Tactics: An Introduction ◾ 113
in day-to-day operations, especially in attack or breach situations. The goal of coverage is to have skilled people always available to manage security operations and responses. This includes a staff that has been cross-trained to cover periods of illness, vacation, training, and other absences. Skills management has already been mentioned in a previous section, and it is not our intent to beat the point to death, but ensuring proper coverage for security functions requires a good understanding of what critical skills are required and of managing training and staffing to make sure you have a sufficient number of people with those skills. This includes in-house expertise from IT and other departments or divisions, as well as external expertise such as penetration testers, forensics consultants, and law enforcement. If you have high-value or high-sensitivity data, you may want to consider keeping some of these external resources on retainer or contract. Effective tactics require a sufficiently skilled staff. Tactical planning must include a thorough assessment of the knowledge, skills, and abilities (KSAs) required for each control objective.
The coverage principle also extends to security management processes. Processes are essentially a command framework, in the sense that they identify key resources and direct how those resources will be used. Good processes ensure that the information required to make decisions is collected and available when it is needed, and good processes provide the order and guidance needed to make those decisions efficient and effective. Process is the commander at Carmarthen Castle going to the top of the observation tower to gather information about the enemy’s attack points and his troop positions, and then quickly repositioning troops to counter those attacks. Coverage means our processes are capable of effectively dealing with all the aspects of a situation. From his corner tower, the commander at Carmarthen Castle could only observe attacks against two of the castle walls. Fortunately, these were the only two walls the rebels could attack; otherwise, the process would have required a soldier with signaling capabilities in the opposite tower. When planning and selecting tactics, it’s not going to be possible to foresee every conceivable situation, but it is possible to build a framework capable of covering the normal and the unexpected. This must be what we strive for in our tactical planning endeavors.
Technology is the final aspect of coverage. Computing environments are so complex that it’s nearly impossible to find a single solution that covers everything. Conversely, “securing almost everything” is an oxymoron. Security is only as good as the weakest link; leaving some things unprotected is like locking all but one window in your house. Guess which one the thief came through? Each of our tactics and associated control objectives must apply to all our systems and must encompass all of the associated attack scenarios. A tactic that protects your systems from outside attacks and leaves them wide open to insiders is a poor solution. Coverage says our controls apply equally across our entire environment.
SIDEBAR: MAY DAY! MAY DAY!
After the 2000 May Day riots in London, Scotland Yard employed a number of these tactical principles to deal with future May Day protests and violence. First, they increased their observation capabilities with some 2,000 video feeds, including teams of roving police “spotters” armed with cameras. Second, they used this surveillance to rapidly direct officers (with the appropriate equipment/weaponry) to any emerging trouble spot. This rapid response capability gave the respondents the edge; they were able to break up crowds before they gained any malicious momentum. Scotland Yard kept a large force in reserve as well. In addition to the “all hands” deployment of central London police officers, more than 1,000 officers from surrounding boroughs were kept in active reserve.
Redundancy Principle
Security failures are some of the most impactful events an organization can experience. These failures involve not only security breaches but also system/equipment failures. For example, losing