1. Introduction
Defense-in-depth is a commonly cited best-practice strategy for achieving Information Assurance. It is an approach to security that layers controls, thus increasing security for the system as a whole (United States National Security Agency, n.d.). Security controls fall into three primary categories: Administrative, Technical/Logical, and Physical/Environmental (Harris & Kumar, 2013, p. 28). To help mature and improve information security as a process and business enabler, it is critical that organizations deepen their understanding and command of administrative controls. The information security market is flooded with technical solutions that fit into the technical/logical control category. As more businesses move to the Cloud, physical and environmental controls are relegated to third parties. To achieve true Defense-in-Depth, businesses must further develop their Administrative controls and efforts. This enables the business to understand the value of security, and enables security to align with business strategy (Cano, 2014, pp. 51-55). This paper will examine the importance of administrative information security controls and the role they play in Defense-in-Depth strategies by discussing the maturity of security programs, the discovery of security program foundations, frameworks and processes, enterprise security architecture, and the governance of information security strategies.
2. Mature Security Programs: Basics of Administration
2.1.
Defense in depth identifies the need for many security layers to be utilised in defense of the system, from physical security at the bottom to data security at the top.
Another step involves security checks upon implementation and describes the agency-level threat to the business scenario or the mission. It similarly entails authorizing the information system for processing and, lastly, constant monitoring of the security controls. FISMA and NIST's standards are aimed at offering ways for agencies to achieve their identified missions with security commensurate with the threat (United States Department of Agriculture, 2015). Together with guidelines from the Office of Management and Budget (OMB), FISMA and NIST create a framework for advancing and growing an information security program (SecureIT, 2008). This framework includes control descriptions and evaluation, program development, and system certification and accreditation. The final objective is to conduct the daily functioning of the agency and achieve the agency's articulated objectives with security sufficient and commensurate with risk.
In this paper I will be discussing some of the benefits of having frameworks for information security management: what each of the information security frameworks is, along with its pros and cons; which major perspectives to consider in information security management and framework choice; and what organizational factors should be considered in framework choice. I will also attempt to come up with a better framework for information security.
The ever-changing threat landscape has resulted in increased challenges for organizations to safeguard their information assets. Today, organizations are forced to assess their entire IT ecosystem, both their own IT infrastructure and the IT infrastructure of third-party service providers and vendors. The close interconnection
The Department of Commerce (DOC) is required to implement an Information Security Continuous Monitoring (ISCM) Program as mandated by the Office of Management and Budget (OMB) Memorandum 14-03. The memorandum requires Federal agencies to manage information security risk on an ongoing basis. This document provides a high-level DOC-wide strategic plan for maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Otherwise known as information security continuous monitoring or ISCM, this strategic plan promotes informed and actionable risk management decisions; empowers leaders and improves organizational accountability; simplifies regulatory compliance through integrated
By defining key controls based on cyber threats (translated into business risks), an organization can more easily right-size its control set and adapt it to its needs. Risk assessment processes that are near real-time, gated by the change control process, provide continuous feedback on the sufficiency of controls within an
Defense in depth is a practical strategy for achieving information assurance in today’s highly networked environments, as defined by the NSA, which first applied the long-standing military strategy to network security. The basic premise of defense in depth is that layering security controls within a computing environment helps slow down an attacker’s progress should she/he gain access (K. Teitler, 2016). The defense-in-depth strategy that was created by the NSA is very practical in finding information. The steps and processes that are taken into consideration are, for each system, to draw out any vulnerability that may be present. Each step has a different job that delivers different results from the rest. What the NSA Information Assurance based defense-in-depth strategy is they
Designing a working plan for securing the organization's information assets begins by creating or validating an existing security blueprint for the implementation of the security controls needed to protect the information assets. A framework is the outline from which a more detailed blueprint evolves. The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies. The blueprint provides scalable, upgradeable, and comprehensive security for the coming years. The blueprint is used to plan the tasks to be accomplished and the order in which
It is not uncommon to find various organizations complaining about security flaws in their information systems. Failing to prevent or mitigate these security flaws may lead to system breakdown, errors, and loss of crucial information. This is why it is important for users of information systems to find the right solutions that can help counter and mitigate security flaws. One common problem with security flaws in information systems or networks is that they occur in multiples. Technological advances have, fortunately, made it possible for people and organizations to prevent and detect such security flaws using security strategies. Layered Security and Defense in Depth are two strategies that can help prevent attacks and protect information systems against security flaws. The two strategies are similar but are based on two completely different concepts. This paper compares and contrasts the Layered Security and Defense in Depth strategies by explaining how each of the two functions. Additionally, the paper includes an explanation of the advantages and disadvantages of the two strategies.
The intent of this security proposal is to ensure the ongoing protection and data security for a government agency's data center. Security and access privileges will be defined at the role and department levels, with added authentication for system administrators and members of the IT staff. Role-based access to this government facility will be tracked continually and reported using real-time log reporting and analysis (Amsel, 1988). This role-based approach to managing security will provide for inclusion of authentication, detection and deterrence in the areas of social engineering, firewalls, Virtual Private Networks (VPNs), authentication, security protocols and vulnerability assessments.
While all of these technologies have enabled exciting changes and opportunities for businesses, they have also created a unique set of challenges for business managers. Chief among all concerns about technology is the issue of information security. It seems to be almost a weekly occurrence to see a news article about yet another security breach and loss of sensitive data. Many people will remember high-profile data breaches from companies such as T.J. Maxx, Boston Market, Sports Authority, and OfficeMax. In the case of T.J. Maxx, a data breach resulted in the loss of more than 45 million credit and debit card numbers. In many of these incidents, the root cause is a lack of adequate security practices within the company. The same technologies that enable managers can also be used against them. Because of this, businesses must take appropriate steps to ensure their data remains secure and their communications remain
An information security professional’s job is to deploy the right safeguards, evaluate risks to critical assets, and mitigate those threats and vulnerabilities. Management can ensure their company’s assets, such as data, remain intact by finding the latest technology and implementing the right policies. Risk management focuses on analyzing risk and on mitigating actions that reduce that risk. Successful implementation of security safeguards depends on the knowledge and experience of information security staff. This paper addresses the methods and fundamentals of how to systematically conduct risk assessments of the security risks of information systems.
risks and make informed and business-directed security decisions. The result is a deployment strategy that balances the
The purpose of an IT security policy is to provide “strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure” ("Cyberspace Policy Review", 2016).
In a constantly evolving information assurance landscape, it has become increasingly challenging for organizations to protect their information resources. The changing ecosystem in which industries operate, the adoption of new technologies by organizations, the integration of IT into an organization’s core business processes, and the substantial increase in the use of internet-based services by consumers for daily activities like banking, communications, online shopping, etc., pose new threats to organizations. A recent Gartner survey states that 77% of the 500 business leaders of companies having revenues over $1 billion confirmed increased levels and new types of risks posed by the digital world. Also, the majority of the participants agreed that organizations are not investing at the required levels to mitigate the new risks (Gartner, 2015).