Site Security Policies

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP OpenVMS Guide to System Security

Security for the System Administrator

Managing the System and Its Data

Role of a Security Administrator

Tools for Setting Up a Secure System

Site Security Policies

An organization's management usually establishes a brief security policy for its employees to emphasize the behavior it expects of them. For example, such a policy may state that employees should not give away company data or share passwords.

The managers of divisions or computer sites develop the detailed security policy. It is a written set of guidelines on the use of passwords and system accounts, physical access to the computer systems, communication devices, and computer terminals, and the types of security-relevant events to audit. These security guidelines might be followed by more specific statements applying to particular operating system enviroments.

The complexity of a security policy eventually depends on whether the division has high, medium, or low security requirements. Understanding System SecurityChapter 1 provides a set of questions that can help an organization determine its needs.

As an example, a site security policy often defines which company employees have access to certain systems and the type of access available to the personnel performing nonroutine tasks and development. Sometimes a policy can provide an intricate set of rules for determining system access. Example of a Site Security Policy presents the policy developed by one division.

Table 1 Example of a Site Security Policy
Security Area Site Requirements

Passwords
Schedule for password changes.

Process for controlling minimum password length and expiration periods.

Schedule for system password changes.

Accounts
Procedure to grant accounts on computer systems, for example, statement of need, signature of requester, requester's manager, system manager, or person setting up the account. (Accounts can never be shared.)

Procedure to deactivate accounts due to organizational changes, for example, employee transfers or terminations.

Timetable for reauthorizing accounts, usually once every 6 to 12 months.

Directive to deactivate accounts that are not used on a regular basis.

Time periods for access.

Timetable for expiring accounts.

Procedure for requesting privileges that rigorously controls allocation.

Requirement to use nonprivileged accounts for privileged users performing normal system activity.

Schedule for verifying inactive accounts.

List of approved security tools.

Security events to audit
Logins from selected or all sources.

Changes to authorization file records.

Other uses of privilege and system management actions.

Modifications to the known file list through the Install utility.

Modification to the network configuration database, using the network control program (NCP).

Physical access to the computer room
A written list of authorized personnel with the reason for access included. Typically, one person would be responsible for keeping this list current.

Storage of a visitor log in a secure area.

Locked access doors and a documented procedure for assigning keys, key cards, and combinations. (These access controls change periodically and on transfer or termination of employees.)

Physical access to terminals and personal computers located outside the computer room
Use of programs to log out terminals that have not been used for a given period of time.

Security awareness programs for the organization (beyond computer personnel); topics may include:
Maintaining a list of approved software.

Keeping desktops clear of hardcopy information relating to the computer system, network passwords, and other system account information.

Locking disks and file cabinets.

Keeping diskettes inaccessible in or near workstations.

Keeping keys out of open view.

Dialup numbers
List of authorized users.

Schedule for changing numbers periodically and procedures for notifying users of number changes.

A policy to minimize publishing dialup numbers.

Policy about changing passwords periodically and when employees with access are terminated.

Password protection, either in the modems or terminal servers, or system passwords on host dialup ports.

Documentation available about:
A dial-back system

Details about the network

Terminal equipment installed

Terminal switching systems

Details about all terminal devices connected to the network

Details about all dialup equipment

Communications
Denial of access into privileged accounts if using passwords over TCP/IP, LAT, or Ethernet links.

Use of authentication cards for network logins into privileged accounts.

**Table 1** **Example of a Site Security Policy**
Security Area	Site Requirements
Passwords	Schedule for password changes.
	Process for controlling minimum password length and expiration periods.
	Schedule for system password changes.
Accounts	Procedure to grant accounts on computer systems, for example, statement of need, signature of requester, requester's manager, system manager, or person setting up the account. (Accounts can never be shared.)
	Procedure to deactivate accounts due to organizational changes, for example, employee transfers or terminations.
	Timetable for reauthorizing accounts, usually once every 6 to 12 months.
	Directive to deactivate accounts that are not used on a regular basis.
	Time periods for access.
	Timetable for expiring accounts.
	Procedure for requesting privileges that rigorously controls allocation.
	Requirement to use nonprivileged accounts for privileged users performing normal system activity.
	Schedule for verifying inactive accounts.
	List of approved security tools.
Security events to audit	Logins from selected or all sources.
	Changes to authorization file records.
	Other uses of privilege and system management actions.
	Modifications to the known file list through the Install utility.
	Modification to the network configuration database, using the network control program (NCP).
Physical access to the computer room	A written list of authorized personnel with the reason for access included. Typically, one person would be responsible for keeping this list current.
	Storage of a visitor log in a secure area.
	Locked access doors and a documented procedure for assigning keys, key cards, and combinations. (These access controls change periodically and on transfer or termination of employees.)
Physical access to terminals and personal computers located outside the computer room	Use of programs to log out terminals that have not been used for a given period of time.
	Security awareness programs for the organization (beyond computer personnel); topics may include: Maintaining a list of approved software. Keeping desktops clear of hardcopy information relating to the computer system, network passwords, and other system account information. Locking disks and file cabinets. Keeping diskettes inaccessible in or near workstations. Keeping keys out of open view.
Dialup numbers	List of authorized users.
	Schedule for changing numbers periodically and procedures for notifying users of number changes.
	A policy to minimize publishing dialup numbers.
	Policy about changing passwords periodically and when employees with access are terminated.
	Password protection, either in the modems or terminal servers, or system passwords on host dialup ports.
	Documentation available about: A dial-back system Details about the network Terminal equipment installed Terminal switching systems Details about all terminal devices connected to the network Details about all dialup equipment
Communications	Denial of access into privileged accounts if using passwords over TCP/IP, LAT, or Ethernet links.
	Use of authentication cards for network logins into privileged accounts.

Role of a Security Administrator

Tools for Setting Up a Secure System