Tue Mar 5 05:15:56 PST 2013
Overarching: Protection model: What model will be used for understanding information protection issues?
Option 1: The systematic comprehensive information protection model will be used.
Option 2: A different information protection model will be used.
Option 3: No information protection model will be used.
The systematic comprehensive information protection model:
| Element | Description |
|---|---|
| Business model | Describes how the business works and the implications of protection failures. |
| Oversight | Identifies duties to protect based on interventions. |
| Business risk management | Considers duties in light of business to determine what to protect and how well. |
| Governance and organization | Identifies how management causes protection to be measured, controlled, and actuated. |
| Control architecture | Models for protection approaches. |
| Technical security architecture and implementation | Defines the structure of technical measures and implements them. |
The systematic comprehensive information protection is formed by a
combination of governance, activities, and technologies. Enterprise
information protection governance has the same basic principles and
operates within the same basic structures as other types of enterprise
governance. But it has significant unique content, and requires
individuals with specific skills and influence in order to be
- The systematic comprehensive information protection program
ultimately starts with how the business works and ends with assuring
proper protection of content and its business utility.
- Oversight defines duties to protect.
- Risk management turns these duties into decisions about risk
acceptance, transfer, avoidance, and mitigation, and identifies what
to protect and how well.
- Executive security management then figures out how to protect and
uses power and influence within organizations to provide control.
- Organizational issues and business processes drive control
architecture and interact with technical security architecture to
affect the protection processes.
- These processes ultimately control protective mechanisms that
interact directly with content and its business utility to assure that
risk is adequately controlled for the needs of the organization.
Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved