
Defining Departmental Infrastructure and Security Philosophy.

by Marie Whiting

Principle 1: There is no such thing as absolute security

Any security measure, given time, tools, and expertise, can be broken.
Implementation
All protocols must be updated quarterly.
Bibliography
Breithaupt, J. and M. Merkow (2014, January 6). Information Security Principles of Success. Retrieved January 25, 2015.
Merkow, M. and J. Breithaupt (2010, January 1). Information Security Principles and Practices. Retrieved January 25, 2015.
Security: Reduce Your Risk: 10 Security Rules To Live By. (n.d.). Retrieved January 25, 2015.

Principle 2: The three security rules are confidentiality, integrity, and availability

Confidentiality, integrity, and availability (the CIA triad) are the three important rules that guide every security policy.
Implementation
Employees will review and sign a security agreement stating they have knowledge of all of the security policies.
Bibliography
Confidentiality, integrity, and availability (CIA triad). (n.d.). Retrieved January 25, 2015.
Miller School of Medicine, University of Miami. Confidentiality, Integrity and Availability (CIA). (2008, January 1). Retrieved January 25, 2015.
Phillip, L. (2013, August 9). Smart Phone Apps Demand an End to Privacy. Retrieved January 25, 2015.

Principle 3: Defense in depth as strategy

Just as customers would not expect to rely on a single power line to their house, but would want a backup circuit in case that line went down, so should we expect to have multiple measures in place to protect our security assets.
Implementation
Components of defense in depth include antivirus software, firewalls, anti-spyware programs, hierarchical passwords, intrusion detection and biometric verification. In addition to electronic countermeasures, physical protection of business sites along with comprehensive and ongoing personnel training enhances the security of vital data against compromise, theft or destruction (Rouse, M.).
Bibliography
Defense in Depth. (n.d.). Retrieved February 25, 2015.
Perrin, C. (2008, December 18). Understanding layered security and defense in depth. Retrieved January 25, 2015.
Rouse, M. (2007, June 1). Defense in depth definition. Retrieved January 26, 2015.

Principle 4: When left on their own, people tend to make the worst security decisions

Social engineering is successful because people tend to believe the best in others. Someone pretending on the phone to be a person who needs security information for a bona fide reason, while sounding sincere and honest, is a huge risk to security.
Implementation
A protocol is established with procedures and rules, including ways to verify the identity of people asking for information and the documentation that must be provided before any information is released. This includes a procedure under which only certain authorized personnel may release any security or company information.
Bibliography
Bianco, D. (2015, January 1). Reference for Business. Retrieved January 25, 2015.
Breithaupt, J. (2014, July 4). Principle 4: When left on their own, people tend to make the worst security decisions. Retrieved January 25, 2015.
Bryant, C. (2010, September 28). Are decisions made in groups better than decisions made alone? - HowStuffWorks. Retrieved January 25, 2015.

Principle 5: Computer security depends on two types of requirements: functional and assurance

The two types of requirements address what a security system should look like and how it should act (functional), and how the system is actually operated and how it is tested (assurance).
Implementation
The IT department will create a flow chart designating personnel responsibilities and security user privileges. In addition, all hardware and software will be accounted for, marked with serial numbers, and listed on an inventory list. A work order system will be set up so that if there is a glitch in the system, IT can be notified immediately in order for the situation to be resolved.
Bibliography
ASD | Information Assurance/Information Security. (2007, January 1). Retrieved January 25, 2015.
Breithaupt, J. (2014). Information Security Principles of Success. In Information Security: Principles and Practices, 2nd Edition (2nd ed.). Pearson IT Certification.
Computer security. (2015, January 20). Retrieved January 26, 2015.

Principle 6: Security through obscurity is not an answer

Having no one hack you because no one knows you exist does not mean that you are secure. Sooner or later someone will find you and attempt to access your network.
Implementation
Procedures and protocols will be followed by all employees. Safety and security precautions will be addressed for every area in which security might be breached.
Bibliography
Isn't all security "through obscurity"? (2013, January 1). Retrieved January 25, 2015.
Mylund Nielsen, P. (2011, May 22). Security Through Obscurity. Retrieved January 25, 2015.
Why is security through obscurity a bad idea? (2012, January 1). Retrieved January 25, 2015.

Principle 7: Security = Risk Management

You can never totally eliminate risk; you can only manage it as best you can.
Implementation
Don't get cocky about being totally secure.
Bibliography
Risk (2015, January 10). Retrieved January 25, 2015.
Risk management. (2015, January 21). Retrieved January 25, 2015.
Security & Risk Management. (2015, January 1). Retrieved January 26, 2015.

Principle 8: The three types of security controls are preventative, detective, and responsive

When setting up a security system, there must be preventative measures in place, a way to detect any intrusion, and a plan to respond.
Implementation
The company protocols will be set up to address all of these areas.
Bibliography
Breithaupt, J. (2014, July 4). The Three Types of Security Controls are Preventative, Detective, and Responsive. Retrieved January 25, 2015.
Security controls. (2014, October 5). Retrieved January 25, 2015.
Types of Controls. (2009, January 1). Retrieved January 25, 2015.

Principle 9: Complexity is the enemy of security

The more complex a system, the harder that system becomes to secure.
Implementation
Keep the network as simple as possible.
Bibliography
Chan, C. (2012, December 17). Complexity the worst enemy of security. Retrieved January 25, 2015.
Krebs on Security. (2014, May 27). Retrieved January 26, 2015.
Shin, Y. (n.d.). Is Complexity Really the Enemy of software Security? Retrieved January 25, 2015.

Principle 10: Fear, uncertainty, and doubt do not work in selling security

These emotions -- fear, uncertainty, doubt -- lead to overreactions when security events occur. These overreactions then lead to panic.
Implementation
Fear, uncertainty, doubt, and even panic result from not having procedures and policies in place. The company's security protocol is a dynamic product that will involve company personnel in an effort to address any issues that have come up and to create a plan so that overreactions to security breaches do not happen.
Bibliography
Armerding, T. (2012, June 11). Cybersecurity expert argues FUD can be effective. Retrieved January 25, 2015.
Cross, R. (2014, April 30). Dispelling F.U.D. in the Brave New World of Software-Defined Networking. Retrieved January 25, 2015.
Stanganelli, J. (2014, May 21). Cloud Security FUD Drives Genomics Industry towards Cloud-in-a-Box, Part 2. Retrieved January 25, 2015.

Principle 11: People, process, and technology are all needed to adequately secure a system or facility

Systems are made of different pieces working together. People, processes, and technology are each an important piece of creating a secure network system.
Implementation
Technology will be researched and purchased according to the company's needs and within the appropriate price range. The IT department will develop, and continue to revise as needed, all procedures and policies to ensure the security of the company's network system. Employees will attend ongoing training to ensure knowledge of acceptable procedures, and systems will be in place to monitor employees' activities.
Bibliography
Breithaupt, J. and M. Merkow (2014, January 6). Information Security Principles of Success. Retrieved January 25, 2015.
Gary, S. (2004, June 1). Engineering Principles for Information Technology Security (A Baseline for Achieving Security). Retrieved January 25, 2015.
Reymann, P. (2008, January 1). Aligning People, Processes, and Technology for Effective Risk Management. Retrieved January 25, 2015.

Principle 12: Open disclosure of vulnerabilities is good for security

Open disclosure can lead to consumer-created solutions.

Implementation
Implementation will include full disclosure of all security weaknesses. With this information known, steps can be taken to correct and strengthen all security measures to address the vulnerabilities.
Bibliography
Crenshaw, A. (2013, March 27). Ethics of full disclosure concerning security vulnerabilities. Retrieved January 25, 2015.
Ragragio, I. (2007, March 29). Full Disclosure - IT Security. Retrieved January 25, 2015.
Schneier, B. (2007, January 1). Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'. Retrieved January 25, 2015.
