-
Notifications
You must be signed in to change notification settings - Fork 148
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IP records protection #86
Comments
To note: version control systems (e.g cvs, git, subversion) and document version systems (e.g livelink, sharepoint) qualify as the means of control - both for document storage and for access. That doesn't solve your 3rd point or WIP, especially when letting someone go for any reason; but hope that answers the general case at least. |
@BenjamenMeyer I agree that those tools you mention would get the job done of maintaining records about development. Still, those are tools used for collaboration provided by the company (it's not usual that an employee will deploy those by himself). So it seems that you support my idea that you shouldn't ask the employee to keep those records, as that is a company's responsibility (for its interest and responsibility). Do you agree? |
Correct, the employer deploys them, but work product in those tools are not tied to an individuals system. Worse case the employer may lose a small amount of WIP (work in progress), but generally nothing major.
Yes I do agree. Though there is a balance between what is stored in those tools and WIP. When properly struck, the WIP won't generally matter. Often before someone is let go (layoffs, fired, etc) they are cutoff from those tools to ensure they can't do any damage; the WIP is considered loss and replaceable since allowing them to commit it may create a worse situation for the company than merely redoing the work. OTOH someone that voluntarily leaves is asked to make sure all their WIP is completed and checked in and transfer knowledge to others as part of the off-boarding process. |
In section "7. Cooperation" I read:
I think that giving the responsibility for IP record protection to the employee poses the company at risk for different reasons:
1.- Looking at ISO 27002, there is a security control regarding records "18.1.3 Protection of records". That control begins with:
"Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements."
If there are records relevant to the company regarding IP, the company should require the employee to provide them to the company while at work. By doing so, the company can perform a proper backup of that information, and avoid the employee (or future ex-employee) from losing it.
2.- There is another ISO 27002 security control which which gives a hint about what should be considered when an employee is fired, "9.2.6 Removal or adjustment of access rights". That control ends with:
"In cases of management-initiated termination, disgruntled employees or external party users can deliberately corrupt information or sabotage information processing facilities."
Again, you can't trust a former employee with keeping those records for the company's good.
3.- Again, thinking about information security, there is another security control affected here, "8.1.4 Return of assets". That gives more hints:
"In cases where an employee or external party user purchases the organization’s equipment or uses their own personal equipment, procedures should be followed to ensure that all relevant information is transferred to the organization and securely erased from the equipment (see 11.2.7).
In cases where an employee or external party user has knowledge that is important to ongoing operations, that information should be documented and transferred to the organization.
During the notice period of termination, the organization should control unauthorized copying of relevant information (e.g. intellectual property) by terminated employees and contractors."
Maybe what BEIA proposes sounds good if we are talking that the employee works on open source projects for the employer, and that he works on personal open source projects at the same time. But BEIA says "But BEIPA is not specific to open source", and then we can go into problems (from my point of view).
These are just a few that come to my mind to support my suggestion: it is a VERY BAD idea to delegate IP record management on employees.
The text was updated successfully, but these errors were encountered: