Title :
Challenges of Securing an Enterprise and Meeting Regulatory Mandates
Author :
Sabnis, Suhasini ; Chandrashekhar, Uma ; Bastry, Frank
Author_Institution :
Lucent Technol. Bell Labs, Middletown, NJ
Abstract :
Security incidents continue to rise globally, up 22% in 2005. Enterprises and service providers alike are faced with the challenge of ensuring a rigorous approach to network security throughout the entire lifecycle of their security programs. Many critical security requirements are currently addressed as an afterthought, in reaction to security incidents. This results in piecemeal security fixes, which do not provide a comprehensive and cost-effective security solution. Network security should be designed around a strong security framework, the available tools, standardized protocols, and, where available, easily configured software and hardware. Naturally, in a multi-vendor environment, no end-to-end security solution can be achieved without standards. The Lucent Technologies Bell Laboratories Security Framework, which is the foundation for security standards ITU-T X.805 and ISO/IEC 18028-2, was developed as a comprehensive methodology for assessing and integrating network security across the enterprise. The ISO/IEC 18028 standard, which is broken into five sub-levels, provides guidance on the security aspects of the management, operation and use of IT networks. ISO/IEC 18028-2 defines a standard security architecture, which describes a consistent framework to support the planning, design and implementation of network security for the IT industry. In this paper, we discuss how the standard can be applied as a framework for network security assessment by presenting a threat analysis case study. We also discuss the applicability of the framework for implementing the technical controls for regulatory compliance initiatives. ISO/IEC 18028-2 provides a common and rigorous methodology for defining a robust security program for next-generation networks.
Keywords :
IEC standards; ISO standards; business communication; protocols; telecommunication network planning; telecommunication security; ISO-IEC 18028-2 standard; IT network management; enterprise; multivendor environment; network security; next generation network; planning; security program; security standards ITU-T X.805; service provider; standardized protocols; technical control; threat analysis; Companies; Costs; Government; IEC standards; ISO standards; Privacy; Resource management; Security; Standards organizations; Technology management;
Conference_Titel :
Telecommunications Network Strategy and Planning Symposium, 2006. NETWORKS 2006. 12th International
Conference_Location :
New Delhi
Print_ISBN :
3-8007-2999-7
Electronic_ISBN :
3-8007-2999-7
DOI :
10.1109/NETWKS.2006.300383