Site Security Handbook
RFC 1244

Document Type RFC - Informational (July 1991; No errata)
Obsoleted by RFC 2196
Last updated 2013-03-02
Stream Legacy
Formats plain text pdf html bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 1244 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                        P. Holbrook
Request for Comments:  1244                                       CICNet
FYI: 8                                                       J. Reynolds
                                                                     ISI
                                                                 Editors
                                                               July 1991

                         Site Security Handbook

Status of this Memo

   This handbook is the product of the Site Security Policy Handbook
   Working Group (SSPHWG), a combined effort of the Security Area and
   User Services Area of the Internet Engineering Task Force (IETF).
   This FYI RFC provides information for the Internet community.  It
   does not specify an Internet standard.  Distribution of this memo is
   unlimited.

Contributing Authors

   The following are the authors of the Site Security Handbook.  Without
   their dedication, this handbook would not have been possible.

   Dave Curry (Purdue University), Sean Kirkpatrick (Unisys), Tom
   Longstaff (LLNL), Greg Hollingsworth (Johns Hopkins University),
   Jeffrey Carpenter (University of Pittsburgh), Barbara Fraser (CERT),
   Fred Ostapik (SRI NISC), Allen Sturtevant (LLNL), Dan Long (BBN), Jim
   Duncan (Pennsylvania State University), and Frank Byrum (DEC).

Editors' Note

   This FYI RFC is a first attempt at providing Internet users guidance
   on how to deal with security issues in the Internet.  As such, this
   document is necessarily incomplete.  There are some clear shortfalls;
   for example, this document focuses mostly on resources available in
   the United States.  In the spirit of the Internet's "Request for
   Comments" series of notes, we encourage feedback from users of this
   handbook.  In particular, those who utilize this document to craft
   their own policies and procedures.

   This handbook is meant to be a starting place for further research
   and should be viewed as a useful resource, but not the final
   authority.  Different organizations and jurisdictions will have
   different resources and rules.  Talk to your local organizations,
   consult an informed lawyer, or consult with local and national law
   enforcement.  These groups can help fill in the gaps that this
   document cannot hope to cover.

Site Security Policy Handbook Working Group                     [Page 1]
RFC 1244                 Site Security Handbook                July 1991

   Finally, we intend for this FYI RFC to grow and evolve.  Please send
   comments and suggestions to: ssphwg@cert.sei.cmu.edu.

Table of Contents

1.  Introduction.....................................................  3
1.1  Purpose of this Work............................................  3
1.2  Audience........................................................  3
1.3  Definitions.....................................................  4
1.4  Related Work....................................................  4
1.5  Scope...........................................................  4
1.6  Why Do We Need Security Policies and Procedures?................  5
1.7  Basic Approach..................................................  7
1.8  Organization of this Document...................................  7
2.  Establishing Official Site Policy on Computer Security...........  9
2.1  Brief Overview..................................................  9
2.2  Risk Assessment................................................. 10
2.3  Policy Issues................................................... 13
2.4  What Happens When the Policy Is Violated........................ 19
2.5  Locking In or Out............................................... 21
2.6  Interpreting the Policy......................................... 23
2.7  Publicizing the Policy.......................................... 23
3.  Establishing Procedures to Prevent Security Problems............. 24
3.1  Security Policy Defines What Needs to be Protected.............. 24
3.2  Identifing Possible Problems.................................... 24
3.3  Choose Controls to Protect Assets in a Cost-Effective Way....... 26
3.4  Use Multiple Strategies to Protect Assets....................... 26
3.5  Physical Security............................................... 27
3.6  Procedures to Recognize Unauthorized Activity................... 27
3.7  Define Actions to Take When Unauthorized Activity is Suspected.. 29
3.8  Communicating Security Policy................................... 30
3.9  Resources to Prevent Security Breaches.......................... 34
4.  Types of Security Procedures..................................... 56
4.1  System Security Audits.......................................... 56
4.2  Account Management Procedures................................... 57
4.3  Password Management Procedures.................................. 57
4.4  Configuration Management Procedures............................. 60
Show full document text