Module 15: Developing a Security Plan

Overview

Designing a Security Plan

Defining Security Requirements

Maintaining the Security Plan

A security plan is a design document that consists of policies, procedures, implementation strategies, and verification methods that are needed to meet your organization's security requirements.

At the end of this module, you will be able to:

Design a security plan that will meet the security requirements of an organization.

Define the security requirements for local and remote networks, public and private networks, and trusted business partners.

Develop strategies to maintain the network security plan.

Designing a Security Plan

Defining a Security Policy

Defining the Scope of the Security Plan

Creating the Project Team

Developing the Security Plan

Deploying the Security Plan

You must establish a security plan when you determine that your organization's current level of security no longer meets the security requirements. A well-designed security plan will assist your organization in consistently addressing security issues.

To design a security plan, you must:

Define the organization's security policy.

Define the scope of the security plan.

Create a project team to design and implement the security plan.

Develop a security plan that supports the organization's security policy.

Deploy and test the security plan.

Defining a Security Policy

Providing a Security Framework

Identifying the Security Requirements

Reasons for implementing security

Resources requiring protection

Threats or risks to resources

Probability of attacks or accidental damage

Before you develop your security plan, your organization must define its security policy. A security policy represents the guiding principle for the organization's security plan. The security policy defines an organization's requirements for correct computer and network usage, and includes procedures to detect, prevent, and respond to security incidents. An organization's security policy provides the framework for implementing security plans and procedures.

To develop a security policy, start by identifying the security needs of the organization. A well-conceived security policy incorporates the requirement that employees need to perform their jobs with as little inconvenience as possible. For example, when defining password requirements, setting a minimum password length that is too long can result in users keeping a written copy of their passwords. A written copy can pose a more significant security threat than the use of short passwords that can be more easily memorized.

To identify the security needs for your organization, you must identify:

The reasons for implementing security.

The resources that require protection.

The threats or risks to resources.

The probability of attacks or accidental damage occurring to the resources.

Defining the Scope of the Security Plan

Select the Risks

Select the Network Areas

[Diagram labels: Remote User, Local Network, Remote Office, Internet, Security Plan Scope]

Security plans cannot address all possible risks, so an organization must define the scope of the plan to specify which risks will be addressed. The scope of the plan will determine exactly which areas of the organization or network the security plan will address.

For example, you may be developing a security plan for a department within your organization, or you may be developing a plan to address the security needs of the entire organization. In the first scenario, the scope of the plan will include security issues at a detailed level; for example, specifying mandatory user profiles required to prevent users from changing the pre-defined configuration. In the second scenario, the scope of the plan will address security issues at an organizational level; for example, the decision to support particular protocols and authentication methods, but not specify individual user profiles.

Defining the scope of the plan before proceeding to the planning stage ensures that the scope does not increase beyond its intended areas. Including the scope definition in the plan will justify the selections of specific components in the plan.

Creating the Project Team

[Diagram labels: Project Team, Planning Team, Installation Team, Training Team, Support Team]

After you have defined the scope of the security plan, you will need to create a project team to develop the security plan. The project manager assembles the necessary teams of system administrators and other internal Information Technology (IT) professionals. These teams will plan, test, and implement security configurations; train users; and provide continuing support to the security plan. If required, you can supplement your internal teams with members from external resources.

The project team must have upper-level management approval for all decisions. Members of the project team can include:

Planning teams that determine the security requirements, develop deployment strategies, and write the security plan.

Installation teams that set up the test labs to test the security designs.

Training teams that develop the training plan and training documentation. These teams will train the users on the best use of any new technologies introduced by the security plan.

Support teams that develop the support plan. The support teams will assist users during and after the security plan is deployed.

Developing the Security Plan

Security Requirements

Project Timeline

Roles and Responsibilities

Implementation Technologies

Security Configurations

When the scope of a security plan has been defined and the security planning team has been created, you can develop the actual security plan. Security plans are the working components of the security policy. The security plan documents sets of procedures. You implement these sets of procedures to support the goal of the security policy within the defined scope of the security plan.

A security plan includes:

Security requirements to ensure that the security policy is met.

A project timeline that will define any relationships between tasks in the project. Relationships will include any dependencies that exist between the tasks that make up a project. The timeline identifies a critical path for any tasks that must be completed before subsequent tasks can start.

Roles and responsibilities assigned appropriately to each participant in the project.

Implementation technologies that will be used to deploy the plan.

Security configurations for all services and components that the security plan requires.

Upper-level management must approve your completed security plan. You must then review the plan to ensure that all security requirements are met. Security baseline levels must be defined for key areas, to ensure that the deployed plan meets or exceeds objectives.

Deploying the Security Plan

Project Timeline

Release Date

Feedback on Plan

Record Required Modifications

When the security plan has been designed and approved, the deployment of the plan can occur. You accomplish the deployment by establishing a project timeline. In your timeline, include all tasks involved in accomplishing the security plan, including the release date. A fixed release date will help the team prioritize tasks and plan activities to accomplish the tasks accordingly. The key to project success is finding the right balance between available resources, the deployment date, and components of the plan.

When the deployment is complete, obtain feedback from all participants (including users, trainers, and support technicians) and document the information obtained during the deployment. Based on this feedback, identify changes that will increase the effectiveness of the security plan.

Defining Security Requirements

Local Network

Remote Network

Public Network

Partner Access

A key step in developing your security plan is the definition of security requirements. When defining security requirements, remember that any proposed solutions must provide security while minimizing any disruption to user performance. Security requirements for a network can be partitioned to allow easier definition of the required security levels. For example, you can partition network security into:

Local network

Remote network

Public network

Partner access

Planning Local Network Security

Administrative Groups

Active Directory

Computer Configurations

Local File Security

Network Topology

Non-Microsoft Clients

You must secure local network resources before expanding the network to include access for remote networks, public networks, and partners. Local network security must ensure that security applied to data stored and transmitted on the local network meets your organization's required security standards.

When planning security for the local network, consider:

Administrative group design.

Review your administrative group design for:

Membership in administrative groups.

User rights, to ensure that no groups or users have been assigned excess privileges.

The policies in place for administrative account usage.

The Active Directory™ directory service design.

Examine your Active Directory design to determine:

Whether you have single or multiple forests.

The number of domains in the forest.

Whether your organizational unit (OU) structure allows for delegation of administration and deployment of Group Policy as required.

When planning security for the local network, also consider:

Microsoft® Windows® 2000-based computer configurations.

When defining security templates for computer security configurations, confirm that you have:

Defined all classes of computers for the network.

Defined all baseline security configurations for each classification.

Tested the security templates to ensure that they meet security goals.

Designed a plan to deploy all security templates.

Local file security.

For the security of local files, make sure that you have:

Reviewed and refined all of the NTFS file system permissions.

Based NTFS permissions on groups rather than users.

Defined scenarios in which Encrypting File System (EFS) must be deployed.

Defined a centralized EFS recovery agent to ensure that encrypted files are recovered.

When planning security for the local network, also consider:

Network topology.

When designing your network topology, ensure that the following security considerations are addressed:

Verify that any applications that require secure transmissions support application-level security.

Determine whether any areas of the network cross insecure boundaries.

Make sure that your OU structure is designed to facilitate Internet Protocol Security (IPSec) policy assignments.

Make sure that network hubs and routers are in secured areas.

Non-Microsoft clients.

For any non-Microsoft clients, determine:

Which network resources non-Microsoft clients need to access.

Whether requirements exist for clients to authenticate with Active Directory.

How to configure gateway services for non-Microsoft operating systems so that baseline security requirements are maintained.

Planning Remote Network Security

Remote Access Users

Connectivity to Remote Offices

Your security plan must address the risks associated with providing access to your network by remote users and remote offices. Your plan must provide for secure access for authorized remote users, while keeping your network secure from unauthorized remote users.

Remote users may connect to your network by using dial-up connections or dedicated connections between offices, or they may use tunnels over established Internet connections. The risks associated with these remote connections will depend on the level of accessibility allowed when the user connects to your network.

When designing a security plan for the remote network, consider:

Remote access users.

For remote user access, you must determine:

Which users will require remote access.

Which protocols will be used to support remote access authentication.

Whether you will need to support dial-up or virtual private network (VPN) access, or both.

Whether you will use the Internet Authentication Service (IAS) to centrally manage remote access policy.

When designing a security plan for the remote network, also consider:

Connectivity to remote offices.

For connectivity to remote offices, you must determine:

The type of information that will be transferred.

Whether to use a dedicated network link, or a tunnel over a public network.

Whether the network infrastructure uses network address translation (NAT).

Whether Routing and Remote Access in Windows 2000 is required to connect third-party products.

The security configuration that meets the security policy for the type of connection deployed to the remote office.

Planning Public Network Interaction

Securing the Local Network from the Public Network

Providing Secure Access to the Public Network

Having access to public networks, such as the Internet, is critical to many business functions. Your security plan must provide access to public networks that is adequate for business requirements, while protecting your local network from security threats.

When designing a security plan for interacting with a public network, consider:

Securing the local network from the public network.

To secure your local network, you must determine:

Which resources will be exposed to Internet users.

What type of screened subnet you will deploy.

The firewall rules required to restrict network traffic at the external and internal firewalls.

What type of access to the screened subnet will be required from the internal network.

When designing a security plan for interacting with a public network, also consider:

Providing secure access to the public network.

To provide secure access to the public network, you must determine:

Which internal network users will require access to the Internet.

Whether to impose restrictions on specific content or Web sites.

Whether you can use Windows 2000 security groups to manage Internet access.

Whether centralized management of Microsoft Internet Explorer settings will be required.

Planning Partner Access to the Network

Connecting Partners to the Network

Designing a Public Key Infrastructure

Securing access for trusted business partners includes designing authentication methods and configuring security so that only the required access is granted to partners.

When your security plan must include access for business partners, you must determine the level of access that your partners require and develop a solution to meet those requirements. Your security plan must provide both the method for partner access to your network and the means to secure the partner access.

When designing a security plan for partner access to your network, consider:

Connecting your partners to your network.

When providing network access to partners, you must determine:

Which connection methods partners will use.

The applications to which partners will have access.

Whether an extranet will be used for partner resources.

Which partners will require user accounts in Active Directory.

Whether trust relationships must be established between domains in your forest and partners' domains.

When designing a security plan for partner access to your network, also consider:

Designing a Public Key Infrastructure (PKI).

When designing a PKI, you must establish:

Which applications or services will require certificates for authentication.

Who will manage certificates issued by an internal certification authority (CA).

Which applications will require an external CA.

Whether you must deploy a stand-alone or enterprise CA.

What structure you will require for a CA hierarchy.

Whether partners will require certificates to be mapped to user accounts in Active Directory.

Methods for your organization to recover from a failed or compromised CA.

Maintaining the Security Plan

Modifying the Security Plan

Monitoring Security Issues

When you have implemented your security plan, you must make sure that your network security continues to meet your organization's security requirements. In developing a security plan maintenance strategy, you need to identify the functional areas within your organization that may be affected by changes to your organization. Organizational changes may necessitate changing the existing security configuration to meet new security requirements. The goal of designing a maintenance strategy for the security plan is to develop an effective strategy that does not require change as the organization and the security plan change.

As part of your maintenance strategy, you must identify security updates that are made to products used within your organization, and you must then update your security plan accordingly.

In this lesson you will learn about the following topics:

Modifying the security plan

Monitoring the security plan

Modifying the Security Plan

Organizational Change May Result In:

Modifying security requirements

Expanding the scope of the plan

Developing a new plan

Organizations undergo changes from time to time, and these changes are likely to affect the security plan and the underlying security requirements. Organizational change can include corporate reorganization, expansion, downsizing, change of location, partnerships with other organizations, and mergers with other organizations.

Organizational changes and reorganization may result in changes to your organization's security requirements and the need for you to modify your security plan. For example, a bank may merge with another financial institution, and bring with it additional locations, products, and services.

When there are changes in your organization, you must identify and analyze the effects of any change by asking:

Will the organizational changes result in the need to modify security requirements?

Do the organizational changes require that the scope of the existing security plan be increased?

Will the new security requirements be handled by expanding the existing security plan, or by developing a new one?

As part of ongoing security maintenance, you must remain up-to-date on security issues for your organization's software and hardware. Security issues can arise when attackers find vulnerabilities in software and hardware deployed in your organization.

Sources of Security Information

Sources available to you for information about security issues include:

Web-based security bulletins.

Security newsgroups.

E-mail list servers.

Subscription-based e-mail services.

Paper-based security bulletins.

Because not all sources of information are reliable, you must verify the authenticity of any sources that you use.

Deploying Security Updates

When Microsoft updates critical security issues with Windows 2000, these issues are posted on the Windows Update site (windowsupdate.microsoft.com), and are available for you to download. Alternatively, you can receive notification of security updates by subscribing to Microsoft Security Notification Service at www.microsoft.com/security.

After you have downloaded a security update, you must then deploy it to the required computers. To deploy the update, you can use software deployment in Group Policy or in Microsoft Systems Management Server. Computers running non-Microsoft operating systems will need alternative methods of deploying security updates.

Caution: You must test any suggested security changes to software before deploying the changes to your organization, because the security update may inadvertently introduce a security weakness or otherwise change security settings.

Monitoring Security Issues

Sources of Security Information

Deploying Security Updates

Lab A: Developing a Security Plan

Objectives

After completing this lab, you will be able to:

Design a security plan that will meet the security requirements of an organization.

Define the security requirements for local and remote networks, public and private networks, and trusted business partners.

Develop strategies to maintain network security.

Prerequisites

Before working on this lab, you must have:

Knowledge of security policies and how to configure them.

Knowledge of security risks and how to prioritize them.

Knowledge of the strategies used to implement solutions to meet security requirements.

Goal

In this exercise, you are presented with the task of designing a security plan for Contoso, Ltd., a large-sized organization where you are responsible for IT operations in the Human Resources (HR) department.

You will develop a solution to meet the organization's security requirements.

To design your solution, review the scenario and design criteria, and then complete the scope of the plan and the design worksheets.

Scenario

Your company, Contoso, Ltd., is a bank with over 500 branches across the United States and 20 branches internationally. Contoso, Ltd. employs a total of 40,000 people. You are responsible for IT security in the HR department, which has staff in the main office and in several of the larger branch offices throughout the United States.

Contoso, Ltd. has a large IT department, with many groups within that department solely responsible for the systems that they maintain. Your responsibilities are limited to the HR department. Other groups within the IT department have responsibility for areas, such as Internet access, remote access, e-mail, and network infrastructure. The HR department is responsible for managing the recruitment of new staff, conducting interviews, setting salary levels, participating in performance reviews, and managing contract staff.

Exercise 1: Developing a Security Plan for a Large Organization

The HR department has experienced numerous security breaches in the last few months. One of those breaches involved a virus spreading through the e-mail system, and another was due to someone from your department posting confidential information on a company Web site that is accessible from the Internet.

Currently, Contoso, Ltd. has connections to the Internet for Web browsing, and in the HR department, permission to browse the Web is granted on an as-needed basis. The internal HR systems are not on the Web, but HR receives resumes from job applicants through Internet e-mail.

The department is currently recruiting a large number of staff, and uses several external agencies to aid the recruitment process. These external agencies need limited access to HR information from the internal HR database and file servers. A VPN server enables external agencies to access the HR department's information. The VPN server allows limited access to only specific servers in the HR network. User accounts for external agency users are created within a partner OU and granted remote access as necessary.

In the current network configuration:

The HR database contains all salary, review, and employee benefit information. This information is confidential, and access to it is restricted to certain HR personnel and managers.

HR has several file servers used for storing confidential documents and forms.

HR uses e-mail extensively for both internal communication and communication with prospective employees. Authenticity of internal communication through e-mail is currently verified by the use of certificates.

The IT department has more than 1,500 staff members.

HR has a VPN server with a connection to the Internet that allows external agency users access to certain resources. This VPN server is in a screened subnet, and is only allowed access to specific HR servers.

Design Criteria

Your solution must meet the following criteria:

All HR information must be secure from internal hackers and accidental internal break-ins.

Only select HR staff can make changes to the database.

Access to confidential employee information is confined to HR staff.

The accounting department must have access to salary data.

Planning Worksheet Instructions

The following table lists existing policies and solutions for risks that have been identified.

Risk: Virus infection through e-mail
Policy: All incoming files must be scanned by a virus scanner.
Design: Use Group Policy to deploy a desktop virus scanner and configure scanning preferences. Virus scanner must scan e-mail.

Risk: Loss of access to HR file servers due to an internal DoS attack
Policy: Must not allow internal users to perform attacks on internal file servers.
Design: Monitor audit logs to identify attacks before they happen to minimize the chance of a successful attack. Make sure that all file server security issues are implemented on all internal servers.

Risk: Printing confidential HR data to public or insecure printers
Policy: Confidential information shall only be printed on secure printers.
Design: Train staff on which printers to use for each form of data. Use permissions to restrict access to printers for staff members who work with confidential data. Use scripts to configure printer connections for staff with access to confidential information.

Review

Designing a Security Plan

Defining Security Requirements

Maintaining the Security Plan