Combined Security Principles

This is a collection of security principles that can be utilised by Security Architects on any given digital programme. Primarily created to provide a central view of principles for the delivery of UK-centric digital services, it collates the principles detailed by

  • NIST
  • ISC2 Certified Secure Software Lifecycle Professional (CSSLP) exam criteria
  • Information Security Forum (ISF)
  • UK CESG and Government Digital Service (GDS)
  • OWASP

PCI-DSS requirements have been purposefully omitted in the initial draft in favour of NIST to provide more generic Design Evaluation Criteria.

As this collection spans development, project delivery and operations, some terms are used interchangeably. While this set of principles is in development, the terms 'service', 'solution' and 'product' may be in conflict, as the various sources and requirements interchange their use.

Principles of the Principles

The following rules must apply to all principles:

  • It should be possible to test a decision in relation to a principle. Architecture principles should be specific enough to allow an architect to make a yes / no decision;
  • A principle should be realistic and achievable;
  • It must be possible to consider a principle in relation to a trade-off;
  • It is acceptable to diverge from a principle. However, architects should be aware that they are non-compliant and be able to justify non-compliance.