Incorporating the Rules

We just finished covering the eight essential rules of security. These rules are a valuable tool when making a security decision or assessment, or when contemplating any security issue. For each rule, I have suggested how you might incorporate it into your own organization. We can refer back to these rules regularly, as they provide clarity in otherwise confusing security issues. So, let's quickly review the rules we just discussed by studying Table 4.4.

Putting the Rules in Writing

The rules practiced within an organization should be written and published. Even if it seems like no one reads them, each rule will remain ineffective until it is incorporated into a written security policy. One of the powers of the written word is that it lends constancy and authority to the idea being written. If, for instance, a violation of the security policy leads to argument or confusion, the strongest aid we can have is a written and approved document stating the policy exactly. Until it is written, we have little power or authority to enforce the rules within the environment.

Table 4.4. Overview of the Eight Rules of Security

Rule of Least Privilege: Allow only as much access as is required to do the job, nothing more. In addition, allow only as much access as an individual, group, or object is capable of being securely responsible for. In any and all situations, it is best to start with the idea that nothing is allowed and work from there.

Rule of Change: Changes within an organization very often bring about new risks and vulnerabilities. To remain secure, one must be aware of changes going on within the environment. Changes should be well coordinated, and we should make sure we do not succumb to the guinea pig phenomenon.

Rule of Trust: When an organization trusts someone or something, that organization takes on some degree of risk. Trusting any subject means we are also trusting anyone and anything that has access to that subject, thus establishing a chain of trust. We should always be conscious of whom we are trusting and the risks related to that trust.

Rule of the Weakest Link: An organization's security is only as strong as its weakest link. It is important to plan your security as a whole and avoid building up strong front doors while leaving weak back doors.

Rule of Separation: To maintain a high level of security, it is important to separate objects into different security levels and apply different access rules to them. It is also important to perform security verification at all levels, making sure that even security administrators are monitored.

Rule of the Three-Fold Process: Every security project has three processes: implementation, maintenance, and monitoring. All security implementations should include the other two processes in the projected budget. If any one of these three processes is missing, then the security gained will be minimal, if any is gained at all.

Rule of Preventative Action: Reactive policies and processes can't be allowed to drive security responses. The main goal is not to rid an environment of an attack, but to prevent the attack from ever happening. An organization must be focused on dealing with security issues before they manifest, not after.

Rule of Immediate and Proper Response: Every organization should have an organized plan on how to respond during an incident. This plan should be clear, concise, and updated regularly. Everyone should be familiar with his or her part in the plan.
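Two of the rules in Table 4.4 can be made concrete in code: the Rule of Least Privilege ("start with the idea that nothing is allowed and work from there") becomes a deny-by-default access check, and the Rule of Trust ("trusting any subject means we are also trusting anyone and anything that has access to that subject") becomes a transitive closure over access relationships. The following is an added illustration, not code from the book; the subjects, resources and grants in it are constructed sample data, and the function names are my own.

```python
"""Added example: least privilege as deny-by-default, trust as a transitive chain.

All subjects, resources and access edges below are constructed sample data.
"""
from collections import deque

# Constructed grant table: (subject, resource) -> actions explicitly allowed.
# Anything absent from this table is denied, which is the "nothing is allowed
# until granted" starting point the Rule of Least Privilege calls for.
GRANTS = {
    ("alice", "payroll-db"): {"read"},
    ("bob", "payroll-db"): {"read", "write"},
    ("backup-svc", "payroll-db"): {"read"},
}


def is_allowed(subject, resource, action, grants=GRANTS):
    """Deny by default: True only when an explicit grant covers the action."""
    return action in grants.get((subject, resource), set())


# Constructed access graph: key -> set of subjects that have access to the key.
# Because trusting X means trusting whatever can reach X, an edge "Y has access
# to X" means that trusting X implicitly trusts Y as well.
ACCESS = {
    "payroll-db": {"alice", "bob", "backup-svc"},
    "backup-svc": {"backup-admin", "vendor-support"},
    "vendor-support": {"vendor-ticket-system"},
}


def chain_of_trust(trusted, access=ACCESS):
    """Return every subject implicitly trusted by trusting `trusted`.

    Breadth-first walk over the access graph; the result is the full
    chain of trust the Rule of Trust warns about, not just direct access.
    """
    seen = set()
    queue = deque([trusted])
    while queue:
        node = queue.popleft()
        for dependent in access.get(node, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def overprivileged(grants=GRANTS, access=ACCESS):
    """List grants whose subject's own trust chain reaches something not
    itself granted access to the resource.

    This flags the gap between what a subject is granted and what it can be
    "securely responsible for": a grant to a subject that other parties can
    reach is effectively a grant to those parties too.
    """
    findings = []
    for (subject, resource), actions in grants.items():
        direct = {s for (s, r) in grants if r == resource}
        hidden = chain_of_trust(subject, access) - direct
        if hidden:
            findings.append((subject, resource, sorted(actions), sorted(hidden)))
    return findings


if __name__ == "__main__":
    print(is_allowed("alice", "payroll-db", "write"))   # False: no explicit grant
    print(sorted(chain_of_trust("payroll-db")))
    for finding in overprivileged():
        print("grant", finding[:3], "is reachable by", finding[3])
```

Running the script shows that trusting `payroll-db` means trusting six parties, three of which (`backup-admin`, `vendor-support`, `vendor-ticket-system`) never appear in the grant table at all; `overprivileged()` surfaces exactly that kind of silent extension of trust so it can be reviewed rather than discovered after an incident.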


Decision-Making with the Rules

Each rule can be viewed as a component of a security decision. By simply walking through the rules from start to finish and asking whether the matter at hand relates to each of them, the security process takes place automatically. I will address this further in the coming chapters with an overview of how we can make just about any security decision by following the rules and virtues. By making sure each rule is included in the decision-making process, we can avoid most of the confusion and error commonly found in security decisions.

Thinking with the Rules

Each security rule exists in a symbiotic relationship with the others. Using a single rule on its own is a good general guide, but when all the rules are known well and practiced regularly within an environment, they reinforce one another and become much more effective. Together they form a security consciousness that will keep an environment safe in just about every situation.



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day