From the Director - The 12 points of Information Security

Gene Spafford
Those of us in security are very much like heart doctors. Our patients know that lack of exercise, too much dietary fat, and smoking are all bad for them. But they will continue to smoke, and eat fried foods, and practice being couch potatoes until they have their infarction. Then they want a magic pill to make them better all at once, without the effort. And by the way, they claim loudly that their condition really isn't their fault — it was genetics, or the tobacco companies, or McDonald's that was to blame. And they blame us for not taking better care of them; but it doesn't have to be this way. We can do things better. We need to stop doing business as usual and start focusing on end-to-end quality. Security needs to be built in from the start — not slapped on after the fact.
— Gene Spafford, NIST
12 Points of InfoSec
- Create constancy of purpose toward improvement of security and electronic privacy, with the aim to lower risk to an acceptable level and to provide trusted systems and trusted information.
- Adopt the new philosophy. All must awaken to the challenge, learn their responsibilities and take on leadership for change.
- Lessen dependence on hardware, technology or software alone to achieve security. Build Information Security into the process and the system from the beginning.
- End the practice of awarding business to Information Security vendors based solely on a price tag. Instead, minimize total cost and leverage existing investments. Move toward a single supplier for any/all security needs. Create long-term partnerships and establish long-term relationships of loyalty and trust.
- Improve constantly and forever the entire system. Embrace the Kaizen concept of small systemic improvements over a long period of time.
- Institute training on the job. Information security is EVERYONE'S responsibility.
- Institute Information Security leadership.
- Drive out the fear of reprisal or embarrassment, so that everyone may work effectively toward Information Security and efficiency.
- Break down the communications barriers between units/departments/offices/titles: share information.
- The bulk of all Information Security events are caused by the human element, or human factor. Stop stabbing at the effect and start targeting the cause.
- Institute a vigorous program of education, self-improvement and self audit.
- Put everybody to work on accomplishing the transformation. The transformation is everybody's job — Information Security is everyone's job...
(Adapted from Dr. W. Edwards Deming's 14 Points of Management)