What are the principles that are behind all of this "compliance stuff?"

When learning about compliance, we read a lot about principles. The word "principles" shows up in quite a few of the regulatory documents as well as in most of the standards and guidelines. So what is a principle, and how are these principles applied?

A principle is usually a widely accepted rule, norm, doctrine, or assumed truth. A set of principles forms the basic foundation for a specific set of guidelines. A good example of general principles is the seven principles of the OECD Guidelines for the Security of Information Systems and Networks (awareness, responsibility, response, risk assessment, security design and implementation, security management, and reassessment). Principles, then, are fundamental beliefs that set the course for the rest of the thinking on the subject at hand. Principles can be combined with a semi-detailed set of rules that flow from them, such as the Generally Accepted Internet Security Principles.

Many principles find their way into standards and guidelines, since they serve as the general behavioral directives that drive standards discussions in the first place. An outstanding example of principles directly creating standards is the Generally Accepted Accounting Principles found in the world of finance, which have spawned the SAS 91 accounting standard.

Let's take a look at what the regulations, standards, and guidelines say about the various principles we'll find within the world of compliance.

Accountability

Accountability is the ability to hold the owners, providers, and users of information systems, and other parties, responsible for their actions; it is about the repercussions of actions taken by individuals. It is the principle that individuals, organizations, and the community are responsible for their actions and may be required to explain them to others. NIST 800-33 would say that accountability is the security objective that generates the requirement for the actions of an organization to be traced uniquely to that organization. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, after-action recovery, and legal action. Accountability needs to be made explicit in terms of sanctions for failing to be accountable. In terms of HIPAA and FISCAM, accountability is accomplished by maintaining a record of the movements of hardware and electronic media and of any person responsible for that movement. All requests for, and access granted to, stored information must be logged for review and possible investigation. Each log entry should include a date/time stamp, the identification of the user, the type of access (e.g., create, read, modify, delete), the success or failure of the request, and the identification of the data acted upon.

HIPAA, NIST 800 series, ISO 15489, DIRKS, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, US National Information Assurance (IA) Glossary
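The five log fields listed above are only useful for review and investigation if every record actually carries them. The following Python checker is an added example, not code from the original page or from any of the standards it cites; it assumes a simple constructed key=value log format and the field names ts, user, action, result and object, and flags any record that could not be traced back to a user, an action, an outcome and the data acted upon.

```python
"""Check audit-log records for the accountability fields named in the text:
date/time stamp, user, type of access, success/failure, and data acted upon.
Added example; the log format and field names are assumptions, not a standard."""
import re
from datetime import datetime

REQUIRED_FIELDS = ("ts", "user", "action", "result", "object")
ALLOWED_ACTIONS = {"create", "read", "modify", "delete"}
ALLOWED_RESULTS = {"success", "failure"}

# Constructed sample records (not from a real system). Lines 3-5 each lack
# something a reviewer would need.
SAMPLE_LOG = """\
ts=2024-05-01T09:14:02Z user=jdoe action=read result=success object=patient/1042
ts=2024-05-01T09:15:30Z user=jdoe action=modify result=failure object=patient/1042
ts=2024-05-01T09:16:11Z action=delete result=success object=patient/2001
ts=2024-05-01T09:17:45Z user=svc-backup action=export result=success object=patient/*
ts=not-a-timestamp user=asmith action=read result=success object=patient/77
"""

_PAIR = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(_PAIR.findall(line))


def check_record(rec):
    """Return the list of problems with one record; [] means it is reviewable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in rec:
            problems.append(f"missing {field}")
    # A time stamp that cannot be parsed cannot be placed on a timeline.
    if "ts" in rec:
        try:
            datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("unparseable ts")
    # The type of access must be one the review process understands.
    if "action" in rec and rec["action"] not in ALLOWED_ACTIONS:
        problems.append(f"unknown action {rec['action']!r}")
    if "result" in rec and rec["result"] not in ALLOWED_RESULTS:
        problems.append(f"unknown result {rec['result']!r}")
    return problems


def audit(log_text):
    """Map line number -> problems for every record that fails the check."""
    findings = {}
    for number, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        problems = check_record(parse_record(line))
        if problems:
            findings[number] = problems
    return findings


if __name__ == "__main__":
    for number, problems in audit(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(problems)}")
```

Run against the constructed sample, the checker reports line 3 (no user), line 4 (an access type outside the agreed vocabulary) and line 5 (a time stamp that cannot be parsed); the first two records pass. In practice the check would run over the real log export, and the allowed action vocabulary would come from the organization's own logging standard.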

Availability

Availability relates to information being available when required by the business process, now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. The requirement is intended to assure that systems work promptly and that service is not denied to authorized users. It is therefore the security objective that generates the requirement for protection against intentional or accidental attempts to perform unauthorized deletion of data or otherwise cause a denial of service or data. You can also think of availability as when or how often an asset must be present or ready for use. Availability is determined by reliability, maintainability, serviceability, performance, and security. It is usually calculated as a percentage, often based on agreed service time and downtime; it is best practice to calculate availability using measurements of the business output of the IT service. See also security principle.

NIST 800 series, OCTAVE, CobiT, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ISO/IEC 13335-1:2004, FIPS Pub 200, ITIL, US National Information Assurance (IA) Glossary
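The definition says availability is a percentage based on agreed service time and downtime. The point that trips people up is that only downtime falling inside the agreed service window counts. The Python below is an added example, not from the page or from ITIL; it assumes service windows and outages are given as (start, end) datetime pairs and that outages do not overlap each other, and it clips each outage to the agreed windows before computing the percentage.

```python
"""Availability as a percentage of agreed service time, counting only the
downtime that overlaps the agreed service windows. Added example; the
window layout and outage times are constructed."""
from datetime import datetime, timedelta


def _overlap(a_start, a_end, b_start, b_end):
    """Length of the intersection of two intervals (zero if disjoint)."""
    start = max(a_start, b_start)
    end = min(a_end, b_end)
    return max(end - start, timedelta(0))


def availability_percent(service_windows, outages):
    """service_windows, outages: lists of (start, end) datetimes.
    Assumes outages do not overlap one another (they would be double-counted)."""
    agreed = sum((end - start for start, end in service_windows), timedelta(0))
    if agreed <= timedelta(0):
        raise ValueError("agreed service time must be positive")
    downtime = timedelta(0)
    for out_start, out_end in outages:
        for win_start, win_end in service_windows:
            downtime += _overlap(win_start, win_end, out_start, out_end)
    return round(100 * (agreed - downtime) / agreed, 3)


def business_hours(first_day, days, start_hour=8, end_hour=18):
    """Build one (start, end) window per day, e.g. 08:00-18:00."""
    windows = []
    for offset in range(days):
        day = first_day + timedelta(days=offset)
        windows.append((day.replace(hour=start_hour), day.replace(hour=end_hour)))
    return windows


def example():
    """Constructed week: Mon-Fri 08:00-18:00 (50 h agreed service time)."""
    monday = datetime(2024, 5, 6)
    windows = business_hours(monday, 5)
    outages = [
        (datetime(2024, 5, 7, 10, 0), datetime(2024, 5, 7, 11, 0)),   # 1 h, counts
        (datetime(2024, 5, 11, 2, 0), datetime(2024, 5, 11, 6, 0)),   # Saturday, outside window
        (datetime(2024, 5, 8, 17, 30), datetime(2024, 5, 8, 19, 0)),  # only 30 min inside window
    ]
    return availability_percent(windows, outages)


if __name__ == "__main__":
    print(f"availability: {example()}%")  # 48.5 h up out of 50 h agreed
```

With 1.5 hours of in-window downtime against 50 agreed hours the result is 97.0%; the four-hour Saturday outage does not reduce the figure at all, which is exactly why the agreed service time must be written down before the percentage means anything.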

Awareness principle

Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.

OECD Guidelines for the Security of Information Systems and Networks

Confidentiality

Protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and while in transit. A requirement that private or confidential information not be disclosed to unauthorized individuals. The need to keep proprietary, sensitive, or personal information private and inaccessible to anyone who is not authorized to see it.

NIST 800 series, OCTAVE, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), CobiT, ISO/IEC 13335-1:2004, ISO/IEC 27001:2005, FIPS Pub 200, ITIL, Workgroup for Electronic Data Interchange, US National Information Assurance (IA) Glossary

Generally Accepted Accounting Principles (GAAP)

The accounting principles that the entity should use. For federal executive agencies, these are federal accounting standards following the hierarchy listed in SAS 91. The standards issued by FASB are the first level of the hierarchy. For government corporations, generally accepted accounting principles are commercial generally accepted accounting principles issued by FASB.

GAO/PCIE Financial Audit Manual

Generally Accepted Internet Security Principles (GAISP)

The GAISP provides a means to unify and harmonize information security efforts and measure their success. It offers a translation of existing regulations, standards, and accepted practices into logical strategy and detailed tactics that can be implemented by any organization.

Information Systems Security Association

Guideline

Recommended configurations, policies, or actions developed to provide assistance in complying with one or more policies or standards. A description of a particular way of accomplishing something that is less prescriptive than a procedure. The hallmark of a guideline is that it will have a set of general principles followed by a set of procedures that guide the user through the necessary steps that should be followed with respect to the given topic under consideration. See also regulation, standard, best practice, policy, procedure.

Centers for Medicare & Medicaid Services (CMS), CobiT, ITIL

Least privilege

The principle that each user is granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.

Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary

Pareto Principle

A technique used to prioritize activities. The Pareto principle says that 80% of the value of any activity is created with 20% of the effort. See also the 80-20 rule.

ITIL

Privacy

Freedom from unauthorized intrusion. The right of individuals to control or influence information that is related to them in terms of who may collect or store it and to whom that information may be disclosed. The individual's right to privacy must be protected in Federal Government information activities involving personal information. Such information is to be collected, maintained, and protected so as to preclude intrusion into the privacy of individuals and the unwarranted disclosure of personal information.

ISACA, OMB Circular A-130, Centers for Medicare & Medicaid Services (CMS)

Reassessment principle

Participants should review and reassess the security of information systems and networks and make appropriate modifications to security policies, practices, measures, and procedures.

OECD Guidelines for the Security of Information Systems and Networks

Response principle

Participants should act in a timely and cooperative manner to prevent, detect, and respond to security incidents.

OECD Guidelines for the Security of Information Systems and Networks

Responsibility principle

All participants are responsible for the security of information systems and networks.

OECD Guidelines for the Security of Information Systems and Networks

Risk assessment principle

Participants should conduct risk assessments.

OECD Guidelines for the Security of Information Systems and Networks

Security architecture

A description of security principles and an overall approach for complying with the principles that drive the system design; i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments.

NIST 800 series

Security design and implementation principle

Participants should incorporate security as an essential element of information systems and networks.

OECD Guidelines for the Security of Information Systems and Networks

Security management principle

Participants should adopt a comprehensive approach to security management.

OECD Guidelines for the Security of Information Systems and Networks

Security principle

A strategic objective in an information security policy. Common security principles include confidentiality, integrity and availability. Other objectives such as non-repudiation and accountability can also be security principles.

ITIL

Seven principles of the OECD Guidelines for the Security of Information Systems and Networks

See awareness, responsibility, response, risk assessment, security design and implementation, security management, and reassessment principles.

OECD Guidelines for the Security of Information Systems and Networks


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.