If you are an information security professional, your life is full of moments such as these:
No one around you speaks the infosec language, and you find yourself struggling to get production teams or management on board with necessary controls.
Developers or operations inadvertently create a new vulnerability because they are following the relevant technology’s best practices guide, which doesn’t include security.
Training up new team members feels impossible because the world seems to offer lots of checklists and pie-in-the-sky theory, but no concrete way to bring a bright but inexperienced person up to speed on reasoning about information security.
If you are a policymaker, manager, or executive in an organization that has information technology (and what organization doesn’t today?), you’ve probably experienced these moments:
Dealing with technical experts who do not seem to speak the same language, while trying to formulate a strategy around a technology you don’t really understand.
Being asked to create or approve security strategies without understanding how they might impact your core mission.
Entrusting critical processes and assets—including your organization’s reputation—to something that appears to be nothing but blinking lights and buzzwords.
If you are a systems administrator, programmer, or other IT engineer, you’ve likely gone through the following:
Found security compliance to be a giant headache, and that best practices lists don’t fit the realities of your environment.
Discovered that it’s not always clear whether you are making something more or less secure, given how many conflicting opinions, techniques, and technologies are out there and how little time you have to learn and test them all.
Been in a situation in which someone told you to “bake in” security, not known what that meant, and been pretty sure that they didn’t know what it meant either.
The Information Security Practice Principles (the Principles) came out of Indiana University’s Center for Applied Cybersecurity Research (CACR), where organizations come when they have information security questions about technologies, networks, and organizational structures that are unconventional, complex, or unexplored. Our policy, process, and technical experts work from these Principles when there aren’t yet proven “best practices” in order to make security that works.
Best practices guides, checklists, policies, and standards pervade nearly every part of information-security practice. Some are well thought out and well written; others…well, less so. By understanding the principles upon which all security operates, you can effectively evaluate those guides, lists, policies, and standards (or create new ones, if needed) because you’ll have the fundamental baseline from which all of security can be understood.
The Principles project is the result of our research [1] and the collective 30-plus years of experience between the three of us, who set out to make “thinking about information security from first principles” [2] accessible to everyone. Thinking, intelligent people can take these seven principles, which have stood the test of time (yes, we cite Sun Tzu), and apply them to any information security problem involving any organization or technology, now or yet to come. And remember, first principles apply to everything: so when you find yourself asking, “Does Comprehensivity apply to x?” or “Should we consider Minimization when we build y?”, the answer is yes.
But more fundamentally, the Principles offer a balance between aspirational (and therefore unobtainable) “perfect security” and the pragmatic need to get things done. Although the Principles set the ideal, they are also designed to guide you toward that ideal in a way that is actually doable. Rather than just saying “be a good person,” the Principles are modeled after The Golden Rule (“treat others as you would want to be treated”). Just stating the goal is not enough; the Principles show you how to get there.
This is why working from first principles is so important: it’s the skill set that doesn’t age into irrelevancy. It’s the skill set that tells us what to do when someone drops a network-connected refrigerator, scientific instrument, or drone that we’ve never seen before onto our laps. It’s the skill set that allows us to analyze and understand security policy, technological controls, and physical security, and gives everyone up and down the organization a lingua franca for discussing security.
Each chapter in this book walks you through one of the seven Information Security Practice Principles—Comprehensivity, Opportunity, Rigor, Minimization, Compartmentation, Fault Tolerance, and Proportionality—providing an overview of how they apply in both technical and human/policy contexts, along with their interactions with other principles. We’ve also included links to additional resources at the end of this book that you might find helpful.
A final note about word choice. The Principles are an attempt to consolidate a huge range of information security sources into seven discrete concepts, so naturally some principles will be very similar to concepts you are already familiar with, but under different names. Although this proximity might make the different naming frustrating, we would emphasize that the Principles are designed to help communicate these concepts across the wide-ranging disciplines that need to appreciate cybersecurity concerns. Although you might prefer to refer to a given principle under a different name, using the Principles as a shared language will help you communicate those concepts across fields and to a much broader audience.
[1] Information Security Practice Principles Foundational Whitepaper, CACR (May 2017), https://cacr.iu.edu/principles/ISPP-Foundational-Whitepaper-2017.pdf
[2] The concept of “first principles” refers to a basic, foundational, or self-evident proposition that cannot be derived from any other proposition. First principles are widely used in fields such as philosophy, physics, mathematics, and medicine.