Build a Security Architecture & Roadmap

Practical IT Research that Drives Measurable Results

Uploaded by jason-p-wilcox, 14-Dec-2015. Description: Guide to building a Security Roadmap.

Introduction

Info-Tech Research Group 2

• Most organizations acquire security tools in a reactive manner. This results in inconsistent security that doesn’t meet organizational goals. A Security Plan eliminates this problem, preserving resources.

• On average, plan development takes 8 months and costs $108,000; a major inhibitor to plan adoption. This solution set eliminates those costs.

• This solution set addresses Security Planning in three steps:

1. Getting Planning Started

2. Building the Right Architecture

3. Developing an Implementation Roadmap

• Small and mid-sized organizations that do not have a formal security plan in place will benefit from completing the Security Architecture and Roadmap Planning Tool.

• This set will define an appropriate security architecture and develop a custom deployment roadmap. These tools will improve security while saving the costs of plan development and streamlining future investments.

Executive Summary


• IT Security Planning is costly and time consuming. Using the Secure Network Design and Roadmap tool is a cost-free and quick way to create your organization’s ideal network design and tool implementation roadmap.

• Involve the business side in IT Security Planning; it is not only an IT exercise. Involving the business results in:

• Better business buy in.

• Easier cost validation for new security tools.

• More insight into future business directions.

• Businesses do not require every security tool. Proper planning prevents organizations from boiling the ocean and allows them to focus on the tools their organization requires.

• When it comes to tool implementations, timing matters; planning and roadmapping ensure that tools are implemented in the order that is most appropriate and most secure for the organization.

Getting Started

• Why perform security planning?

• Planning and requirements gathering

• The value of plans

• How deployments fail

Security Plans save money and improve enterprise security

Improve Organizational Security

55% of organizations that used security plans said that they deployed their security tools in the most secure order.

The IT Security Planning exercise encourages organizations to take all aspects of the organization into consideration in order to create a security plan that best meets their needs.

Save Money

45% of organizations that used security plans said that they would not have saved more money had they deployed tools in a different order.

Shift Business Perceptions on IT Security and Spending

The planning process involves the business side of the organization. Keeping the business in the loop will improve the perception of IT and will help shift the perception of IT from a cost center to a vital part of the organization.


Security Planning is essential to the effective deployment of security tools

Do: Take all inputs into consideration. Also plan for future business and IT goals and requirements.
Don’t: Place too much emphasis on incident response – being reactionary undermines efficient planning.

Do: Make acquisitions according to established plans.
Don’t: Purchase security tools just because they are new or because “everyone else is doing it.” Only purchase tools that are necessary.

Do: Implement tools in the order that best supports the required level of security and the priorities of the organization.
Don’t: Deviate from established plans. Reactionary implementations can lead to higher costs and less than ideal architecture.

Planning & Requirements Gathering
Determine what the organization’s security needs are and where their priorities lie. You may need to gain business buy-in at this point.

Determine Required Tools*
Once needs and priorities are established, the organization is able to determine what specific security tools they require. This list is based off of business wants and IT requirements.

Determine Implementation Order**
Determine the order that the security tools should be implemented in. Organizations will have different implementation orders depending on where their priorities lie.

* See the “Building the Right Architecture” section for details.

** See the “Developing Implementation Roadmap” section for details.

Planning and Requirements Gathering is not a one-step process; it involves multiple inputs to create a plan that works

The following four areas are key areas of consideration when in the planning and requirements gathering phase:

• Risk Assessment

• Business Requirements

• Incident Response

• Regulatory Pressure

Organizations will not have to focus on each of these areas equally; find the balance that is right for the organization’s particular needs.

Consider each of the following areas when creating your security plan. Different areas will be more relevant to your organization than others.

Not all inputs are created equal; determine which inputs are most important to you

Risk Assessments: A primary contributor to security plans. After risks have been identified, organizations set out to implement the tools required to minimize them.

Pros: Clearly identifies the areas that are of most significant concern, allowing the enterprise to build accurate plans.
Cons: Risk Assessment is a time-consuming process. Completing it enterprise-wide can slow down Plan development significantly.

Regulatory Pressure: Companies required to meet compliance requirements will need to take these into consideration when performing a security plan.

Pros: In many cases, regulatory requirements are easy to obtain, clearly laid out and often include an order of implementation.
Cons: Compliance is demonstrated through “snapshot” audits that may not be indicative of on-going status.

Breaches and Threats: Many organizations implement tools in response to a breach or threat. Reaction is needed but should never be the only input.

Pros: Problem areas can be identified and fixed immediately, preventing additional/potential breaches.
Cons: Focusing too heavily on breaches encourages unplanned and/or rash security tool purchases and changes.

Business Requirements: Knowing what the business expects makes it easier to meet their needs and justify budgetary requirements.

Pros: Understanding what the business wants allows IT to deliver better service and improves the perception of IT.
Cons: The business may ask for things that IT cannot or will not provide, resulting in a loss of trust and a breakdown in relations.

2010 research shows that organizations with formal security plans feel more secure

Info-Tech research shows that 91% of organizations that had performed formal security planning also had formal policies in place.

Without proper plans and policies in place, organizations are vulnerable as they do not have mechanisms in place to deal with security issues. If there is a security breach or loss of data and an organization does not have established rules in place, they can lose precious time while trying to figure out what to do. In this situation, the organization may also be legally implicated and can be liable for any losses or complications.

Companies with security documentation have the satisfaction of knowing that their IT security is appropriately scoped and designed. Also, they will generally have mechanisms in place to vet and update the plan regularly, ensuring the highest level of security possible.

N=35

Organizations with formal security plans are 4.5 times more likely to feel secure than organizations with no plans in place.


Lack of business buy-in prevents some organizations from performing proper security planning

“Business culture lacks an awareness of security. Security planning is required, and there are insufficient resources currently in place to start and keep the momentum moving forward.” - Team Member, Utilities

“Many things keep us from performing security planning; other priorities, limited resources and the perception that we are not a strong candidate for security incursions.” - Manager, Public Administration

“Business culture and management perceptions need to change to bring more focus on security awareness.” - Manager, Manufacturing

“The security plan is our most valuable piece of security documentation, but its intangible nature makes it hard for non-technology business management to understand.” - CIO, Finance

Planning is difficult when the business is not on board:

It is difficult to get the time and resources necessary to complete the planning if the business does not see the benefit of the exercise.

Justifying the budget required to purchase the tools to become secure is difficult when the business is not security focused.

Do these three steps to get business buy-in:

Deployments gone wrong; the problems of not using a formal Security Plan

Security Gaps

Informal, ad-hoc security planning results in security gaps as the organization fails to implement the right tools in the right order to maximize security.

Example: An organization that had recently purchased a Unified Threat Management solution that included gateway anti-malware protection decided that endpoint anti-malware was no longer necessary. When one of their remote employees who had been disconnected from the network connected to it with his infected laptop, a virus ran rampant through the network since the endpoints were all unprotected. With proper planning the organization would have considered the risks that remote workers presented and would be required to take the necessary steps to mitigate these.

Not Meeting Business Requirements

Neglecting to formally establish what the business’ security requirements are can result in failing to appropriately serve and protect the business. This can be costly in the long run.

Example: A sales organization that had plans to move to online sales never conveyed this to IT and IT never asked what the business’ plans were as they never went through the IT Security Planning process. The organization’s Security Network Architecture supported the “old” requirements but not the new direction. When the new direction was communicated, IT was unprepared to support the needs of the company. In the end IT needed to delay the business’ move to online sales while they changed the gateway security infrastructure.

Inappropriate Tools in Place

Info-Tech research shows that companies with no formal IT Security Plan in place show significant randomness in the tools they choose and the order in which these are implemented.

Example: A financial organization that needs to meet specific compliance requirements purchased Content Filtering and Data Leakage Protection systems after implementing baseline tools when they should have implemented a Management System next to monitor all of the tools they already had in place. The high cost of the Management System caused them to look for cheaper tools first. This misalignment resulted in the organization failing to provide conclusive reporting for security auditing purposes.

Building the Right Architecture

• 5 Main Inputs Drive Security Network Architecture

• Security Network Architecture and Roadmap Planning Tool


Five factors drive the components and layout of Security Network Architecture

Security Network Architecture Decisions Based On All Five Factors

The degree to which each of the five factors affects an organization will dictate the complexity of the Security Plan

The higher the organization’s tolerance for risk, the fewer security tools they will need in place.

Organizations in highly regulated industries generally have a low tolerance for risk.

Carefully determine your organization’s risk tolerance as this will have a notable impact on the suite of security tools needed.

Sensitive data and confidential information must be rigorously protected to prevent it from being stolen or lost.

Organizations that have sensitive data will need to implement Data Leakage Protection, Intrusion Detection and Prevention and Encryption.

Remote workers need access to the same tools that they use when physically present in the office.

Virtual Private Networks (VPN) and Network Access Control (NAC) are two essential tools for securely supporting these employees.

A business that needs to be running 24/7 has very different needs from one that is open from 9 to 5.

To ensure that the business has access to the internet and other tools that they need, dual firewalls are required in order to minimize downtime in the case of a failure.

Online businesses cannot afford to have their websites unavailable to their customers, as this likely represents a significant loss in revenue.

Online businesses must have dual routers in place to minimize downtime in the case of a failure.

Create your ideal Security Network Architecture using Info-Tech’s Security Architecture & Roadmap tool

The Business Requirements Questionnaire tab of the tool takes answers to five questions that will gauge how each of the factors discussed previously affects your organization.

Based on these responses, the organization’s ideal security architecture is presented on the next tab of the tool along with an explanation of why the different components are required.

There is an example of a network diagram on the following slide for a company in the Financial Services industry.

The Security Network Architecture and Roadmap Planning Tool will accomplish two things:

1. Create the organization’s ideal security architecture.

2. Create the organization’s ideal security tool deployment roadmap.

Sample network architecture for a financial services organization

Sample network architecture from the Security Network Architecture and Roadmap Tool.

The organization requires a high level of security protection. Endpoints should be protected with anti-malware and strong authentication and encryption should be used on laptops and sensitive servers.

The organization requires a granularly segmented network to create security zones and, since the organization is an online business, dual Internet connections and firewalls are needed to mitigate website and network downtime.

DLP is recommended in the organization to protect sensitive data from loss or theft. Content Filtering is also recommended as it will ensure that no unauthorized websites or other materials are viewed from company endpoints.

NAC should be implemented to protect static endpoints on the network. An IDP system should be used to prevent unauthorized or malicious access to data.

Finally, a Management System should be used to properly track, monitor and maintain security systems.

Risk Tolerance: Low
Presence of Sensitive Data: Yes
Remote Users: Yes
Hours of Operation: 24/7
Online Business: Yes

Developing a Roadmap

• The importance of roadmaps

• Compliance vs. Security

• Ideal implementation orders

Security Planning is not a wasted exercise; companies with plans implement tools in secure orders that keep costs low


Takeaways:

55% of organizations with plans in place felt that their security would not have improved if they had deployed their tools in a different order.

Security planning leads organizations to deploy their IT Security tools in the best order to support enterprise security requirements.

N= 33

Would Security improve if tools deployed differently?

Takeaways:

Only 6% of organizations with plans in place felt that they would have saved money if they had deployed their tools in a different order.

Security planning pays off; organizations without Plans felt that they could have saved money had they implemented in a different order.

Would money be saved if tools deployed differently?

N= 33


Knowing what tools to implement is only half the battle; knowing ideal implementation order is the other

Depending on the complexity and specific needs of your organization, you will require different suites of security tools. There is a right way and a wrong way to implement these tools. Deploy these tools in the order that best meets your organization’s needs. Your ideal order will depend on whether the organization focuses on security or compliance.

Baseline Tools
Baseline tools are those that should be implemented in the same order, regardless of the company and whether they focus on security or compliance.

Security vs. Compliance
Companies will need to choose whether they should focus on security or compliance. The ideal implementation order for each of these focuses is different.

Choose between compliance and security; each has a different effect on the order in which tools are implemented

Baseline tools remain the same as they are required by all companies regardless of size, requirements, or priorities.

The implementation orders required to make an organization more secure or more compliant are very different. Ensure the organization picks the right factor to focus on. Be sure to validate this decision with the business side.

For many organizations this is an easy decision but for companies that are in heavily regulated industries and have a strong requirement for having the most secure environment possible, this decision becomes more complicated.

The Importance of Security and Compliance in Organizations

Baseline security tools; deployed first in all organizations

Refer to Appendix I for a more complete explanation of each of the tools.

1. Gateway Firewall

Required by all companies. Should always be the first security tool implemented. Firewalls monitor the data traversing the corporate network, looking for suspicious activity. Blocks unwanted inbound and outbound traffic.

2. Endpoint Anti-Malware

Required by all companies. Essential on all endpoints to protect them from infection from viruses and malware.

3. Gateway Anti-Malware

Required by all companies. Detects and blocks malware as it enters and exits the organization. Blocks unwanted inbound and outbound traffic.

4. Basic Network Segmentation

Required by most companies. This is the most basic network structure: a network segmentation that separates users from servers.

5. NAC and VPN

Required by companies with large numbers of remote users. Ensures that remote workers will have full, secure access to the corporate network.

Baseline security tools are those needed by all organizations, regardless of their priorities or focus.

The baseline tools should ideally be implemented in the order above to ensure basic security protection is available .

The vast majority of companies surveyed by Info-Tech for this study implemented these baseline tools first.

Compliance as a major motivator? Focus on reporting and data protection first

Refer to Appendix I for a more complete explanation of each of the tools.

6. IDP

Necessary for organizations that house sensitive data and for those with a low tolerance for risk. It prevents intrusions into the corporate network from unauthorized third parties.

7. Management System

Consolidates the reporting and notification functions of all security tools. Organizations that need to meet stringent compliance requirements need this tool for reporting purposes.

8. Encryption

Prevents unauthorized third parties from viewing and accessing sensitive company data by making it unreadable without the proper decryption key.

9. Enhanced Authentication

Required when an organization supports remote workers. Ensures that remote workers will have full, secure access to the corporate network.

“ Spending time and money on a formal security plan is essential in order to ensure compliance with state mandates”

- Team Member, Education Services

Compliance as a major motivator? Focus on reporting and data protection first (continued)

Refer to Appendix I for a more complete explanation of each of the tools.

10. Data Leakage Protection

Organizations that house sensitive and confidential data must have this in place. These systems prevent the purposeful or inadvertent transmission of data outside of the enterprise.

11. Content Filtering

Proper content filtering restricts the type of information, data, and code that can enter the organization via the Internet.

12. Tier Network Segmentation

First separate user and server networks attached to the core network. Then separate these networks into trusted and untrusted users and servers.

13. Internal Firewalls

Regulates and restricts traffic to and from servers containing sensitive data. Access to the server is based on a set of pre-defined rules.

Implement dedicated protection tools if security is the bigger concern

Refer to Appendix I for a more complete explanation of each of the tools.

6. IDP

Necessary for organizations that house sensitive data and for those with a low tolerance for risk. It prevents intrusions into the corporate network from unauthorized third parties.

7. Content Filtering

Proper content filtering restricts the type of information, data, and code that can enter the organization via the Internet.

8. Data Leakage Protection

Organizations that house sensitive and confidential data must have this in place. These systems prevent the purposeful or inadvertent transmission of data outside of the enterprise.

9. Encryption

Prevents unauthorized third parties from viewing and accessing sensitive company data by making it unreadable without the proper decryption key.

Implement dedicated protection tools if security is the bigger concern (continued)

Refer to Appendix I for a more complete explanation of each of the tools.

10. Enhanced Authentication

Required when an organization supports remote workers. Ensures that remote workers will have full, secure access to the corporate network.

11. Tier Network Segmentation

First separate user and server networks attached to the core network. Then separate these networks into trusted and untrusted users and servers.

12. Internal Firewalls

Regulates and restricts traffic to and from servers containing sensitive data. Access to the server is based on a set of pre-defined rules.

13. Management System

Consolidates the reporting and notification functions of all security tools. Organizations that need to meet stringent compliance requirements need this tool for reporting purposes.

“Management tools are purely for the effectiveness of monitoring and support. The tools and processes themselves are the real risk mitigation agents.”

- CISO, Manufacturing


Determine your ideal deployment roadmap using Info-Tech’s Security Network Architecture & Roadmap tool

The Roadmap Input Page determines which tools suggested are in place and ranks compliance, cost and security factors.

This information determines tool implementation order, which is presented in a step by step format.

Some of the information included in each step will be:

• Tool purpose

• How the tool works

• Relative cost of the tool

• Approximate time to implement

• Implementation skill required

There is an example of a roadmap on the following slide for a company in the Financial Services industry.

The Security Network Architecture and Roadmap Planning Tool will accomplish two things:

1. Create the organization’s ideal security architecture.

2. Create the organization’s ideal security tool deployment roadmap.

Sample Implementation Roadmap: Financial Services Organization

Sample roadmap from the Security Network Architecture and Roadmap Tool.

An online business with remote users, sensitive data and a low tolerance for risk requires a complex architecture. Security tools should be implemented in the following order for the organization to be most secure:

1. Gateway Firewall
2. Endpoint Anti-Virus/Malware
3. Gateway Anti-virus Malware
4. Basic Segmented Network
5. Dual Firewalls
6. Dual internet connections
7. NAC and VPN
8. Intrusion Detection and Prevention
9. Content Filtering
10. Data Leakage Protection
11. Endpoint Encryption
12. Enhanced Authentication
13. Tiered Segmented Network
14. Internal Firewalls
15. Management System

(Only first three steps of roadmap shown)

Risk Tolerance: Low
Presence of Sensitive Data: Yes
Remote Users: Yes
Hours of Operation: 24/7
Online Business: Yes
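The five-factor architecture rules from the "Building the Right Architecture" section and the security-versus-compliance deployment orders from the roadmap slides, encoded as an added Python decision model (example code written for this page, not Info-Tech's tool). Tool names follow the sample roadmap above; tying the tiered network and internal firewalls to the sensitive-data factor, and the full optional suite to low risk tolerance, are assumptions noted in the comments.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Answers to the deck's five Business Requirements Questionnaire factors."""
    low_risk_tolerance: bool
    sensitive_data: bool
    remote_users: bool
    hours_24x7: bool
    online_business: bool


# Baseline tools: every organization deploys these first, in this order.
BASELINE = [
    "Gateway Firewall",
    "Endpoint Anti-Virus/Malware",
    "Gateway Anti-virus Malware",
    "Basic Segmented Network",
]
# Availability tools and remote access follow the baseline, as in the sample roadmap.
AVAILABILITY = ["Dual Firewalls", "Dual internet connections"]
REMOTE_ACCESS = "NAC and VPN"

# Post-baseline order when compliance is the bigger motivator
# (reporting and data protection first).
COMPLIANCE_ORDER = [
    "Intrusion Detection and Prevention",
    "Management System",
    "Endpoint Encryption",
    "Enhanced Authentication",
    "Data Leakage Protection",
    "Content Filtering",
    "Tiered Segmented Network",
    "Internal Firewalls",
]
# Post-baseline order when security is the bigger concern
# (dedicated protection tools first, Management System last).
SECURITY_ORDER = [
    "Intrusion Detection and Prevention",
    "Content Filtering",
    "Data Leakage Protection",
    "Endpoint Encryption",
    "Enhanced Authentication",
    "Tiered Segmented Network",
    "Internal Firewalls",
    "Management System",
]


def required_tools(p: Profile) -> set:
    """Map the five factors to the architecture components the deck ties to them."""
    tools = set(BASELINE)
    if p.hours_24x7:
        tools.add("Dual Firewalls")              # 24/7 operation: dual firewalls
    if p.online_business:
        tools.add("Dual internet connections")   # online business: dual routers/links
    if p.remote_users:
        tools.update({REMOTE_ACCESS, "Enhanced Authentication"})
    if p.sensitive_data:
        tools.update({"Data Leakage Protection",
                      "Intrusion Detection and Prevention",
                      "Endpoint Encryption"})
        # Assumption: tiered segmentation and internal firewalls exist to isolate
        # servers holding sensitive data, so they are tied to this factor here.
        tools.update({"Tiered Segmented Network", "Internal Firewalls"})
    if p.low_risk_tolerance:
        # The deck: lower tolerance means more tools, and IDP is needed for low
        # tolerance. Assumption: low tolerance pulls in the full optional suite,
        # matching the low-tolerance sample architecture that uses all fifteen.
        tools.update(SECURITY_ORDER)
    return tools


def roadmap(p: Profile, focus: str) -> list:
    """Deployment order for a profile under a 'security' or 'compliance' focus:
    baseline, availability, remote access, then the focus-specific order,
    keeping only the tools the profile actually requires."""
    if focus == "security":
        tail = SECURITY_ORDER
    elif focus == "compliance":
        tail = COMPLIANCE_ORDER
    else:
        raise ValueError("focus must be 'security' or 'compliance'")
    order = BASELINE + AVAILABILITY + [REMOTE_ACCESS] + tail
    needed = required_tools(p)
    return [tool for tool in order if tool in needed]


if __name__ == "__main__":
    # The deck's financial services sample: low tolerance, sensitive data,
    # remote users, 24/7, online business, security focus.
    sample = Profile(True, True, True, True, True)
    for step, tool in enumerate(roadmap(sample, "security"), start=1):
        print(f"{step}. {tool}")
```

Running the block reproduces the fifteen-step sample roadmap above; swapping the focus to "compliance" moves the Management System to step 9, directly after IDP.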

Summary


• Formal security planning saves time and money and improves the security stance of the organization.

• There are three steps in creating a security plan:

1. Planning and Requirements Gathering
Not only an IT exercise. Get the business’ input at this stage. Determine what the organization needs now and in the future and plan accordingly.

2. Determining the appropriate suite of security tools for the organization
Use the information from the Planning and Requirements Gathering process to fuel this stage.

3. Determining the order of security tool implementation
Consider the organization’s priorities to determine the ideal order.

• Companies need to decide whether they have a focus on security or compliance in order to determine the tool deployment order that best suits their needs.

Appendix I: Description of security solutions

Info-Tech’s standardized security architectures use up to fifteen different security solutions:

• Gateway firewalls

• Dual gateway firewalls

• Internal firewalls

• Gateway anti-malware

• Endpoint anti-malware

• Dual Internet connections

• Segmented networks

• Tiered networks

• Virtual Private Networks (VPN)

• Intrusion detection & prevention

• Content filtering

• Data Leakage Protection (DLP)

• Network Access Control (NAC)

• Endpoint encryption

• Enhanced authentication

• Security management technologies

The following slides describe these tools. Each slide shows a sample security architecture diagram and highlights the position of the tool in question in that diagram. The slides also indicate the relative (low, moderate, high) cost, time and skill requirements for each tool.

• Low cost indicates something that should be affordable by most enterprises while high cost may be affordable only by larger enterprises.

• Low time indicates a deployment on the order of days to weeks while high time indicates deployment on the order of months to years.

• Low skill indicates a deployment that requires no specialized expertise while high skill indicates a deployment that requires significant expertise.

Appendix I-a: Gateway Firewall

• Firewalls are a baseline security protection mechanism required by all organizations, regardless of their size or perceived threats. Firewalls regulate the inbound and, in some cases, the outbound flow of traffic. They can be deployed singly or in pairs.

• Firewalls evaluate whether traffic can be allowed to enter the network based on comparison to in-place rules. Creating a detailed and specific ruleset that specifies what constitutes appropriate traffic is the key to good firewall functionality.

Cost: Low to Moderate; Time: Low; Skill: Low

Appendix I-b: Internal Firewall

• Internal firewalls work in exactly the same manner as gateway firewalls except that they are used to filter internal network traffic only. They are generally deployed to protect particularly sensitive network segments.

• Firewalls evaluate whether traffic can be allowed to enter the network segment based on comparison to in-place rules. Creating a detailed and specific ruleset that specifies what constitutes appropriate traffic is the key to good firewall functionality.

Cost: Low; Time: Low; Skill: Low to Moderate

Appendix I-c: Gateway Anti-Malware

• Gateway Anti-Malware detects and blocks malware as it attempts to enter the enterprise network. The solution can also be configured to scan outbound traffic for malware threats, which can limit distribution and eliminate the reputation hit associated with spreading security threats.

• Gateway Anti-Malware can be integrated into gateway firewalls or deployed as a separate device, depending on the needs of the organization. It scans incoming files and applications for signatures that match known threats, quarantining or deleting them when discovered.

Cost: Low; Time: Low; Skill: Low

Appendix I-d: Endpoint Anti-Malware

• Endpoint Anti-Virus/Malware is one of the most basic security technologies that an enterprise can deploy. The primary function of this solution is to detect and block malware as it is received at the endpoint and thereby reduce the spread of threats.

• Endpoint Anti-Virus/Malware is software that is installed directly onto endpoints such as servers and workstations. It scans the files and applications for signatures that match known threats, quarantining or deleting them when discovered.

Cost: Low; Time: Low; Skill: Low

Appendix I-e: Dual Internet Connection

• Dual Internet connections are essential for online businesses, those needing to provide access to their website 24/7. They offer far greater uptime potential, ensuring that clients looking for the enterprise's website are always able to find it.

• Dual Internet connections require dual front-end routers. Each connection should be capable of handling all of the enterprise's network traffic. If one router fails, the other takes over all of the functions, preventing downtime or latency. Specialized networking will be required to ensure appropriate distribution of traffic in this structure.

Cost: Moderate; Time: Low to Moderate; Skill: Moderate

Appendix I-f: Segmented Internal Network

• Basic network segmentation is the first step in network architecture complexity for those migrating from flat networks. At a minimum, basic network segmentation should separate users from the servers. This allows servers to be protected at a higher level without security tools having to be deployed across the entire network.

• It uses configuration rules within the network infrastructure to create virtual network segments that have different IP address ranges from one another. For traffic to pass between these segments it must traverse the switch, where security rules can be applied.

Cost: Low; Time: Low to Moderate; Skill: Low to Moderate

Appendix I-g: Tiered Internal Network

• Tiered network segmentation takes network segmentation one step further, increasing the granularity with which the network is divided. Tiered segmented networks increase security by providing better isolation of sensitive data and/or processes.

• It uses configuration rules within the network infrastructure to create virtual network segments that have different IP address ranges from one another. For traffic to pass between these segments it must traverse the switch, where security rules can be applied.

Cost: Low; Time: Low to Moderate; Skill: Moderate

Appendix I-hVirtual Private Networks

Info-Tech Research Group 37

• Network Access Control (NAC) and Virtual Private Networks (VPN) help protect organizations from threats that might be leverage by allowing inbound connections to internal networks by privileged devices (such as remote laptops). VPN allows remote user to connect to the network while preventing session hijacking and sniffing type attacks.

• VPN creates an encrypted, authenticated point-to-point communications channel through which remote users connect to internal network resources. Restrict what the VPN client can reach to the segments it actually needs rather than bridging it onto the whole internal network.

Cost: Low to Moderate | Time: Low to Moderate | Skill: Low to Moderate

Appendix I-i: Intrusion Detection & Prevention


• IDP (intrusion detection and prevention) is a network alarm system. The solution monitors traffic for anomalous behaviour and intrusion/attack signatures and can issue alerts (detection mode) or take corrective action on its own, such as dropping the offending traffic (prevention mode, which requires the sensor to sit inline). Generally configured to monitor inbound traffic only, the solution can also monitor two-way traffic flow, which makes it useful for protecting sensitive internal network segments. Automated blocking acts on false positives as readily as on true ones, so tune signatures in detection mode before enabling prevention.

• IDP sensors can issue alerts to administrative staff for manual intervention or can initiate automated responses.

Cost: Moderate to High | Time: Moderate to High | Skill: Moderate to High
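As an added illustration (not code from the Info-Tech deck or any IDP product), the toy engine below runs the two kinds of check described above over a constructed packet log: payload signature matching and a port-scan anomaly check. In detect mode it only raises alerts; in prevent mode it also drops all further traffic from a source it has alerted on, as an inline sensor would. The signatures, thresholds, addresses and packets are all made up for illustration.

```python
"""Added example (not from the Info-Tech deck): a toy intrusion detection /
prevention engine run over a constructed packet log.

Two checks: payload signatures (the attack-signature half of IDP) and a
port-scan anomaly check (the anomalous-behaviour half). In "detect" mode the
engine only raises alerts; in "prevent" mode it also drops all further
traffic from a source it has alerted on. Signatures, thresholds and packets
are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float       # seconds
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures over the payload.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.I),
    "path-traversal":    re.compile(rb"\.\./\.\./"),
    "shellshock-header": re.compile(rb"\(\)\s*\{\s*:;\s*\};"),
}

SCAN_PORTS = 10     # this many distinct destination ports from one source ...
SCAN_WINDOW = 5.0   # ... within this many seconds is treated as a port scan


def analyse(packets, mode="detect"):
    """Return (alerts, blocked): alerts as (ts, src, name) tuples, blocked as a set of sources."""
    alerts, blocked, flagged = [], set(), set()
    ports_seen = defaultdict(list)        # src -> [(ts, dport), ...]
    for p in packets:
        if p.src in blocked:
            continue                      # inline drop; nothing further is inspected
        hits = [name for name, pat in SIGNATURES.items() if pat.search(p.payload)]
        ports_seen[p.src].append((p.ts, p.dport))
        recent = {d for ts, d in ports_seen[p.src] if p.ts - ts <= SCAN_WINDOW}
        if len(recent) >= SCAN_PORTS and p.src not in flagged:
            flagged.add(p.src)            # alert once per source, not once per packet
            hits.append("port-scan")
        for name in hits:
            alerts.append((p.ts, p.src, name))
        if hits and mode == "prevent":
            blocked.add(p.src)
    return alerts, blocked


# Constructed traffic: a benign request, an injection attempt, a 12-port scan,
# then a second attack from the injecting host.
SAMPLE = (
    [Packet(0.0, "10.10.1.5", "10.20.0.5", 443, b"GET /index.html HTTP/1.1")]
    + [Packet(1.0, "203.0.113.9", "10.20.0.5", 443,
              b"GET /items?id=1 UNION SELECT password FROM users HTTP/1.1")]
    + [Packet(2.0 + i * 0.2, "198.51.100.7", "10.20.0.5", 20 + i, b"")
       for i in range(12)]
    + [Packet(6.0, "203.0.113.9", "10.20.0.5", 443,
              b"GET /../../etc/passwd HTTP/1.1")]
)


def alert_names(mode="detect"):
    """Just the signature names fired, in order, for the constructed sample."""
    return [name for _, _, name in analyse(SAMPLE, mode)[0]]


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        alerts, blocked = analyse(SAMPLE, mode)
        print(mode, alerts, sorted(blocked))
```

Run in detect mode the engine reports three events, including the second attack from the injecting host; in prevent mode that second attack is never seen because its source was dropped after the first alert. That difference is the operational trade-off of prevention: a false positive on the first packet silently cuts off everything that follows from that source.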

Appendix I-j: Content Filtering


• Content filtering helps businesses avoid legal and productivity issues by blocking access to unauthorized web content (websites, web applications, file-sharing sites, etc.). Secondarily, these tools block access to websites known to host malware and other threats, directly improving security.

• Proper content filtering restricts the type of information, data and code that can enter the organization via the Internet. Administrators specify which categories of content employees are permitted to view and at what times they are allowed to do so. Filtering only works on traffic the filter can see: for encrypted (HTTPS) sessions it is limited to the destination host unless TLS inspection or an explicit proxy is deployed.

Cost: Low to Moderate | Time: Moderate | Skill: Moderate

Appendix I-k: Data Leakage Protection


• Data Leakage Protection (more commonly called Data Loss Prevention, DLP) is designed to monitor for and block the outbound distribution of sensitive data. These solutions work best against accidental loss of information, since a determined insider can encrypt or obfuscate data to get it past them, and are especially valuable for organizations that house confidential or otherwise sensitive data.

• Analyzes files and messages in transit for disallowed data by looking for keywords and data patterns (payment card numbers, national identifiers, classification markings) and then enforces policy-based restrictions. Whenever a pattern is matched, the transmission can be quarantined or blocked and alerts issued to both users and administrators. Validate candidate matches (for example, by checksum on a suspected card number) to keep false positives low; otherwise users and administrators learn to ignore the alerts.

Cost: Moderate | Time: Moderate | Skill: Moderate
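The following is an added example of the inspection logic described above; it is not code from the Info-Tech deck or from any DLP product. It scans an outbound message for payment card numbers (candidate digit runs validated with the Luhn checksum so that invoice and order numbers are not flagged), US-style SSNs with never-issued ranges excluded, and classification markings, then returns a policy decision. The patterns, policy and sample messages are constructed for illustration.

```python
"""Added example (not from the Info-Tech deck): a content inspector of the
kind a DLP gateway runs over outbound messages.

Looks for payment card numbers (validated with the Luhn checksum), US-style
SSNs and classification markings, then returns a policy decision. Patterns,
policy and sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
MARKINGS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")


@dataclass
class Finding:
    kind: str       # "card", "ssn" or "marking"
    evidence: str   # masked value, never the full secret, so the alert log is safe to keep


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges that are never issued, to cut false positives."""
    return not (area in ("000", "666") or area >= "900"
                or group == "00" or serial == "0000")


def inspect_message(text: str) -> List[Finding]:
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(Finding("card", masked))
    for m in SSN.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3)))
    upper = text.upper()
    for mark in MARKINGS:
        if mark in upper:
            findings.append(Finding("marking", mark))
    return findings


def decide(text: str) -> str:
    """Policy: regulated data is blocked outright, marked documents are held
    for review, anything else is allowed."""
    kinds = {f.kind for f in inspect_message(text)}
    if kinds & {"card", "ssn"}:
        return "block"
    if "marking" in kinds:
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    for msg in ("Invoice 1234567890123456 attached",
                "card 4111 1111 1111 1111 exp 12/27",
                "Project status - CONFIDENTIAL, do not forward"):
        print(decide(msg), inspect_message(msg))
```

The 16-digit invoice number fails the Luhn check and is allowed through, while a real card number is blocked and logged only in masked form. The marking check is deliberately crude (the word "confidential" in ordinary prose will trigger it), which is why marked content goes to quarantine for a human decision rather than being blocked outright.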

Appendix I-l: Network Access Control


• Network Access Control (NAC) and Virtual Private Networks (VPN) help protect organizations from threats that could be introduced by allowing inbound connections to internal networks from trusted devices (such as remote laptops). NAC ensures that connecting devices meet the security requirements of the network and are not injecting threats that bypass gateway controls.

• NAC performs a posture assessment (through an agent on the device or an agentless scan) to determine the security configuration of a device attempting to connect to the network: patch level, anti-malware status and signature age, host firewall and disk encryption, for instance. Where the configuration does not meet the standard, the device is placed in a quarantine network segment with access only to remediation resources until it complies.

Cost: Moderate | Time: Moderate | Skill: Moderate to High
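The check-and-quarantine decision above, as an added example that is not code from the Info-Tech deck or any NAC product: a device reports its configuration, the policy server compares it with the standard and decides which network the switch should place the port in. Compliant devices land on the corporate VLAN, non-compliant ones on a quarantine VLAN with a list of what to fix, and devices that cannot be assessed at all on a guest VLAN. The policy values, VLAN numbers and device reports are constructed for illustration.

```python
"""Added example (not from the Info-Tech deck): the posture check and network
assignment a NAC policy server performs when a device connects.

Policy values, VLAN numbers and device reports are constructed for
illustration; a real policy is usually defined per device class.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Posture:
    device_id: str
    agent_present: bool
    os_patch_level: str              # "YYYY-MM" of the latest installed update bundle
    av_running: bool
    av_signature_date: Optional[date]
    disk_encrypted: bool
    host_firewall: bool


POLICY = {
    "min_patch_level": "2010-03",
    "max_signature_age_days": 7,
    "require_disk_encryption": True,
    "require_host_firewall": True,
}

VLANS = {"corporate": 100, "quarantine": 900, "guest": 999}


def assess(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Return (network name, remediation items). An empty list means compliant."""
    if not p.agent_present:
        return "guest", ["no posture agent: unmanaged device, Internet-only access"]
    failures = []
    if p.os_patch_level < POLICY["min_patch_level"]:      # "YYYY-MM" sorts lexically
        failures.append(f"patch level {p.os_patch_level} below {POLICY['min_patch_level']}")
    if not p.av_running:
        failures.append("anti-malware not running")
    elif (p.av_signature_date is None
          or (today - p.av_signature_date).days > POLICY["max_signature_age_days"]):
        failures.append("anti-malware signatures stale")
    if POLICY["require_disk_encryption"] and not p.disk_encrypted:
        failures.append("disk encryption not enabled")
    if POLICY["require_host_firewall"] and not p.host_firewall:
        failures.append("host firewall disabled")
    return ("corporate", []) if not failures else ("quarantine", failures)


def vlan_for(p: Posture, today: date) -> int:
    """The VLAN the policy server hands back to the switch (typically as a RADIUS attribute)."""
    return VLANS[assess(p, today)[0]]


TODAY = date(2010, 4, 15)   # constructed assessment date

# Constructed device reports: compliant, stale signatures, unpatched and
# unencrypted, and a personal phone with no agent.
SAMPLE = {
    "lt-001": Posture("lt-001", True, "2010-04", True, date(2010, 4, 14), True, True),
    "lt-002": Posture("lt-002", True, "2010-04", True, date(2010, 3, 1), True, True),
    "lt-003": Posture("lt-003", True, "2009-12", True, date(2010, 4, 14), False, True),
    "phone-7": Posture("phone-7", False, "", False, None, False, False),
}


def report() -> Dict[str, Tuple[str, List[str]]]:
    return {dev: assess(p, TODAY) for dev, p in SAMPLE.items()}


if __name__ == "__main__":
    for dev, (net, fixes) in report().items():
        print(dev, net, VLANS[net], fixes)
```

The remediation list is what the quarantine portal shows the user, so it should name the failing item rather than just saying "non-compliant". Note that the guest outcome is a policy choice: some organizations refuse unassessable devices entirely instead of giving them Internet-only access.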

Appendix I-m: Endpoint Encryption


• Encryption is a "last line of defense" security solution, designed to ensure that even if systems or media are illicitly accessed, the information they hold is not lost. It is most often applied to systems and media that can easily be taken or accessed (laptops, backup tapes, removable drives) or to stores of particularly sensitive data (databases). Encryption at rest protects a powered-off or locked device; it does not protect data on a system that is running and unlocked, where access controls and monitoring still have to do the work.

• Encryption protects data by making it unreadable without an encryption key; the data can only be made readable again with the corresponding decryption key (the same key for symmetric encryption, the private key for public-key encryption). It can be applied at the full-disk, file, database or individual-field level. Key management determines the value of the whole scheme: a lost key means lost data, and a key stored beside the data (a backup tape shipped with its key) provides no protection at all.

Cost: Moderate | Time: Moderate to High | Skill: Moderate

Appendix I-n: Enhanced Authentication


• Enhanced Authentication is necessary when passwords alone are not sufficient to protect an organization's systems. It uses multiple factors of authentication (something you know, something you have, something you are) to establish greater confidence that authenticated users are who they claim to be.

• Uses additional, independent factors to positively identify users: a second factor (something you have, such as a hardware token, smart card or one-time-code generator) and optionally a third (something you are, such as a fingerprint). Two instances of the same factor, such as a password plus a security question, are both "something you know" and do not count as multi-factor.

Cost: Moderate to High | Time: Moderate to High | Skill: Moderate to High
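The following added example, not code from the Info-Tech deck, shows a two-factor login that combines a password (something you know) with a time-based one-time code (something you have, generated by a token or phone app). HOTP and TOTP are implemented as specified in RFC 4226 and RFC 6238, so the codes match any standard authenticator seeded with the same secret; the account, password and token secret are constructed for illustration, and the secret is the RFC 4226 test key so the expected codes can be checked against the RFC's own test vectors.

```python
"""Added example (not from the Info-Tech deck): two-factor login with a
password and an RFC 6238 time-based one-time code.

The account, password and token secret are constructed for illustration;
the secret is the RFC 4226 / RFC 6238 test key.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

STEP = 30   # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // STEP), digits)


class Account:
    """Password stored as a salted PBKDF2 hash; TOTP secret kept for verification."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1      # highest time step already accepted; blocks replay

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password: str, code: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        # Factor 1 (know): constant-time comparison of the password hash.
        pw_ok = hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)
        # Factor 2 (have): accept the current step plus one step of clock skew
        # either way, but never a step at or below one already consumed.
        matched = None
        counter = int(at // STEP)
        for c in (counter - 1, counter, counter + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.totp_secret, c), code):
                matched = c
        # Both factors are always evaluated, and the code is only consumed when
        # the whole login succeeds, so a wrong password cannot burn the user's code.
        if pw_ok and matched is not None:
            self.last_counter = matched
            return True
        return False


RFC_SECRET = b"12345678901234567890"   # RFC 4226 / 6238 test key, constructed account

if __name__ == "__main__":
    acct = Account("correct horse battery staple", RFC_SECRET)
    print("current code:", totp(RFC_SECRET))
    print("login:", acct.login("correct horse battery staple", totp(RFC_SECRET)))
```

Two details carry most of the security value here: the replay guard (a code that was accepted once is never accepted again, even within the skew window) and the fact that the one-time code is not consumed on a failed password, so an attacker who knows the current code cannot lock the legitimate user out of that time step. The time-skew window is a usability trade-off; widen it and the code is valid for longer, which is exactly what a phishing relay wants.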

Appendix I-o: Security Management Technologies


• A number of different types of Security Management systems exist, including Security Information Management (SIM, today usually sold as SIEM), Identity & Access Management (IAM) and Governance, Risk & Compliance (GRC) software. These tools offer heightened monitoring of and insight into user and system activity and, in some cases, can also block inappropriate actions.

• Management systems consolidate the reporting, notification and maintenance functions of all of the security tools and provide one interface to control them. They deliver value only if the underlying tools are configured to send their logs and alerts to the console and someone is assigned to act on what it reports.

Cost: High | Time: High | Skill: High

Appendix II: Methodology


This solution set used data collected from a survey conducted in April 2010 on the topics of Security Policy development, deployment and enforcement. 117 responses were received.
