Approaches include:
- Defence in depth (overlapping controls, so that no single failure exposes the asset)
- Operational responsibilities (set clear expectations - see policies and procedures below)
- Centralised security (to enable consistent control - see physical protection)
- Application controls (controls operating within an application)
- Monitoring (detective control)
- Personnel controls (preventative control)
- User training (preventative control)
- Segregation of duties (reducing the risk of fraud or error by requiring more than one person to complete a sensitive task)
I write about how to maximise each of them at the above links.
Within the above approaches are a variety of more specific techniques or practices (some of which I cover in more detail).