Engaging with the business on Intellectual Property issues

To secure intellectual property, the information security team must interact with several departments within the organization. The responsibility encompasses defending the organization’s intellectual property and shielding the organization from legal liability arising from the misuse of others’ intellectual property.

A common governance model relies upon data classification, data owners, data custodians, and security professionals. Executive management sponsors the classification process and designates the responsible parties. As part of data classification, the type and nature of the intellectual property must be decided. The data owner (typically, mid-management) is responsible for deciding the type of data and the value of the data. The data custodians (typically, the information technology team) are responsible for maintaining the data and its associated controls. Information security is responsible for designing the controls and auditing the technology team to ensure the data is protected.

As part of designing the controls, the security practitioner must be apprised of the legal mechanisms by which content can be protected. A basic understanding of IP law and the data classifications provides a framework for the security team to engage with the legal team on how the company’s IP can be protected. The IP can then be protected as it is published and distributed beyond the organization’s network systems.

Knowing the existing laws also comes into play when protecting the organization from intentional or unintentional infringement. Due care and due diligence must be demonstrated. Administrative and technical controls must be deployed. By engaging with the human resources team, the information security team can provide employee training and explain in lay terms the employee’s rights and responsibilities with respect to others’ intellectual property. By the same token, technology must be deployed to detect and prevent piracy and digital theft. Demonstrating that the organization has taken these steps is crucial in situations that end up in court, where intent and diligence will be considered.
