Module P6 Principle 6: Establish and Maintain a Management Process for Intellectual Property, Proprietary Information, and Competition-Sensitive Data Learning.


1 Module P6 Principle 6: Establish and Maintain a Management Process for Intellectual Property, Proprietary Information, and Competition-Sensitive Data Learning Objectives Understand DM roles and responsibilities for IP access and security Understand the various types of IP Learning Outcomes Apply security and access rules to all types of IP Apply IP negotiations to data rights for all contributors (internal and external) for deliverable data This module addresses the issues and responsibilities of managing intellectual property

2 IP = competitive edge = $!
Principle 6: Establish and Maintain a Management Process for Intellectual Property, Proprietary Information, and Competition-Sensitive Data Intellectual Property Comprised of real but intangible assets Patents Copyrights Trademarks Trade secrets Provides competitive positions Contributes to financial success Presentation: Text can be voice over, with graphic boxes automated to add through the voice material Explanatory Material: Paraphrased from ANSI/GEIA-859: Patents, copyrights, trademarks and trade secrets are some of the intangible assets that comprise intellectual property (IP). These IP assets are at the center of an enterprise’s competitive position and ultimately contribute to financial success. Protection of these assets is necessary to maintain competitiveness. In many cases, it is necessary to comply with legal obligations to trading partners, including suppliers and customers. Since IP assets come from a variety of sources, suppliers, subcontractors, and trading partners, as well as internally developed items, the related data is identified and tracked for protection based on data rights. From a process standpoint, protection of classified data and protection of intellectual property are more alike than different, in that they both have stringent controls for management, storage and access to data. Here the emphasis is on intellectual property. The rules for management of classified data can be found in agency-specific government documents. References: ANSI/GEIA-859, Section 6.

3 Principle 6: Establish and Maintain a Management Process for Intellectual Property, Proprietary Information, and Competition-Sensitive Data Presentation: Voice over, pop-ups, video, graphic, etc Explanatory Material: Paraphrased from ANSI/GEIA-859: How IP is managed is determined by the rights obtained from the provider through documented agreements, such as statements of work, license agreements, and contract negotiations. These documents also define the limitations, obligations and requirements for sharing the information to a third party. Information available to the general public, such as general business information, information to be used only within the enterprise, information developed by the enterprise that has monetary value, and enterprise-developed information that has been officially registered with a legal authority, are all examples of intellectual property. Competition sensitive data is that information which might be construed as providing an enterprise advantage within industry, such as best practices, proposal information, and tools implementations. Enterprise policies for management of IP provide a standardized way to type, mark, and identify the information; control and track ownership; manage rights to use and sell; control access; distribute; and dispose of IP within the enterprise. Management of IP requires the following: Identify items that need to be protected and tracked. Store items in a protected environment or repository with limited access. Control access to and distribution of data dependent on data type and source. Provide security as required by agreements and legal obligations. Transfers of IP should take place under stipulated conditions and be carefully controlled to protect the rights of the data originators and owners. Regardless of the type or source of IP, it should be managed as an asset of the enterprise. Failure to successfully manage IP can have personal, enterprise, national, and international implications. 
References: ANSI/GEIA-859, Section 6.1, Principle 4, Principle 5 and Principle 7

4 6.1 Enabler: Establish and Maintain a Process for Data Access and Distribution
Presentation: Voice over, pop-ups, video, graphic, etc. Explanatory Material: Paraphrased from ANSI/GEIA-859: A method for managing data access and distribution needs to be in place to effectively manage IP. The access to and distribution of data are critical to the protection of data rights. The process to support Enabler 6-1 is delineated in this figure. As the details of this process are discussed, keep in mind that in a manual environment, IP may be managed through limited access facilities such as locked files or areas. In an electronic environment, electronic methods such as organizational and role-based access control are generally required to limit the electronic access to data. When enterprise policies and procedures do not exist, the access constraints for the various types and varieties of enterprise data should be documented. Once this process is defined, it can be applied to all sources of data at all levels of the enterprise. References: ANSI/GEIA-859, Section 6.1

5 Verify and validate need-to-know!
6.1 Enabler: Establish and Maintain a Process for Data Access and Distribution Define Access Requirements Verify requirements Enterprise User Validate security process and procedures Protection of IP data Presentation: Voice over, pop-ups, video, graphic, etc. Explanatory material: Paraphrased from ANSI/GEIA-859: Review documented agreements to verify that access rights support the intended use by the enterprise. If rights to data are not authorized, evaluate data to determine the currency of the business need within the enterprise. Items no longer current or needed should be disposed of in accordance with the enterprise or department retention schedules and authorization for the intended use. If access is authorized through a documented agreement, verify the type of data needed by the user, as well as the distribution method and access level required to support the user’s needs. When interchange data environments are required or used, define the levels of and definitions for access rights and establish the mechanism for authorizing that access. The enterprise should ensure that the owner of the data (an organization or individual representative) has authorized or validated the user’s need for access. Maintain records of access rights granted, distribution methods, and account authorizations for verification and validation purposes. These records should be reviewed regularly to ensure that data remains secure and access rights are current. Before data is distributed, the enterprise should validate that the information is approved or authorized for use. If not authorized, the data should be evaluated to determine the reasons. Data is distributed or used only after authorization by a review authority. If authorized, the data should be distributed in accordance with the defined process and the user rights. 
This distribution may be performed manually, through , by means of an electronic interchange data environment, or any other method that meets the requirements of the process. Reference: ANSI/GEIA-859, Section 6.1, Principle 7.

6 Verify and validate need-to-know!
6.1 Enabler: Establish and Maintain a Process for Data Access and Distribution Ensure Entitlement to Access and Use of Data Is Validated and Documented by the Proper Authority Agreements validate legal rights, authorities and responsibilities Presentation: Voice over, pop-ups, graphics, etc. Explanatory Materials: Paraphrased from ANSI/GEIA-859: Contract negotiations, subcontract negotiations, licensing agreements, royalty payments, and similar legal documentation define the rights to data. Data is not distributed or used until the legal right to do so has been verified. It is particularly important to review contractual requirements and legal rights and responsibilities before providing access or distribution of data to trading partners, subcontractors, suppliers, and customers. Audit activities will validate the security of the data and should be performed periodically to eliminate the possibility of enterprise and individual monetary fines or penalties for allowing unauthorized use. An audit can address the following items: IP is properly identified by type and source. IP is properly marked and tracked. Patents exist where appropriate. Copyrights are registered where appropriate. IP rights granted are current and followed. Import and export evidence exists where appropriate. IP user access rights are reviewed. IP distribution is reviewed. IP disposition schedules and methods are followed. Disposition of data or information is handled in accordance with Principle 7. References: ANSI/GEIA-859, Section 6.1.2, Principle 7.

7 6.2 Enabler: Establish and Maintain an Identification Process for IP, Proprietary Information, and Competition-Sensitive Data Presentation: Voice over, pop-ups, graphics, etc. Explanatory material: Paraphrased from ANSI/GEIA-859: This diagram depicts the process to support enablers 6.2 and At the enterprise level, documented policies define the process for distinguishing IP from other data and managing it. A process should be used to determine the data requirements for development of the product. When products contain customer deliverable information, an evaluation occurs regarding IP and the legal responsibility to protect it. Negotiations must occur with potential suppliers to establish an agreement to use or resell the data. The documented outcome of those negotiations forms the basis for what can legally be contracted to another party. When a customer (potential or contracted) requests the delivery of data where legal rights for delivery of the data to a third party do not exist, resolution needs to be reached between the interested parties through negotiations. Even if data is not contractually deliverable, it must be identified and secured to protect the rights of the provider. The enterprise is responsible for the evaluation of the obligations and legal responsibility for data protection. Reference: ANSI/GEIA-859, Section 6.2

8 Identify, maintain and track in compliance with requirements!
6.2 Enabler: Establish and Maintain an Identification Process for IP, Proprietary Information, and Competition-Sensitive Data Distinguish Contractually Deliverable Data Establish and Maintain Identification Methods Establish and Maintain Tracking Mechanisms for Identification of Data Ensure Compliance with Marking Conventions and Requirements Presentation: Voice over, pop-ups, graphics, etc. Explanatory Material: Enterprise identification processes and methods should exist that address data within the enterprise. Unique identifiers are used to identify data and data requirements, as delineated in Principle 4. At the project level, the identification methods should be documented if they deviate from an enterprise policy or if an enterprise policy does not exist. This includes an additional layer of identification for IP to ensure data is managed in accordance with IP policies and legal obligations. Data generated internally can be typed for protection and easily identified. Internally developed and funded data should be evaluated by the enterprise to determine if a patent, trademark, or copyright is feasible in the business environment. In the United States, patents and trademarks are registered with the U.S. Patent and Trademark Office. Copyrights are automatic, but in some instances (e.g., protection of data rights in a global market), it is advantageous to register a copyright with the U.S. Copyright Office. Review data obtained from an external source to determine if it is registered IP. Verify documented rights prior to use to ensure that the data is appropriately protected. An enterprise policy or process for import and export control should address the legal obligations for importing and exporting data outside the country of origin. Data should be reviewed before export to ensure compliance with enterprise processes and legal obligations. Additional information about and assistance with U.S. policies can be obtained through the Bureau of Export Administration, U.S. Department of Commerce. Principles 4 and 5 address identification and control of data. However, additional elements of metadata need to be tracked for IP. Tracking mechanisms and evidence are fundamental for the following items: Distribution is appropriate to rights granted. Appropriate maintenance of data is possible. Configuration status of IP is maintained. Import and export forms are maintained. Licensed quantities and locations are tracked. Appropriate rights are negotiated or granted for updated items. Distribution (list of names, addresses, restrictions, etc.) is appropriate to rights granted. Once identified, IP should be marked appropriate to its type or variety. Proprietary information or IP provided to the U.S. government is marked using government notices or legends. Disclosure of proprietary information in any other context requires an agreement establishing the limits on disclosure. Such an agreement restricts the use and disclosure of the information being shared. If the information is provided to a non-U.S. citizen, export control requirements need to be satisfied prior to disclosure. This includes printed, electronic, or verbal disclosure of information. References: ANSI/GEIA-859 Section 6.2.1, Principle 4, Principle 5.

9 6.3 Enabler: Establish and Maintain an Effective Data Control Process
Establish and Maintain Control Methods Establish Mechanisms for Tracking and Determining Status of Data Presentation: Explanatory Material: Paraphrased from ANSI/GEIA-859: Within the enterprise, processes should exist for data control methods that ensure changes to data are reviewed and authorized by the appropriate personnel and results are provided on a need-to-know basis. See Principle 5 for details of the change process. Control methods may be different based on owners and use of data and include appropriate approval mechanisms and updated documented agreements for data rights. This provides another layer of IP control to ensure that the data is handled in accordance with IP policies and legal obligations. Internally developed and funded data should be evaluated to assess the impact of the change on a patent, trademark, or copyright. If appropriate, patents and trademarks should be reregistered with the U.S. Patent and Trademark Office and copyrights should be reregistered with the U.S. Copyright Office. When IP data changes, the enterprise should review documented agreements to assess the impact of the change. Areas of particular concern exist where the right to use the updated item is not part of the original agreement. In those instances, new agreements must be negotiated. Review and disposition methods for IP changes should be established based on the business needs. Methods for tracking IP continue when changes occur. The ability to trace users of IP data assists in determining the distribution for approved updates. As with other IP issues, changes need to be tracked and the data rights reviewed before distribution. At some point, rights to data expire or are no longer of value to the enterprise. If there is an enterprise retention policy, or a legal obligation to maintain the data, the enterprise should retain the IP information, including the documented agreements that define the data rights.
Principle 7 provides guidelines for data retention and storage. Reference: ANSI/GEIA-859, Section 6.3, Principle 5, Principle 7. Ensures control process is in accordance with IP policies and legal obligations!

10 Quiz Questions – P6
Security and access in an integrated/collaborative environment is a data management task. True or false
Intellectual property protection applies to which of the following data:
a. Patents, copyrights, trademarks and trade secrets
b. Supplier, subcontractor, trading partner data
c. Financial and administrative data
d. A and B
e. A and C
f. All of the above
IP can only be obtained from internally developed data.

11 Quiz Questions – P6
Data is distributed or used when?
a. As soon as it is received
b. After validation and authorization by a review authority
c. Once a delivery method is established
d. All of the above
At the _____________ level, policies are documented to define the process for distinguishing IP from other data and managing it.
Enterprise
Changes made to data do not impact documented agreements for data rights. True or false.

