Fri Apr 8 06:47:16 PDT 2016

Overarching: Protection model: What model is used to understand information protection issues?
Options:

Option 1: Use the enterprise information protection model.
Option 2: Use the archival protection model.
Option 3: Use a mandated information protection model.
Option 4: No information protection model will be used.

The enterprise information protection model:

Business model: Describes how the business works and the implications of protection failures.
Oversight: Identifies duties to protect based on interventions.
Business risk management: Considers duties in light of the business to determine what to protect and how well.
Governance and organization: Identifies how management causes protection to be measured, controlled, and actuated.
Control architecture: Models for protection approaches.
Technical security architecture and implementation: Defines the structure of technical measures and implements them.

(Elements of the enterprise information protection model)

Basis:

Information protection is formed by a combination of governance, activities, and technologies. Enterprise information protection governance has the same basic principles and operates within the same basic structures as other types of enterprise governance. But it has significant unique content, and requires individuals with specific skills and influence in order to be effective.

  • The information protection program starts with how the business works and ends with assuring the utility of content.
  • Oversight defines duties to protect.
  • Risk management turns these duties into decisions about risk acceptance, transfer, avoidance, and mitigation, and identifies what to protect and how well.
  • Executive security management then figures out how to protect and uses power and influence within organizations to provide control.
  • Organizational issues and business processes drive control architecture and interact with technical security architecture to affect the protection processes.
  • Control architecture defines and specifies the structure and nature of controls and what they do.
  • Technical security architecture details the mechanisms used to implement controls.
  • Protective mechanisms interact directly with people, things, and content to assure the utility of content.

Use the mandated information protection model: In some cases a protection model is mandated by outside forces. If so, apply that model in the context of this assessment process.

Use the enterprise information protection model:

[Figure: The information protection program model. Panels and their contents, as far as they are recoverable from the diagram text:
  • How does the business work? (type, size, purpose, functions, people, things, content, structure, mobility; promises, constraints, locations, maturity, failures, dependency, scope; sales, process, resource, supply, AR/AP, infrastructure, cost; market, workflow, transform, inventory, collections, services, shrinkage; brand, results, value, transport, write-offs, users, collapse; outsource, modeling)
  • Oversight: turns business needs into duties to protect (laws, owners, board, auditors, CEO)
  • Risk management: turns duties to protect into what to protect and how well (threats {capabilities & intents}; vulnerabilities {technical, human, organizational, structural}; consequences {brand, value, time, cost}; accept / transfer / avoid / mitigate; interdependencies among functions, people, applications, systems, physical systems, critical infrastructures; matching surety to risk)
  • Security management: uses power and influence to control the protection program (organizational governance, business processes, human actuators & sensors)
  • Control architecture: change control (R&D, test, change control, test, production); access facilitation (identification, authentication, authorization, use); trust (basis, purpose, extent); perimeters (structure and mechanism); functional units (I/O, control, audit, surety changes); control scheme (possession; clearance; roles/rules; owner authorized; subject-object)
  • Technical security architecture: protection processes (inventory, work flows, process; deter, prevent, detect, react, adapt); data state (at rest, in use, in motion); protective mechanisms by perception (obscurity, profile, appearance, deception, depiction, cognition), behavior (change, timeframe, fail-safe, fault tolerance, human, separation of duties, least privilege, intrusion/anomaly detection and response), structure (control and data flows, digital diodes, firewalls and bypasses, barriers, mandatory / discretionary access controls, zoning), and content (transforms, filters, markings, syntax, situation, presentation)
  • Content and its business utility: lifecycles (business, people, systems, data); context (time, location, purpose, behavior, identity, method)
  • Management processes: management, policy, standards, procedures, documentation, auditing, testing, technology, personnel, incidents, legal, physical, knowledge, training, awareness, organization
  • Protection objectives: integrity (source, change, reflects reality); availability (access, intolerance, redundancy); confidentiality (privacy, secrecy, aggregation); use control (identify, authenticate, authorize); accountability (attribution, situation, activity); transparency (actors, actions, mechanisms); custody (source, chain, status)]

Use the archival protection model:

[Figure: The archival and records management protection program model. It repeats the panels of the information protection program model (business model, oversight, risk management, security management, control architecture, technical security architecture, content and its business utility, management processes, protection objectives, with the same contents) and adds the archival functions ingest, preserve, and access to the business model panel and metadata to the protection processes (inventory, work flows, metadata).]

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved