S 2.173 Determining a WWW security strategy

Initiation responsibility: Agency/company management; IT Security Management

Implementation responsibility: Head of IT Section, Administrator

WWW servers are highly attractive targets for hackers, because a successful attack often attracts a great deal of publicity. The provision of security for a WWW server must therefore be given a high priority. Before a WWW server is set up, a WWW security strategy must be defined describing which security measures need to be implemented, and to what extent. The requirements specified in the WWW security strategy can then be used as a basis for regular checking of whether the measures taken are in fact adequate.

The WWW security strategy must include a security strategy for the use of the WWW as well as a security strategy for the operation of a WWW server.

WWW security strategy for the operation of a WWW server

The security strategy for the operation of a WWW server should provide answers to the following questions:

• Who is allowed to load which information onto the server?

• What boundary conditions need to be observed when operating a WWW server?

• How are the staff responsible for the server trained, in particular with regard to potential hazards and the security measures that have to be observed?

• Which files are not allowed to be placed on the WWW server because of their content (for example because the content is confidential, not suitable for publication or is not in line with the company's or agency's policies)?

• What restrictions on accessing the WWW server need to be implemented (see also S 2.175 Setting up a WWW server)?

One part of a security strategy also has to be the regular gathering of information about potential security weaknesses so as to be able to take precautionary action in good time. In addition to the information sources mentioned in S 2.35 Obtaining information on security weaknesses of the system, the "World Wide Web Security FAQ" in particular is a valuable source of security tips on using the WWW. The master copy of this document is to be found at http://www.w3.org/Security/Faq/.

WWW security strategy for using the WWW

The security strategy for using the WWW should provide answers to the following questions:

• Who is given access to the WWW?

• What boundary conditions need to be observed when using the WWW?

• How will users be trained?

• How is the availability of technical assistance for users ensured?

Organisational rules or technical measures are required in order to meet the following conditions, in particular:

• The browsers intended for users should be pre-configured by the administrator so as to automatically achieve the highest possible level of security without further intervention by the users (see also S 5.45 Security of WWW browsers).

• Files whose content is liable to cause offence must be neither placed on nor retrieved from WWW servers. It must be established what type of content is considered offensive.

• After files have been downloaded, they must be explicitly checked for computer viruses.

All rules and instructions concerning the use of the WWW must be specified in writing and should remain available to employees at all times. A sample of such rules is given on the CD-ROM accompanying the IT Baseline Protection Manual, in the Auxiliary Materials directory.

In order to prevent operating errors and to ensure observance of the organisation's internal guidelines, users must be given training before they use the WWW, both in operation of their WWW browser and in the use of the Internet. In particular, they must be made aware of potential hazards and of the security measures that have to be observed.

• Is there a security strategy for the operation of a WWW server?

• Is there a security strategy for the use of WWW services?

• Are the arrangements that have been made adequate?