Information Security Management Principles in a Nutshell

  • Security is an emergent property of people using information and information systems. Therefore, security is inherently dependent on this context.
  • It is possible to determine what people expect from information and information systems.
  • It is possible to increase the likelihood that those security expectations are met by using appropriate tools and processes.
  • An incident, by definition, is any instance in which a security expectation of a user is not met.
  • Lessons learnt from incidents must be used to improve tools and processes. The same type of incident should never happen twice.
  • The cost of tools and processes must be proportionate to the cost of the incidents they protect against.
  • Incidents should be prevented using two or more complementary tools and processes. This should eliminate single points of failure.
  • Protection and monitoring should be performed at the highest abstraction level possible, so that they protect against business-significant incidents. (Protect the pound, not the byte.)

If you liked this article, consider taking advanced ISMS training online via Udemy