Information Protection Planning Tawfiq Al-Rushaid


Page 1: Information Protection Planning Tawfiq Al-Rushaid

Information Protection Planning

Tawfiq Al-Rushaid

February 2004

Page 2: Information Protection Planning Tawfiq Al-Rushaid

Agenda

• Objectives

• Business Drivers & Challenges

• Enterprise Information Protection Approach

• Enterprise Information Protection Architecture

• The Architecture Process Model

• Gap Analysis Process

• Q & A

Page 3: Information Protection Planning Tawfiq Al-Rushaid

Objectives

• Emphasize the need for centralizing information protection planning.

• Present the information protection planning approach.

• Share the implementation experience.

Page 4: Information Protection Planning Tawfiq Al-Rushaid

Business Drivers & Challenges

• Information protection is unfinished business.

– What is next

• Business-driven risk management

– Stay in line with business strategy

• Develop the relationship between:

– People

– Businesses

– Processes

– Technologies

• Manage costs of information protection program.

– Common risk elements

– Common solutions

– Increase efficiency

– Standardization

Page 5: Information Protection Planning Tawfiq Al-Rushaid

Enterprise Information Protection Planning Approach

• Process ownership.

• Integrate planning.

• Establish accountability.

• Decentralize implementation.

• Link business imperatives to information protection solutions.

• Optimize existing security infrastructure.

• Adhere to the enterprise information protection architecture.

Page 6: Information Protection Planning Tawfiq Al-Rushaid

IT Architecture

Information Protection Architecture

Network Architecture

Computing Architecture

Data/Storage Architecture

Applications Architecture

IT Services Architecture

Page 7: Information Protection Planning Tawfiq Al-Rushaid

Purpose of Information Protection Architecture

• Establish an enterprise roadmap of technologies.

• Ensure that the technologies in use achieve the enterprise IT missions.

• Facilitate the development/deployment of new systems, and the insertion of emerging technologies.

Page 8: Information Protection Planning Tawfiq Al-Rushaid

Enterprise Information Protection Architecture

Technologies, and Processes

Identification & Authentication

Authorization & Access Control

Administration

Audit

Information Protection Services

Page 9: Information Protection Planning Tawfiq Al-Rushaid

The Architecture Process Model

Data

Technologies, Policies, Processes, Standards, Organizations, Staff, and Skill sets

Environmental Trends

Business vision trends & requirements

Current information protection Architecture

Target information protection Architecture

Threat factors & business impact

Gap Analysis

Assessment Process

Identification Process

Resolution Process

Implementation Plan

Page 10: Information Protection Planning Tawfiq Al-Rushaid

Gap Analysis Process

• Assessment Process

– Map your IT infrastructure to the information protection processes.

– Map your business requirements to the information protection services.

– Map your security threats to the information protection standards, tools & technologies.

Page 11: Information Protection Planning Tawfiq Al-Rushaid

Gap Analysis – Continue

• Identification Process

– Identify missing links

– Identify deviation

• Resolution Process

– Directions

– Solutions

Page 12: Information Protection Planning Tawfiq Al-Rushaid

Enterprise Information Protection Architecture

Technologies, and Processes

Identification & Authentication

Authorization & Access Control

Administration

Audit

Information Protection Services

IT Infrastructure

Business Requirements

Threats

Page 13: Information Protection Planning Tawfiq Al-Rushaid

Gap Analysis – Continue

Identification & Authentication

Technologies, Processes

• Secure Tokens

• Directorates

• Digital Certificates

• User ID

• Password Management

Page 14: Information Protection Planning Tawfiq Al-Rushaid

Gap Analysis – Continue

Authorization & Access Control

Technologies, Processes

• Anti SPAM

• VPN

• Policy Server

• Firewalls

• Content filtering

• Anti Virus

• Encryption

Page 15: Information Protection Planning Tawfiq Al-Rushaid

Gap Analysis – Continue

Administration

Technologies, Processes & Standards

• Vulnerability Management

• Policies Management

• Risk Management

• Awareness Programs

• Incidents Management

• Identity Management

Page 16: Information Protection Planning Tawfiq Al-Rushaid

Gap Analysis – Continue

Audit

Technologies, Processes & Standards

• Vulnerability Assessment

• Compliance Monitoring

• Intrusion Management

• Event Management

Page 17: Information Protection Planning Tawfiq Al-Rushaid

Architecture Process Model – Continue

• Develop implementation plan

• Develop migration plan

Page 18: Information Protection Planning Tawfiq Al-Rushaid

Conclusion

• There is high risk with decentralized information protection planning.

• The higher the risk, the more important it is to take an enterprise approach.

Page 19: Information Protection Planning Tawfiq Al-Rushaid

Q & A