2.6 Implementation

We started by reviewing the business, looking for the methods to securely conduct business both internally and externally. From this analysis we determined the core business requirements and identified the stakeholders, customer requirements, and our business partners. We also identified our competition as well as industry trends and standards. As a result, we know what we are trying to protect and from whom to protect it. We also saw that security can be a competitive asset.

Our next step was to review our network and determine what was needed to set up a secure network. We then examined the risks involved and saw how to expand business influence by mitigating the various identified risks.

The policies were defined to protect and educate the various parts of the business. Now we are ready to create our first plan. This first cut will drive us throughout the rest of the security implementation process. Create a plan (the "security project") that will detail the steps required to secure your business environment.

Your project should address the design, structure, and configuration of an evolving secure business infrastructure. The technical infrastructure will ensure that a business security environment is in place to support the user community and keep the business running.

The security project should include the following:

  1. Definitions of the goals and objectives of what is needed based on the analysis obtained so far. This will include designing, building, and configuring the technical infrastructure environment.

  2. Definitions of the scope of what is needed to secure your environment. This will include implementing performance and tripwire monitoring of the new security environment.

  3. The plans for roll-out of the new infrastructure that you designed. Be sure to include one or more pilot runs to test your assumptions about what you have designed.

  4. Finally, the roll-out of the new infrastructure. Indicate the communications systems needed to support the implementation, including training requirements and end-user support.

2.6.1 Goals and objectives

Following are the overall goals of the security project.

  1. Deliver a steady-state platform to support the business's security "vision." This includes the design and implementation of a comprehensive common security infrastructure, an effective support organization, and the technology management processes needed to support the use of security by all business professional and support staff.

  2. Define and facilitate enterprise strategies for secure network evolution and remote connectivity.

2.6.2 The scope

The scope should describe key elements of the project, including the following.

  • Designing, building, and configuring secure business networks.

  • Creating the budget to implement the security. Each process in the organization should drive the budget. Every process has a security component.

  • Procuring the equipment and/or tools, including secure facilities, equipment, and tools.

  • Configuring and testing the secure environment, including equipment and internal and external connectivity.

  • Reviewing any recommendations for short-term and long-term modifications to the network environment as necessary.

  • Establishing an interim strategy until any identified network traffic issues can be resolved. Understand the network traffic volume and network SLAs (Service Level Agreements).

  • Designing the security for servers and workstations (e.g., physical and logical topology, replication schedules, remote access, external connectivity, etc.).

  • Defining the migration strategy for existing security plans, procedures, tools, and systems.

  • Establishing a security infrastructure implementation plan.

2.6.3 Infrastructure

The network(s) will need to be set up and configured. One mechanism to help determine the appropriate level of security is to monitor the existing networks before and after the security changes. The performance monitoring of the traffic on the various networks (trusted and nontrusted) will drive a better understanding of the actual usage of security within the business. Performance indicators should be defined in the following areas.

  1. End-user applications from both the end-user workstation and the server

  2. Server-to-server traffic

  3. Overall network traffic utilization

  4. Remote communications
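
Added example (not from the book): one way to run the before-and-after comparison this section describes across the four indicator areas, flagging a security change for reevaluation only when it, and not a pre-existing problem, pushes a service past its SLA. The SLA limits, the 25% regression tolerance, the use of the 95th percentile, and all sample values are assumptions constructed for illustration.

```python
import math

# Assumed SLA ceilings per indicator area (lower is better); not from the book.
SLA = {"end_user_apps_ms": 200, "server_to_server_ms": 50,
       "network_utilization_pct": 50, "remote_comms_ms": 300}

# Constructed samples collected before and after a security change.
BEFORE = {
    "end_user_apps_ms": [120, 130, 125, 140, 135, 128, 150, 132, 138, 145],
    "server_to_server_ms": [20, 22, 21, 25, 23, 24, 22, 26, 21, 23],
    "network_utilization_pct": [40, 45, 42, 50, 48, 44, 46, 52, 43, 47],
    "remote_comms_ms": [220, 240, 230, 260, 250, 235, 245, 270, 238, 255],
}
AFTER = {
    "end_user_apps_ms": [150, 160, 155, 170, 165, 158, 180, 162, 168, 175],
    "server_to_server_ms": [30, 33, 31, 36, 34, 35, 33, 39, 32, 34],
    "network_utilization_pct": [41, 46, 43, 51, 49, 45, 47, 53, 44, 48],
    "remote_comms_ms": [290, 310, 300, 340, 320, 305, 315, 350, 308, 325],
}

def percentile(samples, pct=95):
    """Nearest-rank percentile: smallest sample with pct% of values at or below it."""
    ordered = sorted(samples)
    rank = math.ceil(pct * len(ordered) / 100)
    return ordered[max(rank, 1) - 1]

def assess(before, after, sla, tolerance=0.25):
    """Return {area: (verdict, p95_before, p95_after)} for every area in sla."""
    report = {}
    for area, limit in sla.items():
        b, a = percentile(before[area]), percentile(after[area])
        if a > limit and b > limit:
            verdict = "pre-existing"  # SLA was already missed before the change
        elif a > limit:
            verdict = "reevaluate"    # the change pushed the service past its SLA
        elif b > 0 and (a - b) / b > tolerance:
            verdict = "watch"         # within SLA, but clearly slower than baseline
        else:
            verdict = "ok"
        report[area] = (verdict, b, a)
    return report

if __name__ == "__main__":
    for area, (verdict, b, a) in assess(BEFORE, AFTER, SLA).items():
        print(f"{area:24} before={b:>4} after={a:>4} limit={SLA[area]:>4} -> {verdict}")
```

Keeping the historical samples rather than only the verdicts is what allows the trend analysis mentioned in this section.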

The performance indicators should be derived from the business requirements. These service levels will need to be tied in to the security requirements. The performance indicators will show both the SLA performance and the security performance. If the security implemented is impacting the business service, then that particular security tool/service will need to be reevaluated. The performance monitors will generate information that, when analyzed, will show the historical system performance trends. It is expected that the type of user and the applications used will affect the performance of the network.

The roll-out plan will need to include all the various aspects of the security project. Be sure to include the following items:

  1. End-user training

  2. OS security

  3. DMZ design

  4. Incident handling procedures

  5. Disaster recovery

  6. Pilot (test the systems before going on-line)

  7. Change control systems

  8. Schedule for: pilot, training, network changes, and OS changes

Once the implementation recommendations have been generated, they need to be piloted or tested before the deployment begins for the following reasons:

  1. Prove the processes

  2. Check assumptions

  3. Determine potential failure points before production

  4. Assess individual systems and risks

A pilot will identify critical path issues, risks, and potential roadblocks.

It is most interesting that the biggest detractor of a new technology solution will magically appear during a pilot. You will get all types of responses such as, "Why did you choose that tool?" and, "I know a better one." Yet this is an opportunity to refine your implementation plan and revise your tool or system selections. Just make sure you are selecting the process or tools based on security and business requirements and not the ad hoc political environment. Thus, the message here is to pilot your assumptions before going into production.

2.6.4 Pilots

Create a pilot plan. This should include the goals of the pilot, the scope, the user groups to be included, specific applications, and the evaluation criteria. The following items should be included in your pilot:

  1. Definitions of pilot goals

  2. Pilot scope

  3. Pilot evaluation criteria: what will make the pilot a success?

  4. Pilot participants: select a known group of users.

  5. Definitions of the pilot application and systems

  6. Training schedule: yes, you need to pilot the training!

  7. Pilot schedule: who, when, and where

2.6.5 Training and execution

This is it. It's time to implement what you have been building: the client/server hardware and software to the end-user community. This includes network connectivity, operating systems, user accounts, and definition of security access levels. This should also cover the administration and support requirements, server network configurations, and maintenance procedures. This step must involve pushing the technology to the end-user community and should focus on end-user acceptance as well as evaluation of the administrative impact of end users. The following items should be considered in the final roll-out:

  1. Training: "train the trainer" and user training

  2. Installation and/or upgrading of hardware

  3. Setting up and configuring servers and network

  4. Assigning security/privileges

  5. Installing client and server software

  6. Setting up user/server accounts

  7. Evaluating and refining system and maintenance procedures

  8. A published schedule

  9. Use of ethical hackers to "confirm" the security of the environment

  10. Communications documents and memos

Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
EAN: 2147483647
Year: 2003
Pages: 103
Authors: Tim Speed, Juanita Ellis
