CHAPTER 17

                               DESIGNING A SECURITY PLAN

 

To deploy security consistently across an organization’s network, you must create a comprehensive

security plan for each project that requires protection.  The security plan serves as a guide for

configuring the network to meet an organization’s security policy.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

======================================================================

 

winsec17.html                                                 PAGE 2                                                       2002/05/04

 

 

 

 

Lesson 1: Defining a Security Policy

         

 

Defining an organization’s security policy is the first step in designing an organization’s security.

 

A security policy defines an organization’s security expectations.  Once a security policy is

developed, an organization can use it as a guideline for developing future security plans.

 

• Resources to be protected. 
• Threats faced by the resources.
• Probability of the treat occurring.

 

By identifying the resources, the treats, and the probabilities of the threats, your organization will be

able to design a security policy that addresses each threat and recommends a course of action to

take if the threat occurs.

 

These costs aren’t only financial costs, but also performance and ease-of-use costs.

 

Generally, you define the security policy based on trade-offs between

 

• Functionality versus security.
• User convenience versus security.
• Cost and functionality.

 

After defining a security policy, you must make the policy visible throughout the organization.  All

employees in the organization must be aware of the policy so that they can help ensure the principles

outlined in the security policy are upheld.

 

 

Making the Decision

 

You make the following decisions when designing a security policy for an organization:

 

• Identify resources that require protection.
• Determine the value of the resources.
• Determine the acceptable level of risk for the organization.
• Develop recommendations for mitigation.
• Ensure that the policy is distributed throughout the organization.

 

 

 

 

 

 

======================================================================

 

winsec17.html                                                 PAGE 3                                                       2002/05/04

 

 

 

Lesson Summary:

 

 

The policy helps the organization define appropriate levels of security for all security plans.

Without such a policy, there’s no conformity in the security configuration of resources.

 

 

Lesson 2:  Developing a Security Plan

 

For each project that requires security in your organization, you must develop a security plan, or a

security component to the project plan, that defines how you must configure security for the project.

 

A security plan  requires careful design to ensure that the plan reflects the organization’s security

policy and provides the framework for deploying security for the organization.

 

• Define the scope.
• Define the project team.
• Collect security requirements.
• Define Security baselines.
• Deploy the project plan

 

 

NOTE:  YOU can set security baselines only when the desired results can be measured or

documented.  If it’s impossible to measure or document the baseline, it’s impossible to define

what the baseline security must be.  You can’t define security baselines in an esoteric manner.

 

 

Lesson Summary:

 

•   A security plan must reflect an organization’s security policy.  All decisions make in the security

plan must address the balance between security and ease of use.

•   Ensure that all participants by the security plan play a role in its development so that it addresses

all employee concerns.

 

 

 

======================================================================

 

winsec17.html                                                 PAGE 4                                                       2002/05/04

 

 

 

Lesson 3:  Maintaining a Security Plan

 

The process doesn’t stop after you design and implement your security plan.  You must determine

a strategy for maintaining the plan so that it’s upgraded to address new risks.

 

You must revise the security plan periodically to make sure that it still meets the organization’s

security needs.

 

• Organizational structure change.
• Mergers and acquisitions.
• Change in security policy.
• Recent security updates to deployed software.

 

 

To keep an organization secure, the security personnel must ensure that the security plan addresses

the current risks and threats that affect the network’s resources.

 

• Web-based security bulletins.
• Security newsgroups.
• Checking hacker Web sites.

 

 

Lesson Summary:

 

•   The process of securing a network doesn’t end when a security plan is completed and deployed. 
•   Security is an ongoing, iterative process.
•   You should review the security of all deployed resources periodically to ensure that security

configuration still meets the organization’s security needs and security policy.