Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Establishing and adhering to security engineering principles increases the security of your environment. Requiring system administrators and security staff to follow your company's security principles increases accountability.

NIST Special Publication 800-160 covers the topic of security engineering. It contains a list of "security design principles" of which you need to select some to follow. Document a policy requiring the implementation of the security engineering principles you selected from NIST SP 800-160. Here are a few from NIST SP 800-160 that you can use: "Reduced Complexity: the system design should be as simple and small as possible. A small and simple design will be more understandable, more analyzable, and less prone to error. Least Privilege: each component should be allocated sufficient privileges to accomplish its specified functions, but no more. Trusted Communication Channels: restrict access to communication channels and employ end-to-end protections for the data transmitted over the communication channel. Continuous Protection: all components and data used to enforce the security policy must have uninterrupted protection that is consistent with the security policy and the security architecture assumptions. Accountability and Traceability: it must be possible to trace security-relevant actions (i.e., subject-object interactions) to the entity on whose behalf the action is being taken. Secure Defaults: the default configuration of a system (to include its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy. Repeatable and Documented Procedures: the techniques and methods employed to construct a system component should permit the same component to be completely and correctly reconstructed at a later time. Secure System Modification: system modification must maintain system security with respect to the security requirements and risk tolerance of stakeholders. Sufficient Documentation: personnel with responsibility to interact with the system should be provided with adequate documentation and other information such that they contribute to rather than detract from system security. Defense in Depth: security architectures are to be constructed through the application of multiple mechanisms to create a series of barriers to prevent, delay, or deter an attack by an adversary."