
CYB 208: INFORMATION SECURITY POLICY LECTURE NOTES

Introduction
Information security policy is the foundation of an organization’s security
program, and every organization must keep this in mind in order to protect
its critical information assets. Information security prevents unauthorized
disclosure, disruption, access, use, modification, etc. of those critical
information assets using the three principles of information security, or
the primary tenets, called the CIA triad: confidentiality (C), integrity (I),
and availability (A).
Confidentiality — the protection of information against unauthorized
disclosure
Integrity — the protection of information against unauthorized modification
and ensuring the authenticity, accuracy, non-repudiation, and completeness
of the information
Availability — the protection of information against unauthorized destruction
and ensuring data is accessible when needed.
At all levels, organizations must prioritise sensitive data and ways to
adequately protect it from cyber criminals. At a high level, sensitive data
is information that a person or organization wants to keep from being publicly
available because the release of the information can lead to harm such as
identity theft or fraud. In some cases, sensitive data is related to individuals,
such as payment information or birth date. In other cases, sensitive data can
be proprietary corporate information.
The Federal Information Security Management Act (FISMA) defines
information security as “protecting information and information systems
from unauthorized access, use, disclosure, disruption, modification, or
destruction” and goes on to define information security activities
as those “carried out to identify and address the vulnerabilities of a
computer system, or computer network”.
The United States National Information Assurance Training and Education
Center (NIATEC) defines information security as “a system of
administrative policies and procedures for identifying, controlling and
protecting information against unauthorized access to or modification,
whether in storage, processing or transit” (NIATEC, 2006). Information
security emphasizes the need to protect mission-critical information in the
IT arena, and most of these institutions have therefore described information
security in terms of three broad information security objectives.
The international standard ISO 27001 Code of Practice defines
information security as the preservation of three aspects of information:
confidentiality, integrity, and availability.

Confidentiality

Data confidentiality focuses on protecting sensitive information and
ensuring that information is only available to those who are authorised to
gain access. Information such as non-public personal information (PII) or
cardholder data (CD) is guarded from unauthorized access or disclosure,
because malicious actors often target confidential information to use it
for identity theft and perpetrating fraud. Confidential data can also include
sensitive corporate information such as trade secrets.

Confidentiality is the assurance that information is not disclosed to
unauthorized individuals, processes, or devices. This applies to data in
storage, during transit, and in processing. Confidentiality is an extremely
important consideration for any organization dealing with information and
is usually discussed in terms of privacy. Information takes many forms. It
may be processed and stored on computers or in other electronic form,
printed or written on paper, shared through voice or video
communications, transmitted through post or electronic means such as
e-mail or fax, or made available on corporate videos or websites. Whatever
form the information may take, or means by which it is shared, stored or
processed, it should always be appropriately classified and protected
according to that classification, because any loss of
computer systems or the information they contain could have serious
repercussions for the organization and/or its clients. A breach of
confidentiality during processing, storage or transfer of data could result in
financial loss, personal injury to a member of staff or a client, serious
inconvenience, embarrassment, or even legal proceedings against the
organization, and possibly the individuals involved.
Therefore, in order to ensure confidentiality, an appropriate level of
security must be achieved and maintained. The level of security
implemented on each of the various systems must be consistent with the
designated security classification of the information and the environment
in which it operates.
Integrity
To ensure the integrity of an information system, integrity checks of
the authorized business systems and software are to be performed
regularly. System and information integrity provides assurance that the
information being accessed has not been tampered with or damaged by
an error in the information system. Examples of system and information
integrity requirements include:
Flaw remediation;
Malicious code protection;
Information system monitoring;
Security alerts;
Information input validation;
Error-handling; and
Memory protection.
Availability

Data availability is one of the information security objectives and a
component of information security. According to NIST (2003), availability
entails timely and reliable access to data and information services for
authorized users. United States Code Section 3542(b)(2) defines
availability as “ensuring timely and reliable access to and use of
information”. Information availability is a requirement that is intended to
assure that all systems work promptly and service is not denied to
authorized users. This should protect against intentional or accidental
attempts to either perform unauthorized access to and alteration of
organizational information, cause a denial of service, or use the system or
data for unauthorized purposes. A loss of
availability is the disruption of access to or use of information or an
information system.
Data availability focuses on information accuracy, completeness, and
consistency to ensure users can access information when they need it.
Organizations need to establish procedures and processes for data storage,
disaster recovery, and business continuity. There are other objectives of
information security such as accountability, authentication, and
non-repudiation.
Business risk and other threats to an organization's assets
What is a risk? For the purpose of information security and this lecture, a risk
is any hazard or danger to which your information or equipment is subject.
Storing an expensive computer within reach of an open window is risky.
Allowing students to have access to computerized grade books might also be
considered risky. But even if you now know what a risk is, the question of
what is at risk still remains, and the answer is your critical information
assets.
An asset is often defined as real property. That is not always the case; it is very
possible that your organization's computer equipment is prominently listed on
the critical assets list, especially considering the large amounts of money
that the equipment may cost. But recall that the only reason all that money
was spent on technology in the first place was so that you could manipulate
your organization's information more efficiently: information like student
academic data, special support service files, staff health records, and
organizational financial figures. The equipment is important only because it is
the mechanism by which you access the files that are so essential to the
operation of the enterprise. Information is the real asset in any organization
and, of course, very valuable. Such information, and the systems that host and
support it, must be guarded against risks, threats and vulnerabilities.

What is a Threat?

It is estimated that 67 percent of networked computers are infected with
one form of virus or another. Beyond the growing prevalence of virus attacks,
more than half of all reported system damage is caused by an action, actor,
or event that contributes to risk; such an action, actor or event is referred
to as a threat. Threats to an information system are also caused by
unintentional employee action and, in most cases, simple negligence.
Apart from natural threats, there are manmade threats (intentional
and unintentional).


Manmade Threats (Intentional):
Theft
Hacking
Computer Viruses
Vandalism
File Sabotage
Unauthorized Copying
Arson
Wire Taps
Man-made Threats (Unintentional):
Equipment Failure
Spilled Beverages
Computer Viruses
Lost Documentation
Power Fluctuations
User Error
Heating Units
Lost Encryption Keys
Magnetic Fields
Air Conditioning Ducts
Programmer Error
Aging Facilities
Vulnerabilities: Vulnerabilities refer to points within a system that are open
to attack or damage. What type of attack? That depends on the threat.
Vulnerabilities are the mechanisms by which threats access your system.
Think of a thief (a threat), for example, who is ready to strike your building
(which houses your assets). An open back window through which that thief
might enter the premises is a vulnerability.
Information Security Policy Inclusion
Information security policy entails certain controls, with a policy that
appropriately guides user behavior to reduce risk. Organizations don’t
just write a policy for the sake of having a policy; compliance
requirements also drive the need to develop security policies. For
instance, if an organization has a risk regarding phishing or social
engineering, then there should be a policy reflecting the behavior desired
to reduce the risk of employees being phished or socially engineered. One
such policy would be that the organization must conduct security
awareness training (which includes social engineering tactics and phishing
tactics).
Moreover, a company's information security policy (or policies) is
commonly written for a broad range of topics such as the following:
Access control
Identification and Authentication (including multi-factor authentication and
passwords)
Data classification
Encryption
Remote access
Acceptable use
Patching
Malicious code protections
Physical security
Backups
Server security (e.g. hardening)
Employee on/off-boarding
Change management
What Should You Keep in Mind When Writing an Information
Security Policy?
Firstly, we need to understand the role of security policies in an
organization.
It Really Happens!
Disaster at a University
Turn Key University (TKU) is a medium-sized public university located in
Idaho. The institution is situated on a beautiful 25-acre campus, just north of
a major city. The University has a reputation for producing quality graduates
for the surrounding community. Like a typical university bureaucracy, the
school has a VC’s office overseeing the Academic Affairs, Administrative
Support Services, Human Resources, Finance, and Information Technology
divisions.

The role of security policies in an organization: Turn Key
University (TKU)
Disaster: The Data Breach Issue
Early one morning, Don was ushered into a closed-door meeting with the
Chief Finance Officer, the CIO, and an external security auditor he hadn’t
met before. In the meeting Don learned that a large amount of data,
including PII, had been exported from the system. The previous day Gary
was going through the logs to see if the patch he applied had worked correctly,
and he noticed that someone in the administrator group had exported a
large amount of data at an odd time. Gary reasoned that no one should be
accessing the system at 2am, and he was concerned because a large
amount of data had been exported. After bringing the issue up with management,
it was decided that the Finance division would investigate the issue.
Therefore, the responsibility to figure out exactly what happened fell on
Don. He was asked to work with an auditor to find out exactly what
happened. Don left the meeting feeling overwhelmed and disconcerted;
he knew nothing about security practices and he wasn’t happy about
working with the auditor. He had recently inherited the system and didn’t
know much about it. He did know that he had to find the source of the leak
before more student information was lost, and he knew his job might be on
the line.
The Investigation: Lax Security Policies and Culture
The system security auditor decided to interview the users of each
business unit so as to figure out whether the leak was an internal job or whether TKU
had fallen victim to a hacker. He examined the different entry points through which a
potential hacker could get access to the system. The auditor also deemed it
necessary to check the user account structure, the business rules, and
department norms. Note that the auditor could determine which user in
the administrator group was responsible for the data leak, if it was an
internal job. This involved Don, who had to provide the required information to
the auditor.
The auditor and Don started the audit process by going through the
system. They checked the user accounts and found multiple points where
a hacker could have entered the system. They found over 50 orphan
accounts, which are accounts that had been set up but never used. When
an account is set up, the policy is for the system administrator to provide
the same generic password. Once a user logs into the system, they are
prompted to enter a new password. Since none of these accounts were
used, all of the accounts had the same password. A hacker could have
easily cracked the generic password and gotten access to the system.
Another area of concern was password complexity. The system didn’t
require users to have strong passwords. Passwords could be as short as
three characters long and didn’t need to include numbers or special
characters. The passwords could be kept forever and most had never been
changed. With the sophisticated password cracking programs now
available on the Internet, hackers could break into the system in seconds.
This seemed very likely, as figuring out the system usernames was very
easy. The usernames were based on the name of the user. The first letter
of the username was the first letter of the person’s first name. The last
part of the username was the person’s last name. For example, Gary
Tolman’s username was gtolman. This type of username assignment is
very common, but it can also pose a threat. Each employee’s name was
listed on the TKU website, so a hacker could easily find a username.
Lastly, the system was accessed by a variety of users. They were spread
out between the Information Technology, Finance, and Administrative
Support divisions, so finding the exact users would be difficult. Anyone in
these divisions could be the source of the leak. Don and the auditor didn’t
know how they were going to trace the culprit, but they knew they had a
daunting task. They started off by interviewing people in the three
divisions. The Administrative Support Services division used the
transaction system to run reports, so its users only had permissions to
run reports. Don and the auditor found that, in addition to the approved
users, more people accessed the system. Employees routinely gave out
their login information to student workers and temporary employees to
run reports when they were busy or on vacation. The employees shared
this login information on Post-it® notes, over the phone, and in email. The
department did not have rules explaining proper procedures, so
employees thought these practices were acceptable and the norm.
Throughout the investigative process, the auditor found countless
examples of lax information security throughout the organization:
1. There was a lack of a coordinated security policy, and
2. The policies in place were not being followed.
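The checks the auditor worked through above, as an added example that is not part of these lecture notes: a Python audit over constructed account records and audit-log lines. It flags the never-used orphan accounts that still hold the generic initial password, passwords older than a set age, passwords that TKU's three-character rule would accept but a stricter policy rejects, and bulk exports by administrator-group accounts outside business hours, the pattern Gary spotted at 2am. The account data, the key=value log format, the password values and the thresholds are all assumptions constructed for the example.

```python
"""Account-hygiene and audit-log checks modelled on the TKU case findings.

Added example, not part of the lecture notes. The account records, the
audit-log lines, the password values and the thresholds are all constructed
for illustration; the key=value log format is an assumption, not TKU's system.
"""
import re
from datetime import date, datetime, time

# Constructed account inventory: (username, created, last_login,
# password_changed, group). last_login None means the account was never used.
ACCOUNTS = [
    ("gtolman", "2019-08-12", "2024-03-01", "2022-01-15", "administrator"),
    ("dcarter", "2024-01-20", "2024-02-28", "2024-01-20", "finance"),
    ("jlee",    "2021-05-03", None,         "2021-05-03", "admin_support"),
    ("rjones",  "2020-09-14", None,         "2020-09-14", "administrator"),
    ("amiller", "2018-03-30", "2024-03-01", "2018-03-30", "admin_support"),
]

# Constructed audit-log excerpt; the EXPORT at 02:07 is the kind of entry Gary noticed.
AUDIT_LOG = """\
2024-03-01 09:15:03 user=amiller group=admin_support action=REPORT rows=120
2024-03-01 14:42:10 user=gtolman group=administrator action=PATCH rows=0
2024-03-02 02:07:41 user=rjones group=administrator action=EXPORT rows=500
2024-03-02 10:05:19 user=dcarter group=finance action=EXPORT rows=40
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"group=(?P<group>\S+) action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)

# TKU's rules as described in the notes (3 characters, no digit or special
# character required) beside a stricter policy for comparison.
TKU_POLICY = {"min_length": 3, "require_digit": False, "require_special": False}
STRICT_POLICY = {"min_length": 12, "require_digit": True, "require_special": True}


def password_meets_policy(password, policy):
    """Return True if the password satisfies the given complexity policy."""
    if len(password) < policy["min_length"]:
        return False
    if policy["require_digit"] and not any(c.isdigit() for c in password):
        return False
    if policy["require_special"] and all(c.isalnum() for c in password):
        return False
    return True


def orphan_accounts(accounts):
    """Accounts created but never logged into; they still hold the generic
    initial password, so every one of them opens with the same secret."""
    return sorted(user for user, _, last_login, _, _ in accounts
                  if last_login is None)


def stale_passwords(accounts, today, max_age_days=90):
    """(user, age_in_days) for accounts whose password is older than max_age_days."""
    stale = []
    for user, _, _, changed, _ in accounts:
        age = (today - date.fromisoformat(changed)).days
        if age > max_age_days:
            stale.append((user, age))
    return sorted(stale)


def suspicious_exports(log_text, privileged_groups=("administrator",),
                       business_hours=(time(7, 0), time(19, 0)),
                       row_threshold=250):
    """Flag EXPORT actions by privileged accounts that happen outside
    business hours or move at least row_threshold rows."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "EXPORT" or m["group"] not in privileged_groups:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        off_hours = not (business_hours[0] <= ts.time() < business_hours[1])
        bulk = int(m["rows"]) >= row_threshold
        if off_hours or bulk:
            reason = "off-hours" if off_hours else "bulk"
            findings.append((m["user"], m["ts"], int(m["rows"]), reason))
    return findings


def run_audit(today=date(2024, 3, 3)):
    """Run every check against the constructed data and return the findings."""
    return {
        "orphans": orphan_accounts(ACCOUNTS),
        "stale": stale_passwords(ACCOUNTS, today),
        "exports": suspicious_exports(AUDIT_LOG),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```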
The Implication:
TKU was very lucky with the outcome of the data breach. Only five hundred
students had their information compromised. While any loss of PII is
unfortunate, high-profile data breaches, such as the ones at TJX, show how
losing large amounts of data can be very costly to an institution.
TKU estimated that the tangible costs associated with the breach amounted
to over $600,000. However, TKU will never know how the breach
affected the university’s reputation.
The role of security policies in an organization: What to Keep in
Mind
Ensure the security policies are enforceable
It is important that everyone from the CEO down to the newest of
employees comply with the policies. If upper management doesn’t comply
with the security policies and the consequences of non-compliance with
the policy are not enforced, then mistrust and apathy toward compliance
with the policy can plague your organization. An important element of
making security policies enforceable is to ensure that everyone reads and
acknowledges the security policies (often by signing a statement to that effect).
Many security policies state that non-compliance with the policy can lead
to administrative actions up to and including termination of employment,
but if the employee does not acknowledge this statement, then the
enforceability of the policy is weakened.
Other Important Factors to Keep in Mind When Writing an
Information Security Policy
Understand how policy exceptions are handled
Make your security policies brief and succinct
Information Security: Organization Structure, Roles, and
Responsibilities
As stated earlier, it is imperative that individual roles, responsibilities, and
authority are clearly communicated and understood by all, and that an
organization assigns and communicates security-related functions to
designated employees, in order for the organization to have a successfully
performing information security team. The following is an example
outline of the various functional roles and associated responsibilities that
make up a standard information security team structure and can help a new
organization develop one.
Executive Management: Assigned overall responsibility for information
security; should include specific organizational roles such as the CISO
(Chief Information Security Officer), CTO (Chief Technology Officer), CRO
(Chief Risk Officer), CSO (Chief Security Officer), etc. These executive-level
roles are generally responsible for overseeing the enterprise information
security strategy that ensures information assets are protected.
Information System Security Professionals: Responsible for the design,
implementation, management, and review of the organization’s security
policies, standards, baselines, procedures, and guidelines. Examples of
these roles can include but are not limited to the following: IT security
manager, IT risk management manager, compliance manager, IT security
analyst, etc.
Data Owners: Owners (data owners, information owners, system owners
who have budgetary authority); responsible for:
• Ensuring that appropriate security—consistent with the organization’s
security policy—is implemented in their information systems
• Determining appropriate sensitivity or classification levels
• Determining access privileges
Data Custodians: A function that has “custody” of the systems/databases,
which do not necessarily belong to them, for any period of time. Usually network
administration or operations (those who normally operate the systems for
the owners).
Users: Responsible for using resources and preserving the availability,
integrity, and confidentiality of assets; responsible for adhering to security
policy.
Information Security Auditors (ISA): Responsible for:
• Providing independent assurance to management on the
appropriateness of the security objectives
• Determining whether the security policy, standards, baselines,
procedures, and guidelines are appropriate and effective to comply
with the organization’s security objectives
• Identifying whether the objectives and controls are being achieved

Information Assurance and Service Development Life Cycle

An information assurance and service development life cycle refers to a
structured process that incorporates information security considerations
throughout the entire lifecycle of a service development project, from
initial planning to deployment and maintenance, ensuring the
confidentiality, integrity, and availability of data at every stage.

Key aspects of this lifecycle:
Integration of security: Security practices like threat modeling, risk
assessment, secure coding, and vulnerability scanning are embedded into
each phase of the development process, not just added at the end.
Early security planning: Identifying potential security risks and
vulnerabilities during the requirement gathering stage allows for proactive
mitigation strategies.
Design for security: Architecting systems with security in mind, including
access controls, encryption, and data protection mechanisms.
Continuous monitoring and improvement: Regular security reviews and
updates throughout the service lifecycle to address emerging threats and
vulnerabilities.

Phases in an information assurance service development life cycle:
Initiation/Planning:
Define project goals and security requirements
Conduct risk assessments and threat modeling
Identify relevant security standards and compliance needs
Requirements Analysis:
Gather detailed functional and security requirements
Prioritize security controls based on risk analysis
Design and Development:
Design system architecture with security considerations
Implement secure coding practices
Conduct security reviews of design documents
Testing and Validation:
Perform security testing (e.g., penetration testing, vulnerability scanning)
Validate security controls against requirements
Deployment and Implementation:
Secure configuration management
User access control and training
Monitor for security incidents
Operations and Maintenance:
Ongoing security monitoring and incident response
Patch management and vulnerability remediation
Security updates and configuration changes as needed

Benefits of integrating information assurance into the service
development lifecycle:
Reduced security risks: Proactive identification and mitigation of
vulnerabilities throughout the development process
Improved system reliability: Building security into the system from the
beginning leads to a more robust and secure product
Cost efficiency: Avoiding costly security fixes later in the development cycle
Enhanced compliance: Meeting regulatory requirements by incorporating
necessary security controls

The Ethical and Legal Implications of Information Systems

Introduction

Information systems have had an impact far beyond the world of business.
New technologies create new situations that we have never dealt with
before. How do we handle the new capabilities that these devices
empower us with? What new laws are going to be needed to protect us
from ourselves? This chapter will kick off with a discussion of the impact of
information systems on how we behave (ethics). This will be followed with
the new legal structures being put in place, with a focus on intellectual
property and privacy.

Information Systems Ethics

The term ethics is defined as “a set of moral principles” or “the principles
of conduct governing an individual or a group.”[1] Since the dawn of
civilization, the study of ethics and their impact has fascinated mankind.
But what do ethics have to do with information systems?

The introduction of new technology can have a profound effect on human
behavior. New technologies give us capabilities that we did not have
before, which in turn create environments and situations that have not
been specifically addressed in ethical terms. Those who master new
technologies gain new power; those who cannot or do not master them
may lose power. In 1913, Henry Ford implemented the first moving
assembly line to create his Model T cars. While this was a great step
forward technologically (and economically), the assembly line reduced the
value of human beings in the production process. The development of the
atomic bomb concentrated unimaginable power in the hands of one
government, who then had to wrestle with the decision to use it. Today’s
digital technologies have created new categories of ethical dilemmas.
For example, the ability to anonymously make perfect copies of digital
music has tempted many music fans to download copyrighted music for
their own use without making payment to the music’s owner. Many of
those who would never have walked into a music store and stolen a CD
find themselves with dozens of illegally downloaded albums.

Digital technologies have given us the ability to aggregate information
from multiple sources to create profiles of people. What would have taken
weeks of work in the past can now be done in seconds, allowing private
organizations and governments to know more about individuals than at
any time in history. This information has value, but also chips away at the
privacy of consumers and citizens.

Code of Ethics

One method for navigating new ethical waters is a code of ethics. A code
of ethics is a document that outlines a set of acceptable behaviors for a
professional or social group; generally, it is agreed to by all members of
the group. The document details different actions that are considered
appropriate and inappropriate.

A good example of a code of ethics is the Code of Ethics and Professional
Conduct of the Association for Computing Machinery,[2] an organization of
computing professionals that includes academics, researchers, and
practitioners. Here is a quote from the preamble:
Commitment to ethical professional conduct is expected of
every member (voting members, associate members, and
student members) of the Association for Computing
Machinery (ACM).
This Code, consisting of 24 imperatives formulated as
statements of personal responsibility, identifies the elements
of such a commitment. It contains many, but not all, issues
professionals are likely to face. Section 1 outlines
fundamental ethical considerations, while Section
2 addresses additional, more specific considerations of
professional conduct. Statements in Section 3 pertain more
specifically to individuals who have a leadership role, whether
in the workplace or in a volunteer capacity such as with
organizations like ACM. Principles involving compliance with
this Code are given in Section 4.

In the ACM’s code, you will find many straightforward ethical instructions,
such as the admonition to be honest and trustworthy. But because this is
also an organization of professionals that focuses on computing, there are
more specific admonitions that relate directly to information technology:
• No one should enter or use another’s computer system, software, or data
files without permission. One must always have appropriate approval
before using system resources, including communication ports, file space,
other system peripherals, and computer time.
• Designing or implementing systems that deliberately or inadvertently
demean individuals or groups is ethically unacceptable.
• Organizational leaders are responsible for ensuring that computer systems
enhance, not degrade, the quality of working life. When implementing a
computer system, organizations must consider the personal and
professional development, physical safety, and human dignity of all
workers. Appropriate human-computer ergonomic standards should be
considered in system design and in the workplace.

One of the major advantages of creating a code of ethics is that it clarifies
the acceptable standards of behavior for a professional group. The varied
backgrounds and experiences of the members of a group lead to a variety
of ideas regarding what is acceptable behavior. While to many the
guidelines may seem obvious, having these items detailed provides clarity
and consistency. Explicitly stating standards communicates the common
guidelines to everyone in a clear manner.

Having a code of ethics can also have some drawbacks. First of all, a code
of ethics does not have legal authority; in other words, breaking a code of
ethics is not a crime in itself. So what happens if someone violates one of
the guidelines? Many codes of ethics include a section that describes how
such situations will be handled. In many cases, repeated violations of the
code result in expulsion from the group.

In the case of ACM: “Adherence of professionals to a code of ethics is
largely a voluntary matter. However, if a member does not follow this code
by engaging in gross misconduct, membership in ACM may be
terminated.” Expulsion from ACM may not have much of an impact on
many individuals, since membership in ACM is usually not a requirement
for employment. However, expulsion from other organizations, such as a
state bar organization or medical board, could carry a huge impact.

Another possible disadvantage of a code of ethics is that there is always a
chance that important issues will arise that are not specifically addressed
in the code. Technology is quickly changing, and a code of ethics might
not be updated often enough to keep up with all of the changes. A good
code of ethics, however, is written in a broad enough fashion that it can
address the ethical issues of potential changes to technology while the
organization behind the code makes revisions.

Finally, a code of ethics could also be a disadvantage in that it may
not entirely reflect the ethics or morals of every member of the group.
Organizations with a diverse membership may have internal conflicts as to
what is acceptable behavior. For example, there may be a difference of
opinion on the consumption of alcoholic beverages at company events. In
such cases, the organization must make a choice about the importance of
addressing a specific behavior in the code.

Sidebar: Acceptable Use Policies

Many organizations that provide technology services to a group of
constituents or the public require agreement to an acceptable use policy
(AUP) before those services can be accessed. Similar to a code of ethics,
this policy outlines what is allowed and what is not allowed while someone
is using the organization’s services. An everyday example of this is the
terms of service that must be agreed to before using the public Wi-Fi at
Starbucks, McDonald’s, or even a university. Here is an example of an
acceptable use policy from Virginia Tech.

Just as with a code of ethics, these acceptable use policies specify what is
allowed and what is not allowed. Again, while some of the items listed are
obvious to most, others are not so obvious:
• “Borrowing” someone else’s login ID and password is prohibited.
• Using the provided access for commercial purposes, such as hosting your
own business website, is not allowed.
• Sending out unsolicited email to a large group of people is prohibited.

Also as with codes of ethics, violations of these policies have various
consequences. In most cases, such as with Wi-Fi, violating the acceptable
use policy will mean that you will lose your access to the resource. While
losing access to Wi-Fi at Starbucks may not have a lasting impact, a
university student getting banned from the university’s Wi-Fi (or possibly
all network resources) could have a large impact.

Intellectual Property

One of the domains that has been deeply impacted by digital
technologies is intellectual property. Digital technologies
have driven a rise in new intellectual property claims and made it much
more difficult to defend intellectual property.

Intellectual property is defined as “property (as an idea, invention, or
process) that derives from the work of the mind or intellect.” This could
include creations such as song lyrics, a computer program, a new type of
toaster, or even a sculpture.

Practically speaking, it is very difficult to protect an idea. Instead,
intellectual property laws are written to protect the tangible results of an
idea. In other words, just coming up with a song in your head is not
protected, but if you write it down it can be protected.

Protection of intellectual property is important because it gives people an
incentive to be creative. Innovators with great ideas will be more likely to
pursue those ideas if they have a clear understanding of how they will
benefit. In the US Constitution, Article 8, Section 8, the authors saw fit to
recognize the importance of protecting creative works:
Congress shall have the power . . . To promote the Progress
of Science and useful Arts, by securing for limited Times to
Authors and Inventors the exclusive Right to their respective
Writings and Discoveries.

An important point to note here is the “limited time” qualification. While
protecting intellectual property is important because of the incentives it
provides, it is also necessary to limit the amount of benefit that can be
received and allow the results of ideas to become part of the public
domain.

Outside of the US, intellectual property protections vary. You can find out
more about a specific country’s intellectual property laws by visiting
the World Intellectual Property Organization.

In the following sections we will review three of the best-known intellectual
property protections: copyright, patent, and trademark.

Copyright

Copyright is the protection given to songs, computer programs, books,
and other creative works; any work that has an “author” can be
copyrighted. Under the terms of copyright, the author of a work controls
what can be done with the work, including:
• Who can make copies of the work.
• Who can make derivative works from the original work.
• Who can perform the work publicly.
• Who can display the work publicly.
• Who can distribute the work.

Many times, a work is not owned by an individual but is instead owned by
a publisher with whom the original author has an agreement. In return for
the rights to the work, the publisher will market and distribute the work
and then pay the original author a portion of the proceeds.

Copyright protection lasts for the life of the original author plus seventy
years. In the case of a copyrighted work owned by a publisher or another
third party, the protection lasts for ninety-five years from the original
creation date. For works created before 1978, the protections vary
slightly. You can see the full details on copyright protections by
reviewing the Copyright Basics document available at the US Copyright
Office’s website.

Obtaining Copyright Protection

In the United States, a copyright is obtained by the simple act of creating
the original work. In other words, when an author writes down that song,
makes that film, or designs that program, he or she automatically has the
copyright. However, for a work that will be used commercially, it is
advisable to register for a copyright with the US Copyright Office. A
registered copyright is needed in order to bring legal action against
someone who has used a work without permission.

First Sale Doctrine

If an artist creates a painting and sells it to a collector who then, for
whatever reason, proceeds to destroy it, does the original artist have any
recourse? What if the collector, instead of destroying it, begins making
copies of it and sells them? Is this allowed? The first sale doctrine is a part
of copyright law that addresses this, as shown below:
The first sale doctrine, codified at 17 U.S.C. § 109, provides that an
individual who knowingly purchases a copy of a copyrighted work
from the copyright holder receives the right to sell, display or
otherwise dispose of that particular copy, notwithstanding the
interests of the copyright owner.

So, in our examples, the copyright owner has no recourse if the collector
destroys her artwork. But the collector does not have the right to make
copies of the artwork.

Fair Use

Another important provision within copyright law is that of fair use. Fair
use is a limitation on copyright law that allows for the use of protected
works without prior authorization in specific cases. For example, if a
teacher wanted to discuss a current event in her class, she could pass out
copies of a copyrighted news story to her students without first getting
permission. Fair use is also what allows a student to quote a small portion
of a copyrighted work in a research paper.

Unfortunately, the specific guidelines for what is considered fair use and
what constitutes copyright violation are not well defined. Fair use is a well-
known and respected concept and will only be challenged when copyright
holders feel that the integrity or market value of their work is being
threatened.

The following four factors are considered when determining if
something constitutes fair use:
1. The purpose and character of the use, including whether such use is of
commercial nature or is for nonprofit educational purposes;
2. The nature of the copyrighted work;
3. The amount and substantiality of the portion used in relation to the
copyrighted work as a whole;
4. The effect of the use upon the potential market for, or value of, the
copyrighted work.

If you are ever considering using a copyrighted work as part of something
you are creating, you may be able to do so under fair use. However, it is
always best to check with the copyright owner to be sure you are staying
within your rights and not infringing upon theirs.

The History of Copyright Law

As noted above, current copyright law grants copyright protection for
seventy years after the author’s death, or ninety-five years from the date
of creation for a work created for hire. But it was not always this way.

The first US copyright law, which only protected books, maps, and charts,
provided protection for only 14 years with a renewable term of 14 years.
Over time, copyright law was revised to grant protections to other forms of
creative expression, such as photography and motion pictures. Congress
also saw fit to extend the length of the protections, as shown in the chart
below. Today, copyright has become big business, with many businesses
relying on copyright-protected works for their income.

Many now think that the protections last too long. The Sonny Bono
Copyright Term Extension Act has been nicknamed the “Mickey Mouse
Protection Act,” as it was enacted just in time to protect the copyright on
the Walt Disney Company’s Mickey Mouse character. Because of this term
extension, many works from the 1920s and 1930s that would have been
available now in the public domain are not available.

The Digital Millennium Copyright Act

As digital technologies have changed what it means to create, copy, and
distribute media, a policy vacuum has been created. In 1998, the US
Congress passed the Digital Millennium Copyright Act (DMCA), which
extended copyright law to take into consideration digital technologies.
Two of the best-known provisions from the DMCA are the anti-
circumvention provision and the “safe harbor” provision.
• The anti-circumvention provision makes it illegal to create technology to
circumvent technology that has been put in place to protect a copyrighted
work. This provision includes not just the creation of the technology but
also the publishing of information that describes how to do it. While this
provision does allow for some exceptions, it has become quite
controversial and has led to a movement to have it modified.
• The “safe harbor” provision limits the liability of online service providers
when someone using their services commits copyright infringement. This
is the provision that allows YouTube, for example, not to be held liable
when someone posts a clip from a copyrighted movie. The provision does
require the online service provider to take action when they are notified of
the violation (a “takedown” notice). For an example of how takedown
works, here’s how YouTube handles these requests: YouTube Copyright
Infringement Notification.

Many think that the DMCA goes too far and ends up limiting our freedom
of speech. The Electronic Frontier Foundation (EFF) is at the forefront of
this battle. For example, in discussing the anti-circumvention provision,
the EFF states:
Yet the DMCA has become a serious threat that jeopardizes fair use,
impedes competition and innovation, chills free expression and
scientific research, and interferes with computer intrusion laws. If
you circumvent DRM [digital rights management] locks for non-
infringing fair uses or create the tools to do so you might be on the
receiving end of a lawsuit.

Creative Commons

Open-source software has few or no copyright restrictions; the creators of
the software publish their code and make their software available for
others to use and distribute for free. This is great for software, but what
about other forms of copyrighted works? If an artist or writer wants to
make their works available, how can they go about doing so while still
protecting the integrity of their work? Creative Commons is the solution to
this problem.

Creative Commons is a nonprofit organization that provides legal tools for
artists and authors. The tools offered make it simple to license artistic or
literary work for others to use or distribute in a manner consistent with the
author’s intentions. Creative Commons licenses are indicated with the
CC symbol. It is important to note that Creative Commons and public
domain are not the same. When something is in the public domain, it has
absolutely no restrictions on its use or distribution. Works whose
copyrights have expired, for example, are in the public domain.

By using a Creative Commons license, authors can control the use of their
work while still making it widely accessible. By attaching a Creative
Commons license to their work, a legally binding license is created. Here
are some examples of these licenses:
• CC-BY: This is the least restrictive license. It lets others distribute and
build upon the work, even commercially, as long as they give the author
credit for the original work.
• CC-BY-SA: This license restricts the distribution of the work via the “share-
alike” clause. This means that others can freely distribute and build upon
the work, but they must give credit to the original author and they must
share using the same Creative Commons license.
• CC-BY-NC: This license is the same as CC-BY but adds the restriction that
no one can make money with this work. NC stands for “non-commercial.”
• CC-BY-NC-ND: This license is the same as CC-BY-NC but also adds the ND
restriction, which means that no derivative works may be made from the
original.

These are a few of the more common licenses that can be created using
the tools that Creative Commons makes available. For a full listing of the
licenses, and to learn much more, see the Creative Commons website.

Patent

Another important form of intellectual property protection is the patent. A
patent creates protection for someone who invents a new product or
process. The definition of invention is quite broad and covers many
different fields. Here are some examples of items receiving patents:
• circuit designs in semiconductors;
• prescription drug formulas;
• firearms;
• locks;
• plumbing;
• engines;
• coating processes; and
• business processes.

Once a patent is granted, it provides the inventor with protection from
others infringing on his or her patent. A patent holder has the right to
“exclude others from making, using, offering for sale, or selling the
invention throughout the United States or importing the invention into the
United States for a limited time in exchange for public disclosure of the
invention when the patent is granted.”

As with copyright, patent protection lasts for a limited period of time
before the invention or process enters the public domain. In the US, a
patent lasts twenty years. This is why generic drugs are available to
replace brand-name drugs after twenty years.

Obtaining Patent Protection

Unlike copyright, a patent is not automatically granted when someone has
an interesting idea and writes it down. In most countries, a patent
application must be submitted to a government patent office. A patent will
only be granted if the invention or process being submitted meets certain
conditions:
• It must be original. The invention being submitted must not have been
submitted before.
• It must be non-obvious. You cannot patent something that anyone could
think of. For example, you could not put a pencil on a chair and try to get
a patent for a pencil-holding chair.
• It must be useful. The invention being submitted must serve some
purpose or have some use that would be desired.

The job of the patent office is to review patent applications to ensure that
the item being submitted meets these requirements. This is not an easy
job: in 2012, the US Patent Office received 576,763 patent applications
and granted 276,788 patents. The current backlog for a patent approval is
18.1 months. Over the past fifty years, the number of patent applications
has risen from just 100,000 a year to almost 600,000; digital technologies
are driving much of this innovation.

Trademark

A trademark is a word, phrase, logo, shape or sound that identifies a
source of goods or services. For example, the Nike “Swoosh,” the
Facebook “f”, and Apple’s apple (with a bite taken out of it) are all
trademarked. The concept behind trademarks is to protect the consumer.
Imagine going to the local shopping center to purchase a specific item
from a specific store and finding that there are several stores all with the
same name!

Two types of trademarks exist – a common-law trademark and a
registered trademark. As with copyright, an organization will automatically
receive a trademark if a word, phrase, or logo is being used in the normal
course of business (subject to some restrictions, discussed below). A
common-law trademark is designated by placing “TM” next to the
trademark. A registered trademark is one that has been examined,
approved, and registered with the trademark office, such as the Patent
and Trademark Office in the US. A registered trademark has the circle-R
(®) placed next to the trademark.

While most any word, phrase, logo, shape, or sound can be trademarked,
there are a few limitations. A trademark will not hold up legally if it meets
one or more of the following conditions:
• The trademark is likely to cause confusion with a mark in a registration or
prior application.
• The trademark is merely descriptive for the goods/services. For example,
trying to register the trademark “blue” for a blue product you are selling
will not pass muster.
• The trademark is a geographic term.
• The trademark is a surname. You will not be allowed to trademark
“Smith’s Bookstore.”
• The trademark is ornamental as applied to the goods. For example, a
repeating flower pattern that is a design on a plate cannot be
trademarked.

As long as an organization uses its trademark and defends it against
infringement, the protection afforded by it does not expire. Because of
this, many organizations defend their trademark against other companies
whose branding even only slightly copies their trademark. For
example, Chick-fil-A has trademarked the phrase “Eat Mor Chikin” and
has vigorously defended it against a small business using the slogan “Eat
More Kale.” Coca-Cola has trademarked the contour shape of its bottle
and will bring legal action against any company using a bottle design
similar to theirs. Examples of trademarks that have been diluted and
have now lost their protection in the US are “aspirin” (originally
trademarked by Bayer), “escalator” (originally trademarked by Otis), and
“yo-yo” (originally trademarked by Duncan).

Information Systems and Intellectual Property

The rise of information systems has forced us to rethink how we deal with
intellectual property. From the increase in patent applications swamping
the government’s patent office to the new laws that must be put in place
to enforce copyright protection, digital technologies have impacted our
behavior.

Privacy

The term privacy has many definitions, but for our purposes, privacy will
mean the ability to control information about oneself. Our ability to
maintain our privacy has eroded substantially in the past decades, due to
information systems.

Personally Identifiable Information

Information about a person that can be used to uniquely establish that
person’s identity is called personally identifiable information, or PII. This is
a broad category that includes information such as:
• name;
• social security number;
• date of birth;
• place of birth;
• mother’s maiden name;
• biometric records (fingerprint, face, etc.);
• medical records;
• educational records;
• financial information; and
• employment information.

Organizations that collect PII are responsible for protecting it. The
Department of Commerce recommends that “organizations minimize the
use, collection, and retention of Personally Identifiable Information or PII to
what is strictly necessary to accomplish their business purpose and
mission.” They go on to state that “the likelihood of harm caused by a
breach involving PII is greatly reduced if an organization minimizes the
amount of PII it uses, collects, and stores.” Organizations that do not
protect Personally Identifiable Information or PII can face penalties,
lawsuits, and loss of business. In the US, most states now have laws in
place requiring organizations that have had security breaches related to
PII to notify potential victims, as does the European Union.

Just because companies are required to protect your information does not
mean they are restricted from sharing it. In the US, companies can share
your information without your explicit consent (see sidebar below), though
not all do so. Companies that collect PII are urged by the FTC to create a
privacy policy and post it on their website. The state of California requires
a privacy policy for any website that does business with a resident of the
state.

While the privacy laws in the US seek to balance consumer protection with
promoting commerce, in the European Union privacy is considered a
fundamental right that outweighs the interests of commerce. This has led
to much stricter privacy protection in the EU, but also makes commerce
more difficult between the US and the EU.

Non-Obvious Relationship Awareness

Digital technologies have given us many new capabilities that simplify and
expedite the collection of personal information. Every time we come into
contact with digital technologies, information about us is being made
available. From our location to our web-surfing habits, our criminal record
to our credit report, we are constantly being monitored. This information
can then be aggregated to create profiles of each and every one of us.
While much of the information collected was available in the past,
collecting it and combining it took time and effort. Today, detailed
information about us is available for purchase from different companies.
Even information not categorized as PII can be aggregated in such a way
that an individual can be identified.

This process of collecting large quantities of a variety of information and
then combining it to create profiles of individuals is known as non-obvious
relationship awareness, or NORA. First commercialized by big casinos
looking to find cheaters, NORA is used by both government agencies and
private organizations, and it is big business.
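The aggregation risk described in the NORA paragraphs above, and the Department of Commerce minimization advice quoted in the PII section, as an added Python example. This is not code from the lecture notes or from any named organization; the six records, the field names, and the "purpose fields" list are constructed assumptions. It shows that a small set of fields which are not PII on their own (ZIP code, date of birth, sex) can still single out every person in a dataset, and that collecting only what the stated purpose needs, and coarsening what is kept, removes that property.

```python
"""Measuring the aggregation risk behind NORA and applying PII minimization.

Added example for these lecture notes. The records, field names and the
purpose-field list are constructed assumptions, not real data and not any
organization's actual policy.
"""
from collections import Counter

# Constructed sample records. ZIP code, date of birth and sex are not PII on
# their own, but together they act as "quasi-identifiers".
RECORDS = [
    {"name": "Person A", "zip": "24061", "dob": "1990-04-12", "sex": "F",
     "diagnosis": "asthma", "email": "a@example.org"},
    {"name": "Person B", "zip": "24060", "dob": "1990-11-30", "sex": "F",
     "diagnosis": "flu", "email": "b@example.org"},
    {"name": "Person C", "zip": "24061", "dob": "1985-02-01", "sex": "M",
     "diagnosis": "asthma", "email": "c@example.org"},
    {"name": "Person D", "zip": "24073", "dob": "1985-07-19", "sex": "M",
     "diagnosis": "diabetes", "email": "d@example.org"},
    {"name": "Person E", "zip": "22030", "dob": "1978-09-09", "sex": "F",
     "diagnosis": "flu", "email": "e@example.org"},
    {"name": "Person F", "zip": "22031", "dob": "1978-01-23", "sex": "F",
     "diagnosis": "asthma", "email": "f@example.org"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def _key(record, fields):
    """The tuple of quasi-identifier values for one record."""
    return tuple(record[f] for f in fields)


def singled_out(records, fields=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination appears only once.

    Such a record can be tied to one person by anyone who holds another
    dataset containing the same fields, which is the kind of aggregation
    the notes describe as NORA."""
    counts = Counter(_key(r, fields) for r in records)
    return [r for r in records if counts[_key(r, fields)] == 1]


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing one quasi-identifier combination.

    k == 1 means at least one person is uniquely identifiable from these
    fields alone; larger k means every combination hides among k people."""
    counts = Counter(_key(r, fields) for r in records)
    return min(counts.values()) if counts else 0


def minimize(record, purpose_fields):
    """Keep only the fields the stated purpose needs, and coarsen the
    quasi-identifiers that are kept (3-digit ZIP prefix, birth year).

    Fields not listed (here: name, email) are dropped entirely, so a breach
    of the minimized copy exposes less, following the "strictly necessary"
    guidance quoted in the notes."""
    out = {}
    for f in purpose_fields:
        if f == "zip":
            out["zip3"] = record["zip"][:3]
        elif f == "dob":
            out["birth_year"] = record["dob"][:4]
        else:
            out[f] = record[f]
    return out


def minimize_dataset(records, purpose_fields):
    """Apply minimize() to every record in the dataset."""
    return [minimize(r, purpose_fields) for r in records]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS),
          "| records singled out:", len(singled_out(RECORDS)))
    # Assumed purpose: a public-health statistic that needs only these fields.
    reduced = minimize_dataset(RECORDS, ("zip", "dob", "sex", "diagnosis"))
    coarse = ("zip3", "birth_year", "sex")
    print("minimized k =", k_anonymity(reduced, coarse),
          "| records singled out:", len(singled_out(reduced, coarse)))
```

Run as a script, the raw dataset reports k = 1 with all six records singled out, while the minimized copy reports k = 2 with none singled out. The k value is a coarse measure only: the diagnosis column is still sensitive data, and if everyone in one group shared the same diagnosis the group itself would reveal it, so minimization is a complement to the access controls and breach-notification duties the notes describe, not a substitute for them.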

Non-obvious relationship awareness (NORA)

In some settings, NORA can bring many benefits, such as in law
enforcement. By being able to identify potential criminals more quickly,
crimes can be solved more quickly or even prevented before they happen.
But these advantages come at a price: our privacy.

Restrictions on Record Collecting

In the US, the government has strict guidelines on how much information
can be collected about its citizens. Certain classes of information have
been restricted by laws over time, and the advent of digital tools has
made these restrictions more important than ever.

Children’s Online Privacy Protection Act

Websites that are collecting information from children under the age of
thirteen are required to comply with the Children’s Online Privacy
Protection Act (COPPA), which is enforced by the Federal Trade
Commission (FTC). To comply with COPPA, organizations must make a
good-faith effort to determine the age of those accessing their websites
and, if users are under thirteen years old, must obtain parental consent
before collecting any information.

Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA) is a US law that
protects the privacy of student education records. In brief, this law
specifies that parents have a right to their child’s educational information
until the child reaches either the age of eighteen or begins attending
school beyond the high school level. At that point, control of the
information is given to the child. While this law is not specifically about the
digital collection of information on the Internet, the educational
institutions that are collecting student information are at a higher risk for
disclosing it improperly because of digital technologies.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is
the law that specifically singles out records related to health care as a
special class of personally identifiable information. This law gives patients
specific rights to control their medical records, requires health care
providers and others who maintain this information to get specific
permission in order to share it, and imposes penalties on the institutions
that breach this trust. Since much of this information is now shared via
electronic medical records, the protection of those systems becomes
paramount.
