract with Wiley three years ago to write a series of three books, and the third one was this last one, Information Governance, and actually I had a narrower scope proposed originally. I was gonna just concentrate on documents and records, but as I progressed through the writing and research and publication of the other two books, one on protecting confidential e-documents and the second one on managing electronic records, and then as the Information Governance Reference Model came into play, which identifies five key impact areas of information governance, I broadened the scope of that book. But really my motivation was to formally define the field and to bring some clarity and actionable plans in the IG space, and it identified best practices out there in what is really a __15:13__ field. Information governance is something that -- I spoke in LA a couple of weeks ago at a meeting, and this audience is supposed to be concerned with information governance, and I asked them, who here can tell me the definition of information governance, who has a clear idea? Not a single hand went up. And so that's the problem. I have developed a 10-word definition of information governance, which is: control of information to meet legal, regulatory and business demands. So control meaning your processes, your policies and controls; legal meaning e-discovery or FRCP rules, any kind of legal requirements; regulatory would be external requirements to retain records for a certain period of time, five years, seven years, whatever it might be; and your business demands, which would be what your goals are in your internal business plans.

16:19 Robert Smallwood

And so you can do all that with information governance by controlling the information and really who has access to what information, when. But when I started writing the book, the definitions of information governance that were out there were -- I mean, I'll give you a couple of examples. Gartner's definition, which is still on their website, is "the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals." Well, all that's true, but nobody can remember it. It's just sort of...

17:04 Sonia Luna

Right. And your 10-word version is a lot simpler.

17:08 Robert Smallwood

Yeah. It's sort of too wordy, and I just sort of tried to boil that down. And then the Association of Records Managers and Administrators, they jumped in with their definition, and this is still what they hold to: it's a strategic framework -- and these are true, but they're just wordy -- "a strategic framework composed of standards, processes, roles and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use and dispose of information in ways that align with and contribute to the organization's goals." Again, nobody can remember that. So in short, information governance to me is just control of information to meet legal, regulatory and business demands. We can break it down and add to it from there, but you need to have a somewhat more succinct definition, I believe. So that was the key problem, really: to bring clarity into the marketplace as information governance matures as a discipline, because it's a cross-functional, multidisciplinary approach to managing information that involves legal people, it involves auditing people, it involves records managers, it involves IT, it involves your privacy and security people and your business units as well. So it crosses a really big swath of the organization.

18:31 Sonia Luna

Yeah, I know. I agree. I mean, it's not just one aspect of the organization; it covers all the major departments. Because if we think of objectives, it's not just one objective, it's the reason why the organization exists. So it's gonna cross all key departments.

18:49 Robert Smallwood

And one big thing, one big problem was that the CIO, the IT department, is responsible for sort of the pipes and the infrastructure, and they're cranking out reports and so forth. But in the organization, who gets access to that and who can use it and when, all of those policies need to be enforced by IT, but the policies have to come from the business units, from the people in the functional departments, from the people in legal, from the people in records management. So it's something that's gone sort of unheeded, and really information governance would have -- politics aside -- it would have saved the NSA a lot of heartache, because your policy should be that the lower-level employee shouldn't have access to certain documents, and your policy should be that you're running things like document analytics, where you can see, if a person normally downloads 20 documents or 30 documents a day and suddenly they're downloading thousands, or in this case millions, a big red flag should go off. There should be technology in there that's leveraged to be able to audit and control what your policies are, and obviously in that case the government failed there, and same thing with the WikiLeaks scandal at the DOD. A low-level private has access to confidential information and spills it. Well, policy should have been in place and it should have been enforced and audited by using technology.

20:19 Sonia Luna

Yeah. There's a couple of stories also, I mean, locally here in Los Angeles. I believe it was UCLA or Cedars-Sinai; it was a brand-name health care provider, and in short there was an audit done on who has access and why would they need access to certain health care records. And it turns out that certain celebrities' health care records were being accessed by people that shouldn't have had access, and they were being monitored and viewed, etc. So when things leaked out to the press it was kind of like, "Well, wait a minute, maybe we should look at how certain things at the hospital's facility leaked out." Because the patients were like, "Hey, I never told my friends any of this detail," but yet it's getting out in Los Angeles to TMZ and these other websites and other reporters, what was going on, until an audit was conducted and it turned up. It was because no one was actually auditing the process of monitoring who actually needs access to certain files. They had more of an open policy, and so that's actually one of the common failures we see. It's not only the access rights but changing roles. So someone in, let's say, accounting, they assume that this accounting function needs certain rights, and then what often happens, and this is where they get an audit failure, is, based on, let's say, performance evaluations or their function, or there has been a reduction in force or maybe an increase in the business unit and they need to increase their rights to certain things, but IT is never informed of the changing role, you follow? And how something needs to be reviewed. IT -- they would not know unless you tell them.

22:15 Sonia Luna

How were they gonna know that someone's function, their day-to-day activities and their job responsibilities have changed, because there are so many different people running around doing things in other departments? So it's more of a reactive mode in IT. It's always one of those audit tests that takes forever for us to get the details on, in terms of the department head or supervisors: it is your job function to evaluate that person's role and their job responsibility, and do they need to be switched on or off in these areas when it comes to access. And arguably it takes some months for them to get back to us in terms of the evidence, because it's one of those pain points. They would love an automated solution, just to kind of say: this is what you had last year, here's the new change for this individual, if they were granted any new changes, because they should have been aware of them anyway. But more of a -- instead of us doing it annually or sometimes quarterly, there should be a better process to kind of evaluate it, and it's always a pain point that I notice in a typical audit.

23:18 Robert Smallwood

Yeah, that's one thing I wanted to bring up later. That's what I call credential creep, where personnel in an organization, as they get promoted or transferred, continue to gather credentials, and the access that they have continues to grow. And there are automated solutions for that; it is called IAM, Identity and Access Management software, so if your listeners look up IAM or Identity and Access Management software, they will find out that there is a way to automate that. One example of that is a guy in a bank, I think it was maybe a credit line in __23:55_, it was __23:56__, and he just kept moving through the bank and getting promoted and transferred, and each time he gathered more and more credentials to the point where he had access to billions of dollars (laughs). He was making his bucks on the side with billions of dollars. So, you know, you have credential creep like that, where people gather credentials as their role changes through the organization, so you're right on about that.

24:19 Sonia Luna

Yeah. Yeah. And another kind of item that I know our listeners want to hear more about, and this is actually a topic in a recent discussion I had with __24:26__ executives here locally, in terms of a risk-based approach. So, you know, both auditors and the company want a risk-based approach when they are auditing, like, accounts or disclosures, etc., but what do you recommend to accomplish the most effective risk-based approach to auditing intellectual property?

24:50 Robert Smallwood

Well, I would use a structured planning approach that -- you know, just basically any kind of risk management: you identify the risks, evaluate the risks and mitigate the risks. And borrowing from chapter 4 of my new book, which is titled Information Risk Planning and Management, these are some steps. Create a risk profile, which is the basic building block of risk management, to assist your managers and executives in understanding the risks associated with your stated business objectives and the resources that are allocated, put in a structured way. So, you know, it could just be a table, a listing of, say, the top 10 potential risks, but it involves identifying, documenting, assessing and prioritizing those risks that you may face in meeting your business objectives. You might well look out not just for that year but three to five years. And like I said, it could just be a top 10 list, and then you have your risks and then you're gonna perform a risk analysis: so what is the potential impact? Are we talking about a major breach of our intellectual property? Are we talking about loss of design plans? Ford Motor Company, a few years ago, had some employees steal some designs for hybrid motors and sell them to the Chinese. Ford's loss was calculated to be $50 million to $100 million just on that one breach.

26:14 Sonia Luna


26:15 Robert Smallwood

You kind of can't get it back once you lose it, so what's the worst that can happen? So you'll determine the impact, and then you evaluate the risk levels in terms of, you know, how likely is that to happen, and then you make your report, the recommendations, and you try to review that periodically and update it. And then you have a risk mitigation plan: so what are your countermeasures? What policies are in place, what technologies are you gonna leverage, and then develop metrics and measure those results, and then execute that plan and audit against that. I'll give you an example, just a very simple one, really, for your listeners: what I had to do when I launched a series of online training classes just last month. So, I'm actually talking to you from Mexico right now, and so -- what are my risks? I've got online video that I'm gonna broadcast, and we have kind of flaky power sometimes, so a power outage is a real possibility. I can't have that when I am conducting a five-hour class. So I bought a backup UPS, an Uninterruptible Power Supply. I tested it over one weekend. It gave me more than 90 minutes' worth of time on the modem and computer, so that's great. And then I thought, what happens if something happens to that UPS? Okay. That's a risk...

27:30 Sonia Luna


27:31 Robert Smallwood

I bought another one, a backup to my backup. Okay. So they're both connected and they're both running. Now I've got that problem pretty well put to rest. Then I had software challenges: brand new software, I don't really know how to run it, not sure. I can't have a failure when I have students in class online, so this is a big risk. My initial classes have to go well, so I hired additional tech resources from the provider to be there for the first one to two hours each day to make sure things got connected and everything was working.

28:04 Sonia Luna


28:05 Robert Smallwood

And the result was, I've had two classes, 15 hours apiece over three days, and I have been up 100% of the time. So that worked, and I'm more comfortable now. I don't think I need the tech resources anymore, maybe a little bit. Then I had platform risks. I was using XP because it had dragged me along fine. So XP -- they announced they're ending that. And same thing with the software provider at the end of the year, so I bought a Win 7 machine, but what happens if something goes wrong with that? Okay, I bought a backup Win 7 machine, so I am using Windows 7; I've got a laptop and a desktop. Now I'm gonna broadcast video and I've got a potential problem, a single point of failure, if I have a webcam that goes out or does not work, or a USB connection does not work. So I have two backup webcams, and I have tested them, they work. Another risk was just losing my IP, losing the content that I created in a 30-hour class, so I do not publish the PowerPoint of that to the public domain, and now the training sessions are closed and this is a secure network. The only single point of failure I was left with is the network, and so far, knock on wood, it's been reliable. I just -- you know, I can't remember it being down, maybe once or maybe twice for a short period in the last year or two. So I just decided that was a risk that I'm willing to take. I could have installed a second network from a different provider, which would really give me redundancy there, but I felt it was okay to take the risk; all I did was, my backup is, I'll just walk outside and make a phone call with the US cellphone and let one of my colleagues know that, you know, I've got a problem. So that, in my simple way, was my way of identifying my risks and protecting my own intellectual property and making sure that these classes came off without a hitch.

30:05 Sonia Luna

Without a hitch. Yeah. I know, I mean, that's a very (laughs) true, you know, story about how you, in a crisis, are identifying your own risk and then obviously what your risk appetite is, you know, this whole network thing. You are willing to take on that risk because your risk appetite was there to take it, and most companies, they don't start from that point. They start from, "Hey, we're in business, we're making some money and these are our customers, we need to service them," and then in terms of those types of risk assessments, which need to be monitored, actually, frequently, not just the one annual (laughs) yearly exercise. Because risks do change, and it is actually something that I noticed in the new COSO framework and some of the guidance materials. They put out a case study where a company, it's a financial institution, they have different divisions, and in the case study they talk about, you know, this one division takes off like a rocket. Right! And everybody would naturally kind of say, "Hey, great, applaud that division for making more money," and very effective. But in the assessment of the COSO framework, in the case study that COSO puts out itself as an example, they say, "Well, wait a minute," the problem here is that nobody assessed the risks properly for that division doing a quick uptake, and then also the risks of the changes in the business; that's one of the key indicators in Principle 9 of the new framework. So what's happening in the marketplace, people are trying to identify this practice in a risk assessment, and in the materials that COSO put out they said, "You have a material weakness not only in terms of the controls of this division," C or D, whatever letter they gave it, "but you also failed in the risk assessment process itself," and it is because you don't wait until this one annual review of controls, you follow?
It is something that should have been brought about on a regular basis, and that was in the case study. So whenever I present that particular case in the risk assessment, it could cause a material weakness in your risk assessment process. I bring that up, and then people naturally think it was a control failure of just revenue recognition in the case study, but in reality it's not only that, but the failure to even have a good process in your risk assessment analysis. So it's something that I know a lot of our listeners are trying to get a handle on; this has been a hot topic actually for a number of years. I wanted to switch gears to areas of improvement, or some people would call it the most common mistakes auditors seem to make when they are auditing the management and protection of intellectual property. So what advice would you give our listeners who need to audit intellectual property? What advice would you give them to audit IP better?

32:51 Robert Smallwood

Uh-um. Well, I think some of this is gonna be really a review about what we talked about today and offer a couple more insights, I believe. And really, I think one thing is that auditing really, it should be postured as a continuous process improvement sort of tool in the organization, not so much punishment. So, when people are worried about getting audited, I mean they just -- you know, audit, audit -- they get scared, they get nervous. So, one thing is just posturing the audit as a way to see where we are and how we can improve, and it is in your process of securing your IP is gonna be an ongoing one because the business departments change and technologies change. It should provide feedback on how well you're doing and where you need to fine-tune certain policies, or maybe there are gaps in technology. So, you know, sort of more how are we doing and how do we get better, not so much -- you guys messed up and here it is. But I would say, critically to that, perhaps a mistake that auditors might make is to narrowly define intellectual property. To define it only as those things that are patentable or a copyright or can be registered legally. So, I would broaden that definition into confidential documents and internal plans, and that includes databases and records and software. I think another potential mistake is not considering some of the newer technologies, where a lot of people are not familiar with these technologies. It appear [inaudible 34:33] and you are not following this stuff all day long like I do. You do not really know about some of these things, so maybe you want to consider evaluating document analytics and implementing that in your organization. So, you can see who is printing documents and how long. Document analytics, you can actually tell how long someone spends reading a document. If they are spending an inordinate amount of time reading a certain document you will know it, or if they are downloading an inordinate amount of documents or printing.
All these things, it will set up red flags and you will be able to detect those anomalies, and those are ways to leverage technology to help you in the auditing process. Another key technology, I believe, that can be employed to protect IP is information rights management, and that's where you are protecting that document from its creation all the way through its entire life cycle, so it's like a security wrapper that goes around the document upon creation and you're gonna assign the rights to it, and those rights will be assigned generally by roles and responsibilities in the organization. The higher level you are, the more you have access to those internal documents. So, I would say, make sure you keep an eye out for newer technologies that can emerge, and that are emerging, and they can help you. And I think another risk is not considering just people, training people; the loss of IP is often, and really the majority of the time, can be unintentional. It can be just people are unaware that if they send an email from their business account to their personal account, suddenly now it is out on an unsecured network and it could be hacked, and so people need to be aware of what the email policy is, and that should be enforced and should be monitored and audited. So, you need -- this all involves training and communications. So you should audit not just the numbers and the metrics, you should audit -- do you have a training program? Are people regularly being communicated to that we need to protect your IP, and here are some ways that you can accidentally leak IP and you may not even know it. Another one is the credential creep, which you mentioned before, where people move from different positions in the organization, but you don't have identity and access management (IAM) software to track exactly that the credentials meet their responsibilities in their current job.
And I believe also that an auditing plan and the approach should continue to evolve and change as technology and the business environment change, and I think it's an ongoing program. It's a way to provide input back to the organization on how well you're doing and a way to continue to improve.

37:24 Sonia Luna

Yeah. Yeah. I know, I hear you, on kind of not only understanding some key technology sources as a potential solution, but it is also kind of one aspect I have noticed in terms of my career. It's people sometimes fail to ask other colleagues that are trying to address the same issue. Not everybody sees certain risks or the goals the same way, and also I would argue, do you know the solutions to it. Some people might have a great budget to better audit IP, and then some people could say, "Look, I just don't have the budget, how do I do it on a shoestring, so to speak?" and reaching out to colleagues like other chief audit executives or CIOs, etc., to have a confidential discussion without giving out too many details of how they are doing it? What are some of the risks that they are seeing, what are some of the best practices that they are seeing? So, kind of everything you said, including -- reach out to other colleagues that are probably addressing the same issues that they are.

38:32 Robert Smallwood

Uh-um. Absolutely.

38:33 Sonia Luna

Yeah. So, I want to, first of all, thank you so much, Robert. I mean, I think this is just a great interview for a lot of the compliance concerns here today, and I know everyone listening is very grateful for your very technical insights. I really appreciate it, and just as a reminder to our listeners, you can find Robert Smallwood's latest book entitled Information Governance: Concepts, Strategies, and Best Practices on Amazon.com, and please visit our website at www.avivaspectrum.com/podcast for the video version of this and other compliance interviews. This is Sonia Luna, CEO and Founder of AVIVA Spectrum, signing off.