It is very important to recognize and understand the laws of security, by which every sector of an enterprise or government can strengthen security within its perimeter. The better these laws are understood, the better the resulting security implementation. These laws can be applied in any business field or environment, and they can be implemented at any degree of simplicity or complexity. Therefore, it is important to understand the environment deeply before applying them, in order to meet the security goals set by the owners.
It is proven that analysis of a system is the key factor in successful management. These systems are collections of ...
For that reason, Bruce emphasizes this law to extend our view of security to cover the managerial and administrative processes, so that they take their rightful place in enforcing and strengthening the level of security within the perimeter, placing part of the responsibility for security on managers and end users. This can be realized through information security policies, standards, guidelines and procedures, in addition to a suitable and effective level of awareness for handling information assets in a healthy way.
3 Second Law: Security is a must-have, not a nice-to-have, decision
In the past, security was not mature enough to be considered essential, since the number of technology specialists was low and they were easily known. Therefore, most applications used minimal security measures, sometimes only optionally, in order to work with systems efficiently and keep performance high. Nowadays, technology provides us with high-performance machines that can overcome that obstacle. In addition, the number of “specialists” in security and technology keeps increasing as time goes on, as does the number of hackers, whether white, black or gray hat. This should raise security from “optional” to “enforced”. The more seriously management treats security, the higher the level of security that will be gained.
4 Third Law: Security is built from the Core, not on the Edge
As a complement to the second law, security should be applied step by step as the system is built, from requirements to analysis, design and implementation, up to the termination stage. Most security vendors apply their measures at the boundaries of the system, forgetting that the relations among information assets and the employees themselves are more dangerous. For example, if security measures such as firewalls are applied to a system but any employee is given the choice and capability to bypass or reconfigure them, security within the enterprise is compromised. Therefore, the separation of duties principle is important for determining the role of each employee, and the permissions that should be granted to each, before the system is built.
5 Fourth Law: Understanding the business is the most crucial factor in a successful security level
Understanding the system simplifies the analysis of vulnerabilities and of the threats that are able to exploit them. Moreover, understanding the system simplifies the way security is architected. The better the system is understood, the better the security design and implementation that can be realized. Accordingly, many environments are now studied by security experts in collaboration with system analysts, in order to understand and secure these environments correctly and from more, and higher, points of view.
6 Fifth Law: Security awareness is the most cost-effective security measure
Surveys of security measures have shown that security problems come from internal users. As a result, companies are reforming their view of security from being merely technical to...