ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaj4_5.4.0.1/rzaj40j0securitypolco.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Security policy and objectives" />
<meta name="abstract" content="Defining what to protect and what to expect of users." />
<meta name="description" content="Defining what to protect and what to expect of users." />
<meta name="DC.Relation" scheme="URI" content="rzaj45zssecurityplanning.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45asecureway.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj40a0internetsecurity.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu401usingdcm.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzain/rzainoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45lbasiccorpusage.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaj40j0securitypolco" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security policy and objectives</title>
</head>
<body id="rzaj40j0securitypolco"><a name="rzaj40j0securitypolco"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security policy and objectives</h1>
<div><p>Defining what to protect and what to expect of users.</p>
<div class="section"><h4 class="sectiontitle">Your security policy</h4><p><img src="./delta.gif" alt="Start of change" />Each Internet service
that you use or provide poses risks to your iSeries™ system and the network to which
it is connected. A security policy is a set of rules that apply to activities
for the computer and communications resources that belong to an organization.
These rules include areas such as physical security, personnel security, administrative
security, and network security.<img src="./deltaend.gif" alt="End of change" /></p>
<p>Your <strong>security policy</strong> defines what you want to protect
and what you expect of your system users.  It provides a basis for security
planning when you design new applications or expand your current network.
 It describes user responsibilities, such as protecting confidential information
and creating nontrivial passwords. Your security policy should also describe
how you will monitor the effectiveness of your security measures. Such monitoring
helps you to determine whether someone may be attempting to circumvent your
safeguards. </p>
<p><img src="./delta.gif" alt="Start of change" />To develop your security policy, you must clearly
define your security objectives. Once you create a security policy, you must
take steps to put into effect the rules it contains. These steps include training
employees and adding necessary software and hardware to enforce the rules.
Also, when you make changes in your computing environment, you should update
your security policy. This is to ensure that you discuss any new risks that
 your changes impose. You can find an example of a security policy for the
JKL Toy Company in the <span class="keyword"><img src="./delta.gif" alt="Start of change" />IBM<sup>®</sup> Systems Software Information Center<img src="./deltaend.gif" alt="End of change" /></span> in
the "Basic system security and planning" topic.<img src="./deltaend.gif" alt="End of change" /></p>
</div>
<div class="section"><h4 class="sectiontitle">Your security objectives</h4><p>When you create and carry
out a security policy, you must have clear objectives. Security objectives
fall into one or more of these categories:</p>
<dl><dt class="dlterm">Resource protection</dt>
<dd>Your resource protection scheme ensures that only authorized users can
access objects on the system. The ability to secure all types of system resources
is an iSeries strength.
You should carefully define the different categories of users that can access
your system. Also, you should define what access authorization you want to
give these groups of users as part of creating your security policy.</dd>
<dt class="dlterm">Authentication </dt>
<dd>The assurance or verification that
the resource (human or machine) at the other end of the session really is
what it claims to be. Solid authentication defends a system against the security
risk of impersonation, in which a sender or receiver uses a false identity
to access a system. Traditionally, systems have used passwords and user names
for authentication; digital certificates can provide a more secure method
of authentication while offering other security benefits as well. When you
link your system to a public network like the Internet, user authentication
takes on new dimensions. An important difference between the Internet and
your intranet is your ability to trust the identity of a user who signs on.
Consequently, you should consider seriously the idea of using stronger authentication
 methods than traditional user name and password logon procedures provide.
Authenticated users may have different types of permissions based on their
authorization levels.</dd>
<dt class="dlterm">Authorization </dt>
<dd><img src="./delta.gif" alt="Start of change" />The assurance that the
person or computer at the other end of the session has permission to carry
out the request. Authorization is the process of determining who or what can
access system resources or perform certain activities on a system. Typically,
authorization is performed in context of authentication. <img src="./deltaend.gif" alt="End of change" /></dd>
<dt class="dlterm">Integrity </dt>
<dd>The assurance that arriving information
is the same as what was sent out. Understanding integrity requires you to
understand the concepts of data integrity and system integrity.  <ul><li><strong>Data integrity</strong>: Data is protected from unauthorized changes or tampering.
Data integrity defends against the security risk of manipulation, in which
someone intercepts and changes information to which he or she is not authorized.
In addition to protecting data that is stored within your network, you may
need  additional security to ensure data integrity when data enters your system
from  untrusted sources. When data that enters your system comes from a public
network, you may need security methods so that you can do the following: <ul><li><img src="./delta.gif" alt="Start of change" />Protect the data from being <span class="q">"sniffed"</span> and interpreted,
typically by encrypting it.<img src="./deltaend.gif" alt="End of change" /></li>
<li>Ensure that the transmission has not been altered (data integrity).</li>
<li><img src="./delta.gif" alt="Start of change" />Prove that the transmission occurred (nonrepudiation).  In
the future, you might need the electronic equivalent of registered or certified
mail.<img src="./deltaend.gif" alt="End of change" /></li>
</ul>
 </li>
</ul>
<ul><li><strong>System integrity</strong>: Your  system provides consistent, expected results
with expected performance.  For the iSeries, system integrity is the most
commonly overlooked component of security because it is a fundamental part
of iSeries architecture.
 iSeries architecture,
for example, makes it extremely difficult for a mischief-maker to imitate
or change an operating system program when you use security level 40 or 50.</li>
</ul>
</dd>
<dt class="dlterm"><img src="./delta.gif" alt="Start of change" />nonrepudiation <img src="./deltaend.gif" alt="End of change" /></dt>
<dd><img src="./delta.gif" alt="Start of change" />nonrepudiation is proof that a transaction occurred, or that
you sent or received a message.  The use of digital certificates and public
key cryptography to "sign" transactions, messages, and documents supports
nonrepudiation. Both the sender and the receiver agree that the exchange took
place. The digital signature on the data provides the necessary proof.<img src="./deltaend.gif" alt="End of change" /></dd>
<dt class="dlterm">Confidentiality</dt>
<dd><img src="./delta.gif" alt="Start of change" />The assurance that sensitive information remains private and
is not visible to an eavesdropper. Confidentiality is critical to total data
security. Encrypting data by using digital certificates and the Secure Socket
Layer (SSL) helps ensure confidentiality when  transmitting
data across untrusted networks. Your security policy should conclude how you
will provide confidentiality for information within your network as well as
when  information leaves your network. <img src="./deltaend.gif" alt="End of change" /></dd>
<dt class="dlterm">Auditing security activities</dt>
<dd>Monitoring security-relevant events to provide a log of both successful
and unsuccessful (denied) access. Successful access records tell you who is
doing what on your systems.  Unsuccessful (denied) access records tell you
either that someone is attempting to break your security or that someone is
having difficulty accessing your system.</dd>
</dl>
<p><img src="./delta.gif" alt="Start of change" />Understanding your
security objectives helps you create a security policy that includes all your
networking and Internet security needs. You may find it helpful to review
the <a href="rzaj45lbasiccorpusage.htm#rzaj45lbasiccorpusage">JKL Toy
Company e-business scenario</a> as you define your objectives and create
your security policy. The scenario company's Internet usage and security plan
is representative of many real world implementations. <img src="./deltaend.gif" alt="End of change" /></p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaj45zssecurityplanning.htm" title="Use this information to gain a general understanding of the strengths of iSeries security for e-business and the iSeries security offerings available to you.">Planning Internet security</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzaj45asecureway.htm" title="As an iSeries owner exploring options for connecting your systems to the Internet, one of the first questions you will typically ask is, &#34;How do I begin to use the Internet for business purposes?&#34; The second question is, &#34;What should I know about security and the Internet?&#34; The focus of this material is to help you to answer this second question.">iSeries and Internet security considerations</a></div>
<div><a href="rzaj40a0internetsecurity.htm" title="Your security policy defines what you want to protect and what you expect of your system users.">The layered defense approach to security</a></div>
<div><a href="../rzahu/rzahurzahu401usingdcm.htm">Digital certificates</a></div>
<div><a href="../rzain/rzainoverview.htm">Secure Socket Layer (SSL)</a></div>
<div><a href="rzaj45lbasiccorpusage.htm" title="Describes a typical business, the JKL Toy Company which has decided to expand its business objectives by using the Internet. Although the company is fictitious, their plans for using the Internet for e-business and their resulting security needs are representative of many real world company situations.">Scenario: JKL Toy Company e-business plans</a></div>
</div>
</div>
</body>
</html>