Information Security Controls are the bread and butter of audit professionals, the bane of developers, and the playground of security professionals. From a business perspective, they provide a means for enabling business resiliency by protecting and reducing the risk associated with the threat landscape. Insofar as the concept of defense in depth is embraced, it’s impact is reduced to mere banding about when we consider ever-present security breaches. If your strategy of control design is based on effectiveness, you do not have true defense in depth, you have a single thread of defense. We learned from our analysis of a reference architecture that businesses and their information systems have multiple attack vectors, therefore, controls modeled from multiple perspectives. This is what yields a truly defense-in-depth environment along with resiliency of controls and continuous compliance. Five steps can get you there.

Step 1: Foundational Controls

A primary outcome of implementing a best-in-class information security program is maintaining the state of due care and due diligence. These states are maintained when what is considered as basic controls are present in a system. A rational method of control organization can be found in NIST 800-53 v4¹ where controls are situationally categorized as: common, system-specific, and hybrid. Common controls provide a state of inheritance as they protect the various subsystems of an information system. Enterprise user directories providing authentication and authorization are examples of a common control in that they enable access to multiple systems across a SOA architecture. System-specific controls reside with service-specific systems, examples are database or web server controls. Hybrid is a blend of common and system-specific such as an antivirus (AV) management solution where the AV solution is specific to protecting against malware yet providing common protection to specified clients. The modes of inheritance through common and hybrid controls enables efficient control design resulting in reduced control sprawl, operational cost, and technology complexity.

The premise of defense is depth is “manage risk with diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer will hopefully prevent full breach.”² Foundational controls are less effective when designed non-functionally, meaning while operational, if compromised other controls will fail in a domino effect. Functional controls in contrast are designed to withstand compromise should another control fail. Controls are made functional by designing toward the expectation of compromise, failure and control reaction.

Control reaction is preventative, detective and corrective.³ Preventative controls prevent breach or exploitation, whereas detective controls provide alerts based on characteristics, patterns, and other indicators of compromise. Corrective controls provide automated remediation of threat execution or block active threat continuation. Ordering your foundational controls based on reaction enables control resiliency, ensuring offensive protection to a failed control along with further tuning through tiered situational application.