Implementation Considerations › Review and Tailor Security Policy

Review and Tailor Security Policy

Members of IT should know the company data security goals and objectives before implementing CA Top Secret Option for DB2. Your IT members must evaluate the existing security policy of the organization and determine whether you want to modify your existing policy before you implement CA Top Secret Option for DB2. Identify any areas of the policy that are unclear or inappropriate. Keep in mind the modifications that your team wants to make as you plan to implement CA Top Secret Option for DB2 security in your data center.

Identify Current Security Standards

The first step in reviewing your security policy is to identify existing site security policies or standards. Because not every site has a formal security policy, start by identifying what has already been protected. Then, based on the implementation plan, identify the changes you must make in your current security policy. Note the differences in policy or functions of the features. During the implementation of CA Top Secret Option for DB2, you can change anything that you did not implement in CA Top Secret the way you originally wanted. Communicate any necessary changes to the user community by publishing a new security policy.

Many factors influence a site's policies and objectives. These can include the following areas:

• Government regulations that can affect data security requirements at your site, such as the National Computer Security Center (NCSC) ratings, the Privacy Act, Foreign Corrupt Practices Act, Securities and Exchange Commission (SEC) and other agency regulations, and various other accounting and reporting requirements.
• Legal requirements, such as controls over Electronic Funds Transfers (EFT) and contractual agreements preventing the disclosure of information.
• Industry practices and agreements, as they relate to recognized standards of due care.
• The threats of sabotage, white‑collar crime, and computer fraud.
• Good business practices, such as separation of function, clear lines of responsibility and authority, individual accountability, knowing what the control procedures are and that they are in place, knowing who has access to assets and records and controlling this access, and various auditing considerations.
• Existing corporate policies that relate to computer assets such as data security, access control, and auditing computer control.
• Impact on the user community, such as decisions that relate to the degree of functional separation and the degree of centralization or decentralization in the administration of CA Top Secret Option for DB2 and related controls.
• Procedure enforcement needs, such as naming conventions for ACIDs and resource prefixing.

Tailor Your New Security Policy

After you evaluate existing security policies and standards, you must tailor your new security policy to accommodate DB2 requirements. If these policies and goals are not known or defined, the IT will find it difficult to choose appropriate CA Top Secret Option for DB2 options and to proceed quickly through CA Top Secret Option for DB2 implementation. Communicate the new policy to your user community to ensure that they know the new goals. You can use CA Top Secret Option for DB2 as a tool to implement security policies, automate policy enforcement, and help the company achieve its goals in relation to DB2 security.

As you begin tailoring the security policy, you must make decisions based on the following questions:

• What is the condition of my current security system?
• How do I want to secure development versus production systems?
• Do I want to centralize or decentralize my security administration?
• What role should DBAs play?
• How do I migrate an application from test to production? What issues should I consider?
• How much authority do I want to give the developers of applications?
• What resources do I want to audit?
• Which audit tools do I want to use?