IT, Export Control and Information Security: Learning to Speak the Same Language

By Magnus Bjorendahl

I believe that there is a gap between IT organizations and export control managers, and that this is just an old story repeating itself in another area.

The story is the one where IT and business managers do not always understand each other or know the best way to support each other. Businesspeople (in this discussion, the export control managers) often don't know what IT solutions exist to solve a specific business problem, or understand the cost, effort and technical challenge involved in delivering such solutions. Meanwhile, the IT organization typically doesn't appreciate the broad scope and complexity of the business needs, in this case U.S. export and re-export requirements.

These problems are exacerbated by the fundamental communication barriers between the two groups. IT folks tend to have a technically oriented, "Bachelor of Science" way of talking and thinking, and export control managers tend to have a business-oriented, "Bachelor of Arts" way of talking and thinking. The only real way to address this problem is to overcome those communication barriers. Fortunately, the IT industry is working toward doing just that in a critical area: information security.

The Two Sides of Information Security

When I say information security, I am referring to two types of security. The first has to do with keeping vital information from leaking to foreign countries, an especially significant concern in the Aerospace & Defense industry. Regulations such as the International Traffic in Arms Regulations (ITAR) require companies to obtain licenses and clearance before distributing information classified as ITAR-relevant to foreign nationals and foreign countries. Violators of those rules face severe penalties, including fines and even imprisonment.

The second type focuses on protecting the company from the leakage of information to competitors; this is typically referred to as protecting your intellectual property (IP). These days, IP is a vital business asset and often a key differentiator in the marketplace. The loss of such information to a competitor can do significant harm to a company. I bring up the protection of IP here because the challenges around it are in many ways the same, and a potential solution should be able to protect information both from being illegally exported to foreign countries and from being leaked to competitors.

Today, simply managing the growing amount of information flowing through a company is a challenge in and of itself, and managing the security of that information is even harder. By itself, IT is not really equipped to manage these security issues; IT professionals usually don't have a solid enough grasp of which business policies should be applied to which sensitive information, especially when it comes to the complexities of export control. Ideally, export control managers should be able to define the rules they need right in the system. They need a business language that works with IT.

Overcoming the Language Barrier

NextLabs [http://www.nextlabs.com], an SAP software partner and developer of information risk management enterprise software, has created such a language: the Active Control Policy Language (ACPL) [http://www.nextlabs.com/products/acpl.htm]. ACPL was designed to let users such as export managers develop information security rules and information-handling procedures with relative ease. Those users assemble "components", that is, familiar business terms, which are then automatically translated into a computer program language. For example, for the handling of ITAR technical data, export managers could define various types of rules in fairly straightforward language.

For access control, they might write:

    Allow only ITAR-certified users to access ITAR technical data from ITAR-certified systems
    Notify when non-certified users attempt to access ITAR Project Info

For leakage prevention, they might write:

    Deny duplication or distribution of ITAR technical data outside of ITAR-controlled project areas
    Deny duplication of ITAR technical data to removable storage devices

For data mobility, they might write:

    Deny users not in US locations access to ITAR technical data
    Log when any laptop user duplicates ITAR project info
    Deny mobile or disconnected computers printing ITAR technical data

For export control, they might write:

    When licensed technical data is exported, encrypt ITAR technical data
    When licensed technical data is exported, send export transaction to SAP Global Trade Services

Basically, with ACPL, export managers and policy experts can define information security rules and information-handling procedures on their own, without a lot of technical help. At the same time, NextLabs' Compliant Enterprise solution can incorporate those rules and enforce them consistently across servers, document management systems, email servers, and endpoints such as desktops and laptops. For its part, IT only needs to define how the building blocks of the language, the component business terms, should be interpreted. For example, IT might need to determine where the ITAR technical data is stored, or which encryption program is used when exporting ITAR technical data.
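To make the division of labour concrete, here is an added example (constructed for this page, not NextLabs' ACPL syntax or Compliant Enterprise code) that evaluates the ITAR rules listed above as attribute-based policy: the export manager's rules are the conditions in RULES, and the small helper functions are the part IT defines, mapping business terms such as "ITAR technical data" or "mobile computer" onto attributes. Deny-overrides-allow, default deny for ITAR data, and treating Notify/Log/Encrypt as obligations returned with the decision are assumptions of this example.

```python
from dataclasses import dataclass, field

# Added illustration: attribute-based evaluation of the article's ITAR rules.
# Constructed for this example; it is not NextLabs' ACPL syntax or engine.
# Assumptions: deny overrides allow, default deny for ITAR data, and
# NOTIFY/LOG/ENCRYPT are obligations returned alongside the decision.

@dataclass
class Request:
    user: dict                                   # {"itar_certified": bool, "location": "US"}
    resource: dict                               # {"classification": "ITAR", "area": "proj-a", "licensed": bool}
    action: str                                  # "read" | "copy" | "distribute" | "print" | "export"
    device: dict                                 # {"itar_certified": bool, "type": "desktop"|"laptop", "connected": bool}
    target: dict = field(default_factory=dict)   # where a copy goes: {"area": ..., "removable": bool}

# Building blocks: IT decides how the business terms map onto attributes.
def itar_data(q):   return q.resource.get("classification") == "ITAR"
def certified(q):   return bool(q.user.get("itar_certified") and q.device.get("itar_certified"))
def duplicating(q): return q.action in ("copy", "distribute")
def off_area(q):    return q.target.get("area") != q.resource.get("area")
def mobile(q):      return q.device.get("type") == "laptop" or not q.device.get("connected", True)

# The export manager's rules as (name, effect, condition); evaluate() scopes them to ITAR data.
RULES = [
    ("access-control",  "ALLOW",   lambda q: certified(q)),
    ("notify-uncert",   "NOTIFY",  lambda q: not q.user.get("itar_certified")),
    ("no-leave-area",   "DENY",    lambda q: duplicating(q) and off_area(q)),
    ("no-removable",    "DENY",    lambda q: q.action == "copy" and q.target.get("removable")),
    ("us-only",         "DENY",    lambda q: q.user.get("location") != "US"),
    ("log-laptop-copy", "LOG",     lambda q: q.action == "copy" and q.device.get("type") == "laptop"),
    ("no-mobile-print", "DENY",    lambda q: q.action == "print" and mobile(q)),
    ("export-encrypt",  "ENCRYPT", lambda q: q.action == "export" and q.resource.get("licensed")),
]

def evaluate(q):
    """Return (decision, obligations, matched rule names) for one request."""
    if not itar_data(q):
        return "ALLOW", [], []          # outside this rule set's scope (assumption)
    matched = [(name, eff) for name, eff, cond in RULES if cond(q)]
    effects = {eff for _, eff in matched}
    decision = "DENY" if "DENY" in effects or "ALLOW" not in effects else "ALLOW"
    obligations = sorted(eff for _, eff in matched if eff not in ("ALLOW", "DENY"))
    return decision, obligations, [name for name, _ in matched]

if __name__ == "__main__":
    cert = {"itar_certified": True, "location": "US"}
    itar = {"classification": "ITAR", "area": "proj-a", "licensed": True}
    laptop = {"itar_certified": True, "type": "laptop", "connected": False}
    print(evaluate(Request(cert, itar, "copy", laptop, {"area": "proj-a", "removable": True})))
    # -> ('DENY', ['LOG'], ['access-control', 'no-removable', 'log-laptop-copy'])
```

The last case shows why deny-overrides matters: a certified user on a certified laptop is allowed by the access rule, but the copy to removable media is still denied, and the laptop duplication is logged.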

I would argue that without ACPL or some other automated common language, and the ability to automatically enforce defined policies, information security around exports will always be a problem. IT and export control managers need to understand each other, and that means speaking the same language. Now, software can bridge that gap, and that will help us bring greater consistency and effectiveness to information security.

This is still not the complete story, as software such as NextLabs' does not manage export licenses. If you would like to know more about how SAP, NextLabs, and IBM have worked together to build an end-to-end solution for managing exports of information, please read the whitepaper "Enterprise Governance, Risk, and Compliance Solution for Information Export Control" [https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a050483b-3365-2a10-99b1-d98b0044cff6].

Magnus Bjorendahl is an Industry Solution Manager for Aerospace and Defense at SAP. In this role, he currently leads the effort to build out the partner ecosystem (IVN) for Aerospace and Defense. Over the past couple of years, he has been working closely with partners such as IBM, BearingPoint, MCA Solutions, TechniData, NextLabs, and Lockheed Martin. Prior to his 8 years at SAP, he was an IT consultant for a consulting company in Stockholm. He holds an M.Sc. in Computer Science and Engineering from Linkoping Institute of Technology and is currently studying business part-time at Wharton Business School.


Posted on 2007-11-02 16:47 by CharlieShen