Vulnerability Analysis
Policy review

Before adding new security solutions to an existing network, the current state of the network and organizational practices needs to be identified to verify their current compliance with the requirements, and identify possible improvements and the potential need to redesign a part of the system, or to rebuild a part of the system from scratch to satisfy the requirements.

Policy Identification
If a security policy exists, the designer should analyze it to identify the security requirements, which will influence the design of the perimeter solution. Initially, two basic areas of the policy should be examined:

  • The policy should identify the assets that require protection. This will help the designer provide the correct level of protection for sensitive computing resources, and identify the flow of sensitive data in the network.
  • The policy should identify possible attackers. This will give the designer insight into the level of trust assigned to internal and external users, ideally identified by more specific categories such as business partners, customers of an organization, outsourcing IT partners.

The designer should also be able to evaluate if the policy was developed using correct risk assessment procedures. For example, did the policy development include all relevant risks for the organization and not overlook important threats? The designer should also re-evaluate the policy mitigation procedures to determine if they satisfactorily mitigate expected threats. This ensures that the policy, which the designer will work with, is up to date and complete.

Organizations that need a high level of security assurance will require defense-in-depth mechanisms to be deployed to avoid single-points-of-failure. The designer also needs to work with the organization to determine how much investment in security measures is acceptable for the resources that require protection.

The result of policy analysis will be:

  • The evaluation of policy correctness and completeness
  • Identification of possible policy improvements, which need to be made before the security implementation stage