RFC 1244 Site Security Handbook July 1991
decisions on what you want to protect. The old security adage
says that you should not spend more to protect something than it
is actually worth.
A full treatment of risk analysis is outside the scope of this
document. [3, FITES] and [16, PFLEEGER] provide introductions to
this topic. However, there are two elements of a risk analysis
that will be briefly covered in the next two sections:
1. Identifying the assets
2. Identifying the threats
For each asset, the basic goals of security are availability,
confidentiality, and integrity. Each threat should be examined
with an eye to how the threat could affect these areas.
2.2.2 Identifying the Assets
One step in a risk analysis is to identify all the things that
need to be protected. Some things are obvious, like all the
various pieces of hardware, but some are overlooked, such as the
people who actually use the systems. The essential point is to
list all things that could be affected by a security problem.
One list of categories is suggested by Pfleeger [16, PFLEEGER,
page 459]; this list is adapted from that source:
1. Hardware: CPUs, boards, keyboards, terminals,
workstations, personal computers, printers, disk
drives, communication lines, terminal servers, routers.
2. Software: source programs, object programs,
utilities, diagnostic programs, operating systems,
communication programs.
3. Data: during execution, stored on-line, archived off-line,
backups, audit logs, databases, in transit over
communication media.
4. People: users, people needed to run systems.
5. Documentation: on programs, hardware, systems, local
administrative procedures.
6. Supplies: paper, forms, ribbons, magnetic media.
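The two elements of the risk analysis sketched above (list the assets by category, then examine each threat against availability, confidentiality and integrity) and the opening adage about not spending more on protection than an asset is worth can be put into a small asset register. The following is an added example written for this page; it is not part of RFC 1244 or of the Fites or Pfleeger texts it cites. The handbook gives no formula, so the example assumes the common annualized-loss-expectancy estimate (asset value multiplied by a threat's annual probability and its impact fraction) and uses constructed sample assets and figures; the Asset, Threat and control_is_justified names are this example's own.

```python
"""Added example (not from RFC 1244): a minimal asset/threat register.

Assumptions not stated in the handbook: each asset gets an estimated
value, each threat gets an annual probability and an impact fraction,
and the expected annual loss is value * probability * impact (the
usual annualized-loss-expectancy estimate).  A control is worth buying
only when its annual cost is below the loss it prevents, which is the
"old security adage" the handbook quotes.
"""
from dataclasses import dataclass, field

# Pfleeger's asset categories as reproduced in the handbook.
CATEGORIES = ("hardware", "software", "data", "people", "documentation", "supplies")

# The three basic security goals the handbook names for every asset.
GOALS = ("availability", "confidentiality", "integrity")


@dataclass
class Threat:
    name: str
    affects: tuple             # subset of GOALS that this threat degrades
    annual_probability: float  # constructed estimate in [0, 1]
    impact: float              # fraction of asset value lost per occurrence, [0, 1]

    def __post_init__(self):
        unknown = set(self.affects) - set(GOALS)
        if unknown:
            raise ValueError(f"unknown security goal(s): {sorted(unknown)}")
        if not (0.0 <= self.annual_probability <= 1.0 and 0.0 <= self.impact <= 1.0):
            raise ValueError("probability and impact must lie in [0, 1]")


@dataclass
class Asset:
    name: str
    category: str
    value: float               # replacement or loss value in currency units
    threats: list = field(default_factory=list)

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown asset category: {self.category}")

    def expected_annual_loss(self, threat):
        # Annualized loss expectancy for one threat against this asset.
        return self.value * threat.annual_probability * threat.impact

    def total_expected_annual_loss(self):
        return sum(self.expected_annual_loss(t) for t in self.threats)

    def goals_at_risk(self):
        # Which of availability/confidentiality/integrity any listed threat touches.
        return tuple(g for g in GOALS if any(g in t.affects for t in self.threats))


def control_is_justified(asset, threat, annual_control_cost, effectiveness=1.0):
    """True when the control costs less per year than the loss it prevents."""
    prevented = asset.expected_annual_loss(threat) * effectiveness
    return annual_control_cost < prevented


def build_sample_register():
    # Constructed sample data; every figure here is illustrative only.
    fire = Threat("fire in machine room", ("availability",), 0.01, 1.0)
    disk_crash = Threat("disk failure without backup", ("availability", "integrity"), 0.10, 0.5)
    leak = Threat("unauthorized copy of customer file", ("confidentiality",), 0.05, 0.8)
    return [
        Asset("file server", "hardware", 20000.0, [fire, disk_crash]),
        Asset("customer database", "data", 500000.0, [disk_crash, leak]),
        Asset("operator run-book", "documentation", 2000.0, [fire]),
    ]


if __name__ == "__main__":
    for asset in build_sample_register():
        print(f"{asset.name:20s} {asset.category:14s} "
              f"EAL={asset.total_expected_annual_loss():10.2f} "
              f"goals={asset.goals_at_risk()}")
    server = build_sample_register()[0]
    print("off-site backup for the file server justified at 300/yr:",
          control_is_justified(server, server.threats[1], 300.0))
```

The register enforces the two checks the handbook asks for: an asset must fall into one of the listed categories, and a threat must name which of the three security goals it affects. The comparison in control_is_justified is the whole point of the adage: a control that costs more each year than the loss it would prevent is not worth buying, however sound it is technically.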
Site Security Policy Handbook Working Group [Page 11]