Business Goals

First you must understand the goals of a given organization. If you are designing a secure network for an e-commerce retailer, knowing the company's role and function should put you into a certain frame of mind regarding the systems you will need to employ. For example, a security policy that dictates that, because of their sensitivity, all financial transactions must occur over private networks might be appropriate for a federal bank, but it would spell certain doom for an online retailer. Imagine browsing Amazon.com's online catalog using your web browser only to find you must establish a leased-line connection with Amazon when you want to make an actual purchase. This is certainly an extreme example, but the counterexample is equally unlikely. Imagine a federal bank using the public Internet to make financial transactions. The point here is to get a clear understanding of the business goals and ensure that you are able to meet those goals through whatever part the network plays in the overall business.

Understanding business needs can also reveal which elements of the security policy are essential and which can be omitted. For example, a mom-and-pop doughnut shop whose main concern is making sure its jelly doughnuts arrive on time probably doesn't need an acceptable encryption policy or a remote access policy. The federal bank from our previous example, however, must consider these policies and more. By translating business needs into policy directives, an organization can understand how far its policies must go to secure its network. If the policies closely match the business needs of the network, you are on the right track.

If you and the rest of the security policy development team are having difficulty getting started on this process, you can begin by organizing your information assets into three categories: low value, medium value, and high value. A low-value asset is one whose compromise or loss of service causes almost no negative impact to your organization. Medium-value and high-value assets are assessed in the same way, substituting medium negative impact and high negative impact, respectively, for almost no negative impact.

As a security architect, your interface point with business needs is primarily as a receiver of information. Goals should be adequately communicated to you so that sound security decisions can be made. This should be more than a memo from senior management. The security architect must really understand the organization's goals to make effective security choices.
