Threats to information security have evolved significantly over the years. These threats range from curious teenagers to disgruntled employees, activists, criminals, industrial and state-sponsored spies, terrorists and even nation states engaged in warfare.
Many organizations have traditionally focused their information security efforts on putting defensive controls at the perimeter. However, this has proven to be insufficient. That’s not to say that you should not protect your perimeter, but you should assume that it will be penetrated.
I’ve just recently had the pleasure of working with Brian Honan, a well-respected and recognized security expert, in developing a white paper that focuses on Layered Security. Honan suggests that organizations need to develop a multi-layered security strategy that focuses on the confidentiality, integrity and availability (CIA) of the information being protected. This approach to security ensures that if one layer fails or is compromised, other layers will compensate and maintain the security of that information.
The paper also provides a guide to the most effective preventative and detective controls organizations should deploy. It gives some pragmatic guidance as to how organizations should prioritize their layered security program implementation. The paper describes eight steps that are key for developing a risk-based approach:
- Identify key information
- Categorize information
- Identify threats
- Assess vulnerabilities
- Assess the risks
- Identify controls
- Implement controls
- Monitor continuously
It is a very good read. You can download the entire Layered Security white paper (registration required) at our site.