There are eight foundation stones in Information Security:
- Information Security supports the mission of the organization.
- Information Security is an integral element of sound management.1
- Information Security protections are implemented so as to be commensurate with risk.
- Information Security roles and responsibilities are explicit.
- Information Security responsibilities for system owners go beyond their own organization.
- Information Security requires a comprehensive and integrated approach.
- Information Security is assessed and monitored regularly.
- Information Security is constrained by societal and cultural factors.
Information Security Supports the Mission of the Organization
Management personnel are ultimately responsible for determining the level of acceptable risk for a specific system and the organization as a whole, while considering the cost of security controls. Since Information Security risk cannot be completely eliminated, the objective is to find the optimal balance between protecting the information or system and utilizing available resources. It is vital for systems and related processes to have the ability to protect information, financial assets, physical assets, and employees, while also taking resource availability into consideration.
Information Security Protections Are Implemented So as To Be Commensurate with Risk
Risk to a system can never be completely eliminated. Therefore, it is crucial to manage risk by striking a balance between usability and the implementation of security protections. The primary objective of risk management is to implement security protections that are commensurate with risk. Applying unnecessary protections may waste resources and make systems more difficult to use and maintain. Conversely, not applying measures needed to protect the system may leave it and its information vulnerable to breaches in confidentiality, integrity, and availability, all of which could impede or even halt the mission of the organization.
Information Security Roles and Responsibilities Are Explicit
The roles and responsibilities of system owners, common control providers, authorizing officials, system security officers, users, and others are clear and documented. If the responsibilities are not made explicit, management may find it difficult to hold personnel accountable for future outcomes.
Information Security Responsibilities for System Owners Go Beyond Their Own Organization
Users of a system are not always located within the boundary of the system they use or have access to. For example, when an interconnection between two or more systems is in place, Information Security responsibilities might be shared among the participating organizations. When such is the case, the system owners are responsible for sharing the security measures used by the organization to provide confidence to the user that the system is adequately secure and capable of meeting security requirements. In addition to sharing security-related information, the incident response team has a duty to respond to security incidents in a timely fashion in order to prevent damage to the organization, personnel, and other organizations.
Information Security Requires A Comprehensive and Integrated Approach
Providing effective Information Security requires a comprehensive approach that considers a variety of areas both within and outside of the Information Security field. This approach applies throughout the entire system life cycle.
Security controls are seldom put in place as stand-alone solutions to a problem. They are typically more effective when paired with another control or set of controls. Security controls, when selected properly, can have a synergistic effect on the overall security of a system. Each security control has a related controls section listing security control(s) that compliment that specific control. If users do not understand these interdependencies, the results can be detrimental to the system.
Interdependencies between and amongst security controls are not the only factor that can influence the effectiveness of security controls. System management, legal constraints, quality assurance, privacy concerns, and internal and management controls can also affect the functionality of the selected controls. System managers must be able to recognize how Information Security relates to other security disciplines like physical and environmental security.
Information Security Is Assessed and Monitored Regularly
Information Security is not a static process and requires continuous monitoring and management to protect the confidentiality, integrity, and availability of information as well as to ensure that new vulnerabilities and evolving threats are quickly identified and responded to accordingly. In the presence of a constantly evolving workforce and technological environment it is essential that organizations provide timely and accurate information while operating at an acceptable level of risk.
Information Security Is Constrained by Societal and Cultural Factors
Societal factors influence how individuals understand and use systems which consequently impacts the Information Security of the system and organization. Individuals perceive, reason, and make risk-based decisions in different ways. To address this, organizations make Information Security functions transparent, easy to use, and understandable. Additionally, providing regularly scheduled security awareness training mitigates individual differences of risk perception.
As with societal factors, how an organization conducts business can serve as a cultural factor worth considering when dealing with Information Security. An organization’s own culture can impact its response to Information Security. Careful explanation of the risks associated with the business practices can help in the transparency and acceptance of the recommended Information Security practices.
To learn more, download our free Cybersecurity eBook.