
Basic principles of building security systems

Updated 08.01.2024 06:12


To protect information in information systems, the following principles can be formulated:

1. Legality and validity of protection.

The principle of legality and validity requires that the protected information, by its legal status, belongs to a category of information that the law requires to be protected.

2. Systematic approach.

A systematic approach to the protection of an information system requires taking into account all of its interrelated, interacting and time-varying elements, conditions and factors:

in all types of information activities and information manifestations;

in all structural elements;

in all modes of operation;

at all stages of the life cycle;

taking into account the interaction of the object of protection with the external environment.

When ensuring the security of an information system, it is necessary to take into account all the weak, most vulnerable points of the information processing system, as well as the nature, likely targets and directions of attacks on the system by intruders (especially highly skilled ones), the ways of penetrating distributed systems and the ways of gaining unauthorized access to information. The protection system should be built taking into account not only all known penetration channels, but also the possibility of fundamentally new ways of implementing security threats.

3. Comprehensiveness.

Comprehensive (integrated) protection involves coordinating heterogeneous means into a single protection system that covers all significant channels of threat implementation and has no weaknesses at the junctions between its individual components.

4. Continuity of protection.

Information protection is a continuous, purposeful process that involves taking appropriate measures at all stages of the information system lifecycle, starting from the earliest stages of design. The protection system should be developed in parallel with the development of the protected system itself.

5. Reasonable sufficiency.

It is fundamentally impossible to create an absolutely insurmountable protection system: given sufficient time and money, any protection can be overcome. Therefore, only some acceptable level of security can be achieved. A highly effective protection system requires large resources (financial, material, computing, time) and can create significant additional inconvenience for users. It is important to choose the level of protection at which the costs, the risk and the amount of possible damage are all acceptable (this is the task of risk analysis).
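The risk-analysis task mentioned above can be made concrete with a small quantitative model. The following is an added example, not part of the original article: it applies the standard annualized loss expectancy model (ALE = SLE × ARO) to one constructed threat and several constructed candidate controls, and picks the control whose residual risk is within an accepted threshold and whose net benefit is positive. All monetary values, incident rates and control names are invented for the illustration.

```python
# Added example (not from the original article): a minimal quantitative
# risk-analysis calculation illustrating the "reasonable sufficiency" principle.
# It uses the standard annualized loss expectancy (ALE) model; every number
# below is constructed for the demonstration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float   # single loss expectancy: damage per incident, in currency units
    aro: float   # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # yearly cost of the control (licences, staff, user friction)
    aro_reduction: float  # fraction of incidents the control prevents, 0.0..1.0


def ale(threat: Threat, aro_factor: float = 1.0) -> float:
    """Annualized loss expectancy: expected yearly damage from one threat."""
    return threat.sle * threat.aro * aro_factor


def residual_ale(threat: Threat, control: Control) -> float:
    """ALE that remains once the control prevents its share of incidents."""
    return ale(threat, 1.0 - control.aro_reduction)


def net_benefit(threat: Threat, control: Control) -> float:
    """Yearly risk reduction minus the control's yearly cost.
    Negative means the control costs more than the damage it prevents."""
    return ale(threat) - residual_ale(threat, control) - control.annual_cost


def choose_control(threat: Threat, candidates: List[Control],
                   acceptable_ale: float) -> Optional[Control]:
    """Among controls that bring residual risk under the accepted threshold,
    return the one with the highest positive net benefit. Returns None when no
    candidate is both acceptable and worth more than it costs, i.e. when the
    remaining risk has to be accepted or transferred rather than mitigated."""
    acceptable = [c for c in candidates if residual_ale(threat, c) <= acceptable_ale]
    worthwhile = [c for c in acceptable if net_benefit(threat, c) > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda c: net_benefit(threat, c))


# Constructed scenario: one threat with ALE = 200,000 * 0.25 = 50,000 per year.
RANSOMWARE = Threat("ransomware on file server", sle=200_000.0, aro=0.25)

# Constructed candidate controls. The last two reduce risk the most but cost
# more than they save, which is exactly the "absolute protection" trap.
CONTROLS = [
    Control("no extra control", annual_cost=0.0, aro_reduction=0.0),
    Control("endpoint hardening and patching", annual_cost=12_000.0, aro_reduction=0.6),
    Control("hardening + managed detection service", annual_cost=48_000.0, aro_reduction=0.9),
    Control("full air-gap of the file server", annual_cost=90_000.0, aro_reduction=0.99),
]


if __name__ == "__main__":
    print(f"baseline ALE: {ale(RANSOMWARE):,.0f}")
    for c in CONTROLS:
        print(f"{c.name:45s} residual {residual_ale(RANSOMWARE, c):>10,.0f}"
              f"  net benefit {net_benefit(RANSOMWARE, c):>10,.0f}")
    chosen = choose_control(RANSOMWARE, CONTROLS, acceptable_ale=25_000.0)
    print("chosen:", chosen.name if chosen else "none (accept or transfer the risk)")
```

With an accepted residual ALE of 25,000 the hardening control is chosen (residual 20,000, net benefit 18,000). Lowering the threshold to 10,000 leaves only controls whose cost exceeds the damage they prevent, so the function returns None: the model says that level of protection is not economically reasonable for this threat.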

6. Flexibility.

External conditions and requirements change over time. The measures taken and the protective means installed can provide either an excessive or an insufficient level of protection. To make it possible to vary the level of protection, the protective means must have a certain flexibility.

7. Openness of algorithms and protection mechanisms.

The essence of the principle of openness of protection mechanisms and algorithms is that knowledge of the protection system's algorithms should not allow anyone, not even the developer of the protection, to overcome it. However, this does not mean that information about a specific security system should be publicly available; it is still necessary to protect against the threat of disclosure of the system's parameters.
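Both halves of this principle can be shown with a message-authentication check whose algorithm is entirely public. The following is an added example, not code from the original article: it uses HMAC-SHA256 from the Python standard library, so the algorithm is known to everyone, and the only secret is the key. The first demonstration function shows that a party without the key cannot produce a tag that verifies, even with full knowledge of the algorithm; the second shows that disclosing the system parameter (the key) defeats verification completely, which is why parameters, unlike algorithms, must stay protected. Keys and messages are generated or constructed for the demonstration.

```python
# Added example (not from the original article): the "openness of algorithms"
# principle in practice. The verification algorithm is public (HMAC-SHA256);
# the only secret is the key. Keys and messages here are constructed.
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Public algorithm, secret key: HMAC-SHA256 over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many tag bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def forgery_rejected_without_key(message: bytes) -> bool:
    """Open algorithm, secret parameter: a party who knows HMAC-SHA256 in full
    but not the server's key can only tag under some other key, and that tag
    is rejected. Returns True when verification correctly fails."""
    server_key = secrets.token_bytes(32)   # generated server-side, never shared
    other_key = secrets.token_bytes(32)    # the best a key-less party can do
    return not verify_tag(server_key, message, make_tag(other_key, message))


def key_disclosure_defeats_verification(message: bytes) -> bool:
    """The second half of the principle: if the system parameter (the key) is
    disclosed, anyone can produce a tag that verifies for any message, so the
    parameter must be protected even though the algorithm is public.
    Returns True when a tag made with the leaked key is accepted."""
    server_key = secrets.token_bytes(32)
    leaked_key = bytes(server_key)         # model of a disclosed parameter
    forged = make_tag(leaked_key, message + b" (modified)")
    return verify_tag(server_key, message + b" (modified)", forged)


if __name__ == "__main__":
    msg = b"constructed message: approve request 42"
    print("key-less forgery rejected:   ", forgery_rejected_without_key(msg))
    print("leaked key passes verification:", key_disclosure_defeats_verification(msg))
```

The design consequence is that a review of this code, including by its own author, does not weaken the system; only the confidentiality of the key does. In practice this is what makes key rotation and key storage (rather than source-code secrecy) the operational controls that matter for such a mechanism.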

8. Ease of use of protective means.

The protection mechanisms should be intuitive and easy to use. Using the protective means should not require significant additional effort during the normal work of legitimate users, and should not require users to perform operations that are unclear to them.