intellectual property you own

Intellectual Property you Own Foundations of Information Security Series Vicente Aceituno @vaceituno (c)Inovement Europe 2014

Upload: vicente-aceituno-canal

Post on 05-Jul-2015


DESCRIPTION

Security of Intellectual Property you Own

TRANSCRIPT

Page 1: Intellectual Property you Own

Intellectual Property you Own

Foundations of Information Security Series

Vicente Aceituno @vaceituno

(c)Inovement Europe 2014

Page 2: Intellectual Property you Own

Vicente Aceituno

Skype: vaceituno

Linkedin - linkedin.com/in/vaceituno

Inovement Europe - inovement.es

Video Blog - youtube.com/user/vaceituno

Blog - ism3.com

Twitter - twitter.com/vaceituno

Presentations - slideshare.net/vaceituno/presentations

Articles - slideshare.net/vaceituno/documents

Page 3: Intellectual Property you Own

Foundations of Information Security Series

Needs: Secrecy, Intellectual Property you Own, Intellectual Property you Use, Privacy, Availability, Retention, Expiration, Quality

Obligations: Technical, Compliance, Legal

Page 4: Intellectual Property you Own

What is Information Security?

“Information Security” is an emergent property of people using information.

People have expectations about information.

If there are no people or no information, “Information Security” is meaningless, as there are no expectations to meet.

Page 5: Intellectual Property you Own

What is Information Security?

When expectations about information are met, there is “Security”.

When expectations about information are not met, there is an “Incident”.

Page 6: Intellectual Property you Own

What is Information Security?

Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.

Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.

Page 7: Intellectual Property you Own

Intellectual Property you Own

Page 8: Intellectual Property you Own

Intellectual Property you Own

Some expectations of people about information are related to ownership, control and use of information over time.

Page 9: Intellectual Property you Own

Intellectual Property you Own

Ownership is defined as having legal rights and duties on something.

Control is defined as having the ability to:

Grant or deny access to users.

Attribute to specific users their use of information.

Use is defined as having access to read, write or modify information.

Page 10: Intellectual Property you Own

Intellectual Property you Own

Creations of the mind are protected by law, granting certain exclusive rights to the authors, exclusive rights collectively known as intellectual property.

We use a synecdoche by calling these intellectual property rights “information”.

Page 11: Intellectual Property you Own

Intellectual Property you Own

There are several types of intellectual property, for example:

Copyrights (movies, books, music, software, etc.)

Trademarks.

Patents.

The legal use of intellectual property without a license under certain conditions is known as “Fair Use”.

Page 12: Intellectual Property you Own

Intellectual Property you Own

There is an expectation that Intellectual Property you Own will be controlled by its owners or authorized administrators only, for as long as they are authorized.

There is an expectation that Intellectual Property you Own will be used by authorized users only, for as long as they are authorized.

There is an expectation that Intellectual Property you Own will be used by unauthorized users within the limits of Fair Use.

Page 13: Intellectual Property you Own

Intellectual Property you Own

Whether these expectations are met or not is independent of the observer and repeatable.

Intellectual Property you Own expectations can be determined by answering the following questions:

Who should control the Intellectual Property you Own?

Who should not control the Intellectual Property you Own?

Who should use the Intellectual Property you Own?

Who should not use the Intellectual Property you Own?

Answering these questions renders lists that can be enumerated, measured and managed.

Page 14: Intellectual Property you Own

Intellectual Property you Own related incidents

When Intellectual Property you Own is controlled by people who are not or have never been the owners or the authorized administrators. For example:

Granting access to unauthorized users.

Denying access to authorized users.

Lack of, or misattribution to specific users of their use of information.

When Intellectual Property you Own is used by people who are not or have never been authorized users.

For a more complete list of incidents check tiny.cc/incidents
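
The lists produced by the four questions can be checked mechanically against audit records, which is what makes the result repeatable and independent of the observer. The following is an added example, not part of the original slides: the names Grant, Event, classify and incidents, the incident labels, and the sample users and dates are all constructed for illustration, and Fair Use and misattribution are not modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass(frozen=True)
class Grant:                      # one entry of the "who should control/use" lists
    user: str
    right: str                    # "control" or "use"
    start: date                   # authorization is time-bounded
    end: date

@dataclass(frozen=True)
class Event:                      # one audit record (constructed sample data below)
    day: date
    actor: Optional[str]          # None: the action could not be attributed
    action: str                   # "grant"/"deny" (control) or "read"/"write" (use)
    target: Optional[str] = None  # user affected by a grant or deny

def authorized(grants, user, right, day):
    return any(g.user == user and g.right == right and g.start <= day <= g.end
               for g in grants)

def classify(grants, ev):  # returns an incident label, or None if expectations are met
    if ev.actor is None:
        return "use not attributed to a specific user"
    if ev.action in ("grant", "deny"):
        if not authorized(grants, ev.actor, "control", ev.day):
            return "controlled by an unauthorized person"
        target_ok = authorized(grants, ev.target, "use", ev.day)
        if ev.action == "grant" and not target_ok:
            return "access granted to an unauthorized user"
        if ev.action == "deny" and target_ok:
            return "access denied to an authorized user"
    elif not authorized(grants, ev.actor, "use", ev.day):
        return "used by an unauthorized user"
    return None

GRANTS = [Grant("alice", "control", date(2014, 1, 1), date(2014, 12, 31)),
          Grant("bob", "use", date(2014, 1, 1), date(2014, 6, 30)),
          Grant("carol", "use", date(2014, 1, 1), date(2014, 12, 31))]
EVENTS = [Event(date(2014, 3, 1), "bob", "read"),
          Event(date(2014, 7, 15), "bob", "read"),           # authorization expired
          Event(date(2014, 3, 2), "alice", "grant", "mallory"),
          Event(date(2014, 3, 3), "alice", "deny", "carol"),
          Event(date(2014, 3, 4), "bob", "grant", "carol"),
          Event(date(2014, 3, 5), None, "read")]

def incidents(grants, events):    # the enumerable, countable list of incidents
    return [(ev, kind) for ev in events if (kind := classify(grants, ev))]

print([(str(ev.day), kind) for ev, kind in incidents(GRANTS, EVENTS)])
```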

Page 15: Intellectual Property you Own

Achieving Intellectual Property you Own expectations

Achieving Intellectual Property you Own expectations is exceedingly difficult: once you provide a user with read access, the user can write a copy of the Intellectual Property (so control is lost) at low cost and with high fidelity.

This difficulty is inherent to the nature of digital information.

Page 16: Intellectual Property you Own

Achieving Intellectual Property you Own expectations

In order to achieve Intellectual Property you Own expectations, normally the following measures are taken:

Access Control, which has been used with little success (CSS, AACS and the like).

Digital watermarks.

Legal action after the incident.

Providing legal access at low cost, discouraging copying.

The related O-ISM3 processes are:

OSP-28: External Events Detection and Analysis

OSP-24: Handling of Incidents and Near-incidents

Page 17: Intellectual Property you Own

Intellectual Property you Own

Page 18: Intellectual Property you Own

The O-ISM3 Challenge

This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.

Check the exercise in full at tiny.cc/indepth

A summary of conclusions from the exercise, in relation to Intellectual Property you Own, follows.

Page 19: Intellectual Property you Own

[Diagram labels: Secrecy, Intellectual Property, Privacy, Business Needs, Business Obligations, Confidentiality]

Page 20: Intellectual Property you Own

Confidentiality

ISO Definition: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

ITIL Definition: A security principle that requires that data should only be accessed by authorized people.

CobIT Definition: Concerns the protection of sensitive information from unauthorized disclosure.

Page 21: Intellectual Property you Own

Intellectual Property you Own and Confidentiality

Confidentiality can’t be measured (it doesn’t have units). Therefore it is neither independent of the observer nor repeatable, as Intellectual Property you Own expectations are.

Intellectual Property you Own expectations can be used to measure, communicate and manage a specific expectation of people about information.

Confidentiality is not necessary to understand or measure Intellectual Property you Own expectations.

Page 22: Intellectual Property you Own

Intellectual Property you Own and Confidentiality

Intellectual Property you Own expectations and Confidentiality are not equivalent.

Confidentiality and Intellectual Property you Own expectations are not synonymous.

Confidentiality is not useful to understand Intellectual Property you Own expectations.

Page 23: Intellectual Property you Own
Page 24: Intellectual Property you Own

Follow the Foundations of Information Security Series by joining the Linkedin O-ISM3 Group at: tiny.cc/osim3LG

Learn Advanced Information Security Management by joining us at an O-ISM3 Course: tiny.cc/osim3