Разбирая выложенные курсы MIT, я обнаружил забавный перечень принципов ИБ. Он мне очень понравился, привожу полностью:
Some principles:
- Be skeptical and paranoid
- Don’t aim for perfection (“there are no secure systems, only degrees of insecurity…”)
- Tradeoff cost/security (“to halve the risk, double the cost…” – Adi Shamir)
- Be prepared for loss
- “KISS” (“keep it simple, stupid!”)
- Ease of use is important
- Separation of privilege – require 2 people to perform action
- Defense in depth (layered defense)
- Complete mediation (all requests checked for authorization)
- Least privilege (don’t give some more permissions than they need)
- Education
- Transparency (no security through obscurity)
