When designing an overall system security plan, ask yourself
the following questions:
How are users associated with subjects?
What is the reliability of the authentication mechanism?
What objects contain sensitive information in this system or application? Is access to those objects controlled?
Does the authorization database reflect the site's security policy? Who is authorized to gain access to sensitive objects? Are adequate restrictions in place?
Is the audit trail recording enough or too much information? Who will monitor it? How often will it be examined?
What programs are functioning as part of the reference monitor? Which users can modify the security policy and the authorization database? Is this the desired configuration?
These considerations, as well as the underlying reference
monitor design, apply equally to a timesharing system, a widespread
network, or a single application on a system that grants access
to records in a file or database. The operating system provides
general mechanisms that users and security administrators must apply
to achieve system security. See
Managing the System and Its Data for more information on designing and implementing
a security policy.
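The checklist above maps directly onto the parts of a reference monitor: authenticated users become subjects, an authorization database decides which subjects may reach which objects, a privileged few may change that database, and every decision leaves an audit record. The following is an added example written for this page, not the operating system's own code: a toy reference monitor in Python that exercises each question in turn. The SECURITY privilege name, the PBKDF2 password hashing, the ACL layout and the PAYROLL.DAT scenario are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """A subject is a process acting on behalf of an authenticated user."""
    user: str
    privileges: frozenset


@dataclass(frozen=True)
class AuditRecord:
    subject: str
    action: str
    obj: str
    allowed: bool


def make_user_entry(password, privileges=()):
    """Constructed user-database entry: salted PBKDF2 hash plus privilege set (assumed layout)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest, "privileges": frozenset(privileges)}


class ReferenceMonitor:
    """Every access decision and every change to the policy passes through this class."""

    def __init__(self, userdb, audit_successes=True):
        self._userdb = userdb
        self._acl = {}        # authorization database: object -> user -> allowed modes
        self._trail = []      # audit trail
        self._audit_successes = audit_successes

    def authenticate(self, user, password):
        """Associate a user with a subject only after the credential checks out."""
        entry = self._userdb.get(user)
        if entry is None:
            self._record(user, "LOGIN", "-", False)
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], 100_000)
        ok = hmac.compare_digest(digest, entry["hash"])   # constant-time compare
        self._record(user, "LOGIN", "-", ok)
        return Subject(user, entry["privileges"]) if ok else None

    def check_access(self, subj, obj, mode):
        """Mediate an access to a protected object against the authorization database."""
        allowed = mode in self._acl.get(obj, {}).get(subj.user, set())
        self._record(subj.user, mode, obj, allowed)
        return allowed

    def set_acl(self, subj, obj, user, modes):
        """Only subjects holding the assumed SECURITY privilege may change the policy."""
        allowed = "SECURITY" in subj.privileges
        self._record(subj.user, "SET_ACL", obj, allowed)
        if allowed:
            self._acl.setdefault(obj, {})[user] = set(modes)
        return allowed

    def _record(self, who, action, obj, allowed):
        # Failures are always recorded; successes only when configured. This is the
        # "enough or too much information" trade-off from the checklist.
        if allowed and not self._audit_successes:
            return
        self._trail.append(AuditRecord(who, action, obj, allowed))

    def trail(self):
        return list(self._trail)

    def failures(self):
        return [r for r in self._trail if not r.allowed]


def demo():
    """Constructed scenario: one security administrator and one ordinary user."""
    userdb = {
        "SYSMGR": make_user_entry("correct horse", privileges={"SECURITY"}),
        "ALICE": make_user_entry("alice-pass"),
    }
    rm = ReferenceMonitor(userdb, audit_successes=False)
    admin = rm.authenticate("SYSMGR", "correct horse")
    alice = rm.authenticate("ALICE", "alice-pass")
    rm.authenticate("MALLORY", "x")          # unknown user: audited, no subject
    rm.authenticate("ALICE", "wrong")        # bad password: audited, no subject
    rm.set_acl(admin, "PAYROLL.DAT", "ALICE", {"READ"})
    results = {
        "alice": alice,
        "alice_read": rm.check_access(alice, "PAYROLL.DAT", "READ"),
        "alice_write": rm.check_access(alice, "PAYROLL.DAT", "WRITE"),
        "alice_set_acl": rm.set_acl(alice, "PAYROLL.DAT", "ALICE", {"READ", "WRITE"}),
    }
    return rm, results


if __name__ == "__main__":
    monitor, res = demo()
    for rec in monitor.failures():
        print(rec)
```

Two points are worth noticing when running it. First, ALICE's attempt to widen her own rights fails and is audited, and the ACL is unchanged afterwards, which is exactly the "which users can modify the authorization database" check. Second, with audit_successes=False the trail holds only the four refusals (two failed logins, the denied write, the denied policy change), so an operator reviewing it sees the events that matter without the noise of every successful read.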