Any combination of the following.
• Personnel security: The organization should have a policy that clearly identifies who has the authorization to enter, modify, access data. Adequate checks, such as passwords, must be completed to grant role-based access to data. The risk here becomes increasingly important with the size of the users. Security checks on critical personnel are common in many large organizations.
• Application security: All mission-critical (software, hardware, firmware) applications are secure from unauthorized access. This includes all possible means, from password protection to secured physical vaults.
• Operating systems security: From personal laptops to highly distributed operating systems, major functions of the operating systems should be secured: memory management, access to I/O devices, file management, and hardware configuration.
• Network security: Unauthorized viewing and tampering of networks is a much-sought-after target for hackers. Particular attention should be paid to communication devices that serve as a gateway to the organization's computing platform.
• Middleware and Web services security: With the proliferation of open-source applications, middleware affords more possibilities for security breaches. IT security staff should frequently review the mddleware architectures and define a unified view of security across heterogeneous middleware systems, and provide a basis for decentralized policy for middleware security.
• Facility security: All physical rooms where information systems are installed should be fully protected with entry locks, security guards, and cameras.
• Egress security should be enforced: Policy for taking out sensitive documents should be clearly given to personnel. Sensitive data printed on paper should be stored in safes. Unused documents should be shredded. When sensitive equipment is sent out for maintenance or repair, proper security procedures must be enforced.