Definition of Needs in Terms of IT Security

Definition Phase

The definition phase for security needs is the first step towards implementing a security policy.

The goal is to determine the organization's needs by taking an inventory of the information system and then studying the risks and threats it faces, in order to implement an appropriate security policy.

The definition phase is made up of three steps:

  • Identifying the needs
  • Analysing the risks
  • Defining the security policy

Identifying the Needs

The needs identification phase consists in first taking an inventory of the information system, notably of the following information:

  • People and jobs
  • Hardware, servers and the services they provide
  • Network mapping (address map, physical and logical topologies, etc.)
  • List of the company's domain names
  • Communication infrastructure (routers, switches, etc.)
  • Sensitive data

Risk Analysis

The risk analysis step consists in listing the different risks encountered, estimating their probability and finally studying their impact.

The best way to analyze the impact of a threat is to estimate the cost of the damage it would cause (e.g. an attack on a server or damage to vital company data).

On this basis, it can be useful to draw up a table of risks and their likelihood (i.e. the probability that they will occur), rating each one on a graduated scale to be defined. For example:

  • Unfounded (or improbable): the threat is groundless
  • Weak: the threat has little chance of occurring
  • Moderate: the threat is real
  • High: the threat has a high chance of occurring

Defining the Security Policy

The security policy is the reference document that defines the security goals and the measures implemented to ensure that these goals are reached.

The security policy defines a number of rules, procedures and best practices that ensure a level of security that meets the needs of the organization.

Drafting this document must be run like a project that brings together everyone from the users up to the top of the hierarchy, so that it is accepted by all. Once the security policy has been written, the clauses concerning the employees must be sent to them so that the security policy can have the greatest impact.


Many methods exist that can be used to develop a security policy. Here is a non-exhaustive list of the main methods:

CCM is a leading international tech website. Our content is written in collaboration with IT experts, under the direction of Jean-François Pillou, founder of CCM. CCM reaches more than 50 million unique visitors per month and is available in 11 languages.
This document, titled « Definition of Needs in Terms of IT Security », is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (
