Control 5.32 : Intellectual Property Rights


Summary

The organization should implement appropriate procedures to protect intellectual property rights. This ensures that both the organization's proprietary information and the licensed software or data of third parties are used in compliance with legal and contractual obligations.


Applicability

In-Scope: Mandatory for protecting the organization's unique value (code, designs, trade secrets) and avoiding the legal risks of using unlicensed software.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Digital Rights Management: Use Microsoft Purview Information Protection to apply encryption and usage rights that prevent the unauthorized copying or printing of proprietary documents.

  • Software Compliance: Utilize Microsoft Intune to inventory installed software and ensure only authorized, licensed applications are present on company devices.

  • Source Code Protection: Secure repositories in GitHub or Azure DevOps using Entra ID authentication and conditional access to prevent unauthorized leakage of proprietary code.
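The software-compliance bullet above, and the "Software Inventory" item in the evidence checklist, describe one reconciliation: compare what the device-management inventory says is installed against the license entitlement records, and flag anything unlicensed or deployed on more devices than seats purchased. The following Python is an added worked example of that reconciliation, not code from this page or from Microsoft; the CSV snippets are constructed sample data and their column names (`device`, `application`, `version`, `seats`) are assumptions, not Intune's real export format.

```python
"""Reconcile a software inventory export against license entitlement records.

Added example for ISO 27001 control 5.32. The two CSV blocks below are
constructed samples; the column layout is an assumption, not an Intune format.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: one row per (device, installed application), in the
# shape a device-management inventory export might take (columns assumed).
INVENTORY_CSV = """device,application,version
LAPTOP-001,Contoso Office Suite,16.0
LAPTOP-002,Contoso Office Suite,16.0
LAPTOP-003,Contoso Office Suite,16.0
LAPTOP-001,Fabrikam CAD,2024
LAPTOP-002,Fabrikam CAD,2024
LAPTOP-003,Fabrikam CAD,2024
LAPTOP-004,fabrikam cad,2023
LAPTOP-004,Unknown Torrent Client,1.2
"""

# Constructed sample: license entitlement records (seats purchased per product).
ENTITLEMENTS_CSV = """application,seats
Contoso Office Suite,5
Fabrikam CAD,3
"""


@dataclass(frozen=True)
class Finding:
    application: str
    kind: str            # "unlicensed" (no entitlement) or "over_deployed"
    installed: int       # distinct devices with the application present
    entitled: int        # seats on record (0 when no entitlement exists)
    devices: tuple       # sorted device names, for the audit evidence trail


def _key(name):
    # Normalise whitespace and case so "Fabrikam CAD" and "fabrikam cad"
    # reconcile to the same product instead of producing a spurious finding.
    return " ".join(name.split()).casefold()


def load_inventory(text):
    """Return {normalised app name: (display name, set of device names)}.

    Devices are collected in a set so that two versions of the same product
    on one device count as a single installed seat.
    """
    per_app = {}
    for row in csv.DictReader(io.StringIO(text)):
        _, devices = per_app.setdefault(
            _key(row["application"]), (row["application"].strip(), set())
        )
        devices.add(row["device"].strip())
    return per_app


def load_entitlements(text):
    """Return {normalised app name: purchased seat count}."""
    return {
        _key(row["application"]): int(row["seats"])
        for row in csv.DictReader(io.StringIO(text))
    }


def reconcile(inventory_text, entitlements_text):
    """Flag applications with no entitlement or more installs than seats."""
    installed = load_inventory(inventory_text)
    entitled = load_entitlements(entitlements_text)
    findings = []
    for key in sorted(installed):
        name, devices = installed[key]
        count = len(devices)
        seats = entitled.get(key)
        if seats is None:
            findings.append(Finding(name, "unlicensed", count, 0, tuple(sorted(devices))))
        elif count > seats:
            findings.append(Finding(name, "over_deployed", count, seats, tuple(sorted(devices))))
    return findings


if __name__ == "__main__":
    for f in reconcile(INVENTORY_CSV, ENTITLEMENTS_CSV):
        print(f"{f.kind:14} {f.application}: {f.installed} installed, "
              f"{f.entitled} entitled, devices={', '.join(f.devices)}")
```

On the sample data this reports "Fabrikam CAD" as over-deployed (four devices against three seats, with the lower-case row on LAPTOP-004 correctly folded into the same product) and the torrent client as unlicensed. In practice the inventory export and the entitlement list are the two artefacts an auditor asks for, so keeping the per-finding device list makes the output directly usable as evidence.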


Evidence Checklist

  • Intellectual Property Policy: A documented policy addressing the protection of IP and the use of licensed software.

  • Software Inventory: A list of all software in use with corresponding license entitlement records.

  • NDA Records: Evidence that employees and contractors have signed non-disclosure agreements.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How does the organization identify and track its own intellectual property assets?

  • What controls are in place to ensure that employees do not install unlicensed or pirated software on corporate assets?

  • How is intellectual property protected when it is shared with external partners or consultants?

  • Can you demonstrate the process for auditing software licenses to ensure the organization is not in violation of its agreements?