network at some later date, and all defenses should be regularly tested and
updated to meet emerging threats.
The Process of Security
Security is not a state that can be achieved once and for all time; it is an
ongoing process of addressing threats to the enterprise that may arise from
external attackers, internal mischief or misuse, environmental hazards, or
any other vector that provides a potential undesirable change to enterprise
functionality or availability. The standard view of security addresses three
aspects of service and data:
(C)onfidentiality — Data and services should only be available through authorized access, with unauthorized access prevented, or detected and reported if controls are bypassed.
(I)ntegrity — Data and services should be protected from unauthorized modification or corruption, both during use and in storage.
(A)vailability — Data and services should be available for use upon authorized access attempts, with outages and service interruptions monitored and reported.
Security Is like an Onion
To meet the protective goals of this C-I-A mandate, security controls should be layered to create a series of barriers against compromise, failure, or unauthorized access. Figure 12.1 illustrates this type of layering, starting with leadership and vision and drilling down to implementation settings and configuration details. Attackers and undesirable events must bypass each layer in turn in order to disrupt or modify service availability or enterprise data, which provides more opportunities for denial, mitigation, and alerting.
Program Rather than Project
Although individual implementation efforts may be managed as projects
(limited-term, defined end goal, and criteria), the process of security is
an ongoing operation and so should be managed as a program (open-
ended, regularly reviewed, with corrective actions applied during each