Fri Apr 8 06:47:16 PDT 2016
Overarching: Protection model: What model is used to understand information protection issues?
Options:
Option 1: Use the enterprise information protection model.
Option 2: Use the archival protection model.
Option 3: Use a mandated information protection model.
Option 4: No information protection model will be used.
The enterprise information protection model:

Element | Description
---|---
Business model | Describes how the business works and the implications of protection failures.
Oversight | Identifies duties to protect based on interventions.
Business risk management | Considers duties in light of the business to determine what to protect and how well.
Governance and organization | Identifies how management causes protection to be measured, controlled, and actuated.
Control architecture | Models for protection approaches.
Technical security architecture and implementation | Defines the structure of technical measures and implements them.
Elements of the enterprise information protection model
Basis: Information protection is formed by a combination of governance, activities, and technologies. Enterprise information protection governance has the same basic principles and operates within the same basic structures as other types of enterprise governance. But it has significant unique content, and requires individuals with specific skills and influence in order to be effective.
- The information protection program starts with how the business works and ends with assuring the utility of content.
- Oversight defines duties to protect.
- Risk management turns these duties into decisions about risk acceptance, transfer, avoidance, and mitigation, and identifies what to protect and how well.
- Executive security management then figures out how to protect and uses power and influence within organizations to provide control.
- Organizational issues and business processes drive control architecture and interact with technical security architecture to affect the protection processes.
- Control architecture defines and specifies the structure and nature of controls and what they do.
- Technical security architecture details the mechanisms used to implement controls.
- Protective mechanisms interact directly with people, things, and content to assure the utility of content.
Use the mandated information protection model: In some cases a protection model is mandated by outside forces. If so, apply that model in the context of this assessment process.
Use the enterprise information protection model:
Business model: How does the business work?
- Type, Size, Purpose, Functions, Promises, Constraints, Locations, Maturity
- People, Things, Content, Failures, Structure, Mobility
- Sales, Process, Resource, Supply, AR/AP, Infrastructure, Cost, Market, Workflow, Transform, Inventory, Collections, Services, Shrinkage, Brand, Results, Value, Transport, Write-offs, Users, Collapse
- Outsource, Modeling, Dependency, Scope
Oversight turns business needs into duties to protect: Laws, Owners, Board, Auditors, CEO
Risk management turns duties to protect into what to protect and how well:
- Threats (capabilities and intents)
- Vulnerabilities (technical, human, organizational, structural)
- Consequences (brand, value, time, cost)
- Accept / Transfer / Avoid / Mitigate
- Interdependencies: function, people, applications, systems, physical systems, critical infrastructures
- Matching surety to risk
Security management uses power and influence to control the protection program: Organizational governance, Business processes, Human actuators and sensors
Control architecture:
- Change control: R&D, test, change control, test, production
- Access facilitation: identification, authentication, authorization, use
- Trust: basis, purpose, extent
- Perimeters: structure and mechanism
- Functional units: I/O, control, audit, surety changes
- Control scheme: possession; clearance; roles/rules; owner authorized; subject-object
Technical security architecture:
- Process: deter, prevent, detect, react, adapt
- Data state: at rest, in use, in motion
- Protective mechanisms:
  - Perception: obscurity, profile, appearance, deception, depiction, cognition
  - Behavior: change, timeframe, fail-safe, fault tolerance, human, separation of duties, least privilege, intrusion/anomaly detection and response
  - Structure: control and data flows, digital diodes, firewalls and bypasses, barriers, mandatory / discretionary access controls, zoning
  - Content: transforms, filters, markings, syntax, situation, presentation
- Content and its business utility
- Lifecycles: business, people, systems, data
- Context: time, location, purpose, behavior, identity, method
Management processes: Management, Policy, Standards, Procedures, Documentation, Auditing, Testing, Technology, Personnel, Incidents, Legal, Physical, Knowledge, Training, Awareness, Organization
Protection objectives:
- Integrity: source, change, reflects reality
- Availability: access, intolerance, redundancy
- Confidentiality: privacy, secrecy, aggregation
- Use control: identify, authenticate, authorize
- Accountability: attribution, situation, activity
- Transparency: actors, actions, mechanisms
- Custody: source, chain, status
Overarching Information Protection Model
The information protection program model
Use the archival protection model:
The archival protection model is the enterprise information protection model above (the same business model, oversight, risk management, security management, control architecture, technical security architecture, management processes, and protection objectives) with these additions:
- Business model: the archival lifecycle stages Ingest, Preserve, and Access appear as a further column beside the business functions.
- Technical security architecture: a Protection processes row covering Inventory, Work flows, and Metadata.
Overarching Information Protection Model
The archival and records management protection program model
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved