ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvdevelopsecpol.htm

154 lines
9.6 KiB
HTML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Develop a security policy" />
<meta name="abstract" content="This topic defines a security policy and explains the process for creating a security policy." />
<meta name="description" content="This topic defines a security policy and explains the process for creating a security policy." />
<meta name="DC.Relation" scheme="URI" content="rzamvplansecstrat.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvdevelopchangepolicy.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="developsecpol" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Develop a security policy</title>
</head>
<body id="developsecpol"><a name="developsecpol"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Develop a security policy</h1>
<div><p>This topic defines a security policy and explains the process for
creating a security policy.</p>
<p>Each internet service that you use or provide poses risks to your system
and the network to which it is connected. A <strong>security policy</strong> is a set
of rules that apply to activities for the computer and communications resources
that belong to an organization. These rules cover areas such as physical security,
personnel security, administrative security, and network security. Your security
policy defines what you want to protect and what you expect of your system
users. It provides a basis for security planning when you design new applications
or expand your current network. It describes user responsibilities, such as
protecting confidential information and creating nontrivial passwords.</p>
<p>Your security policy should also describe how you will monitor the effectiveness
of your security measures. Such monitoring helps you to determine whether
someone might be attempting to circumvent your safeguards. To develop your
security policy, you must clearly define your security objectives. Once you
create a security policy, you must take steps to put into effect the rules
that it contains.</p>
<p>You might find it useful to send security guidelines to all of your employees
to emphasize your security policies regarding physical and system security.
In these guidelines, you should include instructions about how to protect
system security, such as signing off workstations, using passwords appropriately,
and protecting the network from unauthorized intruders. The security policy
could also explain the procedure for training employees and installing necessary
software and hardware to ensure system security.</p>
<p>Remember that you can always change your security policy. When you make
changes in your computing environment, you should update your security policy
to address any new risks that these changes impose. Most companies find they
need more strict security as they grow.</p>
<div class="section" id="developsecpol__stepsecpolicy"><a name="developsecpol__stepsecpolicy"><!-- --></a><h4 class="sectiontitle">Perform the following steps to develop
a security policy</h4><ol><li>Talk with other members of your organization, such as security auditors,
to better determine your security needs.</li>
<li>Examine the technologies that you use in your company. For example, if
your system is connected to the Internet, you will want a more restrictive
security environment to protect your system from outside Internet users.</li>
<li>Determine your overall approach to security, as follows:<dl><dt class="dlterm">Strict</dt>
<dd>A strict policy is a need-to-know security scheme. In a strict security
environment, you give users access only to the information and functions that
they need to do their jobs. All others are excluded. Many auditors recommend
the strict approach.</dd>
<dt class="dlterm">Average</dt>
<dd>An average security policy gives users access to objects, based on the
authorities that you have assigned them.</dd>
<dt class="dlterm">Relaxed</dt>
<dd>In a relaxed security environment, you allow authorized users access to
most objects on the system. You restrict access only to confidential information.
A single department or small company might use the relaxed approach on their
systems.</dd>
</dl>
</li>
<li>Determine what information assets require protection. To assist with this
determination, consider confidentiality, competitiveness, and operations:<dl><dt class="dlterm">Confidentiality</dt>
<dd>Information that is not generally available to people in your company.
Payroll is an example of confidential information. Another example of confidential
information is new technical information that has not yet been announced to
the public.</dd>
<dt class="dlterm">Competitiveness</dt>
<dd>Information that gives you an advantage over your competition, such as
product specifications, formulas, and pricing guidelines.</dd>
<dt class="dlterm">Operations</dt>
<dd>Information on your computer that is essential for the daily operations
of your business, such as customer records and inventory balances.</dd>
</dl>
</li>
<li>Create a statement of company policy regarding security. This is an agreement
between you and the top officials in the company. Your security policy should
state what your overall approach is and what assets require protection. <a href="#developsecpol__example1">Example of a security policy</a></li>
<li>Create a draft of your security policy. <a href="#developsecpol__example2">Example: Company security memo</a></li>
<li>As you work through the planning process, take additional notes that you
will use to complete the security policy.</li>
<li>Complete the security policy and distribute it to the employees in your
company. Use it as you implement and monitor the security on the system.</li>
</ol>
<p>After you have created a security policy, you can choose your <a href="rzamvseclvlterm.htm#seclvlterm">Security levels</a> on the system.</p>
</div>
<div class="section" id="developsecpol__example1"><a name="developsecpol__example1"><!-- --></a><h4 class="sectiontitle">Example of a security policy</h4><div class="figborder"><span class="figcap">Figure 1. Company Security Policy</span><div class="p"><strong>Overall Approach</strong><ul class="simple"><li>Relaxed: Most people need access to most information.</li>
</ul>
</div>
<div class="p"><strong>Critical Information</strong><ul><li>Contracts and special pricing</li>
<li>Payroll (Only Accounting can set and change credit limits for customers.)</li>
<li>Customer and inventory records </li>
</ul>
</div>
<div class="p"><strong>General Rules</strong><ul><li>Every system user has a user profile.</li>
<li>Users must change their password every 60 days.</li>
<li>Users must use the latest security patches.</li>
</ul>
</div>
</div>
</div>
<div class="section" id="developsecpol__example2"><a name="developsecpol__example2"><!-- --></a><h4 class="sectiontitle">Example: Company security memo</h4><div class="figborder"><span class="figcap">Figure 2. Company Security Memo</span><p><strong>Security of the New System</strong></p>
<div class="p">You have all attended an information meeting about our new system. Those
who will use the system have started training and will begin processing customer
orders next week. Observe the following security guidelines when working on
your system:<ul><li>Everyone who needs to use the system will receive a user ID and a password.
You will be required to change your password the first time you sign on the
system and every 90 days after that. Passwords must be 8 characters in length
and contain a combination of letters and numbers. Passwords must not contain
your name, userid, or other personal information.</li>
<li>Do not share your password with anyone. If you forget your password, go
to the technical support web site for instructions on resetting your password.</li>
<li>Lock your system using the screen-saver password when you are away from
your desk.</li>
<li>Lock up confidential information when you go home for the day. Examples
of confidential information include contract and special pricing information,
and payroll records.</li>
</ul>
</div>
</div>
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzamvdevelopchangepolicy.htm">Change a security policy</a></strong><br />
You can use iSeries™ Navigator to view and manage policies for
your system.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecstrat.htm" title="This topic describes various aspects of planning a security strategy.">Plan your security strategy</a></div>
</div>
</div>
</body>
</html>