Question

Describe the security architecture phases that will effectively ensure the confidentiality, availability, and integrity of the Web database.

Answer #1

Answer:

Phase 1: Assessment and Analysis

Assessing and analyzing an organization’s data security needs involves the identification of vulnerabilities, threats, and assets existing within an environment’s devices, resources, and vendor relationships.

A security audit must be thorough and exhaustive, searching for every type of potential threat that may exist within the database environment. Threats can range from social engineering gaps to external firewall faults. They can be present within any of the computer, network, and database layers, so all types of security should be addressed.

By identifying risks, defining the likelihood of a threat to an asset, and determining the cost of a breached or lost asset, you can prioritize and plan reasonable measures to counteract these threats.

Steps often taken to complete a risk assessment can include:

  1. Creating a list of all devices and resources within a database environment.
  2. Identifying the vulnerabilities and assets involved with each resource and device.
  3. Defining the value of these assets as well as the cost of any damage from the threats.
  4. Prioritizing your security measures.

Phase 2: Design and Modeling

The design and modeling phase involves the creation of policies and prototype security architecture that fit an organization’s needs. The policies created will rely strictly on the results of the assessment and analysis phase.

The prioritized lists of threats dictate how the model is developed and what policies are put into place. In the design and modeling phase, security policies and procedures are created, necessary firmware and software changes are defined, and security tools or applications that are used to minimize risk are identified.

The entire organization must be included in this process. From senior management to human resources to network users, all should be made aware of the security efforts taking place. Involving the entire organization in this process will ensure policies are correctly focused and realistic for both user and business needs.

Steps often taken to complete a risk assessment may include:

  1. Define the policies and procedures that need to be put into place.
  2. Define the firmware and software changes that support the policies defined in step one.
  3. Identify the implementation plan.
  4. Create baselines to determine success and failure.
  5. Define a plan for user training and awareness.

Phase 3: Deployment

During deployment, the security policies, firmware, and tools defined in previous phases are put into place. These security measures are deployed using the steps that were defined in the design and modeling phase.

A test environment is often created to simulate the environment in which deployment will take place. Firmware and software are purchased and also tested to ensure that unforeseen variables do not affect the overall deployment and security goals.

Changes to user training and awareness are put into place in this phase as well.

Steps often taken in Phase 3 can include:

  1. Adjust user training and awareness based on user acceptance.
  2. Test firmware and software changes in a controlled simulation environment.
  3. Deploy changes as defined by the deployment plan.

Phase 4: Management and Support

The management and support phase involves the ongoing support, maintenance, and assessment of the security architecture deployed in phase three. During this phase, performance of the security system is monitored, and any failures or breaches would result in the reevaluation of the security architecture.

Security policies can go through minor changes, yet too many small changes or a failure in a system may initiate the need to repeat the entire process from the beginning.

Steps often taken to complete a risk assessment may include:

  1. Monitoring performance of security architecture as well as user security awareness and training.
  2. Revising policy as necessary.
  3. Identifying the need for a reassessment and initiating the start of the security life cycle.