Principles of Security

Principles of Information Security

Principle 1: No absolute security.

This principle is illustrated by the safe-lock analogy: a safe is tamper resistant but can still be broken into, so its rating is an evaluation of how long it resists testers who have sufficient time and tools.

Principle 2: Security goals are confidentiality, integrity and availability.

Confidentiality means information is disclosed only to authorized individuals or systems. For example, an internet card transaction requires the card number to be transmitted from the buyer to the merchant and from the merchant to a processing network, and it must stay confidential along that whole path. Integrity is the assurance that data is not modified without permission; a real-life integrity violation would be an employee deleting important data or modifying his own salary in the company's database. Availability is the principle that information is accessible when it is needed, and it ensures guaranteed access despite failures and attacks.

Principle 3: Defense in depth as strategy.

This principle is based on layered security, where the layers together provide three elements: prevention, detection and response.

Principle 4: When left on their own, people tend to make the worst security decisions.

Example: at the 2003 InfoSecurity Europe conference, the organizers asked office workers to disclose their passwords and offered a free pen in return.

Principle 5: Computer security depends on two types of requirements: functional and assurance. Functional requirements describe what the system is required to do. Assurance requirements concern the process by which the system is actually implemented and tested.

Principle 6: Security through obscurity is not an answer.

It refers to relying on hiding the details of a system to keep it secure. For example, even though the algorithm a system uses is kept secret, people will still discover the secrets.

Principle 7: Risk management.

Risk management seeks to understand and identify two aspects of each risk: its consequences and its likelihood. Here is a scenario: management decides to mitigate a risk by implementing three types of controls: administrative, logical and physical. Next, the information must be assigned a security classification. After that, access to the protected information must be limited to authorized individuals. Finally, those requesting access must be identified and authenticated.

Principle 8: The three types of security controls are preventative, detective and responsive.

Together these controls form the basic set of measures that support the objectives of integrity, confidentiality and availability.

Principle 9: Complexity is the enemy of security.

This principle is based on the observation that the more complex a system is, the less secure it becomes.

Principle 10: Fear, uncertainty, and doubt do not work in selling security.

This tactic of scaring management into spending on security used to work. It is no longer effective, because protection needs are now evaluated more carefully.

Principle 11: People, process, and technology are all needed to adequately secure a system or facility.

This principle is seen in the way a security department grants access to users according to their duties. Through a user access request, a user is approved to join the company; a user ID and password are then issued and protected from unauthorized access.

Principle 12: Open disclosure of vulnerabilities is good for security.

In contrast to principle 6, disclosing vulnerabilities removes that "false sense of security".

Security Policies

Programme-level policy

Programme-level policy establishes the following components: the security purpose and scope, responsibilities, and policy compliance.

Programme-framework policy

Programme-framework policies give direction for the various programme implementations. Examples of programme-framework policies include business continuity planning, physical security and application development security.

Issue-specific policy

Issue-specific policy identifies specific issues and states the organization's position on them.

System-specific policy

Compared to programme-level and issue-specific policies, which cover a broader function, system-specific policy is a more focused approach dealing with just one system.
