A virtuous circle for information security management
A blog describing Intel's 'defense in depth' approach to information security has a neat description of the 4 main phases:
(1) Prediction (essentially risk assessment);
(2) Prevention i.e. classic preventive security controls;
(3) Detection and monitoring for threats that evade, disable or bypass preventive controls; and
(4) Response and recovery - corrective controls, a last resort.
Add a pinch of continuous improvement to learn from every event, and there you have it. Sure beats ISO/IEC 27001's somewhat simplistic plan-do-check-act model!
[By the way, Intel, the 'defense in depth' concept also applies within any of those phases e.g. using multiple information sources to broaden and deepen the analysis of security vulnerabilities in phase 1, or combining real-time alerting with near-time log anaysis in phase 3.]
(1) Prediction (essentially risk assessment);
(2) Prevention i.e. classic preventive security controls;
(3) Detection and monitoring for threats that evade, disable or bypass preventive controls; and
(4) Response and recovery - corrective controls, a last resort.
Add a pinch of continuous improvement to learn from every event, and there you have it. Sure beats ISO/IEC 27001's somewhat simplistic plan-do-check-act model!
[By the way, Intel, the 'defense in depth' concept also applies within any of those phases e.g. using multiple information sources to broaden and deepen the analysis of security vulnerabilities in phase 1, or combining real-time alerting with near-time log anaysis in phase 3.]