In most companies some type of systemic security is already in place; it is unlikely that you will need to start your security analysis from scratch. You will need to evaluate the security already in place against the current security requirements.
The following steps will help you identify the security requirements for your Internet interfacing enterprise:
Identify the core business.
Identify the stakeholders.
Compile customer demographics.
Identify the vendors and business partners.
Identify the competition.
Identify industry trends and standards.
Unless you are a business consulting company and/or a security software vendor, security is likely not a core competency of your business. One of the biggest mistakes companies make is that they start with security first and look at the business after the fact. When asked, "Why did you install a firewall?" the answer is commonly, "Well, because we needed one!" The next question, "What policies did you use to determine that you needed a firewall, and what procedures did you use to carry out that decision?" may elicit the response, "Well, because we thought we needed a firewall." Following are the questions a business should start with:
"What are we protecting against?"
"What segments of the business do we need to protect?"
"How can we conduct business securely and safely?"
"How can we use a secure infrastructure as a competitive advantage?"
To answer these questions we need to understand what the core business is and why it needs an interface to the Internet or any network. As part of any analysis, you will need to document your findings. In each step, write a short summary of the results of your analysis.
The Company is a publicly traded enterprise that provides the automotive industry with Widgets. The core business is to manufacture Widgets and market and sell the Widgets to automotive parts distributors and to individual customers. The Company currently sells most of its products via a dedicated sales force, mail order catalogs, and an 800 number advertised in trade publications. The Company wants to expand its Internet presence quickly and, at the same time, securely.
This example provides a quick start on what your business needs are and where you will need to start putting your time and resources.
The stakeholders include the company owners and stockholders. The CxOs are the owners of the applications. In many enterprise companies, there will be several applications or processes that will need to be secured. Each application and/or process will have an owner who makes the decisions about the application or process and is responsible in the event that the application or process does not function. A stakeholder can also be anyone who has any type of ownership in security.
Understand the company from both an internal and external perspective. Identify the number of employees, the customer base, and the volume of sales.
The Company has been in business for 15 years and has 800 employees. The Company has 500 parts distributors to which it sells Widgets. The Company has 15 vendors that supply raw materials. The Company has few direct sales customers. Selling directly to the parts distributors generates the most sales for the Company. Once you have this data, you can begin compiling the types of access rights each group has and will need.
It is important to understand the vendors with which you do business. In many cases, you may have the vendors connected directly to your data processing systems. This is a great advantage but it can also be a point of entry for unauthorized access.
All but three of the Company's vendors connect directly into the data processing systems. This allows the vendors to automatically process orders for the JIT (Just in Time) Widget manufacturing process.
The business partners are not necessarily the same as a vendor. In many cases, the business partners will work with the business to extend products or services rendered.
The Company has five business partners that take raw Widgets and create "extended Widgets." The business partners need to share encrypted e-mail and will need to access secure web pages for product updates.
Be sure to map out in detail the business partners' access levels, account names, and what trusted networks they have access to.
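As an added illustration of the vendor and business partner steps above (this code is not part of the original text, and every party name, account name and network name in it is constructed sample data), the following Python inventory records each external party's connection type, access level, account names and trusted networks, then reports the direct-connection entry points and any entries whose documentation is incomplete:

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ExternalParty:
    """One vendor or business partner and the access it has been granted."""
    name: str
    kind: str                        # "vendor" or "partner"
    direct_connection: bool          # connects straight into data processing systems
    access_level: str                # "order-entry", "web-portal" or "email-only"
    account_names: List[str] = field(default_factory=list)
    trusted_networks: List[str] = field(default_factory=list)


# Constructed sample data modelled on the text: vendors feeding the JIT process
# connect directly; partners use encrypted e-mail and secure web pages.
SAMPLE_INVENTORY = [
    ExternalParty("Acme Steel", "vendor", True, "order-entry",
                  ["svc_acme"], ["jit-ordering"]),
    ExternalParty("Bolt Supply", "vendor", True, "order-entry",
                  [], ["jit-ordering"]),            # account name never recorded
    ExternalParty("Paper Co", "vendor", False, "email-only"),
    ExternalParty("Extended Widgets Ltd", "partner", False, "web-portal",
                  ["ewl_portal"], ["partner-dmz"]),
    ExternalParty("Widget Finishers", "partner", False, "web-portal",
                  ["wf_portal"]),                   # trusted network not documented
]


def review_inventory(parties: List[ExternalParty]) -> Dict[str, List[str]]:
    """Return the findings a reviewer wants before signing off on the inventory."""
    findings: Dict[str, List[str]] = {
        "entry_points": [],        # direct connections are possible unauthorized-access paths
        "missing_accounts": [],    # access granted but no account names documented
        "missing_networks": [],    # connected or portal access but no trusted network listed
    }
    for p in parties:
        if p.direct_connection:
            findings["entry_points"].append(p.name)
        if p.access_level != "email-only" and not p.account_names:
            findings["missing_accounts"].append(p.name)
        if (p.direct_connection or p.access_level == "web-portal") and not p.trusted_networks:
            findings["missing_networks"].append(p.name)
    return findings


def access_matrix(parties: List[ExternalParty]) -> Dict[str, List[str]]:
    """Map each trusted network to the external parties that can reach it."""
    matrix: Dict[str, List[str]] = {}
    for p in parties:
        for net in p.trusted_networks:
            matrix.setdefault(net, []).append(p.name)
    return matrix


if __name__ == "__main__":
    for category, names in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{category}: {', '.join(names) or 'none'}")
    for net, names in access_matrix(SAMPLE_INVENTORY).items():
        print(f"network {net}: {', '.join(names)}")
```

The access matrix answers the question the text asks for each partner (which trusted networks can it reach?) from the other direction as well: for any given network, who outside the company can get to it. Running the review before each step's summary is written keeps the documented picture and the real access grants from drifting apart.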
Yes, the competition will keep track of what you are doing. In fact, they may even be using these steps to create a profile on what your business is doing. So you are well advised to complete the profile before they do. (Beware if you see one of your competitors with a copy of this book!) Begin by compiling a list of your competitors and what information or resources they would be interested in obtaining. For example, you may have a secret formula or some specialized personnel that you would not want to lose. In today's changing economy, it is hard to keep first-rate personnel. Your competition also faces this problem, and they may find that your company web site is a great place to acquire potential candidates' names.
The Company's main competitor is Bubba Inc. Bubba Inc. creates Sprockets, which can be used in place of Widgets. Bubba Inc. has a strong web presence and has many of the same customers, business partners, and vendors as the Company. Bubba Inc. could hurt the Company if it could access the Company's internal price list and sales commission rates. Also, the Company could lose valuable people to Bubba Inc. if Bubba Inc. could access the Company's corporate personnel directory. In the September 2, 2002 issue of Business Week, an article on page 78 reviews a case in which a series of passwords may have been stolen and used by a competitor. According to the article, industrial espionage was conducted via web sites to download data about a set of new products. The advice here is to know your competition and also to monitor whether any previous employees have moved to a competitor company.
This step can identify a common trend that businesses in all sectors are currently undergoing. Your business may be moving data via the Internet. Supply chain integration may use virtual private networks (VPN) to communicate with the vendors, including on-line ordering and JIT (Just in Time) raw material order and delivery management.
Both companies that create Widgets and Sprockets share the same parts distributors (customers), vendors, and business partners. All the major players in this market communicate with their suppliers via a VPN over the Internet. Also, the parts houses are requesting the ability to generate JIT orders and on-the-fly orders via the Internet.
Business continuity and disaster recovery plans should be included with this analysis.
A McGraw-Hill Company magazine.