Defending Information in Depth ... in All Directions


Many organizations are coming to realize that information assurance involves more than securing information technology systems with still more technology. It is also a responsibility shared by everyone in an organization.

The defense in depth approach to information assurance was first popularized by the Department of Defense, and involves applying technological, operational, and people-related countermeasures to mitigate information assurance risks in a holistic manner (Joint Chiefs of Staff, 2003). People-oriented actions include such things as training and personnel security. Operational actions such as plans, policies, and procedures are also part of the strategy, and technology measures such as system redundancy, intrusion detection, and firewalls round it out.

These three prongs of defense in depth could arguably cover almost any imaginable means of assuring information and mitigating risks to it. Most, if not all, sub-elements of any one of the three also involve the other two in some respect.

Consider, for example, an intrusion detection system (IDS). An IDS is generally thought of as a technology, in the form of a network-based or host-based sensor designed to detect unauthorized or anomalous activity on the network or system. But just as in the earlier example of the home security alarm, at the point where a legitimate incident is detected, a person is notified and becomes involved. That person, whether monitoring a home or a network, ought to be following an established operational procedure that governs further investigation and reporting of the incident. If the person responsible for monitoring is poorly trained, then despite the capabilities of the technology an unauthorized intrusion may at a minimum go unchallenged, and at worst, whether in the home or on the network, a catastrophe may occur. Likewise, a weak policy or a poorly written procedure can render the technology's effectiveness moot.
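The three dependencies described above can be made concrete in code. The following is an added example, not part of the original chapter or of any product it names: a small host-based detection rule (the technology) runs over constructed SSH authentication log lines, and every alert it raises is handed to a runbook entry (the operational procedure) that tells the responder (the person) what to do. The rule names, threshold, runbook steps, and log lines are all assumptions made for illustration; the log lines follow the common OpenSSH syslog format but were written for this example.

```python
"""Detection rule feeding an operational hand-off (added example, not from the page)."""
import re
from datetime import datetime, timedelta

# Constructed sample auth log lines in OpenSSH syslog style (not real data).
SAMPLE_LOG = """\
Jan 10 03:14:01 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Jan 10 03:14:03 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Jan 10 03:14:05 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 51240 ssh2
Jan 10 03:14:08 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 51244 ssh2
Jan 10 03:14:09 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 51248 ssh2
Jan 10 03:14:30 web1 sshd[2290]: Accepted password for root from 198.51.100.23 port 51260 ssh2
Jan 10 03:20:11 web1 sshd[2301]: Failed password for alice from 203.0.113.7 port 40022 ssh2
Jan 10 03:20:40 web1 sshd[2302]: Accepted publickey for alice from 203.0.113.7 port 40023 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Hypothetical runbook: rule name -> steps the responder must follow.
RUNBOOK = {
    "ssh-bruteforce": ["open ticket", "check source against known scanners", "block source if unknown"],
    "ssh-bruteforce-success": ["page on-call", "isolate host", "reset credential", "open incident"],
}


def parse_line(line):
    """Return a dict for an sshd auth event, or None for lines the rule ignores."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year; strptime defaults to 1900, which is fine for windowing.
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "outcome": m["outcome"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Technology: flag >= threshold failed logins from one IP inside a sliding window,
    and escalate if that IP then logs in successfully."""
    events = [e for e in map(parse_line, lines) if e]
    failures = {}      # ip -> timestamps of recent failures
    alerted = set()    # ips already flagged for brute force
    alerts = []
    for e in events:
        ip = e["ip"]
        if e["outcome"] == "Failed":
            hist = failures.setdefault(ip, [])
            hist.append(e["ts"])
            hist[:] = [t for t in hist if e["ts"] - t <= window]   # drop stale failures
            if len(hist) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"severity": "medium", "rule": "ssh-bruteforce",
                               "ip": ip, "at": e["ts"]})
        elif ip in alerted:
            # Success after a burst of failures: treat as likely compromise.
            alerts.append({"severity": "high", "rule": "ssh-bruteforce-success",
                           "ip": ip, "user": e["user"], "at": e["ts"]})
    return alerts


def handle(alerts, runbook=RUNBOOK):
    """Operations: attach the governing procedure to each alert.
    An alert whose rule has no runbook entry comes back with owned=False:
    the sensor fired, but no procedure tells anyone what to do next."""
    return [{"alert": a, "steps": runbook.get(a["rule"], []), "owned": a["rule"] in runbook}
            for a in alerts]


if __name__ == "__main__":
    for task in handle(detect(SAMPLE_LOG.splitlines())):
        a = task["alert"]
        print(f"{a['severity']:6} {a['rule']:24} {a['ip']:16} owned={task['owned']} steps={task['steps']}")
```

Running the block on the sample lines yields two alerts for 198.51.100.23 (five failures within 60 seconds, then a successful root login) and none for 203.0.113.7, whose single failure is below threshold. The `owned` flag is the point of the example: dropping a rule from the runbook does not change what the sensor detects, but it leaves the resulting alert with no procedure and therefore no responder, which is the failure mode the paragraph describes.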

So once again, as with the generalization of requirements discussed earlier, simply categorizing the elements of defense in depth as technology, people, or operations is inadequate on its own. Employing these countermeasures effectively requires a more careful consideration of the interrelationships and dependencies among them.

Broadly considered, defense in depth can also have a force multiplier effect by actively involving more parts of an organization, and thus more people, in assuring information. When more means or countermeasures are employed, more roles in defense in depth are established, and when those roles are managed well, the effectiveness of the strategy is enhanced.

Several other frameworks enumerate more specific elements that can be part of a defense in depth strategy. ISO Standard 17799, for example, includes compliance, security organization, and asset classification and control among its ten control areas (ISO, 2000).

Internet Security Systems describes a security management lifecycle, centered on security policy, standards, and guidelines, and consisting of the steps of assess, design, deploy, manage and support, surrounded by ongoing education (Internet Security Systems, 2000).

Electronic Data Systems also describes an information assurance lifecycle consisting of the steps of assess, protect, validate, train, and monitor (EDS, 2000).

Regardless of whether we treat all of these means as a concept, a process, a lifecycle, or some other form, the important point is that they are much more than the technologies that many people think of when they hear the term information assurance, and that they therefore involve many more people within an organization in the overall information assurance effort.


Information Technology Security. Advice from Experts
ISBN: 1591402484
Year: 2004
Pages: 113