EXPERT RESPONSE
You can secure your data by building a risk assessment program that builds defense in depth. Broad steps include:
- Risk assessment
- Policy
- Implementation
- Training
- Auditing
Following this approach will allow you to build security controls in a layered manner. The idea is that if one security mechanism fails there is another behind it to take its place. That is the concept of defense in depth: building security in layers -- if one layer is breached, you have multiple layers beneath it to continue protecting your organizations assets.
In reality, it's not always easy as you must try and find a balance between the protection cost and the value of the informational asset. For example, if you have an information classification system but also have encrypted data, you have put two security controls in place. In this example, strong controls have been placed on who has access to the information; the physical devices the information is located on has been secured; and when it is in transit it is only transmitted in a encrypted form. While this doesn't mean the information cannot be attacked or disclosed, it does mean you have placed several effective barriers that will deter its release.
|
