Best Security Practices: An Overview

Security technology is important to security, but the practices of the people who develop, integrate, evaluate, configure, maintain, and use that technology are more important; indeed, these practices are the foundation of technical (as well as physical and personnel) security. It is crucially important, therefore, that security practices be good ones; when feasible, best security practices (BSPs) should be used. In Section 2 this paper defines "BSP," asserts the need for multiple levels of goodness among BSPs, and connects the sharing of BSPs to Knowledge Management. Section 3 argues for the use of a security process framework (SPF) to categorize BSPs and describes an SPF that harmonizes three well-known collections of BSPs. Section 4 identifies six important phases, or functions, of the BSP life cycle–namely, identify, package, evaluate, adopt, deliver, and improve–and briefly discusses packaging (offering a format for BSPs) and evaluation (discussing some criteria for such evaluation). A summary concludes the paper.