Page 1019 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
security needs. However, a security policy usually does not go into
details about how to fulfill the security needs or how to implement the
policy. For example, it may state the need to implement and enforce
separation of duties and least privilege principles but not state how to
do so. Professionals within the organization use the security policies as
a guide to implement security requirements.
Chapter 1, “Security Governance Through Principles and
Policies,” covers security policies in more depth. It includes
detailed information on standards, procedures, and guidelines.
Implementing Defense in Depth
Organizations implement access controls using a defense-in-depth
strategy. This places several independent layers of access controls
between an attacker and the asset, so that defeating any single control
does not by itself grant access. As an example, consider Figure 14.1. It
shows two servers and two disks to represent assets that an organization
wants to protect. Intruders or attackers need to overcome multiple
layers of defense to reach these protected assets.
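The following is an added example, not from the study guide, showing how the two ideas on this page fit together in code: a policy that demands separation of duties and least privilege is turned into concrete checks, and those checks sit behind a network layer and an authentication layer so that a request must pass every layer before it reaches the asset. All of the data (the subnet, the session tokens, the roles and the invoice records) is constructed for the illustration, and the layer names are my own.

```python
"""Layered access-control decision (constructed illustration).

Every layer is evaluated on its own terms.  A request is granted only
when all layers allow it, so an attacker who defeats one layer (say, a
stolen session token that passes authentication) still has to get past
the others.  The trace records which layer stopped a request.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed data: each role carries only the permissions it needs
# (least privilege).  Nobody gets "invoice:approve" without the approver role.
ROLE_PERMISSIONS = {
    "clerk": {"invoice:create", "invoice:read"},
    "approver": {"invoice:read", "invoice:approve"},
    "auditor": {"invoice:read"},
}
USER_ROLES = {"alice": {"clerk"}, "bob": {"approver"}}

# Constructed network layer: only the internal subnet may reach the servers.
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]

# Constructed session store standing in for the authentication layer.
VALID_SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    source_ip: str
    session_token: str
    action: str
    invoice: dict  # constructed record, e.g. {"id": 7, "created_by": "alice"}


@dataclass
class Decision:
    allowed: bool
    trace: list = field(default_factory=list)  # (layer name, passed?) pairs


def network_layer(req, decision):
    ok = any(ip_address(req.source_ip) in net for net in ALLOWED_NETWORKS)
    decision.trace.append(("network", ok))
    return ok


def authentication_layer(req, decision):
    user = VALID_SESSIONS.get(req.session_token)
    decision.trace.append(("authn", user is not None))
    return user


def authorization_layer(user, req, decision):
    # Least privilege: the action must be in the union of the user's role permissions.
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, ())))
    ok = req.action in perms
    decision.trace.append(("authz-least-privilege", ok))
    return ok


def separation_of_duties_layer(user, req, decision):
    # Separation of duties: the person who created an invoice may not approve it,
    # even if their role would otherwise permit approval.
    ok = not (req.action == "invoice:approve" and req.invoice.get("created_by") == user)
    decision.trace.append(("sod", ok))
    return ok


def evaluate(req):
    """Run the request through every layer in order; stop at the first denial."""
    decision = Decision(allowed=False)
    if not network_layer(req, decision):
        return decision
    user = authentication_layer(req, decision)
    if user is None:
        return decision
    if not authorization_layer(user, req, decision):
        return decision
    if not separation_of_duties_layer(user, req, decision):
        return decision
    decision.allowed = True
    return decision


if __name__ == "__main__":
    # Bob (approver) approving an invoice Alice created: passes all four layers.
    print(evaluate(Request("10.1.2.3", "tok-bob", "invoice:approve",
                           {"id": 7, "created_by": "alice"})))
    # Bob approving his own invoice: stopped by the separation-of-duties layer.
    print(evaluate(Request("10.1.2.3", "tok-bob", "invoice:approve",
                           {"id": 8, "created_by": "bob"})))
```

The order of the layers matters for cost, not for correctness: the cheap network check runs first, and a request from outside the allowed subnet never touches the session store. The trace is what an analyst would want in a log, because it says which layer refused the request rather than only that it was refused.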

