Re: Draft Security Policy

J Paul Holbrook <ph@cert.sei.cmu.edu> Thu, 18 October 1990 17:28 UTC

Received: from taos.cert.sei.cmu.edu by NRI.NRI.Reston.VA.US id aa07398; 18 Oct 90 13:28 EDT
Received: from localhost by taos.cert.sei.cmu.edu (5.61/2.3) id AA02135; Thu, 18 Oct 90 13:23:48 -0400
Message-Id: <9010181723.AA02135@taos.cert.sei.cmu.edu>
To: Steven Blair <sblair@synoptics.com>
Cc: ssphwg@cert.sei.cmu.edu, psrg-interest@venera.isi.edu, spwg@NRI.Reston.VA.US
Subject: Re: Draft Security Policy
In-Reply-To: Your message of "Thu, 18 Oct 90 05:56:19 PDT." <9010181256.AA29330@excalibur.synoptics.com>
Date: Thu, 18 Oct 1990 13:23:45 -0400
From: J Paul Holbrook <ph@cert.sei.cmu.edu>

Steve Blair questions why the paragraph talking about security as
protection of unauthorized information and so forth was included in
the draft.

My reading is that this paragraph defines what the term 'security'
means in the context of this policy.

This policy is essentially the 'security constitution' for the
Internet.  As such, it has to define the scope and direction for more
specific security policies and procedures that will be created by
organizations that own resources on the Internet.  This part of the
document is meant to point out that any comprehensive security policy
should address ALL the areas mentioned in this paragraph. 

I disagree with Steve Blair about the statement as a whole.  I
think that the statement is succinct, clear, and that all the parts
are useful.  It is couched in "security-speak", but that's not
inappropriate; the terms used have well-defined meaning in computer
security circles.  The people defining organization-specific
policies based on the Internet policy will need to have some
understanding of computer security issues in order to write a good
policy.  (Incidentally, part of the function of the Site Security
Policy Handbook being produced by the SSPHWG is to serve as a
guide to computer security issues for organizations trying to write
security policies.  So there is a place where these kinds of terms can
be better explained.)

I have some questions and comments on Steve's comments.

   >> Security is understood to include protection of the privacy of 
   >>  information

   OK, that's fairly clear, and by the "computer" terminology is
   redundant to the mission of the document.

Steve, I don't understand your comment here.  What is redundant?
Privacy of information on computer systems is a concern distinct from
other security concerns.

Robert Van Cleef has already commented on denial of service, so I'll
leave that one.

Steve proposes the rewording

   Security includes the protection of private materials and their
   unauthorized use, modification, and/or access by unauthorized
   individuals.  Security also includes the system<->system
   interactions which could impair, or deny services to selected
   systems.

The term 'private materials' doesn't seem to be right.  It seems too
broad, and although I think Steve is trying to make sure this covers
all the bases, it doesn't seem to come off right.

The paragraph in the draft focuses on two things: protection of
information, and protection of systems.  This seems to capture all of
what 'private material' covers, and covers it in a more general
fashion.  I like the focus on 'information' because that makes it
independent of where the information is: whether it's information
going over the network, sitting on a router, or on a system, it's all
potentially vulnerable and may need to be protected.  In this context,
"protecting information against unauthorized modification", as it says
in the draft, seems to make clear sense: security concerns about
information apply any place the information may exist: on hosts, in
transit over nets, passing through routers, or any other place.

Steve's term "system<->system" also misses part of the problem, because it
misses the human part of the problem.  Problems come from both
systems and people.  Though the Internet worm was a programmed threat,
here at the CERT we've seen far more examples of people on the other
end of an attack.


J. Paul Holbrook  / ssphwg co-chair
CERT/CMU
ph@cert.sei.cmu.edu