RFC 1244 Site Security Handbook July 1991
6.3.2.2 Repository of Books, Lists, Information Sources
Keep an on-site collection of books, lists, information
sources, etc., as guides and references for securing the
system. Keep this collection up to date. Remember, as systems
change, so do security methods and problems.
6.3.2.3 Form a Subgroup
Form a subgroup of system administration personnel that will be
the core security staff. This will allow discussions of
security problems and multiple views of the site's security
issues. This subgroup can also act to develop the site
security policy and make suggested changes as necessary to
ensure site security.
6.4 Upgrading Policies and Procedures
6.4.1 Establish Mechanisms for Updating Policies, Procedures,
and Tools
If an incident is based on poor policy and the policy is not
changed, then one is doomed to repeat the past. Once a site has
recovered from an incident, site policy and procedures should be
reviewed to encompass changes to prevent similar incidents. Even
without an incident, it would be prudent to review policies and
procedures on a regular basis. Reviews are imperative due to
today's changing computing environments.
6.4.2 Problem Reporting Procedures
A problem reporting procedure should be implemented to describe,
in detail, the incident and the solutions to the incident. Each
incident should be reviewed by the site security subgroup so that
the incident is understood and possible changes to the site policy
and procedures can be suggested.
7. References
[1] Quarterman, J., "The Matrix: Computer Networks and Conferencing
Systems Worldwide", Pg. 278, Digital Press, Bedford, MA, 1990.
[2] Brand, R., "Coping with the Threat of Computer Security
Incidents: A Primer from Prevention through Recovery", R. Brand,
available on-line from: cert.sei.cmu.edu:/pub/info/primer, 8 June
1990.
[3] Fites, M., Kratz, P. and A. Brebner, "Control and Security of
Site Security Policy Handbook Working Group [Page 81]