Asset ownership is one of the primary issues in information security. After taking inventory of its information assets, your organization is reviewing their ownership. Which of the following has the least ownership controversy?
A. Commercial-Off-The-Shelf (COTS) software
B. Original equipment manufacturer’s (OEM) production parameters or formula
C. Customer profile
D. Inventions of research and development



My suggested answer is A. Commercial-Off-The-Shelf (COTS) software.

It is crystal clear that you own the “box” and the “media” (CD) of the COTS software. In other words, in most cases when you purchase COTS software, you are licensed to use it, but you don’t own it. Ownership controversy over COTS software is rare.

Original equipment manufacturers typically produce products according to the customer’s requirements. Customers may provide OEMs with a formula and require that OEMs not use the production parameters for other purposes. If the ownership of the parameters or formula is not addressed in the contract, it may become controversial.

Customer profiles are typically classified as personal data, which relates to privacy. Organizations that collect customer profiles or personal data don’t necessarily own them. GDPR and ISO standards tend to use the term “controller” for the party that determines the purpose and holds the accountability. Are organizations the owner or the controller of personal data? There are different perspectives.

Inventions of research and development often become controversial if the ownership is not appropriately addressed. For example, if an organization participates in a joint research and development project involving two parties, who will be the patent owner of the invention or finding?


