In the 19th century, the protection of corporate assets meant locking the cash in a strongbox, putting it on the stagecoach, and arming the guard. When the strongbox reached its destination, someone counted the contents to ensure nothing was missing. Over time, assets came to be represented by more than cash, and the strongbox was no longer sufficient. Today, assets are composed of intellectual property, competitive information, business strategy, client lists, etc. Most are still stored in a “box” termed called a computer, the transport mechanism is faster than dreamt possible, and the technology for protecting those assets has come a long way from the armed guard.
So how do you achieve the protection of assets that has the transport mechanism at the speed of light? Use the Information Protection Layering model:
Avoidance:
Definition: proactive measures to avoid improper disclosure, modification, damage, or loss of information, computing, or telecommunications assets
Process: Reduce financial and business impact resulting from a breach of information protection. The organization must decide what it needs to protect before it can define how it should be protected. Once the decisions of ‘what’ and ‘how’ are made, the design of the infrastructure must be addressed to ensure it is robust. You can use tools like Microsoft Azure Information Protection along with Window Information Protections solutions.
Assurance:
Definition: proactive tools and strategies to ensure that security is implemented correctly, no vulnerabilities have been introduced, and effectiveness continues as designed
Process: The information in this section addresses how to maintain the components of the program is a continually valid state. This layer tests the design and implementation of the programs and processes to ensure the original goals are continuing to be addressed; new business and technology have not introduced gaps.
Detection:
Definition: proactive techniques and programs to ensure early detection, interception, and response to any accidental or intentional security breaches at the time they occur
Process: Minimize loss of system availability, information integrity, and information confidentiality caused either accidentally or intentionally. Frequently, this layer is perceived as having only a security focus, and if the programs that comprise it were designed solely for that purpose, it would be a severe disservice to the organization. The vast majority of incidents that negatively impact normal business operations have nothing to do with hacking attempts. Application processing abends, operating system errors, hardware malfunctions, etc. are all potential causes of incidents that should be identified immediately and resolved quickly and accurately.
Recovery:
Definition: reactive plans and capabilities to rapidly contain an incident, restore a secure environment, identify the cause of the incident, and close the gap that allowed the event to occur
Process: Minimize harm to life; critical business processes; and information, computing, and telecommunications assets. If the world were a perfect place, this layer of the Model would never be exercised. But reality means that, despite the best architecture, implementation of the Model, and qualified, dedicated staff, there will be problems from which the organization must recover with the least damage. The cause of the incidents will vary from human intervention, system or application failures, and Mother Nature. Whatever the reason, the organization that returns to pre-incident status in the shortest time frame has a competitive advantage. And the only way to achieve that goal is to have plans and processes in place. But even that is not sufficient. A thorough plan in a book on a shelf does no good if it has not been exercised, that is, tested to the extent possible with all individuals involved in their assigned roles.
Comments