Information Protection Posture Assessments

Welcome to the home page for information protection posture assessments (IPPAs). IPPAs started in the early 1990s when I was working on consulting gigs that were increasingly involving complex systems interactions. After writing some extensive books and papers on information protection issues and facing the overwhelming complexity of the information protection problem, I came to the conclusion that all of the details in the world did little to predict the real effectiveness of an information protection program. In my quest for alternatives, I came across a different approach. I noticed that there was a strong correlation between certain activities performed by organizations and the likelihood of getting the details right. (Regardless of the organized crime approach, for most of us protection is something you do, not something you buy.) That was the origin of the information protection posture assessment methodology.

One of the books I wrote starting in the early 1990s addressed these issues. The book it titled "Protection and Security on the Information Superhighway" and it is available on the Web site or on bookshelves near you. The relevant chapters are: Chapter 5 - Protecting your information Assets, Chapter 6 - Protection Posture Case Studies, and the appendix which has detailed examples.

Since their inception, IPPAs have grown in popularity and they are now performed by many different shops, although not uniformly. They are also taught to many students in programs around the world as an approach to getting at the information protection issues. I often see 3-4 bidders for IPPAs, but what is being offered varies significantly. That is, in part, why I have created this page and this venue. It is a form of initial standardization.

IPPAs have not actually changed all that much since they were first created, which is a good indicator that they work well and are strategic rather than tactical in nature. They tend to be done early in processes, are supported by top management, and are good for time frames on the order of 3 years. That is, you do one every 3 years or so and follow through on the urgent, tactical, and strategic issues, and you end up with a strong overall information protection program. The other major use of IPPAs is for new CISOs at a company to get a handle on what is going on. Because on IPPA can be done in a month give or take, and because they are within the budget of most executives on a discretionary basis, they are ideal for getting an initial situation understanding and developing a strategic and tactical plan for the new and big job you just got.

Because of the incrasing desirability and popularity of IPPAs and the lack of clear guidance on performing them and having them performed, this site was created as a means to provide grounding for IPPAs in a common basis.

More details will show up here over time - including some of the detailed methodologies in use today, and so forth. In the meanwhile, please enjoy.