For security controls to be effective, apply the pillars of information security

— Principle of least privilege
— Separation of duties
— Economy of mechanisim
— Complete mediation
— Open design

  • Least privilege is Need to Know principle or default deny -essentially, don’t permit more then required to meet the business requirement to avoid extra risk
  • For separation of duties we don’t want to give any individual so much control that they become a security risk without proper check and balance inplace
  • The principle of economy of mechanism basically says that more complexity we introduce into security system, creates potential for failures
  • Complete Mediation says that control cannot be bypassed – no unofficial back doors
  • Open design – the securty of the system must not be based on the obscurity of the mechanism
  • Information Security: Principles and Practice