Six Irrefutable Laws of Information Security

2. IT Risk and Security: Opposing Forces
Locked Down: Information assets should be fully protected.
Open Access: Reduces cost and enables use of data and systems.
2 Copyright © 2012 Intel Corporation. All rights reserved.
3. IT Risk and Security: A Balancing Act
Open Access: Reduces cost and enables use of data and systems.
Locked Down: Information assets should be fully protected.
How do we balance:
• Access to information?
• Protection of information?
• Legal compliance?
• Privacy of data?
• Cost of controls?
4. You can achieve balance in your security controls by understanding the Six Irrefutable Laws of Information Security1 and making choices about your design accordingly.
1 Phil Venables 2008, adapted from Scott Culp 2000, Pete Lindstrom 2008, and other sources
5. Law 1: Information wants to be free.
People have a natural tendency to share information with each other—through talk, posts, and email.
Sharing information creates potential for leakage. People may release information that shouldn’t be set free. But sharing also increases innovation. We need to make it safe to collaborate.
* Other names and brands may be claimed as the property of others.
6. Law 2: Code wants to be wrong.
Because people write code, it will never be 100 percent error-free.
If intruders are smart and persistent, they will find a way into the software. There is no simple solution. We need to stay vigilant and ready to adjust security controls.
7. Law 3: Services want to be on.
Services need to be left on so that processes and updates can run in the background.
But when services are left on, security risk rises. People add to the risk by installing services like application updates. Services that “are always on” can potentially open a straight line into the system for the intruder.
8. Law 4: Users want to click.
When people are connected to the Internet, they sometimes click on things without thinking.
Curiosity can overcome judgment when people see interesting things on the Internet. Clicking on things makes systems and people vulnerable.
9. Law 5: Even a security feature can be used for harm.
The risks of code errors and services left on leave “holes” in security controls.
Security controls are designed to create safety. But, like other software, security controls are created with code, and can be manipulated and co-opted by hackers with malicious intent.
10. Law 6: The efficacy of a control deteriorates with time.
We tend to set and forget about security controls, allowing them to lose effectiveness over time.
Forgetting about security controls leaves systems open to risk. Hackers move fast; we need to move faster—and maintain an ongoing assessment of controls.
11. You may think you know a threat when it approaches…
12. … but don’t assume you recognize the true risk.
13. Risk surrounds and envelops us. Without understanding it, we risk everything; without capitalizing on it, we gain nothing.4
4 Glynis Breakwell – The Psychology of Risk
14. The most effective information security controls help you understand, manage, and balance the inevitable risks.
If you want to know more…
"Can Information Security Survive?" webinar: Malcolm Harkins, Vice President and Chief Information Security Officer at Intel, talks about balancing business needs and growth with risk mitigation.
15. Learn more about Intel IT’s information security initiatives at: Intel.com/IT