The final commonly held element of good Defense in Depth is Operations. I say “commonly held” because various authors make additions to the list of People, Technology and Operations.

For a functioning description, consider Operations to be the tasks required to maintain a desired level of security. It is easy to get bogged down thinking about the security posture and auditing to make sure that we are maintaining that posture.

Regardless of what level of security you want, the following are some ideas to get you started thinking about InfoSec Operations…

Good InfoSec operations will be driven by policy.

• Acceptable Use Policy – The AUP clearly lays out what the organizations resources can or can not be used for. Check out some reasons you need an Acceptable Use Policy.
• Configuration Change Policy – Even the smallest of businesses needs to have guidelines and policies of who can make and when changes can be made to computer, software and infrastructure. Chaos ensues without this.

Good InfoSec operations will work to minimize the risk from malware.

• Operation system patches – Whether you are running Unix, Linux, Windows or OS X as you operating system, there are frequent patches that should be applied. Depending upon your business, you may even need to test patches on test servers and workstations prior to general deployment.
• Anti-virus updated and scanning – Malware is a significant attack vector. Viruses, worms or spyware are often used to gather personal information from the infected host. A major step in minimizing the risk if to keep the anti-virus software updated and scanning.

Good InfoSec operations will be aware of threats.

• Know what the risks are to your organization – The risks to a small bank are different than the risks for the fitness club. Awareness of the risks to your specific industry will enable you to establish sound defenses.
• Know what has been done to remediate specific threats – I keep a “risk register” of the various risks, threats, problems that I encounter. It includes the date found, a brief description of the risk, what I have done to address the risk, and the date that was done. Not only does it help me remember, but it is good to periodically review it to make sure the remediation is still valid.

Good InfoSec operations will be ready to recover from an incident.

• Backups – Having good backups can make you look like a genius! (and they can be the difference between an inconvenience and the organization shutting the doors…)
• Disaster Recover Planning – Even the smallest of businesses needs a DRP. Ready.gov can be a good starting place.

- Dan

Can a small or medium sized business do Defense in Depth?

How about the home user?

The phrase “defense in depth” is tossed around in the Information Security field as if everyone knows what is being talked about.

Just what is Defense in Depth?

The National Security Agency has put out a short paper which discusses a strategy for defense in depth.

I certainly encourage you to take a look at that paper.

The defense in depth strategy focuses on three important elements as we work toward information assurance. These elements are:

• People
• Technology
• Operations

We will soon begin looking at each of these elements as it related to Information Security and the small business or home user.

- Dan