RFC 1244 (rfc1244) - Page 2 of 102


Site Security Handbook



Alternative Format: Original Text Document

< Previous
Next >


RFC 1244                 Site Security Handbook                July 1991


   Finally, we intend for this FYI RFC to grow and evolve.  Please send
   comments and suggestions to: ssphwg@cert.sei.cmu.edu.

Table of Contents

1.  Introduction.....................................................  3
1.1  Purpose of this Work............................................  3
1.2  Audience........................................................  3
1.3  Definitions.....................................................  4
1.4  Related Work....................................................  4
1.5  Scope...........................................................  4
1.6  Why Do We Need Security Policies and Procedures?................  5
1.7  Basic Approach..................................................  7
1.8  Organization of this Document...................................  7
2.  Establishing Official Site Policy on Computer Security...........  9
2.1  Brief Overview..................................................  9
2.2  Risk Assessment................................................. 10
2.3  Policy Issues................................................... 13
2.4  What Happens When the Policy Is Violated........................ 19
2.5  Locking In or Out............................................... 21
2.6  Interpreting the Policy......................................... 23
2.7  Publicizing the Policy.......................................... 23
3.  Establishing Procedures to Prevent Security Problems............. 24
3.1  Security Policy Defines What Needs to be Protected.............. 24
3.2  Identifing Possible Problems.................................... 24
3.3  Choose Controls to Protect Assets in a Cost-Effective Way....... 26
3.4  Use Multiple Strategies to Protect Assets....................... 26
3.5  Physical Security............................................... 27
3.6  Procedures to Recognize Unauthorized Activity................... 27
3.7  Define Actions to Take When Unauthorized Activity is Suspected.. 29
3.8  Communicating Security Policy................................... 30
3.9  Resources to Prevent Security Breaches.......................... 34
4.  Types of Security Procedures..................................... 56
4.1  System Security Audits.......................................... 56
4.2  Account Management Procedures................................... 57
4.3  Password Management Procedures.................................. 57
4.4  Configuration Management Procedures............................. 60
5.  Incident Handling................................................ 61
5.1  Overview........................................................ 61
5.2  Evaluation...................................................... 65
5.3  Possible Types of Notification.................................. 67
5.4  Response........................................................ 71
5.5  Legal/Investigative............................................. 73
5.6  Documentation Logs.............................................. 77
6.  Establishing Post-Incident Procedures............................ 78
6.1  Overview........................................................ 78
6.2  Removing Vulnerabilities........................................ 78
6.3  Capturing Lessons Learned....................................... 80



Site Security Policy Handbook Working Group


< Previous
Next >


Web Standards & Support:

Link to and support eLook.org Powered by LoadedWeb Web Hosting
Valid XHTML 1.0! Valid CSS! eLook.org FireFox Extensions