Measures, practices, and procedures for the security of
information systems should be coordinated and integrated with each other and
with other measures, practices, and procedures of the organization so as to
create a coherent system of security.
[GASSP95]
Complexity: The most effective safeguards are not recommended individually,
but rather are considered as a component of an integrated system of
controls. Using these strategies, an information security professional may
prescribe preferred and alternative responses to each threat based on the
protection needed or budget available. This model also allows the developer
to attempt to place controls at the last point before the loss becomes
unacceptable. Since developers will never have true closure on specification
or testing, this model prompts the information security professional to
provide layers of related safeguards for significant threats. Thus if one
control is compromised, other controls provide a safety net to limit or
prevent the loss. To be effective, controls should be applied universally.
For example, if only visitors are required to wear badges, then a visitor
could look like an employee simply by removing the badge.
fc@red.a.net