The definition phase for security needs is the first step towards implementing a security policy.
The goal is to determine the organization's needs by taking an inventory of the information system and then studying the risks and threats to which it is exposed, so that an appropriate security policy can be implemented.
The definition phase is made up of three steps:
- Identifying the needs
- Analysing the risks
- Defining the security policy
Identifying the Needs
The needs identification step consists of first taking an inventory of the information system, notably of the following information:
- People and jobs
- Hardware, servers and the services they provide
- Network mapping (address map, physical and logical topologies, etc.)
- List of the company's domain names
- Communication infrastructure (routers, switches, etc.)
- Sensitive data
Analysing the Risks
The risk analysis step consists of listing the different risks the organization faces, estimating the probability of each and finally studying its impact.
The most practical way to analyze the impact of a threat is to estimate the cost of the damage it would cause (e.g. an attack on a server, or the loss or corruption of vital company data).
On this basis, it is useful to draw up a table of risks and their likelihood (i.e. the probability that they will occur), grading them on a scale to be defined. For example:
- Unfounded (or improbable): the threat is groundless
- Weak: the threat has little chance of occurring
- Moderate: the threat is real
- High: the threat is very likely to occur
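As an added example (not part of the original page), the following Python script turns the inventory and the likelihood scale above into a small risk register: each risk pairs an inventoried asset with a threat, a likelihood band and an estimated damage cost, and the register ranks risks by expected loss and checks whether a proposed countermeasure is worth its annual cost. The mapping of the four bands to annual probabilities, the sample assets, threats and costs are all constructed assumptions for illustration, not figures from the page.

```python
"""Risk register built on the four-level likelihood scale described in the text.

Added example: the probability assigned to each band and all sample figures
are assumptions chosen for illustration, not values from the original page.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Likelihood(Enum):
    """The page's scale; the numeric values are ASSUMED annual probabilities."""
    UNFOUNDED = 0.01   # threat is groundless
    WEAK = 0.10        # little chance of occurring
    MODERATE = 0.50    # threat is real
    HIGH = 0.90        # very likely to occur


@dataclass(frozen=True)
class Risk:
    asset: str               # an item from the information-system inventory
    threat: str              # what could happen to it
    likelihood: Likelihood   # estimated probability band
    damage_cost: float       # estimated cost of the damage if it happens

    @property
    def expected_loss(self) -> float:
        """Annualised expected loss: probability of the band times damage cost."""
        return self.likelihood.value * self.damage_cost


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order the register so the largest expected losses come first."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def countermeasure_net_benefit(risk: Risk, annual_cost: float,
                               residual: Likelihood) -> float:
    """Net yearly benefit of a measure that lowers the likelihood to `residual`.

    A positive result means the measure removes more expected loss than it costs
    and belongs in the security policy; a negative result means it does not pay.
    """
    after = Risk(risk.asset, risk.threat, residual, risk.damage_cost)
    return risk.expected_loss - after.expected_loss - annual_cost


def risk_table(risks: List[Risk]) -> List[str]:
    """Render the ranked register as plain-text rows (asset, threat, band, loss)."""
    rows = []
    for r in rank_risks(risks):
        rows.append(f"{r.asset:<16} {r.threat:<40} {r.likelihood.name:<10} "
                    f"{r.expected_loss:>12,.0f}")
    return rows


# Constructed sample register; assets, threats and amounts are invented.
SAMPLE_RISKS = [
    Risk("file server", "ransomware encrypts vital company data",
         Likelihood.MODERATE, 200_000),
    Risk("web server", "defacement via unpatched CMS",
         Likelihood.HIGH, 20_000),
    Risk("HR workstation", "theft of laptop holding personnel records",
         Likelihood.WEAK, 50_000),
    Risk("data centre", "meteorite strike",
         Likelihood.UNFOUNDED, 1_000_000),
]


if __name__ == "__main__":
    for row in risk_table(SAMPLE_RISKS):
        print(row)
    # Assumed countermeasure: offline backups at 15,000/year drop the
    # ransomware likelihood from MODERATE to WEAK.
    net = countermeasure_net_benefit(SAMPLE_RISKS[0], 15_000, Likelihood.WEAK)
    print(f"offline backups net benefit per year: {net:,.0f}")
```

The point the table makes is that a high-likelihood, low-cost threat (defacement) and a low-likelihood, high-cost one (data-centre loss) can land next to each other once probability and cost are combined, which is why the page asks for both to be estimated rather than ranking by likelihood alone.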
Defining the Security Policy
The security policy is the reference document that defines the security goals and the measures implemented to ensure that these goals are reached.
The security policy defines a number of rules, procedures and best practices that ensure a level of security that meets the needs of the organization.
Drawing up this document must be run as a project that brings together everyone from the users up to the highest level of management, so that it is accepted by all. Once the security policy has been written, the clauses concerning employees must be communicated to them so that the policy has the greatest possible impact.
Many methods exist that can be used to develop a security policy. Here is a non-exhaustive list of the main methods:
- MARION (Methodology of IT Risk Analysis by Level), developed by CLUSIF
- MEHARI (Harmonised Method of Risk Analysis), also developed by CLUSIF
- EBIOS (Expression of Needs and Identification of Security Objectives), developed by DCSSI (Central Information Systems Security Office, now ANSSI)
- ISO Standard 17799 (since renumbered ISO/IEC 27002)