Cover V12, I04

syslog

In February, when this column was written, the U.S. Department of Homeland Security released its "National Strategy to Secure Cyberspace" (http://www.whitehouse.gov/pcipb/). Among other things, the plan encourages companies to regularly review their technology security policies as part of an overall strategy for protecting computer systems from attacks.

You do have a security policy, don't you? If not, it's high time. The need for a thorough, up-to-date, enforceable security policy within every organization can hardly be overstated, and there are many resources to help systems administrators facilitate development of such policies.

SANS (http://www.sans.org) maintains a security policy resource page that provides general guidelines, links, and templates, along with a security policy primer describing how to build a security policy from the ground up. The security policy primer was taken from Michele Guel's certification course -- a foundation course for those seeking to become Certified Information Security Officers. Guel states the objectives of a security policy as follows: to define appropriate behavior; to set the stage in terms of necessary tools and procedures; to communicate a consensus; and to provide a foundation for response to inappropriate action. These are broad objectives that must be broken down into manageable chunks. To help, the SANS resource page also offers sample security documents covering specific policy topics, including encryption, acceptable use, application service providers, auditing, remote access, and wireless communication.

As part of its "Short Topics in System Administration" series, SAGE (The System Administrators Guild, http://www.sage.org) offers A Guide to Developing Computing Policy Documents. This booklet explains why every site needs a policy, what a policy document should contain, who should draft it, and to whom it should apply. It provides comprehensive guidelines for computing policy in general, one subset of which is computing security. The SAGE site also provides an online computing policy template that outlines essential areas of coverage.

The IETF (Internet Engineering Task Force) site also provides a guide to developing computer security policies and procedures in RFC 2196 (http://www.ietf.org/rfc/rfc2196.txt?Number=2196). This document covers such topics as risk assessment, firewalls, authentication, security services and procedures, incident handling, and confidentiality. Other sites providing relevant policy information and guidelines are the Computer Security Resource Center (http://www.csrc.nist.gov) and the COAST Security Archive (http://www.cerias.purdue.edu/coast/archive/). I encourage you to check out these resources and review your organization's security policies on a regular basis.

Sincerely yours,

Amber Ankerholz
Editor in Chief