Enterprise Information Protection
Fred Cohen, PhD
Principal Consulting Analyst
Enterprise information protection starts and ends with the business. It involves understanding how the business works and why it works that way, turning that understanding into a set of defined duties to protect, and carrying out those duties to effect reasonable and prudent operation of the business.
Because enterprises have many moving parts, structuring a protection program requires an architectural context in order to be effective and efficient. This report identifies the structure of such an architecture and the elements it normally contains. Taking this as a starting point, the details are typically filled in at increasing levels of specificity as the particular needs of the enterprise are structured.
A key thing to understand about this architecture in particular, and about enterprise information protection in general, is that it permeates the entire enterprise. The board and top management are responsible for defining the duties to protect because they understand the business as a whole and are ultimately responsible for taking risks to reap rewards. In order to do this well, the risks and rewards must be understood by the decision-makers, and not merely outlined by surrogates. Top management remains responsible, all the way to the board, regardless of any attempt to delegate the activities.
Information protection assures the utility of content. It involves a wide range of activities spanning a wide range of disciplines. This report provides the context for understanding enterprise information protection at a high level and content for understanding protection decisions within that context. As discussed in this report, the Systematic Comprehensive Information Protection Program starts with how the business works and ends with assuring proper protection of content and its business utility. Oversight defines duties to protect. Risk Management turns these duties into decisions about risk acceptance, transfer, avoidance, and mitigation, and identifies what to protect and how well to protect it. Executive Security Management then figures out how to protect, and uses power and influence within organizations to provide control.
Organizational issues and business processes drive “control architecture” and interact with technical security architecture to affect the protection processes. These processes ultimately control protective mechanisms that interact directly with content and its business utility to assure that risk is adequately controlled for the needs of the organization.