Site Security Handbook
RFC 1244
| Section | Field | Value |
|---|---|---|
| Document | Type | RFC - Informational (July 1991; No errata). Obsoleted by RFC 2196 |
| Document | Authors | Paul Holbrook, Joyce Reynolds |
| Document | Last updated | 2013-03-02 |
| Document | Stream | Legacy |
| Document | Formats | plain text, html, pdf, htmlized, bibtex |
| Stream | Legacy state | (None) |
| Stream | Consensus Boilerplate | Unknown |
| Stream | RFC Editor Note | (None) |
| IESG | IESG state | RFC 1244 (Informational) |
| IESG | Telechat date | |
| IESG | Responsible AD | (None) |
| IESG | Send notices to | (None) |
Network Working Group
Request for Comments: 1244
FYI: 8
P. Holbrook (CICNet) and J. Reynolds (ISI), Editors
July 1991

Site Security Handbook

Status of this Memo

This handbook is the product of the Site Security Policy Handbook Working Group (SSPHWG), a combined effort of the Security Area and User Services Area of the Internet Engineering Task Force (IETF). This FYI RFC provides information for the Internet community. It does not specify an Internet standard. Distribution of this memo is unlimited.

Contributing Authors

The following are the authors of the Site Security Handbook. Without their dedication, this handbook would not have been possible.

Dave Curry (Purdue University), Sean Kirkpatrick (Unisys), Tom Longstaff (LLNL), Greg Hollingsworth (Johns Hopkins University), Jeffrey Carpenter (University of Pittsburgh), Barbara Fraser (CERT), Fred Ostapik (SRI NISC), Allen Sturtevant (LLNL), Dan Long (BBN), Jim Duncan (Pennsylvania State University), and Frank Byrum (DEC).

Editors' Note

This FYI RFC is a first attempt at providing Internet users guidance on how to deal with security issues in the Internet. As such, this document is necessarily incomplete. There are some clear shortfalls; for example, this document focuses mostly on resources available in the United States.

In the spirit of the Internet's "Request for Comments" series of notes, we encourage feedback from users of this handbook, and in particular from those who use this document to craft their own policies and procedures. This handbook is meant to be a starting place for further research and should be viewed as a useful resource, but not the final authority. Different organizations and jurisdictions will have different resources and rules. Talk to your local organizations, consult an informed lawyer, or consult with local and national law enforcement. These groups can help fill in the gaps that this document cannot hope to cover.

Finally, we intend for this FYI RFC to grow and evolve. Please send comments and suggestions to: ssphwg@cert.sei.cmu.edu.

Site Security Policy Handbook Working Group [Page 1]

RFC 1244 Site Security Handbook July 1991

Table of Contents

1. Introduction ..................................................... 3
1.1 Purpose of this Work ............................................ 3
1.2 Audience ........................................................ 3
1.3 Definitions ..................................................... 4
1.4 Related Work .................................................... 4
1.5 Scope ........................................................... 4
1.6 Why Do We Need Security Policies and Procedures? ................ 5
1.7 Basic Approach .................................................. 7
1.8 Organization of this Document ................................... 7
2. Establishing Official Site Policy on Computer Security ........... 9
2.1 Brief Overview .................................................. 9
2.2 Risk Assessment ................................................. 10
2.3 Policy Issues ................................................... 13
2.4 What Happens When the Policy Is Violated ........................ 19
2.5 Locking In or Out ............................................... 21
2.6 Interpreting the Policy ......................................... 23
2.7 Publicizing the Policy .......................................... 23
3. Establishing Procedures to Prevent Security Problems ............. 24
3.1 Security Policy Defines What Needs to be Protected .............. 24
3.2 Identifying Possible Problems ................................... 24
3.3 Choose Controls to Protect Assets in a Cost-Effective Way ....... 26
3.4 Use Multiple Strategies to Protect Assets ....................... 26
3.5 Physical Security ............................................... 27
3.6 Procedures to Recognize Unauthorized Activity ................... 27
3.7 Define Actions to Take When Unauthorized Activity is Suspected .. 29
3.8 Communicating Security Policy ................................... 30
3.9 Resources to Prevent Security Breaches .......................... 34
4. Types of Security Procedures ..................................... 56
4.1 System Security Audits .......................................... 56
4.2 Account Management Procedures ................................... 57
4.3 Password Management Procedures .................................. 57
4.4 Configuration Management Procedures ............................. 60