Complementing the preparation done at lower layers to ensure sensitive activities are planned and executed securely, the final three layers look back on outcomes to ensure that the organization’s policies are adhered to.

Beginning with an inspection of the intended and actual outcomes, Layer 5 encompasses both Intent Evaluations and Behavioral Evaluations.

Based on the findings of those evaluations, Layer 6 describes Preventative Enforcement activities, which serve as guardrails that block non-compliant designs before they go live, and Remediative Enforcement activities, which produce corrections after negative outcomes are detected in a real-world scenario.

Finally, Layer 7 describes activities that Audit the effectiveness of the organization’s policies and of its evaluation and enforcement activities, and that orchestrate Continuous Monitoring to ensure that sensitive activities remain compliant indefinitely.

An old leadership adage states that “a unit only does well that which its commander inspects well.” Activities categorized within Layers 5, 6, and 7 act as the inspection that equips our organizations to excel.

