Table 8.6 Security Controls Overview (template: rows are the IA² lines of sight, columns are the defense-in-depth control classes; cells are left blank for the reader to complete)

IA² LoS                 | Preventive | Detective | Reactive | Corrective
------------------------+------------+-----------+----------+-----------
Business requirements   |            |           |          |
IA services             |            |           |          |
IA mechanisms           |            |           |          |
IA vendor/product       |            |           |          |
IA operations           |            |           |          |
ing what security controls are necessary. Also, use the IA² LoS that begins with business requirements and links them through to security control services and mechanisms. Supplemental to these, consider security controls in terms of the defense-in-depth control classes: preventive, detective, reactive, and corrective (for example, an access control that blocks an action is preventive, an alert that reveals it is detective, the incident handling it triggers is reactive, and the fix that removes the underlying weakness is corrective). Table 8.6 provides a template for considering the cross sections of the IA² LoS and defense-in-depth.
Each subsequent row in Table 8.6 refines the business requirements into control services (e.g., identity management), control mechanisms (e.g., a card reader for presenting a claim of identity, a biometric for validating that identity), vendor products in support of the security control mechanisms, and operational procedures and guidelines. This process of aligning operational constructs with business drivers is a common theme throughout IA²P. Such alignment assists in ROI analysis and in the ongoing justification of operational processes. Moreover, if the business requirement goes away, so should the operational constructs that exist only to serve it; such alignment quickly distinguishes useless overhead from core operational support.
8.18 Conclusion and Commentary
IA services are organizationally focused: they are the services IA professionals provide to, and throughout, the organization. Many IA services require trained, experienced professionals. Most IA services involve the use of tools, or IA mechanisms. Some of these mechanisms run continuously without manual intervention, while others are applied as necessary by IA professionals using a combination of science and art, e.g., digital forensics. A selection of IA mechanisms is presented in the next chapter.
Table purposely left blank.