ABSTRACT

An IA mechanism is a piece of equipment, a tool, or a component that mitigates business risk. Examples of IA mechanisms include firewalls and intrusion detection systems. Many devices contain security features that may be activated to address risk. These devices are not themselves IA mechanisms; however, there are mechanistic IA configurations that may address risk. While each IA mechanism performs an IA task, that IA task is part of a broader IA function; that is, IA mechanisms and mechanistic IA configurations are parts of a broader IA capability. Therefore, this chapter presents the following IA mechanism examples in the context of three categories:

IA devices
    Anti-malware
    Firewall
    IDS
    PKI

IA configuration settings
    Operating system security

IA capabilities (aggregation of IA mechanisms)
    Identity and privilege management
    Protecting the information infrastructure
    Local area networks
    Cryptography
    E-commerce safeguards
    Development quality assurance

Mechanistic IA configurations are settings on or within devices that activate or restrict certain capabilities of that device. For example, an operating system configuration may activate the enforcement of strong passwords at system logon. IA devices are dedicated to and perform a specific IA function; e.g., filtering traffic between the internal network and the Internet. Combinations of IA devices and IA configurations support a variety of IA capabilities. These IA capabilities are not IA services, but aggregations of IA functionality that satisfy a broader business objective. For the sake of brevity, the term IA mechanism in the remainder of this chapter may refer to all three categories. The context of usage will clarify which categories are relevant.
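The strong-password example above illustrates a mechanistic IA configuration: a setting that is present on the device but inactive until someone turns it on. The script below, added here as an illustration and not part of the chapter, makes that concrete for a Linux-style password-quality policy file. It parses a pam_pwquality-style `key = value` file and reports which controls are inactive or weaker than an assumed baseline. Both configuration samples are constructed, and the baseline thresholds in `REQUIRED_POLICY` are this example's own assumptions, not values the chapter prescribes.

```python
"""Audit a pwquality-style password policy file (constructed example).

A mechanistic IA configuration is a setting that activates or restricts a
capability the device already has. Here the capability is strong-password
enforcement at logon, expressed as pam_pwquality-style settings:
  minlen     minimum length
  *credit    negative value N means "at least |N| characters of this class";
             0 or a positive value makes the class optional
  maxrepeat  maximum run of identical characters; 0 disables the check
"""
import re
from typing import Dict, List

# Assumed baseline for this example (not taken from the chapter).
REQUIRED_POLICY: Dict[str, int] = {
    "minlen": 12,    # at least 12 characters
    "dcredit": -1,   # at least one digit
    "ucredit": -1,   # at least one upper-case letter
    "lcredit": -1,   # at least one lower-case letter
    "ocredit": -1,   # at least one symbol
    "maxrepeat": 3,  # no more than 3 identical consecutive characters
}

# Constructed sample: a near-default file that leaves most controls inactive.
WEAK_CONF = """
# constructed sample policy, mostly defaults
minlen = 8
dcredit = 1        # positive credit: digits optional
"""

# Constructed sample: the same file with the controls switched on.
HARDENED_CONF = """
# constructed sample policy, controls activated
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
"""


def parse_pwquality(text: str) -> Dict[str, int]:
    """Parse ``key = value`` lines; blanks and ``#`` comments are ignored."""
    settings: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z_]+)\s*=\s*(-?\d+)$", line)
        if match:
            settings[match.group(1)] = int(match.group(2))
    return settings


def audit_policy(settings: Dict[str, int],
                 required: Dict[str, int] = REQUIRED_POLICY) -> List[str]:
    """Return one finding per control that is inactive or weaker than `required`."""
    findings: List[str] = []
    for key, want in required.items():
        have = settings.get(key)
        if have is None:
            findings.append(f"{key}: not set (control inactive)")
        elif key == "minlen" and have < want:
            findings.append(f"minlen: {have} is below the required {want}")
        elif key == "maxrepeat" and (have == 0 or have > want):
            findings.append(f"maxrepeat: {have} (0 disables the check; limit is {want})")
        elif key.endswith("credit") and have > want:
            findings.append(f"{key}: {have} makes this character class optional (need {want})")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_policy(parse_pwquality(conf))
        print(f"{label}: {'compliant' if not result else str(len(result)) + ' finding(s)'}")
        for line in result:
            print("  -", line)
```

Running the script reports six findings for the weak sample (short minimum length, digits optional, three character classes and the repeat limit never configured) and none for the hardened one; the same device, differing only in which of its built-in controls are activated, is the point the chapter makes about mechanistic IA configurations.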