Seven guiding principles for a better information security practice

Published April 27, 2020

Cyber threats can make our increasingly online world feel like a wild frontier. We don’t always agree how to navigate this wilderness, but there are some goals and ideals we do agree on.

The big-picture goals of information security are pretty simple: we want to support the creation and sharing of knowledge and information at UB as intended, while keeping our systems, data and people safe, keeping bad actors out and making sure the people on the other end of our communications are who they say they are.

To help us find the right path forward, I’ve outlined seven guiding principles designed to help us, both as individuals and as an organization, build a culture and practice of information security:

  1. Security as a culture
  2. Demonstrated control
  3. Trust, but verify
  4. Defense in depth
  5. Default secure
  6. Least privilege
  7. Minimum necessary

You can see a detailed description of these principles on the UB ISO web page. They are designed to be broadly applied in our technology, our careers and our lives—much like the data we create and share every day.

Imagine what it might look like to “practice” information security in your daily life. Checking email at a coffee shop, sending a spreadsheet around to your colleagues—all the while “checking in,” stopping regularly to think “How am I doing? Am I making the proper considerations for security based on what I’m working on, and whom I’m working with?”

The first step down the path forward is simply being mindful about our security practice, and setting good intentions about securing your personal and work data.  

Just like leaving the front door to your house ajar, a lax security practice telegraphs to others that we may be vulnerable. But intentionality is a powerful thing: by reflecting in our everyday actions the intention to be more mindful of our personal and work data, we signal to others that we are thoughtful and trustworthy.  

While these principles apply broadly to our institution here at UB, I encourage everyone to think about how they can be practiced daily on an individual level.

For instance, we can all practice “defense in depth” by using a strong, unique password for each of our online accounts, even when we’re also using two-step verification (because we know that no single layer of security is perfect).

Likewise, we can practice being “secure by default” by locking our computers when the screensaver kicks in. It’s a simple, one-time settings change that makes your machine safer (by default) in a variety of common situations.

It’s a practice—so keep practicing. Keep these principles in mind in your daily life, and you will automatically begin down a path of security that leads to peace of mind online, at work and in your personal life.
