The best laid schemes o’ Mice an’ Men,
Gang aft agley,
An' lea'e us nought but grief an' pain,
For promis'd joy!
— Robert Burns

Security in the Real World
Security in the real world

❖ Planning security
  • Setting up a security plan
  • Forecasting future needs
❖ Understanding risk
  • What should you be worried about?
  • What should you guard against?
❖ Creating a good security policy
❖ Non-technical risks
  • Understanding them
  • Mitigating them
Planning security

❖ Understand what’s currently being done
❖ Figure out where the environment is headed
❖ Decide what can be done to make things better
❖ Set up a plan
  • Policy
  • Current state
  • Requirements
  • Recommended controls
  • Accountability
  • Timetable
  • Continuing attention
What’s in a security policy?

❖ High-level description of intended security policy
  • Usually dictated from “on high”
  • Typically can’t be changed (easily)
❖ Outlines how system security should work
  • Goals
  • Responsibilities
  • Commitment (who’s paying?)
❖ Need to identify
  • Who gets access?
  • What resources can they get access to?
  • What kinds of access do they get?
Current security status

❖ Need to know where things are now
  • Critical for planning upgrades
  • May not be possible to make “discontinuous” changes
❖ May involve trying to break into the system!
  • Understand current issues and weaknesses
❖ Not just current security strengths & weaknesses, but also who’s responsible!
  • Security is as much about people as it is technology
Security requirements

❖ What does the system need to do to ensure a “secure” environment?
  • Depends on policy
❖ Constraint
  • Restricts or directs implementation of requirements
❖ Control
  • Attempt to reduce a vulnerability
❖ Requirements should be general
  • Specify effect, not mechanism
  • Provide choices for implementation
❖ Requirements should be
  • Correct
  • Consistent
  • Complete
❖ Recommendations
  • What should be done to implement security plan
  • List of controls needed and plan for using them
❖ Responsibility
  • Who’s going to do all of this?