A security policy is a critical component of the design and implementation of information systems. It outlines the set of rules, practices, and procedures that specify how the system must manage, safeguard, and circulate sensitive information. Its objective is therefore to inform and guide the design, development, implementation, testing and maintenance of the information system. The three most important security rules and principles are the following:
- The rule of least privilege is a vital component of the design of computers and operating systems. Operating system processes should be designed to run in user mode whenever possible. The more processes that run in privileged mode, the higher the risk of a malicious incident in which an unauthorized user corrupts the system or gains control of it.
- The rule of separation of privilege relies on granular access permissions, that is, a specific permission for each type of privileged operation. This gives designers fine-grained control when assigning the right to run certain functions, rather than granting full system access.
- Accountability is vital in security design. Today's computing is based on the client/server model, in which users operate on independent computers with access to shared resources and services, giving clients a range of computing and storage capabilities.
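As an added example (not part of the original document), the least-privilege rule applied to a Unix service process: any setup that needs root happens first, then the process drops permanently to an unprivileged uid/gid and checks that it cannot regain root. It assumes Linux (setresuid/setresgid are glibc extensions) and, so that it can be run by a normal user, uses the caller's own ids as the target instead of a dedicated service account.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the given uid/gid. Returns 0 on success, -1 on
 * failure (errno set). Order matters: supplementary groups first, then
 * gid, then uid, because once the uid is unprivileged the other two
 * calls would no longer be permitted. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may clear the supplementary group list. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Setting real, effective AND saved ids makes the drop irreversible. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Confirm the drop: all three uids and gids must equal the target and,
 * unless the target itself is root, regaining root must fail.
 * Returns 1 when the process is confirmed unprivileged, else 0. */
int verify_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0) /* must not be able to climb back */
        return 0;
    return 1;
}

int main(void)
{
    /* Demo target: the caller's own ids (a real daemon would look up a
     * dedicated service account with getpwnam() and use its ids). */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("unprivileged: %s\n", verify_dropped(uid, gid) ? "yes" : "NO");
    return 0;
}
```

When started as root with a real service uid, the same two calls leave no saved root id behind, which is what makes the privileged window end for good.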