The new model for information security has 12 security functions instead of the 3 (prevention, detection, and recovery) included in previous models. These functions describe the activities that information security practitioners and information owners engage in to protect information as well as the objectives of the security controls that they use. Every control serves one or more of these functions.
Although some security specialists add other functions to the list, such as quality assurance and reliability, I consider these to be outside the scope of information security; other specialized fields deal with them. Reliability is difficult to relate to security except as endangerment: when perpetrators destroy the reliability of information and systems, that is a violation of security. Thus, security must preserve a state of reliability but need not necessarily attempt to improve it. Security must protect the auditability of information and systems while, at the same time, security itself must be reliable and auditable. I believe that these security definitions include destruction of the reliability and auditability of information at a high level of abstraction. For example, reliability is reduced when the authenticity of information is put into question by changing it from a correct representation of fact.
Similarly, we do not include such functions as authentication of users and verification in this list, since we consider these to be control objectives that serve to achieve the 12 functions of information security.
There is a definite logic to the order in which we present the 12 security functions. A methodical information security practitioner is likely to apply the functions in this order when resolving security vulnerabilities.
1. Information security must first be independently audited in an adversarial manner in order to document its state and to identify its weaknesses and strengths.
2. The practitioner must determine if a security problem can be avoided altogether.
3. If the problem cannot be avoided, the practitioner needs to try to deter potential abusers or forces from misbehaving.
4. If the threat cannot be avoided or deterred, the practitioner attempts to detect its activation.
5. If detection is not assured, then the practitioner tries to prevent the act from occurring.
6. If prevention fails and an act occurs, then the practitioner needs to stop it or minimize its harmful effects through mitigation.
7. The practitioner needs to determine if transferring the responsibility to another individual or department might be more effective at resolving the situation resulting from the attack, or if another party (e.g., an insurer) might be held accountable for the cost of the loss.
8. After a loss occurs, the practitioner needs to investigate and search for the individual(s) or force(s) that caused or contributed to the incident as well as for any parties that played a role in it—positively or negatively.
9. When identified, all parties should be sanctioned or rewarded as appropriate.
10. After an incident is concluded, the victim needs to recover or assist with recovery.
11. The stakeholders should take corrective actions to prevent the same type of incident from occurring again.
12. The stakeholders must learn from the experience in order to advance their knowledge of information security and educate others.