Security – Layers of Control
Layers of control
• Diagram: IT systems and data at the centre, surrounded by rings of control (listed here from inner to outer) with the example measures the slide attaches to each:
  ▫ Building security: guards, IDs, visitor passes, sign in/out
  ▫ Terminal use controls: locks, swipe cards, biometric measures (e.g. fingerprint recognition)
  ▫ Authorisation software: access rights (e.g. no access, read-only, read-write)
  ▫ Communications security: automatic callback, encryption, hand-shaking procedures
  ▫ Operational security: audit trails, unusual patterns of use, virus checks, backup and recovery procedures
  ▫ Personnel screening: hiring policies, separation of duties, education and training, establishing standards of honesty
• Threats shown outside the rings:
  ▫ Invasions of privacy, virus introduction, malicious destruction of data
  ▫ Natural disasters and accidents
  ▫ Errors in programming, input and output procedures, operations
  ▫ Espionage, fraud and theft, threats, blackmail
Layers of control
• Building and equipment security
  ▫ locks and window grilles, guards, alarms and automatic fire
    extinguishers, ID cards, visitor passes
• Authorisation software
  ▫ user IDs and passwords
• Communications security
  ▫ databases are vulnerable to outside hackers; combat illegal
    access with call-back, handshaking and encryption
• Operational security
  ▫ audit controls track what happens on a network
• Audit trail
  ▫ a record that traces a transaction
• Personnel safeguards
  ▫ users and computer personnel within an organisation are
    more likely to breach security than outsiders
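The authorisation-software, operational-security and audit-trail layers above can be shown working together in a few lines of code. The following is an added example written for this page, not code from the original slides: a small authorisation check that enforces access rights (no access, read-only, read-write), writes every decision to an audit trail, and then uses that trail both to trace one user's transactions and to flag an "unusual pattern of use" (here, repeated denied requests). The user names, resource name and the threshold of three denials are constructed for the example.

```python
"""Added example: access rights + audit trail + unusual-pattern check.

Constructed for illustration of the slide's layers; not from the original page.
"""
from collections import Counter
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Tuple


class Access(IntEnum):
    """Access levels from the slide, ordered so a higher level implies the lower."""
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2


@dataclass
class AuditEntry:
    """One line of the audit trail: who tried what, on which resource, and the outcome."""
    user: str
    resource: str
    action: str
    allowed: bool


@dataclass
class AuthorisationLayer:
    """Authorisation software layer: rights table plus an append-only audit trail."""
    rights: Dict[str, Dict[str, Access]]           # user -> resource -> granted level
    audit_trail: List[AuditEntry] = field(default_factory=list)

    def check(self, user: str, resource: str, action: str) -> bool:
        # Default-deny: an unknown user or resource gets Access.NONE.
        granted = self.rights.get(user, {}).get(resource, Access.NONE)
        # "read" needs read-only; anything else is treated as a write.
        needed = Access.READ_ONLY if action == "read" else Access.READ_WRITE
        allowed = granted >= needed
        # Operational security: every decision, allowed or not, is recorded.
        self.audit_trail.append(AuditEntry(user, resource, action, allowed))
        return allowed


def trace_transactions(trail: List[AuditEntry], user: str) -> List[Tuple[str, str, bool]]:
    """Audit trail use: reconstruct what one user did, in order."""
    return [(e.resource, e.action, e.allowed) for e in trail if e.user == user]


def unusual_users(trail: List[AuditEntry], max_denied: int = 3) -> List[str]:
    """Operational security use: flag users with an unusual number of denials."""
    denied = Counter(e.user for e in trail if not e.allowed)
    return sorted(u for u, n in denied.items() if n >= max_denied)


def demo():
    # Constructed rights table: alice may write payroll, bob may only read it.
    rights = {
        "alice": {"payroll": Access.READ_WRITE},
        "bob": {"payroll": Access.READ_ONLY},
    }
    layer = AuthorisationLayer(rights)
    results = [
        layer.check("alice", "payroll", "write"),   # allowed
        layer.check("bob", "payroll", "read"),      # allowed
        layer.check("bob", "payroll", "write"),     # denied
        layer.check("bob", "payroll", "write"),     # denied
        layer.check("bob", "payroll", "write"),     # denied -> unusual pattern
        layer.check("carol", "payroll", "read"),    # unknown user: denied
    ]
    return results, unusual_users(layer.audit_trail), trace_transactions(layer.audit_trail, "bob")


if __name__ == "__main__":
    decisions, flagged, bob_trace = demo()
    print("decisions:", decisions)
    print("flagged users:", flagged)
    print("bob's trail:", bob_trace)
```

The point of keeping the audit trail inside the authorisation layer is that denied requests are recorded as well as granted ones; the "unusual pattern" check only works because the trail is complete.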
Corporate I.T. security policy
• Awareness and education
  ▫ Training
• Administrative controls
  ▫ screening, separation of duties
• Operations controls
  ▫ backups, access controls
• Physical protection of data
  ▫ controlled access, fire/flood alarms, UPS
• Access controls to the system and information
  ▫ access levels, access rights, encryption
• Disaster recovery plan
