Re: Draft Security Policy
J Paul Holbrook <ph@cert.sei.cmu.edu> Thu, 18 October 1990 17:28 UTC
Received: from taos.cert.sei.cmu.edu by NRI.NRI.Reston.VA.US id aa07398; 18 Oct 90 13:28 EDT
Received: from localhost by taos.cert.sei.cmu.edu (5.61/2.3) id AA02135; Thu, 18 Oct 90 13:23:48 -0400
Message-Id: <9010181723.AA02135@taos.cert.sei.cmu.edu>
To: Steven Blair <sblair@synoptics.com>
Cc: ssphwg@cert.sei.cmu.edu, psrg-interest@venera.isi.edu, spwg@NRI.Reston.VA.US
Subject: Re: Draft Security Policy
In-Reply-To: Your message of "Thu, 18 Oct 90 05:56:19 PDT." <9010181256.AA29330@excalibur.synoptics.com>
Date: Thu, 18 Oct 1990 13:23:45 -0400
From: J Paul Holbrook <ph@cert.sei.cmu.edu>
Status: O
Steve Blair questions why the paragraph talking about security as protection of unauthorized information and so forth was included in the draft. My reading is that this paragraph defines what the term 'security' means in the context of this policy. This policy is essentially the 'security constitution' for the Internet. As such, it has to define the scope and direction for more specific security policies and procedures that will be created by organizations that own resources on the Internet. This part of the document is meant to point out that any comprehensive security policy should address ALL the areas mentioned in this paragraph.

I disagree with Steve Blair about the statement as a whole. I think that the statement is succinct, clear, and that all the parts are useful. It is couched in "security-speak", but that's not inappropriate; the terms used have well-defined meaning in computer security circles. The people defining organization-specific policies based on the Internet policy will need to have some understanding of computer security issues in order to write a good policy. (Incidentally, part of the function of the Site Security Policy Handbook being produced by the SSPHWG is to serve as a guide to computer security issues for organizations trying to write security policies. So there is a place where these kinds of terms can be better explained.)

I have some questions and comments on Steve's comments.

>> Security is understood to include protection of the privacy of
>> information

> OK, that's fairly clear, and by the "computer" terminology is redundant
> to the mission of the document.

Steve, I don't understand your comment here. What is redundant? Privacy of information on computer systems is a concern distinct from other security concerns.

Robert Van Cleef has already commented on denial of service, so I'll leave that one.

Steve proposes the rewording:

    Security includes the protection of private materials and their
    unauthorized use, modification, and/or access by unauthorized
    individuals. Security also includes the system<->system interactions
    which could impair, or deny services to selected systems.

The term 'private materials' doesn't seem to be right. It seems too broad, and although I think Steve is trying to make sure this covers all the bases, it doesn't seem to come off right. The paragraph in the draft focuses on two things: protection of information, and protection of systems. This seems to capture all of what 'private material' covers, and covers it in a more general fashion. I like the focus on 'information' because that makes it independent of where the information is: whether it's information going over the network, sitting on a router, or on a system, it's all potentially vulnerable and may need to be protected. In this context, "protecting information against unauthorized modification", as it says in the draft, seems to make clear sense: security concerns about information apply any place the information may exist: on hosts, in transit over nets, passing through routers, or any other place.

Steve's term "system<->system" also misses part of the problem, because it misses the human part of the problem. Problems come from both systems and people. Though the Internet worm was a programmed threat, here at the CERT we've seen far more examples of people on the other end of an attack.

J. Paul Holbrook / ssphwg co-chair
CERT/CMU
ph@cert.sei.cmu.edu