10 Essential Digital Security Processes
1 like1,546 views
The document outlines ten essential digital security processes for organizations to implement in order to enhance their security posture. Key processes include compartmentalizing access, securing the weakest links, utilizing choke points, and fostering user involvement in security measures. It emphasizes the need for layered security, simplicity, continuous questioning of security assumptions, and assurance through structured processes.
10 Essential Digital Security Processes
- 2. Computer insecurity is inevitable, and technology alone cannot save us. We also need to implement and follow secure processes.
- 3. Here are 10 essential processes every organization should follow.
- 5. Compartmentalize Follow the principle of least privilege: only give people the privileges (e.g. server access) they need to do their job.
- 6. Secure the weakest link
- 7. Secure the weakest link Look at the entire vulnerability landscape and create an attack tree: find the weakest link and secure it. Then worry about the next weakest link and so on.
- 9. Use choke points A choke point forces users into a narrow channel, one that you can more easily monitor and control. Firewalls and login screens are some examples.
- 10. Provide defense in depth
- 11. Provide defense in depth This is about creating layers of security, such as a firewall combined with an intrusion detection system and strong cryptography.
- 12. Fail securely
- 13. Fail securely Systems should fail in such a way as to be more secure, not less. (For example, if an ATM’s PIN verification system fails, it should fail in such a way as to not spit money out the slot).
- 15. Leverageunpredictability There’s no reason to broadcast your network topology to everyone that asks. If networks are unpredictable, attackers won’t be able to wander around so freely.
- 17. Embrace simplicity A system is only as secure as the weakest link, so a system with fewer links is easier to secure.
- 18. Enlist the users
- 19. Enlist the users Security measures that aren’t understood and agreed to by everyone don’t work. Enlist their support as much and as often as possible.
- 20. Assure
- 21. Assure What we really need is assurance that our systems work properly. This involves a structured design process, detailed documentation, and extensive testing.
- 22. Question
- 23. Question Constantly question security. Question your assumptions and decisions. Question your trust and threat models. Keep looking at your attack trees. Trust no one, especially yourself.
- 24. Find out how to build secure systems in by Bruce Schneier Secrets & Lies Digital Security in a Networked World