Just Enough Security

September 12, 2006

Defense-in-depth protects logical but can apply to physical security, too.

The Just Enough Security (JES) model is based on the premise that it takes layers of controls to effectively protect information assets. Also known as “defense-in-depth,” layered security can take on a variety of forms. The JES model is a model for planning, implementing and managing an organization’s Information Security effort. The figure here depicts the JES approach.

The objective of layered security is to implement a variety of controls that work in unison to neutralize the efforts of a threat agent. A threat agent attempting to compromise the confidentiality, integrity or availability of a system protected by a layered security environment must pass through several different tests before reaching its target. These layers comprise administrative, physical and technical safeguards. To be truly effective, this model must extend to all company owned devices, whether located on the company network, at home or at a customer site.

Is it necessary to implement all layers to ensure security? Not necessarily. That is the purpose of JES. Which layers to implement, and to what extent, is a risk management decision. There are risk management processes designed to help make informed decisions about the layers, and the controls at those layers, on which to focus security resources.

Management support

The foundation of any security program is management support. This support should be comprised, at a minimum, of effective policies, adequate budgets and consistent enforcement. Efforts to change user behavior and to implement security measures carry no weight unless there is visible executive management support. Visible support in not just the hanging of a few posters around the lunch room. Effective executive support is evident in the project approval process, in the presence of a meaningful awareness program and in how executive management deals with violations of security policy. Effective executive support is reinforced in management and employee meetings, memos and if appropriate, the annual report. In other words, management support of information security should be manifested as a part of the organization’s culture.

Security program

An organization’s security program defines and facilitates the security objectives of management. It consists of policies, procedures, standards and guidelines. Policies are high-level statements of management’s goals and objectives. They do not provide step-by-step directions to reach those goals and objectives; such directions are provided by procedures.

A policy should consist of at least three elements: purpose, scope and compliance. The purpose of the policy clearly explains the objectives it’s intended to achieve. It should also reflect management’s commitment to a secure enterprise. Scope describes all enterprise technology and activities affected by the policy. Finally, compliance defines consequences if the policy is not followed. It is the compliance piece – necessary to strongly encourage implementation – that is often missing from security policies.

Procedures are the administrative, physical and technical guidelines for producing a secure enterprise. They are derived from the very management policies they support. The step-by-step nature of procedures helps to ensure consistent compliance with security policy.

Along with procedures that support security policies, standards and guidelines form the security handbook of an organization. Standards are mandatory configurations and approaches to technology implementation. Guidelines assist implementers and managers with issues that are not specifically covered by standards; they are not mandatory.

User awareness

Unless fully engaged in the company’s security efforts, end-users can be an organization’s greatest threat. Continuous awareness training is the best way to obtain end-user participation in a security program. Training should include:

Review of policies, standards, and guidelines
Implementation and configuration procedures
Password protection
How to deal with social engineering attacks
Proper protection of workstations, including logging off before walking away from a device, system use by unauthorized users and the elimination of potential shoulder surfing opportunities (a term used to describe any activity whereby a person watches a user perform some action that may result in the unauthorized and unintentional revelation of confidential information)
Proper handling of PDAs, laptops, cell phones, etc.
Proper handling and disposition of media, including backup tapes, CD-ROMs, floppy disks and other types of storage devices

Tom Olzak is the author of Just Enough Security, published by Lulu Press, and this excerpt is by permission. The book is available for $34.95 from Lulu Press, online at http://adventuresinsecurity.com

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

Join our subject matter experts as they explore how the right systems can help identify, analyze and report potential incidents and help building owners sustain compliance and create safer spaces.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Just Enough Security

User awareness

Report Abusive Comment

Security Magazine

2020 September