It operates in light of external forces like life cycles and context to implement the process elements of the technical security architecture.
- Deter: Deterrence is undertaken by top
management and involves a variety of efforts ranging from public
relations campaigns to selection of building appearances and locations.
This is predominantly a perception management effort aimed at
attackers mental processes.
- Prevent: Prevention methods are typified
by the classic separations mechanisms associated with computer security.
It tends to use high surety mechanisms and is highly effective at
reducing vulnerabilities if properly applied. Prevention is entirely
proactive which is to say its failures tend to be brittle.
- Detect: Detection is directed at
identifying event sequences with potentially serious negative
consequences in time to mitigate those consequences to the desired
- React: Reaction is tied to detection in
that the reaction is the activity that mitigates the potentially serious
negative consequences that detection is intended to detect.
- Adapt: Adaptation is the long-term process that changes the overall protection posture of an enterprise to reflect changes in the environment over time.
All protection is formed from combinations of these process elements and the selection of how to mix them is critical to the effectiveness and costliness of protection.
Data at rest: Data at rest is in storage somewhere, in paper, on fiche, on tapes, on disks, and so forth. At rest, data must be properly protected to retain its value and protect it from theft, destruction, corruption,and so forth.
- Data in use: Data in use is typically
being read by people or systems, analyzed for a particular purpose,
perhaps controlling the execution of physical functions such as
temperature control, and so forth. Even in use, data must be protected
against misuse, alteration, destruction, or the consequences associated
with its use or misuse.
- Data in motion: Whenever data travels, weather over a local area network, in a mobile computing device, or over the Internet, it must be protected by suitable means to the risk while still meeting the business requirement of transport.
For more details and in-depth coverage of these issues, buy the Governance Guidebook.
This was first published in January 2006