Information Security Management Principles in a Nutshell

  • Security is an emergent property of people using information/information systems. Therefore, security is inherently dependent on this context.
  • It is possible to determine what people expect from information/information systems.
  • It is possible to increase the likelihood of security expectations being met by using appropriate tools and processes.
  • An incident is, by definition, any instance in which a user's security expectation is not met.
  • Incidents must be used to improve tools and processes. The same type of incident should never happen twice.
  • The cost of tools and processes must be proportionate to the cost of the incidents they protect against.
  • Incidents should be prevented using two or more complementary tools and processes. This should eliminate single points of failure.
  • Protection and monitoring should be performed at the highest abstraction level possible, thus protecting against business-significant incidents. (Protect the pound, not the byte.)