A FRAMEWORK FOR THE IMPLEMENTATION OF ETHICAL CONTROLS IN INFORMATION SECURITY
6) Security policies and procedures: Company_X should include all of these aspects in its information security policy, from a high to a low level
5.5 IMPLEMENTING PROPERTY CONTROLS IN THE ORGANISATION
Implementing the ethical information security awareness control of property is a daunting task for organisations. As with privacy, organisations need to implement the correct property controls. They need to reengineer their information systems and information handling practices. Five stages of property implementation for reengineering an organisation have been identified. These stages describe the “what” of implementing a reengineered system [EPIC 02] [CRAN 00] [GOTT 00]. They are described in the following table:
Stage – Description: what must be done to implement a property policy?
1. Property policy development – Active involvement from government institutions, virtual communities and individuals is needed for development. It is initiated through a response from these participants.
2. Intellectual property handling assessment – The IT department and the user departments must locate and identify all procedures for handling information and tangible resources, i.e. what information these departments possess, how they secure it, whether it is shared with third parties and the circumstances under which it can be replicated.
3. Compliance and risk assessment – A comparison must be made of the actual information and tangible resource handling procedures with the organisation’s property policy. What happens to obsolete hardware? Is there a discrepancy? How are discrepancies dealt with, and by whom?
4. Enforcement – If there is a discrepancy, the organisation’s property policy should be enforced and upgraded in line with the actual procedures.
5. Monitoring and auditing – All future transactions should be monitored for compliance with the upgraded property policy.
Table 5.1 Implementation of a property policy in an organisation
Adopting these five stages will help to correctly assess, develop and monitor intellectual as well as physical property protection. However, for each stage there is an implication. These are summarised in the table below:
Stage – Implication: how can this be achieved?
1. Property policy development – It is necessary to design clear, effective and comprehensive property policies in order to gain support for policy development from employees within the organisation, its trading affiliates and its customers.
2. Intellectual property handling assessment – Information handling practices must also be digital. If property policies are in a digital format, such as XML, it is easier to assess the information handling procedures by comparing written procedures against actual ones.
3. Compliance and risk assessment – These digital property policies must be modelled on the actual practice of handling intellectual and tangible property so that a true gap analysis and conflict identification can be done.
4. Enforcement – Tools also need property intelligence for the effective enforcement of policies. It is necessary to include intelligence in the systems so that there will be some degree of automation and adaptation to this changing environment. An example is correlating depreciated property with the correct destruction of that property: disks should be completely destroyed, whilst old monitors may be given to charities.
5. Monitoring and auditing – Standards and legislation will govern the implementation of a property policy. Interoperability among standards for intellectual property will assist in the further monitoring and implementation of property policies within the organisation as well as among organisations.
Table 5.2 Implication for each stage of property policy development
It is necessary for an organisation to adopt an automated stance in the development of a property protection policy. XML is an excellent programming language that can be used to automate a dynamic environment.
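As an added illustration of stages 2 to 4 above (not code from the thesis), the following Python example reads a property policy written in XML, compares it with actual disposal records from an asset register, and reports discrepancies. The XML schema, the asset types and all records are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a property policy in XML (hypothetical schema) stating the
# required disposal method for each class of depreciated asset. Parse policies
# that come from untrusted sources with defusedxml rather than the stdlib parser.
POLICY_XML = """<propertyPolicy>
  <asset type="disk" disposal="destroy"/>
  <asset type="monitor" disposal="donate"/>
  <asset type="laptop" disposal="wipe-and-resell"/>
</propertyPolicy>"""

# Constructed sample: actual disposal records taken from the asset register.
ACTUAL_DISPOSALS = [
    {"id": "A-001", "type": "disk", "disposal": "destroy"},
    {"id": "A-002", "type": "disk", "disposal": "donate"},     # breaches policy
    {"id": "A-003", "type": "monitor", "disposal": "donate"},
    {"id": "A-004", "type": "printer", "disposal": "donate"},  # no rule exists
]


def load_policy(xml_text):
    """Stage 2: turn the written (digital) policy into a lookup of asset type -> disposal."""
    root = ET.fromstring(xml_text)
    return {a.get("type"): a.get("disposal") for a in root.findall("asset")}


def gap_analysis(policy, records):
    """Stage 3: compare actual handling with the policy and return (asset id, issue) pairs.

    A record whose asset type has no rule is reported too, since stage 4 requires
    the policy to be upgraded in line with actual procedures.
    """
    findings = []
    for rec in records:
        required = policy.get(rec["type"])
        if required is None:
            findings.append((rec["id"], "no policy rule for asset type '%s'" % rec["type"]))
        elif rec["disposal"] != required:
            findings.append((rec["id"], "disposed by '%s', policy requires '%s'"
                             % (rec["disposal"], required)))
    return findings


if __name__ == "__main__":
    for asset_id, issue in gap_analysis(load_policy(POLICY_XML), ACTUAL_DISPOSALS):
        print(asset_id, issue)
```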
5.6 CONCLUSION
This chapter served to illustrate the essential need for organisations and individuals to control their intellectual property resources as well as tangible property. The main area of focus was the protection of intellectual property.
Individuals and organisations need to be made aware of this ethical information security control, all possible threats to their property and the corresponding solutions to aid in protecting them. The final section suggested a possible structure for implementing and controlling a property policy in an organisation.
The next chapter continues to assist in creating an ethical information security awareness. The obligation of the organisation and the individual to control the security of their property and private information is detailed.
CHAPTER 6 OBLIGATION
“Deceivers are the most dangerous members of society. They trifle with the best affections of our nature, and violate the most sacred obligations.” [CRAB 32]
6.1 INTRODUCTION
The final phase in the creation of an ethical information security awareness is obligation. The principal aim of this stage of the evolution process is to create an awareness of obligation rights. Obligation rights are a new area of concern and require a new form of understanding for organisations and individuals.
Organisational managers are at a distinct disadvantage. The obligation vocabulary and its terrain are often terra incognita or, worse still, wrongfully equated with the implementation of information security. Security, with its attendant information security services of identification and authentication, integrity, non-repudiation and confidentiality, is a necessary prerequisite for obligation rights. Weak or inadequate security can easily compromise these obligation rights, but obligation entails more than merely providing these information security mechanisms; it entails an awareness of the consequences of breaching them.
The diagram below illustrates the ethical information security control of obligation, which will be the focus of this chapter.
[Figure 6.1: diagram of the ethical control of obligation. Components shown: 1. E-business (external link); 2. Technical services (firewall, IDS); 3. Standards; 4. Adherence to the law (legislation); 5. Ethical awareness (property, privacy, obligation); 6. Security policies and procedures; 7. ISM; codes of conduct.]
Figure 6.1 Ethical control of obligation
In order to create a pillar of strength, the final ethical awareness control needs to be established. To do so, a definition of obligation will be detailed, followed by solutions to any form of breach to which organisations and individuals may be exposed.
6.2 OBLIGATION DEFINED IN TERMS OF ETHICAL INFORMATION