RFC1244 - Page 30

• Title: Site Security Handbook
• Author: J.P. Holbrook, J.K. Reynolds
• Date: July 1, 1991

Page Navigation:

1  2  3  4  5  6  7  8  9  10  11  12  13  14  15  16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31  32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47  48  49  50  51  52  53  54  55  56  57  58  59  60  61  62  63  64  65  66  67  68  69  70  71  72  73  74  75  76  77  78  79  80  81  82  83  84  85  86  87  88  89  90  91  92  93  94  95  96  97  98  99  100  101 

Printable Version: RFC1244.PDF

RFC 1244                 Site Security Handbook                July 1991


      The procedures for dealing with these types of problems should be
      written down.  Who has authority to decide what actions will be
      taken?  Should law enforcement be involved?  Should your
      organization cooperate with other sites in trying to track down an
      intruder?  Answers to all the questions in section 2.4 should be
      part of the incident handling procedures.

      Whether you decide to lock out or pursue intruders, you should
      have tools and procedures ready to apply.  It is best to work up
      these tools and procedures before you need them.  Don't wait until
      an intruder is on your system to figure out how to track the
      intruder's actions; you will be busy enough if an intruder
      strikes.

3.8  Communicating Security Policy

   Security policies, in order to be effective, must be communicated to
   both the users of the system and the system maintainers.  This
   section describes what these people should be told, and how to tell
   them.

   3.8.1  Educating the Users

      Users should be made aware of how the computer systems are
      expected to be used, and how to protect themselves from
      unauthorized users.

      3.8.1.1  Proper Account/Workstation Use

         All users should be informed about what is considered the
         "proper" use of their account or workstation ("proper" use is
         discussed in section 2.3.2).  This can most easily be done at
         the time a user receives their account, by giving them a policy
         statement.  Proper use policies typically dictate things such
         as whether or not the account or workstation may be used for
         personal activities (such as checkbook balancing or letter
         writing), whether profit-making activities are allowed, whether
         game playing is permitted, and so on.  These policy statements
         may also be used to summarize how the computer facility is
         licensed and what software licenses are held by the
         institution; for example, many universities have educational
         licenses which explicitly prohibit commercial uses of the
         system.  A more complete list of items to consider when writing
         a policy statement is given in section 2.3.

      3.8.1.2  Account/Workstation Management Procedures

         Each user should be told how to properly manage their account



Site Security Policy Handbook Working Group                    [Page 30]