Computer Security Manual

SEC|POL|AO12
NOT TO BE SHOWN OUTSIDE BT
ISIS Directive
Computer Security Manual
Origin: Security and Investigation Directorate
Issue 7: March 1993

Foreword by the chairman

Amendment record sheet

List of effective pages

1 Introduction and scope

• Introduction
  
• Scope and purpose
  
• Relationship to the previous issue
  
• Structure of the manual
  
• Feedback
  
• Use of the CSM by suppliers and contractors
  
• Acknowledgements

2 Objectives and policy

• Introduction
  
• Corporate policy on electronic system security
  
• Objective
  
• Relationship to other security policies
  
• Responsibility for security
  
• Derivation of security requirements
  
• Security policy for the life cycle
  
• Security evaluation, certification and accreditation
  
• Security approvals
  
• Product security

3 Communications and network security

• Introduction
  
• System interconnection
  
• Network management
  
• Network architecture
  
• Threats to networked systems
  
• Cryptographic protection
  
• Electronic Mail Systems

4 Electronic systems insta11ations

• Introduction
  
• Accommodation
  
• Services
  
• Electronic system equipment sign posting
  
• Physical access control strategy
  
• Personnel access
  
• System or master consoles
  
• Other terminals
  
• Communications rooms and equipment
  
• Media libraries and disaster stores

5 Personal computers

• 5.1 Introduction
  
• 5.2 Personal security responsibility
  
• 5.3 PC and data access security
  
• 5.4 Security of software
  
• 5.5 Personal computer communications
  
• 5.6 Contingency planning
  
• 5.7 File Servers

6 User access to computers

• 6.1 Introduction
  
• 6.2 Regulating access to computers
  
• 6.3 Identification
  
• 6.4 Passwords
  
• 6.5 Limitations of password security
  
• 6.6 Logging on
  
• 6.7 Logging off
  
• 6.8 User privileges
  
• 6.9 Access to user files
  
• 6.10 Customer access to BT computers
  
• 6.11 Contractors

7 Software and data

• 7.1 Introduction
  
• 7.2 Software installation and maintenance
  
• 7.3 Log facilities and system data
  
• 7.4 Data sensitivity
  
• 7.5 Storage
  
• 7.6 Disposal of media
  
• 7.7 Computer viruses

8 Administration

• 8.1 Introduction
  
• 8.2 Personnel
  
• 8.3 Disaster protection

9 Data protection act

• 9.1 Introduction
  
• 9.2 Data protection act principles
  
• 9.3 Definitions
  
• 9.4 Registration

Glossary

Foreword by the chairman

The Information Security Code, Computer Security Manual and Physical Security Handbook define the ways in which we can maintain a secure environment. They clarify our responsibilities and provide the expert guidance which we can use to achieve and maintain the levels of security appropriate to the various activities of BT. The rules outlined in these publications are mandatory.

IDT Vallance