The 8 Foundation Stones of Information Security

By Victor M. Font Jr.
August 20, 2018

There are eight foundation stones in Information Security:

  1. Information Security supports the mission of the organization.
  2. Information Security is an integral element of sound management.¹
  3. Information Security protections are implemented so as to be commensurate with risk.
  4. Information Security roles and responsibilities are explicit.
  5. Information Security responsibilities for system owners go beyond their own organization.
  6. Information Security requires a comprehensive and integrated approach.
  7. Information Security is assessed and monitored regularly.
  8. Information Security is constrained by societal and cultural factors.

Information Security Supports the Mission of the Organization

Management personnel are ultimately responsible for determining the level of acceptable risk for a specific system and the organization as a whole, while considering the cost of security controls. Since Information Security risk cannot be completely eliminated, the objective is to find the optimal balance between protecting the information or system and utilizing available resources. It is vital for systems and related processes to have the ability to protect information, financial assets, physical assets, and employees, while also taking resource availability into consideration.

Information Security Protections Are Implemented So As to Be Commensurate with Risk

Risk to a system can never be completely eliminated. Therefore, it is crucial to manage risk by striking a balance between usability and the implementation of security protections. The primary objective of risk management is to implement security protections that are commensurate with risk. Applying unnecessary protections may waste resources and make systems more difficult to use and maintain. Conversely, not applying measures needed to protect the system may leave it and its information vulnerable to breaches in confidentiality, integrity, and availability, all of which could impede or even halt the mission of the organization.

Information Security Roles and Responsibilities Are Explicit

The roles and responsibilities of system owners, common control providers, authorizing officials, system security officers, users, and others are clear and documented. If the responsibilities are not made explicit, management may find it difficult to hold personnel accountable for future outcomes.

Information Security Responsibilities for System Owners Go Beyond Their Own Organization

Users of a system are not always located within the boundary of the system they use or have access to. For example, when an interconnection between two or more systems is in place, Information Security responsibilities might be shared among the participating organizations. When such is the case, the system owners are responsible for sharing the security measures used by the organization to provide confidence to the user that the system is adequately secure and capable of meeting security requirements. In addition to sharing security-related information, the incident response team has a duty to respond to security incidents in a timely fashion in order to prevent damage to the organization, personnel, and other organizations.

Information Security Requires A Comprehensive and Integrated Approach

Providing effective Information Security requires a comprehensive approach that considers a variety of areas both within and outside of the Information Security field. This approach applies throughout the entire system life cycle.

Security controls are seldom put in place as stand-alone solutions to a problem. They are typically more effective when paired with another control or set of controls. Security controls, when selected properly, can have a synergistic effect on the overall security of a system. Each security control has a related controls section listing the security control(s) that complement that specific control. If users do not understand these interdependencies, the results can be detrimental to the system.

Interdependencies between and amongst security controls are not the only factor that can influence the effectiveness of security controls. System management, legal constraints, quality assurance, privacy concerns, and internal and management controls can also affect the functionality of the selected controls. System managers must be able to recognize how Information Security relates to other security disciplines like physical and environmental security.

Information Security Is Assessed and Monitored Regularly

Information Security is not a static process and requires continuous monitoring and management to protect the confidentiality, integrity, and availability of information as well as to ensure that new vulnerabilities and evolving threats are quickly identified and responded to accordingly. In the presence of a constantly evolving workforce and technological environment it is essential that organizations provide timely and accurate information while operating at an acceptable level of risk.

Information Security Is Constrained by Societal and Cultural Factors

Societal factors influence how individuals understand and use systems, which consequently impacts the Information Security of the system and organization. Individuals perceive, reason, and make risk-based decisions in different ways. To address this, organizations make Information Security functions transparent, easy to use, and understandable. Additionally, providing regularly scheduled security awareness training mitigates individual differences in risk perception.

As with societal factors, how an organization conducts business can serve as a cultural factor worth considering when dealing with Information Security. An organization’s own culture can impact its response to Information Security. Careful explanation of the risks associated with the business practices can help in the transparency and acceptance of the recommended Information Security practices.

To learn more, download our free Cybersecurity eBook.

¹ Sound management refers to due diligence in taking all practical steps to ensure that Information Security management decisions are made in such a way that they not only protect the information stored, processed, and transmitted by an organization, but also the systems that fall under the purview of the organization.

About Victor M. Font Jr.

Victor M. Font Jr. is an award-winning author, entrepreneur, and Senior IT Executive. A Founding Board Member of the North Carolina Executive Roundtable, he has served on the Board of Advisors of the North Carolina Technology Association, the International Institute of Business Analysis, the Association of Information Technology Professionals, Toastmasters International, and the North Carolina Commission for Mental Health, Developmental Disabilities, and Substance Abuse Services. He is the author of several books, including The Ultimate Guide to the SDLC, Winning With WordPress Basics, and Cybersecurity.