154 lines
9.6 KiB
HTML
154 lines
9.6 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Develop a security policy" />
|
|
<meta name="abstract" content="This topic defines a security policy and explains the process for creating a security policy." />
|
|
<meta name="description" content="This topic defines a security policy and explains the process for creating a security policy." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvplansecstrat.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvdevelopchangepolicy.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="developsecpol" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Develop a security policy</title>
|
|
</head>
|
|
<body id="developsecpol"><a name="developsecpol"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Develop a security policy</h1>
|
|
<div><p>This topic defines a security policy and explains the process for
|
|
creating a security policy.</p>
|
|
<p>Each internet service that you use or provide poses risks to your system
|
|
and the network to which it is connected. A <strong>security policy</strong> is a set
|
|
of rules that apply to activities for the computer and communications resources
|
|
that belong to an organization. These rules cover areas such as physical security,
|
|
personnel security, administrative security, and network security. Your security
|
|
policy defines what you want to protect and what you expect of your system
|
|
users. It provides a basis for security planning when you design new applications
|
|
or expand your current network. It describes user responsibilities, such as
|
|
protecting confidential information and creating nontrivial passwords.</p>
|
|
<p>Your security policy should also describe how you will monitor the effectiveness
|
|
of your security measures. Such monitoring helps you to determine whether
|
|
someone might be attempting to circumvent your safeguards. To develop your
|
|
security policy, you must clearly define your security objectives. Once you
|
|
create a security policy, you must take steps to put into effect the rules
|
|
that it contains.</p>
|
|
<p>You might find it useful to send security guidelines to all of your employees
|
|
to emphasize your security policies regarding physical and system security.
|
|
In these guidelines, you should include instructions about how to protect
|
|
system security, such as signing off workstations, using passwords appropriately,
|
|
and protecting the network from unauthorized intruders. The security policy
|
|
could also explain the procedure for training employees and installing necessary
|
|
software and hardware to ensure system security.</p>
|
|
<p>Remember that you can always change your security policy. When you make
|
|
changes in your computing environment, you should update your security policy
|
|
to address any new risks that these changes impose. Most companies find they
|
|
need more strict security as they grow.</p>
|
|
<div class="section" id="developsecpol__stepsecpolicy"><a name="developsecpol__stepsecpolicy"><!-- --></a><h4 class="sectiontitle">Perform the following steps to develop
|
|
a security policy</h4><ol><li>Talk with other members of your organization, such as security auditors,
|
|
to better determine your security needs.</li>
|
|
<li>Examine the technologies that you use in your company. For example, if
|
|
your system is connected to the Internet, you will want a more restrictive
|
|
security environment to protect your system from outside Internet users.</li>
|
|
<li>Determine your overall approach to security, as follows:<dl><dt class="dlterm">Strict</dt>
|
|
<dd>A strict policy is a need-to-know security scheme. In a strict security
|
|
environment, you give users access only to the information and functions that
|
|
they need to do their jobs. All others are excluded. Many auditors recommend
|
|
the strict approach.</dd>
|
|
<dt class="dlterm">Average</dt>
|
|
<dd>An average security policy gives users access to objects, based on the
|
|
authorities that you have assigned them.</dd>
|
|
<dt class="dlterm">Relaxed</dt>
|
|
<dd>In a relaxed security environment, you allow authorized users access to
|
|
most objects on the system. You restrict access only to confidential information.
|
|
A single department or small company might use the relaxed approach on their
|
|
systems.</dd>
|
|
</dl>
|
|
</li>
|
|
<li>Determine what information assets require protection. To assist with this
|
|
determination, consider confidentiality, competitiveness, and operations:<dl><dt class="dlterm">Confidentiality</dt>
|
|
<dd>Information that is not generally available to people in your company.
|
|
Payroll is an example of confidential information. Another example of confidential
|
|
information is new technical information that has not yet been announced to
|
|
the public.</dd>
|
|
<dt class="dlterm">Competitiveness</dt>
|
|
<dd>Information that gives you an advantage over your competition, such as
|
|
product specifications, formulas, and pricing guidelines.</dd>
|
|
<dt class="dlterm">Operations</dt>
|
|
<dd>Information on your computer that is essential for the daily operations
|
|
of your business, such as customer records and inventory balances.</dd>
|
|
</dl>
|
|
</li>
|
|
<li>Create a statement of company policy regarding security. This is an agreement
|
|
between you and the top officials in the company. Your security policy should
|
|
state what your overall approach is and what assets require protection. <a href="#developsecpol__example1">Example of a security policy</a></li>
|
|
<li>Create a draft of your security policy. <a href="#developsecpol__example2">Example: Company security memo</a></li>
|
|
<li>As you work through the planning process, take additional notes that you
|
|
will use to complete the security policy.</li>
|
|
<li>Complete the security policy and distribute it to the employees in your
|
|
company. Use it as you implement and monitor the security on the system.</li>
|
|
</ol>
|
|
<p>After you have created a security policy, you can choose your <a href="rzamvseclvlterm.htm#seclvlterm">Security levels</a> on the system.</p>
|
|
</div>
|
|
<div class="section" id="developsecpol__example1"><a name="developsecpol__example1"><!-- --></a><h4 class="sectiontitle">Example of a security policy</h4><div class="figborder"><span class="figcap">Figure 1. Company Security Policy</span><div class="p"><strong>Overall Approach</strong><ul class="simple"><li>Relaxed: Most people need access to most information.</li>
|
|
</ul>
|
|
</div>
|
|
<div class="p"><strong>Critical Information</strong><ul><li>Contracts and special pricing</li>
|
|
<li>Payroll (Only Accounting can set and change credit limits for customers.)</li>
|
|
<li>Customer and inventory records </li>
|
|
</ul>
|
|
</div>
|
|
<div class="p"><strong>General Rules</strong><ul><li>Every system user has a user profile.</li>
|
|
<li>Users must change their password every 60 days.</li>
|
|
<li>Users must use the latest security patches.</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="section" id="developsecpol__example2"><a name="developsecpol__example2"><!-- --></a><h4 class="sectiontitle">Example: Company security memo</h4><div class="figborder"><span class="figcap">Figure 2. Company Security Memo</span><p><strong>Security of the New System</strong></p>
|
|
<div class="p">You have all attended an information meeting about our new system. Those
|
|
who will use the system have started training and will begin processing customer
|
|
orders next week. Observe the following security guidelines when working on
|
|
your system:<ul><li>Everyone who needs to use the system will receive a user ID and a password.
|
|
You will be required to change your password the first time you sign on the
|
|
system and every 90 days after that. Passwords must be 8 characters in length
|
|
and contain a combination of letters and numbers. Passwords must not contain
|
|
your name, userid, or other personal information.</li>
|
|
<li>Do not share your password with anyone. If you forget your password, go
|
|
to the technical support web site for instructions on resetting your password.</li>
|
|
<li>Lock your system using the screen-saver password when you are away from
|
|
your desk.</li>
|
|
<li>Lock up confidential information when you go home for the day. Examples
|
|
of confidential information include contract and special pricing information,
|
|
and payroll records.</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<ul class="ullinks">
|
|
<li class="ulchildlink"><strong><a href="rzamvdevelopchangepolicy.htm">Change a security policy</a></strong><br />
|
|
You can use iSeries™ Navigator to view and manage policies for
|
|
your system.</li>
|
|
</ul>
|
|
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecstrat.htm" title="This topic describes various aspects of planning a security strategy.">Plan your security strategy</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |