Collective Infosec Controls


The InfoSec controls that must be considered for any national security environment include:

  • Individual accountability;

  • Physical controls;

  • System controls;

  • System stability;

  • Data continuity;

  • Least privilege [3];

  • Communications security; and

  • National security information controls.

These controls are based on contractual and noncontractual requirements and on generally established national security principles. The InfoSec program that includes the objectives and controls noted above is usually approved by the government security officer (GSO) responsible for the security of the corporation's contractual efforts. In fact, each system that is considered for use to process, store, display, and transmit national-security-related information must be approved by the GSO for the contract. The government customer often designates a name for the entire effort, which is then called a program instead of a contract, for example, the Widget Program.

[3] Least privilege means that the user or program can only access the information needed and no more. Furthermore, the user does not have any authority that is not absolutely necessary to perform the work assigned—for example, a user might not be allowed to add, delete, or modify databases or information.




The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204
