Perform 7 Steps To Information Protection
Transcript of Perform 7 Steps To Information Protection
18/03/2010 11:17:14 Perform 7 steps to information protection 1
Perform 7 steps to information protection
Document created: 18/03/2010 11:17:14
Table of Contents
1 Perform 7 steps to information protection (p. 4)
  1.1 Meet Compliancy regulations (p. 5)
  1.2 Maximize Data security (p. 5)
  1.3 Safeguard Intellectual property (p. 5)
  1.1 Assess information Loss & compromise risks (p. 5)
    1.1.1 Determine info protection Strategy approach & priorities (p. 5)
      1.1.1.1 Conduct a Risk assessment and survey (p. 6)
        1.1.1.1.1 Identify which Info should be protected (p. 7)
        1.1.1.1.2 Distinguish Types of confidential information (p. 7)
          1.1.1.1.2.1 Apply Classifications (p. 7)
        1.1.1.1.3 Determine Perceived risks (p. 7)
        1.1.1.1.4 Identify Existing info protection (p. 7)
          1.1.1.1.4.1 Identify Policies (p. 8)
          1.1.1.1.4.2 Identify Procedures (p. 8)
          1.1.1.1.4.3 Identify Practices (p. 8)
        1.1.1.1.5 Identify high risk Business processes (p. 9)
        1.1.1.1.6 Determine awareness of Incidents of info vulnerability (p. 9)
        1.1.1.1.7 Understand the Organization's risk tolerance (p. 9)
        1.1.1.1.8 Understand the company's related Priorities & preferences (p. 9)
        1.1.1.1.9 Quantify & qualify the risk of Confidential information loss (p. 10)
      1.1.1.2 Implement software to identify Technical risk (p. 10)
        1.1.1.2.1 Locate Confidential data on network (p. 11)
        1.1.1.2.2 Determine who has Access (p. 11)
        1.1.1.2.3 Demonstrate Internal information flow (p. 11)
        1.1.1.2.4 Collate evidence of Unauthorized info transfer (p. 11)
        1.1.1.2.5 Identify High risk business processes (p. 11)
        1.1.1.2.6 Document At-risk confidential data (p. 12)
        1.1.1.2.7 Quantify Risk of non-compliance (p. 12)
        1.1.1.2.8 Provide a record of Internal / external info flow (p. 12)
  1.2 Identify & classify Confidential information (p. 12)
    1.2.1 Define Confidential information (p. 13)
      1.2.1.1 Use best practices to update Information classifications (p. 13)
      1.2.1.2 Identify Confidential information (p. 13)
      1.2.1.3 Apply Classifications (p. 13)
    1.2.2 Assign Levels of protection (p. 14)
      1.2.2.1 Use Classifications (p. 14)
  1.3 Develop Policies & procedures (p. 14)
    1.3.1 Define Responsibilities for protection (p. 14)
      1.3.1.1 Compare existing Policies to best practices (p. 14)
      1.3.1.2 Develop Policy updates (p. 15)
        1.3.1.2.1 Base them on Best-in-class models (p. 15)
  1.4 Deploy technologies that enable Policy compliance & enforcement (p. 15)
    1.4.1 Review Compliance technology (p. 15)
      1.4.1.1 Compare Technology solutions (p. 16)
        1.4.1.1.1 Assess the Costs (p. 16)
        1.4.1.1.2 Assess the Benefits (p. 16)
    1.4.2 Adopt & deploy Policy compliance technology (p. 16)
      1.4.2.1 Choose technology with Automatic enforcement (p. 17)
  1.5 Communicate & educate a Compliance culture (p. 17)
    1.5.1 Inform people of their Information responsibilities (p. 17)
      1.5.1.1 Draft Key messages (p. 17)
      1.5.1.2 Develop Training (p. 18)
    1.5.2 Motivate Information protection behaviour (p. 18)
      1.5.2.1 Establish an ongoing Communication campaign (p. 18)
  1.6 Integrate practices into Business processes (p. 18)
    1.6.1 Identify Key Processes where info is at risk (p. 19)
    1.6.2 Develop a plan to integrate Info policy into those processes (p. 19)
  1.7 Audit to ensure Stakeholder accountability (p. 19)
    1.7.1 Examine current Practices & remediate deficiencies (p. 19)
      1.7.1.1 Establish Audit parameters & methodology (p. 20)
      1.7.1.2 Conduct Audit (p. 20)
        1.7.1.2.1 Assess Compliance with info policies (p. 20)
1 Perform 7 steps to information protection
From: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_vontu_7_steps_to_information_protection_01-2009.en-us.pdf
"Vulnerability, risk, and information protection challenges
Every organization is at risk of confidential information loss. Billions of dollars worth of profits, competitive advantage, reputation, and market share are at stake. Today’s highly competitive business environment intensifies the vulnerability and risk. Global operations, with outsourced and off-shored business functions, spread the vulnerability. Tools for accessing and distributing information, such as the Internet and mobile computing devices, exacerbate the risk.
Information vulnerability and risk come from both malicious and unintentional disclosures by employees and partners; unintentional disclosures are usually the larger problem. Reducing these risks and vulnerabilities is now both a business imperative and a legal mandate, as recent regulations impose obligations on organizations to protect certain types of information.
Global corporations and government organizations require more than network security and access control to guard their confidential data. They must protect the information itself, inform the behavior of those carrying the information, have visibility regarding where their confidential data resides on their network, have influence over where that data is going, and implement a policy for managing it. A strategy that balances the organization’s legal and business needs to protect information with the competing interests to share it is vital.
7 steps to information protection
Information protection strategy best practices involve a cross-functional team that:
1. Assesses risks
2. Identifies and classifies confidential information
3. Develops information protection policies and procedures
4. Deploys technologies that enable policy compliance and enforcement
5. Communicates and educates stakeholders to create a compliance culture
6. Integrates information protection practices into business processes
7. Audits so that stakeholders are held accountable."
Perform 7 steps to information protection
WHY: Meet Compliancy regulations; Maximize Data security; Safeguard Intellectual property
HOW: Assess information Loss & compromise risks; Identify & classify Confidential information; Develop Policies & procedures; Deploy technologies that enable Policy compliance & enforcement; Communicate & educate a Compliance culture; Integrate practices into Business processes; Audit to ensure Stakeholder accountability
1.1 Meet Compliancy regulations
HOW: Perform 7 steps to information protection
1.2 Maximize Data security
HOW: Perform 7 steps to information protection
1.3 Safeguard Intellectual property
HOW: Perform 7 steps to information protection
1.1 Assess information Loss & compromise risks
WHY: Perform 7 steps to information protection
HOW: Determine info protection Strategy approach & priorities
1.1.1 Determine info protection Strategy approach & priorities
WHY: Assess information Loss & compromise risks
HOW: Conduct a Risk assessment and survey; Implement software to identify Technical risk
1.1.1.1 Conduct a Risk assessment and survey
WHY: Determine info protection Strategy approach & priorities
HOW: Identify which Info should be protected; Distinguish Types of confidential information; Determine Perceived risks; Identify Existing info protection; Identify high risk Business processes; Determine awareness of Incidents of info vulnerability; Understand the Organization's risk tolerance; Understand the company's related Priorities & preferences; Quantify & qualify the risk of Confidential information loss
1.1.1.1.1 Identify which Info should be protected
WHY: Conduct a Risk assessment and survey
1.1.1.1.2 Distinguish Types of confidential information
WHY: Conduct a Risk assessment and survey
HOW: Apply Classifications
1.1.1.1.2.1 Apply Classifications
WHY: Distinguish Types of confidential information
1.1.1.1.3 Determine Perceived risks
WHY: Conduct a Risk assessment and survey
1.1.1.1.4 Identify Existing info protection
WHY: Conduct a Risk assessment and survey
HOW: Identify Policies; Identify Procedures; Identify Practices
1.1.1.1.4.1 Identify Policies
WHY: Identify Existing info protection
1.1.1.1.4.2 Identify Procedures
WHY: Identify Existing info protection
1.1.1.1.4.3 Identify Practices
WHY: Identify Existing info protection
1.1.1.1.5 Identify high risk Business processes
WHY: Conduct a Risk assessment and survey
1.1.1.1.6 Determine awareness of Incidents of info vulnerability
WHY: Conduct a Risk assessment and survey
1.1.1.1.7 Understand the Organization's risk tolerance
WHY: Conduct a Risk assessment and survey
1.1.1.1.8 Understand the company's related Priorities & preferences
WHY: Conduct a Risk assessment and survey
1.1.1.1.9 Quantify & qualify the risk of Confidential information loss
WHY: Conduct a Risk assessment and survey
1.1.1.2 Implement software to identify Technical risk
WHY: Determine info protection Strategy approach & priorities
HOW: Locate Confidential data on network; Determine who has Access; Demonstrate Internal information flow; Collate evidence of Unauthorized info transfer; Identify High risk business processes; Document At-risk confidential data; Quantify Risk of non-compliance; Provide a record of Internal / external info flow
1.1.1.2.1 Locate Confidential data on network
WHY: Implement software to identify Technical risk
1.1.1.2.2 Determine who has Access
WHY: Implement software to identify Technical risk
1.1.1.2.3 Demonstrate Internal information flow
WHY: Implement software to identify Technical risk
1.1.1.2.4 Collate evidence of Unauthorized info transfer
WHY: Implement software to identify Technical risk
1.1.1.2.5 Identify High risk business processes
WHY: Implement software to identify Technical risk
1.1.1.2.6 Document At-risk confidential data
WHY: Implement software to identify Technical risk
1.1.1.2.7 Quantify Risk of non-compliance
WHY: Implement software to identify Technical risk
1.1.1.2.8 Provide a record of Internal / external info flow
WHY: Implement software to identify Technical risk
1.2 Identify & classify Confidential information
WHY: Perform 7 steps to information protection
HOW: Define Confidential information; Assign Levels of protection
1.2.1 Define Confidential information
WHY: Identify & classify Confidential information
HOW: Use best practices to update Information classifications; Identify Confidential information; Apply Classifications
1.2.1.1 Use best practices to update Information classifications
WHY: Define Confidential information
1.2.1.2 Identify Confidential information
WHY: Define Confidential information
1.2.1.3 Apply Classifications
WHY: Define Confidential information
1.2.2 Assign Levels of protection
WHY: Identify & classify Confidential information
HOW: Use Classifications
1.2.2.1 Use Classifications
WHY: Assign Levels of protection
1.3 Develop Policies & procedures
WHY: Perform 7 steps to information protection
HOW: Define Responsibilities for protection
1.3.1 Define Responsibilities for protection
WHY: Develop Policies & procedures
HOW: Compare existing Policies to best practices; Develop Policy updates
1.3.1.1 Compare existing Policies to best practices
WHY: Define Responsibilities for protection
1.3.1.2 Develop Policy updates
WHY: Define Responsibilities for protection
HOW: Base them on Best-in-class models
1.3.1.2.1 Base them on Best-in-class models
WHY: Develop Policy updates
1.4 Deploy technologies that enable Policy compliance & enforcement
WHY: Perform 7 steps to information protection
HOW: Review Compliance technology; Adopt & deploy Policy compliance technology
1.4.1 Review Compliance technology
WHY: Deploy technologies that enable Policy compliance & enforcement
HOW: Compare Technology solutions
1.4.1.1 Compare Technology solutions
WHY: Review Compliance technology
HOW: Assess the Costs; Assess the Benefits
1.4.1.1.1 Assess the Costs
WHY: Compare Technology solutions
1.4.1.1.2 Assess the Benefits
WHY: Compare Technology solutions
1.4.2 Adopt & deploy Policy compliance technology
WHY: Deploy technologies that enable Policy compliance & enforcement
HOW: Choose technology with Automatic enforcement
1.4.2.1 Choose technology with Automatic enforcement
WHY: Adopt & deploy Policy compliance technology
1.5 Communicate & educate a Compliance culture
WHY: Perform 7 steps to information protection
HOW: Inform people of their Information responsibilities; Motivate Information protection behaviour
1.5.1 Inform people of their Information responsibilities
WHY: Communicate & educate a Compliance culture
HOW: Draft Key messages; Develop Training
1.5.1.1 Draft Key messages
WHY: Inform people of their Information responsibilities
1.5.1.2 Develop Training
WHY: Inform people of their Information responsibilities
1.5.2 Motivate Information protection behaviour
WHY: Communicate & educate a Compliance culture
HOW: Establish an ongoing Communication campaign
1.5.2.1 Establish an ongoing Communication campaign
WHY: Motivate Information protection behaviour
1.6 Integrate practices into Business processes
WHY: Perform 7 steps to information protection
HOW: Identify Key Processes where info is at risk; Develop a plan to integrate Info policy into those processes
1.6.1 Identify Key Processes where info is at risk
WHY: Integrate practices into Business processes
1.6.2 Develop a plan to integrate Info policy into those processes
WHY: Integrate practices into Business processes
1.7 Audit to ensure Stakeholder accountability
WHY: Perform 7 steps to information protection
HOW: Examine current Practices & remediate deficiencies
1.7.1 Examine current Practices & remediate deficiencies
WHY: Audit to ensure Stakeholder accountability
HOW: Establish Audit parameters & methodology; Conduct Audit
1.7.1.1 Establish Audit parameters & methodology
WHY: Examine current Practices & remediate deficiencies
1.7.1.2 Conduct Audit
WHY: Examine current Practices & remediate deficiencies
HOW: Assess Compliance with info policies
1.7.1.2.1 Assess Compliance with info policies
WHY: Conduct Audit