Site Security Policy Handbook (ssphwg)

Charter

Chair(s):
    J. Paul Holbrook, ph@sei.cmu.edu
    Joyce K. Reynolds, jkrey@isi.edu

Mailing Lists:
    General Discussion: ssphwg@cert.sei.cmu.edu
    To Subscribe: ssphwg-request@cert.sei.cmu.edu

Description of Working Group:

The Site Security Policy Handbook Working Group is chartered to create a handbook that will help sites develop their own site-specific policies and procedures to deal with computer security problems and their prevention.

Among the issues to be considered in this group are:

1. Establishing official site policy on computer security:

   o Define authorized access to computing resources.
   o Define what to do when local users violate the access policy.
   o Define what to do when local users violate the access policy of a remote site.
   o Define what to do when outsiders violate the access policy.
   o Define actions to take when unauthorized activity is suspected.

2. Establishing procedures to prevent security problems:

   o System security audits.
   o Account management procedures.
   o Password management procedures.
   o Configuration management procedures.

3. Establishing procedures to use when unauthorized activity occurs:

   o Developing lists of responsibilities and authorities: site management, system administrators, site security personnel, response teams.
   o Establishing contacts with investigative agencies.
   o Notification of site legal counsel.
   o Pre-defined actions on specific types of incidents (e.g., monitor activity, shut-down system).
   o Developing notification lists (who is notified of what).

4. Establishing post-incident procedures:

   o Removing vulnerabilities.
   o Capturing lessons learned.
   o Upgrading policies and procedures.

Goals and Milestones:

1 May 1990    Review, amend, and approve the charter as necessary. Examine the particular customer needs for a handbook and define the scope. Continue work on an outline for the handbook. Set up an SSPHWG "editorial board" for future writing assignments for the first draft of the document.

Jun 1990      Finalize outline and organization of handbook. Partition out pieces to interested parties and SSPHWG editorial board members.

Aug 1990      Pull together a first draft handbook for Working Group review and modification.

Oct 1990      Finalize draft handbook and initiate IETF Internet Draft review process, to follow with the submission of the handbook to the RFC Editor for publication.