Information Security Practice Principles: a Rosetta Stone for information security work

Too often, security professionals, developers, and operators are left to re-learn security methods every time the technology changes. They don't speak the same language as one another when it comes to security, let alone a language easily understood by management, lawyers, or laypeople. Our day-to-day way of speaking about information security is bound up in individual technologies and controls, and it frequently misses the forest for the trees: there is no underlying strategy.

This talk presents the Information Security Practice Principles (ISPPs), developed at the Indiana University Center for Applied Cybersecurity Research. The ISPPs offer an answer to the not-so-simple question: what makes a system, a piece of code, a component, or an entire network secure or insecure? They provide unchanging guideposts that let one select security approaches for any technology or situation, and explain those approaches and their trade-offs to stakeholders who may not have a deep understanding of every technology in play, right up to the C-suite.