Information Security Practice Principles

The very best information security professionals are like health care professionals, lawyers, and military commanders. They do much more than implement compliance checklists or set up firewalls: they think critically and use judgment to make decisions and offer guidance. They apply their experience and expertise to the full scale of cyber problems, from system design to developing and implementing cybersecurity programs addressed to an entire mission or campaign. Most importantly: they adapt.

We need more of these cyber samurai, and that means maturing the information security community and how we educate and train. There are true masters of information security, but we believe that excellence in this field leans heavily on master-apprentice relationships, trial-and-error experience, and the mimetic transfer of knowledge and know-how. These are very powerful ways to learn, but they don’t necessarily scale or produce quick results. The Information Security Practice Principles (ISPPs) can be a cornerstone of information security education, helping new practitioners build a very deep and very broad insight into what information security is all about, not unlike the Fair Information Practice Principles for privacy professionals, or the Model Rules of Professional Conduct for lawyers.

Moreover, we need more people up and down the chain of command and in other specialties to be able to engage in and (at some level) understand the information security dialogue. The intended audience for this work is anyone making security decisions at any level of an organization: current practitioners, future practitioners, technologists whose decisions interact with or impact security, managers, and stakeholders.

The ISPPs

Written and developed by Craig Jackson, Scott Russell, & Susan Sons

“Am I covering all of my bases?”

Identify and account for all relevant systems, actors, and risks in the environment.

Related concepts: Complete Mediation, End-to-end Encryption, Reconnaissance, Inventory

“Am I taking advantage of my environment?”

Take advantage of the actor relationships, material resources, and strategic opportunities available in the environment.

Related concepts: Information Sharing, White Hat Testing, Deception, Common Tools

“What is correct behavior, and how am I ensuring it?”

Specify and enforce the expected states, behaviors, and processes governing the relevant systems and actors.

Related concepts: Governance, Requirements, Monitoring, Audits, Follow-Through

“Can this be a smaller target?”

Minimize the size, quantity, and complexity of what is to be protected, and limit externally facing points of attack.

Related concepts: Attack Surface, Compactness, Data Minimization

“Is this made of distinct parts with limited interactions?”

Isolate system elements, and enable and control the interactions that are strictly necessary for their intended purposes.

Related concepts: Modularity, Forward Secrecy, Least Privilege, Air Gapping, Cryptography

“What happens if this fails?”

Anticipate and address the potential compromise and failure of system elements and security controls.

Related concepts: Resilience, Failsafe Defaults, Defense in Depth, Revocability

“Is this worth it?”

Tailor security strategies to the magnitude of the risks, accounting for the practical constraints imposed by the mission and the environment.

Related concepts: Risk Management and Acceptance, Usability