44 infosec principles (Hinson tips)


Thinking about the principles underpinning information risk and security, here's a tidy little stack of 44 "Hinson tips" - one-liners to set the old brain cells working this chilly mid-Winter morning:

  • Address information confidentiality, integrity and availability, broadly
  • Address internal and external threats, both deliberate and accidental/natural
  • Celebrate security wins: they are rare and valuable
  • Complete security is unattainable, an oxymoron
  • Complexity is the arch-enemy of security: the devil's in the details
  • Consider all stakeholders - users, administrators, maintainers and attackers
  • Consider threats, vulnerabilities and impacts
  • Controls modify or maintain risk
  • Defence-in-depth layers complementary controls of different types
  • Don't trust anything untrustworthy
  • Ensure business continuity through resilience, recovery and contingency
  • Even barely sufficient security is a business-enabler
  • Excessive security is a business-impediment, more likely to be bypassed
  • Exploiting information can be a good or a bad thing, depending on context
  • Failure is a possibility, so fail-safe means fail-secure
  • Focus on significant risks and the associated key controls
  • General-purpose controls such as oversight and awareness bolster the rest
  • Given practical limits to attainable security, residual risks are inevitable
  • Good security isn't costly: it's valuable, good for business
  • Identify, evaluate and treat risks systematically
  • Information content is a valuable yet vulnerable asset
  • Lack of control is neither threat nor vulnerability
  • Offensive security is a viable approach, within reason
  • People can be our greatest threats and our most valuable allies
  • Reducing exposure reduces risk
  • Residual (e.g. accepted, shared or unidentified) risks are still risks
  • Risk management is inherently risky, prone to failure
  • Risk-aligned planning gives diminishing returns
  • Risks combine the probability of occurrence with consequences of incidents
  • Risk mitigation is not risk elimination
  • Security and risk are dynamic, so proactively maintain and improve security
  • Security and risk are inherently linked
  • Security can be an illusion
  • Security is a process, an outcome and a state of mind
  • Security maturity is the result of learning and improving
  • Security must be cost-effective to add value and so justify its existence
  • Stakeholder understanding and support is vital for long-term success
  • Systematically engineer security - build it up from solid foundations
  • Threats are anything, anyone or any situation with the potential to cause harm
  • Transparency and openness increase assurance, confidence and trust
  • Trust depends on supporting controls such as assurance
  • Unlike responsibility, accountability cannot be delegated or denied
  • Unmaintained, unloved, unused controls are unreliable, subject to entropy and decay
  • Vulnerabilities are inherent weaknesses

Mostly they concern information risk and security in the general corporate/organisational context as opposed to being personal, national or cyber/IT-specific.

Some of them are quite similar or clearly related and could be combined - and I just know there are others worth adding to the list.

Some are phrased as guidance, others as concepts or definitions.

Some are trite truisms, overladen, provocative comments that could usefully be expanded-on for clarity and depth of meaning, perhaps with explanation, corollaries and illustrative examples.

All of them can be challenged with counter-examples and viable/credible alternatives. 

My little list is deliberately pragmatic and realistic rather than academic or theoretical. The sequence could be better, although I'm not sure what kind of conceptual structure would make most sense: more coffee required!

In due course I'd like to contribute to the ISO/IEC 27000 revision project which intends to introduce a new clause around 'security principles'. Maybe some version of these would help? Maybe not.