Chapter 2. Security process and policies
2.2 Security process model
At the beginning of this chapter, we introduced the security process model. This section expands the security process model by examining each step in additional detail.
The security process model is derived from a traditional management model and involves steps to plan, implement, monitor, and evaluate. The security process model is summarized here, slightly expanded to show how a security policy is created:
1. Identify and document the security requirements.
This planning step is used to identify and document the list of general security requirements based on the organization, industry, government regulations, and standards.
2. Plan and write a security policy.
During this planning step, the security policy is created, along with the standards, guidelines, baselines, and procedures. The standards, guidelines, baselines, and procedures must relate to and support the security policy.
3. Implement the security policy.
In this step, the security policy, standards, guidelines, baselines, and procedures previously created are implemented.
4. Monitor for implementation accuracy.
The policy must often be interpreted and applied to different technologies.
Monitoring the accuracy of the implementation helps evaluate whether the right controls are in place, based on how the security policy was interpreted and applied to each technology.
5. Monitor for compliance with the security policy.
The entire environment that is covered by the security policy must be monitored to assure compliance with the documented security policy, standards, guidelines, baselines, and procedures.
6. Independent security policy and implementation review.
The security policy must be independently reviewed to ensure that it is valid for the organization and has been appropriately implemented.
2.2.1 Identifying and documenting the security requirements
Figure 2-1 shows the input, process, output, and roles for identifying and documenting an organization’s security requirements. The main input is the organization’s requirements, as provided by the organization’s senior management. It also includes any other applicable requirements such as industry or government requirements.
The results of documenting the applicable requirements should be combined into a single general security requirements document that is used as input into writing the security policy.
Figure 2-1 Identifying and documenting the security requirements
2.2.2 Planning and writing a security policy
Figure 2-2 shows the input, process, output, and roles for planning and writing a security policy. The main input is the security requirements, together with any other applicable guidelines, such as platform, industry, or international guidelines.
The security policy is the responsibility of an organization’s senior management.
The writing of the security policy should be a combined activity between senior management (such as the CEO and CIO), the Information Technology (IT) director, the organization’s lawyers, and the security officer. The security policy is the organization’s written security plan that defines the items that must be secured and avoids specifics about how to implement the security policy. The security policy must cover computer systems as well as all other security areas, including manual processes such as physical security.
The results of planning and writing the security policy are a documented, management-supported policy that should be communicated by senior management to the organization.
Figure 2-2 Planning and writing a security policy
For additional information about the contents of a security policy, refer to 2.3, “Security policy contents” on page 21.
2.2.3 Implementing the security policy
Figure 2-3 shows the input, process, output, and roles for implementing a security policy. In this step, you change the system security configuration as required by the security policy.
The main input is the security policy. The security policy should clearly identify the controls to be implemented and any settings for the controls. Implementing the security policy is usually the responsibility of the security officer, security administrator, or security technical specialist. The result of implementing the security policy is a system secured according to the security policy.
Figure 2-3 Implementing the security policy
2.2.4 Monitoring for implementation accuracy
Figure 2-4 shows the input, process, output, and roles for monitoring the implementation accuracy of the security policy. In this step, you configure the system to monitor the security configuration to ensure compliance with the security policy.
The main input is the security policy. The security policy should clearly identify the security controls to be implemented and any settings for the controls.
Monitoring the implementation accuracy of the security policy is usually the responsibility of the security officer, security administrator, or security technical specialist. The results of this step are reports that show the implementation accuracy of the security policy.
Figure 2-4 Monitoring for implementation accuracy
2.2.5 Monitoring for compliance with the security policy
Figure 2-5 shows the input, process, output, and roles for monitoring for compliance with the security policy. The main inputs are the security policy and the actual system settings. The security administrator, security officer, or security technical specialist compares the security policy with the actual system settings. This person usually performs this type of monitoring on a regular schedule, such as daily.
The security administrator, security officer, or security technical specialist reviews and summarizes the results of the monitoring to give the organization’s security staff a list of issues that must be investigated and resolved, usually by changing a security setting in the system. Security warnings may be issued to any system users who are not following the security policy, processes, or procedures.
Figure 2-5 Monitoring for compliance with the security policy
2.2.6 Independent security policy and implementation review
Figure 2-6 shows the input, process, output, and roles for performing an independent security policy and implementation review. This process step ensures that the organization’s security policy meets all the security requirements and is implemented correctly. Also in this step, any manual procedures that are required to accomplish the goals of the security policy are reviewed.
The main inputs for the review are the security policy and procedures. The independent reviewer reviews the security policy to see whether it has been properly implemented on the system. This person also reviews the security procedures to see whether they are being followed by the system users. The results of the review provide the organization’s senior management with evidence regarding compliance with the policy and its implementation, the review findings, and recommended policy changes.
Figure 2-6 Independent security policy and implementation review