Good security principles should be reused. So save time and prevent extra risks by using good security principles for your new product. Why reinvent the wheel again?
You can also download all security principles to reuse them offline in your own project:
Remember: Having good security principles for your new business/project/system is a MUST. However, security principles alone are not enough; we can offer on-demand business IT consultancy to help you implement and manage your IT security. Contact us for more information.
In case of questions regarding these security principles, please contact us.
Information is power and this is certainly true in the context of technology-enabled global development interventions. How information is collected, stored, analysed, shared, and used has serious implications for both the populations about whom data are being transmitted, and the organizations transmitting the data.
Assess and mitigate risks to the security of users and their data.
Consider the context and needs for privacy of personally identifiable information when designing solutions and mitigate accordingly.
Ensure equity and fairness in co-creation, and protect the best interests of the end-users.
The security of a software system is linked to what its users do with it. It is therefore important that all security-related mechanisms are designed in a manner that makes it easy for users to deploy, configure, use, and update the system securely. Security is not a feature that can simply be added to a software system, but rather a property emerging from how the system was built and is operated.
The way each user interacts with software is dictated not only by the design and implementation decisions of its creators but also by the cognitive abilities and cultural background of its users.
Failing to address this design principle can lead to various problems, e.g.:
When designers don’t “remember the user” in their software design, inadvertent disclosures by the user may take place. If it is difficult to understand the authorization model, or difficult to understand the configuration for visibility of data, then the user’s data are likely to be unintentionally disclosed.
Designers sometimes fail to account for the fact that authenticated and properly authorized users can also be attackers! This design error is a failure to distrust the user, resulting in authorized users having opportunities to misuse the system.
When security is too hard to set up for a large population of the system’s users, it will never be configured, or it will not be configured properly.
The term information domain arises from the practice of partitioning information resources according to access control, need, and levels of protection required. Organizations implement specific measures to enforce this partitioning and to provide for the flow of authorized information between information domains. The boundary of an information domain represents the security perimeter for that domain.
An external domain is one that is not under your control. In general, all external systems should be considered insecure.
Take proactive security measures to protect secure data crossing information boundaries.
Design secure information exchange interfaces (APIs).
Consumers should be provided with the audit records they need to monitor access to their service and the data held within it.
If this principle is not implemented, consumers will not be able to detect and respond to inappropriate or malicious use of their service or data within reasonable time-scales. In most countries this is a legal requirement from a privacy point of view.
Secure audit mechanism needed.
Requirements needed for audit data retention, storing, archiving.
Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
Authentication is the process where a system establishes the validity of a transmission, message, or a means of verifying the eligibility of an individual, process, or machine to carry out a desired action, thereby ensuring that security is not compromised by an untrusted source. It is essential that adequate authentication be achieved in order to implement security policies and achieve security goals.
Authentication service needed for users and application processes.