marchany@vtserf.cc.vt.edu (Randy Marchany) (05/21/91)

Archive-name: security/internet/ietf-security-policy-handbook/1991-05-20
Archive-directory: cert.sei.cmu.edu:/pub/ssphwg/ [128.237.253.5]
Original-posting-by: marchany@vtserf.cc.vt.edu (Randy Marchany)
Original-subject: IETF Security Policy Working Group Handbook (long)
Reposted-by: emv@msen.com (Edward Vielmetti, MSEN)

I posted a query a while ago asking about other sites' policies on setting
computer usage policies. I received a number of replies and thought I would
summarize the major points here to start the discussion.

We are a major university in VA and are responsible for maintaining a mixed
vendor OS environment (IBM, DEC, Sun, HP, DG, Next, Apple). We also have an
extensive workstation network. We are currently teaching system management
seminars and one of the things we want to impress upon the new system
managers is responsible user behavior. So with this intro, this is a summary
of the internet responses we received.

1. The IETF has a security policy working group that is putting together a
   "guidebook" for setting security policies at internet sites. This
   guidebook is geared toward the system managers at a particular site. The
   working draft is available via anonymous FTP from cert.sei.cmu.edu under
   the pub/ssphwg directory. I have a copy of it and it is quite helpful.
   A brief outline of the document is:

   I. Establishing official site policy on computer security/use.
      A. Who makes the policy? What are their responsibilities?
      B. Risk Assessment - Don't spend more on security than what you're
         protecting is worth.
      C. Define authorized access to computing resources.
      D. Handling policy violations.
      E. Publicizing the policy.

   II. Establishing procedures to "prevent" security problems.
      A. System security audits
      B. Account management procedures
      C. Configuration management procedures
      D. Procedures for recognizing unauthorized activity
      E. How to deal with unauthorized activity
      F. Communicating lessons learned
      G. Resources to prevent security breaches

   III. Incident Handling
      A. Evaluation
      B. Types of notification
      C. Response
      E. Legal/Investigative
      F. Documentation logs
      G. Establishing post-incident procedures

At the university level, it is important to establish a uniform policy for
the entire university. While the political ramifications of the previous
sentence are obvious, a useful argument to adopt such a policy is that of
liability. The statement need not be specific, but can be a general statement
such as: "computer usage at XXXX must not be contrary to international,
Federal, state and local laws." and it should contain specific references to
the laws. Some of these laws are:

   - the Computer Fraud and Abuse Act of 1986, 18 USC section 1030
   - the Computer Virus Eradication Act of 1989, HR5061
   - HR55 (amendments to USC 18, sect. 1030)
   - Interstate Transportation of Stolen Property, 18 USC sect. 2314
   - the VA Computer Crimes Act, VA Article 7.1

With the general statement in place, a series of statements on Computer
Use/Access can be drawn up citing more specific examples of unacceptable
behavior, penalties, etc. and these can be used for training/education.

The three main areas of setting up a policy are 1) defining the policy,
2) teaching your users the policy, 3) enforcing the policy. One way to verify
that the policy was given to the user is to have them sign a form stating
that they are aware of the policy. This gives the sysmgr proof that the user
was aware of the policy. A number of sites sent me copies of their "user"
forms. While it is a paperwork nightmare, it is a sure way of defining your
user community. It is more work, but the burden of proof will be on us and so
I think it's worth it in the long run.

My main concern is in section III.E,F of the above outline. I'm sure some of
you have run across an employee/student who sends obscene mail thru the net.
I'm sure there are a number who couldn't do anything to the offender because
the logs were not secure. There needs to be some type of training
program/document from the police/FBI agencies that can help system managers
collect, protect and document any evidence of abuse in a manner that won't be
subject to challenge in court. The "chain of evidence" is crucial to
successful prosecution, yet I'd be willing to bet that 95% of all sysmgrs
don't know how to preserve it. Are there any agencies that provide training
seminars to sysmgr types?

Well, I've said enough for now. Hope this gets the ball rolling.

-Randy Marchany
VA Tech Computing Center
Blacksburg, VA 24060
Internet: marchany@vtserf.cc.vt.edu

--
comp.archives file verification
cert.sei.cmu.edu
found ietf-security-policy-handbook ok
cert.sei.cmu.edu:/pub/ssphwg/