RFC 2196 Site Security Handbook September 1997
The "Internet" is a collection of thousands of networks linked by a
common set of technical protocols which make it possible for users of
any one of the networks to communicate with, or use the services
located on, any of the other networks (FYI4, RFC 1594).
The term "administrator" is used to cover all those people who are
responsible for the day-to-day operation of system and network
resources. This may be a number of individuals or an organization.
The term "security administrator" is used to cover all those people
who are responsible for the security of information and information
technology. At some sites this function may be combined with
administrator (above); at others, this will be a separate position.
The term "decision maker" refers to those people at a site who set or
approve policy. These are often (but not always) the people who own
the resources.
1.4 Related Work
The Site Security Handbook Working Group is working on a User's Guide
to Internet Security. It will provide practical guidance to end users
to help them protect their information and the resources they use.
1.5 Basic Approach
This guide is written to provide basic guidance in developing a
security plan for your site. One generally accepted approach to
follow is suggested by Fites et al. [Fites 1989] and includes the
following steps:
(1) Identify what you are trying to protect.
(2) Determine what you are trying to protect it from.
(3) Determine how likely the threats are.
(4) Implement measures which will protect your assets in a cost-effective manner.
(5) Review the process continuously and make improvements each time
a weakness is found.
Most of this document is focused on item 4 above, but the other steps
cannot be avoided if an effective plan is to be established at your
site. One old truism in security is that the cost of protecting
yourself against a threat should be less than the cost of recovering
if the threat were to strike you. Cost in this context should be
remembered to include losses expressed in real currency, reputation,
trustworthiness, and other less obvious measures. Without reasonable
knowledge of what you are protecting and what the likely threats are,
following this rule could be difficult.
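The steps above and the cost rule can be made concrete with a small risk register. The following is an added example, not text or code from RFC 2196 or its authors: every asset, threat, likelihood, cost figure and countermeasure name in it is constructed for illustration, and the "expected loss equals likelihood times recovery cost" weighting is the assumption used to compare protection cost against recovery cost.

```python
"""Added example (not part of RFC 2196): a minimal risk register that walks the
steps the handbook quotes from Fites et al. -- identify assets (1), the threats
to them (2), how likely each threat is (3), and keep only the countermeasures
whose yearly cost is below the loss they are expected to prevent (4).
All names and figures below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    annual_likelihood: float   # probability the threat strikes within a year (0..1)
    recovery_cost: float       # cost of recovering if it does; monetised to include
                               # reputation and trust losses, as the handbook advises
    control: str               # candidate countermeasure (hypothetical name)
    control_cost: float        # yearly cost of running that countermeasure


@dataclass
class Asset:
    name: str
    threats: list = field(default_factory=list)


def expected_loss(threat: Threat) -> float:
    """Step 3 turned into a number: likelihood times recovery cost (assumed model)."""
    return threat.annual_likelihood * threat.recovery_cost


def cost_effective(threat: Threat) -> bool:
    """The handbook's truism: protect only if protecting costs less than recovering."""
    return threat.control_cost < expected_loss(threat)


def plan(assets):
    """Step 4: one row per (asset, threat) with the control, the expected yearly loss
    and whether the control is worth its cost, ordered worst expected loss first so
    decision makers see priorities before they see detail."""
    rows = []
    for asset in assets:
        for t in asset.threats:
            rows.append((asset.name, t.name, t.control,
                         round(expected_loss(t), 2), cost_effective(t)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed sample register: the figures are illustrative, not measurements.
SAMPLE_ASSETS = [
    Asset("mail server", [
        Threat("disk failure", 0.25, 8000.0, "nightly off-site backup", 1500.0),
        Threat("misdelivery after misconfiguration", 0.5, 300.0,
               "review every configuration change", 2000.0),
    ]),
    Asset("user password file", [
        Threat("offline guessing after a leak", 0.125, 20000.0,
               "shadowed, salted password hashing", 200.0),
    ]),
]

if __name__ == "__main__":
    for asset, threat, control, loss, worth_it in plan(SAMPLE_ASSETS):
        verdict = "adopt" if worth_it else "skip (costs more than it saves)"
        print(f"{asset:20} {threat:36} {control:36} {loss:8.2f}  {verdict}")
```

Step 5 is the part no register can automate: rerun the plan whenever a likelihood estimate changes or a weakness is found, since the ordering and the adopt/skip verdicts are only as good as the estimates fed in.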
Fraser, Ed. Informational [Page 4]