
Security Principles

Principles provide general governance-level guidance to establish and maintain the security of information.

Security Principles target organizational governance and executive management. They outline
high-level recommendations to help organizations solidify an effective Information Security
strategy, and include conceptual goals relating to accountability, ethics, integration and
assessment.
The generally accepted information security principles are:
• Accountability Principle
• Awareness Principle
• Equity Principle
• Ethics Principle
• Integration Principle
• Multidisciplinary Principle
• Proportionality Principle
• Reassessment Principle
• Timeliness Principle
These information security principles have been proven in practice and accepted by practitioners,
and draw upon established security guidance and standards to create comprehensive, objective
guidance for information security professionals, organizations, governments, and users.
The use of these generally accepted information security principles:
• Promotes good Information Security practices at all levels of organizations;
• Creates an increase in management confidence that Information Security is being assured in a consistent, measurable and cost-efficient manner;
• Is an authoritative source for opinions, practices, and principles for information owners, security practitioners, technology products, and IT systems;
• Encourages broad awareness of Information Security requirements and precepts;
• Enables organizations to seek improved cost structures and program management through use of proven practices and global principles rather than varied, local, or product-specific guidelines;
• Is written hierarchically to allow application to any appropriate level of the organization or IT infrastructure, from the Corporate Board to the technical staff working “in the trenches”.

The security principles section is based on the work done by the International Information Security Foundation
(IISF) to produce the Generally Accepted System Security Principles, and the Information Systems Security
Association (ISSA) project to develop Commonly Accepted Security Practices and Recommendations (CASPR)
which now have been merged to develop the Generally Accepted Information Security Principles (GAISP).

© 2005, Halting the Hacker, LLC
Accountability Principle

Management shall hold all parties accountable for their access to and use of information,
e.g., additions, modifications, copying and deletions, and supporting Information
Technology resources. It must be possible to affix the date, time, and responsibility to the
level of an individual for all significant events.

Accountability characterizes the ability to audit the actions of all parties and all processes that
interact with information. Roles and responsibilities are clearly defined, identified, and authorized
at a level commensurate with the sensitivity and criticality of information. The relationship
between all parties, processes, and information must be clearly defined, documented, and
acknowledged by all parties. All parties must have responsibilities for which they are held
accountable.
• Identification & Authentication – Positive identification and proper attribution of events is crucial to accountability.
    • Unique Identification is necessary for individual accountability. An account is to be used by a single individual. There should be no sharing of accounts or passwords.
    • Universal Identification is required to be able to attribute all activities to individuals. Anonymous access to any significant resource should not be allowed.
    • Uniform Identification is used to associate an individual to his/her identifier on all applicable systems to be able to produce a complete representation of activities.
    • Strong Authentication is necessary to provide a high level of confidence in the accuracy of the identity. It shall include a shared secret, a physical token or a measurable attribute.
• Authorization defines the level of access granted and provides more granularity of accountability.
    • Business Need shall be demonstrated before any authorizations are granted.
    • Least Privileges will be provided to successfully complete the required task to reduce the possibility of accidental or malicious misuse.
• Monitoring and Auditing – Accountability is dependent on monitoring and the creation of logs that form an audit trail. The activities of every user must be monitored and recorded so that they can be held accountable for their actions.
    • Accurate Time is necessary to ensure the association of activities between systems.
    • Logging must be adequate to record those events necessary to associate the activities of information systems with the individual who initiated them.
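As an added illustration of the Accountability principle (not code from the original document), the following correlator takes constructed log records from two systems that use different local account names and time zones, maps them onto a uniform identity, normalises the clocks to UTC, and reports records that cannot be attributed to an individual. The log layout and the identity mapping are assumptions made for the example.

```python
from datetime import datetime, timezone, timedelta

# Uniform identification: each system-local account resolves to one individual.
# Constructed mapping; in practice this comes from the identity directory.
IDENTITY_MAP = {
    ("vpn", "jdoe"): "jane.doe",
    ("db", "JDOE_APP"): "jane.doe",
    ("vpn", "rroe"): "richard.roe",
}

# Constructed sample records from two systems that log in different local
# time zones: (system, local timestamp, UTC offset in hours, account, host, action)
SAMPLE_EVENTS = [
    ("vpn", "2005-03-01 08:00:00", -5, "jdoe", "10.0.0.5", "login"),
    ("db", "2005-03-01 13:02:10", 0, "JDOE_APP", "10.0.0.5", "select customers"),
    ("vpn", "2005-03-01 08:05:00", -5, "jdoe", "192.0.2.9", "login"),
    ("db", "2005-03-01 13:10:00", 0, "", "10.0.0.7", "delete orders"),
]


def to_utc(local_ts: str, offset_hours: int) -> datetime:
    """Accurate Time: put every record on one clock (UTC) so activity on
    different systems can be ordered and associated."""
    tz = timezone(timedelta(hours=offset_hours))
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def build_audit_trail(events):
    """Return (trail, findings).

    trail maps each individual to their time-ordered (utc, system, action)
    events across all systems. findings lists records that cannot be held
    to an individual and so break the accountability principle."""
    trail = {}
    findings = []
    hosts_seen = {}  # (system, account) -> hosts the account was used from
    for system, local_ts, offset, account, host, action in events:
        when = to_utc(local_ts, offset)
        if not account:
            # Universal identification: anonymous access to a significant resource
            findings.append(f"{when.isoformat()} {system}: anonymous '{action}' from {host}")
            continue
        person = IDENTITY_MAP.get((system, account))
        if person is None:
            # Uniform identification: a local account no individual answers for
            findings.append(f"{when.isoformat()} {system}: unmapped account '{account}'")
            continue
        # Unique identification: one account seen from several hosts in the
        # reviewed period suggests a shared account, so attribution is unreliable
        hosts = hosts_seen.setdefault((system, account), set())
        if hosts and host not in hosts:
            findings.append(f"{when.isoformat()} {system}: account '{account}' "
                            f"also used from {host}; possible shared account")
        hosts.add(host)
        trail.setdefault(person, []).append((when, system, action))
    for person in trail:
        trail[person].sort()
    return trail, findings


if __name__ == "__main__":
    trail, findings = build_audit_trail(SAMPLE_EVENTS)
    for person, events in trail.items():
        print(person)
        for when, system, action in events:
            print(f"  {when.isoformat()} {system:4} {action}")
    print("findings:", *findings, sep="\n  ")
```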

Awareness Principle

Management shall communicate information security policy to all personnel and ensure
that all are appropriately aware. Education shall include standards, baselines, procedures,
guidelines, responsibilities, related enforcement measures, and consequences of failure to
comply.

This principle applies between and within organizations. Awareness of information security
principles, standards, conventions, and mechanisms enhances and enables controls and can
help to mitigate threats. Awareness of threats and their significance also increases user
acceptance of controls. Without user awareness of the necessity for particular controls, the users
can pose a risk to information by ignoring, bypassing, or overcoming existing control
mechanisms. The awareness principle applies to unauthorized and authorized parties.
• Openness of Design – Having a complete understanding of a security process or mechanism should in no way reduce the effectiveness of the security it provides. This is meant to assist those with a legitimate interest to learn of or be informed about the security of an information system.
• Information Security Policy – Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security. Such guidance must assign responsibility, the level of discretion, and how much risk each individual or organizational entity is authorized to assume.
• Roles and Responsibilities – The organization and all its units must assure that all users are aware of their roles and responsibilities with the organization’s resources. Adequate guidance must be provided to assure that all users have the skills and knowledge necessary to provide the proper level of security to the resource.
• Responsibilities and Accountability – The responsibilities and accountability of owners, providers, and users of computer systems and other parties concerned with the security of those systems should be explicit. The assignment of responsibilities may be internal to an organization or may extend across organizational boundaries.
• Education and Awareness – Management shall communicate information security policy to all personnel and ensure that all are appropriately aware. Education shall include standards, baselines, procedures, guidelines, responsibilities, related enforcement measures, and consequences of failure to comply.
• External Notification – If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system is adequately secure.

Equity Principle

The security of information systems should be compatible with the legitimate use and flow
of data and information in a democratic society.

Information security measures implemented by an organization should not infringe upon the
obligations, rights, and needs of legitimate users, owners, and others affected by the information
when exercised within the legitimate parameters of the mission objectives. The security interests
must be weighed against the legitimate interests in the use and flow of information with the aim of
striking a balance in accordance with the principles of a democratic society.
• Access Control – Individual employees and other parties are restricted from access to information assets and supporting Information Technology resources that do not directly relate to their work requirements, assigned objectives, or legitimate, authorized need.
    • Need to Know – Access to resources will only be granted if there is a demonstrated and legitimate need based upon normal job duties and falling within the purpose and scope for which the data were collected or consent given, consistent with applicable law and with other parts of these guidelines.
    • Least Privilege – The minimum privileges, rights or capabilities necessary to perform the legitimate activity will be given to an entity. The entity shall have access to these privileges, rights or capabilities for only as long as it takes to perform the legitimate activity.
• Simplicity – Access controls for both paper and electronic information should allow authorized individuals to obtain access as easily as possible, while at the same time protecting the confidentiality and integrity of the information.
• Acceptability – Security mechanisms should not make the resource difficult to use.
• Education – Before being given access to information systems, individuals should be trained in the importance of protecting information and information systems and the methods to provide this protection as well as the proper method of reporting violations.
• Fail-Secure – All systems should be implemented so that their default state provides the highest level of security and that the security level is not reduced during a system failure or restart. Reassigning the level of security shall be a security administrator activity which requires proper justification.
    • Trusted Recovery ensures that the system can be brought to full operation without any lapse in security which could compromise the information or the information system.
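The Need to Know, Least Privilege and Fail-Secure items above can be made concrete in a small authorization check; the following is an added example, not code from the original document. Each grant records its business need, the minimal privilege set and an expiry, and every path that is not an explicit, valid, unexpired grant denies access, including an internal error in the check itself. The grant structure and the decide()/revoke_expired() interface are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    privileges: frozenset        # least privilege: only what the task needs
    business_need: str           # need to know: justification recorded with the grant
    expires_at: datetime         # access lasts only as long as the task


class Authorizer:
    def __init__(self, grants):
        self._grants = {(g.subject, g.resource): g for g in grants}

    def decide(self, subject, resource, privilege, now=None):
        """Return (allowed, reason). Anything other than an explicit, justified,
        unexpired grant covering this privilege is denied: the fail-secure default."""
        try:
            now = now or datetime.now(timezone.utc)
            grant = self._grants.get((subject, resource))
            if grant is None:
                return False, "no grant"
            if not grant.business_need.strip():
                return False, "grant lacks business need"
            if now >= grant.expires_at:
                return False, "grant expired"
            if privilege not in grant.privileges:
                return False, f"privilege '{privilege}' not in least-privilege set"
            return True, "granted"
        except Exception as exc:
            # A failure inside the check (here, e.g. a naive datetime compared
            # against an aware one) must fail closed, never open.
            return False, f"error, denying: {exc}"

    def revoke_expired(self, now):
        """Housekeeping in the spirit of Trusted Recovery: drop expired grants so
        a restart never reinstates access that should already have lapsed."""
        expired = [k for k, g in self._grants.items() if now >= g.expires_at]
        for k in expired:
            del self._grants[k]
        return len(expired)


# Constructed sample grants: a four-hour, read-only grant with a recorded need,
# and a broader grant whose business need was never filled in.
T0 = datetime(2005, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("jane.doe", "payroll-db", frozenset({"read"}),
          "Q1 payroll reconciliation, ticket PR-0001 (constructed)", T0 + timedelta(hours=4)),
    Grant("richard.roe", "payroll-db", frozenset({"read", "write"}), "", T0 + timedelta(hours=4)),
]


if __name__ == "__main__":
    az = Authorizer(SAMPLE_GRANTS)
    for who, priv, at in [("jane.doe", "read", T0 + timedelta(hours=1)),
                          ("jane.doe", "write", T0 + timedelta(hours=1)),
                          ("jane.doe", "read", T0 + timedelta(hours=5)),
                          ("richard.roe", "read", T0 + timedelta(hours=1))]:
        print(who, priv, az.decide(who, "payroll-db", priv, at))
```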

Ethics Principle

Information systems and the security of information systems should be provided and used
in such a manner that the rights and legitimate interests of others are respected.

Information systems pervade our societies and cultures. Rules and expectations are evolving with
regard to the appropriate provision and use of information systems and the security of information
systems. This principle supports the development of social norms in these areas. Important
aspects are the expression of these norms to all members of society and inculcation of these
concepts from a very young age.
• Compliance – Management shall take steps to be aware of and address all legal, regulatory, and contractual requirements pertaining to information assets. In order for an organization to diligently comply with all legal, regulatory, and contractual requirements associated with its operations, it is necessary to ensure that no requirement exists for which compliance measures have not been put in place. As part of this effort, plans should also be in place to address potential actions against the organization should their policy, processes, or actions be called into question.
• Code of Ethical Conduct – Management shall promote a code of ethics that outlines for all employees a set of actions, behaviors, and conduct guidelines with respect to information security and information use. The code sets forth expectations for conduct that may not be illegal but may be contrary to an organization’s policy or belief. Behavior outside the bounds of the code would be considered unethical.
• Appropriate Use – Management shall define the boundaries of acceptable use of information and information systems to ensure that information technology is used to promote the mission of the organization.

Integration Principle

Measures, practices and procedures for the security of information systems should be
coordinated and integrated with each other and with other measures, practices and
procedures of the organization so as to create a coherent system of security.

Many breaches of information security involve the compromise of more than one safeguard. The
most effective security measures are components of an integrated system of controls. Information
security is most efficient when planned, managed, and coordinated throughout the organization’s
system of controls and the life of the information asset.
• Enterprise Security Architecture – When implementing policies and/or procedures regarding confidentiality, availability, or integrity of information, consideration will be given to what already exists in the organization to ensure consistent practice. Security controls often depend upon the proper functioning of other controls. If appropriately chosen, managerial, operational, and technical controls can work together synergistically.
• Commonality of Approach – Security processes shall be coordinated and integrated with each other and with other measures, procedures and practices of the organization to create a coherent system of information security. Logically parallel barriers or techniques are implemented similarly to minimize the range of potential vulnerabilities.
    • Baselines define the minimum level of security requirements which must be provided.
    • Standards define the method by which security controls are to be implemented. If the standard is unable to be met, an exception must be created which defines how the same level of security will be provided.
    • Zones of Trust define areas with common security requirements and administration.
    • Security Perimeters define the boundaries of the zones of trust where chokepoints and checkpoints must be put into place to control the flow between the different zones.
    • Complete Mediation of all access attempts across a security perimeter must be checked to assure compliance with access controls.
• Overlapping Security Controls provide greater security through redundancy and diversity. If one control in the system of controls is compromised, other controls can provide a safety net to limit or prevent the loss.
    • Defense-in-Depth – There should be multiple layers of security mechanisms, designed to overlap with each other, so that no failure of a single mechanism will compromise the system.
    • Defense-by-Diversity – There should be multiple types of security mechanisms, built on differing security technologies, reducing the likelihood that a security vulnerability will exist in multiple security systems and increasing the range of skills, tools and knowledge an attacker needs to compromise the system.
• Lifecycle Integration – Security of information systems is best considered when the system is being designed. Measures for security may be formulated and tested to avoid incompatibility. Overall costs of security may also be reduced. Security is required at all phases of the information cycle -- gathering, creating, processing, storing, transmitting and deleting. Security is only as good as the weakest link in the system.

Multidisciplinary Principle

Measures, practices and procedures for the security of information systems should take
account of and address all relevant considerations and viewpoints, including technical,
administrative, organizational, operational, commercial, educational and legal.

When devising and maintaining measures, practices and procedures for the security of
information systems, it is important to review the full spectrum of security needs and available
security options. In an organization, for example, this would involve consultation with technical
personnel, management, the legal department, users and others. All these resources should be
consulted and combined to produce an optimal level of security for the information system.
Similarly, on a policy level, technical standards, codes of practice, legislation, public awareness,
education and training for security of information systems may be mutually reinforcing.
• Physical Security
    • Environmental Management – Management shall consider and compensate for the risks inherent to the internal and external physical environment where information assets and supporting Information Technology resources and assets are stored, transmitted, processed, or used.
• Personnel Security
    • Appropriate Use Policy sets guidelines on what activities are acceptable and unacceptable.
    • Separation of Duties provides checks and balances by dividing responsibility for sensitive processes so that no individual acting alone can compromise the security of the system.
    • Rotation of Duties provides opportunity for monitoring by providing a new set of eyes to a process, which can uncover irregularities.

Proportionality Principle

Security levels, costs, measures, practices and procedures should be appropriate and
proportionate to the value of and degree of reliance on the information systems and to the
severity, probability and extent of potential harm, as the requirements for security vary
depending upon the particular information systems.

Security controls should be commensurate with the value of the information assets and their
vulnerability. Consider the value, sensitivity and criticality of the information, and the probability,
frequency and severity of direct and indirect harm or loss. This principle recognizes the value of
approaches to information security risk management, ranging from prevention to acceptance.
• Information Asset Management – Management shall routinely catalog and value information assets, and assign levels of sensitivity and criticality. Information, as an asset, must be uniquely identified and responsibility for it assigned.
    • Asset Inventory – All information assets need to be identified and a value assigned to each asset.
    • Security Classification – All information assets need to be assigned a security classification based on the potential loss if the confidentiality, integrity or availability of the asset is compromised.
• Information Risk Management – Management shall ensure that information security measures are appropriate to the value of the assets and the threats to which they are vulnerable.
    • Threat Assessment is the process of identifying any circumstance or event with the potential to cause harm. The common threat-sources can be natural, human, or environmental.
    • Vulnerability Assessment is an analysis of the system environment to determine flaws or weaknesses that could be exploited by the potential threat-sources.
    • Exposure Assessment should determine the likelihood and magnitude of losses associated with the defined resource-threat-vulnerability scenarios.

Reassessment Principle

The risks to information and information systems should be assessed periodically, as information systems and the requirements for their security vary over time.

Information and the requirements for its security vary over time. It is important to implement a
formal process to monitor and measure the risks to the information, its value, and the probability,
frequency, and severity of direct and indirect harm/loss. Periodic assessment identifies and
measures the variances from available and established security measures and controls and the
risk associated with such variances. Periodic assessment enables accountable parties to make
informed information risk management decisions whether to accept, mitigate, or transfer the
identified risks with due consideration of cost effectiveness.
• Control Measurement – evaluates the cost of implementing and maintaining each of the security options under consideration. The level and type of security should then be weighed against the severity and probability of harm and its costs as well as the cost of the security measures. This analysis should be carried out for the information system in the context of all other relevant procedures and systems, including other information systems.
    • Cost-Effectiveness – The costs and benefits of security should be carefully examined in both monetary and nonmonetary terms to ensure that the cost of controls does not exceed expected benefits.
    • Operation-Effectiveness – The impact on operations for both the users and the administration of the systems must be measured and evaluated.
• Control Analysis evaluates and enumerates the security measures, practices and procedures available to protect the various elements of the information system.
    • Adequacy – The security design shall be examined to determine the appropriateness of the security controls.
    • Effectiveness – The security measures shall be tested to determine the effectiveness of the controls in the working environment.
• Control Improvement and Refinement determines changes needed to improve managerial, technical and operational security controls.
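The Proportionality items (asset classification, threat, vulnerability and exposure assessment) and the Reassessment items (control measurement and cost-effectiveness) describe one calculation, worked here as an added example that is not part of the original document: exposure per resource-threat-vulnerability scenario is likelihood times magnitude, each candidate control's annual cost is weighed against the loss it avoids, and the outcome is an accept, mitigate or transfer decision. All asset values, likelihoods, control costs and the risk tolerance are constructed figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    classification: str        # security classification from the asset inventory
    threat: str
    vulnerability: str
    annual_likelihood: float   # expected occurrences per year
    magnitude: float           # loss per occurrence, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    scenario_index: int        # which scenario the control addresses
    annual_cost: float
    likelihood_reduction: float  # fraction of the likelihood the control removes


def exposure(s: Scenario) -> float:
    """Exposure assessment: annualised expected loss for one scenario."""
    return s.annual_likelihood * s.magnitude


def evaluate_control(s: Scenario, c: Control) -> dict:
    """Control measurement: loss avoided versus annual cost. A negative net
    benefit means the control costs more than the harm it prevents."""
    avoided = exposure(s) * c.likelihood_reduction
    return {"control": c.name, "avoided_loss": avoided,
            "annual_cost": c.annual_cost, "net_benefit": avoided - c.annual_cost}


def recommend(scenarios, controls, risk_tolerance: float):
    """Per scenario: mitigate with the most cost-effective control if one pays
    for itself; otherwise accept the exposure if it is within tolerance, or
    transfer it (e.g. insurance) if it is not."""
    decisions = []
    for i, s in enumerate(scenarios):
        options = [evaluate_control(s, c) for c in controls if c.scenario_index == i]
        worthwhile = [o for o in options if o["net_benefit"] > 0]
        if worthwhile:
            best = max(worthwhile, key=lambda o: o["net_benefit"])
            decisions.append((s.asset, "mitigate", best["control"]))
        elif exposure(s) <= risk_tolerance:
            decisions.append((s.asset, "accept", None))
        else:
            decisions.append((s.asset, "transfer", None))
    return decisions


# Constructed risk register: three scenarios and four candidate controls.
SCENARIOS = [
    Scenario("customer-db", "confidential", "external intrusion", "unpatched web server", 0.2, 500_000),
    Scenario("intranet-wiki", "internal", "accidental deletion", "no backups", 1.0, 2_000),
    Scenario("data-centre", "critical", "flood", "ground-floor location", 0.02, 3_000_000),
]
CONTROLS = [
    Control("patch management", 0, 30_000, 0.8),
    Control("web application firewall", 0, 90_000, 0.5),
    Control("nightly backups", 1, 5_000, 0.9),
    Control("relocate hardware", 2, 400_000, 1.0),
]
RISK_TOLERANCE = 10_000   # constructed: exposure the organisation will accept


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.asset:14} {s.classification:13} exposure={exposure(s):,.0f}")
    for asset, decision, control in recommend(SCENARIOS, CONTROLS, RISK_TOLERANCE):
        print(f"{asset:14} {decision:9} {control or ''}")
```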

Timeliness Principle

Public and private parties, at both national and international levels, should act in a timely
coordinated manner to prevent and to respond to breaches of security of information
systems.

Parties may need to act together swiftly to meet challenges to the security of information systems.
Depending upon the security breach, the relevant parties may be members of the public or
private sectors and may be located in different countries or jurisdictions. This principle recognizes
the need for the public and private sectors to establish mechanisms and procedures for rapid and
effective cooperation in response to serious security breaches.
• Business Impact Analysis determines the impact an individual business unit would sustain subsequent to a significant interruption of computing or telecommunication service. These impacts may be financial, in terms of monetary loss, or operational, in terms of inability to deliver.
    • Mission Critical Processes must be identified for proper prioritization of security efforts.
    • Impact of Disruptive Events should be evaluated to determine the likelihood of the events and consequences resulting from them.
    • Recovery Requirements define the maximum tolerable downtime for critical processes.
• Incident Management – Management shall provide the capability to respond to and resolve information security incidents expeditiously and effectively in order to ensure that any business impact is minimized and that the likelihood of experiencing similar incidents is reduced.
    • The Incident Detection and Response Plan must be developed, deployed and tested to assure that a timely response can be achieved.
    • The Incident Escalation Plan defines the process to increase the resources on an incident.
• Operational Continuity and Contingency Planning – Enterprise-wide business continuity planning should consider every critical aspect of its business in creating a plan for how it will respond to disruptions. It cannot limit the plan to the restoration of information technology systems and services; it must consider every critical business unit, including personnel, physical workspace, and similar issues, so it will be able to resume serving its customers at acceptable levels.
    • Business Continuity Planning counteracts interruption to business activities and should be available to protect critical business processes from the effects of major failures or disasters. It deals with the natural and man-made events and the consequences if not dealt with promptly and effectively.
    • Business Resumption Planning addresses the restoration of business processes after an emergency.
    • Disaster Response Planning applies to major, usually catastrophic, events that deny access to the normal facility for an extended period and focuses on restoring the operability of the target system, application, or computer facility at an alternate site after an emergency.
    • The Occupant Emergency Plan provides the response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property.
