For each project that requires security in your organization, you must develop a security plan, or a security component to the project plan, that defines how you must configure security for the project.
After this lesson, you will be able to
- Design the steps required to develop a security plan for your organization
Estimated lesson time: 30 minutes
A security plan requires careful design to ensure that the plan reflects the organi-zation's security policy and provides the framework for deploying security for the organization. Consider the following when designing a security plan:
- Define the scope. The most common problem with a security plan is that its scope is too great. By defining the scope of the security plan before developing it, you can easily determine whether a component proposed for the security plan is within the scope. Defining the scope prevents the project from being expanded during the project duration to include items that aren't related to the security plan's intent.
- Define the project team. You must put together a project team that represents the organization's views and ensures that the project is successfully completed. The project team can include both members from the organization and personnel from third-party organizations that supplement any skills deficiencies. When determining membership of the project team, consider the following participants:
- Management representatives who can approve the project for both content and cost
- Members of the IT department who will deploy the project plan
- Representatives of the user groups affected by the security plan
- Training personnel who will implement training for new technologies introduced by the security plan
- Support personnel who will maintain the deployed security plan
- Outside consultants who lend their expertise to the security plan's design
- Collect security requirements. The security plan must ensure that interviews are performed with all stakeholders in the project. Involving all stakeholders, including management and the users affected by the security project, helps ensure the proper balance between security and ease.
- Define security baselines. After collecting the security requirements, you must define the security baselines. Security baselines define the minimum level of security required for deployment. In some cases you can maintain the baseline through the use of Windows 2000 security templates. In other cases you can define the security baseline only by documenting the desired settings for future deployments.
You can set security baselines only when the desired results can be measured or documented. If it's impossible to measure or document the baseline, it's impossible to define what the baseline security must be. You can't define security baselines in an esoteric manner.
- Deploy the project plan. After completing the security plan design, you must develop a project plan that includes the following:
- Project timeline. Establish a proposed timeline for the project. The timeline drives the project forward toward completion. You should be aware that you may have to adjust the timeline if unforeseen events occur.
In the plan, the project manager should identify tasks that will affect the project's completion date. The critical path tasks will affect the entire schedule if their due dates slip. The critical path for a project includes any tasks that will cause a project's completion date to slip if the tasks aren't completed on time.
- Define responsibilities. Assign each task within the project timeline to a specific person or specific team. If you don't assign responsibility for each task, it's more likely that the task won't be completed on time.
Making the Decision
Table 17.1 outlines the design decisions you must make when developing a security plan for a project.
Table 17.1 Designing a Security Plan
|To||Do the Following |
|Prevent a project from growing beyond its initial goals||Define the scope of the project before the project begins |
Compare any proposed additions to the project to the original scope to determine if the addition is within the scope.
|Ensure that all aspects of the project are included in the security plan||Interview participants to determine the expected ease of use and security goals. Determine the appropriate balance based on the organization s security policy. |
|Ensure that management supports the project||Include management representation on the project team. |
Develop the security plan to reflect the organization s security policy
|Define security baselines||Identify each resource that must be protected by the security plan. |
Design security requirements for each resource and document the level of security required for each resource based on the organization s security policy.
Document all security requirements. Use documentation or security templates to define the security configuration settings.
|Ensure that the project is completed on schedule||Ensure that all tasks in the project plan are assigned to a project team member. |
Periodically reevaluate the project s timeline to ensure that the estimated time reflects the project s actual progress.
Applying the Decision
Fabrikam Inc. must ensure that the design decisions fit its security policy. To accomplish this, you must do the following:
- Define the scope. The plan must contain only security planning that's related to the Radar System project. Any tasks in the security plan that aren't re-lated to the Radar System project should be considered out of scope and should be removed.
- Define the project team. Not everyone who has volunteered for the project team is appropriate for the Radar System project. Jeffrey Weems, the graphic artist at the New York office, doesn't need to be on the project team. All other proposed members, however, could play a part in the plan's design. Also, the proposed team doesn't include upper-level management. Without adequate representation, upper-level management may reject the proposed plan.The current project team lacks expertise in the PKI infrastructure that's required to support encrypted and digitally signed e-mail messages. If these technical skills aren't available from employees, Fabrikam may have to hire a consulting firm.
- Collect security requirements. The security plan must define the levels of access that are required to the Radar share on the HELIOS server. The definition of the security requirements will facilitate the definition of group memberships and NT file system (NTFS) and share permissions. Collect the security requirements from all participants in the Radar System project, from the project manager to the data entry clerks.
- Define security baselines. The security plan must document the required settings for the Radar System project. This documentation includes the following:
- Security groups required in Active Directory directory service
- Organizational unit (OU) structure required for Group Policy deployment and delegation of administration
- NTFS permissions that must be established for all data stored on the HELIOS server
- Share permissions required for the Radar share on the HELIOS server
- Group Policy settings required to ensure that Server Message Block (SMB) signing is enforced for all connections to the HELIOS server
- SMB signing configuration settings for all Windows 98 and Windows NT 4.0 clients
- E-mail client configuration to allow digital signatures and e-mail encryption
- PKI design to allow the deployment of digital certificates, private keys, and public keys to e-mail participants
- Audit policy that must be deployed at the HELIOS server to track all access to the Radar System project
- Deploy the project plan. Develop a plan that identifies all the tasks that must be completed in order to deliver it. Assign the tasks to the project team to ensure that each member is responsible for the completion of each task in the defined time frame.
A security plan must reflect an organization's security policy. All decisions made in the security plan must address the balance between security and ease of use. By defining the scope of the plan before development takes place, an organization can keep it within the scope and ensure that its focus isn't diverted from its primary goal.
Ensure that all participants affected by the security plan play a role in its development so that it addresses all employee concerns.