Information Security Management Principles in a Nushell
- Security is an emergent property of people using information/information systems. Therefore, security in inherently dependent of this context.
- It is possible to determine what people expect from information/information systems.
- It is possible to increase the likelihood of security expectations by using appropriate tools and processes.
- An incident by definition is any instance of a security expectation of a user being failed.
- Incidents must be used to improve tools and processes. The same type of incident should never happen twice.
- The cost of tools and processes must be proportionate to the cost of the incidents they protect from.
- Incidents should be prevented using two or more complementary tools and processes. This should eliminate single points of failure.
- Protection and Monitoring should be performed at the highest abstraction level possible, thus protecting from business significant incidents. (Protect the pound, not the byte.)