2.6 Implementation 61
2.6 Implementation
We started by reviewing the business, looking for the methods to
securely conduct business both internally and externally. From this
analysis we determined the core business requirements and identified
the stakeholders, customer requirements, and our business partners.
We also identified our competition as well as industry trends and stan-
dards. As a result, we know what we are trying to protect and from
whom to protect it. We also saw that security can be a competitive
asset.
Our next step was to review our network and determine what was
needed to set up a secure network. We then examined the risks involved
and saw how to expand business influence by mitigating the various identi-
fied risks.
The policies were defined to protect and educate the various parts of the
business. Now we are ready to create our first plan. This first cut will drive
us throughout the rest of the security implementation process. Create a
plan (the "security project") that will detail the steps required to secure your
business environment.
Your project should address the design, structure, and configuration of
an evolving secure business infrastructure. The technical infrastructure will
ensure that a business security environment is in place to support the user
community and keep the business running.
The security project should include the following:
°
.
.
.
Definitions of the goals and objectives of what is needed based on
the analysis obtained so far. This will include designing, building,
and configuring the technical infrastructure environment.
Definitions of the scope of what is needed to secure your environ-
ment. This will include implementing performance and tripwire
monitoring of the new security environment.
The plans for roll-out of the new infrastructure that you designed.
Be sure to include a pilot run(s) to test your assumptions about
what you have designed.
Finally, the roll-out of the new infrastructure. Indicate the com-
munications systems needed to support the implementation,
including training requirements and end-user support.
I Chapter 2
62 2.6 Implementation
2.6.1
Goals and objectives
Following are the overall goals of the security project.
1. Deliver a steady-state platform to support the business's secu-
rity "vision." This includes design, implementation of a com-
prehensive common security infrastructure, effective support
organization, and technology management processes needed to
support the use of security by all business professional and sup-
port staff.
2. Define and facilitate enterprise strategies for secure network evo-
lution and remote connectivity.
2.6.2 The scope
The scope should describe key elements of the project, including the
following.
Designing, building, and configuring secure business networks.
Creating the budget to implement the security. Each process in the
organization should drive the budget. Every process has a security
component.
Procuring the equipment and/or tools, including secure facilities,
equipment, and tools.
Configuring and testing the secure environment, including equip-
ment and internal and external connectivity.
Reviewing any recommendations for short-term and long-term mod-
ifications to the network environment as necessary.
Establishing an interim strategy until any identified network traffic
issues can be resolved. Understand the network traffic volume and
network SLAs (Service Level Agreements).
Designing the security for servers and workstations (e.g., physical and
logical topology, replication schedules, remote access, external con-
nectivity, etc.).
Defining the migration strategy for existing security plans, proce-
dures, tools, systems.
Establishing a security infrastructure implementation plan.

Get Internet Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.