Principles and Practices
for Securing IT Systems
Table of Contents
1. Introduction
1.1 Principles
1.2 Practices
1.3 Relationship of Principles and Practices
1.4 Background
1.5 Audience
1.6 Structure of this Document
1.7 Terminology
2. Generally Accepted System Security Principles
2.1 Computer Security Supports the Mission of the Organization
2.2 Computer Security is an Integral Element of Sound Management
2.3 Computer Security Should Be Cost-Effective
2.4 Systems Owners Have Security Responsibilities Outside Their Own Organizations
2.5 Computer Security Responsibilities and Accountability Should Be Made Explicit
2.6 Computer Security Requires a Comprehensive and Integrated Approach
2.7 Computer Security Should Be Periodically Reassessed
2.8 Computer Security is Constrained by Societal Factors
3. Common IT Security Practices
3.1 Policy
3.1.1 Program Policy
3.1.2 Issue-Specific Policy
3.1.3 System-Specific Policy
3.1.4 All Policies
3.2 Program Management
3.2.1 Central Security Program
3.2.2 System-Level Program
3.3 Risk Management
3.3.1 Risk Assessment
3.3.2 Risk Mitigation
3.3.3 Uncertainty Analysis
3.4 Life Cycle Planning
3.4.1 Security Plan
3.4.2 Initiation Phase
3.4.3 Development/Acquisition Phase
3.4.4 Implementation Phase