Definition of Protective Security
Since 1986, I have pondered on
the definition of Protective Security, with changes occurring over the years
seeing elements cut out whilst other elements coming under the banner. In some employment roles, protective security
has come to cover close protection. For
my personal benefit, I have developed a definition that meets my requirements
and have added definitions of the various elements that make up Protective
Security that support the security-in-depth concept.
___________________________________________________________________
Protective security
The organised system of
defensive measures instituted and maintained at all levels of an organisation
with the aim of achieving and maintaining the protection of assets, both
tangible and intangible, for its rightful custodian, through the application of
security intelligence, risk management, physical security,
information security, cyber security, personnel security, security awareness training and administrative security, forming mutually supporting
security-in-depth.
___________________________________________________________________
Administrative Security
Administrative security (also
called procedural security) refers to Government Legislation, Regulations and
organisational management constraints, policies and procedures, accountability
procedures (including audit and other compliance and loss prevention checks and audits), security training, governance and supplemental controls, including business
continuity/disaster recovery/contingency plans and procedures established to
provide an acceptable level of control and protection for assets.
Asset
Anything that has value to an
organisation, or value to achievement of organisational mission/business
objectives including, but not limited to, another organisation, a person, sensitive
information or information of value, a physical device, property, hardware or
item (including security cabinets, encryption hardware, military or other
weaponry), computing devices and communication devices, information technology
(IT) system, IT network, IT circuit, software (both an installed instance and a
physical instance), virtual computing platform (common in cloud and virtualized
computing), and related hardware (e.g., locks, cabinets, keyboards).
Note 1:
Assets have interrelated characteristics that include value, criticality, and
the degree to which they are relied upon to achieve organisational
mission/business objectives. From these characteristics, appropriate
protections are to be engineered into solutions employed by the organisation.
Note 2: An
asset may be tangible (e.g., physical item such as people, physical object, hardware,
software, firmware, computing platform, network device, or other technology
components) or intangible (e.g., information, data, trademark, copyright,
patent, intellectual property, image, or reputation).
(Note: Slightly modified from asset
definition at https://csrc.nist.gov/glossary/term/asset)
Cybersecurity
Cyber security or information technology security are the techniques of protecting computers, networks, programs and data from unauthorised access or attacks that are aimed for exploitation of systems and data/information contained to ensure confidentiality, integrity, and availability of information.
Major areas covered in cyber
security are:
1) Application Security
2) Information Security
3) Disaster recovery
4) Network Security
Application security
encompasses measures or countermeasures that are taken during the development life
cycle to protect applications from threats that can come through flaws in the
application design, development, deployment, upgrade or maintenance. Some basic
techniques used for application security are:
a) Input parameter validation,
b) User/Role Authentication
& Authorisation,
c) Session management,
parameter manipulation & exception management, and
d) Auditing and logging.
Information security protects
information from unauthorized access to avoid identity theft and to protect
privacy. Major techniques used to cover this are:
a) Identification,
authentication & authorisation of user,
b) Cryptography.
Disaster recovery
planning is a process that includes performing risk assessment, establishing
priorities, developing recovery strategies for all information technology and
communication systems in case of a disaster. Any business should have a
concrete plan for disaster recovery to resume normal business operations as
quickly as possible after a disaster.
Network security
includes activities to protect the usability, reliability, integrity and safety
of the network along with the Confidentiality, Integrity and Availability (CIA)
of data held on electronic systems. Effective network security targets a
variety of threats and stops them from entering or spreading on the network.
Network security components include:
a) Anti-virus and
anti-spyware,
b) Firewall, to block unauthorized
access to your network,
c) Intrusion prevention
systems (IPS), to identify fast-spreading threats, such as zero-day or zero
hour attacks, and
d) Virtual Private Networks
(VPNs), to provide secure remote access
Information Security
Information security (infosec)
is a set of strategies for managing the processes, tools and policies necessary
to prevent, detect, document and counter threats to digital and non-digital
information. Infosec responsibilities include establishing a set of business
processes that will protect information assets regardless of how the
information is formatted or whether it is in transit, is being processed or is
at rest in storage.
This includes the
identification of information that is an organisational asset, classification
of information, appropriate storage and protection of information and security
of information in transit.
Information security directly interrelates
with administrative security, cybersecurity, personnel security and physical
security.
Personnel
Security
Personnel security involves initial
and periodical vetting and aftercare of its employees and contractors to ensure they
have their identity positively established and are considered suitable to
access organisational resources/assets, and meet an appropriate standard of
integrity, loyalty, probity and honesty.
Physical Security
Physical security involves the
use of multiple layers of interdependent systems that can include (but is not
limited to) CCTV surveillance, security guards, protective barriers, locks,
access control, perimeter intrusion detection, deterrent systems, fire
protection, and other systems designed to deter, detect, delay and respond in order to protect assets.
Risk Management
The management of security
risks applies the principles of risk management to the management of security
threats. It consists of identifying threats (or risk causes), assessing the
effectiveness of existing controls to face those threats, determining the
risks' consequence(s), prioritising the risks by rating the likelihood and
impact, classifying the type of risk, and selecting an appropriate risk option
or risk response (mitigations strategy).
Security Intelligence
Security intelligence (SI) is
the collection, evaluation, and response to potential security threats in
real-time. It involves information relevant to protecting an organisation from
external and inside threats as well as the processes, policies and tools
designed to gather and analyse that information.
Intelligence, in this context, is actionable
information that provides an organisation with decision support and possibly a
strategic direction to mitigate identified threats.
