
Defence In-Depth And Physical Security - Essay Example

Summary
The paper "Defence In-Depth And Physical Security" underlines that it is essential for holistic security tactics in the IT sector to consider the threats posing risk to every layer articulated in a holistic plan of protection…

Extract of sample "Defence In-Depth And Physical Security"

Defense in Depth and Physical Security

Background

It is not easy to achieve consistency in security advice, given that the concept of security, especially security management, encompasses various activities (Brooks, 2007, p. 1). These include social contract conceptions (Fisher & Green, 2004, p. 21) and the notion of crime prevention (Manunta, 1999, p. 59). Given that security is diverse, there exists no consensual definition. The application of defense in depth in the field of IT banks on controls, and the aim of these controls is to delay (Smith, 2003, p. 12). As such, firms become unaware that their data has been stolen or their perimeter breached. In the IT security context, physical security entails controlled access, and therefore ensuring control of security involves ensuring control of access. The efficacy of any barrier can be determined through an assessment of the specific situation. Various barriers are needed for site protection, mainly against the threats identified in a risk and threat analysis (Aven, 2008, p. 30). Protection is achieved through procedural, physical, and psychological barriers that aim at deterring or delaying unauthorized access. Protection safeguards hamper the barrier occurrence. The functions of a protection barrier include deterring an attack, preventing or delaying access, protecting an asset or person from a threat, and impeding escape, among others. A barrier is effective when it has the capacity to hinder or stop an attacker (Cubbage & Brooks, n.d., p. 1).

The Concept of Physical Security

Physical security involves measures intended to prevent unauthorized access to material, installations, documents, and equipment, to safeguard personnel, and to protect against sabotage, theft, damage, and espionage (Browning, 2008, p. 1). Physical security controls have various characteristics, including measures for detection, deterrence, response, and delay, to ensure the mitigation of risks as well as the effectiveness of operation (ASIS, 2009, p. 10). The aim of physical security controls is to reduce risk through their capacity to systematically detect, deter, delay, and respond to any form of deviant act in the context of risk.

Decision-making process in physical security

Informed decision-making is present in various professional domains. In physical security, the aim is to implement security controls that efficaciously reduce risk and support organizational objectives in dynamic, sector-specific environments, and that are cost-effective in accordance with the economic law of diminishing returns (Broekhuis & Vos 2003, Series 3). In the domain of security, decision-making is reflected in security risk management, which is geared towards developing an understanding of the nature of uncertainty on objectives. The aim of this understanding is to facilitate more informed decision-making and, at the same time, to form the basis for exploiting opportunities while reducing the harms that threaten the organization (Standards Australia, 2006, p. 6). Such an approach includes identifying exposure to risk, evaluating methods of risk management, applying treatment strategies, monitoring the performance of those strategies, and employing the necessary feedback (Heartfield & Hispel cited in Coole, 2010, p. 1). The emphasis of security risk management is on the key elements of organizational security controls that contribute to risk management through their capacity to detect, deter, delay, respond, and recover from damage (Coole, 2010, p. 2).

Acceptable risks comprise unique elements in each risk, and the basis of the decision is a cost-benefit analysis of asset protection in relation to the assessed level of risk for the corresponding levels of treatment control (Coole, 2010, p. 2). In this case, the aim of implementing physical security controls is to reduce opportunities for offending, as per SCP (Situational Crime Prevention). According to Coole, Corkill, and Wooward (2012), SCP can be executed in line with the theory of defense in depth, which connects the elements of layered security into a system combining technology, people, procedures, and barriers to bring about a functional and holistic protective posture (Smith, 2003, p. 8). Such an approach applies a body of knowledge to inform the decision process of risk reduction. The aim of informed decision processes is to deliver enhanced operational effectiveness and choices based on effective risk (Coole, 2010, p. 2). In the domain of security, decision tools have been developed, the majority of which focus on the identification and evaluation of risk instead of the selection of effective reduction controls. An example is Microsoft NET technology, which helps to identify, access, control, and manage possible impacts to the firm, utilizing risk management as per AS/NZS ISO 31000:2009. The security domain utilizes the EASI (Estimated Adversary Sequence Interruption) model as a decision support tool. EASI represents the operational macro-state level, or systems commissioning; it can be utilized to inform the probability of interrupting (Pi) an adversary in a layered defense, so that constituent decisions can be combined to achieve the defined system objective of the security plan (Garcia, 2001).
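The interruption probability that EASI estimates can be worked through in code. The following is an added example, not code from the essay or from Garcia (2001): a simplified EASI-style calculation that assumes independent, normally distributed delay and response times and detection at the start of each layer; the layer names and all numbers are constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class Layer:
    """One protection layer on the adversary's path (outermost first)."""
    name: str
    p_detect: float    # probability this layer's sensors/procedures detect the adversary
    delay_mean: float  # mean time (s) needed to defeat the layer
    delay_sd: float    # standard deviation of that time (s)


def _normal_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def p_response_in_time(remaining_mean, remaining_sd, response_mean, response_sd):
    """P(remaining delay > response time), both treated as independent normals."""
    sd = math.hypot(remaining_sd, response_sd)
    margin = remaining_mean - response_mean
    if sd == 0.0:  # fully deterministic timings
        return 1.0 if margin > 0 else 0.0
    return _normal_cdf(margin / sd)


def interruption_terms(layers, response_mean, response_sd, p_comm=1.0):
    """Per-layer contribution to P(I): first detection happens at that layer,
    the alarm is communicated, and responders arrive before the path is finished.
    Assumption of this example: detection occurs as the adversary starts a layer,
    so that layer's full delay still lies ahead."""
    for p in [p_comm] + [layer.p_detect for layer in layers]:
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    terms = []
    p_undetected_so_far = 1.0
    for i, layer in enumerate(layers):
        ahead = layers[i:]
        rem_mean = sum(l.delay_mean for l in ahead)
        rem_sd = math.sqrt(sum(l.delay_sd ** 2 for l in ahead))
        in_time = p_response_in_time(rem_mean, rem_sd, response_mean, response_sd)
        terms.append((layer.name,
                      p_undetected_so_far * layer.p_detect * p_comm * in_time))
        p_undetected_so_far *= 1.0 - layer.p_detect
    return terms


def p_interruption(layers, response_mean, response_sd, p_comm=1.0):
    """Sum of the per-layer terms: the estimated probability of interruption."""
    return sum(term for _, term in
               interruption_terms(layers, response_mean, response_sd, p_comm))


# Constructed sample site: three zones between the street and the asset.
SAMPLE_SITE = [
    Layer("perimeter fence", p_detect=0.50, delay_mean=30.0, delay_sd=9.0),
    Layer("building door", p_detect=0.80, delay_mean=90.0, delay_sd=27.0),
    Layer("server room cage", p_detect=0.90, delay_mean=120.0, delay_sd=36.0),
]

if __name__ == "__main__":
    for name, term in interruption_terms(SAMPLE_SITE, 150.0, 45.0, p_comm=0.95):
        print(f"{name:18s} contributes {term:.3f}")
    print(f"P(I) = {p_interruption(SAMPLE_SITE, 150.0, 45.0, p_comm=0.95):.3f}")
```

A detection only counts towards P(I) when enough delay remains after it for the response to arrive, which is why a high detection probability at the innermost layer adds little if the response time exceeds that layer's delay.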
Security decision making

Standards Australia AS3555.1 defines the decision tool used for assessing and rating the intruder resistance of construction elements for barriers used for physical control. These construction elements include the floors, ceilings, and walls of domestic or commercial premises, assessed together with the inferred attack type and the working time necessary to penetrate each element. Apart from that, the standard also provides for destructive testing of these elements (The Interim Security Professionals Taskforce, 2008, p. 23). However, these tests do not offer a conclusive indication of the most appropriate element or barrier for a given security context, as they offer a delay in working time against defined threat scenarios and do not consider the other variables that interact with any decision on barrier elements. Consequently, the standard lacks the capacity to support the determination and evaluation of alternative measures for selecting a security barrier in any corporate, domestic, or industrial context (Standards Australia, 2003, p. 2). The selection of barrier elements usually occurs at the project design phase, prior to the realization of the project. Apart from that, barrier selection must follow the predefined base rate data that provides a baseline for grounding the standards. During the project development life cycle, some stakeholders seek changes to fittings or barrier construction, which leads to cost overruns and contract variations for the constituent, and which may be triggered by wants instead of needs. Owing to this, an appropriate decision support tool becomes an important component of the project documentation, clearly highlighting and documenting the reasons behind design decisions. The decision support tool provides the project baseline. For security, most decision-making tools focus on risk but fail to facilitate the selection of components aimed at risk reduction (Risk Management Institute of Australasia, 2007, p. 16).

Security system complexity

A well-planned security design can reduce the number of potential attackers who possess the determination, knowledge, resources, and skills necessary to overcome the barrier system. Barrier designs employing various materials dictate the use of various supporting tools, meaning that the attacker will have to possess specialized skills or use various expensive tools. They may also comprise complex materials that cannot be easily circumvented, or complicated mechanisms. These types of designs can deter attackers who lack the ambition or skills for this challenge (Brae & Brooks, 2011, p. 35).

Types of security barriers

Layering barriers: layered barrier designs have advantages, especially when they demand increased skill, knowledge, and talent to outwit. Layered barriers delay an attacker because each layer of safeguard takes time to circumvent, which is essential for providing the necessary delay when response time is slow.

Procedural barriers: the use of security staff, administrative procedures, and log books can help deter unwanted activity. Such procedures deter unwanted activity because they help create psychological barriers that can prevent asset compromise (Aven, 2008, p. 23).

Detection

Detection entails the use of appropriate devices, procedures, and systems to signal actual or attempted unauthorized access. When designing a physical security system, early detection should be one of the main considerations for ensuring that the asset(s) or target is safeguarded.
Protection in Depth

According to Nunes-Vaz (2011), the application of security controls or measures entails psychological, physical, technical, procedural, or other devices that can contribute to or perform various security functions, through the division or demarcation of physical space (Atlas, 2008, p. 35) or rings of protection (Coole & Brooks, 2011, p. 54). Such protection rings are considered in the traditional in-Depth sense (Nunes-Vaz, 2011, p. 373). This is represented as follows:

[Figure 1]

According to Coole and Brooks (2011), Protection in Depth entails various distinct measures that an enemy must encounter in sequence, and considers the avoidance of a single point of failure in any plan of protection. The approach integrates various detection constituents, multiple delay measures, and various response capabilities (Coole & Brooks, 2011, p. 54). Such an approach can serve to protect against the movement of unauthorized activity across one or multiple security zones where, according to the potential consequence, there is a desire to interrupt and neutralize unauthorized attempts to pass through a security zone. Through the security zoning principle, Atlas (2008) indicates that some areas of a facility need to be unrestricted during designated hours of use. However, there are restricted or controlled zones or spaces where entry is based on a valid reason instead of desire. Atlas indicates that the concept of onion layers, or security zoning, is used effectively in many facility designs. Apart from that, sections of a restricted area may require extra access control authorizations.

The principle of Zoning

According to the zoning principle, there is a clear difference between a security layer and a security control (Nunes-Vaz, 2011, p. 375). A security layer entails the implementation of numerous control sets that can stop a defined event from occurring or eliminate its destructive consequences. If the role of security is to manage risk, then as per the Defense in Depth theory it is essential to have the means to detect, delay, and respond to a security threat at every restricted zone, irrespective of the perspective in a logical approach to security. For instance, in facility protection there may be two means of detection and one means of delay combined into a layer that separates the access zones from each other. Apart from that, the detection constituents may be composed of intrusion detection technologies and procedural security that aim to detect the movement of unauthorized people across an access zone, or an x-ray machine and explosive trace technology that aim to detect the movement of contraband across secure zones via a staffed portal (Beard & Brooks, 2006, p. 17). The argument is that Protection in Depth and Defense in Depth are interrelated yet distinct when it comes to a security plan. Therefore, it is essential to calculate the interruption probability from the variables of delay, detection, and response for individual zones. Adams et al. (2005, p. 1) provide the summary of the effectiveness of individual zones as follows:

The Concept of Defense in Depth

Defense in Depth is a theory indicating that, for security to be effective in controlling access to an area, security zone, or asset, it is essential to have the means of delaying, detecting, and responding to any attempt made by an adversary to gain unauthorized access. Its efficacy can be enhanced by ensuring that neutralization and interruption occur before a zone is successfully crossed (Smith, 2003, p. 28). However, such a strategy requires access control layers, where some individuals within the facility may be allowed to access some of the areas in the protected site. Therefore, as a way of separating security zones, it is essential to have the means of detecting, delaying, and responding to unauthorized access threats across the various security zones in the security context, including information technology and physical security zones. Apart from that, based on the nature of the risk, the argument is that the separation may incorporate various detection constituents and multiple delay and response control measures organized as a system for every zone, forming a layer of security between zones as shown below.

Figure 2: Security in Depth that combines Protection in Depth and Defense in Depth to ensure achievement of security state

In support of Protection in Depth, Defense in Depth offers articulation for securing security zones as well as individuals in a facility. They generally refer to physical security systems (PP). However, present approaches to security and security zoning ought to consider the existence of threats that can manifest against IT infrastructure once physical access has been gained within the security zones. Therefore, Security in Depth, as a more encompassing security conception, ought to incorporate these concerns into its meaning. According to Brooks (2011), present-day BMS (building management systems) have various vulnerabilities to logic-based attacks which, after physical access has been gained, can manifest in one security zone against an asset in a different security zone.
According to Nunes-Vaz (2011), security risk can be minimized by maximizing the efficacy of the security layer, in which case the security functions are intertwined to achieve a specific layer of security (Aven, 2008, p. 39). On the basis of such logic, the main argument is that, for a protected asset, a facility's or organization's Security in Depth entails all the layers of security, logical and physical, standing between a protected target and an adversary. The concept of security layers combines the control measures that reduce the capabilities of a threat at the layer through the capacity to detect, deter, delay, and respond to attempts at unauthorized access. Nunes-Vaz (2011) supports this concept by suggesting the need for numerous layers because of the difficulties encountered in developing a perfect layer. Therefore, it is essential for holistic security tactics to consider the threats posing risk to every layer articulated in a holistic plan of protection. According to Talbot and Jakeman (2009), such a definition ensures that Security Resilience is achieved, where Security in Depth is attained by implementing Protection in Depth in accordance with the Defense in Depth theory across all access zones for logical and physical access control measures. Apart from that, Security in Depth for an organization entails all measures put in place throughout the facilities.

Figure 3: Security in Depth in an Organization

Bibliography

Adams, D. G., Snell, M. K., Green, M. W., & Pritchard, D. A. (2005). Between detection and neutralization. Proceedings of the 2005 International Carnahan Conference on Security Technology, Institute of Electronic Engineers.
ASIS International. (2009). Security body of knowledge (BoK): substantive considerations. ASIS International Academic/Practitioner Symposium 2009, ASIS International.
Atlas, R. I. (2008). 21st Century security and CPTED: Designing for critical infrastructure protection and crime prevention. Boca Raton: CRC Press.
Australian Interim Security Professional's Task Force. (2008). Advancing security professionals: Discussion paper. Retrieved August 2011 from http://www.isacaadelaide.org/pd/Discusion_paper_Future_Security_Professionals_March08.pdf
Aven, T. (2008). Risk analysis: Assessing uncertainties beyond expected values and probabilities. West Sussex: John Wiley & Sons Inc.
Beard, B., & Brooks, D. J. (2006). Security risk assessment: Group approach to a consensual outcome. Proceedings of the 7th Australian Information Warfare and Security Conference, 5-8.
Brae, B., & Brooks, D. J. (2011). Organisational Resilience: Understanding and identifying the essential concepts. Paper presented at the SAFE 11: 4th International Conference on Safety and Security Engineering, Antwerp, Belgium.
Brooks, D. J. (2007). Defining security through the presentation of security knowledge categories. Perth, Western Australia: Edith Cowan University, International Centre for Security and Risk Sciences.
Brooks, D. J. (2011). Intelligent buildings: An investigation into current and emerging security vulnerabilities in automated building systems using an applied defeat methodology. Proceedings of the fourth Australian security and intelligence conference. Perth, Western Australia. Retrieved from: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1013&context=asi
Coole, M. P. (2010). The theory of entropic security decay: the gradual degradation in effectiveness of commissioned security systems. A thesis submitted to the Faculty of Computing, Health and Science, Edith Cowan University. Retrieved from: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1372&context=theses
Coole, M. P., & Brooks, D. J. (2011). Mapping the organizational relations within physical security's body of knowledge: A management heuristic of sound theory and best practice. Proceedings of the fourth Australian security and intelligence conference. Perth, Western Australia. Retrieved from: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1013&context=asi
Cubbage, C., & Brooks, D. J. (n.d.). Corporate security in the Asia Pacific region: Crisis, crime, fraud and misconduct. New York: Francis & Taylor.
Fisher, R. J., & Green, G. (2004). Introduction to Security (7th ed.). Boston: Butterworth-Heinemann.
Garcia, M. L. (2001). The design and evaluation of physical protection systems. Boston: Butterworth-Heinemann.
Nunes-Vaz, R, M Lord, S., & Ciuk, J. (2011). A more rigorous framework for security-in-depth. Journal of Applied Security Research, 6 (3), 372-393.
Risk Management Institute of Australasia. (2007). Security Risk Management Body of Knowledge. Retrieved 24 January, 2007, from http://www.securityprofessionals.org.au/2007SRMBOK.htm
Smith, C. L. (2003). Understanding concepts in the defense in depth strategy. School of Engineering and Mathematics, Edith Cowan University, Australia.
Standards Australia. (2006). Security risk management. Sydney: Standards Australia International Ltd.
Standards Australia. (2009). AS/NZS ISO31000:2009 Risk management - Principles and guidelines. Sydney: Standards Australia International Ltd.
Talbot, J., & Jakeman, M. (2009). Security risk management body of knowledge: (SRMBOK). New Jersey: John Wiley and Sons.
The Interim Security Professionals Taskforce. (2008). Advancing security professionals: a discussion paper to identify the key actions required to advance security. Melbourne: The Australian Government Attorney General.
Verizon. (2012). 2012 Data breach investigations report (pp. 1-92). Verizon Business.