Eight Rules of Information System Security


Time and time again after an attack I have been told by people, “I don’t understand why my network is infected when I have the top-rated antivirus product installed.” Sure you do, but that is not enough. There are many IT professionals in the industry struggling to understand how security works or how much is enough. In this short article we are going to describe conceptual rules of security, regardless of what products you use to implement these rules. These eight rules of security and their concepts are taken from Kevin Day’s book “Inside the Security Mind.” The aim of this article is to establish a basic explanation of these rules and provide practical examples.

“To secure a network you need to have a security mind.”

To begin with the idea of security, I need you to know there is no simple formula or product that can provide a secure system. The foundation of security relies on the mindset of those who implement security and use the network, which includes IT staff, staff in general, your contractors and your customers. There are eight rules that Kevin Day explains in his text, and time and time again I have seen networks that focus on one or more rules from this list, spending thousands while ignoring some of the other rules from the list. It is critical to understand that ignoring a single rule could result in a serious disaster. It is important to protect your information system on all fronts.

The Eight Golden Rules

Eight Rules of Information System Security

Rule of the weakest link

Your security is only as good as your weakest link. If you spend thousands installing an expensive edge firewall but offer unrestricted VPN access to a trusted partner whose security is questionable, then you are in trouble. The rule of the weakest link is also the reason why all eight rules must be considered when building and maintaining security.

Rule of Least Privilege

Does your partner require access to all of your network? Most probably not. You need to provide an access level to the services and areas that are needed to perform a business task, but you should not provide unrestricted access to anyone within or outside of your organisation for the sake of convenience. For example, when you provide administrative access to your network for contractors, you need to ask yourself a question.

Ask yourself: does your contractor require administrative access to all of the network, or to a specific server?
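The question above can be turned into a routine review of third-party access rules. The following is an added example written for this article, not code from the book or the author; the rule fields (who, destination, service, privilege) and the sample rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of an access rule granted to a partner or contractor.
# Field names and the "any" convention are assumptions for this illustration.
@dataclass(frozen=True)
class AccessRule:
    who: str          # partner or contractor account / VPN group
    destination: str  # host or network reachable; "any" means the whole network
    service: str      # protocol/port or application; "any" means every service
    privilege: str    # "user" or "admin"

def least_privilege_findings(rule: AccessRule) -> List[str]:
    """Return the ways this rule grants more than a specific business task needs.

    An empty list means the rule is scoped to a destination, a service and a
    privilege level; a non-empty list is the set of questions to ask before
    approving it for the sake of convenience.
    """
    findings = []
    if rule.destination == "any":
        findings.append("destination is the whole network; restrict to the specific server(s) needed")
    if rule.service == "any":
        findings.append("all services are reachable; restrict to the service(s) the task requires")
    if rule.privilege == "admin" and rule.destination == "any":
        findings.append("administrative access across the network; scope admin rights to one server")
    return findings

def review_rules(rules: List[AccessRule]) -> Dict[AccessRule, List[str]]:
    """Map every rule to its findings so the whole partner access list can be reviewed at once."""
    return {rule: least_privilege_findings(rule) for rule in rules}

# Constructed examples: the convenient rule and its least-privilege alternative.
CONVENIENT_RULE = AccessRule("partner-vpn", "any", "any", "admin")
SCOPED_RULE = AccessRule("partner-vpn", "app-server-01", "tcp/443", "user")

if __name__ == "__main__":
    for rule, findings in review_rules([CONVENIENT_RULE, SCOPED_RULE]).items():
        print(rule, "->", findings or "follows least privilege")
```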

Rule of Trust

When you allow a third party access to your network, or when you include a third-party application or module in your application, you are establishing a chain of trust, meaning you are trusting the third-party provider to do the right thing for their security and yours. It’s critical to understand that a trusted partner with a weak security system, or an application without ongoing security updates, could become the weakest link in your security.

Rule of Separation

Many people think of the rule of separation as an optional rule, especially in small and medium networks. Most of the time when we think of the need for the rule of separation, it is linked to an example of someone with high network privilege, for example an IT manager or administrator, acting criminally in retaliation or for self-interest. While the rule of separation is critical for such a situation, and for implementing a high security standard, there is another reason why the rule of separation is important.

Humans are lazy, and our IT staff and contractors are also human. By handing all of the duties and roles to a single individual with no oversight or cross-check, you increase the risk of exposure by introducing more vulnerabilities into your network as a result of your administrator’s or contractor’s human behaviour. For example, I have often met administrators who do not change their own password for convenience while enforcing password changes on other users. Another example is those IT professionals who disable the firewall instead of configuring an advanced firewall rule for an application to work.

Rule of Change

Change can be complex, and it can introduce new risks, some of which may not be known at the time of implementation. It is important to plan changes in a well-organised manner and consider their impact on the security posture of the organisation. Often, ad hoc changes made to implement new services or to troubleshoot an issue lead to new vulnerabilities. For example, an administrator troubleshooting a service disruption under pressure executes a number of changes in the hope of getting the system working, including disabling the firewall to rule it out as the cause, and then conveniently leaves it disabled.

Rule of the Three Fold Process

Security is an ongoing project with no end date. The rule of the three fold process dictates that we continue to run this project in a loop, cycling through implementation, maintenance and monitoring.

Rule of the Three Fold Process

Rule of Preventative Action

Have you heard the expression “Prevention is better than cure”? In security, we must drive our security policies and procedures to prevent an attack rather than react to one. Sure, you will implement a password policy after passwords are compromised, but why not implement it before it happens?

Rule of Immediate Proper Response

When an attack occurs, people either panic or are stuck with a blank sheet of paper, so what do we do? It is critical for an organisation to develop a clear incident response procedure and provide ongoing training to its staff about the procedure. In the absence of a clear response plan, the impact of an attack could expand, and important information about the attack that could prevent future attacks could be lost. An example of a simple plan is below:

Virus infection response for end devices

“What should you do if your computer is infected with a virus?

Isolate the machine by disconnecting it from the network, do not plug any removable storage into the infected machine, and report the incident to the IT department.”

The absence of a simple procedure like this, or a lack of training for it, could result in serious damage. A staff member with little understanding of computer threats could continue using the machine while it is connected to the company’s network and unintentionally spread the virus to other machines on the network.

“Regardless of the expensive firewall and Antivirus software, without the security mind your security will fail.”


To conclude our discussion of the eight golden rules of security, it is important to understand that they all form a chain together to protect your environment. When you are designing your security, consider these rules before buying an expensive firewall and software. Keep in mind that while those products may be necessary for your needs, without the security mindset they will not be sufficient, and your security will fail.