Re: Charter
Dan Harkins wrote:
> > Some (high-level) general requirements:
> >
> > 4) Maintain or exceed security current strength
>
> What does this mean? What is the "current strength" against which we'll
> measure the result to make sure we satisfy the requirement?
I suggest that we try to specify some representative usage
situations, and try to estimate the required security features
for each.

One situation would be a typical corporation and a remotely
connecting employee. Some of the security requirements could be:
- Requirement for identity protection would be low
- Requirement for authentication and encryption would be high
- The remote user would not be allowed any other internet
  connectivity to prevent creating holes in the corporation firewall.

A requirement for connectivity by a three letter agency would
place heavy emphasis on identity protection..

A requirement for connectivity to a firewall or a central backbone
router would place heavy emphasis on preventing DoS attacks..

Etc..

Having created a representative sample, we would specify which
modes and authentication methods would be suitable for the task.
A network administrator could then look for the closest
match when configuring the security of the system.

--
Ari Huttunen phone: +358 9 859 900
Senior Software Engineer fax : +358 9 8599 0452
Data Fellows Corporation http://www.DataFellows.com
F-Secure products: Integrated Solutions for Enterprise Security