RFC2196 - Page 6


RFC 2196              Site Security Handbook              September 1997


   (2)  Software: source programs, object programs,
        utilities, diagnostic programs, operating systems,
        communication programs.

   (3)  Data: during execution, stored on-line, archived off-line,
        backups, audit logs, databases, in transit over
        communication media.

   (4)  People: users, administrators, hardware maintainers.

   (5)  Documentation: on programs, hardware, systems, local
        administrative procedures.

   (6)  Supplies: paper, forms, ribbons, magnetic media.

1.6.3  Identifying the Threats

   Once the assets requiring protection are identified, it is necessary
   to identify threats to those assets.  The threats can then be
   examined to determine what potential for loss exists.  It helps to
   consider from what threats you are trying to protect your assets.
   The following are classic threats that should be considered.
   Depending on your site, there will be more specific threats that
   should be identified and addressed.

   (1)  Unauthorized access to resources and/or information
   (2)  Unintended and/or unauthorized disclosure of information
   (3)  Denial of service

2.  Security Policies

   Throughout this document there will be many references to policies.
   Often these references will include recommendations for specific
   policies. Rather than repeat guidance in how to create and
   communicate such a policy, the reader should apply the advice
   presented in this chapter when developing any policy recommended
   later in this book.

2.1  What is a Security Policy and Why Have One?

   The security-related decisions you make, or fail to make, as
   administrator largely determine how secure or insecure your network
   is, how much functionality your network offers, and how easy your
   network is to use.  However, you cannot make good decisions about
   security without first determining what your security goals are.
   Until you determine what your security goals are, you cannot make
   effective use of any collection of security tools because you simply
   will not know what to check for and what restrictions to impose.



Fraser, Ed.                Informational                        [Page 6]
