Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
Planning System Security
Chapter 8744
Planning System Security
There is no one single method for developing a security policy. The
process below provides a general approach.
• Form a security policy. The policy will help you to make appropriate
choices when you need to make difficult decisions later on.
• Identify what you need to protect. These are your assets such as
employees, hardware, data (on-site and off-site), and documentation.
• Identify potential threats to your assets. These include threats from
nature (floods, earthquakes), ignorance and lack of training, and
intentional security breaches.
• Evaluate the likelihood of these threats damaging your assets.
• Rank the risks by level of severity and determine your cost for
reducing that risk; this is also known as risk assessment.
• Lastly, implement measures that will protect your assets in a cost
effective manner.
Establishing your security policy should be a joint effort between the
technical staff and senior management. Your security policy should
conform to whatever laws and regulations to which your organization is
subject.
Common Security Practices
Common security practices include the following:
• Restrict login access to software to those with legitimate need.
• When they are not using their terminals, have users log off, use the
lock command on simple terminals, or set a screen lock. See lock (1).
Many window systems, such as CDE, can be configured to lock
automatically after a defined period of inactivity. You can also
configure the autologout features of csh and other shells.
• Decentralize computer duties by rotating responsibilities among
operators.
• Store backup tapes at bonded, offsite depositories.