Good security principles should be reused. So save time and prevent extra risks by using good security principles for your new product. Why reinvent the wheel again?
You can also download all security principles to reuse them offline in your own project:


You are invited to add or improve a security principle. Create a pull request on the list hosted on GitHub, or use the mail form here.

Remember: Having good security principles for your new business/project/system is a MUST. However, security principles alone are not enough. We can offer on-demand business IT consultancy to help you implement and manage your IT security. Contact us for more information.

If you have questions regarding these security principles, please contact us.

Complete mediation
Statement: Complete mediation
Rationale: Access rights are completely validated every time an access occurs. Systems should rely as little as possible on access decisions retrieved from a cache. Again, file permissions tend to reflect this model: the operating system checks the user requesting access against the file’s ACL. The technique is less evident when applied to email, which must pass through separately applied packet filters, virus filters, and spam detectors.
  • Document decisions regarding use of cached data for security services.
  • Usability aspects should be taken into account when setting cache invalidation timers.
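The trade-off between per-access validation and cached access decisions, as an added example that is not part of the original list: a small mediator re-checks the ACL on every access when `cache_ttl` is 0, and otherwise reuses decisions until the timer expires or a revocation purges them. The class, function and sample names (`Mediator`, `decisions_after_revoke`, `alice`, `payroll.db`) are hypothetical.

```python
import time

class Mediator:
    """Guards every access; cache_ttl=0 means each access re-validates the ACL."""

    def __init__(self, acl, cache_ttl=0.0, clock=time.monotonic):
        self.acl = acl              # authoritative set of (user, resource, action)
        self.cache_ttl = cache_ttl  # seconds a cached decision may be reused
        self.clock = clock
        self._cache = {}            # key -> (decision, time decided)

    def check(self, user, resource, action):
        key = (user, resource, action)
        now = self.clock()
        hit = self._cache.get(key)
        if hit is not None and now - hit[1] < self.cache_ttl:
            return hit[0]           # reused decision: may be stale after a revoke
        decision = key in self.acl  # full validation against the current ACL
        if self.cache_ttl > 0:
            self._cache[key] = (decision, now)
        return decision

    def revoke(self, user, resource, action, purge_cache=True):
        self.acl.discard((user, resource, action))
        if purge_cache:             # event-driven invalidation closes the stale window
            self._cache.pop((user, resource, action), None)


def decisions_after_revoke(cache_ttl, probe_times, purge_cache=False):
    """Grant, access once at t=0, revoke, then record the decision at each probe time."""
    now = [0.0]                     # fake clock so the run is deterministic
    key = ("alice", "payroll.db", "read")   # constructed sample identity and resource
    mediator = Mediator({key}, cache_ttl, clock=lambda: now[0])
    mediator.check(*key)            # first access (warms the cache when caching is on)
    mediator.revoke(*key, purge_cache=purge_cache)
    results = []
    for t in probe_times:
        now[0] = t
        results.append(mediator.check(*key))
    return results


if __name__ == "__main__":
    probes = [1, 29, 31]
    print("no cache      :", decisions_after_revoke(0, probes))
    print("30 s TTL      :", decisions_after_revoke(30, probes))
    print("30 s TTL+purge:", decisions_after_revoke(30, probes, purge_cache=True))
```

With a 30-second timer and no purge, the revoked user keeps access until the cached decision expires, which is the window the documented cache decision has to justify.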
Computer security is constrained by societal factors
Statement: Computer Security is Constrained by Societal Factors.
Rationale: The ability of security to support the mission of an organization may be limited by various factors, such as social issues. For example, security and workplace privacy can conflict. Commonly, security is implemented on an IT system by identifying users and tracking their actions. However, expectations of privacy vary and can be violated by some security measures. (In some cases, privacy may be mandated by law.)
  • User awareness campaigns should be included in the security processes on a regular basis.
  • IT security measures are a part of the total security system. Organizational processes and policies are of great importance.
Computer Security Requires a Comprehensive and Integrated Approach
Statement: Computer Security Requires a Comprehensive and Integrated Approach
Rationale: Providing effective computer security requires a comprehensive approach that considers a variety of areas both within and outside of the computer security field. This comprehensive approach extends throughout the entire information life cycle. To work effectively, security controls often depend upon the proper functioning of other controls. Many such interdependencies exist. If appropriately chosen, managerial, operational, and technical controls can work together synergistically.
Implications: The effectiveness of security controls (also) depends on such factors as system management, legal issues, quality assurance, and internal and management controls. Computer security needs to work with traditional security disciplines including physical and personnel security.
Computer Security Responsibilities and Accountability Should Be Made Explicit
Statement: Computer Security Responsibilities and Accountability Should Be Made Explicit
Rationale: The responsibility and accountability of owners, providers, and users of IT systems and other parties concerned with the security of IT systems should be explicit. The assignment of responsibilities may be internal to an organization or may extend across organizational boundaries.
Implications: Depending on the size of the organization, the computer security program may be large or small, even a collateral duty of another management official. However, even small organizations can prepare a document that states organization policy and makes explicit computer security responsibilities.
Computer Security Should Be Cost-Effective
Statement: Computer Security Should Be Cost-Effective.
Rationale: The costs and benefits of security should be carefully examined in both monetary and nonmonetary terms to ensure that the cost of controls does not exceed expected benefits. Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm. Requirements for security vary, depending upon the particular IT system.
  • Calculate the cost of damage against security measures.
  • Take note of possible legal boundaries and possible lawsuits (for liability) if no adequate security measures are taken.
  • Consider using proven generic OSS security services when applicable.
Computer Security should be periodically reassessed
Statement: Computer Security Should Be Periodically Reassessed
Rationale: Computers and the environments in which they operate are dynamic. System technology and users, data and information in the systems, risks associated with the system, and security requirements are ever-changing. Many types of changes affect system security: technological developments (whether adopted by the system owner or available for use by others); connection to external networks; a change in the value or use of information; or the emergence of a new threat. In addition, security is never perfect when a system is implemented.
Implications: Implement security audits and pentests with your security control processes.