Which security level first if i use layering?

Dear all,

i just start with my preparation for CISSP. Don't know when and how will manage it.
In the chapter "security governance" there is a concept of layering. Know my question is, which level of security strengh should be first in the serie of security methods? Should i start with a low security level (User/PW) or high security level (Token; Biometric)?
Do you have a best practise?

Thanks for your ideas.

Best regards and a happy new year.
Oliver

Find more posts tagged with

Comments

636-555-3226

Kind of vague. Layering as in "defense in depth?" Could mean layers of controls like AV, web filter, email filter, secure workstation configuration, etc.

Might be layers of security principles - Identify, Protect, Detect, Respond, Recover?

jcundiff

Its really going to come down to what you are protecting... are you talking about the initial entry (ID/PW) onto the corporate network? Or onto the datacenter floor? the requirements are going to be different. For the corp network (user domain) ID/PW would be a suitable first step. Not so much to access the raised floor environment that hold the crown jewels... I would expect dual badge access or biometrics. However, these would not be the 1st layer of defense. The first layer would be physical access to either the corp office or dc building, both of which may be badged access or require sign in at a desk with security guard personnel

OliLue

Thanks for your response. I think about the technology or concept. For example access control. Should i start with the low level User / Password and than increase the level our should i start with the high level.
But i think in depend on what i want protect. After categorize the information i can adapt the security level for access.

divertwig

If we're talking about layered security, or defense in depth, whichever you want to call it... the first layer should be physical security. All the logical security (IDs, PWs, whatever) isn't going to do you much good if someone can walk in off the street, pick up your server, and walk back out with it.

jcundiff

divertwig wrote: »

If we're talking about layered security, or defense in depth, whichever you want to call it... the first layer should be physical security. All the logical security (IDs, PWs, whatever) isn't going to do you much good if someone can walk in off the street, pick up your server, and walk back out with it.

As I stated above,

jcundiff wrote: »

The first layer would be physical access to either the corp office or dc building, both of which may be badged access or require sign in at a desk with security guard personnel

Its really going to depend on what you are protecting... Data center is going to have much higher security and more layers than an office environment/contact center... but yes in most cases, physical is going to come first