In this chapter
§ Security planning
§ Risk analysis
§ Security policies
§ Physical security
In reading this book you may have concluded by now that security is achieved through technology. You may think that the important activities in security are picking the right IDS, configuring your firewall properly, encrypting your wireless link, and deciding whether fingerprint readers are better than retina scanners. These are important matters. But not all of security is addressed by technology. Focusing on the firewall alone is like choosing a car by the shape of the headlight. Before you get to the headlights, there are some more fundamental questions to answer, such as how you intend to use the car, how much you can afford, and whether you have other transportation choices.
Security is a combination of technical, administrative, and physical controls, as we first pointed out in Chapter 1. So far, we have considered technical controls almost exclusively. But stop and think for a moment: What good is a firewall if there is no power to run it? How effective is a public key infrastructure if someone can walk off with the certificate server? And why have elaborate access control mechanisms if your employee mails a sensitive document to a competitor? The administrative and physical controls may be less glamorous than the technical ones, but they are surely as important.
In this chapter we complete our study of security controls by considering administrative and physical aspects. We look at four related areas:
• Planning. What advance preparation and study lets us know that our implementation meets our security needs for today and tomorrow?
• Risk analysis. How do we weigh the benefits of controls against their costs, and how do we justify any controls?
• Policy. How do we establish a framework to see that our computer security needs continue to be met?
• Physical control. What aspects of the computing environment have an impact on security?
These four areas are just as important to achieving security as are the latest firewall or coding practice.