2.6 Implementation 61
We started by reviewing the business, looking for the methods to
securely conduct business both internally and externally. From this
analysis we determined the core business requirements and identified
the stakeholders, customer requirements, and our business partners.
We also identified our competition as well as industry trends and stan-
dards. As a result, we know what we are trying to protect and from
whom to protect it. We also saw that security can be a competitive
Our next step was to review our network and determine what was
needed to set up a secure network. We then examined the risks involved
and saw how to expand business influence by mitigating the various identi-
The policies were defined to protect and educate the various parts of the
business. Now we are ready to create our first plan. This first cut will drive
us throughout the rest of the security implementation process. Create a
plan (the "security project") that will detail the steps required to secure your
Your project should address the design, structure, and configuration of
an evolving secure business infrastructure. The technical infrastructure will
ensure that a business security environment is in place to support the user
community and keep the business running.
The security project should include the following:
Definitions of the goals and objectives of what is needed based on
the analysis obtained so far. This will include designing, building,
and configuring the technical infrastructure environment.
Definitions of the scope of what is needed to secure your environ-
ment. This will include implementing performance and tripwire
monitoring of the new security environment.
The plans for roll-out of the new infrastructure that you designed.
Be sure to include a pilot run(s) to test your assumptions about
what you have designed.
Finally, the roll-out of the new infrastructure. Indicate the com-
munications systems needed to support the implementation,
including training requirements and end-user support.
I Chapter 2