ABSTRACT

Diversity in information security is a practice that can greatly improve the security of an organization’s information assets. Using different techniques and controls can multiply the effectiveness of security controls in an increasingly diverse risk environment. Using overlapping controls can also provide redundancy that is important if a control should fail. Information technology security controls and response processes address different areas within an environment. These include network controls, operating system controls, and application level controls, as well as monitoring and responses to security events. Attention must also be paid to the coverage of the different controls, as the failure to provide protection for one piece of the application or service may lead to compromise of other areas. Providing adequate protection for all the pieces of an application will ensure its proper functioning and reduce the risk of its being compromised. It is also possible for one control to provide overlapping protection for other areas. Maximizing the overlapping protection and providing diversity within each one of these controls and processes are important to minimizing the risk of a security failure with regard to the information or services being protected. In addition, response and monitoring processes must also be able to address incidents and provide solutions in a timely manner. These controls and processes can also take advantage of diversity to reduce the risk of a single point of failure. Together, these controls and processes work to provide confidentiality, integrity, and availability of the information or service being secured.