Introduction to NonStop Operations Management
Security Management
Introduction to NonStop Operations Management–125507
Basic Security Rules
Before deciding how to secure your hardware and software, you should understand
the following basic security rules. Apply them when establishing your security
program or when reviewing a program that is already in place.
Rule 1 The highest levels of management should support and be committed to a
security program. Management should define the authority and
responsibility for development of a security program and should
implement the program.
Rule 2 The organization’s approach to security should be understood and agreed
to by members of the organization. A formally approved security policy
statement and plan should be developed. A security policy:
• Establishes the security needs and goals of your company
• Indicates who should and should not have access to data
• Describes the protection procedures employees and departments should follow
Rule 3 A security program starts with risk assessment. You need to determine
what to protect: assets, confidentiality, command and control, availability of
a service or function, and so on. You should also estimate the probability and
the importance of each risk. If you cannot quantify a risk numerically, assign
qualitative values such as high, medium, and low.
Rule 4 Staff and users must be able to achieve security goals. The goals should be
realistic, and the rules and tasks should be simple and straightforward. If
the rules and tasks are complicated and cumbersome, people will not
comply.
Rule 5 Security is implemented through a combination of physical barriers,
administrative practices, hardware, and software. For example, the
computer should be physically secure; users should have access only to
what they need; and you should have tools and procedures for enforcing
security.
Rule 6 Separate job duties and responsibilities to a point where collusion is
necessary for fraud to occur. Written job definitions and formally outlined
responsibilities are key elements of this goal. For data processing, you
should define who is responsible for password assignments, file security,
accounting totals, physical access, software changes, and so on.
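Rule 6 can be checked mechanically once the written job definitions exist. The following is an added example, not part of this manual or of any NonStop tool: it takes a table of who is responsible for each data-processing duty named in the rule, a constructed list of duty pairs that no single person should hold, and reports both the people who hold a conflicting pair and the duties that nobody owns. The duty names come from Rule 6; the conflict pairs, the sample assignments and the function names are assumptions made for this illustration.

```python
"""Separation-of-duties check illustrating Rule 6 (added example, not from the manual).

Given who is responsible for each data-processing duty, report every
person who alone holds two duties that should require collusion to abuse,
and every duty that the job definitions name but nobody owns.
"""
from itertools import combinations

# Duty pairs a single person should not hold alone (constructed policy).
CONFLICTING_DUTIES = {
    frozenset({"software changes", "file security"}),
    frozenset({"password assignments", "accounting totals"}),
    frozenset({"physical access", "software changes"}),
}


def duties_by_person(assignments):
    """Invert a duty -> responsible persons mapping into person -> duties."""
    held = {}
    for duty, people in assignments.items():
        for person in people:
            held.setdefault(person, set()).add(duty)
    return held


def find_sod_violations(assignments, conflicts=CONFLICTING_DUTIES):
    """Return sorted (person, duty_a, duty_b) triples that violate the policy."""
    violations = []
    for person, duties in duties_by_person(assignments).items():
        # Every unordered pair of duties this person holds is tested
        # against the conflict list; duty_a < duty_b keeps output stable.
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((person, a, b))
    return sorted(violations)


def unassigned_duties(assignments, required):
    """Duties the written job definitions name but nobody is responsible for."""
    return sorted(d for d in required if not assignments.get(d))


# Constructed sample assignment table (not from any real system).
SAMPLE_ASSIGNMENTS = {
    "password assignments": {"alice"},
    "file security": {"bob", "carol"},
    "accounting totals": {"dave"},
    "physical access": {"erin"},
    "software changes": {"carol"},
}

# The duties Rule 6 lists as needing a named owner.
REQUIRED_DUTIES = [
    "password assignments", "file security", "accounting totals",
    "physical access", "software changes",
]

if __name__ == "__main__":
    for person, a, b in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"{person} holds both '{a}' and '{b}'")
    print("unowned duties:", unassigned_duties(SAMPLE_ASSIGNMENTS, REQUIRED_DUTIES))
```

With the sample table, carol is flagged because she both controls file security and makes software changes, which is exactly the combination that would let one person alter a program and hide the change. Reviewing the assignment table this way whenever duties change keeps the written job definitions and the actual access in step.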
Rule 7 Establish security transaction logs so that you can determine who is
accountable for each transaction and activity. The number and types of
security logs should be proportionate to the level of risk or exposure that
exists.