
How is layered protection different from concentric protection?

Layered protection is designed to cautiously simplify admission of authorized persons, whereas concentric protection is designed to deny and detect entry of unauthorized persons (Fay, 2011). Layered protection uses a system of checks and balances, as it were, to minimize unauthorized intrusion through the employment of access controls. Firewalls, intrusion detection systems, malware scanners, integrity auditing procedures, and local storage encryption tools can each serve to protect your information technology resources in ways the others cannot (Perrin, 2008). Redundancy is not layering: installing two different antivirus programs on a computer to have overlapping protection against each product's weaknesses is not layering; it is redundancy. By definition, layered security is about multiple types of security measures, each protecting against a different vector for attack (Perrin, 2008).

This can be illustrated with the following example. The outermost access to the facility employs a manned vehicle control point where a guard verifies the authorized person(s) via a car decal and a company-issued identification badge. Once the employee enters the foyer of the facility, they must show a company-issued identification badge to a security guard to pass the security checkpoint. Once past the security checkpoint, they must swipe their company-issued identification badge, which doubles as an electronic access card, and enter a personal identification number before they can enter the inner part of the facility. Once the employee reaches their office and their desk, they must log in to their company computer using a login and password. Only after entering the correct login and password are they granted access to the computer and the network it resides on.

Concentric protection, which can also be called the defense in depth concept or the layer effect, incorporates a ring-themed security protection plan to deter, detect, delay, respond to and deny an intrusion or attack.
This concept is defined as a series of concentric rings that delineate each layer or ring of protection, working its way towards the center, which holds an organization's core assets. The idea behind this is that each layer or ring is associated with some physical protection systems (PPS) that detect, delay, deter, respond to and deny an intrusion or attack. The level of detail, expanse and sophistication of the PPS is determined by the overall value of the core assets and the lengths the organization will go to in order to make sure the core assets are not compromised. The initial ring would be the exterior and the part furthest away from the facility or site, but still within the perimeter or confines of the facility or site. The point or area where an intrusion can be detected is defined as a zone or line of detection (Demkin, 2004). At this point, the ability to detect, delay, deter, respond to and deny an intrusion or attack is imperative, as this is the greatest distance from the epicenter and therefore collateral damage is most likely minimal, depending on the engagement. This is a best-case scenario and depends on the sophistication of the employed PPS and the response to the threat or perceived threat. The next ring would be the actual interior of the facility or building, and therefore a semi-contained environment. At this point, the ability to detect, delay, deter, respond to and deny an intrusion or attack is also imperative, as this is now at a closer distance to the epicenter and therefore collateral damage, for the most part, would be minimal depending on the type of engagement. Employment of a PPS is necessary, as the core assets are inside the facility or building and are thereby more readily accessible than from the outside, albeit still protected behind another ring of security. The next ring would be the actual offices or rooms where equipment and/or data reside; this is further within the interior of the facility or building and ultimately that much closer to the core assets. At this point, the ability to detect, delay, deter, respond to and deny an intrusion or attack is crucial, as the probability of greater harm to systems and personnel, and of greater collateral damage, rises due to the confined locations and the greater chance of a larger concentration of personnel within those areas. A PPS is crucial here, as this is the last ring of security before the core assets are breached or compromised, and then it's end-game.

Thoroughly identify and explain two mitigation measures and one remediation measure. Explain the difference between the two types of measures.

Mitigating Measures

Two-Person Rule
The two-person rule is just that: it requires two people to complete an action that could routinely be accomplished by one person, but that would otherwise allow a single person to carry out a critical and commanding task, such as signing corporate checks or retrieving petty cash. By requiring two people to be present and to do the task, it greatly reduces the chances of nefarious activity transpiring.
Much like requiring the two-person rule when accessing super user on a computer or network system, the two-person rule ensures that no one person can, alone, access databases, logs, or file structures and alter, modify or delete data, logs or other information important to the corporation.

Controlled Access
Just as it sounds, controlled access attempts to control access to an area, facility or room by limiting it to those who are authorized to access those designated areas, facilities or rooms. This can be accomplished in several ways, such as an access badge, an electronic access card with PIN, or biometrics. Utilizing controlled access greatly reduces the chances of unauthorized access, which can lead to possible theft, employees being placed in harm's way, or serious bodily harm to unauthorized personnel around machinery or equipment, any of which could lead to a lawsuit against the corporation.

Remediation Measure

Refresher Training
This type of remediation measure allows for the correction of inconsistent or noncompliant actions on the part of personnel. This type of corrective action allows the organization to retrain or refocus personnel on correct organizational policies and procedures. A remediation measure taken with an employee shows that the employee is important and at the same time dictates what is acceptable and what is not acceptable in the employee's actions. It is a step that is taken when the infraction does not warrant termination, but is a critical task to show consistent decorum throughout the organization.

The difference between a mitigation measure and a remediation measure is that a mitigation measure is used to reduce or eliminate the likelihood of an adverse action happening, whereas a remediation measure is used to correct inconsistent actions or behaviors that go against corporate policy and procedure. Remediation measures are used in the hope of reducing or eliminating inconsistent actions or behaviors; a corrective tool, if you will.

There are 5 steps that list the process of risk management. Provide an example of using these five steps in looking at a risk.

Plan For Risk - This is the first step and probably the most important step, since the remaining four steps are centered on it. During this phase, research and analysis play a huge part in determining the risks: risk assessment. This is where you need the experts; they have the majority of the answers to the risk questions. Take a software company that makes apps for cell phones: one of the first things they need to decide is whether there is a market for their products. When it's determined there is, they try to determine how they will enter the market and how viable their product will be, and they also attempt to determine what could happen if the market becomes saturated or stale.
This is where risk planning starts.

Identify Risk - This actually started in step 1, but it is done more in-depth in this step. The software company will want to identify the risks associated with producing apps that are already on the market, and the risks associated with producing apps that are not on the market. They will also want to identify the risks associated with flooding the market.

Examine Risk Impacts, Both Qualitative and Quantitative - Investigating the risk impacts helps to determine whether the solution is a Go or No Go solution, through a breakdown of impact that is usually expressed in a financial sense. Take the software company again: while examining the risk impacts of several of their apps, they find the market already has dozens of apps just like theirs but with some subtle nuances. Looking at both the qualitative and quantitative aspects, they have to determine whether those subtle nuances between their apps and the apps already on the market are viable. Will the software company receive a substantial return on their apps against what it cost to develop them in the first place? How hard will it be to upgrade their apps, or to port them to a different cell phone OS?

Develop Risk-Handling Strategies - During this process the software company has to determine how they will handle risks if and when they happen. They have three avenues to pursue:
1. Avoidance - Eliminate the risk altogether; this is done by eliminating the factor(s) that create the risk.
2. Transfer - Compensate someone else to take part or all of the risk.
3. Mitigate - Reduce the negative impact or reduce the likelihood of the risk happening (Portney, 2011).

Monitor and Control the Risk - This is accomplished through three basic purposes: observing, identifying problems and corrective action. This eliminates any variances from the plan's initial intention and any cause for concern. This process guarantees that only approved changes are made, so the plan doesn't change into something unrecognizable over time. Developing an accurate system for collecting and analyzing data is required for appropriate monitoring and controlling. Again, this is another opportunity for TQM or Six Sigma to step in and determine if the process is giving the company their money's worth.

Discuss your preliminary thoughts on which six fundamental assets protection plan components you will include in your week six portfolio assignment. In addition, explain the metrics you intend to use to measure each of these fundamental components.

Access Control
Access control is the selective restriction placed on a place, device, data or other resource, deemed necessary due to its vulnerability, value, scarcity, or other intrinsic values. Access is granted through authentication and is defined as having the authority to access.
Access controls are placed on a variety of things to protect them from unauthorized personnel, from server rooms to building entrances, from records to networks. The incorporation of access controls does just that: it controls access to those assets deemed in need of protection. By virtue of utilizing access controls, the field of likely suspects is narrowed to those who have authorization, in the event an incident has occurred or was foiled. Metrics that can be used would be entrance logs that show employees entering the facility during off-duty hours, and audits of computers to see if they are being accessed during off-duty hours or remotely.

Information Security
Information security is the protection of important information that is classified or sensitive in nature: information considered personal, sensitive, proprietary, trade secret or delicate. Safeguarding this information is pertinent; therefore this information needs to be identified, handled according to recognized procedures and secured. These procedures should also include proper handling of information security, the do's and don'ts, disciplinary action(s) for those who fail to follow established policies and procedures, and proper disposal techniques. Metrics that can be used would be computer audits showing that employees are circumventing established policies and procedures by loading unauthorized software, violating policy with USB drives that are not authorized, or emailing organizational data to unauthorized recipients. Another metric could be the auditing of printers for excessive document printing, by employee identification number.

Emergency Management
This deals with how emergencies, either natural or man-made, are dealt with during an incident that takes place onsite. This also includes coordinating with local, state and federal emergency and law enforcement agencies, if needed, according to established procedures. A remote location will have different procedures than a site located within a well-established city or municipality. Natural weather conditions should be considered and monitored, as they can easily trigger an emergency action plan when left unchecked. Metrics that can be used would be response times during mock training exercises, along with evaluating those personnel who are tasked with emergency response duties to observe and verify that they know their alternate job. Mock exercises in data recovery, or scenarios that include cutting over to a hot or cold site, and whether they fall within the approved time limits, are another metric that can be used.
Physical Security
This relates to the protection of personnel, hardware, programs, data and networks from physical environments and events that could cause serious damage or losses to an enterprise, agency, or organization. There are several ways to aid a physical security program: surveillance systems augment it through the use of CCTV cameras, and intrusion detection systems, strategically placed lighting, alarms and heat detection sensors are but a few further avenues that can be utilized. Another aid to a physical security program can be the use of a multi-layer entrance, perimeter fencing, high walls, turnstiles, electronic access cards with PIN and biometric readers. Obstacles can also be placed in the way of possible attackers, such as large boulders in a walking path and pop-up barriers at vehicle entrances, and facilities can be hardened against potential attacks and environmental disasters. Metrics that can be used would be safe opening/closing sign-off cards, which can tell whether those authorized to open and close an organizational safe are following procedure. Also, the use of entrance logs can highlight specific individuals who have a tendency to work during off-hours, so that the reason why can be investigated.
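The off-hours entrance-log metric named under Access Control above, and the off-hours review of entrance logs just described under Physical Security, can both be run as a small script over badge logs. The following is an added example and not part of the original essay; the log line format, door names, employee IDs and the 07:00-19:00 weekday duty window are all constructed assumptions that a site would replace with its own.

```python
# Added example, not from the essay: flag badge entries made outside duty
# hours and count them per employee. Log format, IDs and hours are constructed.
import re
from collections import Counter
from datetime import datetime, time

# Assumed duty window: weekdays 07:00-19:00; adjust per site.
DUTY_START = time(7, 0)
DUTY_END = time(19, 0)

# Assumed log line format: "<ISO timestamp> <door> <employee> <GRANTED|DENIED>"
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
                    r"(?P<door>\S+) (?P<emp>\S+) (?P<result>GRANTED|DENIED)$")
SAMPLE_LOG = """\
2024-03-04T08:12:31 MAIN-FOYER E1001 GRANTED
2024-03-04T22:47:10 SERVER-ROOM E1042 GRANTED
2024-03-05T23:05:44 SERVER-ROOM E1042 GRANTED
2024-03-06T02:14:09 SERVER-ROOM E1042 GRANTED
2024-03-06T09:00:02 MAIN-FOYER E1007 GRANTED
2024-03-09T10:30:00 MAIN-FOYER E1007 GRANTED
2024-03-07T21:15:27 MAIN-FOYER E1001 DENIED
this line is corrupt and must be skipped
"""

def parse_line(line):
    """Return (timestamp, door, employee, result), or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["door"], m["emp"], m["result"]

def is_off_hours(ts):
    """Off-hours means a weekend day, or a weekday time outside the duty window."""
    if ts.weekday() >= 5:  # Saturday or Sunday
        return True
    return not (DUTY_START <= ts.time() < DUTY_END)

def off_hours_entries(log_text):
    """Successful (GRANTED) entries made off-hours, as (timestamp, door, employee)."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "GRANTED":
            continue  # skip malformed lines and denied attempts
        ts, door, emp, _ = rec
        if is_off_hours(ts):
            found.append((ts, door, emp))
    return found

def repeat_off_hours(log_text, threshold=2):
    """Employees with at least `threshold` off-hours entries, with their counts."""
    counts = Counter(emp for _, _, emp in off_hours_entries(log_text))
    return {emp: n for emp, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ts, door, emp in off_hours_entries(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {door:<12} {emp}")
    print("review:", repeat_off_hours(SAMPLE_LOG))  # -> {'E1042': 3}
```

Denied attempts are left out of the count deliberately, since they are a separate access-control metric; the weekend entry by E1007 is flagged once but stays below the review threshold.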

Personal Security
This relates to the protection of personnel and the measures that need to be taken in order for personnel to feel secure, whether at their work center, within the facility, walking to and from the facility, or anywhere on the facility grounds. This also involves the actions to be taken by personnel so that they do not leave themselves vulnerable to harassment or attacks. Metrics that can be used would be pre-employment screening and background investigations. Both of these techniques can be used to discover inappropriate behavior that surfaced during previous employment elsewhere, or actions or behavior that are not conducive to organizational policy.

Security Awareness Training
This deals with training personnel in an organization's security policies and procedures and what the organization expects of its employees. Annual security awareness training helps to ingrain in employees a greater security sense in their everyday dealings within the organization. This training helps to avoid inadvertent disclosure of sensitive or corporate data to those who do not possess the need-to-know. Metrics that can be used would be required annual refresher training, as this allows the organization to modify and update its policies and procedures and pass them on to employees. Employees sign refresher security awareness training documentation specifying that they have been trained and understand the training, policies and procedures, for accountability purposes. Random employee computer audits are another avenue to determine if employees are complying with organizational policies and procedures.

Chapter 9, Page 122: Data Collection and Metrics Management (Dr. Kovacich, 2006)
Data collection as it pertains to a Security Education and Awareness Training Program (SEATP) is just that: the collection of data to be researched, analyzed and compared, with a potential summation made according to the data at hand.
Data collection is pertinent to troubleshooting, usage, streamlining and research, just to name a few. Data collection allows for comparison between multiple instances or variables. Good data collection and metrics should be able to answer the following questions:

Who should track the functional metrics input data? This should be done by the person at the lowest level who is responsible for day-to-day SEATP activities (Dr. Kovacich, 2006).

What to track? All major tasks should be collected for a good overview, and then gradually more detailed data should be collected to determine step-by-step task breakdowns. This allows for greater accuracy in the SMMP baseline (Dr. Kovacich, 2006).

Why track it? Tracking allows for more accurate findings, which in turn allow processes to be streamlined, modified or eliminated. Tracking also allows the data to be quantified and qualified to determine cost-effectiveness (Dr. Kovacich, 2006).

How to track it? This is accomplished by merely maintaining records, logs, audits and other information that is captured at consistent intervals. The use of spreadsheets can be a great way to capture and track data (Dr. Kovacich, 2006).

When to track it? Capturing data at different intervals allows for the building of different pictures. Data taken at different but consistent intervals, such as daily, weekly, bi-weekly, monthly, semi-annually and annually, can show everything from tiny details to the big picture. The key is collecting the data on a consistent basis for a more accurate picture (Dr. Kovacich, 2006).

Where to track it in the functional process? Data is collected at the end of the process, such as at the end of each briefing, and entered into a spreadsheet or database, or collected at the end of a project (Dr. Kovacich, 2006).

Chapter 10, Page 129: Security Compliance Audits Metrics (Dr. Kovacich, 2006)
Security compliance audit metrics permit security compliance audits to be effectively and efficiently managed through performance reviews (metrics). Security compliance audits can reveal non-compliance in several areas that had just been revised due to changes in policy or regulations. This discovery allows the CSO to correct the problem before it becomes problematic or brings down the system. Early detection can also avert penalties that might be more severe if left unchecked.

References
Demkin, J. A. (2004). Security planning and design: A guide for architects and building professionals. New Jersey: John Wiley & Sons, Inc.
Dr. Kovacich, G. L. (2006). Security metrics management: How to manage the costs of an assets protection program. Burlington: Elsevier.
Fay, J. J. (2011). Contemporary security management. Burlington: Elsevier.
Perrin, C. (2008, December 18). Understanding layered security and defense in depth. Retrieved from TechRepublic.com: http://www.techrepublic.com/blog/it-security/understandinglayered-security-and-defense-in-depth/
Portney, S. E. (2011). Project management for dummies. Hoboken: John Wiley & Sons.
