Security requires the integration of people, process, and technology. Each of the three components should be managed considering the capabilities and limitations of the other components. When the components are considered in total, they should provide for adequate overall risk mitigation.
Security strategies include prevention, detection, and response, and all three are needed for a comprehensive and robust security framework. Typically, security strategies focus most resources on prevention. Prevention addresses the likelihood of harm. Detection and response are generally used to limit damage once a security breach has occurred. Weaknesses in prevention may be offset by strengths in detection and response.
Security strategies should establish limitations on access and limitations on the ability to perform unauthorized actions. Those limitations derive from concepts known as security domains, least permissions, and least privileges.
The creation of security domains involves designing a network so that users and network resources are grouped in a logical or physical manner, and control sets are established to mitigate the risks relevant to each individual domain. At the network level, connectivity between network areas may be disabled, or tightly controlled through perimeters. Tools could include firewalls, virtual local area networks (VLANs), router access control lists (ACLs), and directories. The tools allow for restrictions on access and authorizations at the network and application layers.
The concepts of least permissions and least privileges are used to provide functionality while limiting potentially harmful actions. They generally involve restricting authorizations at the network, server, and client level. For example, a user could be allowed access to only certain network resources and denied access to others. A user could be allowed access to some program functions or file areas and not allowed access to others. A program could be allowed access to some of a computer's or network's resources and disallowed access to others. Authorization for users most often is managed by assigning a user to a group, and granting permissions to the group.
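The two preceding paragraphs describe two separate sets of limitations: security domains, which restrict which network areas may talk to each other, and least permissions and privileges, which restrict what an authenticated user or program may do once connectivity exists. The following Python model is an added illustration, not part of the booklet, showing both controls applied with default deny and a request that must pass both before it is permitted. The domain names, ports, groups, users and permission names are constructed sample values, not taken from the booklet.

```python
from dataclasses import dataclass

# --- Security domains (constructed sample values) ---------------------------
# Hosts are grouped into domains; only the flows listed here may cross a
# domain boundary. Any (source, destination, port) not listed is denied,
# mirroring a default-deny perimeter control such as a router ACL or firewall.
ALLOWED_FLOWS = {
    ("internet", "dmz"): {443},   # browsers reach the web tier over HTTPS only
    ("dmz", "app"): {8443},       # web tier talks to the transactional tier
    ("app", "db"): {5432},        # transactional tier talks to the database
}


def flow_permitted(src_domain: str, dst_domain: str, port: int) -> bool:
    """Return True if traffic from src_domain to dst_domain on port is allowed."""
    if src_domain == dst_domain:
        return True  # this toy model does not filter traffic inside one domain
    return port in ALLOWED_FLOWS.get((src_domain, dst_domain), set())


def reachable_from(src_domain: str) -> set:
    """Domains that src_domain may reach directly (not transitively)."""
    return {dst for (src, dst) in ALLOWED_FLOWS if src == src_domain}


# --- Least permissions via group membership (constructed sample values) -----
# Permissions are granted to groups, never to individual users; a user's
# effective permissions are the union of the permissions of their groups.
GROUP_PERMISSIONS = {
    "tellers":  {("accounts", "read"), ("transactions", "create")},
    "auditors": {("accounts", "read"), ("transactions", "read"), ("audit_log", "read")},
    "dba":      {("db_console", "execute")},
}
USER_GROUPS = {
    "alice": {"tellers"},
    "bob":   {"auditors"},
    "carol": {"dba", "auditors"},
}


def effective_permissions(user: str) -> set:
    """Union of the permissions of every group the user belongs to."""
    perms = set()
    for group in USER_GROUPS.get(user, set()):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def action_permitted(user: str, resource: str, action: str) -> bool:
    """Default deny: unknown users and unlisted (resource, action) pairs fail."""
    return (resource, action) in effective_permissions(user)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_request(user: str, src_domain: str, dst_domain: str, port: int,
                     resource: str, action: str) -> Decision:
    """Both layers must permit the request: network connectivity first,
    then application-level authorization."""
    if not flow_permitted(src_domain, dst_domain, port):
        return Decision(False, f"network: {src_domain}->{dst_domain}:{port} is not an allowed flow")
    if not action_permitted(user, resource, action):
        return Decision(False, f"application: {user!r} lacks {action} on {resource}")
    return Decision(True, "permitted by both network and application controls")


if __name__ == "__main__":
    print(reachable_from("internet"))
    print(evaluate_request("bob", "app", "db", 5432, "audit_log", "read"))
    print(evaluate_request("bob", "dmz", "db", 5432, "audit_log", "read"))
    print(evaluate_request("alice", "app", "db", 5432, "audit_log", "read"))
```

The point of the combined check is that the controls are independent: a user who holds the right group permissions is still refused when the request originates from a domain that has no permitted path to the target, and a host with a permitted path is still refused when the user's groups do not grant the action. Changing a user's access means changing group membership, not editing per-user rules.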
Financial institutions should design multiple layers of security controls to establish several lines of defense between the attacker and the asset being attacked. An Internet security example of this concept may involve the following configuration: a packet filtering router with strict access control rules, in front of an application level firewall, in front of Web servers, in front of a transactional server, in front of a database server, with intrusion detection systems located at various points between the servers and on certain hosts. The layers should be at multiple control points throughout the communication and transactional flow and should include both systems and manual processes. To successfully attack an asset, each layer must be penetrated. With each penetration, the probability of detecting the attacker increases.