We started by reviewing the business, looking for the methods to securely conduct business both internally and externally. From this analysis we determined the core business requirements and identified the stakeholders, customer requirements, and our business partners. We also identified our competition as well as industry trends and standards. As a result, we know what we are trying to protect and from whom to protect it. We also saw that security can be a competitive asset.
Our next step was to review our network and determine what was needed to set up a secure network. We then examined the risks involved and saw how to expand business influence by mitigating the various identified risks.
The policies were defined to protect and educate the various parts of the business. Now we are ready to create our first plan. This first cut will drive us throughout the rest of the security implementation process. Create a plan (the "security project") that will detail the steps required to secure your business environment.
Your project should address the design, structure, and configuration of an evolving secure business infrastructure. The technical infrastructure will ensure that a business security environment is in place to support the user community and keep the business running.
The security project should include the following:
Definitions of the goals and objectives of what is needed based on the analysis obtained so far. This will include designing, building, and configuring the technical infrastructure environment.
Definitions of the scope of what is needed to secure your environment. This will include implementing performance and tripwire monitoring of the new security environment.
The plans for roll-out of the new infrastructure that you designed. Be sure to include a pilot run(s) to test your assumptions about what you have designed.
Finally, the roll-out of the new infrastructure. Indicate the communications systems needed to support the implementation, including training requirements and end-user support.
Following are the overall goals of the security project.
Deliver a steady-state platform to support the business's security "vision." This includes design, implementation of a comprehensive common security infrastructure, effective support organization, and technology management processes needed to support the use of security by all business professional and support staff.
Define and facilitate enterprise strategies for secure network evolution and remote connectivity.
The scope should describe key elements of the project, including the following.
Designing, building, and configuring secure business networks.
Creating the budget to implement the security. Each process in the organization should drive the budget. Every process has a security component.
Procuring the equipment and/or tools, including secure facilities, equipment, and tools.
Configuring and testing the secure environment, including equipment and internal and external connectivity.
Reviewing any recommendations for short-term and long-term modifications to the network environment as necessary.
Establishing an interim strategy until any identified network traffic issues can be resolved. Understand the network traffic volume and network SLAs (Service Level Agreements).
Designing the security for servers and workstations (e.g., physical and logical topology, replication schedules, remote access, external connectivity, etc.).
Defining the migration strategy for existing security plans, procedures, tools, systems.
Establishing a security infrastructure implementation plan.
The network(s) will need to be set up and configured. One mechanism to help determine the appropriate level of security is to monitor the existing networks before and after the security changes. The performance monitoring of the traffic on the various networks (trusted and nontrusted) will drive a better understanding of the actual usage of security within the business. Performance indicators should be defined in the following areas.
End-user applications from both the end-user workstation and the server
Overall network traffic utilization
The performance indicators should be derived from the business requirements. These service levels will need to be tied in to the security requirements. The performance indicators will show both the SLA performance and the security performance. If the security implemented is impacting the business service, then that particular security tool/service will need to be reevaluated. The performance monitors will generate information that, when analyzed, will show the historical system performance trends. It is expected that the type of user and the applications used will affect the performance of the network. The roll-out plan will need to include all the various aspects of the security project. Be sure to include the following items:
Incident handling procedures
Pilot (test the systems before going on-line)
Change control systems
Schedule for: pilot, training, network changes, and OS changes
Once the implementation recommendations have been generated, they need to be piloted or tested before the deployment begins for the following reasons:
Prove the processes
Determine potential failure points before production
Assess individual systems and risks
A pilot will identify critical path issues, risks, and potential roadblocks.
It is most interesting that the biggest detractor of a new technology solution will magically appear during a pilot. You will get all types of responses such as, "Why did you choose that tool?" and, "I know a better one." Yet this is an opportunity to refine your implementation plan and revise your tool or system selections. Just make sure you are selecting the process or tools based on security and business requirements and not the ad hoc political environment. Thus, the message here is to pilot your assumptions before going into production.
Create a pilot plan. This should include the goals of the pilot, the scope, the user groups to be included, specific applications, and the evaluation criteria. The following items should be included in your pilot:
Definitions of pilot goals
Pilot evaluation criteria what will make the pilot a success?
Pilot participants select a known group of users.
Definitions of the pilot application and systems
Training schedule yes, you need to pilot the training!
Pilot schedule Who, when, and where
This is it. It's time to implement what you have been building: the client/server hardware and software to the end-user community. This includes network connectivity, operating systems, user accounts, and definition of security access levels. This should also cover the administration and support requirements, server network configurations, and maintenance procedures. This step must involve pushing the technology to the end-user community and should focus on end-user acceptance as well as evaluation of the administrative impact of end users. The following items should be considered in the final roll-out:
Training "train the trainer" and user training
Installation and/or upgrading of hardware
Setting up and configuring servers and network
Installing client and server software
Setting up user/server accounts
Evaluating and refining system and maintenance procedures
A published schedule
Use of ethical hackers to "confirm" the security of the environment
Communications documents and memos