Before adding new security solutions to an existing network, the current
state of the network and of organizational practices needs to be identified.
This verifies their current compliance with the requirements and identifies
possible improvements, as well as the potential need to redesign a part of
the system or to rebuild a part of the system from scratch to satisfy the
requirements.

Policy Identification

If a security policy exists, the designer
should analyze it to identify the security requirements, which will influence
the design of the perimeter solution. Initially, two basic areas of the policy
should be examined:
- The policy should identify the assets that require protection. This will
help the designer provide the correct level of protection for sensitive
computing resources, and identify the flow of sensitive data in the
network.
- The policy should identify possible attackers. This will give the designer
insight into the level of trust assigned to internal and external users,
ideally identified by more specific categories such as business partners,
customers of an organization, and outsourcing IT partners.
The designer should also be able to evaluate if the policy was
developed using correct risk assessment procedures. For example, did the policy
development include all relevant risks for the organization and not overlook
important threats? The designer should also re-evaluate the policy mitigation
procedures to determine if they satisfactorily mitigate expected threats. This
ensures that the policy, which the designer will work with, is up to date and
complete.
Organizations that need a high level of security assurance will
require defense-in-depth mechanisms to be deployed to avoid
single points of failure. The designer also needs to work with the organization
to determine how much investment in security measures is acceptable for the
resources that require protection.
The result of policy analysis will be:
- The evaluation of policy correctness and completeness
- Identification of possible policy improvements, which need to be made
before the security implementation stage