Phase 2 Protection

Protection: reduction of vulnerabilities by the application of safeguards.
Security: balancing its cost with the possible losses.
Info protection must be comprehensive (implemented everywhere), consistent (implemented uniformly), and cost-effective.

Hierarchical security design: successive refinement of detail. 10 aspects addressed at every level.

1. Philosophy: security vision of the ideal security solution. High-level executive position statements that give direction and relative importance to the areas addressed.
Encompasses:
   trust: level of confidence needed to use info; determines authorizations, privileges, admin
   protection: level of control, integrity, auditing

2. Principles: standards of conduct. Refine the philosophy into standards that policies adhere to. Security architecture: common understanding and framework; definition of the principles that a security implementation can be built with.

3. Policies: technology-independent descriptions of the security precautions. Specify what must or must not be done to fulfill the principles. Security strategy: how to implement the vision in accordance with the architecture, given technological constraints.

4. Procedures: how to implement the policies for a specific technology; how standards should be implemented. Security framework: applying the security procedures, which is largely the admin of security objects.
   Standards: basic security requirements. Define an acceptable level of security to which every system must adhere.
   Exceptions: specific instances where the standards will not be implemented.

5. Practices: day-to-day operations that implement the procedures. Security implementation: details of how the framework is implemented. Detailed steps, schedules, responsibilities.