Business Retention Needs

Foundations of Security: Retention
Published in: Technology

  1. Retention. Foundations of Information Security Series. Vicente Aceituno, @vaceituno. (c) Inovement Europe 2014
  2. Vicente Aceituno: vac@zenobia.es; Skype: vaceituno; LinkedIn: linkedin.com/in/vaceituno; Inovement Europe: inovement.es; Video Blog: youtube.com/user/vaceituno; Blog: ism3.com; Twitter: twitter.com/vaceituno; Presentations: slideshare.net/vaceituno/presentations; Articles: slideshare.net/vaceituno/documents
  3. Foundations of Information Security Series
     • Needs: Secrecy; Intellectual Property you Own; Intellectual Property you Use; Privacy; Availability; Retention; Expiration; Quality
     • Obligations: Technical; Compliance; Legal
  4. What is Information Security?
     • "Information Security" is an emergent property of people using information.
     • People have expectations about information.
     • If there are no people or no information, "Information Security" is meaningless, as there are no expectations to meet.
  5. What is Information Security?
     • When expectations about information are met, there is "Security".
     • When expectations about information are not met, there is an "Incident".
  6. What is Information Security?
     • Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.
     • Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.
  7. Retention
  8. Retention
     • Some expectations people have about information relate to the ownership, control and use of that information over time.
  9. Retention
     • Ownership is defined as having legal rights and duties over something.
     • Control is defined as having the ability to grant or deny access to users, and to attribute to specific users their use of the information.
     • Use is defined as having access to read, write or modify the information.
  10. Retention
     • There is an expectation that information will be controlled only by its owners or authorized administrators, for as long as they are authorized.
     • There is an expectation that information will be used only by authorized users, for as long as they are authorized.
  11. Retention
     • Whether these expectations are met is independent of the observer and repeatable.
     • Retention expectations can be determined by answering the following questions:
       – For how long should the owners or authorized administrators control the information? When does this length of time start counting?
       – For how long should the users use the information? When does this length of time start counting?
     • Answering these questions yields requirements that can be managed.
  12. Retention related incidents
     • Information is corrupted or lost before the expected length of time has elapsed. For a more complete list of incidents check tiny.cc/incidents
  13. Achieving Retention
     • To achieve Retention, copies of the information are normally made, so that it is less likely to be lost and can be recovered if corrupted.
     • The directly related O-ISM3 processes are:
       – OSP-10: Backup Management (protects from information loss in the short term)
       – OSP-27: Archiving Management (protects from information loss in the long term)
     • Having multiple copies of the information makes it more likely that Retention expectations are met.
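The following is an added illustration, not code from the slide deck or from O-ISM3. It puts slides 11 and 13 together: a record carries the two answers slide 11 asks for (how long, counted from when) and is held as several checksummed copies, so a corrupted copy is detected by comparing against the write-time digest and repaired from an intact copy, while losing every copy before the deadline surfaces as the retention incident of slide 12. Class, method and field names (`RetainedRecord`, `repair`, `retention_start`) and the sample contract bytes are assumptions made for this example.

```python
"""Added example: checksummed multi-copy retention with deadline tracking.
Names and sample data are assumptions for illustration, not O-ISM3 terms."""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RetainedRecord:
    """One piece of information held as several independent byte copies.

    retention_start:  when the retention clock starts counting (slide 11).
    retention_period: how long the information must stay recoverable.
    """

    def __init__(self, data: bytes, retention_start: datetime,
                 retention_period: timedelta, copies: int = 3):
        if copies < 2:
            raise ValueError("retention needs at least two independent copies")
        self.retention_start = retention_start
        self.retention_period = retention_period
        # The digest taken at write time is the reference every later read is checked against.
        self.digest = sha256(data)
        # bytearray so a fault can be injected into one copy for the demonstration.
        self.copies = [bytearray(data) for _ in range(copies)]

    def retention_deadline(self) -> datetime:
        return self.retention_start + self.retention_period

    def within_retention(self, now: datetime) -> bool:
        return now < self.retention_deadline()

    def corrupted_copies(self) -> list:
        """Indexes of copies whose checksum no longer matches the write-time digest."""
        return [i for i, c in enumerate(self.copies) if sha256(bytes(c)) != self.digest]

    def read(self) -> bytes:
        """Return the first verified copy; raise if none is intact (a retention incident)."""
        for c in self.copies:
            if sha256(bytes(c)) == self.digest:
                return bytes(c)
        raise RuntimeError("retention incident: no intact copy remains")

    def repair(self) -> int:
        """Overwrite corrupted copies with an intact one; returns how many were repaired."""
        good = self.read()
        bad = self.corrupted_copies()
        for i in bad:
            self.copies[i] = bytearray(good)
        return len(bad)


def simulate_bit_rot(record: RetainedRecord, copy_index: int, byte_offset: int = 0) -> None:
    """Flip one bit in one copy (a constructed fault, standing in for media decay)."""
    record.copies[copy_index][byte_offset] ^= 0x01


def run_demo() -> dict:
    """Walk through detection, repair, deadline check and total loss; returns the observations."""
    start = datetime(2014, 1, 1, tzinfo=timezone.utc)      # constructed start date
    rec = RetainedRecord(b"contract v1", start, timedelta(days=7 * 365))  # constructed record
    simulate_bit_rot(rec, 0)
    results = {
        "corrupted_before_repair": rec.corrupted_copies(),
        "read_despite_corruption": rec.read(),
        "repaired": rec.repair(),
        "corrupted_after_repair": rec.corrupted_copies(),
        "retained_2020": rec.within_retention(datetime(2020, 6, 1, tzinfo=timezone.utc)),
        "retained_2021": rec.within_retention(datetime(2021, 6, 1, tzinfo=timezone.utc)),
    }
    # Corrupt every copy: now the expectation can no longer be met.
    for i in range(len(rec.copies)):
        simulate_bit_rot(rec, i)
    try:
        rec.read()
        results["incident"] = False
    except RuntimeError:
        results["incident"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The digest is what turns "we have copies" into something repeatable and observer-independent, as slide 11 requires: any reader, at any time, gets the same answer about whether a given copy still matches what was written. A real backup or archive process would keep the digests separately from the copies and verify on a schedule rather than only on read.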
  14. Retention
  15. The O-ISM3 Challenge
     • This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.
     • Check the exercise in full at tiny.cc/indepth
     • A summary of the conclusions from the exercise, in relation to Retention, follows.
  16. Diagram: the traditional concept Integrity placed against the Business Needs (Secrecy, Intellectual Property, Privacy, Availability, Retention, Quality) and the Business Obligations.
  17. Integrity
     • ISO definition: the property of safeguarding the accuracy and completeness of assets.
     • ITIL definition: a security principle that ensures data and Configuration Items are only modified by authorized personnel and Activities. Integrity considers all possible causes of modification, including software and hardware Failure, environmental Events, and human intervention.
     • COBIT definition: relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
  18. Retention and Integrity
     • Integrity can't be measured (it has no units). Therefore it is neither independent of the observer nor repeatable, as Retention is.
     • Retention can be used to measure, communicate and manage a specific expectation people have about information.
     • Integrity is not necessary to understand or measure Retention.
  19. Retention and Integrity
     • Retention and Integrity are not equivalent.
     • Integrity and Retention are not synonymous.
     • Integrity is not useful for understanding Retention.
  20. Follow the Foundations of Information Security Series by joining the LinkedIn O-ISM3 Group at tiny.cc/osim3LG. Learn Advanced Information Security Management by joining us at an O-ISM3 Course: tiny.cc/osim3
