Core Security Principles
Core Security Principles are some generally accepted principles that address information security from a very high-level viewpoint. These principles are fundamental in nature, and rarely change. Individual/Corporative shall observe these principles for developing, implementing and understanding security policies. The principles listed below are by no means exhaustive.
Information System Security Objectives
Information system security objectives or goals are described in terms of three overall objectives: Confidentiality, Integrity and Availability. Security policies and measures shall be developed and implemented according to these objectives.
Risk Based Approach
A risk based approach shall be adopted to identify, prioritise and address the security risks of information systems in a consistent and effective manner. Proper security measures shall be implemented to protect information assets and systems and mitigate security risks to an acceptable level.
Prevent, Detect, Respond and Recover
Information security is a combination of preventive, detective, response and recovery measures. Preventive measures avoid or deter the occurrence of an undesirable event. Detective measures identify the occurrence of an undesirable event. Response measures refer to coordinated actions to contain damage when an undesirable event (or incident) occurs. Recovery measures are for restoring the confidentiality, integrity and availability of information systems to their expected state.
Protection of information while being processed, in transit, and in storage
Security measures shall be considered and implemented as appropriate to preserve the confidentiality, integrity, and availability of information while it is being processed, in transit, and in storage. As an example, a wireless communication without protection is vulnerable to attacks, security measures shall be adopted when transmitting classified information.
External systems are assumed to be insecure
In general, an external system shall be assumed to be insecure. When information assets or information systems connect with external systems, security measures shall be implemented, using either physical or logical means, according to the business requirements and the associated risk levels.
Resilience for critical information systems
All critical information systems shall be resilient to stand against major disruptive events, with measures in place to detect disruption, minimise damage and rapidly respond and recover. Damage containment shall be considered in the resilience plan and implemented as appropriate with an aim to limit the scope, magnitude and impact of an incident for effective recovery.
Auditability and Accountability
Security shall require auditability and accountability. Auditability refers to the ability to verify the activities in an information system. Evidence used for verification can take form of audit trails, system logs, alarms, or other notifications. Accountability refers to the ability to audit the actions of all parties and processes which interact with information systems. Roles and responsibilities shall be clearly defined, identified, and authorised at a level commensurate with the sensitivity of information.
To be responsive and adaptive to a changing environment and to new technology, a continual improvement process shall be implemented for monitoring, reviewing and improving the effectiveness and efficiency of IT security management. Performance of security measures shall be evaluated periodically to determine whether IT security objectives are met.