Top 10 Laws of Security
By
Aladdin T. Dandis
Information Security Compliance Officer
Jordan eGovernment Program
Abstract
Understanding the laws of security lets every sector of an enterprise or government strengthen security within its own perimeter. The better these laws are understood, the better security is implemented. They apply to any business field or environment and can be implemented at any degree of simplicity or complexity. It is therefore important to understand the environment thoroughly before applying them, so that the security goals set by the owners are actually met.
1 Introduction
Analysis of a system is the key factor in managing it successfully. A system is a collection of functional and non-functional components that work together to meet the strategic objectives of the enterprise, so the relationships and processes among those components must be controlled. Without an acceptable level of security, every one of these components faces a variety of risks, and those risks are hard to mitigate to an acceptable level without sound security management. This paper proposes ten laws of security that apply to any system. Each law should work in concert with the others to provide a sustainable framework and robust integration for securing the enterprise.
2 First Law: Security is a process, not a product
This law is the conclusion of Bruce Schneier's well-known book "Secrets and Lies", and it is the natural starting point. Most decision makers treat security as a product: something more powerful or more capable than the other products they use. Technology therefore drives them, and they chase the latest updates to anti-malware, IDSs, firewalls and so on. This view reduces the effort spent on correct security implementation and leads end users to neglect their own responsibility for securing their environments.
Schneier therefore stresses this law to broaden our view of security to include the managerial and administrative processes that enforce and strengthen security within the perimeter, placing part of the responsibility on managers and end users. In practice this is realized through information security policies, standards, guidelines and procedures, together with a suitable and effective level of awareness so that information assets are handled responsibly.
3 Second Law: Security is a must-have, not a nice-to-have decision
In the past, security had not matured to the point of being essential: technology specialists were few and easy to identify. Most applications therefore used minimal security measures, sometimes optional ones, in order to keep systems usable and performance high. Today, high-performance machines remove that obstacle, and the number of "specialists" in security and technology, including hackers of every hat, white, black or grey, keeps growing. This should move security from optional to enforced. The more seriously management treats security, the higher the level of security that will be achieved.
4 Third Law: Security is built from the Core, not on the Edge
Complementing the second law, security should be applied step by step as the system is built, from requirements through analysis, design and implementation to retirement. Most security vendors apply their measures at the boundary of the system, forgetting that the relationships among information assets and the employees themselves are more dangerous. For example, deploying a firewall but giving any employee the ability to bypass or reconfigure it compromises the security of the whole enterprise. The separation of duties principle is therefore important: the roles of each employee, and the permissions each role is granted, should be determined before the system is built.
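To make the third law concrete, here is an added example (not part of the original post) of a role model in which separation of duties is decided before the system is built and then enforced in code, rather than bolted on at the edge. The roles, permissions and the firewall-change workflow are hypothetical; the point is that the system itself refuses a role combination or an action that would let one person both propose and approve a change.

```python
"""Separation of duties enforced in code: role assignment and change approval.

Added example, not from the original post. The roles, permissions and the
'firewall change' workflow are hypothetical and chosen to illustrate the
third law: decide who may do what before the system is built, then make the
system refuse assignments and actions that violate that decision.
"""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical roles and the permissions each one grants.
ROLE_PERMISSIONS = {
    "network_admin":     {"firewall:view", "firewall:propose_change"},
    "security_approver": {"firewall:view", "firewall:approve_change"},
    "auditor":           {"firewall:view", "audit:read"},
}

# Pairs of roles that no single person may hold at the same time.
# Whoever proposes a firewall rule change must not also be able to approve it.
MUTUALLY_EXCLUSIVE = {frozenset({"network_admin", "security_approver"})}


class SeparationOfDutiesError(Exception):
    """Raised when an assignment or action would let one person bypass a control."""


@dataclass
class Directory:
    """Users and the roles assigned to them (in-memory stand-in for an IdP)."""
    roles: dict = field(default_factory=dict)   # user -> set of role names

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        held = self.roles.get(user, set())
        for pair in MUTUALLY_EXCLUSIVE:
            conflicting = (pair - {role}) & held
            if role in pair and conflicting:
                raise SeparationOfDutiesError(
                    f"{user} already holds {sorted(conflicting)}; cannot also hold {role}")
        self.roles.setdefault(user, set()).add(role)

    def permitted(self, user: str, action: str) -> bool:
        return any(action in ROLE_PERMISSIONS[r] for r in self.roles.get(user, ()))


@dataclass
class FirewallChange:
    """A proposed rule change that needs a second, independent approver."""
    proposer: str
    rule: str
    approved_by: Optional[str] = None


def propose_change(directory: Directory, user: str, rule: str) -> FirewallChange:
    if not directory.permitted(user, "firewall:propose_change"):
        raise PermissionError(f"{user} may not propose firewall changes")
    return FirewallChange(proposer=user, rule=rule)


def approve_change(directory: Directory, change: FirewallChange, approver: str) -> FirewallChange:
    """Approve only if the approver has the permission *and* is not the proposer.

    The second check is deliberate defence in depth: even if the role
    exclusivity rule were later relaxed by mistake, self-approval still fails.
    """
    if not directory.permitted(approver, "firewall:approve_change"):
        raise PermissionError(f"{approver} may not approve firewall changes")
    if approver == change.proposer:
        raise SeparationOfDutiesError(f"{approver} cannot approve their own change")
    change.approved_by = approver
    return change


def demo() -> dict:
    """Run the workflow once on constructed users and report which controls fired."""
    d = Directory()
    d.assign("alice", "network_admin")
    d.assign("bob", "security_approver")
    result = {}
    try:                                   # alice may not collect both roles
        d.assign("alice", "security_approver")
        result["dual_role_blocked"] = False
    except SeparationOfDutiesError:
        result["dual_role_blocked"] = True
    change = propose_change(d, "alice", "allow tcp/443 from 10.0.0.0/8")
    try:                                   # alice may not approve her own proposal
        approve_change(d, change, "alice")
        result["self_approval_blocked"] = False
    except (PermissionError, SeparationOfDutiesError):
        result["self_approval_blocked"] = True
    result["approved_by"] = approve_change(d, change, "bob").approved_by
    return result


if __name__ == "__main__":
    print(demo())
```

The role exclusivity check runs at assignment time, so the conflict is refused before any system is touched; the proposer-is-not-approver check runs at action time as a second line of defence. Both belong in the system's core, where no administrator "convenience" setting can switch them off.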
5 Fourth Law: Understanding the business is the most crucial factor in a successful security level
Understanding the system simplifies the analysis of vulnerabilities and of the threats able to exploit them, and it simplifies the architecture of security. The better the system is understood, the better its security can be designed and implemented. For this reason many environments are now studied by security experts in collaboration with system analysts, so that they are understood and secured correctly and from more points of view.
6 Fifth Law: Security awareness is the most cost-effective security measure
Surveys of security incidents have shown that many security problems come from internal users. As a result, companies are broadening their view of security from a purely technical matter to one that includes awareness and investment in security people. Security awareness is a low-cost measure, but a very effective one, because the discussions and conversations it prompts among employees let them share their experience and knowledge.
Security awareness helps people handle information assets sensibly and raises the level of security in practice.
7 Sixth Law: Without periodic updates, security is out of date
This law follows from the first. A security level can be called "high" only if security measures are maintained and improved periodically, and this should be part of the enterprise's security policy. Many security officers are keen to install new security software and hardware (IDSs, IPSs, firewalls, anti-malware, monitoring tools and so on) without giving equal care to updates and support. Security officers must also keep their own knowledge current, following new trends and methodologies in both attacks and defences; systems stay hardened only if the professionals protecting them remain professionals. Research, training, reading, and attending courses, webcasts, conferences and workshops are some of the sources of such updates. Security professionals publish specialized blogs discussing new trends and problems, and programmers, especially in the open source community, provide updates and tools that fix security problems on various platforms. All of this raises the level of security and improves the ability of administrators and security officers to diagnose security problems and design suitable remedies.
8 Seventh Law: Trust is a result of security
Trust is the ultimate goal of security; without it, interactions and transactions are suspect. In e-commerce and e-government, trust is the main pillar of successful implementation and adoption. It is provided by high security standards and policies: the more successfully these are implemented, the higher the security level, and the more transactions can be trusted. Information security assurance is the part of security that focuses on this feature, supporting security with proactive measures to reach the level of trust the enterprise aims for. These measures should uphold the CIA triad: confidentiality, integrity and availability. Encryption, business continuity, information security governance and compliance are examples of security projects that support trust.
9 Eighth Law: Security is the responsibility of everyone
Most managers and employees believe that security is the responsibility of the security officers. This is a serious misconception. As the fifth law states, awareness is the most cost-effective security measure, and it follows that security is the responsibility of every employee and manager within the perimeter of the enterprise. This does not mean that everyone must know everything about security. Security officers analyse, architect, implement, test, maintain and manage security according to the published policies and standards; everyone else follows those policies and standards, uses the available security controls, and handles information assets with the expected level of awareness.
10 Ninth Law: Security is not just a technical issue
With reference to the first and eighth laws, security is not merely a technical issue. It is a mixture of political, economic, socio-cultural, managerial, legal and technical factors, and a correct security implementation must cover all of them. Security management therefore has to engage roles from different departments in order to obtain the right recommendations and feedback.
Political issues concern external relationships with other countries and the exchange of information. Economic issues cover the risks and the returns of security implementation. Legal issues include the laws and regulations that affect, or are affected by, information security management and practice. Management issues include policies, standards, separation of duties and the business continuity programme. Socio-cultural issues determine the factors and consequences of information security for the social and cultural life of employees and other stakeholders. Finally, technological issues are clearly important, especially in our networked world.
11 Tenth Law: Security, Privacy and Transparency should be managed carefully
Most people view security from the confidentiality perspective, but security is equally about integrity and availability. Privacy concerns the tracking and monitoring of identity and the collection of information that is not confidential but private. In the information age, and in the light of social responsibility and democracy, information should be disclosed to the community as far as possible; not all information is confidential or private, and for such public information integrity and availability matter just as much. Some managers, politicians or business owners try to hide information whose sensitivity level is merely "public" in order to hold on to their "kingdoms". As a result, many of those who eventually leave their "kingdoms" disclose, or are forced to disclose, this information for legal accountability and investigation.
Information should be kept public as far as possible; even where no privacy or confidentiality requirement exists, integrity and availability should still be provided.
12 Conclusions
Security is a culture. Nobody can claim to be 100% secure. More effort should be paid to protecting the entity's information assets and ensuring their integrity. Business is built on trust, and there is no trust without security. Human due care and due diligence are crucial factors in practising security awareness. Security issues must be revisited periodically to ensure that no vulnerabilities remain unaddressed. Finally, management, employees, teachers, students, doctors, families and so on should work together under predefined rules and strategic security objectives to secure their communities and environments.