The definition phase of security needs is the first step toward implementing a security policy.
The aim is to determine organizational needs by drafting system inventory information and then study the different risks and different threats posed to implement an appropriate security policy.
The definition phase then comprises three stages:
- Identifying the needs
- Risk analysis
- Definition of security policy
Identifying the needs
The identification step is needs to first make an inventory of the information system, in particular the following:
- People and functions
- Materials, servers and services they provide
- Outlining network (addressing scheme, physical and logical topologies, etc..)
- List of domain names the company.
- Communication infrastructure (routers, switches, etc..)
- Sensitive Information
The risk analysis step is to relieve the various risks that are noticed, estimate their chances and finally, to study its impact.
The best way to analyze the impact of a threat is to calculate the cost of the damage it would cause (for example, an attack on a server or data corruption of vital importance to the company).
On this basis, it would be interesting to make a table of risks and their potential (ie, the probability that there are) giving staggered levels on a scale to be defined. Eg
- Unfounded (or unlikely): the threat is unsustainable
- Weak: the threat is unlikely to exist
- Moderate: the threat is real
- Added: the threat is unlikely to be
How to define the security policy
The security policy is the reference document that defines the security objectives and the measures to be implemented to be certain of achieving these goals.
The security policy defines a number of rules, procedures and practices that ensure a level of security that will match the needs of the organization.
This document must be submitted as a project that includes everyone, from users to the highest rank in the hierarchy, to be accepted by all. Once written security policy, should be sent to employees that involve clauses that security policy has the greatest impact.
There are many methods to develop a security policy. Then you will see a non-exhaustive list of the main methods:
- MARION (Méthodologie d'Analyse of Hazard Informatiques Niveaux orientée pair [risk analysis methodology tiered computer]), developed by CLUSIF
- Mehari (méthode d'Analyse Harmonisée Hazard [harmonized approach for risk analysis])
- EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité [expression of needs and identification of security objectives], developed by the DCSSI (Direction Centrale de la Sécurité des Systèmes d'Information)
- ISO 17799 Standard
Community assistance and advice.
Air Force Doctrine Document 3-12, Cyberspace Operations - Malware, Network Defense, Definitions, Policy and Doctrine, U.S. National Cyberspace Policy, United States Strategic Command
eBooks (Progressive Management)
LOL....ok...will do.2008-07-09 19:39:49 by Enickma
I'm just gonna randomly throw stuff out here, because I don't feel like typing this all night. Vista sports a significantly more configurable group policy funcitonality. No longer are custom templates adm files, now they're admx files, in xml format, that aren't replicated between the sysvol shares of all your dc's. Now there's a template "central store" for the domain that all GPMC modifications reference, regardless of their source. The depth and scope of policy configurables is vastly increased. As is the granularity of firewall administration. The GINA logon process no longer exists. This is HUGE
You might also like:
5 Tips to Prevent BYOD Security Breaches at Your Firm — Accountingweb.com
Another area that should be included in a company's network security policy is remote access to the network. "You need a solution that is going to be secure when it is first implemented and monitored," Stark said. "Make sure no major changes are made ..
CyberCIEGE Scenario Illustrating Secrecy Issues Through Mandatory and Discretionary Access Control Policies in a Multi-Level Security Network
Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'
Sarbanes-Oxley Compliance Using COBIT and Open Source Tools