IBM Tivoli and Cisco Network Card User Manual


 
Chapter 5. Solution design 97
5.2.3 Remediation requirements
Examining the requirements related to operational maintenance, we found that the
following pain points are the requirement drivers:
- Desktop security requirements became so complex that most of the
  non-technical end users cannot track the policy changes on their own.
- Increasing numbers of mobile users are outside of the scope of the desktop
  policy enforcement realized with Active Directory®.
- Installation of hotfixes, security updates, and network supplicant software
  must be strictly controlled due to change management process requirements.
- Enforcement of security policy without facilitating the remediation process
  results in productivity loss and an increased number of help desk calls.
Finally, one of the ABBC general functional requirements is an ability to institute
and enforce emergency change procedures for the company security posture
policy. The associated pain point is straightforward. Consider a scenario where a
potential severity-one Windows vulnerability has become public and Microsoft
has issued a hotfix for this vulnerability, which is of sufficient severity that the
normal change procedure documented in 2.3.2, “Security policy life cycle
management” on page 30, is not practical. However, while incorporating the
emergency change procedure, maintaining employee productivity must also be
considered, as ABBC must continue to do business and serve its customer base.
In addition, the solution has to consider the bandwidth and resource limitations of
the ABBC help desk staff and system administrators. The ABBC help desk
cannot sustain a deluge of help requests from scores of users who are suddenly
denied access for noncompliance. Combined with the ability to institute
emergency posture-policy changes, remediation requirements also include the
need to be able to push a critical system update, such as a severity-one hotfix.
Fortunately, all of the requirements can be met by combining posture checks with
network access enforcement and an automatic remediation facility.
5.2.4 Solution functional requirements
ABBC has well-defined security policies for their servers, as well as the existing
infrastructure to measure and track compliance via the IBM Tivoli Security
Compliance Manager product. However, ABBC lacks a technical method to
check security compliance of the users’ workstations, which are known to contain
a lot of the company’s sensitive data. Thus, as we examine the requirements,
along with the pain points, we find that they can be condensed into three
functional requirements.
The first functional requirement is to centrally manage and track the workstation
compliance status for all the users’ workstations, both stationary and mobile. This