hargrove@harlie.corp.sgi.com (Mark Hargrove) (12/29/89)
We are struggling with the problem of forming a reasonable corporate data security policy within our company. What kinds of policies do others have? (I am referring specifically to I/S-related data.) Several sorts of issues emerge:

- What kind of security doctrine is appropriate? The so-called "need-to-know" doctrine seems offensive to me; is there an alternate doctrine?

- How do you decide *what* to protect? How do you decide whom to trust?

- We have a large issue over the notion of "downloading" data from the VAX mid-frames to our desktop environment (Macs, PCs, workstations). The issue: the security "envelope" is lost once data moves off of the VAX. Is there really a distinction between data on a Mac/PC and a printed report?

- How much effort should be placed on reviewing new application programs for "proper" security/audit-trail code? Should there be a dedicated person/group to perform this function?

- How big does a data center need to be (by any measure) before a full-time security manager is required?

Thoughts and comments on any of these issues would be greatly appreciated.
ash@mlacus.oz (Ash Nallawalla) (01/05/90)
Re computer security policy query: If the "need-to-know" principle sounds offensive to you, I guess you never worked for/with the armed services :-) I still like it, as the end user will not know what the company thinks he ought not to know. Even if the matter is unrelated to confidential information, it may be desirable to limit access to "need-to-know" material, if only to keep the employee occupied with what she/he is paid to do. As an example, although I am "root" on a Xyvision network and on my Xenix/MS-DOS PC, I do not have similar privileges on the machine that connects me to this newsgroup.

I recommend the text "Advanced Auditing - Fundamentals of EDP and Statistical Audit Technology" by Miklos A. Vasarhelyi and Thomas W. Lin, Addison-Wesley 1988, ISBN 0-201-05328-4. It is about computer audit, and answers a part of your query. The portion you should read is about "internal controls" (the broad topic) and the specific topics of "general control" and "computer application controls". I am writing an internal report for my employers based partly on information in this book. Others on the net may be able to refer you to more specific references.

I spent some years in a security-conscious environment and I find that attitudes outside the government and banking industry are quite different, to put it mildly. It would be helpful to others if you could summarise the responses to your query.

--
=============================================================================
Ash Nallawalla                  Tel: +61 3 823-1959  Fax: +61 3 820-1434
ZL4LM/VK3CIT                    Postal: P.O. Box 539, Werribee VIC 3030, Australia.