management
... The audience for this document are system and network administrators,
and decision makers (typically "middle management") at sites. For
brevity, we will use the term "administrator" throughout this
...
... needs to have the acceptance and support of all levels of employees
within the organization. It is especially important that corporate
management fully support the security policy process otherwise there
is little chance that they will have the intended impact. The
...
... responsible management ...
... The list above is representative of many organizations, but is not
necessarily comprehensive. The idea is to bring in representation
from key stakeholders, management who have budget and policy
authority, technical staff who know what can and cannot be supported,
...
... It must clearly define the areas of responsibility for the
users, administrators, and management.
...
... privileges to
protect assets from loss or disclosure by specifying acceptable
use guidelines for users, operations staff, and management. It
should provide guidelines for external connections, data
...
... An Accountability Policy which defines the responsibilities of
users, operations staff, and management. It should specify an
audit capability, and provide incident handling guidelines
(i.e., what to do and who to contact if a possible intrusion is
...
... Supporting Information which provides users, staff, and
management with contact information for each type of policy
violation; guidelines on how to handle outside queries about a
...
... Once your security policy has been established it should be clearly
communicated to users, staff, and management. Having all personnel
sign a statement indicating that they have read, understood, and
agreed to abide by the policy is an important part of the process.
...
... networks and the routers which interconnect them. Infrastructure
also includes network management (e.g., SNMP), services (e.g., DNS ...
... IP address spoofing, packet sniffing, etc. Users and site management
must appreciate the risks involved. If you decide to provide walk-up
connections ...
... encrypting your backups to provide additional protection
of the information once it is off-site. However, be aware that
you will need a good key management scheme so that you'll be
able to recover data at any point in the future. Also, make
sure you will have access to the necessary decryption ...
... critical
systems) might be the reason for not analyzing an incident. Of
course, this is an important management decision; but all involved
parties must be aware that without analysis the same incident may
happen again.
...
... enforcement and other external agencies to assure that multi-agency
involvement occurs. The level of involvement will be determined by
management decisions as well as legal constraints.
...
... point to be made is that all sites should have policies in place.
Without defined policies and goals, activities undertaken will remain
without focus. The goals should be defined by management and legal
counsel in advance.
...
... confusion. While it is more difficult to describe the incident to a
non-technical audience, it is often more important. A non-technical
description may be required for upper-level management, the press, or
law enforcement liaisons. The importance ...
... details will provide evidence for prosecution efforts, providing the
case moves in that direction. Documenting an incident will also help
you perform a final assessment of damage (something your management,
as well as law enforcement officers, will want to know), and will
provide the basis for later phases of the handling process:
...
... contact all involved parties to discuss the decision. In the absence
of predefined procedures, the person in charge of the incident will
often not have the power to make difficult management decisions (like
to lose the results of a costly experiment by shutting down a
system). A final activity that should occur during this stage of
...
... also help justify an organization's computer security effort to
management.
...
... security policy and has developed procedures to assist in the
configuration and management of your technology in support of those
policies. How nice it would be if you could sit back and relax at
this point and know that you were finished with the job of security ...
... British Standard, BS Tech Cttee BSFD/12, Info. Sec. Mgmt, "BS 7799 : 1995 Code of Practice for Information Security Management", British Standards Institution, London, 54, Effective 15 February 1995. ...
... Department of Defense, "Password Management Guideline", CSC-STD-002-85, 12 April 1985, 31 pages. ...
... Security - Virus Highlights Need for Improved Internet Management", United States General Accounting Office, Washington, DC, 1989. ...
... W. Lu and M. Sundareshan, "Secure Communication in Internet Environments: A Hierarchical Key Management Scheme for End-to-End Encryption", IEEE Transactions ...
... NCSC, "A Guide to Understanding CONFIGURATION MANAGEMENT in Trusted Systems", NCSC-TG-006, Version-1, 28 March 1988, 31 pages. ...
... National Institute of Standards and Technology, "Computer Viruses and Related Threats: A Management Guide", NIST Special Publication 500-166, August 1989. ...
... I. Palmer, and G. Potter, "Computer Security Risk Management", Van Nostrand Reinhold, NY, 1989. ...
... M. Ranum, "An Internet Firewall", Proceedings of World Conference on Systems Management and Security, 1992. ...
