Defining Communication and Information Security Goals

After you analyze your organization's existing business information and communication, define realistic security goals for the organization. This is an important step in controlling the overall cost of the security measures that you eventually implement. Realistic security goals help ensure that you are providing acceptable levels of security at acceptable costs.

Following are examples of realistic communication and information security goals:

  • Provide strong network logon authentication and at the same time reduce the Help desk costs that are associated with supporting users who forget their passwords or who let their passwords expire.

  • Provide increased Internet security by preventing users from downloading or using untrusted and unsigned content from the Internet.

  • Provide increased intranet security by preventing users from downloading or using untrusted and unsigned content from the intranet.

  • Provide integrity and nonrepudiation for general business e-mail messages that are sent within your organization and enable users to send confidential e-mail messages as needed.

  • Provide integrity, nonrepudiation, and confidentiality for all business e-mail messages between members of the executive management and trusted executive staff.

  • Provide integrity, nonrepudiation, and confidentiality for all business e-mail messages that are sent over the Internet.

  • Provide strong user authentication for project Web sites that are used for product development and project collaboration.

  • Provide authentication, integrity, and confidentiality for online cost accounting transactions.

  • Provide a strong remote network logon process that uses a single set of user network logon credentials, so that you reduce the administrative overhead of maintaining separate local and remote network logon accounts for the same users.

Setting unrealistic security goals (for example, specifying an unnecessarily high level of security) can result in security requirements that cost too much to implement or maintain. Unrealistic security goals can also exceed the limits of existing technology and performance capabilities. For example, setting a goal to provide IP-level authentication, integrity, and confidentiality for all of your network communication might be achievable in a few years, but it is generally not feasible with today's network infrastructures and existing IPSec technology. IPSec can add substantial overhead to network traffic, and many clients and applications do not yet support IPSec.