Tue Mar 5 05:15:40 PST 2013
Overarching: Protection model: What overarching model will be used for understanding information protection issues?
Option 1: The enterprise information protection model will be used.
Option 2: A different information protection model will be used.
Option 3: No information protection model will be used.
The ICS information protection model will follow the enterprise information protection model.
Elements of the ICS information protection model
| Element | Description |
|---|---|
| Business model | Describes how the business works and the implications of protection failures. |
| Oversight | Identifies duties to protect. |
| Business risk management | Considers duties in light of the business to determine what to protect and how well. |
| Governance and organization | Identifies how management causes protection to be measured, controlled, and actuated. |
| Control architecture | Models protection approaches. |
| Technical security architecture and implementation | Defines the structure of technical measures and implements them. |
Information protection is formed by a combination of
governance, activities, and technologies. Information
protection governance has the same basic principles and operates
within the same basic structures as other types of enterprise
governance. But it has significant unique content, and requires
individuals with specific skills and influence in order to be
Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved
- The systematic comprehensive information protection program
ultimately starts with how the business works and ends with assuring
proper protection of content and its business utility.
- Oversight defines duties to protect.
- Risk management turns these duties into decisions about risk
acceptance, transfer, avoidance, and mitigation, and identifies what
to protect and how well.
- Executive security management then figures out how to protect and
uses power and influence within organizations to provide control.
- Organizational issues and business processes drive control
architecture and interact with technical security architecture to
affect the protection processes.
- These processes ultimately control protective mechanisms that
interact directly with ICS components and their business utility to assure that
risk is adequately controlled for the needs of the organization.