CHAPTER 17: DESIGNING A SECURITY PLAN
To deploy security consistently across an organization’s network, you must create a comprehensive
security plan for each project that requires protection. The security plan serves as a guide for
configuring the network to meet an organization’s security policy.
======================================================================
winsec17.html PAGE
2 2002/05/04
Lesson 1: Defining a Security Policy
Defining an organization’s security policy is the first step in designing an organization’s security.
A security policy defines an organization’s security expectations. Once a security policy is
developed, an organization can use it as a guideline for developing future security plans.
By identifying the resources, the threats, and the probabilities of the threats, your organization will be
able to design a security policy that addresses each threat and recommends a course of action to
take if the threat occurs.
Generally, you define the security policy based on trade-offs between
These costs aren’t only financial costs, but also performance and ease-of-use costs.
After defining a security policy, you must make the policy visible throughout the organization. All
employees in the organization must be aware of the policy so that they can help ensure the principles
outlined in the security policy are upheld.
Making the Decision
You make the following decisions when designing a security policy for an organization:
Lesson Summary:
The policy helps the organization define appropriate levels of security for all security plans.
Without such a policy, there’s no conformity in the security configuration of resources.
Lesson 2: Developing a Security Plan
For each project that requires security in your organization, you must develop a security plan, or a
security component to the project plan, that defines how you must configure security for the project.
A security plan requires careful design to ensure that the plan reflects the organization’s security
policy and provides the framework for deploying security for the organization.
NOTE: You can set security baselines only when the desired results can be measured or
documented. If it’s impossible to measure or document the baseline, it’s impossible to define
what the baseline security must be. You can’t define security baselines in an esoteric manner.
Lesson Summary:
plan must address the balance between security and ease of use.
all employee concerns.
Lesson 3: Maintaining a Security Plan
The process doesn’t stop after you design and implement your security plan. You must determine
a strategy for maintaining the plan so that it’s upgraded to address new risks.
You must revise the security plan periodically to make sure that it still meets the organization’s
security needs.
To keep an organization secure, the security personnel must ensure that the security plan addresses
the current risks and threats that affect the network’s resources.
Lesson Summary:
configuration still meets the organization’s security needs and security policy.