Defense-in-depth is a defense strategy in which an organization protects each of its layers (People, Process, and Technology). If one layer is compromised, a security control in another layer should still help contain the attack.
There are 3 general types of security controls: administrative, technical, and physical. They are described below in more detail.
Management/Administrative: Action items include reviewing and analyzing business administrative processes and policies, i.e., the policies and procedures used by the information security management system (ISMS), including weaknesses found in policies, employee hiring/termination, GRC, etc.
Operational: Generally part of administrative controls. Action items include reviewing and analyzing business processes and functions: the way the business operates may include processes or functions that do not fit in any other category but may still leave the business vulnerable, e.g., personnel, wire transfer processes, working with vendors, customer identification/authentication over the phone, etc.
Technical/Logical: Run vulnerability scans on any network, device, connection, program, service, etc., to identify weaknesses in servers, firewalls, computers, mobile devices, websites, network devices, and server software, such as weak passwords, outdated software, shared passwords, etc.
Physical: Inspect the physical security of the building, data center, physical access, server room, etc. Physical security includes weaknesses found in door locks, windows, fences, signs, gates, bollards, fire suppression systems, guards, etc.
The preceding control types should help identify: vulnerabilities in the people with whom the organization works, internally and externally; the processes the organization and its employees use; and the technology on which those people and processes rely. Evaluate the interactions between people, processes, and technology, and the control types that apply to each asset.
People: Includes employees, vendors, partners, suppliers, IT staff, etc.
Processes: Includes business and governance processes.
Technology: Used by the people and processes.