It's not easy getting information security right. It is easy to get advice (often from vendors who want to sell you their semi-magic fix for all that ails you) on what you should be doing. But actually protecting your corporate or personal data turns out to be hard in the real world.
There are lots of rule sets you can follow, or in some cases must follow, to protect information. These include the multiple families of security standards put out by the International Organization for Standardization (ISO), which, to me, are too complex and theoretical for humans to effectively implement.
It is frequently quite hard to figure out why these types of rules say what they do; too rarely do they include enough context for the reader to understand what threat is being addressed and how the rule addresses it. It is also hard to tell which parts of the rules are essential and which can be tweaked for a local environment without seriously weakening actual security.
Dumb ideas
Sometimes you can learn more by finding out what not to do than by being told what to do. The best list of things not to do, or more precisely of dumb security ideas, is US computer and network security researcher Marcus Ranum's ‘The Six Dumbest Ideas in Computer Security’. This list of bad ideas comes with very good explanations of why each one is dumb. It's a few years old, but the lessons still apply today.
The dumb idea I most relate to, being from an educational institution, is No. 5: ‘educating users’. Fundamentally, users cannot be educated to pay reliable attention to security, and any security mechanism that depends primarily on educating users will fail.
A different type of list of ‘what not to do’ was just published by the computer security training and certification centre SANS Institute: ‘How to Suck at Information Security’. This list does not give the kind of background and explanation for each bad idea that Ranum provides in his, but it is quite instructive anyway. If you know something is a bad idea, maybe you can think about why and learn from that process.
The SANS list is broken into five parts, each listing common information-security mistakes and misconceptions. The sections include security policy and compliance, security tools, risk management, security practices and, finally, password management.
SANS Examples of Bad Security Ideas
• Say 'no' whenever asked to approve a request;
• Enforce policies that have not been properly approved;
• Make somebody responsible for managing risk, but don't give the person any power to make decisions, and;
• Require your users to change passwords too frequently.
What is Information Security?
The Cornell University Law School, in the US, says information security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction, in order to provide:
Integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
Confidentiality, which means preserving authorised restrictions on access and disclosure, including means for protecting personal privacy and proprietary information, and;
Availability, which means ensuring timely and reliable access to and use of information.