Information Technology Reference
In-Depth Information
Figure 12.1
A simplifi ed structural outline of a layered defensive strategy.
Note that training and communications support all other functions, while poli-
cies and standards provide a solid basis for implementation and control. Your
leadership and vision will defi ne and align protective strategies with organiza-
tion requirements and mandates.
iteration). Security planning and review should include management of a
risk register, with impact, value, and responsible parties clearly identified
and communicated appropriately. This registry is a living document and
must be updated at each change in standards, tech refresh cycle, change
in personnel, change in partnering or hosting practices, or identification
of an emerging threat.
Explain Why
Implemented security measures should not be onerous or present barriers
to normal operations, or users will take action to circumvent their pro-
tective action to “just get the job done.” Automation of settings manage-
ment, access provisioning, and event log review can all aid in smoothing
out the impact of new security measures by ensuring that standards are
applied uniformly and completely. Training efforts and user awareness
