1. UNDERSTAND THE ENVIRONMENT
Know what you need to protect. Reduce a problem to its lowest abstraction, and understand the risk and threat landscapes. Have one single source of truth.
2. PEOPLE, PROCESS, AND TECHNOLOGY
Security begins with people. Technology and process complement the people, not replace them. Educate people, create processes, then implement technology. Pick the right people. Quality is better than quantity.
3. DEFENSE IN DEPTH
Security is built around layers, with each layer being more difficult to penetrate. Make the invisible visible, and always try your best to engage a threat at the outermost layer.
4. DON’T TRUST, ALWAYS VERIFY
Never trust input. Make sure you authenticate the source. Be wary of unknown output as well.
5. PREPARE FOR THE CRISIS YOU HAVE, NOT THE ONE YOU WANT
Consider what you need for the circumstances you are most likely to face, not the ones that are the easiest or most exciting to plan for. Plan ahead, and red team it. Remember: it’s too late to start planning once the crisis occurs.
6. KEEP IT SIMPLE
Have clear priorities and communicate them in a simple way. Strive for procedures and automation that are easy to follow and repeatable. Security supports a larger objective; don’t develop in a vacuum.
7. ASK: WHAT CAN GO WRONG?
Search for the things that can go wrong, even if they seem impossible. Understand the issues and proactively address them.
Original source of the principles.