Capability: Security Process
Security process is a key element of infrastructure optimization, and security must be part of the design criteria for all procedures and technologies highlighted by the Infrastructure Optimization Model. The following table lists the high-level challenges, applicable solutions, and benefits of moving to the Dynamic level in Security Process.
Challenges:
    Lacking regulatory compliance for data security
    Lack of cost/benefit analysis
    Critical data may still be at risk, despite two-factor authentication
    No formalized way to assess services and improve them
Solutions:
    Advanced Two-Factor User Authentication
    Continuous improvement programs for all security processes
Benefits:
    Improved information security and identity protection helps protect the business from threats, regardless of device
    Proactive IT operations resolve problems earlier to avoid reducing user productivity
The Rationalized level of optimization required that most of the necessary security measures be in place before moving to the Dynamic level. At the Dynamic level, all security processes should follow the lead of the ITIL/COBIT-based Management Process and participate in continuous improvement programs.
Requirement: Advanced Two-Factor User Authentication
You should read this section if you do not have plans in place for security policies, risk assessment, incident response, and data security.
Most organizations know that it is important to protect their data and resources from loss or damage due to theft, human or computer error, malicious intent, or any number of other events. You can take steps to limit the opportunities for loss or damage to occur. You can also establish policies and procedures to respond to and minimize the effects of the loss or damage to your IT environment. The Dynamic level in this guide deviates somewhat from the Core Infrastructure Optimization Online Self-Assessment and focuses on advanced two-factor user authentication.
At the Rationalized level, we introduced the concept of two-factor authentication, and at the Dynamic level we add to the sophistication of two-factor authentication by requiring advanced capabilities, such as biometric scanning, to access highly sensitive data.
Phase 1: Assess
During the Assess phase, you should determine the appropriate security needs for your organization and identify which authentication processes and technologies are currently in place. Security requirements can vary dramatically from company to company or institution to institution based, for example, on size, industry or field, or regional laws and regulations. Gathering the requirements of your organization will allow you to define an appropriate security process.
Phase 2: Identify
During the Identify phase, you will examine the tools and procedures currently in place in your organization and determine what the security requirements are for your organization. During this phase, you will gather authentication policies that are currently implied or enforced, in addition to technology components already in use or at your disposal. You will also gather any external requirements based on laws or regulations for your region or industry.
Phase 3: Evaluate and Plan
The Evaluate and Plan phase for moving to the Dynamic level of optimization requires strong authentication using advanced two-factor authentication, such as incorporating biometric scans, to access highly sensitive data in the organization.
Advanced Two-Factor Authentication
Single secrets such as passwords can be effective security controls. A long password of more than 10 characters that consists of random letters, numbers, and special characters can be very difficult to crack.
Advanced two-factor authentication systems overcome the weaknesses of single-secret authentication by requiring a second secret. Advanced two-factor authentication uses a combination of any two of the following three items:
    Biometrics, such as retina or fingerprint scans
    Something the user knows, such as a personal identification number (PIN)
    Something the user has, such as a hardware token or a smart card
Biometrics can be excellent authentication mechanisms. Examples of biometric measurements include retinal scans, facial feature scans, palm prints, fingerprints, and voice recognition. With biometrics, users may or may not need to enter user IDs, but they are clearly authenticated with features that only they possess. Organizations can provide an important additional layer of security if they implement biometrics for strong authentication. For detailed information on two-factor authentication, go to http://www.microsoft.com/technet/security/guidance/networksecurity/securesmartcards/default.mspx.
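The two-of-three rule above, and the Dynamic-level requirement that highly sensitive data also need a biometric factor, as an added policy-evaluation example (not code from the page or from Microsoft); the mapping of credential types to factor categories is a constructed assumption for the example. It also shows the edge case the rule implies: two credentials from the same category (a password plus a PIN) do not count as two factors.

```python
from enum import Enum


class Factor(Enum):
    """The three authentication factor categories described on the page."""
    KNOWLEDGE = "something the user knows"   # password, PIN
    POSSESSION = "something the user has"    # hardware token, smart card
    INHERENCE = "biometric"                  # fingerprint, retina scan


# Constructed mapping from credential type to factor category (assumption for this example).
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "smart_card": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "retina_scan": Factor.INHERENCE,
}


def categorize(credentials):
    """Return the set of distinct factor categories covered by the presented credentials.

    Unknown credential types are rejected rather than silently ignored, so a
    misconfigured client cannot weaken the policy by presenting unrecognised items.
    """
    unknown = [c for c in credentials if c not in CREDENTIAL_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised credential type(s): {unknown}")
    return {CREDENTIAL_CATEGORY[c] for c in credentials}


def meets_policy(credentials, highly_sensitive):
    """Decide whether the presented credentials satisfy the authentication policy.

    Two-factor means at least two distinct categories; password + PIN are both
    knowledge factors and therefore count as one. Access to highly sensitive
    data additionally requires a biometric (inherence) factor.
    """
    categories = categorize(credentials)
    if len(categories) < 2:
        return False
    if highly_sensitive and Factor.INHERENCE not in categories:
        return False
    return True
```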
Phase 4: Deploy
Evaluated and approved security process improvements are implemented in the Deploy phase. It is important to perform usability tests of any tightened security policy, and to run periodic fire drills to ensure that data processes remain efficient.
For more information on developing security operations and process standards, go to the Security Guidance Portal on Microsoft TechNet at http://www.microsoft.com/technet/security/guidance.
Checkpoint: Advanced Two-Factor User Authentication
Developed and implemented advanced two-factor identity and access management policies for highly sensitive data.
If you have completed the steps listed above, your organization has met the minimum requirement of the Dynamic level for Advanced Two-Factor User Authentication.
We recommend that you follow additional best practices for security processes addressed at the Microsoft TechNet Security Center.