Practical IT Research that Drives Measurable Results

Build a Security Architecture & Roadmap

Introduction
Most organizations acquire security tools in a reactive manner. This results in inconsistent security that doesn't meet organizational goals. A Security Plan eliminates this problem, preserving resources.

On average, plan development takes 8 months and costs $108,000, a major inhibitor to plan adoption. This solution set eliminates those costs.

This solution set addresses Security Planning in three steps:
1. Getting Planning Started
2. Building the Right Architecture
3. Developing an Implementation Roadmap

Small and mid-sized organizations that do not have a formal security plan in place will benefit from completing the Security Architecture and Roadmap Planning Tool.

This set will define an appropriate security architecture and develop a custom deployment roadmap. These tools will improve security while saving the costs of plan development and streamlining future investments.
Info-Tech Research Group

Executive Summary

IT Security Planning is costly and time consuming. Using the Secure Network Design and Roadmap tool is a cost-free and quick way to create your organization's ideal network design and tool implementation roadmap.

Involve the business side in IT Security Planning; it is not only an IT exercise. Involving the business results in:
- Better business buy-in.
- Easier cost validation for new security tools.
- More insight into future business directions.

Businesses do not require every security tool. Proper planning prevents organizations from boiling the ocean and allows them to focus on the tools their organization requires.

When it comes to tool implementations, timing matters; planning and roadmapping ensure that tools are implemented in the order that is most appropriate and most secure for the organization.

Getting Started
- Why perform security planning?
- Planning and requirements gathering
- The Value of Plans
- How deployments fail

Building the Right Architecture

Developing an Implementation Roadmap

Security Plans save money and improve enterprise security

Improve Organizational Security
55% of organizations that used security plans said that they deployed their security tools in the most secure order. The IT Security Planning exercise encourages organizations to take all aspects of the organization into consideration in order to create a security plan that best meets their needs.

Save Money
45% of organizations that used security plans said that they would not have saved more money had they deployed tools in a different order.

Shift Business Perceptions on IT Security and Spending
The planning process involves the business side of the organization. Keeping the business in the loop will improve the perception of IT and will help shift the perception of IT from a cost center to a vital part of the organization.

Security Planning is essential to the effective deployment of security tools

Planning & Requirements Gathering
Determine what the organization's security needs are and where their priorities lie. You may need to gain business buy-in at this point.
Do: Take all inputs into consideration. Also plan for future business and IT goals and requirements.
Don't: Place too much emphasis on incident response; being reactionary undermines efficient planning.

Determine Required Tools*
Once needs and priorities are established, the organization is able to determine what specific security tools they require. This list is based on business wants and IT requirements.
Do: Make acquisitions according to established plans.
Don't: Purchase security tools just because they are new or because everyone else is doing it. Only purchase tools that are necessary.

Determine Implementation Order**
Determine the order that the security tools should be implemented in. Organizations will have different implementation orders depending on where their priorities lie.
Do: Implement tools in the order that best supports the required level of security and the priorities of the organization.
Don't: Deviate from established plans. Reactionary implementations can lead to higher costs and less than ideal architecture.

* See the Building the Right Architecture section for details.
** See the Developing an Implementation Roadmap section for details.

Planning and Requirements Gathering is not a one-step process; it involves multiple inputs to create a plan that works

Consider each of the following areas when creating your security plan. Different areas will be more relevant to your organization than others.

The following four areas are key areas of consideration when in the planning and requirements gathering phase:
- Risk Assessment
- Business Requirements
- Incident Response
- Regulatory Pressure

Organizations will not have to focus on each of these areas equally; find the balance that is right for the organization's particular needs.

Not all inputs are created equally; determine which inputs are most important to you

Risk Assessments:
A primary contributor to security plans. After risks have been identified, organizations set out to implement tools required to minimize them.
Pros: Clearly identifies the areas that are of most significant concern, allowing the enterprise to build accurate plans.
Cons: Risk Assessment is a time-consuming process. Completing it enterprise-wide can slow down Plan development significantly.

Regulatory Pressure:
Companies required to meet compliance requirements will need to take these into consideration when performing a security plan.
Pros: In many cases, regulatory requirements are easy to obtain, clearly laid out and often include an order of implementation.
Cons: Compliance is demonstrated through snapshot audits that may not be indicative of on-going status.

Business Requirements:
Knowing what the business expects makes it easier to meet their needs and justify budgetary requirements.
Pros: Understanding what the business wants allows IT to deliver better service and improves the perception of IT.
Cons: The business may ask for things that IT cannot or will not provide, resulting in a loss of trust and a breakdown in relations.

Breaches and Threats:
Many organizations implement tools in response to a breach or threat. Reaction is needed but should never be the only input.
Pros: Problem areas can be identified and fixed immediately, preventing additional/potential breaches.
Cons: Focusing too heavily on breaches encourages unplanned and/or rash security tool purchases and changes.

2010 research shows that organizations with formal security plans feel more secure

Organizations with formal security plans are 4.5 times more likely to feel secure than organizations with no plans in place. (N=35)

Info-Tech research shows that 91% of organizations that had performed formal security planning also had formal policies in place.

Without proper plans and policies in place, organizations are vulnerable as they do not have mechanisms in place to deal with security issues. If there is a security breach or loss of data and an organization does not have established rules in place, they can lose precious time while trying to figure out what to do. In this situation, the organization may also be legally implicated and can be liable for any losses or complications.

Companies with security documentation have the satisfaction of knowing that their IT security is appropriately scoped and designed. Also, they will generally have mechanisms in place to vet and update the plan regularly, ensuring the highest level of security possible.

Lack of business buy-in prevents some organizations from performing proper security planning

Do these three steps to get business buy-in:

"Business culture lacks an awareness of security. Security planning is required, and there are insufficient resources currently in place to start and keep the momentum moving forward."
- Team Member, Utilities

"Business culture and management perceptions need to change to bring more focus on security awareness."
- Manager, Manufacturing

"Many things keep us from performing security planning; other priorities, limited resources and the perception that we are not a strong candidate for security incursions."
- Manager, Public Administration

"The security plan is our most valuable piece of security documentation, but its intangible nature makes it hard for non-technology business management to understand."
- CIO, Finance

Planning is difficult when the business is not on board:
- It is difficult to get the time and resources necessary to complete the planning if the business does not see the benefit of the exercise.
- Justifying the budget required to purchase the tools to become secure is difficult when the business is not security focused.

Deployments gone wrong; the problems of not using a formal Security Plan

Security Gaps
Informal, ad-hoc security planning results in security gaps as the organization fails to implement the right tools in the right order to maximize security.
Example: An organization that had recently purchased a Unified Threat Management solution that included gateway anti-malware protection decided that endpoint anti-malware was no longer necessary. When one of their remote employees who had been disconnected from the network connected to it with his infected laptop, a virus ran rampant through the network since the endpoints were all unprotected. With proper planning the organization would have considered the risks that remote workers presented and would be required to take the necessary steps to mitigate them.

Not Meeting Business Requirements
Neglecting to formally establish what the business security requirements are can result in failing to appropriately serve and protect the business. This can be costly in the long run.
Example: A sales organization that had plans to move to online sales never conveyed this to IT, and IT never asked what the business plans were as they never went through the IT Security Planning process. The organization's Security Network Architecture supported the old requirements but not the new direction. When the new direction was communicated, IT was unprepared to support the needs of the company. In the end IT needed to delay the business move to online sales while they changed the gateway security infrastructure.

Inappropriate Tools in Place
Info-Tech research shows that companies with no formal IT Security Plan in place show significant randomness in the tools they choose and the order in which these are implemented.
Example: A financial organization that needs to meet specific compliance requirements purchased Content Filtering and Data Leakage Protection systems after implementing baseline tools when they should have implemented a Management System next to monitor all of the tools they already had in place. The high cost of the Management System caused them to look for cheaper tools first. This misalignment resulted in the organization failing to provide conclusive reporting for security auditing purposes.

Getting Planning Started

Building the Right Architecture
- 5 Main Inputs Drive Security Network Architecture
- Security Network Architecture and Roadmap Planning Tool

Developing an Implementation Roadmap

Five factors drive the components and layout of Security Network Architecture

Figure: Security Network Architecture Decisions Based On All Five Factors

The degree to which each of the five factors affects an organization will dictate the complexity of the Security Plan

Risk Tolerance: The higher the organization's tolerance for risk, the fewer security tools they will need in place. Organizations in highly regulated industries generally have a low tolerance for risk. Carefully determine your organization's risk tolerance as this will have a notable impact on the suite of security tools needed.

Presence of Sensitive Data: Sensitive data and confidential information must be rigorously protected to prevent it from being stolen or lost. Organizations that have sensitive data will need to implement Data Leakage Protection, Intrusion Detection and Prevention, and Encryption.

Remote Users: Remote workers need access to the same tools that they use when physically present in the office. Virtual Private Networks (VPN) and Network Access Control (NAC) are two essential tools for securely supporting these employees.

Hours of Operation: A business that needs to be running 24/7 has very different needs from one that is open from 9 to 5. To ensure that the business has access to the internet and other tools that they need, dual firewalls are required in order to minimize downtime in the case of a failure.

Online Business: Online businesses cannot afford to have their websites unavailable to their customers as this likely represents a significant loss in revenue. Online businesses must have dual routers in place to minimize downtime in the case of a failure.

Create your ideal Security Network Architecture using Info-Tech's Security Architecture & Roadmap tool

The Security Network Architecture and Roadmap Planning Tool will accomplish two things:
1. Create the organization's ideal security architecture.
2. Create the organization's ideal security tool deployment roadmap.

The Business Requirements Questionnaire tab of the tool takes answers to five questions that will gauge how each of the factors discussed previously affects your organization. Based on these responses, the organization's ideal security architecture is presented on the next tab of the tool along with an explanation of why the different components are required.

There is an example of a network diagram on the following slide for a company in the Financial Services industry.

Sample network architecture for a financial services organization

Sample network architecture from the Security Network Architecture and Roadmap Tool.

Risk Tolerance: Low
Presence of Sensitive Data: Yes
Remote Users: Yes
Hours of Operation: 24/7
Online Business: Yes

The organization requires a high level of security protection. Endpoints should be protected with anti-malware, and strong authentication and encryption should be used on laptops and sensitive servers. The organization requires a granularly segmented network to create security zones and, since the organization is an online business, dual Internet connections and firewalls are needed to mitigate website and network downtime.

DLP is recommended in the organization to protect sensitive data from loss or theft. Content Filtering is also recommended as it will ensure that no unauthorized websites or other materials are viewed from company endpoints.

NAC should be implemented to protect static endpoints on the network. An IDP system should be used to prevent unauthorized or malicious access to data.

Finally, a Management System should be used to properly track, monitor and maintain security systems.

Getting Planning Started

Building the Right Architecture

Developing a Roadmap
- The importance of roadmaps
- Compliance vs. Security
- Ideal implementation orders

Security Planning is not a wasted exercise; companies with plans implement tools in secure orders that keep costs low

Chart: Would Security improve if tools deployed differently? (N=33)
Takeaways: 55% of organizations with plans in place felt that their security would not have improved if they had deployed their tools in a different order. Security planning leads organizations to deploy their IT Security tools in the best order to support enterprise security requirements.

Chart: Would money be saved if tools deployed differently? (N=33)
Takeaways: Only 6% of organizations with plans in place felt that they would have saved money if they had deployed their tools in a different order. Security planning pays off; organizations without Plans felt that they could have saved money had they implemented in a different order.

Knowing what tools to implement is only half the battle; knowing the ideal implementation order is the other

Depending on the complexity and specific needs of your organization, you will require different suites of security tools. There is a right way and a wrong way to implement these tools. Deploy these tools in the order that best meets your organization's needs. Your ideal order will depend on whether the organization focuses on security or compliance.

Baseline Tools
Baseline tools are those that should be implemented in the same order, regardless of the company and whether they focus on security or compliance.

Security vs. Compliance
Companies will need to choose whether they should focus on security or compliance. The ideal implementation order for each of these focuses is different.

Choose between compliance and security; each has a different effect on the order in which tools are implemented

Baseline tools remain the same as they are required by all companies regardless of size, requirements, or priorities.

The Importance of Security and Compliance in Organizations
The implementation orders required to make an organization more secure or more compliant are very different. Ensure the organization picks the right factor to focus on. Be sure to validate this decision with the business side. For many organizations this is an easy decision, but for companies that are in heavily regulated industries and have a strong requirement for having the most secure environment possible, this decision becomes more complicated.

Baseline security tools; deployed first in all organizations

1. Gateway Firewall: Required by all companies. Should always be the first security tool implemented. Firewalls monitor the data traversing the corporate network, looking for suspicious activity, and block unwanted inbound and outbound traffic.
2. Endpoint Anti-Malware: Required by all companies. Essential on all endpoints to protect them from infection from viruses and malware.
3. Gateway Anti-Malware: Required by all companies. Detects and blocks malware as it enters and exits the organization.
4. Basic Network Segmentation: Required by most companies. This is the most basic network structure; it is a network segmentation that separates users from servers.
5. NAC and VPN: Required by companies with large numbers of remote users. Ensures that remote workers will have full, secure access to the corporate network.

Baseline security tools are those needed by all organizations, regardless of their priorities or focus. The baseline tools should ideally be implemented in the order above to ensure basic security protection is available.

The vast majority of companies surveyed by Info-Tech for this study implemented these baseline tools first.

Refer to Appendix I for a more complete explanation of each of the tools.

Compliance as a major motivator? Focus on reporting and data protection first

6. Management System: Consolidates the reporting and notification functions of all security tools. Organizations that need to meet stringent compliance requirements need this tool for reporting purposes.
7. IDP: Necessary for organizations that house sensitive data and for those with a low tolerance for risk. It prevents intrusions into the corporate network from unauthorized third parties.
8. Encryption: Prevents unauthorized third parties from viewing and accessing sensitive company data by making it unreadable without the proper decryption key.
9. Enhanced Authentication: Required when an organization supports remote workers. Ensures that remote workers will have full, secure access to the corporate network.

"Spending time and money on a formal security plan is essential in order to ensure compliance with state mandates."
- Team Member, Education Services

Refer to Appendix I for a more complete explanation of each of the tools.

Compliance as a major motivator? Focus on reporting and data protection first (continued)

10. Data Leakage Protection: Organizations that house sensitive and confidential data must have this in place. These systems prevent the purposeful or inadvertent transmission of data outside of the enterprise.
11. Content Filtering: Proper content filtering restricts the type of information, data, and code that can enter the organization via the Internet.
12. Tiered Network Segmentation: First separate user and server networks attached to the core network. Then separate these networks into trusted and untrusted users and servers.
13. Internal Firewalls: Regulate and restrict traffic to and from servers containing sensitive data. Access to the server is based on a set of predefined rules.

Refer to Appendix I for a more complete explanation of each of the tools.

Implement dedicated protection tools if security is the bigger concern

6. IDP: Necessary for organizations that house sensitive data and for those with a low tolerance for risk. It prevents intrusions into the corporate network from unauthorized third parties.
7. Content Filtering: Proper content filtering restricts the type of information, data, and code that can enter the organization via the Internet.
8. Data Leakage Protection: Organizations that house sensitive and confidential data must have this in place. These systems prevent the purposeful or inadvertent transmission of data outside of the enterprise.
9. Encryption: Prevents unauthorized third parties from viewing and accessing sensitive company data by making it unreadable without the proper decryption key.

Refer to Appendix I for a more complete explanation of each of the tools.

Implement dedicated protection tools if security is the bigger concern (continued)

10. Enhanced Authentication: Required when an organization supports remote workers. Ensures that remote workers will have full, secure access to the corporate network.
11. Tiered Network Segmentation: First separate user and server networks attached to the core network. Then separate these networks into trusted and untrusted users and servers.
12. Internal Firewalls: Regulate and restrict traffic to and from servers containing sensitive data. Access to the server is based on a set of predefined rules.
13. Management System: Consolidates the reporting and notification functions of all security tools. Organizations that need to meet stringent compliance requirements need this tool for reporting purposes.

"Management tools are purely for the effectiveness of monitoring and support. The tools and processes themselves are the real risk mitigation agents."
- CISO, Manufacturing

Refer to Appendix I for a more complete explanation of each of the tools.

Determine your ideal deployment roadmap using Info-Tech's Security Network Architecture & Roadmap tool

The Security Network Architecture and Roadmap Planning Tool will accomplish two things:
1. Create the organization's ideal security architecture.
2. Create the organization's ideal security tool deployment roadmap.

The Roadmap Input Page determines which of the suggested tools are already in place and ranks compliance, cost and security factors. This information determines tool implementation order, which is presented in a step-by-step format. Some of the information included in each step will be:
- Tool purpose
- How the tool works
- Relative cost of the tool
- Approximate time to implement
- Implementation skill required

There is an example of a roadmap on the following slide for a company in the Financial Services industry.

Sample Implementation Roadmap: Financial Services Organization

Sample roadmap from the Security Network Architecture and Roadmap Tool (only the first three steps of the roadmap are shown).

Risk Tolerance: Low
Presence of Sensitive Data: Yes
Remote Users: Yes
Hours of Operation: 24/7
Online Business: Yes

An online business with remote users, sensitive data and a low tolerance for risk requires a complex architecture. Security tools should be implemented in the following order for the organization to be most secure:
1. Gateway Firewall
2. Endpoint Anti-Virus/Malware
3. Gateway Anti-Virus/Malware
4. Basic Segmented Network
5. Dual Firewalls
6. Dual Internet Connections
7. NAC and VPN
8. Intrusion Detection and Prevention
9. Content Filtering
10. Data Leakage Protection
11. Endpoint Encryption
12. Enhanced Authentication
13. Tiered Segmented Network
14. Internal Firewalls
15. Management System
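The five-factor architecture step and the Roadmap Input Page's gap analysis, worked through as an added example (this is not Info-Tech's tool or its code): a Python model that turns the five questionnaire answers and a security-or-compliance focus into an ordered roadmap, reproducing the 15-step financial services sample and dropping tools already in place. Where the deck does not state a factor-to-tool condition explicitly, the rule is marked ASSUMPTION in the code, and the two sample profiles are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Profile:
    """Answers to the deck's five Business Requirements Questionnaire factors."""
    risk_tolerance: str      # "low", "moderate" or "high"
    sensitive_data: bool     # Presence of Sensitive Data
    remote_users: bool       # Remote Users
    always_on: bool          # Hours of Operation == 24/7
    online_business: bool    # Online Business


# Security-focused order: the 15 steps of the deck's financial services sample roadmap.
SECURITY_ORDER: List[str] = [
    "Gateway Firewall", "Endpoint Anti-Virus/Malware", "Gateway Anti-Virus/Malware",
    "Basic Segmented Network", "Dual Firewalls", "Dual Internet Connections", "NAC and VPN",
    "Intrusion Detection and Prevention", "Content Filtering", "Data Leakage Protection",
    "Endpoint Encryption", "Enhanced Authentication", "Tiered Segmented Network",
    "Internal Firewalls", "Management System",
]

# Compliance-focused order: same baseline and availability steps, then the deck's
# "reporting and data protection first" sequence.
COMPLIANCE_ORDER: List[str] = SECURITY_ORDER[:7] + [
    "Management System", "Intrusion Detection and Prevention", "Endpoint Encryption",
    "Enhanced Authentication", "Data Leakage Protection", "Content Filtering",
    "Tiered Segmented Network", "Internal Firewalls",
]

# Which factor answers pull a tool into the architecture. Rules marked ASSUMPTION are
# this example's reading of the deck's factor descriptions, not conditions it states.
REQUIRED_BY: Dict[str, Callable[[Profile], bool]] = {
    "Gateway Firewall": lambda p: True,                  # baseline: required by all
    "Endpoint Anti-Virus/Malware": lambda p: True,       # baseline: required by all
    "Gateway Anti-Virus/Malware": lambda p: True,        # baseline: required by all
    "Basic Segmented Network": lambda p: True,           # baseline: required by most
    "Dual Firewalls": lambda p: p.always_on,             # 24/7 operation
    "Dual Internet Connections": lambda p: p.online_business,
    "NAC and VPN": lambda p: p.remote_users,
    "Enhanced Authentication": lambda p: p.remote_users,
    "Intrusion Detection and Prevention":
        lambda p: p.sensitive_data or p.risk_tolerance == "low",
    "Data Leakage Protection": lambda p: p.sensitive_data,
    "Endpoint Encryption": lambda p: p.sensitive_data,
    "Tiered Segmented Network": lambda p: p.sensitive_data,    # ASSUMPTION: isolates sensitive data
    "Internal Firewalls": lambda p: p.sensitive_data,          # ASSUMPTION: guards sensitive segments
    "Content Filtering": lambda p: p.risk_tolerance == "low",  # ASSUMPTION
    "Management System": lambda p: p.risk_tolerance == "low",  # ASSUMPTION; forced for compliance
}


def architecture(profile: Profile, focus: str) -> FrozenSet[str]:
    """Tools the profile calls for (the 'ideal security architecture' tab)."""
    tools = {tool for tool, rule in REQUIRED_BY.items() if rule(profile)}
    if focus == "compliance":
        tools.add("Management System")  # deck: needed for compliance reporting
    return frozenset(tools)


def build_roadmap(profile: Profile, focus: str,
                  in_place: FrozenSet[str] = frozenset()) -> List[str]:
    """Ordered deployment steps, minus tools already in place (the Roadmap Input Page)."""
    if focus not in ("security", "compliance"):
        raise ValueError(f"focus must be 'security' or 'compliance', got {focus!r}")
    order = SECURITY_ORDER if focus == "security" else COMPLIANCE_ORDER
    unknown = set(in_place) - set(order)
    if unknown:
        raise ValueError(f"unknown tools marked in place: {sorted(unknown)}")
    needed = architecture(profile, focus)
    return [tool for tool in order if tool in needed and tool not in in_place]


# Constructed profiles: the deck's financial services sample and a small 9-to-5 office.
FINANCIAL = Profile("low", True, True, True, True)
SMALL_OFFICE = Profile("high", False, False, False, False)
# The deck's five baseline tools, used here as "already in place" for the gap analysis.
BASELINE_IN_PLACE = frozenset(SECURITY_ORDER[:4] + ["NAC and VPN"])

if __name__ == "__main__":
    for name, profile, focus in [("financial / security", FINANCIAL, "security"),
                                 ("financial / compliance", FINANCIAL, "compliance"),
                                 ("small office / security", SMALL_OFFICE, "security")]:
        print(name)
        for step, tool in enumerate(build_roadmap(profile, focus), 1):
            print(f"  {step:2d}. {tool}")
    print("financial / security, remaining after baseline:",
          build_roadmap(FINANCIAL, "security", BASELINE_IN_PLACE))
```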

Summary

Formal security planning saves time and money and improves the security stance of the organization. There are three steps in creating a security plan:
1. Planning and Requirements Gathering: Not only an IT exercise. Get the business's input at this stage. Determine what the organization needs now and in the future and plan accordingly.
2. Determining the appropriate suite of security tools for the organization: Use the information from the Planning and Requirements Gathering process to fuel this stage.
3. Determining the order of security tool implementation: Consider the organization's priorities to determine the ideal order.

Companies need to decide whether they have a focus on security or compliance in order to determine the tool deployment order that best suits their needs.

Appendix I
Description of security solutions

Info-Tech's standardized security architectures use up to fifteen different security solutions:
- Gateway firewalls
- Dual gateway firewalls
- Internal firewalls
- Gateway anti-malware
- Endpoint anti-malware
- Dual Internet connections
- Segmented networks
- Tiered networks
- Virtual Private Networks (VPN)
- Intrusion detection & prevention
- Content filtering
- Data Leakage Protection (DLP)
- Network Access Control (NAC)
- Endpoint encryption
- Enhanced authentication
- Security management technologies

The following slides describe these tools. Each slide shows a sample security architecture diagram and highlights the position of the tool in question in that diagram. The slides also indicate the relative (low, moderate, high) cost, time and skill requirements for each tool.
- Low cost indicates something that should be affordable by most enterprises, while high cost may be affordable only by larger enterprises.
- Low time indicates a deployment on the order of days to weeks, while high time indicates deployment on the order of months to years.
- Low skill indicates a deployment that requires no specialized expertise, while high skill indicates a deployment that requires significant expertise.

Appendix I-a
Gateway Firewall

Firewalls are a baseline security protection mechanism required by all organizations, regardless of their size or perceived threats. Firewalls regulate the inbound and, in some cases, the outbound flow of traffic. They can be deployed singly or in pairs.

Firewalls evaluate whether traffic can be allowed to enter the network based on comparison to in-place rules. Creating a detailed and specific ruleset that specifies what constitutes appropriate traffic is the key to good firewall functionality.

Cost: Low to Moderate
Time: Low
Skill: Low

Appendix I-b
Internal Firewall

Internal firewalls work in exactly the same manner as gateway firewalls except that they are used to filter internal network traffic only. They are generally deployed to protect particularly sensitive network segments.

Firewalls evaluate whether traffic can be allowed to enter the network segment based on comparison to in-place rules. Creating a detailed and specific ruleset that specifies what constitutes appropriate traffic is the key to good firewall functionality.

Cost: Low
Time: Low
Skill: Low to Moderate

Appendix I-c
Gateway Anti-Malware

Gateway Anti-Malware detects and blocks malware as it attempts to enter the enterprise network. The solution can also be configured to scan outbound traffic for malware threats, which can limit distribution and eliminate the reputation hit associated with spreading security threats.

Gateway Anti-Malware can be integrated into gateway firewalls or deployed as a separate device depending on the needs of the organization. It scans incoming files and applications for signatures that match known threats, quarantining or deleting them when discovered.

Cost: Low
Time: Low
Skill: Low

Appendix I-d
Endpoint Anti-Malware

Endpoint Anti-Virus/Malware is one of the most basic security technologies that an enterprise can deploy. The primary function of this solution is to detect and block malware as it is received at the endpoint and thereby reduce the spread of threats.

Endpoint Anti-Virus/Malware is software that is installed directly onto endpoints such as servers and workstations. It scans the files and applications for signatures that match known threats, quarantining or deleting them when discovered.

Cost: Low
Time: Low
Skill: Low

Appendix I-e
Dual Internet Connection

Dual Internet connections are essential for online businesses, that is, those needing to provide access to their website 24/7. They provide far greater uptime potential, ensuring that clients looking for the enterprise's website are always able to find it.

Dual Internet connections require dual front-end routers. Each connection should be capable of handling all of the enterprise's network traffic. If one router fails, the other takes over all of the functions, preventing downtime or latency. Specialized networking will be required to ensure appropriate distribution of traffic in this structure.

Cost: Moderate
Time: Low to Moderate
Skill: Moderate

Appendix I-f
Segmented Internal Network

Basic network segmentation is the first step in network architecture complexity for those migrating from flat networks. At a minimum, basic network segmentation should separate users from the servers. This allows servers to be protected at a higher level without security tools having to be deployed across the entire network.

Segmentation uses configuration rules within the network infrastructure to create virtual network segments that have different IP address ranges from one another. For traffic to pass between these segments it must traverse the switch, where security rules can be applied.

Cost: Low
Time: Low to Moderate
Skill: Low to Moderate

Appendix I-g
Tiered Internal Network

Tiered network segmentation takes network segmentation one step further, increasing the granularity with which the network is divided. Tiered segmented networks increase security by providing better isolation of sensitive data and/or processes.

Tiering uses configuration rules within the network infrastructure to create virtual network segments that have different IP address ranges from one another. For traffic to pass between these segments it must traverse the switch, where security rules can be applied.

Cost: Low
Time: Low to Moderate
Skill: Moderate

Appendix I-h
Virtual Private Networks

Network Access Control (NAC) and Virtual Private Networks (VPN) help protect organizations from threats that might be leveraged by allowing inbound connections to internal networks by privileged devices (such as remote laptops). VPN allows remote users to connect to the network while preventing session hijacking and sniffing type attacks.

VPN creates encrypted point-to-point communications channels through which remote users connect to internal network resources.

Cost: Low to Moderate
Time: Low to Moderate
Skill: Low to Moderate

Appendix I-i
Intrusion Detection & Prevention
IDP is a network alarm system. The solution monitors traffic for anomalous behavior and intrusion/attack signatures and can issue alerts, or take independent corrective action in response. Generally configured to monitor inbound traffic only, the solution can also monitor two-way traffic flow, which sometimes makes it useful for the protection of sensitive internal network segments.
IDP sensors can issue alerts to administrative staff for manual intervention or can initiate automated responses.
Cost: Moderate to High
Time: Moderate to High
Skill: Moderate to High
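The slide describes the two detection modes an IDP combines (signature matching and anomaly detection) and the two response modes (alert staff or act automatically). The following added example, written for this page rather than taken from any IDP product, runs both modes over a handful of constructed connection records: a signature rule flags a directory-traversal request for blocking, and a sliding-window anomaly rule raises an alert when one source touches many distinct ports in a short time. The log format, thresholds and signatures are all assumptions.

```python
import re
from collections import defaultdict

# Constructed connection records (not real traffic):
# "<epoch> <src_ip> <dst_ip> <dst_port> <request excerpt or ->"
SAMPLE_LOG = """\
1700000000 10.10.5.5 10.20.0.10 443 GET /index.html
1700000001 203.0.113.7 10.20.0.10 22 -
1700000002 203.0.113.7 10.20.0.10 23 -
1700000003 203.0.113.7 10.20.0.10 25 -
1700000004 203.0.113.7 10.20.0.10 80 -
1700000005 203.0.113.7 10.20.0.10 443 -
1700000006 198.51.100.9 10.20.0.10 443 GET /../../config/db.yml
1700000030 203.0.113.7 10.20.0.10 8080 -
"""

# Signature rules: (name, pattern, action). The action mirrors the deck's split
# between alerting staff and taking automated corrective action.
SIGNATURES = [
    ("dir-traversal", re.compile(r"\.\./\.\./"), "block"),
    ("sqli-union", re.compile(r"(?i)union\s+select"), "block"),
]

# Anomaly rule: one source touching many distinct ports in a short window.
SCAN_WINDOW_S = 10
SCAN_PORT_THRESHOLD = 5

def parse(line: str) -> dict:
    ts, src, dst, port, payload = line.split(" ", 4)
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "payload": payload}

def analyze(lines):
    """Return the alerts an IDP sensor would raise for these records, in order."""
    alerts = []
    recent = defaultdict(list)    # src -> [(ts, dst_port)] inside the sliding window
    already_flagged = set()       # one port-scan alert per source, not one per packet
    for rec in (parse(l) for l in lines if l.strip()):
        # 1. signature matching on the request excerpt
        for name, rx, action in SIGNATURES:
            if rx.search(rec["payload"]):
                alerts.append({"rule": name, "src": rec["src"], "action": action})
        # 2. anomaly detection: distinct destination ports per source in the window
        hist = recent[rec["src"]]
        hist.append((rec["ts"], rec["port"]))
        hist[:] = [(t, p) for t, p in hist if rec["ts"] - t <= SCAN_WINDOW_S]
        distinct_ports = {p for _, p in hist}
        if len(distinct_ports) >= SCAN_PORT_THRESHOLD and rec["src"] not in already_flagged:
            already_flagged.add(rec["src"])
            alerts.append({"rule": "port-scan", "src": rec["src"], "action": "alert"})
    return alerts
```

The last record in the sample sits 25 seconds after the scan burst, so the window has emptied and it does not trigger a second alert; that pruning is what keeps an anomaly rule from firing on every slow, legitimate client. Which findings get `block` and which only `alert` is a policy choice, and the slide's caution about automated responses applies directly: an auto-block on the anomaly rule would also cut off a noisy but benign host.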

38

Appendix I-j
Content Filtering
Content filtering helps businesses avoid legal issues by blocking unauthorized inbound web content (websites, web applications, file sharing sites, etc.) from being accessed. Secondarily, these tools block access to websites that may host malware and other threats, directly improving security.
Proper content filtering restricts the type of information, data, and code that can enter the organization via the Internet. Administrators are able to specify what types of content employees are permitted to view and at what times they are allowed to do so.
Cost: Low to Moderate
Time: Moderate
Skill: Moderate
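The slide's two policy dimensions are content category and time of day. The following added example (written for this page, not taken from any filtering product) evaluates a request URL against a constructed category list and a constructed policy that blocks some categories outright and allows another only in a lunch-hour window. Domain names use the reserved `.test` suffix and are assumptions, as is the policy.

```python
from datetime import time
from urllib.parse import urlsplit

# Constructed category list keyed by registrable domain (assumption; a real
# product ships a vendor-maintained database).
CATEGORIES = {
    "example-social.test": "social",
    "filehost.test": "file-sharing",
    "known-bad.test": "malware",
    "intranet.example.test": "business",
}

# Constructed policy: category -> (decision, permitted time window or None).
POLICY = {
    "malware":      ("block", None),
    "file-sharing": ("block", None),
    "social":       ("allow", (time(12, 0), time(13, 0))),   # lunch hour only
    "business":     ("allow", None),
}
DEFAULT_POLICY = ("allow", None)   # uncategorized sites: allow (and log)

def categorize(url: str) -> str:
    """Map a URL to a category by matching its host against the domain list."""
    host = (urlsplit(url).hostname or "").lower()
    for domain, category in CATEGORIES.items():
        # match the domain itself or any subdomain; anchoring on the dot stops
        # "example-social.test.evil.test" from borrowing an allowed category
        if host == domain or host.endswith("." + domain):
            return category
    return "uncategorized"

def filter_url(url: str, now: time):
    """Return ('allow'|'block', category) for a request made at wall-clock time now."""
    category = categorize(url)
    decision, window = POLICY.get(category, DEFAULT_POLICY)
    if decision == "block":
        return "block", category
    if window is not None and not (window[0] <= now < window[1]):
        return "block", category     # permitted category, but outside its window
    return "allow", category
```

Two details matter operationally. Matching on the parsed hostname rather than on the raw URL string is what prevents a lookalike host from inheriting a category, and the default for uncategorized sites decides how strict the filter is on day one; an allow-and-log default (assumed here) is the usual starting point, tightened once the categories administrators care about are populated.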

39

Appendix I-k
Data Leakage Protection
Data Leakage Protection is designed to monitor for and block the outbound distribution of sensitive data. These solutions work best for protecting against the accidental loss of information and are especially valuable for organizations that house confidential or otherwise sensitive data.
Analyzes files in transit for disallowed data by looking for keywords and data patterns and then enforces policy-based restrictions. Any time the pattern is noted, the transmission can be quarantined or disallowed and alerts issued to both users and administrators.
Cost: Moderate
Time: Moderate
Skill: Moderate
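The slide names the two detection techniques (keywords and data patterns) and the two outcomes (quarantine or alert). The following added example, written for this page and not taken from any DLP product, scans an outbound message for a constructed set of patterns and keywords and maps the findings to those outcomes. It also shows the check that separates a usable DLP rule from a noisy one: a digit run that looks like a payment card number is only reported if it passes the Luhn checksum, so order numbers and tracking IDs do not quarantine every invoice. The keyword list, patterns and actions are assumptions; the card number in the test is the widely published test value, not real data.

```python
import re

# Constructed patterns for data the policy treats as sensitive.
CARD_RX = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, optional separators
SSN_RX = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KEYWORDS = ("CONFIDENTIAL", "INTERNAL ONLY")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str):
    """Return (kind, matched_text) pairs for every finding in the message."""
    hits = []
    for m in CARD_RX.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                     # pattern alone is not enough
            hits.append(("credit-card", m.group()))
    for m in SSN_RX.finditer(text):
        hits.append(("us-ssn", m.group()))
    for kw in KEYWORDS:
        if kw in text:
            hits.append(("keyword", kw))
    return hits

def policy_action(hits) -> str:
    """Map findings to the deck's actions: quarantine, alert, or let through."""
    kinds = {kind for kind, _ in hits}
    if kinds & {"credit-card", "us-ssn"}:
        return "quarantine"       # regulated identifiers: hold the transmission
    if kinds:
        return "alert"            # classification keyword only: notify, let it go
    return "allow"

def inspect_message(text: str):
    hits = find_sensitive(text)
    return policy_action(hits), hits
```

A real deployment attaches the same logic to mail, web upload and file-share egress points and reports every `quarantine` and `alert` decision to both the sender and an administrator, as the slide describes; the tuning work is almost entirely in the pattern list and the false-positive filters such as the Luhn check.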

40

Appendix I-l
Network Access Control
Network Access Control (NAC) and Virtual Private Networks (VPN) help protect organizations from threats that might be leveraged by allowing inbound connections to internal networks from privileged devices (such as remote laptops). NAC ensures that remote devices meet the security requirements of the network and are not injecting threats that bypass gateway controls.
NAC uses signature-based scanning to determine the security configuration of a device that is attempting to connect to the network. Where the configuration does not meet standards, devices can be quarantined for remediation.
Cost: Moderate
Time: Moderate
Skill: Moderate to High
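The slide's mechanism is a posture check at connection time followed by a VLAN assignment: compliant devices get the normal network, everything else lands in a quarantine segment that only reaches remediation services. The following added example models that decision for this page; it is not code from any NAC product. The baseline values, the posture fields and the VLAN names are constructed assumptions, and dates are passed as ISO strings so the check is easy to drive from an inventory export.

```python
from dataclasses import dataclass
from datetime import date

# Constructed connection baseline (assumption; real NAC policies are product-specific).
BASELINE = {
    "min_os_build": 22000,
    "av_signature_max_age_days": 7,
    "require_disk_encryption": True,
    "require_host_firewall": True,
}

@dataclass
class DevicePosture:
    """What the NAC agent or scan reports about a device asking to connect."""
    device_id: str
    os_build: int
    av_signature_date: str      # ISO date of the last antivirus signature update
    disk_encrypted: bool
    firewall_enabled: bool

def evaluate_posture(p: DevicePosture, today_iso: str):
    """Return (assigned_vlan, failed_checks) for a device requesting access."""
    today = date.fromisoformat(today_iso)
    failed = []
    if p.os_build < BASELINE["min_os_build"]:
        failed.append("os-build-below-minimum")
    age = (today - date.fromisoformat(p.av_signature_date)).days
    if age > BASELINE["av_signature_max_age_days"]:
        failed.append("av-signatures-stale")
    if BASELINE["require_disk_encryption"] and not p.disk_encrypted:
        failed.append("disk-not-encrypted")
    if BASELINE["require_host_firewall"] and not p.firewall_enabled:
        failed.append("host-firewall-disabled")
    # Non-compliant devices go to a quarantine VLAN that reaches only
    # update and remediation services, never the production segments.
    vlan = "corp-access" if not failed else "quarantine-remediation"
    return vlan, failed
```

Returning the full list of failed checks, not just the VLAN, is what makes remediation workable: the quarantine portal can tell the user exactly what to fix, and the help desk can see at a glance whether a wave of quarantines is a stale signature feed rather than many individually misconfigured laptops.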

41

Appendix I-m
Endpoint Encryption
Encryption is a "last line of defense" type of security solution and is designed to ensure that even if systems are illicitly accessed, any information they house will not be subject to loss. Encryption is most often applied to systems and media that can be easily accessed (laptops, backup tapes) or to stores of particularly sensitive data (databases).
Encryption protects data by making it unreadable using an encryption key. This data can only be made readable by the use of the corresponding decryption key. Encryption can be applied to entire databases or to slices of data within files.
Cost: Moderate
Time: Moderate to High
Skill: Moderate

42

Appendix I-n
Enhanced Authentication
Enhanced Authentication is necessary when passwords are not sufficient to protect an organization's systems. Enhanced Authentication uses multiple factors of authentication (something you know, something you have, something you are) to establish a greater level of confidence that authenticated users are who they claim to be.
Uses additional factors of authentication to positively identify users. Additional factors include a second factor (something you have) and a third factor (something you are).
Cost: Moderate to High
Time: Moderate to High
Skill: Moderate to High

43

Appendix I-o
Security Management Technologies
A number of different types of Security Management systems exist, including Security Information Management (SIM), Identity & Access Management (IAM) and Governance, Regulation & Compliance (GRC) software. These tools offer heightened monitoring of, and insight into, user and system activity and can also block inappropriate actions in some cases.
Management systems consolidate the reporting, notification and maintenance functions of all of the security tools and provide one interface to control them.
Cost: High
Time: High
Skill: High

44

Appendix II
Methodology
This solution set used data collected from a survey conducted in April 2010 on the topics of Security Policy development, deployment and enforcement. 117 responses were received.

45
