Ten Rules of Information Security
by Jago Maniscalchi // December 4, 2011 // Risk Management // 1 Comment
There are a number of rules, or principles, that I firmly believe should be at the heart of any organisation’s Information Security programme. I’ve spent a number of years advising clients on these topics and thought it was time I captured them in a list. Here is a set of ten of the most important rules, the ones I find myself repeating most often. This is a living article, so if you disagree with any of the points, or think that I have missed something out, please drop us a comment at the end.
1. Know what you are protecting, and why you are protecting it
This is, by far, the most important rule of Information Security and it comes down to this simple fact: whatever you are doing, do it for a reason. Usually, security requirements lead back to the CIA triad (Confidentiality, Integrity, Accessibility), and so should all your risk assessments, your plans and your mitigations. Unlikely as it is, if none of your data is worth anything, then confidentiality should be a requirement that you put little if any resource into achieving.
2. Understand your enemy
Once you have decided what you are protecting and why, you need to identify the hostile actors that you will defend against. These could be your commercial competition, low level criminals, organised crime groups, state sponsored actors or even disgruntled employees. This rule should probably read “Understand your enemies”, because you will almost certainly identify more than one. You should also take note of the groups that you don’t need to worry about, and avoid wasting time defending against them.
When you have identified a group of hostile actors, you must devote time to understanding their capabilities. You should understand the attack vectors that they use regularly against similar organisations and also the defences that others have successfully used against them. Cooperation with partners (and even competitors) in your industry will be essential.
3. Defence should be in depth
Applying multiple layers of defence is a military tactic designed to reduce the momentum of an attacker, who you confront with a number of different defensive tactics one after another. It is a strategic decision to give some ground to the attacker, whilst buying time for the defender. The concept was first applied to Information Security by the National Security Agency (NSA) in the United States. In short – do not rely on one single defensive measure – complement your primary defences with a series of (always different) secondary and tertiary layers.
4. Accept some risk
Risk Management is not a process that reduces risk to zero – any attempt to do so will certainly fail, and will consume significant amounts of money and manpower. Instead, you should identify the risks in your business that are not acceptable, mitigate them as far as possible, and then accept whatever residual risk remains. Being comfortable with accepting risk (and being able to express that risk to management) is an important element of Information Security.
5. Technology is the least of your worries
Information Security is not just a technology problem, it is often a people problem. Although a few risks exist that are purely technological (disk drives crashing, and taking data off-line for example), your biggest threat is almost certainly your workforce. A maliciously motivated insider with access to your data can cause untold damage. Don’t forget that your most dedicated staff will also make mistakes (losing confidential disks, clicking on phishing links, connecting new computers to the network without permission) which you need to prepare for.
Further Reading: Secure Hiring Practice and Employee Controls.
6. Your strength is a function of your weakest link
I was at a trade exhibition in Europe in 1997 at which the manufacturer of a new firewall launched a ‘Capture the Flag’ competition. They placed a server in a cabinet and put the root password on a big poster for all to see. The server was behind their new firewall, and the challenge was to hack through the firewall, log in to the server with the password provided and retrieve the flag, which was a code saved in a text file. Hundreds of members of the public were queuing up to plug their laptops into the network and to attempt to hack through the firewall.
One clever pair of hackers tried a different attack vector. The first hacker distracted the staffer who was manning the stand. The second hacker opened the cabinet and logged onto the server using the keyboard and monitor inside. He retrieved the flag in seconds. The weak link? The cabinet wasn’t locked. You can build the tallest, smartest, strongest wall possible around your compound, but it is useless if you don’t lock the gate.
7. People are your solution
Rule 5 stated that ‘Technology is the least of your worries’ and that your biggest threat is usually your workforce – whether disgruntled or not. Once you’ve accepted this, the next stage is to realise that your people are also your biggest asset. As well as fulfilling the important role of generating your income, they are also your most effective (and intelligent) early warning system. Any security process that you design should have your people at its heart, and should focus on training them to add to your organisation’s security.
8. Security is a journey, not a destination
Remember that achieving a safe and secure operation is an ongoing process. The assets that you are protecting are constantly changing, as are your priorities. So too are those hostile actors who may wish to breach your security – new competitors will emerge, employees will come and go, criminal groups may move into, or out of, your market. Don’t set aside a fixed resource to ‘make the organisation secure’ – you’ll need to dedicate resource on an ongoing basis.
9. Get top cover
An effective Information Security programme will reach into all areas of an organisation, and will require changes in areas like corporate technology, human resources, finance and estates. An Information Security Officer must have agreement and sponsorship at board level for the changes they are trying to implement across the organisation. Without this sponsorship, introducing a security programme will be an uphill struggle.
10. Be honest
Mistakes will happen, intrusions will occur, and your employees will get things wrong. A culture of honesty – encouraging those who have made mistakes to come forward and admit them for the good of the organisation – is essential to protect security. If you can build an honest workforce, trained to consider security at all times, and motivated to put the organisation first, you will have most of your job complete.
One Comment on "Ten Rules of Information Security"
A lot of good posts. Congratulations, keep going.