The eight core principles of information Security are discussed below:
1. Accountability: Security of information requires timely apportionment of responsibility and accountability among data owners, process owners, technology providers and users. This accountability should be formalized and communicated. Issues relating to specification of ownership of data and information, identification of users and others who access the system,
recording of activities and assignment of responsibility for maintenance of data and information etc. should be considered.
2. Awareness: In order to foster confidence data owners, process owners, technology providers and users must be able to gain knowledge of the existence and general extent of the risks facing the organization and its system and the organization’s security initiatives and requirements. Security measures are only effective if all involved are aware of their proper functioning and of the risks they address.
3. Multidisciplinary: Security covers technological, administrative, organizational, operational and legal issues. Technical standards should be developed with and enforced by codes of practice, audit, legislative, legal and regulatory requirements and awareness, education and training.
4. Cost effectiveness: Different levels and types of security may be required to address the risks to information. Security level and associated costs must be compatible with the value of the information. Following issues must be considered:
• Value to and dependance of the organization on particular information assets.
• Value of the data or information itself, based on a pre-defined level of confidentially or sensitivity.
• Threats to the information, including the severity and probability of such threats.
• Safeguards that will minimize or eliminate the threats, including the costs of implementing the safeguards.
• Costs and benefits of incremental increases to the level of security.
• Safeguards that will provide an optimum balance between the harm arising from a security breach and the costs associated with the safeguards.
• Where available and appropriate, the benefit of adopting established minimum-security safeguards as a cost-effective alternative to balancing costs and risks.
5. Integration: Measures, practices and procedures for security must be coordinated and integrated with each other and with other measures, practices, and procedures of the organization, so as to create a coherent system of security. This requires that all levels of the information cycle are covered.
6. Reassessment: The security of information system should be reassessed periodically, as information systems and the requirements for their security vary over time.
7. Timeliness: Security procedures must provide for monitoring and timely response to real or attempted breaches in security in proportion with the risk. Following issues must be considered:
• Instantaneous and irrevocable character of business transactions.
• Volume of information generated from the increasingly interconnected and complex information systems.
• Automated tools to support real-time and after-the-fact monitoring and
• Expediency of escalating breaches to the appropriate decision making level.
8. Social factors: Information and the security of information should be provided and used in such a manner that the rights and interests of others are respected. Level of security must be consistent with the use and flow of information.