Creating Policies
For many administrators, the idea of working "top down"--from risk assessment and business controls to technical security settings on servers--may seem out of the ordinary.
Historically IT security has often been "bottom up." Technical IT risk decisions, such as which firewall to install and how to configure it, were made without input from business executives. Today, some IT professionals welcome having the business side more involved with risk assessment. However, the lack of technical knowledge of some business executives can cause frustration, even concern, for security professionals. But keep in mind that this is an opportunity to bring security out of the technical closet and make it a cornerstone of the business risk process. IT can help management understand how mitigating technologies work, how much they cost to run and manage, and what level of assurance can be reasonably expected.
Meanwhile, management is responsible for being part of the oversight process by setting acceptable levels of risk and communicating these to the IT staff. From there, the IT staff can determine what technical security policy measures are required and find tools that can meet those requirements.
Communication and collaboration are critical to a successful transition from regulations to control frameworks to technical policies and implementations.
Implementing Technical Solutions
Once the framework and policies have been set, it's time to build the security architecture. One way is to translate the control objectives into organizational and IT activities, and then into a technical security architecture.
Case in point: If your organizational objective is to protect personal information from unauthorized access, you'll need to initiate employee training and user awareness. On the technical side, you may need to implement network zoning, configuration management and content controls using a variety of products including firewalls, filtering gateways and vulnerability management software among others. (See "Building Frameworks," at right)
While this process is still fairly high level, it will grow even more detailed as your organization makes additional decisions such as design choices about which firewalls or filtering gateways are selected. Technical security policies and configurations will need to be approved and applied to the various devices in the architecture.
