Open Framework, Information Management Strategy & Collaborative Governance | Data & Social Methodology - MIKE2.0 Methodology
Information Security Design

From MIKE2.0 Methodology

Content Model Relationship

Activity: Information Security Design

Objective. The Information Security Design activity covers an overall design approach for information security. It builds on the Information Standards and Information Governance Policies defined in Phase 2, and on the Security Model and the classification model defined in Phase 3, to provide an implementable design. In conjunction with the Infrastructure Management Process Design activity, it defines an approach to protecting information assets.

The Information Security Design does not cover all aspects of security. For a further description of the scope of Information Security, refer to the Solution Definition of the Information Security Solution Offering. There are tasks listed within this activity that relate more to Infrastructure Development than Information Development but they are covered only at a high level.

Major Deliverables

  • Information Security Design
  • Information Security Monitoring Design

Tasks

Task: Design Network Infrastructure Security Controls

Objective: The Network Infrastructure Security task ensures that the network is secure and protected from attack. This includes making sure the proper hardware and software firewalls are in place and that data is encrypted as it crosses the network.


Input:


Output:

Task: Design Host Security Controls

Objective: The Host Security Controls task makes sure the platform that the information systems run on is secure. Host security is implemented by restricting equipment access, controlling host password assignments and setting permission levels on what functions users can perform. It is also implemented through the use of anti-virus, anti-spyware and anti-spam software, which also affect network and application security.


Input:

  • Detailed Business Requirements
  • Information Security Standards
  • Information Security Policies
  • Information Security Model
  • Classified Information Assets


Output:

Task: Design Database Security Controls

Objective: This task defines the controls that will be implemented to restrict users from accessing information, based on how the information is classified and the security model. Example controls include:

  • Restricting the rights a user has to access information
  • Restricting the rights a user has to perform certain functions, e.g. only letting a system user drop tables
  • Tracking activities in the database to provide an audit trail if needed

Database security is the last line of defense to protect information assets. For an information management engagement it is typically the area where the implementation team will be most directly involved.
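The three example controls above (restricting which information a user may read, restricting which functions a user may perform, and keeping an audit trail) can be shown together in a small data-access layer. The following is an added example, not code from MIKE2.0: it assumes a constructed four-level classification scheme (public, internal, confidential, restricted), a hypothetical users table that records each user's clearance and whether it is a system account, and uses SQLite's authorizer hook so that only a system user can drop tables. Every allow or deny decision is written to an audit_log table.

```python
import datetime
import sqlite3

# Clearance ranking for a constructed security model (assumption; not from the page)
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def build_store():
    """Create an in-memory store with constructed sample assets, users and an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE assets(name TEXT PRIMARY KEY, classification TEXT NOT NULL, content TEXT NOT NULL);
        CREATE TABLE users(username TEXT PRIMARY KEY, clearance TEXT NOT NULL, is_system INTEGER NOT NULL);
        CREATE TABLE audit_log(ts TEXT, username TEXT, action TEXT, target TEXT, outcome TEXT);
        CREATE TABLE scratch(x INTEGER);
        INSERT INTO assets VALUES ('price_list', 'public', 'widget: 10 EUR');
        INSERT INTO assets VALUES ('payroll', 'confidential', 'salary table');
        INSERT INTO assets VALUES ('merger_plan', 'restricted', 'project falcon');
        INSERT INTO users VALUES ('alice', 'internal', 0);
        INSERT INTO users VALUES ('bob', 'confidential', 0);
        INSERT INTO users VALUES ('dba', 'restricted', 1);
    """)
    return conn


class Session:
    """One user's session: classification checks on reads, DROP TABLE limited to
    system users, and every decision recorded in audit_log."""

    def __init__(self, conn, username):
        self.conn = conn
        self.username = username
        row = conn.execute(
            "SELECT clearance, is_system FROM users WHERE username = ?", (username,)
        ).fetchone()
        if row is None:
            raise PermissionError(f"unknown user {username}")
        self.clearance, self.is_system = row[0], bool(row[1])
        # SQLite consults the authorizer while compiling each statement; it is the
        # hook that lets us refuse DDL for ordinary users before it executes.
        conn.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_DROP_TABLE and not self.is_system:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    def _audit(self, action, target, outcome):
        ts = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.conn.execute(
            "INSERT INTO audit_log VALUES (?, ?, ?, ?, ?)",
            (ts, self.username, action, target, outcome),
        )

    def read_asset(self, name):
        """Return the asset content only if the user's clearance covers its classification."""
        row = self.conn.execute(
            "SELECT classification, content FROM assets WHERE name = ?", (name,)
        ).fetchone()
        if row is None or LEVELS[self.clearance] < LEVELS[row[0]]:
            self._audit("READ", name, "DENY")
            return None
        self._audit("READ", name, "ALLOW")
        return row[1]

    def drop_table(self, table):
        """Attempt a DROP TABLE; the authorizer rejects it for non-system users."""
        if not table.isidentifier():
            raise ValueError("table name must be a plain identifier")
        try:
            self.conn.execute(f"DROP TABLE {table}")
        except sqlite3.DatabaseError:
            self._audit("DROP", table, "DENY")
            return False
        self._audit("DROP", table, "ALLOW")
        return True


def audit_trail(conn):
    """Return the audit trail in the order events were recorded."""
    return conn.execute(
        "SELECT username, action, target, outcome FROM audit_log ORDER BY rowid"
    ).fetchall()


if __name__ == "__main__":
    store = build_store()
    alice = Session(store, "alice")
    print(alice.read_asset("payroll"))      # None: internal clearance cannot read confidential data
    print(alice.drop_table("scratch"))      # False: alice is not a system user
    print(Session(store, "dba").drop_table("scratch"))  # True
    for entry in audit_trail(store):
        print(entry)
```

In a production database the equivalent controls are roles and grants on the server (for example, GRANT SELECT on views filtered by classification, and DROP privileges held only by an administrative role) together with the engine's native audit facility; the point of the example is that the classification check and the audit record are produced by the same code path, so a denied access is never silently lost.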


Input:

  • Detailed Business Requirements
  • Information Security Standards
  • Information Security Policies
  • Information Security Model
  • Classified Information Assets


Output:

Task: Design Identity and Access Management Controls

Objective: The Identity and Access Management task ensures that the user accessing the system is who they claim to be, thereby protecting systems from incorrect usage. It also protects users by informing them through:

  • Stating how their personal information will be used
  • Only using user information in the fashion that is stated
  • Protecting user information from dissemination to other entities without stated permission

Authentication is generally the key design feature from a technical perspective. It may involve simple password logins or more advanced forms of authentication such as security tokens or biometrics, and it spans network, host, application and data security. The authentication design may involve single sign-on across a federated systems environment.


Input:


Output:

Task: Design Cryptographic Controls

Objective: The Cryptographic Controls task cuts across each of the above tasks. Cryptographic design involves putting additional controls in place so that only appropriate users are able to read information, even if a non-authenticated user is able to access it. Cryptography may be applied during access management by encrypting data that crosses the network. Encryption is also often applied within an information store so that even an administrator cannot see the data, such as passwords, credit card details or classified government content.

The design process defines the most appropriate encryption technique and technologies to be used. It also defines the approach for how it will be applied specifically to the information in scope.
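The password case mentioned under both the Identity and Access Management task (password logins) and the Cryptographic Controls task (an administrator must not be able to see stored passwords) is the one place where the right control is not reversible encryption but a salted, memory-hard password hash. The following is an added example, not MIKE2.0 code: it stores credentials using scrypt from the Python standard library with a per-user random salt, records the parameters alongside the hash so they can be raised later, and verifies with a constant-time comparison. The cost parameters and the `scrypt$N$r$p$salt$hash` record format are assumptions for this example.

```python
import hashlib
import hmac
import os

# Work-factor parameters (assumed for this example; tune to the deployment's hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def hash_password(password, salt=None):
    """Return a self-describing record: scheme, parameters, salt and derived key.

    The stored value lets an administrator confirm that a password matches,
    but not recover the password itself.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive the key with the parameters in the record and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(bytes.fromhex(digest_hex)),
        )
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad parameters): treat as no match
        return False
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored):
    """True if the record was produced with weaker parameters than the current policy."""
    try:
        scheme, n, r, p, _, _ = stored.split("$")
    except ValueError:
        return True
    return scheme != "scrypt" or (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    # Constructed credential store: what an administrator can see is the record, not the password
    store = {"alice": hash_password("correct horse battery staple")}
    print(store["alice"])
    print(verify_password("correct horse battery staple", store["alice"]))  # True
    print(verify_password("wrong password", store["alice"]))               # False
    print(needs_rehash("scrypt$1024$8$1$" + "00" * 16 + "$" + "00" * 32))   # True
```

Keeping the parameters inside the record is what makes the control maintainable: when the work factor is raised in the design, `needs_rehash` identifies old records at the next successful login, so the upgrade can happen without ever holding the plaintext password at rest.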


Input:


Output:

Task: Design Security Monitoring Processes

Objective: As part of this task, a Security Monitoring solution is designed that makes sure the solution that has been implemented continues to meet the defined business requirements. Security Monitoring proactively and reactively looks for issues in the environment that are violations of security policies or may be indications of attempted breaches.
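The two kinds of finding named above, policy violations and indications of attempted breaches, each need a concrete rule before a monitoring design is implementable. The following is an added example, not part of the MIKE2.0 page: it runs two detection rules over a constructed set of access-log lines in an assumed `key=value` format. The first rule flags a source address with five or more failed logins inside a sliding sixty-second window (a possible breach attempt); the second flags a user who is repeatedly denied access to classified assets (a possible policy violation or probing). Thresholds and the log format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the page); one event per line, UTC timestamps
SAMPLE_LOG = """
2024-03-01T09:00:00 user=alice src=10.0.0.5 event=login outcome=fail
2024-03-01T09:00:05 user=alice src=10.0.0.5 event=login outcome=success
2024-03-01T09:01:00 user=bob src=10.0.0.9 event=login outcome=fail
2024-03-01T09:01:04 user=bob src=10.0.0.9 event=login outcome=fail
2024-03-01T09:01:09 user=bob src=10.0.0.9 event=login outcome=fail
2024-03-01T09:01:13 user=bob src=10.0.0.9 event=login outcome=fail
2024-03-01T09:01:20 user=root src=10.0.0.9 event=login outcome=fail
2024-03-01T09:05:00 user=carol src=10.0.0.7 event=login outcome=success
2024-03-01T09:06:00 user=carol src=10.0.0.7 event=read target=payroll outcome=deny
2024-03-01T09:06:30 user=carol src=10.0.0.7 event=read target=merger_plan outcome=deny
2024-03-01T09:07:00 user=carol src=10.0.0.7 event=read target=payroll outcome=deny
2024-03-01T10:30:00 user=dave src=10.0.0.9 event=login outcome=fail
this line is corrupt and must be skipped, not crash the monitor
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
    r"(?: target=(?P<target>\S+))? outcome=(?P<outcome>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines, burst_threshold=5, burst_window_s=60, denial_threshold=3):
    """Return a list of (rule, subject) alerts, one per subject per rule."""
    alerts = []
    fails = defaultdict(deque)      # src -> timestamps of recent failed logins
    denials = defaultdict(int)      # user -> count of denied reads
    alerted = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # a parser failure is itself worth counting in practice; skipped here
        if rec["event"] == "login" and rec["outcome"] == "fail":
            window = fails[rec["src"]]
            window.append(rec["ts"])
            # Drop timestamps that have fallen out of the sliding window
            while (rec["ts"] - window[0]).total_seconds() > burst_window_s:
                window.popleft()
            key = ("login_burst", rec["src"])
            if len(window) >= burst_threshold and key not in alerted:
                alerted.add(key)
                alerts.append(key)
        elif rec["event"] == "read" and rec["outcome"] == "deny":
            denials[rec["user"]] += 1
            key = ("repeated_denial", rec["user"])
            if denials[rec["user"]] >= denial_threshold and key not in alerted:
                alerted.add(key)
                alerts.append(key)
    return alerts


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {subject}")
```

The second rule depends on the database layer actually recording denied reads; a monitoring design that only sees successful access will never raise it, which is why the audit-trail requirement under Database Security Controls and this task are designed together.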


Input:

  • Detailed Business Requirements
  • Information Security Model (from Solution Architecture Definition/Revision)
  • Information Security Design


Output:

Roles

  • Solutions Administrator
  • Technology Architect
  • Information Architect
  • Information Security Specialist

Yellow Flags

Areas to look out for include:

  • Poorly defined Information Standards and Information Governance Policies. In this case, these standards and policies should be revisited.
  • Strong resistance from the organisation to follow standards and policies.
  • The organisation has suffered security breaches in the past and root causes have not been eliminated.
  • Use of technologies that are either immature (e.g. biometric technologies) or new to the organisation.
  • New business requirements that push security boundaries that have been traditionally followed in the organisation (e.g. the need to deal with external partners).

Potential Changes to this Activity

This activity is still being defined and will likely undergo a number of changes. Potential changes include:

  • Network and Host Security may move to Infrastructure Management Process Design
  • Some areas that are important for security, such as restricting physical access to hosts, are not yet covered.
  • Need to determine how much depth will be covered on Information Security as it relates to techniques for Infrastructure Development