Internal Compliance Program - Series (25) - Physical and information security
Today, in the hands-on practical advice series on Internal Compliance Programs for Export Control:
Part 25: Physical and information security
In this ICP chapter you should demonstrate that your company has adopted and is implementing robust security proceedings.
First, your employees and visitors should follow physical access control to your premises. Speak about your internal rules on identification badges, check-in at the reception or security desk, escort of visitors in non-public parts of your buildings. Also, loose a word about safe storage of paper and other hard copies of documents containing technical data and or license information.
Secondly, you should present your IT security policy and explain how you are storing technical data in electronic form, how you encrypting electronic transfers of technical data to third parties, if any, and how employees are accessing information and technical data.
In this framework, do not forget to expose specific process for transfer of technology (blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions. Take care especially of intangible technology transfer, meaning for example digital or oral transmission of documents irrespective of the medium, the management or remote maintenance of computer networks, training in any form whatsoever, activities of studies or scientific research and the transmission of know-how, practical technical or scientific knowledge and information in any form whatsoever. Attention must be drawn to control that portion of technology that is specific to export controlled items.
Demonstrate that you have processes in place on how to proceed in case a license is required for technology transfer, or for international travel (how you are managing laptops containing export-controlled technology). Eventually, also present the rules that apply before employees can make a presentation or participate actively in a conference or meeting in which export-controlled technology may be released.
