7.1 Developing and managing a security strategy

In order to implement a security strategy successfully, management must have a security-minded attitude. Security planning and management involves long-term strategic planning and the creation of a corporate ICT policy. The next step is a risk analysis. After selecting the areas on which to focus, policies and procedures can be defined, together with the measurements that will be used to review the effectiveness and efficiency of the countermeasures and security mechanisms. The resulting recommendations are then implemented, monitored and tested. The results of the compliance checks should eventually be fed back to revise the original analysis. All this is very similar to the traditional software development life cycle.

The life cycle of a security implementation can (partially)[7.1] be supported by software tools. They can also help in addressing a number of specific security issues; examples are the wider use of software for monitoring purposes, or for assisting security implementations in getting accredited against various (international) standards. Good tools should provide assistance for all aspects of information systems security: training and management of personnel; handling, storage and destruction of documents; dealing with technical issues; support for planning; and so on. They should contribute to ergonomic, cognitive human-computer interaction, provide good facilities for modeling and representing information, and be able to generate documentation and reports[7.2]. Additionally, they can provide backtracking possibilities (for justification, as in "why did we recommend this?") or what-if analysis. The output they generate can relate to varying levels of assessment, from high-level policy statements to compatible detailed low-level recommendations. Last but not least, tools should support the every-day management of the operational security environment.



Footnotes

[7.1] ... (partially)
Note that according to Amdahl's law, the efficiency of tools is not so much affected by the way they speed up certain stages of the life cycle, but rather by how many aspects of the life cycle they cover. According to this law, the overall speedup \( I \) of some task is given by \( I=\frac{1}{1-k+\frac{k}{m}} \), where some part \( k \) is accelerated by a factor \( m \). From \( \lim _{k\rightarrow 1}I=m \) and \( \lim _{m\rightarrow +\infty }I=\frac{1}{1-k} \) it follows that \( k \), the coverage, has much more impact on overall productivity than the acceleration \( m \). It can be proved that \( k \) is always and everywhere dominant over \( m \), except for low values of \( m \) combined with higher values of \( k \).
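One way to make the dominance claim in this footnote precise, as an added derivation that is not part of the original text: take "dominant" to mean that the speedup \( I \) is more sensitive to a change in the coverage \( k \) than to the same change in the acceleration \( m \), and compare the two partial derivatives of the formula above (assuming \( 0 \le k \le 1 \) and \( m \ge 1 \)).

```latex
\[
I(k,m)=\frac{1}{D},\qquad D = 1-k+\frac{k}{m}
\]
\[
\frac{\partial I}{\partial k} = -\frac{1}{D^{2}}\,\frac{\partial D}{\partial k}
  = I^{2}\left(1-\frac{1}{m}\right),\qquad
\frac{\partial I}{\partial m} = -\frac{1}{D^{2}}\,\frac{\partial D}{\partial m}
  = I^{2}\,\frac{k}{m^{2}}
\]
\[
\frac{\partial I/\partial k}{\partial I/\partial m}
  = \frac{\left(1-\frac{1}{m}\right) m^{2}}{k}
  = \frac{m(m-1)}{k}
\]
\[
\frac{\partial I}{\partial k} > \frac{\partial I}{\partial m}
  \iff m(m-1) > k
\]
\[
\text{Since } k \le 1 \text{ and } m(m-1) \ge 2 \text{ for all } m \ge 2,
\text{ the inequality holds for every } m \ge 2;
\]
\[
\text{it fails only for } 1 \le m < \tfrac{1+\sqrt{1+4k}}{2} \le \tfrac{1+\sqrt{5}}{2} \approx 1.62,
\text{ i.e. small } m \text{ combined with large } k .
\]
```

As a numeric check with the same formula: at \( m=10 \), raising coverage from \( k=0.5 \) to \( k=0.9 \) lifts \( I \) from about 1.82 to about 5.26, whereas at \( k=0.5 \) raising acceleration from \( m=10 \) to \( m=1000 \) only moves \( I \) from about 1.82 to about 2.00, the \( \frac{1}{1-k} \) ceiling.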
[7.2] ... reports
They may provide interfaces to other tools that cover different stages or aspects of the systems development life cycle (testing, time management, ...).

(c) 1998, Filip Schepers