The major tasks for Enterprise Information Security are:
1. Architecture : This is the process of identifying, classifying and modeling the domains and entities of the enterprise. Enterprise Information System Architecture requires a clear understanding of the enterprise's goals, culture and components. Every elemental entity within the enterprise has to be identified and placed in a group, class or domain. An interaction model between and within domains and their entities then has to be defined and clearly articulated; the resulting model forms the basis for developing a structural policy for the enterprise.
2. Policy : In many cases this will include standards, guidelines and procedures, but at the planning stage (the very high level) one determines a matrix of inter-relations between domains and intra-relations among the elements within a domain, such that security requirements are defined and security boundaries determined. The Policy drives the development of a Risk Management process, the most fundamental component of which is risk assessment.
3. Risk assessment : Risk is exposure to threats: the likelihood that a threat materialises combined with the loss it would cause. Risk assessment can only take place once threats have been identified, and in an enterprise holistic threat identification is impossible without a clear policy framework. Since the Policy determines the security requirements and boundaries, risk assessment relies on identified threats to those requirements and likely breaches of those boundaries. The likelihood of these threats occurring is captured by risk valuation, and the consequent cost of each likely threat is embodied in the risk assessment program. Once risks have been clearly articulated and a thorough assessment conducted, the result provides the required motivation for solution design.
4. Solutions Design : At this stage, standards, procedures, baselines and guidelines are set for solutions and operations. The standards set will in many cases drive the technologies and processes to use, but on many occasions standards are instead driven by available technology. The former is the sound way to do things: it ensures that tools are obtained or developed to solve the identified problems and that, where technology is insufficient, manual processes are employed to compensate. The danger of the latter approach is that the options and possibilities for security solutions are built around a given technology, which may not have been developed with the particular security model in mind. The more generic a technology, the less likely it is to address a specific domain problem holistically and securely. In many cases, solutions design is the most challenging artifact in the development of enterprise information security. The design must be modular and should be targeted at addressing all the requirements of the policy.
5. Evaluation : This is arguably one of the most important components of enterprise information security and can be done at multiple stages. It is imperative, however, that a thorough evaluation be carried out on the designed solution to determine its suitability for the particular architecture.
6. Updates : All systems must come up for review, and ongoing evaluation will always call for an ongoing update process. The architecture must be updated to accommodate a growing understanding of the requirements, which may not arrive until the end of the first iteration. Policies have to be updated to reflect new realities as well as updated architectures. Risks are based on threat likelihood, and as the environment changes so does the nature of the risk; the assessed risk states therefore have to be continually updated to reflect current realities.
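As an added illustration of steps 1 to 4 above (example code, not part of the original post), the following Python sketch encodes a constructed architecture model (entities grouped into domains plus their interaction model), a policy matrix of permitted inter-domain relations, derives the security boundary crossings from them, and values each crossing as likelihood times breach cost so the result can drive solution design. Every domain, entity, flow, cost figure and probability in it is an assumption made up for the example.

```python
"""Toy walk-through of steps 1-4: classify entities into domains, derive
security boundaries from a policy matrix, then value the risk of each
boundary crossing. All domains, entities, flows and numbers below are
constructed for illustration, not taken from any real enterprise."""
from dataclasses import dataclass

# Step 1, architecture: entities placed into domains (constructed).
DOMAIN_OF = {
    "web-proxy": "dmz",
    "web-app": "dmz",
    "hr-portal": "internal",
    "payroll-db": "data",
    "backup-server": "data",
    "contractor-laptop": "external",
}

# Step 1 continued: the interaction model, who talks to whom (constructed).
FLOWS = [
    ("web-proxy", "web-app"),
    ("web-app", "hr-portal"),
    ("hr-portal", "payroll-db"),
    ("contractor-laptop", "payroll-db"),   # bypasses the internal tier
    ("backup-server", "payroll-db"),
]

# Step 2, policy: matrix of permitted inter-domain relations (constructed).
# A missing key means "not permitted"; same-domain traffic is always allowed.
POLICY = {
    ("external", "dmz"): "mediated by proxy",
    ("dmz", "internal"): "authenticated service calls only",
    ("internal", "data"): "application accounts only",
}

# Step 3 inputs: assumed cost of compromising each domain, and assumed annual
# likelihood for a permitted crossing versus a crossing the policy forbids.
BREACH_COST = {"external": 0, "dmz": 20_000, "internal": 100_000, "data": 1_000_000}
LIKELIHOOD = {"permitted": 0.05, "violation": 0.40}


@dataclass(frozen=True)
class Risk:
    source: str
    target: str
    boundary: tuple   # (source domain, target domain)
    status: str       # "permitted" or "violation"
    annualised_cost: float


def boundary_crossings(flows, domain_of):
    """A flow whose endpoints sit in different domains crosses a security boundary."""
    return [(s, t) for s, t in flows if domain_of[s] != domain_of[t]]


def assess(flows, domain_of, policy, cost, likelihood):
    """Step 3: for each boundary crossing, check it against the policy matrix,
    then value the risk as likelihood x cost of compromising the target domain."""
    risks = []
    for s, t in boundary_crossings(flows, domain_of):
        boundary = (domain_of[s], domain_of[t])
        status = "permitted" if boundary in policy else "violation"
        risks.append(Risk(s, t, boundary, status, likelihood[status] * cost[boundary[1]]))
    # Highest annualised loss first: this ranking is the input to solution design.
    return sorted(risks, key=lambda r: r.annualised_cost, reverse=True)


def violations(risks):
    """Crossings the policy matrix does not permit at all."""
    return [r for r in risks if r.status == "violation"]


if __name__ == "__main__":
    for r in assess(FLOWS, DOMAIN_OF, POLICY, BREACH_COST, LIKELIHOOD):
        print(f"{r.source:>18} -> {r.target:<14} {r.boundary[0]}->{r.boundary[1]:<9} "
              f"{r.status:<10} {r.annualised_cost:>12,.0f}")
```

The same-domain flows (proxy to app, backup to database) never appear in the output because the policy matrix only governs relations between domains; the contractor laptop reaching the payroll database tops the list because no entry in the matrix permits an external-to-data relation, which is exactly the kind of boundary breach step 3 says the assessment should surface.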