Using good cyber security principles is crucial for creating a product or service that is secure by default.

Security architecture principles are used to translate selected alternatives into basic ideas, standards, and guidelines for simplifying and organising the construction, operation, and evolution of systems.

It is important to draw an early differentiation between standards, requirements, and principles:

As such, the purpose of our collected principles is to support decision making with regard to security and privacy design within all organizations.

Principles guide architects, consultants and designers in decision making. Within business design and architecture, you will find many people with strong opinions about what a good and usable principle is or is not. Discussion is always good for getting a better understanding of each other's mental maps. However, discussions on what a good security principle is should be targeted at what you can do with principles. How do principles help you and your company? Can principles help you do projects faster and better? Can principles prevent your company's architecture and software systems from becoming the next overly complex IT landscape?

Security and privacy principles are a crucial foundation, as they establish the basis for a set of rules and behaviours for any organization.

In the following section you will find good security principles.