· Assume that a breach is not a matter of if but of when, and design all systems to continue operating effectively despite the presence of attackers.
· Encrypt everything. This includes data at rest, data in transit and data in use. This way, even if an attacker gains access to protected system resources, they will be of little or no value upon exfiltration, thus maintaining confidentiality despite a breach. Additionally, the data will be difficult if not impossible to alter, thus maintaining data integrity.
· Implement comprehensive and fine-grained authorization management to ensure that the principle of least privilege is automatically implemented and maintained. The open standard for the implementation of attribute-based access control, the eXtensible Access Control Markup Language, or XACML, was first published in 2004, and there is a wide array of tools from which to choose when implementing this capability.
· Ensure that email traffic is subjected not only to in-line spam filtration, but also to psycholinguistic analysis intended to determine the degree to which a communication is deceptive.
· Require that all personnel receive mandatory training on good cyber hygiene and that continued compliance with cyber-hygiene standards is part of an annual or semi-annual performance evaluation.
· Partner with industry to ensure a constant influx of innovative ideas.
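The authorization item above names XACML as the standard for attribute-based access control. As an added example, not taken from the original document or from any XACML product, the Python below mirrors XACML's structure in miniature: rules with attribute-matching targets and a Permit/Deny effect, combined with the deny-overrides algorithm, behind a deny-biased enforcement point so that any request no rule was written for is refused. The attribute names and the sample policy are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A request is a flat map of attribute id -> value (e.g. "subject.role").
Request = Dict[str, str]
# A target match is a predicate over the request; a rule's target is AND-ed.
Match = Callable[[Request], bool]

@dataclass
class Rule:
    effect: str                       # "Permit" or "Deny", as in <Rule Effect="...">
    target: List[Match] = field(default_factory=list)

    def applies(self, req: Request) -> bool:
        # The rule is applicable only when every target match succeeds.
        return all(m(req) for m in self.target)

def equals(attr: str, value: str) -> Match:
    """Match when a request attribute equals a constant (string-equal)."""
    return lambda req: req.get(attr) == value

def same(attr_a: str, attr_b: str) -> Match:
    """Match when two request attributes are both present and equal."""
    return lambda req: attr_a in req and req[attr_a] == req.get(attr_b)

def evaluate(policy: List[Rule], req: Request) -> str:
    """Deny-overrides rule combining (XACML): any applicable Deny wins,
    otherwise any applicable Permit wins, otherwise NotApplicable."""
    effects = {r.effect for r in policy if r.applies(req)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

def enforce(policy: List[Rule], req: Request) -> bool:
    """Deny-biased enforcement point: only an explicit Permit grants access,
    so a request no rule covers is refused, which is least privilege by default."""
    return evaluate(policy, req) == "Permit"

# Constructed sample policy (hypothetical attributes): clinicians may read
# patient records of their own department; terminated accounts never get in.
POLICY = [
    Rule("Deny", [equals("subject.status", "terminated")]),
    Rule("Permit", [equals("subject.role", "clinician"),
                    equals("resource.type", "patient-record"),
                    equals("action", "read"),
                    same("subject.department", "resource.department")]),
]
```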