Business Expiration Needs
Expiration
Foundations of Information Security Series
Vicente Aceituno @vaceituno
(c)Inovement Europe 2014
Vicente Aceituno
[email protected] - Skype: vaceituno
Linkedin - linkedin.com/in/vaceituno
Inovement Europe - inovement.es
Video Blog - youtube.com/user/vaceituno
Blog - ism3.com
Twitter - twitter.com/vaceituno
Presentations - slideshare.net/vaceituno/presentations
Articles - slideshare.net/vaceituno/documents
Foundations of Information Security Series
Needs
Secrecy
Intellectual Property you Own
Intellectual Property you Use
Privacy
Availability
Retention
Expiration
Quality
Obligations
Technical
Compliance
Legal
What is Information Security?
“Information Security” is an emergent property of people using information.
People have expectations about information.
If there are no people or no information, “Information Security” is meaningless, as there are no expectations to meet.
What is Information Security?
When expectations about information are met, there is “Security”.
When expectations about information are not met, there is an “Incident”.
What is Information Security?
Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.
Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.
Expiration
Some expectations of people about information are related to ownership, control and use of information over time.
Expiration
Ownership is defined as having legal rights and duties on something.
Control is defined as having the ability to:
Grant or deny access to users.
Attribute to specific users their use of information.
Use is defined as having access to read, write or modify information.
Expiration
There is an expectation that information will be controlled by its owners or authorized administrators only, for as long as they are authorized.
There is an expectation that information will be used by authorized users only, for as long as they are authorized.
Expiration
Whether these expectations are met is independent of the observer and repeatable.
Expiration expectations can be determined by answering the following questions: Under what circumstances should the information be destroyed?
(Example: Information system sent to the dealer for maintenance)
When should the information be destroyed? When does this length of time start counting?
Answering these questions yields requirements that can be managed.
Expiration-related incidents
An Expiration-related incident occurs when information can be controlled or used after the expected length of time.
For a more complete list of incidents check tiny.cc/incidents
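The three questions above (under what circumstances, how long, counting from when) can be written down as data, and the incident definition on this slide then becomes a repeatable check over recorded events. The following Python is an added example; it is not part of the presentation or of O-ISM3. The information class, users, dates and the "customer contract ends" clock-start event are constructed; the dealer-maintenance circumstance is the slide's own example. It generalizes the slide slightly: the effective deadline is whichever comes first, the scheduled end of the retention period or the first occurrence of the destroy-when circumstance.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ExpirationRequirement:
    """One class of information and the answers to the three questions:
    under what circumstance, after how long, and counting from what event."""
    info_class: str
    destroy_when: str     # circumstance that forces immediate destruction
    max_age: timedelta    # how long the information may exist once the clock starts
    clock_starts_on: str  # the event that starts the clock (documentation only)


@dataclass(frozen=True)
class Circumstance:
    description: str
    at: datetime


@dataclass(frozen=True)
class AccessEvent:
    info_class: str
    user: str
    action: str   # "control" (grant/deny/attribute) or "use" (read/write/modify)
    at: datetime


def effective_deadline(req, clock_start, circumstances):
    """The information must be destroyed by the scheduled deadline or by the
    first occurrence of the destroy-when circumstance, whichever is earlier."""
    scheduled = clock_start + req.max_age
    triggers = [c.at for c in circumstances if c.description == req.destroy_when]
    return min([scheduled] + triggers)


def find_expiration_incidents(req, clock_start, circumstances, events):
    """An Expiration incident is any control or use of the information after
    its effective deadline. The result depends only on the recorded facts,
    so the check is observer-independent and repeatable."""
    deadline = effective_deadline(req, clock_start, circumstances)
    return sorted(
        (e for e in events if e.info_class == req.info_class and e.at > deadline),
        key=lambda e: e.at,
    )


# Constructed sample data (hypothetical information class, users and dates).
REQ = ExpirationRequirement(
    info_class="customer-records",
    destroy_when="information system sent to the dealer for maintenance",
    max_age=timedelta(days=730),
    clock_starts_on="customer contract ends",
)
CLOCK_START = datetime(2014, 1, 1)   # contract ended here; scheduled deadline is 2016-01-01
CIRCUMSTANCES = [
    Circumstance("information system sent to the dealer for maintenance", datetime(2015, 9, 1)),
]
EVENTS = [
    AccessEvent("customer-records", "alice", "use", datetime(2015, 6, 1)),       # before any deadline
    AccessEvent("customer-records", "bob", "use", datetime(2015, 10, 15)),      # after the maintenance hand-over
    AccessEvent("customer-records", "admin", "control", datetime(2016, 3, 1)),  # after both deadlines
    AccessEvent("hr-records", "carol", "use", datetime(2016, 3, 1)),            # different class, out of scope
]


if __name__ == "__main__":
    print("effective deadline:", effective_deadline(REQ, CLOCK_START, CIRCUMSTANCES).date())
    for inc in find_expiration_incidents(REQ, CLOCK_START, CIRCUMSTANCES, EVENTS):
        print(f"incident: {inc.user} could {inc.action} {inc.info_class} on {inc.at.date()}")
```

With the constructed data the maintenance hand-over on 2015-09-01 moves the deadline forward from the scheduled 2016-01-01, so two of the four events are incidents; with no such circumstance recorded only the 2016-03-01 control event is. The same structure works for any information class once the three questions have been answered for it.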
Achieving Expiration
In order to achieve Expiration, normally information is overwritten with random information.
The directly related O-ISM3 process is: OSP-6: IT Managed Domain Clearing
Having multiple copies of information makes it less likely that Expiration expectations are met.
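As an added example (not the presentation's or O-ISM3's code) of the clearing step and of why extra copies matter: a Python routine that overwrites a file copy with random bytes and forces it to disk before unlinking it, followed by a content-fingerprint scan showing that a copy missing from the inventory survives the clearing. File names, contents and the inventory are constructed, and the demo runs in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """SHA-256 of a file's contents; used only to recognise exact copies."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def overwrite_with_random(path, passes=1):
    """Clear one copy: overwrite every byte in place with random data, push it
    to stable storage, then unlink. Returns the number of bytes overwritten."""
    p = Path(path)
    size = p.stat().st_size
    with open(p, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 64 * 1024))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())  # do not trust the page cache to have written it
    p.unlink()
    return size


def find_surviving_copies(root, digest):
    """Every file under root whose content still matches the original."""
    return sorted(
        str(p) for p in Path(root).rglob("*") if p.is_file() and fingerprint(p) == digest
    )


def run_demo():
    """Constructed scenario: an original plus two copies, of which only the
    original and one export are in the inventory. Clearing the inventory
    leaves the forgotten backup behind, so the Expiration expectation is not met."""
    content = b"customer record: hypothetical data\n" * 100
    with tempfile.TemporaryDirectory() as root:
        original = Path(root, "records.db")
        registered_copy = Path(root, "export", "records.csv")
        forgotten_backup = Path(root, "backup", "records.db.bak")
        for p in (original, registered_copy, forgotten_backup):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        digest = fingerprint(original)
        inventory = [original, registered_copy]   # the copies the organisation knows about

        cleared = sum(1 for p in inventory if overwrite_with_random(p) == len(content))
        survivors = find_surviving_copies(root, digest)
        return {
            "cleared": cleared,
            "surviving_copies": len(survivors),
            "expiration_met": not survivors,
        }


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner should keep in mind. Overwriting in place only reaches the blocks the file occupies right now; snapshots, filesystem journals, copy-on-write filesystems and flash wear levelling keep older blocks, which is the same "multiple copies" problem one layer down, so storage-level sanitization or encryption with key destruction is needed there. And the fingerprint scan finds only byte-identical copies, so it is a sanity check on the inventory, not proof that no copy exists.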
Expiration
The O-ISM3 Challenge
This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.
Check the exercise in full at tiny.cc/indepth
A summary of conclusions from the exercise, in relation to Expiration, follows.
[Diagram: Business Needs (Secrecy, Intellectual Property, Privacy, Availability, Retention, Expiration, Quality), Business Obligations, and Integrity]
Integrity
ISO Definition: The property of safeguarding the accuracy and completeness of assets.
ITIL Definition: A security principle that ensures data and Configuration Items are only modified by authorized personnel and Activities. Integrity considers all possible causes of modification, including software and hardware Failure, environmental Events, and human intervention.
CobIT Definition: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Expiration and Integrity
Integrity can’t be measured (it doesn’t have units). Therefore it is neither independent of the observer nor repeatable, as Expiration is.
Expiration can be used to measure, communicate and manage a specific expectation of people about information.
Integrity is not necessary to understand or measure Expiration.
Expiration and Integrity
Expiration and Integrity are not equivalent.
Integrity and Expiration are not synonymous.
Integrity is not useful to understand Expiration.
Follow the Foundations of Information Security Series by joining the LinkedIn O-ISM3 Group at: tiny.cc/osim3LG
Learn Advanced Information Security Management by joining us at an O-ISM3 Course: tiny.cc/osim3