Site Security Policy Handbook (ssphwg) Charter Chair(s): J. Paul Holbrook Joyce K. Reynolds Security Area Director(s) Steve Crocker Mailing lists: General Discussion:ssphwg@cert.sei.cmu.edu To Subscribe: ssphwg-request@cert.sei.cmu.edu Archive: Description of Working Group: The Site Security Policy Handbook Working Group is chartered to create a handbook that will help sites develop their own site-specific policies and procedures to deal with computer security problems and their prevention. Among the issues to be considered in this group are: \begin{enumerate} \item Establishing official site policy on computer security: \begin{itemize} \item Define authorized access to computing resources. \item Define what to do when local users violate the access policy. \item Define what to do when local users violate the access policy of a remote site. \item Define what to do when outsiders violate the access policy. \item Define actions to take when unauthorized activity is suspected. \end{itemize} \item Establishing procedures to prevent security problems: \begin{itemize} \item System security audits. \item Account management procedures. \item Password management procedures. \item Configuration management procedures. \end{itemize} \item Establishing procedures to use when unauthorized activity occurs: \begin{itemize} \item Developing lists of responsibilities and authorities: site management, system administrators, site security personnel, response teams. \item Establishing contacts with investigative agencies. \item Notification of site legal counsel. \item Pre-defined actions on specific types of incidents (e.g., monitor activity, shut-down system). \item Developing notification lists (who is notified of what). \end{itemize} \item Establishing post-incident procedures \begin{itemize} \item Removing vulnerabilities. \item Capturing lessons learned. \item Upgrading policies and procedures. \end{itemize} \end{enumerate} Goals and Milestones: Done Review, amend, and approve the Charter as necessary. Examine the particular customer needs for a handbook and define the scope. Continue work on an outline for the handbook. Set up an SSPHWG ``editorial board for future writing assignments for the first draft of document. Done Finalize outline and organization of handbook. Partition out pieces to interested parties and SSPHWG editorial board members. Done Pull together a first draft handbook for Working Group review and modification. Oct 90 Finalize draft handbook and initiate IETF Internet Draft review process, to follow with the submission of the handbook to the RFC Editor for publication. Oct 90 Finalize draft handbook and initiate IETF Internet Draft review process, to follow with the submission of the handbook to the RFC Editor forpublication. Internet Drafts: No Current Internet drafts. Request For Comments: RFC Stat Published Title ------- -- ---------- ----------------------------------------- RFC1244 Jul 91 Site Security Handbook