
Principles of Information Security

If you look closely, you will find a close relationship between what we discussed so far in this chapter and what we are going to discuss here. The principles of information security were established as far back as 1996 by the National Institute of Standards and Technology of the United States of America through Special Publication 800-14: “Generally Accepted Principles and Practices for Securing Information Technology Systems.” We feel that these fundamental expectations are valid and relevant even in today's context.12

While there are many approaches that may be used to ensure information security, there are some minimum expectations which must invariably be met by all current systems, irrespective of their size. These eight fundamental principles of information security are the ones we are going to discuss in brief in the following paragraphs.12

• Principle 1: Computer Security Supports the Mission of the Organization

As we have seen, every organization has objectives to achieve, whether they are business goals or social goals. Any other system, whether it be an information technology system, a procedure, or otherwise, is rendered useless if it does not enable the achievement of these primary objectives of the organization alongside the goals of the system itself.

• Principle 2: Computer Security is an Integral Element of Sound Management

This principle is straightforward, and it cannot be more relevant than in today's world. In today's well-connected world, where an attack on any system can originate from any other part of the world and nobody can be absolutely sure of the protection put in place, information security can be ignored only at an organization's peril.

• Principle 3: Computer Security Should Be Cost-Effective

At the end of the day, every organization has to sustain and grow its business and profitability. Even organizations with social objectives have limited funding available to them, and the expectation is that they use it judiciously. Hence, just because an excellent security system is available in the market, one should not go ahead with it unless the benefits accrued from its use are far greater than the costs of its purchase and implementation. This is one of the fundamental requirements for any organization of any size in any business.

• Principle 4: Systems Owners Have Security Responsibilities Outside Their Own Organization

Today, in the era of the Internet and web applications, many systems are used by users, whether employees or customers, from outside the organization's physical boundaries. Every individual has the right to be assured that the system or applications that she/he is using are secure. It is the organization's responsibility to ensure that safety is built into these applications and that their users are duly assured of the security in them. No organization can shirk its responsibility in this regard, as the growth of business, in recent times, depends on new tools of doing business.

• Principle 5: Computer Security Responsibilities and Accountability Should Be Made Explicit

Having clarity is what makes the difference when it comes to achievement. As we have seen, decisions are not made by the people who normally work with the data because the authorities are not clearly defined and assigned. Such a state of confusion can lead to disasters in organizations today, as computer security incidents or breaches, and the disasters that follow from them, have to be dealt with using speed, precision, and clarity. Earlier in this chapter, we elaborated on the whys and hows of clear demarcation of information security roles, responsibilities, and authorities; such clarity will ensure successful compliance with information security requirements. Negligence cannot be excused in the field of information security, as organizations can be severely affected by reputation loss, business loss, penalties, etc. Accountability is brought in clearly and effectively through clarity on roles, responsibilities, and authorities.

• Principle 6: Computer Security Requires a Comprehensive and Integrated Approach

Most organizations operate in a highly competitive environment. For their efficiency and effectiveness, all aspects of business, business enablers, and business protection systems have to work in perfect harmony and need to complement and supplement each other seamlessly in a comprehensive and integrated approach. This is what we emphasized throughout our discussions in this chapter, including in the context of information security frameworks / architecture.

• Principle 7: Computer Security Should Be Periodically Reassessed

As we discussed earlier, change is the only constant in this world. In a changing context, we need to navigate in the right direction. In order to check our direction and make course corrections, we need to carry out periodic reassessment of the organization's computer security. We have already discussed the benefits of periodic gap analysis through periodic risk assessment as a means of course correction.

• Principle 8: Computer Security is Constrained by Societal Factors

It is true that there is a possibility of conflict between information security requirements and societal factors, e.g. logging of activities versus privacy requirements. While each of them has significance of its own, we need to ensure a balance between the two. The balancing depends upon the context and expectations. It is possible that under certain circumstances, one can complement and support the other.

The aforementioned fundamental principles of information security are further substantiated through additional principles for engineering effective information security through NIST's special publication 800-27 Revision A: “Engineering Principles for Information Technology Security (A Baseline for Achieving Security).”
