“Security is a process, not a product.” Bruce Schneier
It is usually best to start by defining a specific goal. A good approach to settling on that goal starts with the following questions:
- What are you trying to protect? The security policy will be different depending on whether you want to protect computers or data. In the latter case, you also need to know which data.
- What are you trying to protect against? Is it leakage of confidential data? Accidental data loss? Revenue loss caused by disruption of service?
- Also, who are you trying to protect against? Security measures will be quite different for guarding against a typo by a regular user of the system versus protecting against a determined external attacker group.
The term “risk” is customarily used to refer collectively to these three factors:
- what to protect,
- what should be prevented,
- who might make this happen.
Do not plan overkill features if the risk does not warrant the effort. Conversely, do not underestimate the risks or the impact of an attack.