Although security technologies are highly advanced, effective security must combine technology with good planning for business and social practices. No matter how advanced and well implemented the technology is, it is only as good as the methods used in employing and managing it.

Implementing the appropriate security standards is a key issue for most organizations. To implement security standards, devise a security plan that applies a set of security technologies consistently to protect your organization's resources. After you have established your plan, implement the appropriate Windows 2000 Professional security features.

Consider developing a security plan that describes how you will use the features of Windows 2000 to establish a secure, usable environment. A typical security plan might include the following sections:

  • Security goals : Describe what you are protecting.

  • Security risks : Enumerate the types of security hazards that affect your enterprise, including what poses the threats and how significant the threats are.

  • Security strategies : Describe the general security strategies necessary to meet the threats and mitigate the risks.

  • Security group descriptions : Describe security groups and their relationship to one another. This section maps security policies to security groups.

  • Security Policy : Describe Group Policy security settings, such as network password policies. Note that if you add your Windows 2000 Professional–based computer to a domain, your Security Policy settings will be affected by domain Security Policies.

  • Network logon and authentication strategies : If you work in a networked environment, consider authentication strategies for logging on to the network, for remote access, and for using smart cards to log on.

  • Information security strategies : Include how you implement information security solutions, such as the Encrypting File System (EFS), Internet Protocol security (IPSec), and access authorization using permissions.

  • Administrative policies : Include policies for delegation of administrative tasks and monitoring of audit logs to detect suspicious activity.

  • Public key usage policies : Include your plans for how clients will use certification authorities for internal and external security features.

Your security plan can contain more sections, but these are suggested as a starting point. If possible, test and revise your security plans using test labs that model the computing environments for your organization. Also, conduct pilot programs to further test and refine your network security plans.