I am very happy to announce that 12 tenets have been developed by the premier global information security professional organizations to advance the profession of information security. This is huge! Collaboration of this kind requires egos to be left at the door; we have some huge egos in IT security, and this demonstrates that they can all get along and work together to globally practice the tenets of IT security, which are Confidentiality, Integrity and Availability.
These 12 principles were developed as a framework to influence and guide IT security professionals in their careers; they are a welcome sight for individuals new to the field. The principles are intended to affect behaviors, objectives, approaches and activities, which in turn will lead to more success in safeguarding privacy and technology infrastructure in organizations across the globe.
The principles for information security practitioners are aimed at all individuals working in the information security community, including those who:
- are employed as part of a security function
- provide security services in local environments (eg local security co-ordinators)
- are responsible for developing systems securely
- supply security products and services (eg vendors and consultants)
- influence legal / regulatory requirements for information security
- are aspiring to become security practitioners (eg students).
Benefits to Business
Organizations that have not had a real security framework for their IT security professionals to follow will see an immediate benefit, which can add value and become a marketable asset. The principles are grouped under three headings:
- A - Support the Business
- B - Defend the Business
- C - Promote Responsible Security Behavior
Information security practitioners need to respond to the changing requirements of organisations in today’s complex, interconnected world.
- corporate, IT and information security governance have promoted information security higher up on the board’s agenda
- the information security profession is not fully mature, traditionally has a bias towards technology and needs to be more risk focused
- rapidly evolving threats require information security practitioners to stay ahead of the game
- co-ordinated efforts are needed to maintain the adaptability of information security practitioners, particularly in changing business environments.
Over the years there have been a number of offerings related to individual information security practitioners that cover behaviour, actions or ethics. However, there is a requirement for an independent, non-proprietary set of principles, which are:
- more generic and complete, with less focus on professional qualifications
- relevant to the business world – and kept up to date
- agreed throughout the security profession, rather than being proprietary to one organization
- able to map easily to different security standards and guidelines.
The principles are the joint work of three of the world's leading global security organizations: the ISF, ISACA and (ISC)².
A. Support the business
- A1. Focus on the business: The business is the reason that you have your job! Your goal is to help your organization make money or meet your organization's mission or vision statement.
- A2. Deliver quality and value to stakeholders: The solutions you implement as an IT security professional in the form of technology, process and people can add value and become a marketable asset for your organization.
- A3. Comply with relevant legal and regulatory requirements: The law and information security go hand in hand. The IT security professional must adhere to all applicable laws and help the organization meet or exceed its required compliance objectives.
- A4. Provide timely and accurate information on security performance: You won't know whether your IT security objectives are being met if you have no way to measure the outcome of your IT security implementations; are you getting the desired results?
- A5. Evaluate current and future information threats: Information security threats are forever changing and criminals are always ahead, so the IT security professional must be proactive by studying trends and defending the business against threats before they become a problem.
- A6. Promote continuous improvement in information security: Once you implement your security solutions, go back and review them to see whether there are opportunities to improve the solutions currently in production.
B. Defend the business
- B1. Adopt a risk-based approach: Protect the most critical business applications and information.
- B2. Protect classified information: Always limit access on a need-to-know basis to information such as social security numbers, customer account information, health records, credit card numbers and proprietary business information; and don't let unauthorized individuals access your network.
- B3. Concentrate on critical business applications: Information or systems that are VITAL for the business to stay up and running need the most security; think defense in layers, defense in depth, and Confidentiality, Integrity and Availability (CIA).
- B4. Develop systems securely: Implement security at the beginning of your information technology projects. It is much easier and more cost-effective to do so than to try to fit it in after a system or database has been implemented.
C. Promote responsible security behavior
- C1. Act in a professional and ethical manner: You are held to a high standard as one appointed to safeguard an organization's systems and data assets. Read the ethics and code of conduct documents from the premier IT security organizations: ISF, (ISC)2 and ISACA.
- C2. Foster a security-positive culture:
I applaud the premier IT security organizations for working together to create the 12 principles, which will be of great value to new IT security professionals entering the field.
Julius Clark, MBA, CISSP, CISA
ISF, (ISC)2 and ISACA Release Information Security Principles
12 Principles Poster Download