RFC 1244 Site Security Handbook July 1991
2. Establishing Official Site Policy on Computer Security
2.1 Brief Overview
2.1.1 Organization Issues
The goal in developing an official site policy on computer
security is to define the organization's expectations of proper
computer and network use and to define procedures to prevent and
respond to security incidents. In order to do this, aspects of
the particular organization must be considered.
First, the goals and direction of the organization should be
considered. For example, a military base may have very different
security concerns from those of a university.
Second, the site security policy developed must conform to
existing policies, rules, regulations and laws that the
organization is subject to. Therefore it will be necessary to
identify these and take them into consideration while developing
the policy.
Third, unless the local network is completely isolated and
standalone, it is necessary to consider security implications in a
more global context. The policy should address the issues when
local security problems develop as a result of a remote site as
well as when problems occur on remote systems as a result of a
local host or user.
2.1.2 Who Makes the Policy?
Policy creation must be a joint effort by technical personnel, who
understand the full ramifications of the proposed policy and the
implementation of the policy, and by decision makers who have the
power to enforce the policy. A policy which is neither
implementable nor enforceable is useless.
Since a computer security policy can affect everyone in an
organization, it is worth taking some care to make sure you have
the right level of authority in on the policy decisions. Though a
particular group (such as a campus information services group) may
have responsibility for enforcing a policy, an even higher group
may have to support and approve the policy.
2.1.3 Who is Involved?
Establishing a site policy has the potential for involving every
computer user at the site in a variety of ways. Computer users
Site Security Policy Handbook Working Group [Page 9]