Passwords | Schedule for password changes. |
| Process for controlling minimum password length and expiration periods. |
| Schedule for system password changes. |
Accounts | Procedure to grant accounts on computer systems, for example, statement of need, signature of requester, requester's manager, system manager, or person setting up the account. (Accounts can never be shared.) |
| Procedure to deactivate accounts due to organizational changes, for example, employee transfers or terminations. |
| Timetable for reauthorizing accounts, usually once every 6 to 12 months. |
| Directive to deactivate accounts that are not used on a regular basis. |
| Time periods for access. |
| Timetable for expiring accounts. |
| Procedure for requesting privileges that rigorously controls allocation. |
| Requirement to use nonprivileged accounts for privileged users performing normal system activity. |
| Schedule for verifying inactive accounts. |
| List of approved security tools. |
Security events to audit | Logins from selected or all sources. |
| Changes to authorization file records. |
| Other uses of privilege and system management actions. |
| Modifications to the known file list through the Install utility. |
| Modification to the network configuration database, using the network control program (NCP). |
Physical access to the computer room | A written list of authorized personnel with the reason for access included. Typically, one person would be responsible for keeping this list current. |
| Storage of a visitor log in a secure area. |
| Locked access doors and a documented procedure for assigning keys, key cards, and combinations. (These access controls change periodically and on transfer or termination of employees.) |
Physical access to terminals and personal computers located outside the computer room | Use of programs to log out terminals that have not been used for a given period of time. |
| Security awareness programs for the organization (beyond computer personnel); topics may include: maintaining a list of approved software; keeping desktops clear of hardcopy information relating to the computer system, network passwords, and other system account information; locking disks and file cabinets; keeping diskettes inaccessible in or near workstations; keeping keys out of open view. |
Dialup numbers | List of authorized users. |
| Schedule for changing numbers periodically and procedures for notifying users of number changes. |
| A policy to minimize publishing dialup numbers. |
| Policy about changing passwords periodically and when employees with access are terminated. |
| Password protection, either in the modems or terminal servers, or system passwords on host dialup ports. |
| Documentation available about: details about the network; terminal equipment installed; terminal switching systems; details about all terminal devices connected to the network; details about all dialup equipment. |
Communications | Denial of access into privileged accounts if using passwords over TCP/IP, LAT, or Ethernet links. |
| Use of authentication cards for network logins into privileged accounts. |