We have reviewed the business and the network. At this stage in the process we will combine the information we have collected, which will give us a high-level snapshot of our organization and our network.
Look at each business statement that you created from the "Identify the Core Business" section. Identify each point where security could be an issue or a concern.
The Company has been in business for 12 years and has 7000 employees. It has 600 parts distributors to which it sells Widgets. The Company also has 22 vendors that supply raw materials. The Company has few direct sales customers. Selling directly to the part distributors generates the most sales for the Company.
In this example we have several areas of concern.
7000 employees security training awareness. What are the definitions of trust with each group of employees?
22 vendors what is the trust level of these vendors? Do the vendors need to have direct access to the systems on the trusted network?
Parts distributors how does the company communicate with the parts distributors? Is encrypted mail used? Are secure web pages established?
Remember at all times what your goals are. Ask yourself, "Does this business need a web presence?" The answers can drive you to the solutions that you need. Security is not set up simply for the exercise of setting up security. It is set up to give you a competitive asset in driving your business. With that said, look at the security requirements from a business delivery model.
How can the business security enable the employees to drive the business in a cost-effective method?
How can the business save money by giving the vendors limited access to business data?
How can the business improve service by assisting the parts distributors with order and billing systems?
Next, combine your network analysis with your business needs. Your network may not have the necessary features that you would like it to have. No problem list what features are needed to support your requirements.
The network will have a DMZ that will isolate traffic between the trusted network and the Nontrusted Network.
The network will provide support to the employees by giving them access to all authorized business systems.
The network will allow limited access to extension of systems in the DMZ for the parts distributors.
The network will allow for encrypted messages to be exchanged between employees and the parts distributors.
A detailed risk analysis will be covered in later chapters. This step is "priming the pump." You need to understand what your business requirements are before building the security. Some sites have such strong security requirements in place that the business just bypasses the security. For example, in one company, the security departments set up a file that prevented files greater than two megabytes from being sent. One department could not send its drafting files (four to six megabytes each), so they set up their own access point to the Internet via dialing into a private ISP (Internet Service Provider) and then sending the files. This creative solution caused several problems.
The files sent were not encrypted and thus could not be controlled or monitored for viruses, inbound or outbound.
An access point was made to the trusted network that was not controlled or monitored by a central security point.
The next step is to compile a list of high-level threats to the organization. Here are a few examples.
Management does not encourage or support security measures. (Management must be involved in security from day one.)
There are no security policies or procedures, or the policies and procedures have not been updated for months or years.
There are no formal user training procedures.
The trusted network is not defined.
There is no DMZ (although not required in all cases).
There is a direct connection to the Internet and no filters or firewalls.
There are no monitoring systems in place. (This can be deadly for public utility companies.)
No physical security is in place for the server room; anyone can just walk in.