The set of security controls should be designed to support and enforce the Information Security Policy and to minimize all recognized and potential threats. The controls will be considerably more cost effective if included within the design of all services. This ensures continued protection of all existing services and that new services are accessed in line with the policy.
There are various security threats to our infrastructure, and we want to prevent them or reduce the damage they cause as much as possible. Prevention and risk-reduction measures, e.g. antivirus systems and firewalls, help us do this.
1. If threats do get past our prevention mechanisms, we need detection techniques to identify when and where they occurred.
2. Once a security incident has occurred, we want to repress or minimize the damage associated with it. We then want to correct any damage caused and recover our infrastructure to normal levels, e.g. an antivirus system quarantining an affected file.
3. After this process, we need to review how and why the breach occurred and how successful we were in responding to it.
To assist in identifying what controls are missing or ineffective, a matrix can be developed that analyzes each of the control measures used for the different perspectives of security that need to be protected and controlled.
The Information Security Measure Matrix is a useful tool in performing a gap analysis:
• Ensures there is a balance in measures
• Avoids a concentration of measures in either a certain perspective (e.g. technical) or of a certain measure (e.g. detection).
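A gap analysis with such a matrix, sketched as an added example (not part of the original page): it reports empty cells and any perspective or measure type holding at least half of all controls. The control inventory is constructed, and the perspective names other than "technical" and the 50% threshold are assumptions.

```python
from collections import Counter

# Measure types follow the cycle described on the page; perspectives other
# than "technical" are assumed for illustration.
MEASURES = ["prevention/reduction", "detection", "repression", "correction", "review"]
PERSPECTIVES = ["organizational", "procedural", "technical", "physical"]

# Constructed sample inventory: (control, perspective, measure type).
CONTROLS = [
    ("Antivirus scanning", "technical", "prevention/reduction"),
    ("Firewall", "technical", "prevention/reduction"),
    ("IDS alerts", "technical", "detection"),
    ("Log monitoring", "technical", "detection"),
    ("Antivirus quarantine", "technical", "repression"),
    ("Backup restore", "technical", "correction"),
    ("Security awareness training", "organizational", "prevention/reduction"),
    ("Incident handling procedure", "procedural", "repression"),
    ("Post-incident review meeting", "procedural", "review"),
    ("Door badge readers", "physical", "prevention/reduction"),
]

def build_matrix(controls):
    """Place each control in its (perspective, measure) cell."""
    matrix = {(p, m): [] for p in PERSPECTIVES for m in MEASURES}
    for name, perspective, measure in controls:
        # An unknown label raises KeyError instead of being silently dropped.
        matrix[(perspective, measure)].append(name)
    return matrix

def gaps(matrix):
    """Cells with no control at all: candidate missing measures."""
    return [cell for cell, names in matrix.items() if not names]

def concentrations(matrix, threshold=0.5):
    """Perspectives or measure types holding >= threshold of all controls."""
    by_label = Counter()
    for (perspective, measure), names in matrix.items():
        by_label[perspective] += len(names)
        by_label[measure] += len(names)
    total = sum(len(names) for names in matrix.values())
    return {label: count / total for label, count in by_label.items()
            if total and count / total >= threshold}

if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    print("Empty cells:", gaps(m))
    print("Concentrations:", concentrations(m))
```

An empty cell is a prompt for review rather than an automatic finding, since some cells may be intentionally left uncovered after weighing cost against benefit.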
Remember: ultimately it’s a cost-benefit analysis that determines how much you invest in security.