
Designing a strategic Windows security plan: A 12-step program

If you're planning a major Vista upgrade, now is a good time to review your organization's strategic Windows security plan. IT management guru Harris Kern lays out a 12-step program for designing a strategic security plan in the pre-Vista era.

Harris Kern
If you're planning to roll out Microsoft Vista -- and who isn't, eventually -- one of your biggest priorities should be to design a strategic Windows enterprise security plan. A good plan starts with management buy-in; identifies, categorizes and prioritizes security requirements; and ends with a monitoring process. Harris Kern outlines a 12-step program that you can use to be prepared for Microsoft Vista.

In spite of all the recent media attention, many organizations still lack effective, strategic enterprise security plans that spell out what the company must do to protect itself against major external and internal IT security threats. Here are twelve steps to take when you are developing, reviewing and implementing a strategic enterprise IT security plan.

  1. Identify an executive sponsor. An executive sponsor -- C-level or VP -- will champion and support the enterprise strategic security program, and is the person who secures its budget and resolves conflicts between business units.

  2. Identify a security process owner. That would be you, Mr. Windows IT manager. You will manage all Windows IT security processes and activities on a daily basis and will assemble and manage a cross-functional team. You will also sit on the technical security review board, which develops standards and implementation plans for the various security policies, and report to the board on what measures you've taken to secure the Windows environment.

  3. Define strategic security goals. You and your team will define and prioritize specific Windows enterprise strategic security goals. There are three aspects to consider about the Windows data you want to secure: its availability, its integrity and its level of confidentiality. State each goal in terms of which of these properties it protects, for which data, so the goal can later be measured.

  4. Establish review boards. There should be two separately chartered review boards in your organization. The first is an executive-level review board in charge of providing direction, goals and policies concerning Windows enterprise-wide security issues. The second board is comprised of senior analysts and specialists who are qualified to evaluate the technical feasibility of the security policies and initiatives proposed by the executive board, and who set enforceable security standards and procedures.

  5. Identify, categorize and prioritize requirements. Representatives from each of the two review boards should meet to identify security requirements and categorize them by key security area (for example, access control, patching, auditing and data protection), then rank them by risk and business impact.

  6. Review the current state of security. You and your team must take a thorough inventory of all current Windows security-related items -- policies, tools, configurations and metrics -- to determine what you already have in-house and what needs to be developed or purchased.

  7. Establish a Windows security organization. Based on input from the two review boards, the requirements list and the inventory of current security policies, tools and metrics, establish a centralized security department or unit headed by a Windows security manager.

  8. Develop policy statements. Based on your inventory of existing Windows security policies, eliminate obsolete or ineffective policies, modify those that require changes, and develop the new policies your requirements list calls for.

  9. Assemble planning teams. Cross-functional teams should be created to develop implementation plans for new Windows security policies, procedures, initiatives, and tools proposed by the two security review boards.

  10. Review and approve plans. The executive Windows security review board should oversee the Windows security implementation plans and review their policies, budgets, schedules and priorities for efficiency and effectiveness.

  11. Evaluate the plans' technical feasibility. The technical Windows security review board should evaluate the Windows security implementation plans for technical feasibility and adherence to the standards it has set.

  12. Assign, schedule and execute plan implementation. Individuals or teams should be assigned responsibilities and schedules to execute the Windows security plans. After the plans are implemented, they should be evaluated for their effectiveness against the goals set in step 3. In addition, auditors should monitor employee adherence to the plans and hold assigned personnel accountable for their deliverables.

Harris Kern is the author of 44 IT and self-help books. He is recognized as the foremost authority on providing practical guidance for solving IT management issues. Harris is the founder behind Harris Kern's Enterprise Computing Institute and the best-selling series of books published by Prentice Hall. The series includes titles such as IT Services, IT Organization and CIO Wisdom. Harris can be reached at
