Jun 20, 2010

Incident management principles

A blog explaining useful principles for managing incidents draws an interesting analogy I've not seen before:
"Incident management plans can be considered one element of a company's risk insulation policy. If risk management is considered in terms of the insulating layers surrounding a live wire (the program or business activity), each layer of mitigation or management affords an additional level of protection against disruptive or harmful influences—thus making a risk pass through several layers of protection or defense prior to being able to cause harm"
That's a neat description of the well-known principle of 'defense in depth', which is one of a handful of high level and very broadly applicable information security principles.

I have an abiding interest in such high-level principles, an interest triggered by trying to compile a set of them to guide the development of our information security policy based on ISO/IEC 27002.  The ISO standard presents a set of 39 control objectives, which were relatively easy to convert into a corresponding set of 39 policy axioms.  Needing an even more succinct and generic set of principles as well, I compiled a shortlist of 7 along the lines of: compliance with ISO/IEC 27002; information deserving protection as a valuable asset; controls needed to protect the confidentiality, integrity and availability of information; information security being pervasive throughout the entire organization; defense in depth ... and so on.  Personally, I wish ISO/IEC 27002 would incorporate a set of high-level principles of this nature, but ISO/IEC JTC1/SC27 has such ponderous and tortuous development processes that there's little realistic chance of this happening - unless someone finds a decent set of published infosec principles that would give us a head start.

What would you suggest?