Understanding Business Requirements for Security Design

Determining Security Business Requirements

When analyzing and determining the security business requirements of the organization, you have to include the
following factors:

• Business model: The business model that the organization uses greatly influences the type of security an
  organization implements. An organization that has world-wide branches would have different security requirements to a
  business that has a single office.

• Business processes: To successfully implement security, you have to know how business processes within the
  organization work. You have to ensure that security does not prevent business processes from being carried out.

• Business growth: As the business grows so too must the security policies and processes be able to cater for
  this growth.

• Determine the risk tolerance of the organization. The level of risk tolerance would differ between
  organizations.

• Determine whether there are any laws and regulations that the organization has to adhere to. This is
  especially important when you draw up the security design.

• Management strategy: Organizations can use either a centralized management strategy or a decentralized
  management strategy.

• Existing security policies and procedures: Determine what the current security policy of the organization
  is.

• The financial stance of the organization would also influence which security design is implemented.

Assessing Existing Security Processes and Policies

One of the first steps in assessing the existing security processes and security policies is to determine what the
current security processes and security policies are, and whether these can be improved to meet the security
requirements of the organization.

Security policies usually fall into one of the following classes:

• Technical policies; include security processes and mechanisms that protect the network resources and the
  data of the organization.

• Physical policies; include physical measures to implement physical security, such as implementing controlled
  room access.

• Administrative policies; includes mechanisms such as nondisclosure agreements.

For a security policy to be effective, users have to be aware of the policy, and the security policy has to be
regularly updated so that it remains current.

An important element of security policies is an Acceptable Use Policy (AUP). An AUP is a document that
details the following:

• The types of access and activity that are allowed on the network.

• The types of access and activity that are not allowed on the network.

The responsibilities and rights of the employee and company have to be encompassed when the AUP is defined. For the
AUP to be successful, you have to define how it will be determined whether the AUP has been violated. The actions which
will be taken when the Acceptable Use Policy is violated should also be addressed. The AUP can then be used to
determine when security breaches have occurred on the corporate network.

Another important aspect when assessing security requirements of the business to decide on the level of privacy
and the level of security that will be maintained:

• Security deals with protecting mission critical data and network resources from being accessed by individuals who
  are not authorized to access the data or resources. When determining the level of security to implement, it is
  important that you maintain a balance between securing the network environment and usability.

• Privacy deals with protecting employee information and customer information. An organization needs to examine the
  privacy of its own information and assets well.

If you are running a Windows Server 2003 Active Directory, you can use the Resultant Set of Policies (RSoP) tool to
determine what current security settings have ben applied to the network through Group Policy Objects (GPOs). The RSoP
tool can also be used to assist in the planning of a Group Policy implementation, and to troubleshoot Group Policy
settings.

Through the RSoP Wizard, you can determine the following:

• Which GPOs are applied

• The level (site, domain, OU) at which they are applied

• Which GPOs are blocked

If you want to determine what the current Group Policy settings are for a particular user account or computer
account, you would need to utilize RSoP logging mode. Logging mode provides the means for you to re-examine the
existing GPOs which are applied to a user or computer. You can also use logging mode to examine existing software
installation applications and security for a user or computer.

RSoP logging mode is typically used for the purposes listed below:

• Determine how local policy affect Group Policy settings.

• Determine how certain security groups affect the application of Group Policy settings.

• Identify any failed policy settings. This includes policy settings which have been overwritten.

How to create a RSoP query in Logging Mode with the Resultant Set Of Policy Wizard

1. Click Start, Run, and enter mmc in the Run dialog box. Click OK.

2. From the File menu, select Add/Remove Snap-In.

3. When the Add/Remove Snap-In dialog box opens, click Add.

4. When the Add Standalone Snap-In dialog box opens, select Resultant Set of Policy from the available list, and click
   Add.

5. Click Close to close the Add Standalone Snap-In dialog box opens.

6. Click OK in the Add/Remove Snap-In dialog box.

7. Proceed to right-click Resultant Set of Policy in the MMC, and select Generate RSoP Data on the shortcut menu.

8. The Resultant Set of Policy Wizard launches.

9. Click Next on the Welcome To The Resultant Set Of Policy Wizard page.

10. When the Mode Selection page appears, select Logging Mode. Click Next.

11. On the Computer Selection page, you can choose the This Computer option, or you can choose the Another Computer
    option. If you select the Another Computer option, click Browse to select the other computer.

12. Enable the Do Not Display Policy Settings For The Selected Computer In the Results | Display User Policy Settings
    Only! checkbox if you only want to view user policy settings. Click Next.

13. On the User Selection page, you can choose the Current User option, or you can choose the Select A Specific User
    option. If you select the Select A Specific User option, choose the user from the list.

14. Enable the Do Not Display User Policy Settings In the Results | Display Computer Policy Settings Only! checkbox if
    you only want to view computer policy settings. Click Next.

15. When the Summary Of Selections page opens, verify that the options which you chose are correct.

16. Click Finish.

17. To view the query results, click the folders in the RSoP console tree.

Matching Business Requirements to the Security Plan

• If the organization uses business processes,

  • You should determine how these business processes flow and how the data associated with these processes flow.

  • You should determine the users that need to access services used in the business processes.

• If the organization uses a centralized management strategy,

  • You should minimize the number of domains

  • Include the management of administrative group membership.

• If the organization uses a decentralized management strategy,

  • You should determine the rights that users require.

  • You should determine whether users need administrative abilities on the network, and if yes, determine who those
    users are.

• If the risk tolerance level of the organization shows an aversion to risks,

  • You should determine the risks that the organization is not prepared to tolerate.

  • Identify the actions which are necessary should the risk become a reality, and then include this in the security
    plan.

• If the organization expects business growth in the next number of years,

  • You should try to estimate how many users and computers will be needed to provide for future business
    expansion.

  • Try to determine how the business will be geographically dispersed.