A security strategy should be developed top down. Good security practices require risk assessment, policy development, technology deployment, and follow-up reports and audits. The security technology and the implemented policies define the level of security achieved by a platform or organization.
Risk assessment is important for identifying areas of vulnerability and priorities. From this knowledge, security policies can be developed. Developing security policies involves a thorough analysis to reveal vulnerabilities and their potential harm, and to identify possible control mechanisms and their associated costs. Once the analysis is complete, a cost-benefit analysis should be performed to determine what controls and expenditures are appropriate for the given vulnerabilities. The result is a security plan and policies that describe what the security system will do. The next phase is to implement the policy along with the technology. It is also necessary to train the end users so that they understand the security policies and how to use the technologies being implemented. Once the technologies and policies are implemented, it is important to perform periodic audits to make sure that the vulnerabilities have been addressed and that any new ones are identified.
The security system assurance process provides information describing how well the security system meets the requirements of the security policies. This acts as a feedback mechanism into the security policy step, so that improvements and changes can be made as attacks and vulnerabilities change.