Articulating the rationale for an IA mechanism in terms of business need provides insight into how the mechanism aligns with existing policy, or whether a new policy is needed. Policies, standards, and procedures are prospective guidance to the organization: prospective in the sense that they describe what the organization should do. (Section 9.5 provides additional details on the relationships among policies, standards, and procedures.) In addition to policies, standards, and procedures there are practices. Practice is what the organization is actually doing.
Policies state the bounds and qualifications for organizational behavior. Standards provide guidance on what to use to implement and enforce policy. Procedures describe how to apply standards to implement and enforce policy. Security policies convey appropriate behavior to maintain mission integrity in terms of the IA core principles. Security standards convey the appropriate IA tools and settings to implement and enforce IA policy.
9.5
Security Standards
Security standards specify the IA mechanisms and mechanism configurations necessary to mitigate business risk. Security standards specify what to use or what capability to provide. As long as the capability is delivered, the specific mechanism, vendor, and product are left to the discretion of those implementing the capability. In other cases there may be a business need for specific products. For example, a business driver for centralized security support (e.g., help desk, NOC/SOC, CSIRT, installation, deployment, etc.) may require a homogeneous IA environment. To leverage central resources effectively, the organization will benefit from standards that specify acceptable products by manufacturer, product name, version, and patch level.
9.5.1
Homogeneous versus Heterogeneous IA Environments
An IA environment that uses a specific product from a particular vendor everywhere is a homogeneous environment. An IA environment that uses multiple products (e.g., firewalls from vendor A and firewalls from vendor B) is a heterogeneous environment. Like most decisions, there are benefits and drawbacks to both choices (Table 9.4).
Deciding between a homogeneous and a heterogeneous environment is not straightforward. The first question resides in business need. Is your organization a popular and well-known target for adversaries? If your organization is a bank, another financial institution, or a military institution, then probably yes. Is the core mission of your organization so critical that it must always be available? The answers to these questions help determine whether the cost of a heterogeneous environment provides an adequate ROI. There are trade-offs in cost, efficiency, and secu-