Information Protection Planning
Tawfiq Al-Rushaid
February 2004
  • The agenda of this presentation is as follows: I will start with the objectives of this presentation, followed by the Business Drivers & Challenges in planning information protection. Then I will highlight the Enterprise Information Protection Approach. Finally, I will share in detail our experience in implementing the Information Protection Architecture, with its different steps and processes.
  • The objective of my presentation is to be an eye-opener on centralizing information protection planning, to present a planning approach for information protection, and to share with you our implementation experience.
  • Information protection is a process that never ends; therefore it will always be unfinished business. Given business demand, an information protection program cannot be defense-oriented; it should be business-oriented, with a focus on building trust and maximizing business efficiency. The relationship between people, businesses, processes, and technologies should be considered when planning for information protection. Spending on information protection should be controlled, and this can be achieved by integrated planning.
  • Someone has to own the planning process; it cannot be everybody's problem. Common objectives for common issues and common solutions produce more effective results. Establish an accountability matrix that includes architects, managers, and systems administrators. For rapid implementation, decentralize the implementation, including outsourcing some security services such as vulnerability assessment and monitoring. Stay business-oriented. Leverage the existing security infrastructure through business process reengineering and policy enforcement. Most organizations have effective tools that are not used. Keep reviewing the information protection architecture for enhancement.
  • The purpose of the information protection architecture is to establish a corporate roadmap of technologies, ensure that technologies are achieving the missions, and facilitate the development of new systems and the insertion of emerging technologies.
  • Here I will present the gap analysis process in more detail. You should evaluate each information protection program, and I stress "each" here, against the different IT infrastructure, including computing, servers, databases, storage and applications; against data networking, including switches, routers, extranet, Internet and wireless communication; against business requirements and strategy; and against security threats, such as anti-virus, DoS, intrusion, etc.
  • This slide illustrates the architecture model and its different elements. Information protection architecture is a process that starts with documenting the current IP architecture domains, including technologies, data and processes. Assess. Translate business needs and requirements into IP requirements. Establish a new IP architecture based on best practices, industry standards, business requirements and business culture. Perform gap analysis. Develop an implementation plan. Develop a migration plan. Communicate findings, directions and recommendations to IT business lines. Provide support and consultancy during the migration process.
  • The gap analysis process is the center of this model. It includes an assessment process in which you should map your IT infrastructure to the information protection processes, map your business requirements to the information protection services, and map your security threats to the information protection standards, tools & technologies.
  • As a result of the mapping process, you should identify missing links, identify deviations, and start finding solutions and directions.
  • For example, the Identification & Authentication elements should be examined for their implementation with each platform or device.

    1. Information Protection Planning
       • Tawfiq Al-Rushaid
       • February 2004
    2. Agenda
       • Objectives
       • Business Drivers & Challenges
       • Enterprise Information Protection Approach
       • Enterprise Information Protection Architecture
       • The Architecture Process Model
       • Gap Analysis Process
       • Q & A
    3. Objectives
       • Emphasize the need for centralizing information protection planning.
       • Present the information protection planning approach.
       • Share the implementation experience.
    4. Business Drivers & Challenges
       • Information protection is unfinished business.
           • What is next
       • Business-driven risks management
           • Stay in line with business strategy
       • Develop the relationship between:
           • People
           • Businesses
           • Processes
           • Technologies
       • Manage costs of information protection program.
           • Common risk elements
           • Common solutions
           • Increase efficiency
           • Standardization
    5. Enterprise Information Protection Planning Approach
       • Process ownership.
       • Integrate planning.
       • Establish accountability.
       • Decentralize implementation.
       • Link business imperatives to information protection solutions.
       • Optimize existing security infrastructure.
       • Adhere to the enterprise information protection architecture.
    6. IT Architecture (diagram labels)
       • Information Protection Architecture
       • Network Architecture
       • Computing Architecture
       • Data Storage Architecture
       • Applications Architecture
       • IT Services Architecture
    7. Purpose of Information Protection Architecture
       • Establish an enterprise roadmap of technologies.
       • Ensure that used technologies are achieving the enterprise IT missions.
       • Facilitate the development/deployment of new systems, and the insertion of emerging technologies.
    8. Enterprise Information Protection Architecture (diagram labels)
       • Technologies, and Processes
       • Identification & Authentication
       • Authorization & Access Control
       • Administration
       • Audit
       • Information Protection Services
    9. The Architecture Process Model (diagram labels)
       • Data Technologies, Policies, Processes, Standards, Organizations, Staff, and Skill sets
       • Environmental Trends
       • Business vision trends & requirements
       • Current information protection Architecture
       • Target information protection Architecture
       • Threats factors & business impact
       • Gap Analysis
           • Assessment Process
           • Identification Process
           • Resolution Process
       • Implementation Plan
    10. Gap Analysis Process
       • Assessment Process
           • Map your IT infrastructure to the Information protection processes.
           • Map your business requirements to the Information protection services
           • Map your security threats to the Information protection standards, tools & technologies
    11. Gap Analysis – Continue
       • Identification Process
           • Identify missing links
           • Identify deviation
       • Resolution Process
           • Directions
           • Solutions
    12. Enterprise Information Protection Architecture (diagram labels)
       • Technologies, and Processes
       • Identification & Authentication
       • Authorization & Access Control
       • Administration
       • Audit
       • Information Protection Services
       • IT Infrastructure
       • Business Requirements
       • Threats
    13. Gap Analysis – Continue: Identification & Authentication (Technologies, Processes)
       • Secure Tokens
       • Directorates
       • Digital Certificates
       • User ID Password Management
    14. Gap Analysis – Continue: Authorization & Access Control (Technologies, Processes)
       • Anti SPAM
       • VPN
       • Policy Server
       • Firewalls
       • Content filtering
       • Anti Virus
       • Encryption
    15. Gap Analysis – Continue: Administration (Technologies, Processes & Standards)
       • Vulnerability Management
       • Policies Management
       • Risk Management
       • Awareness Programs
       • Incidents Management
       • Identity Management
    16. Gap Analysis – Continue: Audit (Technologies, Processes & Standards)
       • Vulnerability Assessment
       • Compliance Monitoring
       • Intrusion Management
       • Event Management
    17. Architecture Process Model – Continue
       • Develop implementation plan
       • Develop migration plan
    18. Conclusion
       • There is high risk with decentralized information protection planning.
       • The higher the risk, the more important it is to take an enterprise approach
    19. Q & A
