Generally Accepted System Security Principles

P-6 Integration Principle

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


Measures, practices, and procedures for the security of information systems should be coordinated and integrated with each other and with other measures, practices, and procedures of the organization so as to create a coherent system of security.


The most effective safeguards are not recommended individually, but rather are considered as components of an integrated system of controls. In addition, most safeguards can be implemented as one of 14 protection strategies.[2] See Figure "Protection Strategy Timeline."

Using these strategies, an information security professional may prescribe preferred and alternative responses to each threat based on the protection needed or the budget available. This model also allows the developer to attempt to place controls at the last point before the loss becomes unacceptable. Since developers will never have true closure on specification or testing, this model prompts the information security professional to provide layers of related safeguards for significant threats. Thus, if one control is compromised, other controls provide a safety net to limit or prevent the loss. To be effective, controls should be applied universally. For example, if only visitors are required to wear badges, then a visitor could look like an employee simply by removing the badge.