Each site has unique security requirements. Some
sites require only limited measures because they are able to tolerate
some forms of unauthorized access with little adverse effect. At the
other extreme are those sites that cannot tolerate even the slightest
probing, such as strategic military defense centers. In between are
many commercial sites, such as banks.
While there are many considerations in determining
your security needs, the questions in “Event Tolerance as a Measure of Security Requirements” can get you started. Your answers
can help determine the levels of your security needs. Also see the “Site Security Policies” for a
more specific example of site security requirements.
Table 1-1 Event Tolerance as a Measure of Security Requirements
| Question: Could you
tolerate the following event? | Level of Security Requirements Based on Toleration Responses |
| | Low | Medium | High |
A user
knowing the images being executed on your system | Y | Y | N |
A user
knowing the names of another user's files | Y | Y | N |
A user
accessing the file of another user in the group | Y | Y | N |
An
outsider knowing the name of the system just dialed into | Y | Y | N |
A user
copying files of other users | Y | N | N |
A user
reading another user's electronic mail | Y | N | N |
A user
writing data into another user's file | Y | N | N |
A user
deleting another user's file | Y | N | N |
A user
being able to read sections of a disk that might contain various old
files | Y | N | N |
A user consuming
machine time and resources to perform unrelated or unauthorized work,
possibly even playing games | Y | N | N |
If you can tolerate most of the events listed,
your security requirements are quite low. If your answers are mixed,
your requirements are in the medium to high range. Generally, those
sites that are most intolerant to the listed events have very high
levels of security requirements.
When you review your site's security needs,
do not confuse a weakness in site operations or recovery procedures
as a security problem. Ensure that your operations policies are effective
and consistent before evaluating your system security requirements.
