Versions Compared

Version Old Version 10 New Version 11
Changes made by

Isaac Straley

Isaac Straley

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Section
Column
width18%
Include Page
public:InfoSecPlanNav
public:InfoSecPlanNav
Column
width77%
Center

Contents

Table of Contents
outlinetrue
stylenone
typelist

Guiding Principles

Management Principles

Stewardship and Accountability
Everyone has a responsibility to protect information and individuals are held accountable.
Risk Management
Information must not be stored without understanding and formally mitigating or accepting the risk.

Architecture Principles

Defense In Depth
Where one control would be reasonable, more controls that approach risks in different fashions are better. Controls, when used in depth, can make severe vulnerabilities extraordinarily difficult to exploit and thus unlikely to occur.
Least Privilege Access
The principle of least privilege recommends that accounts have the least amount of privilege required to perform their business processes.
Segmentation
Areas of risk must be separated by strongly defined and protected technical, logical, and physical segmentation and compartmentalization.
Segregation of Duties
A key control is separation of duties. Certain roles have different levels of trust than normal users. In particular, administrators are different to normal users. In general, administrators should not be users of the application.
Do Not Trust Services
Many departments utilize the processing capabilities of third party partners, who more than likely have differing security policies and posture than you. Therefore, implicit trust of externally run systems is not warranted. All external systems should be treated in a similar fashion.
Simplicity
Attack surface area and simplicity go hand in hand. System administrators, developers, and IT staff should avoid the use of complex architectures when a simpler approach would be faster and simpler.

Information Security and Privacy Policies

Information Security decision making is guided by documented policies.
See more: Information Security and Privacy Policies

Roles and Responsibilities

Information Security roles must be formally defined and individuals must be assigned to fulfill those roles.
See more: Roles and Responsibilities

Data Classification

Data must be formally inventoried and assigned a risk classification.
See more: Data Classification

Risk Management

The critical component to implenting information security is performing risk assessment on all information and infrastructure assets.
See more: Risk Management

Information Security Controls

Each risk classification has a baseline of controls for risk mitigation. These controls must be modified based on individual system risks.
See more: Information Security Controls

Column
width5%