• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Microsoft Security Articles
• Planning Server Security
• Planning a Security Update Infrastructure
• Auditing Security Events
• Authentication Types
• Planning and Implementing and Authentication Solution
• Planning and Implementing an Authorization Solution
• Defining a Baseline Security Template
• Designing Network Infrastructure Security
• Identifying Security Issues Common to all Server Roles
• Implementing Access Control
• Implementing Account and Security Policies
• Implementing Auditing
• Network Attacks
• Responding to Network Attacks and Security Incidents
• Resultant Set of Policies
• Securing Application and Terminal Servers
• Securing Database Servers
• Securing Domain Controllers
• Securing File and Print Servers
• Securing Mail Servers
• Securing Web Servers
• Shared Folder Permissions
• Understanding and Designing Public Key Infrastructure
• Understanding Business Requirements for Security Design
• Understanding Certificate Authorities
• Understanding Security Templates
• Wireless Connection Security
• Implementing IAS
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Understanding Business Requirements for Security Design

Determining Security Business Requirements

When analyzing and determining the security business requirements of the organization, you have to include the following factors:

• Business model: The business model that the organization uses greatly influences the type of security an organization implements. An organization that has world-wide branches would have different security requirements to a business that has a single office.
• Business processes: To successfully implement security, you have to know how business processes within the organization work. You have to ensure that security does not prevent business processes from being carried out.
• Business growth: As the business grows so too must the security policies and processes be able to cater for this growth.
• Determine the risk tolerance of the organization. The level of risk tolerance would differ between organizations.
• Determine whether there are any laws and regulations that the organization has to adhere to. This is especially important when you draw up the security design.
• Management strategy: Organizations can use either a centralized management strategy or a decentralized management strategy.
• Existing security policies and procedures: Determine what the current security policy of the organization is.
• The financial stance of the organization would also influence which security design is implemented.

Assessing Existing Security Processes and Policies

One of the first steps in assessing the existing security processes and security policies is to determine what the current security processes and security policies are, and whether these can be improved to meet the security requirements of the organization.

Security policies usually fall into one of the following classes:

• Technical policies; include security processes and mechanisms that protect the network resources and the data of the organization.
• Physical policies; include physical measures to implement physical security, such as implementing controlled room access.
• Administrative policies; includes mechanisms such as nondisclosure agreements.

For a security policy to be effective, users have to be aware of the policy, and the security policy has to be regularly updated so that it remains current.

An important element of security policies is an Acceptable Use Policy (AUP). An AUP is a document that details the following:

• The types of access and activity that are allowed on the network.
• The types of access and activity that are not allowed on the network.

The responsibilities and rights of the employee and company have to be encompassed when the AUP is defined. For the AUP to be successful, you have to define how it will be determined whether the AUP has been violated. The actions which will be taken when the Acceptable Use Policy is violated should also be addressed. The AUP can then be used to determine when security breaches have occurred on the corporate network.

Another important aspect when assessing security requirements of the business to decide on the level of privacy and the level of security that will be maintained:

• Security deals with protecting mission critical data and network resources from being accessed by individuals who are not authorized to access the data or resources. When determining the level of security to implement, it is important that you maintain a balance between securing the network environment and usability.
• Privacy deals with protecting employee information and customer information. An organization needs to examine the privacy of its own information and assets well.

If you are running a Windows Server 2003 Active Directory, you can use the Resultant Set of Policies (RSoP) tool to determine what current security settings have been applied to the network through Group Policy Objects (GPOs). The RSoP tool can also be used to assist in the planning of a Group Policy implementation, and to troubleshoot Group Policy settings.

Through the RSoP Wizard, you can determine the following:

• Which GPOs are applied
• The level (site, domain, OU) at which they are applied
• Which GPOs are blocked

If you want to determine what the current Group Policy settings are for a particular user account or computer account, you would need to utilize RSoP logging mode. Logging mode provides the means for you to re-examine the existing GPOs which are applied to a user or computer. You can also use logging mode to examine existing software installation applications and security for a user or computer.

RSoP logging mode is typically used for the purposes listed below:

• Determine how local policy affect Group Policy settings.
• Determine how certain security groups affect the application of Group Policy settings.
• Identify any failed policy settings. This includes policy settings which have been overwritten.

How to create a RSoP query in Logging Mode with the Resultant Set Of Policy Wizard

1. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
2. From the File menu, select Add/Remove Snap-In.
3. When the Add/Remove Snap-In dialog box opens, click Add.
4. When the Add Standalone Snap-In dialog box opens, select Resultant Set of Policy from the available list, and click Add.
5. Click Close to close the Add Standalone Snap-In dialog box opens.
6. Click OK in the Add/Remove Snap-In dialog box.
7. Proceed to right-click Resultant Set of Policy in the MMC, and select Generate RSoP Data on the shortcut menu.
8. The Resultant Set of Policy Wizard launches.
9. Click Next on the Welcome To The Resultant Set Of Policy Wizard page.
10. When the Mode Selection page appears, select Logging Mode. Click Next.
11. On the Computer Selection page, you can choose the This Computer option, or you can choose the Another Computer option. If you select the Another Computer option, click Browse to select the other computer.
12. Enable the Do Not Display Policy Settings For The Selected Computer In the Results | Display User Policy Settings Only! checkbox if you only want to view user policy settings. Click Next.
13. On the User Selection page, you can choose the Current User option, or you can choose the Select A Specific User option. If you select the Select A Specific User option, choose the user from the list.
14. Enable the Do Not Display User Policy Settings In the Results | Display Computer Policy Settings Only! checkbox if you only want to view computer policy settings. Click Next.
15. When the Summary Of Selections page opens, verify that the options which you chose are correct.
16. Click Finish.
17. To view the query results, click the folders in the RSoP console tree.

Matching Business Requirements to the Security Plan

• If the organization uses business processes,
  • You should determine how these business processes flow and how the data associated with these processes flow.
  • You should determine the users that need to access services used in the business processes.
• If the organization uses a centralized management strategy,
  • You should minimize the number of domains
  • Include the management of administrative group membership.
• If the organization uses a decentralized management strategy,
  • You should determine the rights that users require.
  • You should determine whether users need administrative abilities on the network, and if yes, determine who those users are.
• If the risk tolerance level of the organization shows an aversion to risks,
  • You should determine the risks that the organization is not prepared to tolerate.
  • Identify the actions which are necessary should the risk become a reality, and then include this in the security plan.
• If the organization expects business growth in the next number of years,
  • You should try to estimate how many users and computers will be needed to provide for future business expansion.
  • Try to determine how the business will be geographically dispersed.

Bookmark Understanding Business Requirements for Security Design

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum