...
This handbook is a guide to setting computer security policies and
procedures for sites that have systems on the Internet. This guide
...
This guide is only a framework for setting security policies and
procedures. In order to have an effective set of policies and
procedures, a site will have to make many decisions, gain agreement ...
... Internet community. However, this document should be useful to any
site that allows communication with other sites. As a general guide
to security policies, this document may also be useful to sites with
isolated systems.
...
The IETF Security Policy Working Group (SPWG) is working on a set of
recommended security policy guidelines for the Internet [23]. These
...
This document covers issues about what a computer security policy
should contain, what kinds of procedures are needed to enforce
security, and some recommendations about how to deal with the
problem. When developing a security policy, close attention should
be paid not only to the security needs and requirements ...
... physical security. These things are
essential in setting and implementing effective security policy, but
this document leaves treatment of those issues to other documents.
We will try to provide some pointers in that direction.
...
... Why Do We Need Security Policies and Procedures? ...
...
Setting security policies and procedures really means developing a
plan for how to deal with computer security. One way to approach
...
The basic form of each section is to discuss issues that a site might
want to consider in creating a computer security policy and setting
procedures to implement that policy. In some cases, possible options
are discussed along with some of the ramifications of those
...
Section 5 discusses incident handling: what kinds of issues does a
site face when someone violates the security policy. Many decisions
will have to be made on the spot as the incident occurs, but many of the
options and issues can be discussed in advance. At the very least,
...
... security concerns from those of a university.
Second, the site security policy developed must conform to
existing policies, rules, regulations and laws that the
organization is subject ...
... implementable nor enforceable is useless.
Since a computer security policy can affect everyone in an
organization, it is worth taking some care to make sure you have
the right level of authority ...
... groups concerned with
security who would consider a computer security policy to be their
area. Some of the types of groups that might be involved include
...
A key element of a computer security policy is making sure
everyone knows their own responsibility for maintaining security.
A computer security policy cannot anticipate all possibilities;
however, it can ensure that each kind of problem does have someone
assigned to deal with it.
...
One of the most important reasons for creating a computer security
policy is to ensure that efforts spent on security yield cost
effective benefits. Although this may seem obvious, it is
...
There are a number of issues that must be addressed when developing a
security policy. These are:
1. Who is allowed to use the resources?
...
One step you must take in developing your security policy is
defining who is allowed to use your system and services. The
...
... accountable to some authority and this should also be identified
within the site's security policy. If the people you grant
privileges to are not accountable, you run the risk of losing
...
... need to define actions based on the type of violation, you also
need to have a clearly defined series of actions based on the kind
of user violating your computer security policy. This all seems
rather complicated, but should be addressed long before it becomes
necessary as the result of a violation.
...
In the event that a local user violates the security policy of a
remote site, the local site should have a clearly defined set of
administrative actions to take concerning that local user. The
...
... site should also be prepared to protect itself against possible
actions by the remote site. These situations involve legal issues
which should be addressed when forming the security policy.
...
The local security policy should include procedures for
interaction with outside organizations. These include law
enforcement agencies, other sites, external response team
...
... identified. If the culprit is an employee or a student, the
organization may choose to take disciplinary actions. The computer
security policy needs to spell out the choices and how they will be
selected if an intruder is caught.
...
Once the site security policy has been written and established, a
vigorous process should be engaged to ensure that the policy
statement is widely and thoroughly disseminated and discussed. A
...
... In addition to the initial efforts to publicize the policy, it is
essential for the site to maintain a continual awareness of its
computer security policy. Current users may need periodic reminders.
New users should have the policy included as part of their site
introduction packet. As a condition for using the site facilities,
...
The security policy defines what needs to be protected. This section
discusses security procedures which specify what steps will be used
to carry out the security policy.
...
... Security Policy Defines What Needs to be Protected ...
...
The security policy defines the WHAT's: what needs to be protected,
what is most important, what the priorities are, and what the general
...
... security problems should be.
The security policy by itself doesn't say HOW things are protected.
That is the role of security procedures, which this section
discusses. The security policy should be a high level document,
giving general strategy. The security ...
... detail, the precise steps your site will take to protect itself.
The security policy should include a general risk assessment of the
types of threats a site is most likely to face and the consequences
of those threats (see section 2.2). Part of doing a risk assessment
...
... the risk they face, and other areas that aren't protected enough.
Starting with the security policy and the risks it outlines should
ensure that the procedures provide the right level of protection for all
assets.
...
... The controls that are selected represent the physical embodiment
of your security policy. They are the first and primary line of
defense in the protection of your assets. It is therefore most
...
... Common sense is the most appropriate tool that can be used to
establish your security policy. Elaborate security schemes and
mechanisms are impressive, and they do have their place, yet there
...
... Sections 2.4 and 2.5 discussed the course of action a site should
take when it suspects its systems are being abused. The computer
security policy should state the general approach towards dealing
with these problems.
...
... Communicating Security Policy ...
...
Security policies, in order to be effective, must be communicated to
both the users of the system and the system maintainers. This
section describes what these people should be told, and how to tell
...
... This section discusses software, hardware, and procedural resources
that can be used to support your site security policy.
...
... When a security audit is mandated, great care should be used in
devising tests of the security policy. It is important to clearly
identify what is being tested, how the test will be conducted, and
the results expected from the test. This should all be documented and
included in or as an adjunct to the security policy document
itself.
It is important to test all aspects of the security policy, both
procedural and automated, with a particular emphasis on the
automated mechanisms used to enforce the policy. Tests should be
...
Keep in mind that there is a limit to the reasonableness of tests.
The purpose of testing is to ensure confidence that the security
policy is being correctly enforced, and not to "prove" the
absoluteness of the system or policy. The goal should be to
obtain some assurance that the reasonable and credible controls
imposed by your security policy are adequate.
...
... network management may have rules about what the
network may be used for. Therefore, it is important for any security
policy to define an adequate account management procedure for both
administrators ...
... development process. However, it is certainly applicable in an
operational sense as well. Consider that since many of the
system level programs are intended to enforce the security policy, it
is important that these be "known" as correct. That is, one should
not allow system level programs (such as the operating system ...
... and authorized hardware configuration should be given due
consideration in your security policy.
...
... deemed desirable.
All four steps should provide feedback to the site security policy
committee, leading to prompt re-evaluation and amendment of the
...
... addresses and fax numbers) in the site
security policy is strongly recommended. To aid prompt
acknowledgment and understanding of the problem, the flaw should be
described in as much detail as possible, including details about how
...
... security problems and multiple views of the site's security
issues. This subgroup can also act to develop the site
security policy and make suggested changes as necessary to
ensure site security.
...
This book serves as a good guide to the issues encountered
in forming computer security policies and procedures. The
book is designed as a textbook for an introductory course
in information systems security ...
... of a configuration audit, the completed change can be
verified to be functionally correct, and for trusted
systems, consistent with the security policy of the system.
[NTISS]
...
