The layers are not limited to just 3 layers. But a typical 3-layered architecture involves the following layers:
Presentation Layer | Business Layer | Data Access Layer
The presentation layer is your user interface. Typically this is your executable (Windows Forms) or web page (ASP.NET). In the presentation layer you may just concentrate on the look and feel of your application.
The business layer is where you actually write the business logic. It includes data validation, processing, communicating with the data access layer, etc. Typically the business layer will be a DLL which you will reference in the presentation layer (i.e. the presentation layer consumes the business logic).
And the data access layer is... you said you know it.
Now, as far as security is concerned, you can implement multiple security layers. You can have it in all three layers or in one of the layers, depending upon the need.
Please mark this post as answer if it solved your problem. Happy Programming!
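The layering described in the answer above, with one security control placed in each of the three layers, as an added example that is not part of the original post. It uses Python with an in-memory SQLite database as a stand-in for the .NET layers; the names `AccountDal`, `AccountService` and `handle_withdraw`, the table and the sample rows are all hypothetical.

```python
import html
import sqlite3

# --- Data access layer: parameterized SQL only, no business rules ---
class AccountDal:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER)")
        # Constructed sample rows for the example
        self.db.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])

    def get_balance(self, owner):
        # The owner value is bound as data, never concatenated into the SQL text
        row = self.db.execute("SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchone()
        return None if row is None else row[0]

    def set_balance(self, owner, balance):
        self.db.execute("UPDATE accounts SET balance = ? WHERE owner = ?", (balance, owner))

# --- Business layer: authorization and data validation, then calls the DAL ---
class AccountService:
    def __init__(self, dal):
        self.dal = dal

    def withdraw(self, caller, owner, amount):
        if caller != owner:
            raise PermissionError("caller may only withdraw from own account")
        if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
            raise ValueError("amount must be a positive integer")
        balance = self.dal.get_balance(owner)
        if balance is None:
            raise LookupError("no such account")
        if amount > balance:
            raise ValueError("insufficient funds")
        self.dal.set_balance(owner, balance - amount)
        return balance - amount

# --- Presentation layer: parses raw form input, encodes everything it renders ---
def handle_withdraw(service, session_user, form):
    try:
        amount = int(form.get("amount", ""))  # raw strings stop here
        new_balance = service.withdraw(session_user, form.get("owner", ""), amount)
        return f"<p>New balance for {html.escape(session_user)}: {new_balance}</p>"
    except (ValueError, PermissionError, LookupError) as exc:
        return f"<p>Request rejected: {html.escape(str(exc))}</p>"
```

The business layer repeats the checks even though the presentation layer already parsed the input, so a second front end that consumes the same business layer gets the same protection.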