The Information Security Practice Principles
Indiana University Center for Applied Cybersecurity Research
We believe high-level principles underly a great deal of existing information security thinking and practice, but they have remained generally under-researched and unarticulated in favor of normative artifacts that are highly detailed and are usually highly prescriptive (NIST RMF, CIS Critical Security Controls, ISO, HIPAA security rule). These artifacts may be loaded with great advice, but are difficult to understand without the benefit of significant prior training, and do little to help someone learn to “think like a security practitioner” or address novel, emergent situations. The following principles provide a mental model for information security problem solving: They can be used to teach new or non-practitioners (e.g., students, executives) about doing information security; they can help practitioners make decisions in novel situations (where an established best practice may not exist); and they can add validity and salience to existing, more-detailed statements of best practice.
(“Am I covering all of my bases?”)
Identify and account for all relevant systems, actors, and risks in the environment.
Related concepts: Complete Mediation, End-to-end Encryption, Reconnaissance, Inventory
(”Am I taking advantage of my environment?”)
Take advantage of the actor relationships, material resources, and strategic opportunities available in the environment.
Related concepts: Information Sharing, White Hat Testing, Deception, Common Tools
(”What is correct behavior, and how am I ensuring it?”)
Specify and enforce the expected states, behaviors, and processes governing the relevant systems and actors.
Related concepts: Governance, Requirements, Monitoring, Audits, Follow-Through
(”Can this be a smaller target?”)
Minimize the size, quantity, and complexity of what is to be protected, and limit externally facing points of attack.
Related concepts: Attack Surface, Compactness, Data Minimization
(“Is this made of distinct parts with limited interactions?”)
Isolate system elements, and enable and control the interactions that are strictly necessary for their intended purposes.
Related concepts: Modularity, Forward Secrecy, Least Privilege, Air Gapping, Cryptography
(”What happens if this fails?”)
Anticipate and address the potential compromise and failure of system elements and security controls.
Related concepts: Resilience, Failsafe Defaults, Defense in Depth, Revocability
(”Is this worth it?”)
Tailor security strategies to the magnitude of the risks, accounting for the practical constraints imposed by the mission and the environment.
Related concepts: Risk Management and Acceptance, Usability