Defense-in-depth protects logical but can apply to physical security, too.

The Just Enough Security (JES) model is based on the premise that it takes layers of controls to effectively protect information assets. Also known as “defense-in-depth,” layered security can take on a variety of forms. The JES model is a model for planning, implementing and managing an organization’s Information Security effort. The figure here depicts the JES approach.

The objective of layered security is to implement a variety of controls that work in unison to neutralize the efforts of a threat agent. A threat agent attempting to compromise the confidentiality, integrity or availability of a system protected by a layered security environment must pass through several different tests before reaching its target. These layers comprise administrative, physical and technical safeguards. To be truly effective, this model must extend to all company owned devices, whether located on the company network, at home or at a customer site.

Is it necessary to implement all layers to ensure security? Not necessarily. That is the purpose of JES. Which layers to implement, and to what extent, is a risk management decision. There are risk management processes designed to help make informed decisions about the layers, and the controls at those layers, on which to focus security resources.

Management support

The foundation of any security program is management support. This support should be comprised, at a minimum, of effective policies, adequate budgets and consistent enforcement. Efforts to change user behavior and to implement security measures carry no weight unless there is visible executive management support. Visible support in not just the hanging of a few posters around the lunch room. Effective executive support is evident in the project approval process, in the presence of a meaningful awareness program and in how executive management deals with violations of security policy. Effective executive support is reinforced in management and employee meetings, memos and if appropriate, the annual report. In other words, management support of information security should be manifested as a part of the organization’s culture.

Security program

An organization’s security program defines and facilitates the security objectives of management. It consists of policies, procedures, standards and guidelines. Policies are high-level statements of management’s goals and objectives. They do not provide step-by-step directions to reach those goals and objectives; such directions are provided by procedures.

A policy should consist of at least three elements: purpose, scope and compliance. The purpose of the policy clearly explains the objectives it’s intended to achieve. It should also reflect management’s commitment to a secure enterprise. Scope describes all enterprise technology and activities affected by the policy. Finally, compliance defines consequences if the policy is not followed. It is the compliance piece – necessary to strongly encourage implementation – that is often missing from security policies.

Procedures are the administrative, physical and technical guidelines for producing a secure enterprise. They are derived from the very management policies they support. The step-by-step nature of procedures helps to ensure consistent compliance with security policy.

Along with procedures that support security policies, standards and guidelines form the security handbook of an organization. Standards are mandatory configurations and approaches to technology implementation. Guidelines assist implementers and managers with issues that are not specifically covered by standards; they are not mandatory.

User awareness

Unless fully engaged in the company’s security efforts, end-users can be an organization’s greatest threat. Continuous awareness training is the best way to obtain end-user participation in a security program. Training should include:
  • Review of policies, standards, and guidelines
  • Implementation and configuration procedures
  • Password protection
  • How to deal with social engineering attacks
  • Proper protection of workstations, including logging off before walking away from a device, system use by unauthorized users and the elimination of potential shoulder surfing opportunities (a term used to describe any activity whereby a person watches a user perform some action that may result in the unauthorized and unintentional revelation of confidential information)
  • Proper handling of PDAs, laptops, cell phones, etc.
  • Proper handling and disposition of media, including backup tapes, CD-ROMs, floppy disks and other types of storage devices