Definition of Needs in Terms of IT Security

December 2016

Definition Phase

The definition phase for security needs is the first step towards implementing a security policy.

The goal consists in determining the organization's needs by taking an inventory of the information system and then studying the different risks and threats that they represent in order to implement an appropriate security policy.

The definition phase is made up of three steps:

  • Identifying the needs
  • Analysing the risks
  • Defining the security policy

Identifying the Needs

The needs identification phase consists in first taking an inventory of the information system, notably of the following information:

  • People and jobs
  • Materials, servers and the services they provide
  • Network mapping (address map, physical and logical topologies, etc.)
  • List of the company's domain names
  • Communication infrastructure (routers, switches, etc.)
  • Sensative data

Risk Analysis

The risk analysis step consists in indexing the different risks encountered, estimating their probability and finally studying their impact.

The best way to analyze the impact of a threat consists in estimating the cost of the damages it would cause (e.g. an attack on a server or damage to vital company data).

On this basis, it might be interesting to draw up a table of risks and their potentiality (i.e. the probability that they might occur) by giving them staggered levels according to a scale to be defined. For example:

  • Unfounded (or improbable): the threat is groundless
  • Weak: the threat has little chance of occurring
  • Moderate: the threat is real
  • High: the threat has great chances of occurring

Defining the Security Policy

The security policy is the reference document that defines the security goals and the measures implemented to ensure that these goals are reached.

The security policy defines a number of rules, procedures and best practices that ensure a level of security that meets the needs of the organization.

This document must be run like a project that brings together everyone from the users up to the highest part of the hierarchy so that it is accepted by all. Once the security policy has been written, the clauses concerning the employees must be sent to them so that the security policy can have the greatest impact.

Methods

Many methods exist that can be used to develop a security policy. Here is a non-exhaustive list of the main methods:


Related :


Definición de necesidades en términos de seguridad informática
Definición de necesidades en términos de seguridad informática
Définition des besoins en terme de sécurité de l'information
Définition des besoins en terme de sécurité de l'information
Definizione dei bisogni in termini di sicurezza informatica
Definizione dei bisogni in termini di sicurezza informatica
Definição das necessidades de termos de segurança informática
Definição das necessidades de termos de segurança informática
This document entitled « Definition of Needs in Terms of IT Security » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.