crowmoor.se

Jericho requirement 3 clearly states ”Assume context at your peril”. This is one statement that is very easy to understand but many fails to follow. What does it say actually? The key message is that you should always understand the context of security solution. Every solution is created to handle one or more threats within a given context. The trick is to understand the context. Let me give you a few examples:

1. Hard disk encryption protects your information from being accessed.
a. Assumed your computer is not on.
b. Assumed no one have physical access to your computer.

2. Backup protect you from information loss in case of computer failure
a. Assumed you test that you could restore your information.
b. Assumed you handle all other dependencies.

Do you see the assumptions? This is what “Assume context at your peril” is all about. Understand the scope and limitations for a solution. A solution that works perfectly for one industry may be disastrous for another. I still have a rather old example fresh in my memory within transportation where they have configured their servers according to NSA´s guidelines to make them as secure as possible. Downside was that their availability was way below optimum. They had an uptime of 90%. They had assumed that NSA´s guides would protect them from all harm without defining what kind of risks they actually was exposed for and what was important for their industry. Yep, you guessed right. Availability was the most important for them and confidentiality the least.

So, “Assume context at your peril” means that you should understand your security controls before implementing them.