With regard to control and counter measure selections, we must begin by defining the strategy in which they will be employed. We must therefore consider risk and tolerance, the business mission, control objectives, and any regulatory requirements for controls that will have to be put in place. Once we have this determined, we can then begin the process of deciding which controls will best suit this mixture of possibly competing objectives.

As I said before, what we are attempting to do is implement a proper control strategy to protect the identified asset base, do so on balance with the business mission, and accomplish it all in a cost effective and operationally effective manner. There are several principles at work here. One of which is to try to automate as much as we reasonably can.

There are several functions that controls perform that simply cannot be done by a human being. For example, we have malware detection and removal. This cannot be done by a person without them reading every single packet of traffic passing by to find which one has the hostile malware. There are other forms of automation that are quite common as well, such as firewalls and intrusion detection systems. Employing this form of automation as much as is reasonably possible will eliminate the possibility of human error in these cases.

Here are some other examples of automation. The access control system which performs identity management in a variety of aspects will include the functions of identification, authentication, authorization, and accountability establishment. On the slide you see two different systems which perform this function.

MAC, a form of rule-based access control standing for mandatory access control, and DAC, a form of identity-based discretionary access control. We have the principle of how system failures will be dealt with. Two basic forms of failure are considered. We have fail open, which is an insecure way of failing, and failing closed, which is a secure way of failing.

In the case of failing open with a physical control it may be preferable to do so to avoid harm to a human being. With fail closed it may be preferable to do so to avoid escape or the ability of a hacker to a system to circumvent controls when the system is in a semi-disabled state.

When we configure systems, as we frequently do with networks, we choose compartmentalizing various systems aspects, such as data repositories, and operating systems partitions. In all such cases there should be transparency of controls function to ensure that none of these controls become what are called black boxes. And when it comes to the question of trust generally we employ the principle of verification of the object or subject before trust can be employed. This will require authentication of that party to establish the basis of trust.

Another mechanism that may be used is segregation of duties and separation of duties together making certain that the levels of authority and combinations of access do not create conflicts of interest. One subject that has to be addressed is also ensuring that the control being chosen has sufficient strength to handle the order of magnitude of the threat intended. This rule will apply regardless of whether the control is automated or human-driven.

In the event of an automated control cannot be found of an appropriate strength to deal with a given set of circumstances, it may be better to rely on a manual process. For example, the use of facial recognition as a biometric authentication mechanism may require employing the person to look at the faces in order to determine appropriate identities rather than trusting to biometrics and their image recognition or dimensional measurements.

It is entirely possible that mistakes will be made and that performance will be much slower than an automated system might provide. In the end however, this may prove more effective than an automated method and may therefore be more desirable.

This is an example where the strength may be in the form of implementation employing a human element rather than an automated one. Strength itself may be inherent in the control type. Take for example two iron bars, one being an inch in diameter, the second being a millimeter in diameter, both are iron bars, both are made of iron and both have a certain measurement of strength. And though similar in many respects the smaller one could not be substituted for the larger one under many conditions likely to be encountered.

This type of functionality desired should also be considered when considering strength as a primary element of the controls in a particular application. When we get to the point of making control recommendations several elements must also be considered in the recommendation being made. These will include effectiveness, compatibility with other system components, effectiveness in achieving regulatory compliance, compliance with organizational policy, cultural acceptance, safety and reliability, and finally operational impact.

The primary consideration of course must be the operational effectiveness of the control being evaluated or recommended. Along with this must be considered the cost effectiveness as well. When we consider physical or environmental controls we must consider additional elements that may not be necessary when considering technological or administrative control types.

Violation of physical security, for example, could render other systems useless through some form of physical damage or interference with the system's operation. If for example, access to a computer operator console can only be done by having access to the room in which they're set, it may not be possible to damage the systems if the person seeking to do so cannot get into the room. This is another case of defense in depth where a physical control and an electronic or technological control must work together to prevent the ultimate objective of the attacker.

In this particular example, different forms of security controls and counter measures are going to be employed. For example there may be the need to employ identification badges which may also act as physical access control cards. We will have various forms of other detective and preventive controls such as closed-circuit TV cameras, security guards, and various forms of sensors and locks. This is of course the need to protect the environment itself.

Data centers contain many millions of dollars quite often in sensitive equipment. And this equipment can be damaged by failure to control the temperature, humidity, and air purity. Also required will be the fire suppression systems to ensure that if a fire should begin it can then be extinguished rapidly with, hopefully, a minimum loss of equipment and ideally no loss of human life.

In looking at other attributes of controls we find that some have inherent controls or security measures built into them. Technologies such as servers, databases, routers, and switches all have the ability to implement various levels and types of controls to protect themselves already built in.

There may also be forms of supplemental controls that can be added on later. These might include a federated identity management system or a single sign-on type of access control system. We also have, of course, the intrusion prevention system and the firewall.

There are supporting controls that can be added to provide additional visibility or capability to the overall security program. These would include various forms of compliance monitoring, system information, and event management systems, and vulnerability scanning types of tools. We come now to the end of our current section.

We're going to pause here before moving on. So be sure to join us again when we begin the next session. Thank you.