
Tuesday 24 November 2020

Definition of Protective Security

Since 1986, I have pondered on the definition of Protective Security, with changes occurring over the years seeing elements cut out whilst other elements came under the banner. In some employment roles, protective security has come to cover close protection. For my personal benefit, I have developed a definition that meets my requirements and have added definitions of the various elements that make up Protective Security that support the security-in-depth concept.

___________________________________________________________________

Protective security

 

The organised system of defensive measures instituted and maintained at all levels of an organisation with the aim of achieving and maintaining the protection of assets, both tangible and intangible, for its rightful custodian, through the application of security intelligence, risk management, physical security, information security, cyber security, personnel security, security awareness training and administrative security, forming mutually supporting security-in-depth.

___________________________________________________________________

Administrative Security

 

Administrative security (also called procedural security) refers to Government Legislation, Regulations and organisational management constraints, policies and procedures, accountability procedures (including audits and other compliance and loss prevention checks), security training, governance and supplemental controls, including business continuity/disaster recovery/contingency plans and procedures established to provide an acceptable level of control and protection for assets.

 

Asset

 

Anything that has value to an organisation, or value to achievement of organisational mission/business objectives including, but not limited to, another organisation, a person, sensitive information or information of value, a physical device, property, hardware or item (including security cabinets, encryption hardware, military or other weaponry), computing devices and communication devices, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).

Note 1: Assets have interrelated characteristics that include value, criticality, and the degree to which they are relied upon to achieve organisational mission/business objectives. From these characteristics, appropriate protections are to be engineered into solutions employed by the organisation.

Note 2: An asset may be tangible (e.g., physical item such as people, physical object, hardware, software, firmware, computing platform, network device, or other technology components) or intangible (e.g., information, data, trademark, copyright, patent, intellectual property, image, or reputation).

(Note: Slightly modified from asset definition at https://csrc.nist.gov/glossary/term/asset)

  

Cybersecurity

 

Cyber security (or information technology security) comprises the techniques for protecting computers, networks, programs and data from unauthorised access, or from attacks aimed at exploiting systems and the data/information they contain, so as to ensure the confidentiality, integrity and availability of information.

Major areas covered in cyber security are:

1) Application Security

2) Information Security

3) Disaster recovery

4) Network Security

 

Application security encompasses measures or countermeasures that are taken during the development life cycle to protect applications from threats that can come through flaws in the application design, development, deployment, upgrade or maintenance. Some basic techniques used for application security are:

a) Input parameter validation,

b) User/Role Authentication & Authorisation,

c) Session management, parameter manipulation & exception management, and

d) Auditing and logging.

 

Information security protects information from unauthorised access in order to avoid identity theft and to protect privacy. The major techniques used to cover this are:

a) Identification, authentication & authorisation of user,

b) Cryptography.

 

Disaster recovery planning is a process that includes performing a risk assessment, establishing priorities, and developing recovery strategies for all information technology and communication systems in case of a disaster. Any business should have a concrete plan for disaster recovery so that it can resume normal business operations as quickly as possible after a disaster.

 

Network security includes activities to protect the usability, reliability, integrity and safety of the network along with the Confidentiality, Integrity and Availability (CIA) of data held on electronic systems. Effective network security targets a variety of threats and stops them from entering or spreading on the network. Network security components include:

a) Anti-virus and anti-spyware,

b) Firewall, to block unauthorised access to your network,

c) Intrusion prevention systems (IPS), to identify fast-spreading threats, such as zero-day or zero hour attacks, and

d) Virtual Private Networks (VPNs), to provide secure remote access.


Information Security

 

Information security (infosec) is a set of strategies for managing the processes, tools and policies necessary to prevent, detect, document and counter threats to digital and non-digital information. Infosec responsibilities include establishing a set of business processes that will protect information assets regardless of how the information is formatted or whether it is in transit, is being processed or is at rest in storage.

This includes the identification of information that is an organisational asset, classification of information, appropriate storage and protection of information and security of information in transit.

Information security directly interrelates with administrative security, cybersecurity, personnel security and physical security.


Personnel Security

 

Personnel security involves the initial and periodic vetting and aftercare of an organisation's employees and contractors to ensure that their identity has been positively established, that they are considered suitable to access organisational resources/assets, and that they meet an appropriate standard of integrity, loyalty, probity and honesty.

 

Physical Security

 

Physical security involves the use of multiple layers of interdependent systems that can include (but is not limited to) CCTV surveillance, security guards, protective barriers, locks, access control, perimeter intrusion detection, deterrent systems, fire protection, and other systems designed to deter, detect, delay and respond in order to protect assets.

 

Risk Management

 

The management of security risks applies the principles of risk management to the management of security threats. It consists of identifying threats (or risk causes), assessing the effectiveness of existing controls against those threats, determining the risks' consequence(s), prioritising the risks by rating their likelihood and impact, classifying the type of risk, and selecting an appropriate risk option or risk response (mitigation strategy).
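The steps above, written out as a small risk register. This is an added example and not part of the original post; the 1..5 rating scales, the assumption that existing controls reduce likelihood rather than consequence, the rating thresholds and the band-to-response mapping are all illustrative choices, and the sample register entries are constructed.

```python
# Added example, not the post's own: the Risk Management steps above as a minimal
# risk register. The 1..5 scales, control model and thresholds are assumptions.
from dataclasses import dataclass

@dataclass
class Risk:
    threat: str                 # identified threat (risk cause)
    category: str               # classification: physical / cyber / personnel / ...
    likelihood: int             # 1 (rare) .. 5 (almost certain), ignoring existing controls
    impact: int                 # 1 (negligible) .. 5 (severe) consequence if realised
    control_effectiveness: float = 0.0  # assessed effectiveness of existing controls, 0..1

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact are rated 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness is a fraction 0.0..1.0")
    def residual_score(self) -> float:
        # Assumption: existing controls lower the chance the threat succeeds,
        # not the consequence once it has.
        return round(self.likelihood * (1 - self.control_effectiveness) * self.impact, 1)

def rate(score: float) -> str:
    """Rating band from an assumed 5x5 likelihood x impact matrix."""
    if score >= 15:
        return "extreme"
    if score >= 9:
        return "high"
    return "medium" if score >= 4 else "low"

def response(rating: str) -> str:
    """Risk option selected for each band (assumed mapping)."""
    return {"extreme": "treat now and escalate", "high": "treat",
            "medium": "treat or transfer", "low": "tolerate and monitor"}[rating]

def prioritise(register: list) -> list:
    """Order the register by residual risk, highest first."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)

# Constructed sample register; values are illustrative only.
SAMPLE_REGISTER = [
    Risk("Unauthorised after-hours entry to server room", "physical", 4, 5, 0.5),
    Risk("Phishing leading to credential theft", "cyber", 5, 4, 0.2),
    Risk("Insider misuse of privileged access", "personnel", 2, 5, 0.7),
    Risk("Loss of power to primary site", "administrative", 3, 3, 0.0),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.residual_score():>5} {rate(r.residual_score()):<8} {r.threat}")
```

Note that the entry with the highest inherent score is not necessarily the top priority once credit is given for controls already in place, which is why the control-effectiveness assessment comes before prioritisation.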

 

Security Intelligence

 

Security intelligence (SI) is the real-time collection and evaluation of, and response to, potential security threats. It involves information relevant to protecting an organisation from external and insider threats, as well as the processes, policies and tools designed to gather and analyse that information.

Intelligence, in this context, is actionable information that provides an organisation with decision support and possibly a strategic direction to mitigate identified threats.