
A list of the fundamentals for security

In my recent podcast, I focused on the value of the fundamentals. I purposefully didn't list out what I thought the fundamentals were, since I wanted to take some time to work with you to flesh out a smarter list. Eventually, this is the sort of effort that is well suited to a wiki and that we can make public. But instead of thinking and dreaming big about what we can do in the future: what are the fundamentals that *you* think everyone practicing security should know and be familiar with?

To me, being a professional means that you are not only able to rattle off a list of fundamentals, but that you can explain them to others and possess the ability to _apply_ them. Being able to apply the fundamentals requires us to take the time to think, plan and then practice. Practice of the fundamentals is key. If you follow sports, you can easily see that every superstar spends hours each day working on the fundamentals. There is a lesson to be learned there.

In order for us to better understand the fundamentals we need to consider and practice, we have to start with a simple list. Once we have a list that we agree upon, it's short work to build it out and expand it. I've got a few different ideas on how we can best do this, but it all comes down to needing a list.

I'll start by adding CIA to the top of the list. For me, Confidentiality, Integrity and Availability (CIA) are without question the starting place for fundamentals. Without these, we don't really have much else. In our Protecting Information Workshop, we actually guide people through a hands-on exercise to define and then work with these three basics. I am amazed at the number of people who hold a CISSP, CISM or similar who cannot define these terms, let alone apply them.

I'm not suggesting anything beyond the simple observation that many of us "know" the fundamentals (in that we know they exist) but fail to continue to study and apply them.

Test it Out

Take five minutes right now. Go write down on a piece of paper how you define Confidentiality, Integrity and Availability. Could you explain that to someone else? How would you develop a set of requirements around those fundamental concepts? Go ahead, I'll wait.

Okay, so what did you come up with? Either way, by taking even five minutes to think about a fundamental concept, write it down and consider how to apply it, you have improved. Today has already been a great day! Keep on your roll, and share with the entire Security Catalyst Community (free registration required using your full and proper name) what other topics you believe need to be included in the list of fundamentals. When you contribute to the thread, I'm also curious why you think each one should be included.

You may notice that comments are turned off for this thread. That's because we need to track the conversation here: http://community.securitycatalyst.com/forums/index.php/topic,523.0.html

I will work to update the listing so we have a master list at the top, too. When the list gets built out a bit (and I encourage some healthy and positive debate), we'll explore the fundamentals in an upcoming Security Round Table podcast, in my podcast, this blog and perhaps even in the security salon! It's time to start making a difference, and I look forward to learning from you!

The Fundamentals

1. Confidentiality, Integrity and Availability


Posted in Information Protection

2 Comments »

  1. john.smith said,

    July 31, 2007 @ 5:08 am

    CIA is the oft-peddled mantra, and I have two issues with it.

    Not saying it's wrong, just saying I've two issues. ;)

    1) The unit currency of security is not C, nor I, nor A, but rather it is TRUST. I think CIA is just one way of breaking the concept of TRUST down into manageable components:

    C is: do you TRUST your data is accessible to the right people, and denied the wrong?
    I is: do you TRUST your data is free from unauthorised or unexpected modification?
    A is: do you TRUST your data is going to be available when you need it?

    Q. And why do you want to break it down into bite-sized chunks like this?
    A. Easiest way for us pygmies to eat that elephant! ;)

    2) AVAILABILITY. In the real world (or at least in my version of it) this is a pie carved between many:
    Q. Do you trust your data is going to be there when your data centre is flooded?
    Operationally this is the domain of Disaster Recovery / Business Continuity, and that is a different role in most organisations than the Information Security Officer.
    Developmentally this might fall under the Safety Officer, or System Architect, or someone else, who is usually different from the Security Consultant*
    *well done for actually having a security consultant during the development phase!!!

    Q. So which part of A pie is left for Security?
    A. Do you trust your data to be available when your data is UNDER ATTACK?

    Attacks are no accident, they might be impersonal, your information assets might not even be the target, but they are no accident in the “act of god” or “negligence” senses.

    Q. So what is my point?
    A. CIA is all very well, but never lose sight of the context, and for this purpose I believe the context is TRUST.

    Similarly if someone asks you
    Q. Hey security dude, is my widget secure?
    A. Secure against what?

    A mantra is no substitute for thinking things through, but it is convenient, and will probably be a good place to start.

    :)

  2. The Compliance and Security Connection said,

    August 8, 2007 @ 3:48 pm

    What do you think the fundamentals of security are?…

    Fundamentals. The basics. Building blocks. However you put it, there are elementary aspects to almost any activity in life. I was listening to a Red Sox game against the Orioles the other night. They were commenting on the Orioles' improved…
