Information Security Principles of Success
- Introduction
- Principle 1: There Is No Such Thing As Absolute Security
- Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
- Principle 3: Defense in Depth as Strategy
- Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions
- Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
- Principle 6: Security Through Obscurity Is Not an Answer
- Principle 7: Security = Risk Management
- Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
- Principle 9: Complexity Is the Enemy of Security
- Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security
- Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
- Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!
- Summary
- Test Your Skills
Chapter Objectives
After reading this chapter and completing the exercises, you will be able to do the following:
- Build an awareness of 12 generally accepted basic principles of information security to help you determine how these basic principles apply to real-life situations
- Distinguish among the three main security goals
- Learn how to design and apply the principle of defense in depth
- Comprehend human vulnerabilities in security systems to better design solutions to counter them
- Explain the difference between functional requirements and assurance requirements
- Comprehend the fallacy of security through obscurity to avoid using it as a measure of security
- Comprehend the importance of risk-analysis and risk-management tools and techniques for balancing the needs of business
- Determine which side of the open disclosure debate you would take
Introduction
Many of the topics information technology students study in school carry directly from the classroom to the workplace. For example, new programming, systems-analysis, and design skills can often be applied on new systems-development projects as companies adopt cloud computing and mobile infrastructures that access internal systems.
Security is a little different. Although technical skills are certainly important, the best security specialists combine their practical knowledge of computers and networks with general theories about security, technology, and human nature. These concepts, some borrowed from other fields such as military defense, often take years of (sometimes painful) professional experience to learn. With a conceptual and principled view of information security, you can analyze a security need in the right frame of reference or context, so you can balance the need to permit access against the risk that such access creates. No two systems or situations are identical, and no cookbook can prescribe how to solve a given security problem. Instead, you must rely on principle-based analysis and decision making.
This chapter introduces these key information security principles, concepts, and durable “truths.”