Module 15: Developing a Security Plan


1 Module 15: Developing a Security Plan

2 Overview
- Designing a Security Plan
- Defining Security Requirements
- Maintaining the Security Plan

3 A security plan is a design document that consists of policies, procedures, implementation strategies, and verification methods that are needed to meet your organization's security requirements.

4 At the end of this module, you will be able to:
Design a security plan that will meet the security requirements of an organization. Define the security requirements for local and remote networks, public and private networks, and trusted business partners. Develop strategies to maintain the network security plan.

5 Designing a Security Plan
Defining a Security Policy Defining the Scope of the Security Plan Creating the Project Team Developing the Security Plan Deploying the Security Plan

6 You must establish a security plan when you determine that your organization's current level of security no longer meets the security requirements. A well-designed security plan will assist your organization in consistently addressing security issues.

7 Designing a Security Plan
To design a security plan, you must:
- Define the organization's security policy.
- Define the scope of the security plan.
- Create a project team to design and implement the security plan.
- Develop a security plan that supports the organization's security policy.
- Deploy and test the security plan.

8 Defining a Security Policy
Providing a Security Framework Identifying the Security Requirements Reasons for implementing security Resources requiring protection Threats or risks to resources Probability of attacks or accidental damage

9 Before you develop your security plan, your organization must define its security policy. A security policy represents the guiding principle for the organization's security plan. The security policy defines an organization's requirements for correct computer and network usage, and includes procedures to detect, prevent, and respond to security incidents. An organization's security policy provides the framework for implementing security plans and procedures. To develop a security policy, start by identifying the security needs of the organization. A well-conceived security policy incorporates the requirement that employees need to perform their jobs with as little inconvenience as possible. For example, when defining password requirements, setting minimum password lengths to be too long can result in users keeping a written copy of their passwords. A written copy can pose a more significant security threat than the use of short passwords that can be more easily memorized.

10 To identify the security needs for your organization, you must identify:
The reasons for implementing security. The resources that require protection. The threats or risks to resources. The probability of attacks or accidental damage occurring to the resources.

11 Defining the Scope of the Security Plan
Local Network Remote User Internet Scope Remote Office Select the Risks Select the Network Areas Security Plan

12 Security plans cannot address all possible risks, so an organization must define the scope of the plan to specify which risks will be addressed. The scope of the plan will determine exactly which areas of the organization or network the security plan will address.

13 For example, you may be developing a security plan for a department within your organization, or you may be developing a plan to address the security needs of the entire organization. In the first scenario, the scope of the plan will include security issues at a detailed level; for example, specifying mandatory user profiles required to prevent users from changing the pre-defined configuration. In the second scenario, the scope of the plan will address security issues at an organizational level; for example, the decision to support particular protocols and authentication methods, but not specify individual user profiles. Defining the scope of the plan before proceeding to the planning stage ensures that the scope does not increase beyond its intended areas. Including the scope definition in the plan will justify the selections of specific components in the plan.

14 Creating the Project Team
Installation Team Training Team Support Team Planning Team

15 After you have defined the scope of the security plan, you will need to create a project team to develop the security plan. The project manager assembles the necessary teams of system administrators and other internal Information Technology (IT) professionals. These teams will plan, test, and implement security configurations; train users; and provide continuing support to the security plan. If required, you can supplement your internal teams with members from external resources.

16 The project team must have upper-level management approval for all decisions. Members of the project team can include: Planning teams that determine the security requirements, develop deployment strategies, and write the security plan. Installation teams that set up the test labs to test the security designs. Training teams that develop the training plan and training documentation. These teams will train the users on the best use of any new technologies introduced by the security plan. Support teams that develop the support plan. The support teams will assist users during and after the security plan is deployed.

17 Developing the Security Plan
Security Requirements Project Timeline Roles and Responsibilities Implementation Technologies Security Configurations

18 When the scope of a security plan has been defined and the security planning team has been created, you can develop the actual security plan. Security plans are the working components of the security policy. The security plan documents sets of procedures. You implement these sets of procedures to support the goal of the security policy within the defined scope of the security plan.

19 A security plan includes:
Security requirements to ensure that the security policy is met. A project timeline that will define any relationships between tasks in the project. Relationships will include any dependencies that exist between the tasks that make up a project. The timeline identifies a critical path for any tasks that must be completed before subsequent tasks can start. Roles and responsibilities assigned appropriately to each participant in the project. Implementation technologies that will be used to deploy the plan. Security configurations for all services and components that the security plan requires.

20 Upper-level management must approve your completed security plan. You must then review the plan to ensure that all security requirements are met. Security baseline levels must be defined for key areas, to ensure that the deployed plan meets or exceeds objectives.

21 Deploying the Security Plan
Project Timeline Release Date Feedback on Plan Record Required Modifications

22 When the security plan has been designed and approved, the deployment of the plan can occur. You accomplish the deployment by establishing a project timeline. In your timeline, include all tasks involved in accomplishing the security plan, including the release date. A fixed release date will help the team prioritize tasks and plan activities to accomplish the tasks accordingly. The key to project success is finding the right balance between available resources, the deployment date, and components of the plan. When the deployment is complete, obtain feedback from all participants (including users, trainers, and support technicians) and document the information obtained during the deployment. Based on this feedback, identify changes that will increase the effectiveness of the security plan.

23 Defining Security Requirements
Partners Local Network Remote Network Public Network Local Network Remote Network Public Network Partner Access

24 A key step in developing your security plan is the definition of security requirements. When defining security requirements, remember that any proposed solutions must provide security while minimizing any disruption to user performance. Security requirements for a network can be partitioned to allow easier definition of the required security levels. For example, you can partition network security into:
- Local network
- Remote network
- Public network
- Partner access

25 Planning Local Network Security
Partners Local Network Remote Network Administrative Groups Active Directory Computer Configurations Local File Security Network Topology Non-Microsoft Clients Public Network

26 You must secure local network resources before expanding the network to include access for remote networks, public networks, and partners. Local network security must ensure that security applied to data stored and transmitted on the local network meets your organization's required security standards.

27 When planning security for the local network, consider:
- Administrative group design. Review your administrative group design for:
  - Membership in administrative groups.
  - User rights to ensure that no groups or users have been assigned excess privileges.
  - The policies in place for administrative account usage.
- The Active Directory™ directory service design. Examine your Active Directory design to determine:
  - Whether you have single or multiple forests.
  - The number of domains in the forest.
  - Whether your organizational unit (OU) structure allows for delegation of administration and deployment of Group Policy as required.

28 When planning security for the local network, also consider:
- Microsoft® Windows® 2000-based computer configurations. When defining security templates for computer security configurations, confirm that you have:
  - Defined all classes of computers for the network.
  - Defined all baseline security configurations for each classification.
  - Tested the security templates to ensure that they meet security goals.
  - Designed a plan to deploy all security templates.
- Local file security. For the security of local files, make sure that you have:
  - Reviewed and refined all of the NTFS file system permissions.
  - Based NTFS permissions on groups rather than users.
  - Defined scenarios in which Encrypting File System (EFS) must be deployed.
  - Defined a centralized EFS recovery agent to ensure that encrypted files are recovered.

29 When planning security for the local network, also consider:
Network topology. When designing your network topology, ensure that the following security considerations are addressed: Verify that any applications that require secure transmissions support application-level security. Determine whether any areas of the network cross insecure boundaries. Make sure that your OU structure is designed to facilitate Internet Protocol Security (IPSec) policy assignments. Make sure that network hubs and routers are in secured areas.

30 Non-Microsoft clients. For any non-Microsoft clients, determine:
Which network resources non-Microsoft clients need to access. Whether requirements exist for clients to authenticate with Active Directory. How to configure gateway services for non-Microsoft operating systems so that baseline security requirements are maintained.

31 Planning Remote Network Security
Partners Local Network Remote Network Public Network Public Network Remote Access Users Connectivity to Remote Offices

32 Your security plan must address the risks associated with providing access to your network by remote users and remote offices. Your plan must provide for secure access for authorized remote users, while keeping your network secure from unauthorized remote users. Remote users may connect to your network by using dial-up connections or dedicated connections between offices, or they may use tunnels over established Internet connections. The risks associated with these remote connections will depend on the level of accessibility allowed when the user connects to your network.

33 When designing a security plan for the remote network, consider:
Remote access users. For remote user access, you must determine: Which users will require remote access. Which protocols will be used to support remote access authentication. Whether you will need to support dial-up or virtual private network (VPN) access, or both. Whether you will use the Internet Authentication Service (IAS) to centrally manage remote access policy.

34 When designing a security plan for the remote network, also consider:
Connectivity to remote offices. For connectivity to remote offices, you must determine: The type of information that will be transferred. Whether to use a dedicated network link, or a tunnel over a public network. Whether the network infrastructure uses network address translation (NAT). Whether Routing and Remote Access in Windows 2000 is required to connect third-party products. The security configuration that meets the security policy for the type of connection deployed to the remote office.

35 Planning Public Network Interaction
Partners Local Network Remote Network Public Network Securing the Local Network from the Public Network Providing Secure Access to the Public Network

36 Having access to public networks, such as the Internet, is critical to many business functions. Your security plan must provide access to public networks that is adequate for business requirements, while protecting your local network from security threats.

37 When designing a security plan for interacting with a public network, consider:
Securing the local network from the public network. To secure your local network, you must determine:
- Which resources will be exposed to Internet users.
- What type of screened subnet you will deploy.
- The firewall rules required to restrict network traffic at the external and internal firewalls.
- What type of access to the screened subnet will be required from the internal network.

38 When designing a security plan for interacting with a public network, also consider:
Providing secure access to the public network. To provide secure access to the public network, you must determine:
- Which internal network users will require access to the Internet.
- Whether to impose restrictions on specific content or Web sites.
- Whether you can use Windows 2000 security groups to manage Internet access.
- Whether centralized management of Microsoft Internet Explorer settings will be required.

39 Planning Partner Access to the Network
Partners Local Network Remote Network Public Network Connecting Partners to the Network Designing a Public Key Infrastructure

40 Securing access for trusted business partners includes designing authentication methods and configuring security so that only the required access is granted to partners. When your security plan must include access for business partners, you must determine the level of access that your partners require and develop a solution to meet those requirements. Your security plan must provide both the method for partner access to your network and the means to secure the partner access.

41 When designing a security plan for partner access to your network, consider:
Connecting your partners to your network. When providing network access to partners, you must determine: Which connection methods partners will use. The applications to which partners will have access. Whether an extranet will be used for partner resources. Which partners will require user accounts in Active Directory. Whether trust relationships must be established between domains in your forest and partners' domains.

42 When designing a security plan for partner access to your network, also consider:
Designing a Public Key Infrastructure (PKI). When designing a PKI, you must establish: Which applications or services will require certificates for authentication. Who will manage certificates issued by an internal certification authority (CA). Which applications will require an external CA. Whether you must deploy a stand-alone or enterprise CA. What structure you will require for a CA hierarchy. Whether partners will require certificates to be mapped to user accounts in Active Directory. Methods for your organization to recover from a failed or compromised CA.

43 Maintaining the Security Plan
Modifying the Security Plan Monitoring Security Issues

44 When you have implemented your security plan, you must make sure that your network security continues to meet your organization's security requirements. In developing a security plan maintenance strategy, you need to identify the functional areas within your organization that may be affected by changes to your organization. Organizational changes may necessitate changing the existing security configuration to meet new security requirements. The goal of designing a maintenance strategy for the security plan is to develop an effective strategy that does not require change as the organization and the security plan change. As part of your maintenance strategy, you must identify security updates that are made to products used within your organization, and you must then update your security plan accordingly.

45 In this lesson you will learn about the following topics:
Modifying the security plan Monitoring the security plan

46 Modifying the Security Plan
Organizational Change May Result In: Modifying security requirements Expanding the scope of the plan Developing a new plan

47 Organizations undergo changes from time to time, and these changes are likely to affect the security plan and the underlying security requirements. Organizational change can include corporate reorganization, expansion, downsizing, change of location, partnerships with other organizations, and mergers with other organizations. Organizational changes and reorganization may result in changes to your organization's security requirements and the need for you to modify your security plan. For example, a bank may merge with another financial institution, and bring with it additional locations, products, and services.

48 When there are changes in your organization, you must identify and analyze the effects of any change by asking: Will the organizational changes result in the need to modify security requirements? Do the organizational changes require that the scope of the existing security plan be increased? Will the new security requirements be handled by expanding the existing security plan, or by developing a new one?

49 As part of ongoing security maintenance, you must remain up-to-date on security issues for your organization's software and hardware. Security issues can arise when attackers find vulnerabilities in software and hardware deployed in your organization.

50 Sources of Security Information
Sources available to you for information about security issues include:
- Web-based security bulletins.
- Security newsgroups.
- List servers.
- Subscription-based services.
- Paper-based security bulletins.
Because not all sources of information are reliable, you must verify the authenticity of any sources that you use.

51 Deploying Security Updates
When Microsoft updates critical security issues with Windows 2000, these issues are posted on the Windows Update site (windowsupdate.microsoft.com), and are available for you to download. Alternatively, you can receive notification of security updates by subscribing to Microsoft Security Notification Service at

52 After you have downloaded a security update, you must then deploy it to the required computers. To deploy the update, you can use software deployment in Group Policy or in Microsoft Systems Management Server. Computers running non-Microsoft operating systems will need alternative methods of deploying security updates. Caution: You must test any suggested security changes to software before deploying the changes to your organization, because the security update may inadvertently introduce a security weakness or otherwise change security settings.

53 Monitoring Security Issues
Sources of Security Information Deploying Security Updates

54 Lab A: Developing a Security Plan

55 Objectives After completing this lab, you will be able to:
Design a security plan that will meet the security requirements of an organization. Define the security requirements for local and remote networks, public and private networks, and trusted business partners. Develop strategies to maintain network security.

56 Prerequisites Before working on this lab, you must have:
Knowledge of security policies and how to configure them. Knowledge of security risks and how to prioritize them. Knowledge of the strategies used to implement solutions to meet security requirements.

57 Goal In this exercise, you are presented with the task of designing a security plan for Contoso, Ltd., a large-sized organization where you are responsible for IT operations in the Human Resources (HR) department. You will develop a solution to meet the organization's security requirements. To design your solution, review the scenario and design criteria, and then complete the scope of the plan and the design worksheets.

58 Scenario Your company, Contoso, Ltd., is a bank with over 500 branches across the United States and 20 branches internationally. Contoso, Ltd. employs a total of 40,000 people. You are responsible for IT security in the HR department, which has staff in the main office and in several of the larger branch offices throughout the United States. Contoso, Ltd. has a large IT department, with many groups within that department solely responsible for the systems that they maintain. Your responsibilities are limited to the HR department. Other groups within the IT department have responsibility for areas such as Internet access, remote access, e-mail, and network infrastructure. The HR department is responsible for managing the recruitment of new staff, conducting interviews, setting salary levels, participating in performance reviews, and managing contract staff.

59 Exercise 1: Developing a Security Plan for a Large Organization
The HR department has experienced numerous security breaches in the last few months. One of those breaches involved a virus spreading through the e-mail system, and another was due to someone from your department posting confidential information on a company Web site that is accessible from the Internet. Currently, Contoso, Ltd. has connections to the Internet for Web browsing, and in the HR department, permission to browse the Web is granted on an as-needed basis. The internal HR systems are not on the Web, but HR receives resumes from job applicants through Internet e-mail. The department is currently recruiting a large number of staff, and uses several external agencies to aid the recruitment process. These external agencies need limited access to HR information from the internal HR database and file servers. A VPN server enables external agencies to access the HR department's information. The VPN server allows limited access to only specific servers in the HR network. User accounts for external agency users are created within a partner OU and granted remote access as necessary.

60 In the current network configuration:
- The HR database contains all salary, review, and employee benefit information. This information is confidential, and access to it is restricted to certain HR personnel and managers.
- HR has several file servers used for storing confidential documents and forms.
- HR uses e-mail extensively for both internal communication and communication with prospective employees. Authenticity of internal communication through e-mail is currently verified by the use of certificates.
- The IT department has more than 1,500 staff members.
- HR has a VPN server with a connection to the Internet that allows external agency users access to certain resources. This VPN server is in a screened subnet, and is only allowed access to specific HR servers.

61 Design Criteria Your solution must meet the following criteria:
- All HR information must be secure from internal hackers and accidental internal break-ins.
- Only select HR staff can make changes to the database.
- Access to confidential employee information is confined to HR staff.
- The accounting department must have access to salary data.

62 Planning Worksheet Instructions
The following table lists existing policies and solutions for risks that have been identified.

Risk: Virus infection through e-mail
Policy: All incoming files must be scanned by a virus scanner.
Designs: Use Group Policy to deploy a desktop virus scanner and configure scanning preferences. Virus scanner must scan e-mail.

Risk: Loss of access to HR file servers due to an internal DoS attack
Policy: Must not allow internal users to perform attacks on internal file servers.
Designs: Monitor audit logs to identify attacks before they happen to minimize the chance of a successful attack. Make sure that all file server security issues are implemented on all internal servers.

Risk: Printing confidential HR data to public or insecure printers
Policy: Confidential information shall only be printed on secure printers.
Designs: Train staff on which printers to use for each form of data. Use permissions to restrict access to printers for staff members who work with confidential data. Use scripts to configure printer connections for staff with access to confidential information.

63 Review
- Designing a Security Plan
- Defining Security Requirements
- Maintaining the Security Plan

