Understanding Security Governance through Principles and Policies

Welcome, friends! We continue our journey through Chapter One of the Sybex Ninth Edition book, which covers security governance through principles and policies. In our previous three videos, we discussed security principles and how security policies are derived from them. We also explored how a security program is built on a security framework and walked through the steps in conceiving an information security policy. Now we will look more closely at the security principles themselves, such as confidentiality, integrity, availability, and non-repudiation, and at how they relate to an organization's security governance. To illustrate these concepts, I will provide some real-life examples.

The Importance of Principles and Values

I refer to "The Seven Habits of Highly Effective People" by Stephen R. Covey as a guiding philosophy in my professional life. Covey distinguishes between principles and values. He states that principles are the territory, while values are the maps. When we value correct principles, we have the truth, or knowledge of things as they are. For example, calling an Apple Pencil by its correct name is truthful, whereas mislabeling it as a robot would not be. Principles such as fairness, integrity, honesty, human dignity, potential, patience, and encouragement are self-evident. Following these key concepts as driving forces in our lives leads to meaningful achievements. This concept is encapsulated in Covey's idea of being principle-centered.

Principles vs. Values in Organizational Context

Just as principles form the foundation of a value system in life, security principles form the foundation of information security policies in organizations. Sound principles lead to beneficial value systems, while unsound principles result in problematic value systems. The same pattern is evident in the frameworks and policies used across industries.

Security Principles and Policies

Security principles such as confidentiality, integrity, availability, and non-repudiation are the bedrock of information security policies. These principles guide the assessment of risks and the formation of security policies. For instance, frameworks such as the NIST (National Institute of Standards and Technology) Cybersecurity Framework and ISO/IEC 27001 are built on these principles to support comprehensive security governance.

Illustrating Principles with Examples

To further illustrate the importance of principles and values, let's consider a famous Bollywood movie, "Mohabbatein." In the film, the school is built on foundational concepts like tradition, honor, and discipline. Similarly, organizations like IBM develop value systems based on sound principles. Tradition, honor, and discipline must themselves be rooted in fairness, equality, and justice to be beneficial. Otherwise, they can become burdensome or unjust.

The Political Realm and Principles

In politics, the distinction between truth and lies often becomes blurred. Politicians may avoid labeling falsehoods as lies, instead using terms like "politically justified" or "diplomatically needed." This ambiguity highlights the importance of objectively defined principles: without them, the meaning of words drifts and can be used to conceal ulterior motives. Understanding this dynamic is crucial in both political and organizational contexts.

Conclusion

There is a subtle yet significant difference between principles and values. In information security, principles such as confidentiality, integrity, availability, and non-repudiation form the basis for developing information security policies and frameworks. These principles are not merely definitions but foundational realities that guide risk assessment and policy formation. As we continue our discussion in future videos, we will go deeper into these concepts, providing further context and understanding.

Thank you for watching, and let’s meet in another video to continue this enlightening discussion.


References

  1. Covey, S. R. (1989). The 7 Habits of Highly Effective People: Powerful Lessons in Personal Change. Free Press.
  2. Covey, S. R. (2004). The 8th Habit: From Effectiveness to Greatness. Free Press.
  3. Whitman, M. E., & Mattord, H. J. (2017). Principles of Information Security. Cengage Learning.
  4. Von Solms, B., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.
  5. National Institute of Standards and Technology (NIST). (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. NIST.
  6. International Organization for Standardization (ISO). (2013). ISO/IEC 27001: Information technology — Security techniques — Information security management systems — Requirements. ISO.
  7. Covey, S. R. (1994). Principle-Centered Leadership. Free Press.
  8. Lakoff, G. (2004). Don’t Think of an Elephant!: Know Your Values and Frame the Debate. Chelsea Green Publishing.
  9. Orwell, G. (1949). 1984. Secker & Warburg.

By understanding these concepts and their practical applications, we can better appreciate the relationship between security principles and policies and their impact on organizational security governance.