access control (p. 22): The access control model deals with how properties are associated with people and things to make determinations about what people and things are allowed to do with respect to other people and things. (†1511)
availability (p. 176): Availability is typically measured as percentage of down time per unit time. (†1476)
business model (p. 27): Business models are unique to each enterprise and, while some commonalities exist, they are not sufficient to allow a single model to be built today to reflect everything we need to do or know for every enterprise. Like all of information protection, business modeling is something you do, not something you buy. (†1484)
business model (p. 32-33): A business model is typically built by a team of people. The core team is typically fairly small and uses meetings with the top executives, business owners, people responsible for business consequences, people who understand how things really work because they do these things every day, and people who understand the technology issues and how technology carries out business functions. The team starts at the top by understanding the business. (†1485)
confidentiality (p. 176): Confidentiality is usually controlled based on the clearance of the identity, certainty of the authentication of that identity, classification of the content, and need for the authorized purpose. (†1478)
control architecture (p. 11): The control architecture includes structural mechanisms that obtain security objectives through access control models, functional units, perimeters, mechanisms using identification, authentication, and authorization to facilitate use, change control, and other non-architectural mechanisms for specific situations. (†1479)
control architecture (p. 21-22): Control architecture may be the most complex thing to understand about enterprise information protection because it is so ephemeral and yet so critical. Control architecture goes directly to how the enterprise thinks about and acts on information protection issues. . . . The control architecture is typically comprised of protection objectives, an access control model, functional units, perimeters, access mechanisms, a trust model, and change controls. (†1480)
control architecture (p. 23): The control architecture is not the implementation of things that carry out these controls. Rather it is a model of what the controls are, how they work, and how they interact to assure the utility of content. (†1481)
control architecture (p. 173): The control architecture creates the overarching objectives and structural approaches to protection without drilling down into the details of how those objectives are met or those approaches are implemented. It is a theoretical structure that ultimately gets implemented by the technical security architecture. (†1482)
data state (p. 227): Today, with mobile computing, data is often at rest in a disk and in motion because the disk is in a personal data assistant or laptop computer. Or it may be in motion because the laptop is on an airplane and in use because the user is using it. (†1486)
data state (p. 227, 235, 239): Data at rest is, in essence, data stored at a physical location in a physical device, typically a disk, CD-ROM, USB storage device, etc. In most cases, computers with high-valued information in large quantity remain in one physical location. This means that the physical security measures associated with that location act as a significant part of the protection afforded to that data.
¶ Data in motion may operate through physically secured wiring and infrastructure. If the physical security is adequate to the need, no additional measures are required. However, the vast majority of information in motion today travels over long distances through insecure infrastructure. In these cases additional protection is required as the consequences increase. Protection of data in use is problematic because it must be in a form that is useful for processing. There are some cases, like comparison to specific known values in password verification, where data can be left encrypted and have utility. But the vast majority of uses require that the data be readable.
¶ Data in use is rarely protected against modification beyond process separation mechanisms, because this is not supported by current processors. (†1487)
governance (p. 80): The system under which power and influence operate. These are the processes that take place within the enterprise, its institutions, and its structures to allow those in charge to govern. (†1474)
Information Security Management (ISO/IEC 27001) (p. 82): ISO 27001 and 27002 are the international standards organization's adaptation of the British Standard BS 7799 and as updated from ISO 17799. They define issues at two levels deeper than GAISP [Generally Accepted Information Security Principles] and codify the most common issues identified by companies in their implementation of information protection. They are designed so that management has the option of determining what to do and to what extent it should be done. Audits against these standards generally adopt the notion that all of the elements must be done to a reasonable and prudent extent based on the situation in the enterprise. (†1475)
integrity (p. 174): In most cases, the integrity of content is most important to its utility because, even if it is available and kept confidential, properly audited, and under use control, if it is wrong, its utility is poor. If it is wrong in specific ways, it can be very harmful. Integrity is often broken down into the integrity of the source, protection from inappropriate or unauthorized changes in the content, and assurance that the content represents an accurate reflection of reality suitable for the purpose. (†1483)
maturity model (p. 158): The Capability Maturity Model for Security (CMM-SEC) provides a way to measure progress of an overall program in terms of normalization into enterprise operations. It associates any of levels 0 through 5 (none, initial, repeatable, defined, managed, and optimizing) with each of 11 process areas and 11 organizational issues and is mapped against each of risk management, engineering processes, assurance, and coordination to provide an overall picture of the maturity of the information protection function within an enterprise. (†1472)
maturity model (p. 82): The security interpretation of CMM (CMM-SEC) codifies the maturity level of a security engineering capability. Variations are very useful as management tools because they codify capabilities from a standpoint of how effectively they are managed. . . . CMM-SEC is not a formal standard. Rather, it is the best codification of these issues available and has utility for the CISO. It differentiates 6 levels of maturity: (0) none, (1) initial, (2) repeatable, (3) defined, (4) managed, and (5) optimizing. (†1473)
oversight (p. 10): Oversight comes from laws, owners, the board of directors or a similar entity, auditors, and the chief executive officer. It produces a set of duties to protect that include legal and regulatory duties, contractual duties, and self-imposed duties. Oversight is also tasked with responsibility for making certain that the duties imposed are carried out and, typically, for making decisions that affect the entire enterprise. (†1488)
oversight (p. 36-37): Oversight is the critical governance function provided by top management relating to information protection and it is fundamental to proper operation of a protection program. It is the job of oversight to assure that proper duties to protect are put in place, that the management measures the effectiveness of the protection program in fulfilling those duties, and that management adapts the protection program to meet those duties.
¶ Laws: Laws and regulations define the legally mandated duties to protect associated with jurisdictions. All laws of all jurisdictions in which an enterprise operates have to be considered in order to make prudent determinations about duty to protect.
¶ Owners: The owners are the ones hurt by bad management decisions and they need to assure that their investment is not lost by electing proper boards of directors. For public companies there are regulatory assurances to support the public owners so that they don't have to get involved in the details of selections in order to reasonably protect their investments, but this lack of direct control by owners is often reflected in the frauds we see in the world. Owners of privately held firms are directly responsible for the disposition of their assets and for proper protection and they directly suffer from poor decisions in this regard.
¶ Board: The board of directors is legally and morally responsible to assure that the CEO and other officers are doing their jobs and have the ability to define additional duties to protect in keeping with their responsibilities. They also have oversight responsibility to act on behalf of the shareholders to assure that the shareholder value is protected.
¶ Auditors: Auditors are tasked with providing independent and objective feedback to the shareholders, board of directors, CEO, and others on the effectiveness of the protection program in fulfilling the duties to protect within the risk tolerance parameters set by management.
¶ CEO: The CEO is responsible for day-to-day control over the enterprise, and as part and parcel of this responsibility, for protecting shareholder value, for identifying the duties to protect, or assuring that those duties are carried out, for measuring the performance of those duties to allow adequate control to improve situations that warrant improvement and for keeping costs as low as possible without undertaking inappropriate levels of risk. In concert, these elements comprise the oversight functions of enterprise information protection and define the duty to protect. (†1489)