There are two sources of security problems outside the operating
system domain: employee carelessness and facility vulnerability. If
you have a careless or malicious employee or your facility is insecure,
none of the security measures discussed in this guide will protect
you from security breaches.

Most system penetration occurs through these environmental
weaknesses. It is much easier to physically remove a small reel of
tape than it is to break access protection codes or change file protection.
HP strongly encourages you to stress environmental
considerations as well as operating system protection when reviewing
site security.

This book discusses operating system security
measures. When deciding which of these measures to implement, it is
important for you to assess site security needs realistically. While
instituting adequate security for your site is essential, instituting
more security than actually necessary is costly and time-consuming.

When deciding which security measures to apply
to your system, remember the following:

- The most secure system is also the most difficult to use.
- Increasing security can increase costs in terms of slower access
  to data, slower machine operations, and slower system performance.
- More security measures require more personnel time.

The operating system provides the basic mechanisms
to control access to the system and its data. It also provides monitoring
tools to ensure that access is restricted to authorized users. However,
many computer crimes are committed by authorized users with no violation
of the operating system's security controls.

Therefore, the security of your operation depends
on how you apply these security features and how you control your
employees and your site. By first building appropriate supervisory
controls into your application and designing your application with
the goal of minimizing opportunities for abuse, you can then implement
operating system and site security features and produce a less vulnerable
environment. For an example of one organization's security plan,
see “Managing the System and its Data”.