There are 6 main principles when talking about information security. These principles were first introduced in 2016 by Gartner's risk and security division.
The principles are:
- Principle No. 1: Stop Focusing on Check Box Compliance, and Shift to Risk-Based Decision Making
  - Security is not the same old beast. Information security must be a top-down approach, driven by identified business risk. Risk management and risk analysis are the first big step of any information security work.
- Principle No. 2: Stop Solely Protecting Infrastructure, and Begin Supporting Business Outcomes
  - Information security is a business enabler. Security is there to help the business achieve its goals and targets. The only way to have a successful information security architecture is to make sure it is aligned with the business strategy.
- Principle No. 3: Stop Being a Defender, and Become a Facilitator
  - Again, the aim of information security is to help the business hit its targets. Of course security is important, but if it blocks business processes, it is useless.
- Principle No. 4: Stop Trying to Control Information; Instead, Determine How It Flows
  - The big shift in the security mindset is moving away from local, limited controls toward a holistic approach that looks at information flows and processes.
- Principle No. 5: Accept the Limits of Technology and Become People-Centric
  - These days more and more attacks are the result of a lack of user awareness. Training people and dedicating resources to them is as important as having technical controls.
- Principle No. 6: Stop Trying to Perfectly Protect Your Organization, and Invest in Detection and Response
  - We all know it is impossible to have a completely safe environment. Threats and vulnerabilities are always there. A proper incident response plan, and the operation to carry it out, is crucial for any business.