
FIPS PUB 191 Appendix A - LAN Security Policy

A computer security policy is a concise statement of top management’s position on information values, protection responsibilities, and organizational commitment. This policy is one of the key components of an overall computer systems security program. It is this policy statement that can drive the initial security requirements for a LAN. However, it may be appropriate to address LAN security goals, responsibilities, etc. with a separate policy to be used in conjunction with the existing broader policy.

This section discusses establishing a security policy that could be applied to a LAN. It also presents one example of a LAN security policy. This example policy is for example purposes only. It is not intended to be used, as is, by an Agency. The purpose of this example policy is to highlight the issues that should be considered in developing a LAN security policy.

The LAN security policy should be issued by the appropriate level of organizational management, i.e., the person in the organization to whom employees covered by this policy ultimately report. The policy should be created by a team of individuals that may include top management, security officers, and LAN management. The policy should state:

• Information value - Management’s position on the value of information;
• Responsibilities - Who is responsible for protecting the information on the LAN;
• Commitment - The organization’s commitment to protecting information and the LAN;
• Applicability - What constitutes the LAN environment and what parts, if any, are exempted.

The LAN security policy should be written such that modifications are rarely required. The need for changes may indicate that it is too specific. For example, requiring that a specific virus detection package be used and including the name of the package in the policy may be too specific, considering the rapid pace at which virus software packages are developed. It may be more reasonable to merely state that virus detection software should exist on LAN PCs, servers, etc., and let LAN management specify the product.

The LAN security policy should clearly define and establish responsibility for the protection of information that is processed, stored and transmitted on the LAN, and for the LAN itself. Primary responsibility may be with the data owner, i.e., the manager of the organizational component that creates the data, processes it, etc. Secondary responsibility may then be with the users and end users, i.e., those persons within the organization given access to the information by those with primary responsibility. LAN management should clearly define the role of the individuals responsible for maintaining the availability of the LAN. The example LAN security policy below defines responsibilities for functional managers (who may have primary responsibility), users (who may have secondary responsibility), LAN managers (who are