The last rule was to make enumerations so complete, and reviews so comprehensive, that I should be certain of omitting nothing.
René Descartes, Discourse on the Method
The Principle: Specify and enforce the expected states, behaviors, and processes governing the relevant systems and actors.
Key Question: What is correct behavior, and how am I ensuring it?
Related Concepts: Governance, Requirements, Monitoring, Audits
Rigor is the principle of ensuring that our work is thorough, methodical, and robust. It is where we build and carry out processes that reduce confusion, enhance accountability, and improve upon themselves in light of new evidence.
Information security can’t be all fun and games; sometimes you must put in the work to ensure that you get the job done right. Rigor is the Principle about doing things right. It is where procedure, governance, accountability, and oversight have their day in the sun. It’s never good enough to rest on assumptions. Rigor makes you write those assumptions down, justify their existence, and spell out a plan for when they blow up in your face. When your manager, CEO, or board of directors asks you “how can I be sure?”, Rigor is your answer. It is the series of processes that you put in place and the steps you take to follow through to ensure that information security consistently, efficiently, and effectively accomplishes its goals.