Information Assurance Defense In Depth Strategy
[Figure: Defense in Depth operations focus areas: Security Policy; Security Management; Enforce Security Policy; Respond Quickly to Intrusions; Restore Critical Services]
• Maintaining a visible and up-to-date system security policy
• Certifying and accrediting changes to the Information Technology baseline. The C&A processes should provide the data to support “Risk Management” based decisions. These processes should also acknowledge that a “risk accepted by one is a risk shared by many” in an interconnected environment.
• Managing the security posture of the Information Assurance technology (e.g. installing security patches and virus updates, maintaining access control lists)
• Providing key management services and protecting this lucrative infrastructure
• Performing system security assessments (e.g. vulnerability scanners, RED teams) to assess the continued “Security Readiness”
• Monitoring and reacting to current threats
• Attack sensing, warning, and response
• Recovery and reconstitution
Additional Resources. The National Security Agency, with support from other U.S. Government Agencies and U.S. Industry, has undertaken a number of initiatives to support the Defense in Depth strategy. These include:
The Information Assurance Technical Framework. This document provides detailed Information Assurance guidance for each of the Defense in Depth focus areas. It is available at https://www.iad.gov/library/iacf.cfm
The National Information Assurance Partnership (NIAP). This is a partnership between NSA and NIST to foster the development of the International Common Criteria (an ISO standard) and to accredit commercial laboratories to validate the security functions in vendors’ products. Information on this activity is available at http://niap.nist.gov
Common Criteria Protection Profiles. These are documents that recommend security functions and assurance levels using the Common Criteria. They are available for a wide range of commercially available technologies and can be accessed at the IATF or the NIAP web sites listed above.
List of Evaluated Products. These are lists of commercial Information Assurance products that have been evaluated against the Common Criteria. The lists are maintained by NIST and are available at the NIAP web site.
Configuration Guidance. These documents, being prepared by NSA, contain recommended configurations for a variety of commonly used commercial products.