Levels of Security Requirements
» Table of Contents |  | | » Glossary | | | » Index | | |
| | |
| ||
| ||
Each site has unique security requirements. Some sites require only limited measures because they are able to tolerate some forms of unauthorized access with little adverse effect. At the other extreme are those sites that cannot tolerate even the slightest probing, such as strategic military defense centers. In between are many commercial sites, such as banks.
While there are many considerations in determining your security needs, the questions in Table 1-1 “Event Tolerance as a Measure of Security Requirements” can get you started. Your answers can help determine the levels of your security needs. Also refer to “Site Security Policies” for a more specific example of site security requirements.
Table 1-1 Event Tolerance as a Measure of Security Requirements
| Question: Could you tolerate the following event? | Level of Security Requirements Based on Toleration Responses | ||
| Low | Medium | High | |
A user knowing the images being executed on your system | Y | Y | N |
A user knowing the names of another user's files | Y | Y | N |
A user accessing the file of another user in the group | Y | Y | N |
An outsider knowing the name of the system just dialed into | Y | Y | N |
A user copying files of other users | Y | N | N |
A user reading another user's electronic mail | Y | N | N |
A user writing data into another user's file | Y | N | N |
A user deleting another user's file | Y | N | N |
A user being able to read sections of a disk that might contain various old files | Y | N | N |
A user consuming machine time and resources to perform unrelated or unauthorized work, possibly even playing games | Y | N | N |
If you can tolerate most of the events listed, your security requirements are quite low. If your answers are mixed, your requirements are in the medium to high range. Generally, those sites that are most intolerant to the listed events have very high levels of security requirements.
When you review your site's security needs, do not confuse a weakness in site operations or recovery procedures as a security problem. Ensure that your operations policies are effective and consistent before evaluating your system security requirements.