Now that we have discussed the broad cyber resilience (or defence-in-depth) layers – prevention, detection, response and governance – we need to break them down into concrete controls.
Part 2 of this book discusses a range of reference controls, which are also listed in Table 3. This table maps those controls against the defence-in-depth layers, helping you get a sense of the more concrete actions you could take to build each layer.
Note that one control can contribute to more than one layer. This is true for the higher-level reference controls discussed in Part 2 as well as for specific solutions. CCTV, for example, can simultaneously act as a deterrent (prevention), a way to spot an intrusion as it happens (detection) and a source of evidence for identifying the culprit afterwards (response).
Table 3: The Reference Controls From Part 2 Mapped Against the Defence-in-Depth Layers
| Reference control | Prevention | Detection | Response | Governance |
|---|---|---|---|---|
| Asset management | | | | |
| Board-level commitment and involvement | | | | |
| Business continuity management | | | | |
| Configuration and patch management | | | | |
| Continual improvement process | | | | |
| Encryption | | | | |
| External certification/validation | | | | |
| Identity and access control | | | | |
| Incident response management | | | | |
| Internal audits | | | | |
| Malware protection | | | | |
| Network and communications security | | | | |
| Physical and environmental security | | | | |
| Security monitoring | | | | |
| Security policies | | | | |
| Staff training and awareness | | | | |
| Supply chain security | | | | |
| System security | | | | |
| Vulnerability scanning and penetration testing | | | | |
Table 3 can help you plan the controls you may want to implement to build a well-balanced, multi-layered security system. As you select controls, however, always take a risk-based approach that aligns with your organisation's needs and requirements rather than implementing every row of the table: a control that does not address a risk you actually face costs money and attention without improving resilience. It is also a good idea to bear in mind Schneier's five questions, discussed in Chapter 4, on making well-considered trade-offs.