Principles of Information Security

For security controls to be effective, apply the pillars of information security:

–Principle of least privilege
–Separation of duties
–Economy of mechanism
–Complete mediation
–Open design

Least Privilege
• “Need to Know”
• Default deny – essentially, don’t permit any more to occur than is required to meet business or functional objectives
• Anything extra introduces risk

Separation of Duties
• The idea is that we don’t want to give any one individual so much power that they could take dangerous actions without any checks and balances in place.
• You trust them with their job responsibilities, but they should be accountable for their actions, which is only possible when you measure or monitor their performance.

Economy of Mechanism
• Complexity is an enemy of security; it is much more difficult to create a simple mechanism and keep it that way.
• The more complexity is added to a system, the greater the chance of an error or flaw

Complete Mediation
• The control cannot be bypassed (for example, an organization's firewall bypassed by creating a backdoor)
• This principle means no unofficial backdoors (for example, no disabling the anti-virus software)
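
An added example (not part of the original notes) showing default deny, separation of duties and complete mediation working together in one small access check. The payment scenario, user names, roles and the `PaymentDesk` class are assumptions constructed for illustration.

```python
# Added illustration; all names and data below are constructed for the example.
ROLES = {"alice": "clerk", "bob": "manager", "carol": "manager"}

# Least privilege / default deny: only these (role, action) pairs are allowed.
ALLOW = frozenset({
    ("clerk", "create"),
    ("manager", "create"),
    ("manager", "approve"),
})


class Denied(Exception):
    pass


class PaymentDesk:
    def __init__(self):
        self._payments = {}   # payment id -> {"creator", "amount", "approver"}
        self.audit = []       # (user, action, payment id, outcome)

    def request(self, user, action, pid, amount=None):
        """Complete mediation: the single entry point every action goes through."""
        try:
            role = ROLES.get(user)                 # unknown user -> None
            if (role, action) not in ALLOW:        # anything not listed is denied
                raise Denied("not permitted for this role")
            result = getattr(self, "_do_" + action)(user, pid, amount)
        except Denied as exc:
            self.audit.append((user, action, pid, "DENY: " + str(exc)))
            raise
        self.audit.append((user, action, pid, "ALLOW"))
        return result

    def _do_create(self, user, pid, amount):
        if pid in self._payments:
            raise Denied("payment id already exists")
        self._payments[pid] = {"creator": user, "amount": amount, "approver": None}
        return self._payments[pid]

    def _do_approve(self, user, pid, amount):
        payment = self._payments.get(pid)
        if payment is None:
            raise Denied("no such payment")
        if payment["creator"] == user:             # separation of duties
            raise Denied("creator cannot approve own payment")
        payment["approver"] = user
        return payment
```

Every request, allowed or denied, lands in `audit`, which is what makes the accountability described under Separation of Duties measurable.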

Open Design
• The security of a system must not be based on the obscurity of the mechanism
• Proprietary software is not tested properly and sometimes includes an undisclosed back door (ballot counting software)