The definition phase for security needs is the first step towards implementing a security policy.
The goal is to determine the organization's needs by taking an inventory of the information system and then studying the risks and threats to which its components are exposed, in order to implement an appropriate security policy.
The definition phase is made up of three steps:
The needs identification step consists of first taking an inventory of the information system, notably of the following information:
The risk analysis step consists of cataloguing the different risks encountered, estimating their probability of occurrence and finally studying their impact.
The best way to analyze the impact of a threat is to estimate the cost of the damage it would cause (e.g. an attack on a server or the loss of vital company data).
On this basis, it is useful to draw up a table of risks and their likelihood (i.e. the probability that they occur), grading them on a scale to be defined. For example:
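The table described above can be kept as a small risk register that combines the two estimates the step calls for (probability of occurrence and cost of the damage) into an expected loss, grades it on a scale and ranks the risks. The following Python is an added example, not part of the original article or any particular method: the likelihood values, the level thresholds, the tolerance figure and the sample risks are all constructed for illustration, since the text leaves the scale to be defined.

```python
from dataclasses import dataclass

# Likelihood scale: ordinal label -> assumed yearly probability of occurrence.
# Constructed for this example; the article leaves the scale "to be defined".
LIKELIHOOD_SCALE = {
    "rare": 0.05,
    "unlikely": 0.20,
    "possible": 0.50,
    "likely": 0.80,
}

# Graded levels for the exposure (expected loss per year).
# Upper bounds are constructed thresholds, in the same currency as impact_cost.
LEVEL_BOUNDS = [
    (1_000, "low"),
    (20_000, "medium"),
    (float("inf"), "high"),
]


@dataclass(frozen=True)
class Risk:
    name: str           # the threat, e.g. "attack on public web server"
    asset: str          # the inventoried asset it affects
    likelihood: str     # a key of LIKELIHOOD_SCALE
    impact_cost: float  # estimated cost of the damage if the threat materializes


def expected_loss(risk: Risk) -> float:
    """Probability of occurrence times cost of the damage."""
    if risk.likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"unknown likelihood label: {risk.likelihood!r}")
    return LIKELIHOOD_SCALE[risk.likelihood] * risk.impact_cost


def level_for(loss: float) -> str:
    """Map an expected loss onto the graded scale (first bound it falls under)."""
    for bound, label in LEVEL_BOUNDS:
        if loss < bound:
            return label
    return LEVEL_BOUNDS[-1][1]


def build_risk_table(risks):
    """Return one row per risk, highest expected loss first, so that
    treatment effort is directed at the largest exposures."""
    rows = []
    for r in risks:
        loss = expected_loss(r)
        rows.append({"name": r.name, "asset": r.asset, "likelihood": r.likelihood,
                     "impact_cost": r.impact_cost, "expected_loss": loss,
                     "level": level_for(loss)})
    rows.sort(key=lambda row: row["expected_loss"], reverse=True)
    return rows


def above_tolerance(rows, tolerance: float):
    """Names of the risks whose expected loss exceeds the organization's tolerance."""
    return [row["name"] for row in rows if row["expected_loss"] > tolerance]


# Constructed sample register; the figures are illustrative, not real data.
SAMPLE_RISKS = [
    Risk("attack on public web server", "web server", "likely", 30_000),
    Risk("loss of customer database", "database", "unlikely", 200_000),
    Risk("laptop theft", "staff laptops", "possible", 3_000),
    Risk("data-centre fire", "server room", "rare", 500_000),
]

if __name__ == "__main__":
    table = build_risk_table(SAMPLE_RISKS)
    print(f"{'risk':30} {'asset':14} {'likelihood':10} {'impact':>9} {'exp.loss':>9} level")
    for row in table:
        print(f"{row['name']:30} {row['asset']:14} {row['likelihood']:10} "
              f"{row['impact_cost']:9.0f} {row['expected_loss']:9.0f} {row['level']}")
    print("above tolerance:", above_tolerance(table, 20_000))
```

Ranking by expected loss rather than by probability or cost alone is what makes a rare but catastrophic event (the fire in the sample) sit next to a frequent, cheaper one (the web server attack); the graded level then gives management a label that does not require reading the raw figures.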
The security policy is the reference document that defines the security goals and the measures implemented to ensure that these goals are reached.
The security policy defines a number of rules, procedures and best practices that ensure a level of security that meets the needs of the organization.
Drafting this document must be managed like a project that involves everyone from the users up to the top of the hierarchy, so that it is accepted by all. Once the security policy has been written, the clauses that concern employees must be communicated to them so that the policy has the greatest possible effect.
Many methods exist that can be used to develop a security policy. Here is a non-exhaustive list of the main methods: