Operational security is divided into three lines of defense: risk management, cybersecurity management, and auditing.
- The first line of defense is risk management, which handles the risks that affect a business's operations. Its key focus is risk analysis and management. First, the risks across the scope of the business are identified, and key risk indicators are established for each of them. Next, the probability of each risk occurring is determined, followed by an assessment of the severity of its occurrence. Using this information, the operational risks can be ranked or tabulated in a matrix to determine the priority of solving them.
- The second line of defense is cybersecurity management. It includes all the processes involved in securing the organization from the operational risks identified by the first line. It starts with security policies, which help mitigate the introduction of risks into the business. This is followed by the definition of key risk indicators, which help alert the IT team when a risk event has occurred. Next come cybersecurity standards, which outline the execution of different cybersecurity strategies to mitigate or prevent the defined risks from happening. The second line of defense ends with cybersecurity-management tools, which are used to view the cybersecurity posture of the organization.
- The last line of defense in operational security is auditing. There are two types of auditing: internal and external. This line of defense ensures that all the other lines of defense have been correctly implemented. It also helps identify areas of weakness in the security strategy.