Introduction to building a security roadmap
Securing a system against attack is an important responsibility of a system administrator. You can address this responsibility by creating a roadmap that outlines your plans for meeting the system's security requirements. The roadmap details what information is required to reach that goal. Each roadmap is designed to meet the specific security requirements of an organization, and it serves as the blueprint used to ensure a system is adequately secured.
Developing the roadmap
Before a roadmap can be defined, you need to decide what issues it needs to address. This can be determined by examining the policies that senior management have approved and brought into practice. These can include organizational policies such as:
- personnel and physical security
- protection of corporate assets and information
- how employees are hired and their employment terminated
- the responsibilities of employees
You should also consider the security principles behind the system’s design, and how to comply with them. This is generally referred to as the system architecture.
Other areas that should be examined for your roadmap’s requirements include:
- the system development life cycle (SDLC) process
- the system acquisition process
- best practices employed for system security
- details on the means for policy and standards approval
- rules for security behavior
You should also examine those documents detailing how policies are written. Additionally, the process for approving these policies needs to be considered to understand how to integrate any future policies securely into a system.
If any of these policies are unclear or nonexistent, you record the approach that you would like implemented instead. This approach is subject to the appropriate approval by the authorizing party.
The information you have gathered is used to create a layered defense for your system. These policies are implemented and governed through technical, administrative, or physical controls.
Defining specific requirements
The list of internal policies that you have created is gathered and documented as a requirement statement. This is supplemented with industry practices, government guidelines, and other trustworthy sources that help you break your system into its component parts. These parts are the requirements of your system that, when implemented, create a layered defense, providing rings of security for your system.
Using the roadmap
The roadmap is tailored to your organization. You can only implement it with the approval of senior management because the roadmap may necessitate organizational change. Therefore, the roadmap needs to be flexible, allowing it to adapt if changes are required.
Besides outlining how to make your system more secure, the roadmap also provides the information required to create a plan of action and milestones (POA&M). The POA&M is used to acquire extra funding, people, or resources to secure the system. It ensures that the system’s schedule proceeds in the correct order.
Summary: Building a security roadmap
A roadmap outlines your system's security requirements. It is created by examining the policies approved by senior management. Policies that are unclear or not yet created need to be outlined and approved by senior management. The policies are gathered and used to create the roadmap's requirement statement, which is then used to implement the system and create a layered defense. The roadmap must be flexible and approved by senior management.