Information Assurance Defense In Depth Strategy




[Figure: Defense in Depth operations. Elements shown: Security Policy; Security Mgmt.; Recovery & ...; Certification and ...; Key Management; Readiness. Captions: Enforce Security Policy; Respond Quickly to Intrusions; Restore Critical Services.]

These include:

  • a) Maintaining a visible and up to date system security policy
  • b) Certifying and accrediting changes to the Information Technology baseline. The C&A processes should provide the data to support “Risk Management” based decisions. These processes should also acknowledge that a “risk accepted by one is a risk shared by many” in an interconnected environment.
  • c) Managing the security posture of the Information Assurance technology (e.g. installing security patches and virus updates, maintaining access control lists)
  • d) Providing key management services and protecting this lucrative infrastructure
  • e) Performing system security assessments (e.g. vulnerability scanners, RED teams) to assess the continued “Security Readiness”
  • f) Monitoring and reacting to current threats
  • g) Attack sensing, warning, and response
  • h) Recovery and reconstitution

Additional Resources. The National Security Agency, with support from other U.S. Government Agencies and U.S. Industry, has undertaken a number of initiatives to support the Defense in Depth strategy. These include:

  • a) The Information Assurance Technical Framework. This document provides detailed Information Assurance guidance for each of the Defense in Depth focus areas. It is available at https://www.iad.gov/library/iacf.cfm
  • b) The National Information Assurance Partnership (NIAP). This is a partnership between NSA and NIST to foster the development of the International Common Criteria (an ISO standard) and to accredit commercial laboratories to validate the security functions in vendors' products. Information on this activity is available at http://niap.nist.gov
  • c) Common Criteria Protection Profiles. These are documents that recommend security functions and assurance levels using the Common Criteria. They are available for a wide range of commercially available technologies and can be accessed at the IATF or the NIAP web sites listed above.
  • d) List of Evaluated Products. These are lists of commercial Information Assurance products that have been evaluated against the Common Criteria. The lists are maintained by NIST and are available at the NIAP web site.
  • e) Configuration Guidance. These documents, being prepared by NSA, contain recommended configurations for a variety of commonly used commercial products.
