Eight core principles of information Security are discussed below:
i. Accountability: Security of information requires timely allotment of responsibility and accountability to data owners, process owners, technology providers and users. This accountability should be formalized and communicated. Issues relating to specification of ownership of data and information, identification of users and others who access the system, recording of activities and assignment of responsibility for maintenance of data and information etc. should be considered and clarified.
ii. Awareness: In order to foster confidence in information, data owners, process owners, technology providers and users must be provided with the information of the system requirements for security, its applications, risk to the organization and the organization‘s security initiatives and future requirements. Security measures are only effective if all involved are aware of their responsibilities for the proper functioning of the system, risk involved and the security measures taken by the organization..
iii. Multidisciplinary: Security measure covers technological, administrative, organizational, operational and legal issues. Technical standards should be developed with and enforced by codes of practice, audit, legislative, legal and regulatory requirements, awareness, education and training.
iv. Cost effectiveness: Different levels and types of security may be required to address the risks to information. Security level and associated costs must be compatible with the value of the information. Following issues must be considered:
• Value to and dependence of the organization on particular information assets.
• Value of the data or information itself, based on a pre-defined level of confidentiality or sensitivity.
• Threats to the information, including the severity and probability of such threats. • Safeguards that will minimize or eliminate the threats, including the costs of implementing the safeguards.
• Costs and benefits of incremental increases to the level of security.
• Safeguards that will provide an optimum balance between the harm arising from a security breach and the costs associated with the safeguards.
• Where available and appropriate, the benefit of adopting established minimum security safeguards as a cost-effective alternative to balancing costs and risks.
v. Integration: Measures, practices and procedures for security must be coordinated and integrated with each other and with other measures, practices, and procedures of the organization, so as to create a coherent system of security. This requires that all levels of the information cycle are covered.
vi. Reassessment: The security of information system should be reassessed periodically, as information systems and the requirements for their security vary over time.
vii. Timeliness: Security procedures must provide for monitoring and timely response to real or attempted breaches in security in proportion with the risk. Following issues must be considered:
• Instantaneous and irrevocable character of business transactions.
• Volume of information generated from the increasingly interconnected and complex information systems.
• Automated tools to support real-time and after-the –fact monitoring
• Expediency of escalating breaches to the appropriate decision making level.
viii. Social factors: Information and the security of information should be provided and used in such a manner that the rights and interests of others are respected. Level of security must be consistent with the use and flow of information.
The main roles of a security administrator are:
a. To ensure that the environment and the facilities for system development, implementation, maintenance and operation are safe and secure.
b. To set security policy, subject to approval from management.
c. To guide other security administrators and users on the selection and application of the security measures.
d. To investigate all security violations.
e. To advise senior management on matters of information resource control.
f. To provide consultations on the information security matters.
g. To conduct a security program that involves a series of ongoing, regular and periodic evaluations of the facilities.
h. To consider all possible threats to the information of the organization and develop an inventory of the threats, existing control mechanisms, new controls and security measures etc.