Computer networks have allowed activity that none dreamed possible hundreds of years ago; however, millions of attempts to compromise the security of computer systems are made on a daily basis. Knowing and using the 12 principles of information security allows security professionals to mitigate most threats to data security. By understanding the different types of security policies, effective policies can be put into place that ensure better information security. What security professionals must hold paramount is that 100% security is impossible to achieve.

The 12 Principles

The first principle: given enough time, a person with the right skills and proper tools can break through any lock. Relate this to a thief with a safe; eventually even a steel wall can be compromised. No matter what a person does to protect something, that protection only buys time until the security is ultimately breached (Merkow & Breithaupt, 2006).
The second principle states that every information security policy tries to address at least one of these properties: confidentiality, integrity, and availability. Suppose someone gains unauthorized access to sensitive data; the confidentiality of the data is already breached. Should the user have sufficient access, the data could be changed, thereby ruining its integrity. This situation could arise through access permissions being set incorrectly (Merkow & Breithaupt, 2006).
Principle three: defense in layers. Cybercriminals should always be forced to break through multiple safeguards if they are to gain access. Much like a medieval castle was built with bridges, walls, and inner walls to provide layers of defense, so too are today’s information security systems (Merkow & Breithaupt, 2006).
Principle four: people will always make poor security decisions if they are not educated to avoid such behavior. We hear so much about the dangers of opening email attachments from people unfamiliar to us; however, when presented with the possibility of seeing adult content, people inadvertently spread the Anna Kournikova virus through email in 2001 (Merkow & Breithaupt, 2006).
The fifth principle deals with functional requirements and assurance requirements. These requirements amount to satisfying the following questions: does the system do the right things, and does the system do them in the right way (Merkow & Breithaupt, 2006)? For example, does a computer run a program? Does it do so without consuming too much memory?
Principle six: obscurity does not lead to security. Once it is discovered how a system is secured, the methods are likely to be divulged to many interested parties (Merkow & Breithaupt, 2006). An example is when a secret recipe like KFC’s is discovered; soon, everyone is aware of how to go about making their own tasty chicken.
Principle seven: no security measure should ever cost more to implement than the value of what it protects (Merkow & Breithaupt, 2006). Who would ever consider spending $10 on a lock for a box that contains a few dollars in change?
Preventative, detective, and responsive security measures comprise the eighth principle. Preventative measures seek to physically keep someone or something out, while detective measures identify when preventative measures have been breached. Responsive measures include alarms that may sound to alert the proper people when other security measures have failed (Merkow & Breithaupt, 2006).
Principle nine: complexity is the enemy of security. The more complex any system becomes, the harder it becomes to secure each of its working parts (Merkow & Breithaupt, 2006). Consider the PSTN (public switched telephone network); securing this type of network is difficult because data is flowing in every direction imaginable.
Principle ten: fear, uncertainty, and doubt do not work to sell security. Managers who spend money on security want justification to ensure the expenditure makes proper business sense (Merkow & Breithaupt, 2006).
The eleventh principle presents the idea that people, process, and technology work together to secure anything. An example is adding new users to corporate networks. A form is usually filled out that a manager must approve, and then the system configuration ensures that user gets proper access (Merkow & Breithaupt, 2006).
Disclosing vulnerabilities is addressed by principle 12. Making those people who can do something about a vulnerability aware of it will get something done about it (Merkow & Breithaupt, 2006). A patch can be written or a firmware upgraded. Microsoft is always patching Vista to provide better security.

Types of Policies
Security policies come in four varieties. Program-level policies establish security programs, delegate management responsibilities, state the purpose and objective of the policy, and create a basis for policy compliance. Program-framework policies are directions for various program implementations. Examples include business continuity planning, physical security, and application development security. Issue-specific policies identify specific issues and shape the position of the organization. Finally, system-specific policies focus on specific situations that may arise in a system and define what is to be done (Merkow & Breithaupt, 2006).

Summation

Effective security systems are built with an understanding of the 12 principles. The four types of policy are instituted effectively only when the 12 principles are completely understood. What must always be remembered is that security systems are never fail-safe and that the only reason they exist is to buy time.