Seven Simple Rules

Explaining the role and importance of Information Security in the organization, especially to management, can be a difficult task. I have lost count of the number of times in my career when, ten or fifteen minutes into a presentation on IS, I have looked up to find one half of my audience asleep and the other half clueless. As a result, I often rely on the following seven simple objectives and explain that, if you can answer “yes” to each of these questions at the end of the day, then you have succeeded in creating a solid information security organization:

  1. Do we know who is using the service? This requires that we identify and authenticate each user of the system.
  2. Can we control what they do and ensure confidentiality?
  3. Can we ensure the integrity (accuracy) of the information?
  4. Can we prevent unauthorized changes to information?
  5. Can we provide for non-repudiation of a transaction? (Can we associate any change with a specific user?)
  6. Do we know when there is a problem, and do we know soon enough to take appropriate action to contain it and minimize its impact?
  7. Can we ensure the availability of information?

From a goal-setting standpoint, these rules provide a good starting point. They may not produce a perfect control environment, but they will certainly cover all the substantial risk areas.

The primary weakness of these rules is that they define an end state; they do not tell you how to get there. We need something more: a framework that defines how we structure an information security program, where we focus our resources, and how we organize the overall activities.

©2009 ISRMC, LLC