Measures, practices, and procedures for the security of information
systems should address all relevant considerations and viewpoints, including
technical, administrative, organizational, operational, commercial,
educational, and legal.
Complexity: Security is achieved by the combined efforts of data owners, custodians, and security personnel. Essential
properties of security cannot be built-in and preserved without other disciplines such as configuration
management and quality assurance. Decisions made with due consideration of all relevant viewpoints will be
better decisions and receive better acceptance. If all perspectives are represented when employing the least
privilege concept, the potential for accidental exclusion of a needed capability will be reduced. This principle
also acknowledges that information systems are used for different purposes. Consequently, the principles will
be interpreted over a wide range of potential implementations. Groups will have differing perspectives,
differing requirements, and differing resources to be consulted and combined to produce an optimal level of
security for their information systems.