FIPS PUB 191
Appendix A - LAN Security Policy
A computer security policy is a concise statement of top management's position on information
values, protection responsibilities, and organizational commitment. This policy is one of the key
components of an overall computer systems security program. It is this policy statement that can
drive the initial security requirements for a LAN. However, it may be appropriate to address
LAN security goals, responsibilities, etc. in a separate policy to be used in conjunction with
the existing broader policy. This section discusses establishing a security policy that could be
applied to a LAN. It also presents one example of a LAN security policy. This example policy
is for illustrative purposes only. It is not intended to be used, as is, by an Agency. The purpose
of this example policy is to highlight the issues that should be considered in developing a LAN
security policy.
The LAN security policy should be issued by the appropriate level of organizational management,
i.e., the person in the organization to whom employees covered by this policy ultimately report.
The policy should be created by a team of individuals that may include top management, security
officers, and LAN management. The policy should state:
Information value - Management's position on the value of information;
Responsibilities - Who is responsible for protecting the information on the LAN;
Commitment - The organization's commitment to protecting information and the LAN;
Applicability - What constitutes the LAN environment and what parts, if any, are exempted.
The LAN security policy should be written such that modifications are rarely required. The need
for frequent changes may indicate that it is too specific. For example, requiring that a specific virus
detection package be used, and naming the package in the policy, may be too
specific, considering the rapid pace at which virus software packages are developed. It may be more
reasonable to merely state that virus detection software should exist on LAN PCs, servers, etc.
and let LAN management specify the product.
The LAN security policy should clearly define and establish responsibility for the protection of
information that is processed, stored, and transmitted on the LAN, and for the LAN itself.
Primary responsibility may be with the data owner, i.e., the manager of the organizational
component that creates the data, processes it, etc. Secondary responsibility may then be with the
users and end users, i.e., those persons within the organization given access to the information
by those with primary responsibility. LAN management should clearly define the role of the
individuals responsible for maintaining the availability of the LAN. The example LAN security
policy below defines responsibilities for functional managers (who may have primary
responsibility), users (who may have secondary responsibility), LAN managers (who are