Enterprise Information Protection Standards of Practice - Options and Basis
All.Net presents the Options and Basis components of our standards
of practice for enterprise information protection. These provide
overarching coverage and many specifics surrounding what we currently
view as reasonable and prudent approaches to addressing information
protection for enterprises. While there may be many other approaches
that might also meet the need, we hope that these will help provide
guidance within the community.
This content is part of a process used by our affiliated companies
as developed over many years. We identify these issues, characterize
the environment, and apply these decision points by interacting with
clients and applying our expertise to help form overall architecture
and its component parts. Typically, decisions are reviewed both
internally and externally in an iterative fashion so that as we
discover things that require changes, those changes ripple through the
overall standard to keep it up to date and relevant.
In many cases, this standard of practice is used starting with an
as-is review, identifying a desired future state, doing what, by then,
is a relatively straightforward gap analysis, and then characterizing
a workable transition plan for the organization. In our more agile
approach, we undertake only an initial and periodic as-is and future
state analysis, understanding that the reduced time and cost in
assessment leads to more resources available for acting on the
results, and that planning is less certain and less permanent when we
are moving at a faster pace.
Elements of the framework:
Sun Mar 1 11:31:17 PST 2015
- Who are the interviewees?
- Overarching: How does the enterprise describe itself and why this effort is being undertaken?
- Overarching: Protection model: What model is used to understand information protection issues?
- Overarching: Business: What is the nature of the business?
- Overarching: Promises: What promises does the business make, to whom, and why? How do they relate to information?
- Overarching: Scope: What is the scope of this security architecture?
- Overarching: Maturity level: What maturity level does the information protection program have?
- Overarching: Content: What content does the enterprise have and what are the consequences of protection failures?
- Overarching: Location: Where are content and work located?
- Overarching: Organization: What is the structure of the organization?
- Overarching: Security consultants: When are information security consultants used?
- Overarching: Mobility: What part and portion of the workforce is mobile?
- Overarching: Outsourcing people: What part and portion of the workforce is outsourced?
- Overarching: Outsourcing things: When is information technology outsourced?
- Business modeling: How does the enterprise model itself and its business?
- Business modeling: Is an explicit business model used to support information protection decision-making?
- Business modeling: What are the business functions and what information do they depend on for what?
- Oversight: What does enterprise oversight provide to the protection program to define duties to protect?
- Oversight: How are different sorts of duties prioritized in determining what to protect and how well?
- Oversight: Form of duties: What form are duties defined in?
- Oversight: Duties analysis: How is duty to protect analyzed?
- Risk Management: How does the enterprise do risk management?
- Risk Management: Risk management process: What risk assessment processes are used?
- Risk Management: Risk definition: How are risk levels for the protection program defined?
- Risk Management: Threats: How are information-related threats assessed?
- Risk Management: Threats: What threats have been identified, what are their characteristics and relevant history?
- Risk Management: Threats: What design basis threat is used?
- Risk Management: Threats: What attack mechanisms are considered?
- Risk Management: Vulnerabilities: How and when are information-related vulnerabilities assessed?
- Risk Management: Risks: When does the enterprise avoid, accept, transfer, and mitigate information-related risks?
- Risk Management: Risk aggregation: What process is used to identify and control the aggregation of risks?
- Risk Management: Separation of Duties: How should duties be separated?
- Risk Management: Interdependencies: How are supply chain risks managed?
- Risk Management: Interdependencies: How are real-time interdependency risks managed?
- Risk Management: Costs: How is security budgeted?
- Risk Management: Surety matching: How is surety matched with risk?
- Risk Management: Failsafes: When are failsafes required and how are they determined?
- Risk Management: Changing systemic risks: How are changing systemic risks managed?
- Risk Management: Changing subsystem risk and surety: How are risk and surety changes of a subsystem handled?
- Management: How does the enterprise manage the information protection program?
- Management: CISO: Is there an enterprise information protection (IP) Lead, and where are they placed?
- Management: Duties: What duties does the IP Lead have?
- Management: Influence: What power and influence does the IP Lead have?
- Management: Security Metrics: What security measurements are taken and when?
- Management: Policy: What information security policies are needed and used?
- Management: Standards: Which widely used control standards are best suited to the enterprise?
- Management: Procedures: What procedures are implemented and how?
- Management: Documentation: How are security-related issues documented?
- Management: Auditing: How are audits managed within information protection?
- Management: Testing: What does the testing function do and cover?
- Management: Personnel: How are personnel issues with information protection managed?
- Management: Background checks: When are which background checks done on which workers?
- Management: Incident handling: How are incidents managed?
- Management: Legal issues: How do legal issues interact with protection management?
- Management: Physical security: How is physical security integrated with information protection?
- Management: Knowledge: How is the knowledge program integrated with information protection?
- Management: Security awareness: What sort of enterprise security awareness program does the enterprise have?
- Control Architecture: How does the enterprise model information-related controls?
- Control Architecture: Establishment: Is a control architecture formally established?
- Control Architecture: Objectives: What are the protection objectives and how are they applied?
- Control Architecture: Access Controls: What access control model is used?
- Control Architecture: Identification: How are individuals originally identified and their identities verified?
- Control Architecture: Identity proofing: How are asserted identities proofed after originally identified?
- Control Architecture: Authentication: How are identities authenticated to support authorized access?
- Control Architecture: Access facilitation: How is access facilitated once identity is adequately established?
- Control Architecture: Trust model: How is trust assessed and managed?
- Control Architecture: Change management: How are changes to information technology managed?
- Control Architecture: Control Architecture: When is a systematic security architecture created and updated?
- Technical Security Architecture: How are technical controls structured?
- TechArch: Inventory: What information protection-related inventory is kept and in what form(s)?
- TechArch: Workflows: How are workflows used, controlled, and assured?
- TechArch: Lifecycles: What aspects of lifecycles are considered in the protection program and its processes?
- Zones: How does the enterprise separate its network(s) into parts (zones)?
- Zones: Placement: What systems, data, and people go in which zones and subzones?
- Zones: Firewalls: What mechanisms are used to separate communicating zones and subzones?
- Zones: Zone separation verification: How is zone separation verified?
- Zones: Physical separation: How are zones and subzones physically separated and controlled?
- Zones: Connection controls: How are connections between devices controlled?
- Zones: Microzones: How are virtualization and encryption used for microzones, and when?
- Zones: Remote access: How is access to internal zones from distant locations (including wireless) facilitated?
- Zones: Endpoint protection: What protective mechanisms are used to harden which endpoints?
- Zones: Zone to zone access: How is communication facilitated and controlled to areas outside a zone/subzone?
- Incidents: Detection: Are intrusions detected, and if so, how?
- Incidents: Malicious Alteration Detection: How is malicious alteration detected?
- Incidents: Response: Who controls and executes responses to information-related attacks?
- Incidents: Detection and response: What are the process requirements for detection and response?
- Incidents: Deception: When are deceptions used to defend networks and systems?
- Content control: How is harmful and useless content controlled in the enterprise's computing environments?
- Content control: What mechanisms keep control over content with business utility?
- Content control: Data in use: How is data in use protected?
- Content control: Data in motion: When is content in transit encrypted?
- Content control: Data at rest: What is stored encrypted?
- Content control: Version control: How are versions of data over time protected?
- Content control: How is intelligence gathering countered?
- Content control: How is intellectual property protected?
- Human factors: How are human factors considered in the protection program?
- Human factors: Protection load: How is security load managed?
- Human factors: User decision-making: What decisions do users make and how do they make them?
- Human factors: Disruption: How is disruption of work controlled?
- Redundancy: Fault model: What fault model is assumed for analysis of redundancy?
- Redundancy: Backups: What is backed up and how often?
- Redundancy: Backup retention: How long are backups retained and how are they disposed of?
- Redundancy: Storage location: Where and in what sort of containers are backups stored?
- Redundancy: Data center redundancy: How many data centers are required?
- Redundancy: Redundant facility distance: How far apart are redundant data centers and people to assure continuity?
- Redundancy: Business continuity and disaster recovery: What information resources are where?
- Redundancy: Interdependencies: How is redundancy applied to interdependent mechanisms?
- Technology: Logical Perimeters: What logical perimeters have what protection mechanisms?
- Technology: Physical Perimeters: What physical perimeters have what protection mechanisms?
- Technology: Physical/Logical Nexus: How do physical and logical controls interact and integrate?
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved