8.3 IA Services
A service is the act of satisfying some demand (service as a verb) or the entity that satisfies some demand (service as a noun). IA services are akin to business functions. These IA business functions provide information assurance services to the organization. As shown in Figure 8.1, business requirements drive security services. Security services in turn may use security mechanisms. Personnel and technology may provide security services.
This chapter and the next place IA services and IA mechanisms in an enterprise context as well as introduce how IA² assists in aligning IA services and IA mechanisms with business drivers.
When a risk is identified, there is a short list of options: accept risk, ignore risk
(implicit acceptance), share risk, transfer risk, and mitigate risk. Risk mitigation
requires investments in security controls. Effective implementation of security
controls creates defense-in-depth, where layers of security increase the difficulty
and cost of a successful attack. Generally speaking, if someone wants something
you have badly enough, they may be willing to take extraordinary steps to get it.
The objective of security is to make the cost of getting it more than the adversary
is willing to spend. One goal of defense-in-depth is to make a breach so difficult
as to be cost prohibitive in terms of both means (money and knowledge) and
method (effort).
IA service examples include:
• Compliance Management
• Assessment and Audit
• Policy Management
• Security Education, Training, and Awareness
• Privacy Management
• Computer Security Incident Response
• Vulnerability Management
• Digital Forensics
• Business Impact Assessment
• Business Continuity Management
Consider IA services as part of an overall defense-in-depth strategy.
8.3.1 Defense-in-Depth Perspective
There are key business functions that both define and fulfill the reasons for the existence of the organization. Key personnel are those people that perform key business functions or have key business knowledge. Key technology is that technology used by key personnel to perform key business functions. All other business functions,