FIPS PUB 191
responsible for implementing and maintaining LAN security and availability), and local
administrators (who are responsible for maintaining security in their part of the LAN
environment). Local administrators are usually responsible for one or a subset of the servers and
workstations on a LAN. These responsibilities were compiled from [OLDE92], [COMM91],
[WACK91], and [X9F292].
An Example LAN Security Policy
Purpose
The information residing on the XYZ Agency local area network (LAN) is mission critical. The
size and complexity of the LAN within XYZ have increased, and the LAN now processes sensitive
information. Because of this, specific security measures and procedures must be implemented to
protect the information being processed on the XYZ LAN. The XYZ LAN facilitates sharing
of information and programs by multiple users. This environment increases security risk and
requires more stringent protection mechanisms than would be needed for a standalone
microcomputer (PC) operation. These expanding security requirements in the XYZ computing
environment are recognized by this policy, which addresses the use of the XYZ LAN.
This policy statement has two purposes. The first is to emphasize for all XYZ employees the
importance of security in the XYZ LAN environment and their role in maintaining that security.
The second is to assign specific responsibilities for the provision of data and information security,
and for the security of the XYZ LAN itself.
Scope
All automated information assets and services that are utilized by the XYZ Agency Local Area
Network (LAN) are covered by this policy. It applies equally to LAN servers, peripheral
equipment, workstations, and personal computers (PCs) within the XYZ LAN environment. XYZ
LAN resources include data, information, software, hardware, facilities, and telecommunications.
The policy is applicable to all those associated with the XYZ LAN, including all XYZ
employees, vendors, and contractors utilizing the XYZ LAN.
Goals
The goals of the XYZ information security program are to ensure the integrity, availability and
confidentiality of data which are sufficiently complete, accurate, and timely to meet the needs