HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 6 Managing the System and its Data

Site Security Policies

An organization's management usually establishes a brief security policy for its employees to emphasize the behavior it expects of them. For example, such a policy may state that employees should not give away company data or share passwords.

The managers of divisions or computer sites develop the detailed security policy. It is a written set of guidelines on the use of passwords and system accounts, physical access to the computer systems, communication devices, and computer terminals, and the types of security-relevant events to audit. These security guidelines might be followed by more specific statements applying to particular operating system enviroments.

The complexity of a security policy eventually depends on whether the division has high, medium, or low security requirements. “Understanding System Security”Chapter 1 provides a set of questions that can help an organization determine its needs.

As an example, a site security policy often defines which company employees have access to certain systems and the type of access available to the personnel performing nonroutine tasks and development. Sometimes a policy can provide an intricate set of rules for determining system access. “Example of a Site Security Policy” presents the policy developed by one division.

Table 6-1 Example of a Site Security Policy

Security Area Site Requirements

Passwords

Schedule for password changes.

 

Process for controlling minimum password length and expiration periods.

 

Schedule for system password changes.

Accounts

Procedure to grant accounts on computer systems, for example, statement of need, signature of requester, requester's manager, system manager, or person setting up the account. (Accounts can never be shared.)

 

Procedure to deactivate accounts due to organizational changes, for example, employee transfers or terminations.

 

Timetable for reauthorizing accounts, usually once every 6 to 12 months.

 

Directive to deactivate accounts that are not used on a regular basis.

 

Time periods for access.

 

Timetable for expiring accounts.

 

Procedure for requesting privileges that rigorously controls allocation.

 

Requirement to use nonprivileged accounts for privileged users performing normal system activity.

 

Schedule for verifying inactive accounts.

 

List of approved security tools.

Security events to audit

Logins from selected or all sources.

 

Changes to authorization file records.

 

Other uses of privilege and system management actions.

 

Modifications to the known file list through the Install utility.

 

Modification to the network configuration database, using the network control program (NCP).

Physical access to the computer room

A written list of authorized personnel with the reason for access included. Typically, one person would be responsible for keeping this list current.

 

Storage of a visitor log in a secure area.

 

Locked access doors and a documented procedure for assigning keys, key cards, and combinations. (These access controls change periodically and on transfer or termination of employees.)

Physical access to terminals and personal computers located outside the computer room

Use of programs to log out terminals that have not been used for a given period of time.

 

Security awareness programs for the organization (beyond computer personnel); topics may include:

  • Maintaining a list of approved software.

  • Keeping desktops clear of hardcopy information relating to the computer system, network passwords, and other system account information.

  • Locking disks and file cabinets.

  • Keeping diskettes inaccessible in or near workstations.

  • Keeping keys out of open view.

Dialup numbers

List of authorized users.

 

Schedule for changing numbers periodically and procedures for notifying users of number changes.

 

A policy to minimize publishing dialup numbers.

 

Policy about changing passwords periodically and when employees with access are terminated.

 

Password protection, either in the modems or terminal servers, or system passwords on host dialup ports.

 

Documentation available about:

  • A dial-back system

  • Details about the network

  • Terminal equipment installed

  • Terminal switching systems

  • Details about all terminal devices connected to the network

  • Details about all dialup equipment

Communications

Denial of access into privileged accounts if using passwords over TCP/IP, LAT, or Ethernet links.

 

Use of authentication cards for network logins into privileged accounts.