

Security Plan Components
The following tasks may be included as a part of a typical security implementation plan. The considerations involved in each task are discussed in detail in the remainder of this document.
- Product Training—Time must be allocated to allow Security Administrator(s) to obtain training in the use of CA Top Secret. This task is critical because misconceptions in the use of any product can cause delays and redesign later on.
- Installation—The installation of CA Top Secret may be scheduled at any time before actual CA Top Secret administration is required. The time required for installation is usually minimal, especially if the user has obtained the appropriate product knowledge before attempting the installation. Development of backup and recovery procedures must accompany this task because once CA Top Secret is installed, your installation may want to use the product initially to provide some function, even if it is only the support of security administration.
- Inventory of Resources and Users—The inventory phase can be one of the most time-consuming phases of the implementation. Its duration is determined by the number of users and resources in the installation and whether or not enforced standards are in place. The inventory can be scheduled by logical groups of users and resources and by facility. The results can then be input to a phased implementation.
- Naming Standards—This task must be scheduled to address naming standards for the elements of the CA Top Secret Security File. For organizations that do not have resource naming standards or have inadequate naming standards, this may be an excellent time to schedule a task to address the development and implementation of standard resource names. The existence of standard resource names can expedite the implementation process and result in a clearer, less complicated Security File.
- Security File Design—The results of the inventory can give you an organized picture of the users and resources and how they relate to each other. This input can be used in designing the Security File. It is important to schedule the time to design the file before actual administration begins. This simplifies the maintenance effort later on.
- Definition of Implementation Strategy—Each organization may choose to approach the implementation in a different manner, addressing different resources and using different options and controls. A task can be scheduled to define and document that strategy so that a clear direction is set.
- Definition of Violation and Reporting Strategies—Any security product is misused if the results it reports are not monitored. It is critical to define how violations are logged, reported, and handled. A task can be scheduled to address this important requirement.
- Development of Emergency and Troubleshooting Procedures—Problems due to misuse or malfunctioning of a security product can greatly impact your operation. For this reason, it is critical to schedule the time to develop emergency procedures before specific problems occur, so that the time required to diagnose and resolve them is minimized.
- Define Audit Procedures—Schedule a task to design audit procedures which give Security Administrators and auditors the necessary tools to properly audit CA Top Secret and its use within the organization.
- Development of Security Maintenance Procedures—The end of the security implementation is not the end of dealing with the security product. Changes in your environment require changes to the Security File. Also, upgrades in the operating system may result in upgrades to the security product itself. CA Top Secret also periodically upgrades and adds features and facilities. Development of maintenance procedures may be scheduled early on in anticipation of subsequent maintenance requirements.
- Testing—A test plan can be designed to ensure that the security product is implemented and functioning as desired in the installation. You may find that testing is a function that continues ad infinitum as the package is enhanced and as your use of the package evolves into more elaborate security controls. A good test procedure can be developed that remains useful long after security implementation is complete.
- Customization—This task is optional. Some organizations may find that they have a unique requirement that CA Top Secret does not automatically address. In this case, customization is necessary. This task must be carefully scheduled with sufficient time to properly design, implement and test the customized routines.
- Security Awareness Programs—The solidity and permanence of the security implementation depend on the support of the user community. Support comes only if the users are properly educated in the features of the security product. This is an important phase which may be time-consuming, but cannot be ignored since security enforcement ultimately comes from the users.
- Ongoing Assessment and Evaluation—Since an implementation of a security product is as dynamic as the environment in which the product lives, ongoing assessment and evaluation programs can be developed and scheduled at regular intervals. This ensures that CA Top Secret is used properly and effectively.
Copyright © 2014 CA Technologies.
All rights reserved.
 