Information Security sounds like a complicated task, but it really isn't. Knowing what needs protected and how to protect it are the keys to security success.
Twelve Information Security Principles of Success
- No such thing as absolute security. Given enough time, tools, skills, and inclination, a hacker can break through any security measure.
- The three security goals are: Confidentiality, Integrity, and Availability. Confidentiality means to prevent unauthorized access. Integrity means to keep data pure and unchanged. Availability means to keep data available for authorized use.
- Defense in Depth as Strategy. Layered security measures. If one fails, then the other measures will be available. There are three elements to secure access: prevention, detection, and response.
- When left on their own, people tend to make the worst security decisions. Examples include falling for scams, and taking the easy way.
- Computer security depends on two types of requirements: Functional and Assurance. Functional requirements describe what a system should do. Assurance requirements describe how a functional requirement should be implemented and tested.
- Security through obscurity is not an answer. Security through obscurity means that hiding the details of the security mechanism is sufficient to secure the system. The only problem is that if that secret ever gets out, the whole system is compromised. The best way around this is to make sure that no one mechanism is responsible for the security.
- Security = Risk Management. Security work is a careful balance between the level of risk and the expected reward of expending a given amount of resources. Assessing the risk and budgeting the resources accordingly will help keep abreast of the security threat.
- Three type of security controls: Preventative, Detective, and Responsive. Basically this principle says that security controls should have mechanisms to prevent a compromise, detect a compromise, and respond to a compromise either in real-time or after.
- Complexity is the enemy. Making a network or system too complex will make security more difficult to implement.
- Fear, uncertainty, and doubt do not work. Trying to "scare" management into spending money on security is not a good way to get the resources needed. Explaining what is needed and why is the best way to get the resources needed.
- People, process, and technology are all needed to secure a system or facility. People are needed to use the processes and technology to secure a system. For example, it takes a person to install and configure (processes) a firewall (technology).
- Disclosure of vulnerabilities is good. Let people know about patches and fixes. Not telling users about issues is bad for business.
These are by no means a fix-all for security. The user must know what they are up against and what is needed to secure their system or network. Following the twelve principles will help achieve success.