High Level Requirements for a Security Guide

The previous post explored the kinds of information that might be in a security guide.

Let’s lay out some basic requirements for a security guide:

  • The security guide must exist. It must be available, updated, and maintained.
  • The security guide must incorporate relevant government and industry requirements.
  • The security guide must be actionable. If it can’t be implemented, it is useless.
  • The security guide should be proactive, describing what should be done (and, where applicable, how to do it) rather than what is forbidden.
  • It should be possible to verify compliance with the security requirements through a system audit.
  • The security guide should support the company mission.

This last item may strike you as a bit odd… Recall that the reason we have computer systems is to generate business value. The security guide should balance security risk against generation of business value. If a computer system can’t be used to generate business value, you might as well get rid of it. And, of course, the most secure system is one that doesn’t exist! (Just for the record, this is a joke…)

Ideally, the security guide is a tool to improve the operation of an organization, balancing protection needs against business needs, ease of use, and the threat profile a company actually faces.

Next: System Audits – There Has to be a Better Way!

About Russell Doty

A technology strategist and product manager at Red Hat, working on the next generation of open source systems.
