Sun Nov 23 10:25:33 PST 2014

Overarching: Protection model: What overarching model will be used for understanding information protection issues?


Options:

Option 1: The enterprise information protection model will be used.
Option 2: A different information protection model will be used.
Option 3: No information protection model will be used.

The enterprise information protection model:

Element: Description
Business model: Describes how the business works and the implications of protection failures.
Oversight: Identifies duties to protect based on interventions.
Business risk management: Considers duties in light of business to determine what to protect how well.
Governance and organization: Identifies how management causes protection to be measured, controlled, and actuated.
Control architecture: Models for protection approaches.
Technical security architecture and implementation: Defines the structure of technical measures and implements them.
Table: Elements of the enterprise information protection model

Decision:

The enterprise information protection model will be used as follows:

Element: Description
Business model: Describes how the business works and the implications of protection failures.
Oversight: Identifies duties to protect.
Business risk management: Considers duties in light of business to determine what to protect how well.
Governance and organization: Identifies how management causes protection to be measured, controlled, and actuated.
Control architecture: Models protection approaches.
Technical security architecture and implementation: Defines the structure of technical measures and implements them.
Table: Elements of the enterprise information protection model

Basis:

Information protection is formed by a combination of governance, activities, and technologies. Enterprise information protection governance has the same basic principles and operates within the same basic structures as other types of enterprise governance. But it has significant unique content, and requires individuals with specific skills and influence in order to be effective.

Figure: Overarching Information Protection Model (text recovered from the diagram)

Business model: How does the business work?
  Type, Size, Purpose, Functions, People, Things; Promises, Constraints, Locations, Maturity
  Sales, Process, Resource, Supply, AR/AP, Infrastructure, Cost
  Market, Workflow, Transform, Inventory, Collections, Services, Shrinkage
  Brand, Results, Value, Transport, Write-offs, Users, Collapse
  Content, Failures, Structure, Mobility; Outsource, Modeling, Dependency, Scope

Oversight: Turns Business Needs into Duties to Protect.
  Laws, Owners, Board, Auditors, CEO

Risk Management: Turns Duties to Protect into What to Protect and How Well.
  Threats {Capabilities & Intents}
  Vulnerabilities {Technical, Human, Organizational, Structural}
  Consequences {Brand, Value, Time, Cost}
  Accept / Transfer / Avoid / Mitigate
  Interdependencies: Function, People, Applications, Systems, Physical systems, Critical infrastructures
  Matching Surety to Risk

Security Management: Uses Power and Influence to Control the Protection Program.
  Organizational Governance, Business Processes, Human Actuators & Sensors

Control Architecture
  Change control: R&D, test, Change control, test, Production
  Access facilitation: Identification, Authentication, Authorization, Use
  Trust: Basis, Purpose, Extent
  Perimeters: Structure and mechanism
  Functional units: I/O, Control, Audit, Surety changes
  Control scheme: Possession; Clearance; Roles/rules; Owner authorized; Subject-object

Technical Security Architecture
  Protection Processes: Inventory, Work flows, Process (Deter, Prevent, Detect, React, Adapt)
  Data State: At Rest, In Use, In Motion
  Protective Mechanisms
    Perception: obscurity - profile - appearance - deception - depiction - cognition
    Behavior: tracking change - timeframe - fail-safe - fault tolerance - human - separation of duties - least privilege - intrusion/anomaly detection and response
    Structure: control and data flows - digital diodes - firewalls and bypasses - barriers - mandatory / discretionary access controls - zoning
    Content: transforms - filters - markings - syntax - situation - presentation
  Content and its business utility
    Lifecycles: Business, People, Systems, Data
    Context: Time, Location, Purpose, Behavior, Identity, Method
  Management Processes: Management, Policy, Standards, Procedures, Documentation, Auditing, Testing, Technology, Personnel, Incidents, Legal, Physical, Knowledge, Training, Awareness, Organization
  Protection Objectives
    Integrity: Source, Change, Reflects reality
    Availability: Access, Intolerance, Redundancy
    Confidentiality: Privacy, Secrecy, Aggregation
    Use control: Identify, Authenticate, Authorize
    Accountability: Attribution (Situation, Activity); Transparency (Process, Implementation, History); Custody (Source, Chain, Status)

The information protection program model

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved