Explore chapters and articles related to this topic
Establishing a Substantive Control Process
Published in Ken Sigler, Dan Shoemaker, Anne Kohnke, Supply Chain Risk Management, 2017
Ken Sigler, Dan Shoemaker, Anne Kohnke
There is always an implied obligation to protect the ICT product supply chain against known threats. In the management of the process, this is enabled by thorough and in-depth risk assessment procedures as well as the development of a comprehensive defense-in-depth and defense-in-breadth information security strategy. The formal business goals and objectives, as well as the operational procedures and the attendant technology requirements, must include specific documented ICT product supply chain assurance practices. These in-depth and formally documented requirements will help stakeholders ascertain that the customer organization has thought through and properly expressed to its integrator and supplier communities the requirements for ICT product supply chain assurance. The in-depth articulation of these requirements should ensure that the requirements for supply chain security, as specified in the contract between customer and supplier, have been met and that the chances for unauthorized exposure or access to critical elements or processes in the ICT product supply chain as a whole are suitably considered and contained.
Security
Published in Vivek Kale, Digital Transformation of Enterprise Architecture, 2019
Defense in depth is a strategy common to both military maneuvers and information security. In both senses, the basic concept of defense in depth is to formulate a multilayered defense that will allow us to still mount a successful defense should one or more of our defensive measures fail. In Figures 12.1 and 12.2, we can see an example of the layers we might want to put in place to defend our assets from a logical perspective; we would at the very least want defenses at the external network, internal network, host, application, and data levels. Given well-implemented defenses at each layer, we will make it very difficult to successfully penetrate deeply into our network and attack our assets directly.
Dynamic Risk Management
Published in Nicholas Kolokotronis, Stavros Shiaeles, Cyber-Security Threats, Actors, and Dynamic Mitigation, 2021
Ioannis Koufos, Nicholas Kolokotronis, Konstantinos Limniotis
Mitigation strategies identify themselves as a part of the risk response component. From an organization's perspective, mitigation strategies are responsible for minimizing an information system's risk and at the same time confine resources without any unnecessary repercussions. Risk mitigation is considered as the primary link between risk management programs and information security programs. As NIST [4] states, effective risk mitigation strategies consider the placement and allocation of mitigations, the degree of the mitigation and cover mitigations on all the aforementioned tiers of the risk management framework. Mitigation strategies are developed based on the organization's goals and objectives, business requirements, and priorities, and their existence is fundamental for the establishment of risk-based decisions regarding the security system's controls. In most environments, the most effective mitigation strategies are being built by employing a combination of bordered protection and implementing agile defenses [4]. This illustrates the information security concepts of defense-in-depth and defense-in-breadth: Defense-in-depth is a strategy that focuses on the integration of people with technology and operations to form multiple layers of security in an organization. Defense-in-breadth is a planned set of activities that identify, manage, and reduce the risk of vulnerability exploitation at every stage of the system.
Least Privilege across People, Process, and Technology: Endpoint Security Framework
Published in Journal of Computer Information Systems, 2022
Miloslava Plachkinova, Kenneth Knapp
General information security models often recommended by industry professionals include time-based security, defense-in-depth, baseline security, principle of least privilege, perimeter hardening, zero-trust, and intrusion detection/prevention. The principle of least privilege ensures that every user and system program should be given the least set of rights necessary to complete a job or task and nothing more.[5] This principle can be applied to minimize the number of interactions among programs and users so that abuses or excessive privileges are less likely to occur. As a result, this principle limits the damage resulting from a security incident whether malicious or unintentional. The military security clearance rule of ‘need-to-know’ is an example of this principle. Applied to the endpoint, if a user does not have a ‘need-to-use’ a particular application, it should be restricted. The current paper exclusively uses the principle of least privilege as a general security model for promoting endpoint security in organizations. The proposed solution provides a holistic approach because we look into this principle from different aspects within an organization.
Using the Information Harm Triangle to Identify Risk-Informed Cybersecurity Strategies for Instrumentation and Control Systems
Published in Nuclear Technology, 2023
Michael T. Rowland, Lee T. Maccarone, Andrew J. Clark
This paper proposes using the IHT to analyze the cybersecurity of OT systems. The purpose of the IHT is to simplify the understanding and evaluation of (1) the information harm arising from a cyberattack, (2) the physical harm arising from a cyberattack, and (3) the effect of security controls in reducing digital and/or physical harm. By analyzing the effects of security controls to both data and physical information, NPP cybersecurity teams can achieve defense in depth.
A formally verified authentication protocol in secure framework for mobile healthcare during COVID-19-like pandemic
Published in Connection Science, 2021
Shaik Shakeel Ahamad, Al-Sakib Khan Pathan
Our framework incorporates security in design at every phase of development and implementation. Trying to add security at the end of the development phase can turn out to be very costly. As presented so far, with personalisation of MHA, encryption, secure channel and the overall step-by-step building process, we ensure defense-in-depth and end-to-end security.