Information Asset Protection archives - IT Governance, Risk, and Compliance


Jun 9 2009   9:33PM GMT

Digital Rights Management - Part IV

Posted by: Robert E. Davis
Internet, Internet Governance, Trust Management, Information Asset Protection, Information Security Governance, Intellectual Property Right, World Trade Organization, World Intellectual Property Organization, DRM, IAP, ISG, IPR, WTO, WIPO

IPR protection requirements create complex and challenging management issues. Audio and visual material is especially hard to protect because a player must ultimately decrypt the content and present it to the user, so both the decryption key and the cleartext output are within reach of the device owner; the various known vulnerabilities follow from this, and there are even arguments that effective DRM is logically impossible. Common techniques for audio and video file infringement include unlawful interception, decryption, reverse engineering, authentication manipulation, and analog format capture (the so-called analog hole). Additional information asset protection mechanisms are therefore required to maintain adequate safeguards, such as instituting continuous security improvement plans for IPR information.

View Part I of the Digital Rights Management series here

Jun 5 2009   8:40PM GMT

Digital Rights Management - Part III

Posted by: Robert E. Davis
Internet, Internet Governance, Trust Management, Information Asset Protection, Information Security Governance, Intellectual Property Right, World Trade Organization, World Intellectual Property Organization, DRM, IAP, ISG, IPR, WTO, WIPO

As previously stated, DRM software is generally considered an access control technology deployed to limit unauthorized usage. Arguably, however, a technology cannot in principle know, without human intervention, which legal restrictions and rights apply in a specific jurisdiction, usage context, or contractual arrangement, or to a given author, owner, or publisher; it can only enforce the rules it was configured with. Therefore, as with other information asset protection software, vulnerabilities may exist that can be exploited by unscrupulous or curious individuals.

Even if adequate IPR security protection is deployed, experience indicates that widely used DRM systems eventually yield to hackers and crackers intent on defeating or circumventing the deployed access controls: a single successful circumvention can be packaged and distributed to everyone. Supporting this projected outcome is the DRM circumvention software openly advertised on the Internet. Those with an interest in preserving DRM systems have responded by initiating proceedings to restrict the development and distribution of piracy-enabling software.

View Part I of the Digital Rights Management series here


Jun 2 2009   3:44PM GMT

Digital Rights Management - Part II

Posted by: Robert E. Davis
Internet, Internet Governance, Trust Management, Information Asset Protection, Information Security Governance, Intellectual Property Right, World Trade Organization, World Intellectual Property Organization, IAP, ISG, IPR, WTO, WIPO

Intellectual property protection has ushered in an era of technological solutions that attempt to prevent infringement of asserted rights. Digital Rights Management (DRM) is the technical counterpart of legal requirements that criminalize the production and dissemination of technology allowing individuals to circumvent technical copy-restriction methods; the law backs the technology, and the technology gives the law something concrete to protect. Specifically, as a preventive control, DRM software usually governs the downloading, copying, and playback of sound files, movies, and other copyrighted materials through diverse security features such as encryption and license checks. Globally, DRM systems have received international legal reinforcement through national implementations of the World Intellectual Property Organization (WIPO) Copyright Treaty (WCT), whose Article 11 requires adequate legal protection against circumvention of technological measures, and of the World Trade Organization (WTO) Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), which sets minimum standards for IPR enforcement.

View Part I of the Digital Rights Management series here


May 29 2009   7:40PM GMT

Digital Rights Management - Part I

Posted by: Robert E. Davis
Internet, Internet Governance, Trust Management, Information Asset Protection, Information Security Governance, Intellectual Property Right, IAP, ISG, IPR

Intellectual property right (IPR) issues affect Information Security Governance as well as Internet Governance deployments through a direct impact on ‘Trust Management’. Since knowledge and ideas are an important part of cultural heritage, social interaction, and business transactions, they retain a special value for many societies. Logically, if the associated electronically formatted information is valued, preventive and detective measures are necessary to minimize the organizational impact of an IPR security breach.


May 12 2009   3:25PM GMT

Developing Objectives - Part IV

Posted by: Robert E. Davis
Accountability, Benchmarking, Goals, Responsibility, Behavioral Management, Planning Committee, Resource Allocation, Information Asset Protection, Information Security Governance, Information Security Management, Management by Objectives, IAP, ISG, ISM, MBO

MBO is a participative behavioral approach to managing employees. One of the primary MBO assumptions is that employees are willing to work hard once they understand employer expectations. Intuitively, sustaining accepted expectations requires that employees believe the stated intentions are achievable. Therefore, MBO imposes consideration and incorporation of employee views concerning objectives to enable effective and efficient information asset protection processes.

View Part I of the Developing Objectives series here


May 7 2009   11:14PM GMT

Developing Objectives - Part III

Posted by: Robert E. Davis
Accountability, Benchmarking, Goals, Responsibility, Behavioral Management, Planning Committee, Resource Allocation, Information Asset Protection, Information Security Governance, Information Security Management, Management by Objectives, IAP, ISG, ISM, MBO

A system for disseminating information security management objectives is considered fundamental to obtaining employee commitment. One way to communicate entity-centric information security objectives is through clear and concise policies. Information security management’s role in policy formulation includes considering the control environment, risk assessment, control activities, information and communication, and monitoring. Though policies are an important means to convey expected behavior, even more critical is determining the effectiveness of adopted IT safeguarding objectives. Effectiveness evaluation requires measurement against established information security standards. Consequently, well-reasoned information security standards must be designed and implemented.

View Part I of the Developing Objectives series here


May 4 2009   6:32PM GMT

Developing Objectives - Part II

Posted by: Robert E. Davis
Accountability, Benchmarking, Goals, Responsibility, Behavioral Management, Planning Committee, Resource Allocation, Information Asset Protection, Information Security Governance, Information Security Management, Management by Objectives, IAP, ISG, ISM, MBO

Within behavioral management theory, entity leaders have alternative approaches available for developing information asset safeguarding objectives, including participative, consultative, free rein, and autocratic models. Participative behavioral management emphasizes considering and incorporating employee views in decisions while maintaining managerial decision authority. Consultative behavioral management stresses considering employee views, without necessarily incorporating them, while maintaining managerial decision authority. Free rein management allows employees to make their own decisions concerning subject matters. Lastly, autocratic management underscores dictating decisions to employees. Empirical evidence suggests that most entities currently prefer a participative approach to managing entity-centric objectives development.

Setting objectives and establishing processes to accomplish them is a managerial responsibility. Tactically, the manager responsible for a plan’s implementation should set objectives with advice obtained from the entity’s planning committee, top-level executives, and line subordinates. To this end, the Management by Objectives (MBO) methodology normally drives employee consensus building. However, an entity’s planning committee and top-level executives may be too removed from daily information security operations to yield reasonable objectives. Furthermore, line subordinates may have too little knowledge of organizational intricacies for their recommended information security objectives to be adopted. Therefore, a security manager may have to rely on evaluating generally accepted information security frameworks to develop entity-centric objectives.

View Part I of the Developing Objectives series here


Mar 31 2009   9:36PM GMT

Control Assessments - Part IV

Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP, ICR

Arguably, data security is the most significant domain supporting information reliability. Entity oversight committees should monitor control activities for ongoing relevance and effectiveness, as well as responses to information security recommendations. If installed systems are inadequately protected, data may not be properly processed. An entity’s IT employees need to bring a fundamental understanding of operational requirements and security to their professional duties so that sustained confidentiality, integrity, and availability are achieved through appropriate consideration of control assessment results.

View Part I of the Control Assessments series here


Mar 28 2009   8:20PM GMT

Control Assessments - Part III

Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP, ICR

Information security managers should prepare for audits by utilizing control self-assessments to verify compliance with laws, regulations, policies, and procedures. It is always a sound idea to plan annual control self-assessments strategically. Beneficially, testing information security practices assists in evaluating designed processes and validates that deployed controls are functioning as intended. Following a cyclic approach to control self-assessments cannot guarantee clean audit reports. It will, however, help ensure the security department is briefed on governance expectations before the auditors arrive.

There are a few traditional events that occur once a year; some are considered cheerful, while others are considered dreadful. Regarding IT audits, enlightened security managers approach the assurance process as a periodic assessment of the way business is conducted throughout the year, one that provides an external view of the current state of IAP controls from knowledgeable professionals. IAP managers who normally encounter difficulties during audits are those who adopt an adversarial posture. IT auditors are not storm troopers sent to dismantle departmental efficiency, and security managers who build communication firewalls and ‘honeypots’ based on a perceived organizational threat have misinterpreted generally accepted IT audit objectives.

View Part I of the Control Assessments series here


Mar 24 2009   7:11PM GMT

Control Assessments - Part II

Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP, ICR

Management needs to understand the status of the entity’s IT systems to decide what safeguarding mechanisms should be deployed to meet business requirements. When IAP monitoring is built into the entity’s operating activities and process performance is reviewed on a real-time basis, control degradation can be ascertained early and remediated expeditiously. Characteristically, productive monitoring activities dynamically adapt to environmental factors, with each control assessment performed according to an authorized plan that reflects the evaluation type, assurance level, and information classification.

Monitoring and evaluating the current state of implemented controls may take a variety of forms, including control self-assessments and IT audits. Furthermore, an IT auditor may not be the individual who executes an entity’s information security internal control review (ICR); however, an IT auditor may subsequently assess an ICR for effectiveness and/or efficiency. In the regulatory arena, a negative finding coupled with prompt corrective action can mitigate civil and criminal enforcement penalties, thereby potentially reducing or avoiding legal risks.

View Part I of the Control Assessments series here