Charter

Chair(s): J. Paul Holbrook <holbrook@cic.net> Joyce K. Reynolds <jkrey@isi.edu>

Security Area Director(s) Steve Crocker <crocker@tis.com>

Mailing lists: General Discussion:ssphwg@cert.sei.cmu.edu To Subscribe: ssphwg-request@cert.sei.cmu.edu Archive:

Description of Working Group:

The Site Security Policy Handbook Working Group is chartered to create a handbook that will help sites develop their own site-specific policies and procedures to deal with computer security problems and their prevention.

Among the issues to be considered in this group are:

1. Establishing official site policy on computer security:
   • Define authorized access to computing resources.
   • Define what to do when local users violate the access policy.
   • Define what to do when local users violate the access policy of a remote site.
   • Define what to do when outsiders violate the access policy.
   • Define actions to take when unauthorized activity is suspected.

2. Establishing procedures to prevent security problems:
   • System security audits.
   • Account management procedures.
   • Password management procedures.
   • Configuration management procedures.

3. Establishing procedures to use when unauthorized activity occurs:
   • Developing lists of responsibilities and authorities: site management, system administrators, site security personnel, response teams.
   • Establishing contacts with investigative agencies.
   • Notification of site legal counsel.
   • Pre-defined actions on specific types of incidents (e.g., monitor activity, shut-down system).
   • Developing notification lists (who is notified of what).

4. Establishing post-incident procedures
   • Removing vulnerabilities.
   • Capturing lessons learned.
   • Upgrading policies and procedures.

Goals and Milestones:

Done Review, amend, and approve the Charter as necessary. Examine the particular customer needs for a handbook and define the scope. Continue work on an outline for the handbook. Set up an SSPHWG ``editorial board for future writing assignments for the first draft of document.

Done Finalize outline and organization of handbook. Partition out pieces to interested parties and SSPHWG editorial board members.

Done Pull together a first draft handbook for Working Group review and modification.

Oct 90 Finalize draft handbook and initiate IETF Internet Draft review process, to follow with the submission of the handbook to the RFC Editor for publication.

Oct 90 Finalize draft handbook and initiate IETF Internet Draft review process, to follow with the submission of the handbook to the RFC Editor forpublication.

Internet Drafts:

No Current Internet drafts.

Request For Comments:

RFC Stat Published Title ——- – ———- —————————————– RFC1244 Jul 91 Site Security Handbook