Confidentiality, Integrity, Availability
Understand the issues, risks
Assess, plan, design/architect
Principle of Least Privilege
When designing a security policy, be it a firewall rule, or filesystem
permissions, never give more than the necessary permissions to get the job
done. Doing so reduces the attack surface and limits (though does not eliminate)
the damage a compromise can do. It's easier to loosen rules later than to tighten them.
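As an added example (not from these notes), a small Python audit that flags filesystem permissions broader than least privilege requires: world-writable paths, setuid/setgid binaries outside an allowlist, and config files under /etc writable by more than their owner. The allowlist and the sample inventory are constructed assumptions; scan_tree() applies the same checks to a real directory.

```python
from __future__ import annotations
import os
import stat
from dataclasses import dataclass

@dataclass
class Finding:
    path: str
    mode: int      # permission bits only (as returned by stat.S_IMODE)
    reason: str

# Assumed allowlist of setuid/setgid binaries this host legitimately needs;
# anything else carrying those bits is a candidate for removal (least privilege).
ALLOWED_SETID = {"/usr/bin/passwd", "/usr/bin/sudo"}

def check_mode(path: str, mode: int, allowed_setid=ALLOWED_SETID) -> list[Finding]:
    """Return least-privilege violations for one path, given its st_mode."""
    findings = []
    perm = stat.S_IMODE(mode)
    sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
    if perm & stat.S_IWOTH and not sticky_dir:          # /tmp-style dirs are exempt
        findings.append(Finding(path, perm, "world-writable"))
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID) and path not in allowed_setid:
        findings.append(Finding(path, perm, "setuid/setgid outside allowlist"))
    if path.startswith("/etc/") and perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(Finding(path, perm, "config writable by group/others"))
    return findings

def scan_tree(root: str) -> list[Finding]:
    """Walk a real directory tree; lstat() so symlinks are not followed."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            try:
                out.extend(check_mode(p, os.lstat(p).st_mode))
            except OSError:
                continue   # vanished or unreadable entry; keep scanning
    return out

# Constructed sample inventory standing in for stat() results on a real host.
SAMPLE = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),     # allowlisted: OK
    ("/usr/local/bin/helper", stat.S_IFREG | stat.S_ISUID | 0o755),  # unexpected setuid
    ("/etc/app/config.yaml", stat.S_IFREG | 0o664),               # group-writable config
    ("/tmp", stat.S_IFDIR | stat.S_ISVTX | 0o777),                # sticky dir: OK
    ("/srv/www/upload", stat.S_IFDIR | 0o777),                    # world-writable dir
    ("/etc/hosts", stat.S_IFREG | 0o644),                         # OK
]

def audit_sample(sample=SAMPLE) -> list[Finding]:
    return [f for path, mode in sample for f in check_mode(path, mode)]

if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.path}: {oct(f.mode)} {f.reason}")
```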
A security architecture is appropriate when it meets the
confidentiality/integrity/availability needs of an organization, balancing
security, risk mitigation, usability, and cost.
Non-repudiation: where an action cannot be denied, backed by proof of data integrity.
One of the chief goals of security is to ensure business continuity.
Beyond basic security practices, this means having systems in place that can
tolerate failure so that business continues with little or no effect.
A hardened system has these characteristics:
- Minimal amount of software (and hardware) installed and running - *only* what is needed
- Regular updates
- Privileges only for what is needed
- SP800-12 "An Introduction to Computer Security: The NIST Handbook"
- SP800-14 "Generally Accepted Principles and Practices for Securing Information Technology Systems"
- OECD Digital Security Risk Management
- Generally Accepted System Security Principles by International Information Security Foundation