Protecting the Intellectual Properties of Biblica, the International Bible Society in a Digital Context

Purpose

The purpose of this document is to outline requirements for use of Biblica Intellectual Property (IP) by 3rd parties in digital contexts. Biblica, the copyright holder, authorizes the use of Biblica IP in particular contexts and for particular purposes. These requirements do not cover those use cases, but rather cover how those intellectual properties are to be protected when in use.

This document defines an approach for handling data and interactions with organizations that have rights to that data.

 

Goals

As with any security policy or recommendation, there are three goals: to maintain the confidentiality, integrity and availability (CIA) of the data and information in question.

Confidentiality in this context means that only those with the right to use Biblica IP may have access to it. Conversely, no unauthorized entity may gain access to Biblica IP.

Integrity for this recommendation is about maintaining the wholeness and consistency of Biblica IP such that attributions cannot be made about Biblica IP that are untrue.

Availability of Biblica IP is vital to the purposes of Biblica and our partners. The right people and agencies should have authorized access to Biblica IP, in accordance with the rights granted by Biblica.

 

Definitions

Application

In the context of this document, application is the usage of data. This can mean use within a software application, both server-side and client-side. It can also mean use as a source of information or as an electronic asset, such as in a database or within a file system.

Authorized Parties

3rd party organizations and/or individuals to whom Biblica has granted access and/or usage rights to Biblica IP. Usage rights are defined by licensing agreements which are separate from this document.

Data

For the purposes of this document, the data in question is the electronic form of Biblica IP stored or used in any way that could be used to reconstruct the copyrighted text of Biblica. This includes but is not limited to:

  • Storage on various media, e.g. within a database, on a computer hard drive, or in the cloud
  • In various data serialization forms, e.g. XML, JSON, Binary, Hex, ASN.1
  • In various character encodings, e.g. UTF-8, ASCII, UNICODE, ANSI

The data that represents Biblica IP is independent of the storage or usage mechanisms.

Due Care

Due care is the set of steps taken by a person, agency, or organization to show Biblica that they have taken the necessary precautions to protect Biblica’s intellectual property.

Due Diligence

Due diligence is the set of continual activities that make sure the appropriate protection mechanisms are enforced and operational.

Encryption

Encryption is the mechanism by which data confidentiality is maintained. Encryption tools and techniques are used to ensure that only the people and organizations with the right to certain information and data have access.

Requirement

All encryption should maintain a level of at least AES-256 encryption.

Biblica Intellectual Property

Biblica Intellectual Property (IP) includes original works owned by Biblica, the International Bible Society. This includes Bible translation texts, Bible audio, maps and other supplementary material, and other original copyrighted text and audio. Biblica has sole discretion in granting usage and publishing rights.

 

Usage & Dissemination

As Biblica IP is made available and distributed in various ways and forms, authorized parties should show due care and due diligence.

Requirement

Authorized parties should report on their due care and due diligence annually.

Authorized parties should be able to speak to their usage and handling of Biblica IP in such a way as to assure Biblica that they are aware of their responsibilities in protecting Biblica’s IP. Biblica may request this reporting annually by a means it chooses.

Requirement

Biblica will maintain a full, up-to-date record of all authorized parties and require authorized parties to declare any further distribution of the data to other authorized parties.

In order to maintain a basic level of control over the data and ensure due diligence and due care, Biblica must first know who has access to the data and in what ways.

 

Data at Rest

Requirement

Whenever the data is at rest, it should be encrypted. The data should also be protected by some mechanism that limits access to authorized parties.

Valid Approach Examples

When the data is stored in a database, the database may be encrypted and protected by username and password for access control.

When the data is stored within a file system, the disk drive may be encrypted and only accessible via username and password.

When stored on a file system, the data may be zipped into a file, encrypted, and protected by username and password.

 

Data in Transit (“on the wire”)

Requirement

Whenever the data is in transit, the data must be encrypted and accessible only to authorized parties.

Valid Approach Examples

Web services that make the data available should use SSL or TLS-based HTTPS connections with valid X.509 certificates, with access control established by client-side certificates.

Resource servers making the data available have access control managed by OAuth2 user authentication and authorization.

Access to remote databases is controlled by username and password, and connections are made via SSL or TLS-based sockets.

When non-encrypted networking is used, the data is transferred in an encrypted payload that is only accessible after being stored.

 

Auditing

Requirement

Any authorized party should be able to report on the access control list for the data and produce an audit report of access to the data when requested by Biblica.

 

Review

Recommendation

All authorized parties should review their security policies and practices to show due care and due diligence at least two times a year.

 

Overview of Recommendations for Authorized Parties

Whenever the data is at rest, it should be encrypted using AES-256 or better (see ISO 27001 standards for latest recommendations). Authentication and authorization should be controlled by an access control list (ACL).

Likewise, whenever the data is in transit, it should be encrypted using AES-256 or better. HTTP over SSL or TLS (HTTPS) is the recommended mechanism for the network transfer.

Authentication and authorization should be controlled by an access control list (ACL). Ideally, OAuth2 authentication is used, as this allows authentication and authorization to be separate from the resource itself.

Authorized parties should be ready, on request, to report on access to Biblica’s IP, especially if they are authorized to distribute the IP to other parties.

Authorized parties should review their due care and due diligence at least semi-annually. A report of this review should be copied to Biblica for its records.

 

Standards

  • ISO 27001
  • SANS
  • NIST Cyber Security Framework