
RFC 1244                 Site Security Handbook                July 1991


         rogue packet, jamming, or by a disabled network component.  A
         virus might slow down or cripple a computer system.  Each site
         should determine which services are essential, and for each of
         these services determine the effect on the site if that service
         were to become disabled.

2.3  Policy Issues

   There are a number of issues that must be addressed when developing a
   security policy.  These are:

      1.  Who is allowed to use the resources?
      2.  What is the proper use of the resources?
      3.  Who is authorized to grant access and approve usage?
      4.  Who may have system administration privileges?
      5.  What are the user's rights and responsibilities?
      6.  What are the rights and responsibilities of the
          system administrator vs. those of the user?
      7.  What do you do with sensitive information?

   These issues will be discussed below.  In addition you may wish to
   include a section in your policy concerning ethical use of computing
   resources.  Parker, Swope and Baker [17, PARKER90] and Forester and
   Morrison [18, FORESTER] are two useful references that address
   ethical issues.

   2.3.1  Who is Allowed to use the Resources?

      One step you must take in developing your security policy is
      defining who is allowed to use your system and services.  The
      policy should explicitly state who is authorized to use what
      resources.

   2.3.2  What is the Proper Use of the Resources?

      After determining who is allowed access to system resources it is
      necessary to provide guidelines for the acceptable use of the
      resources.  You may have different guidelines for different types
      of users (i.e., students, faculty, external users).  The policy
      should state what is acceptable use as well as unacceptable use.
      It should also include types of use that may be restricted.

      Define limits to access and authority.  You will need to consider
      the level of access various users will have and what resources
      will be available or restricted to various groups of people.

      Your acceptable use policy should clearly state that individual
      users are responsible for their actions.  Their responsibility



Site Security Policy Handbook Working Group                    [Page 13]

