Re: Latest Draft

"Jeffrey I. Schiller" <jis@mit.edu> Fri, 08 March 1991 03:20 UTC

Received: from nri.reston.va.us by NRI.NRI.Reston.VA.US id aa24441; 7 Mar 91 22:20 EST
Received: from ATHENA.MIT.EDU by NRI.NRI.Reston.VA.US id aa24279; 7 Mar 91 22:12 EST
Received: from BIG-SCREW.MIT.EDU by ATHENA.MIT.EDU with SMTP id AA00453; Thu, 7 Mar 91 22:13:58 EST
Received: by BIG-SCREW (5.57/4.7) id AA24369; Thu, 7 Mar 91 22:13:55 EST
Date: Thu, 07 Mar 1991 22:13:55 -0500
Message-Id: <9103080313.AA24369@BIG-SCREW>
From: "Jeffrey I. Schiller" <jis@mit.edu>
Sender: jis@athena.mit.edu
To: spwg@NRI.Reston.VA.US
Subject: Re: Latest Draft

This message is in response to my previous comments. Basically in my
last set of comments I pointed out some issues which I thought should be
addressed in the policy. In this message I propose concrete changes in
an attempt to address my own concerns.

Under the Elaboration section, change Point (3) Subparagraph (iii) from:

    (iii) There must be a capability to monitor security compliance and
	  respond to incidents involving violation of security.  Logs of
	  logins and other security-relevant events are strongly advised,
	  as well as regular audit of these logs.  Also recommended is a
	  capability to trace connections and other events in response to
	  penetrations.

To (All Uppercase represents my changes):

    (iii) There SHOULD be a capability to monitor security compliance and
	  respond to incidents involving violation of security.  Logs of
	  logins and other security-relevant events are strongly advised,
	  as well as regular audit of these logs.  Also recommended is a
	  capability to trace connections and other events in response to
	  penetrations. HOWEVER IT IS IMPORTANT FOR SERVICE PROVIDERS TO
	  HAVE A WELL THOUGHT OUT AND PUBLISHED POLICY ABOUT WHAT
	  INFORMATION THEY GATHER, WHO HAS ACCESS TO IT AND FOR WHAT
	  PURPOSES. MAINTAINING THE PRIVACY OF NETWORK USERS SHOULD BE
	  KEPT IN MIND WHEN DEVELOPING SUCH A POLICY.

I also recommend changing subpoint (v) from:

    (v)   Sites and networks which are notified of security incidents 
	  should respond in a timely and effective manner.  In the case 
	  of penetrations or other violations, sites and networks
	  should allocate resources and capabilities to identify the nature 
	  of the incident, identify the violator, and limit the damage.  
	  A site or network cannot be considered to have good security if 
	  it does not respond to incidents in a timely and effective fashion.

	  Similarly, sites and networks should respond when notified of 
	  security flaws in their systems. Sites and networks have the 
	  responsibility to install fixes in their systems as they become
	  available.

To (no uppercase used here, changes should be obvious):

    (v)   Sites and networks which are notified of security incidents 
	  should respond in a timely and effective manner.  In the case 
	  of penetrations or other violations, sites and networks
	  should allocate resources and capabilities to identify the nature 
	  of the incident and limit the damage.  
	  A site or network cannot be considered to have good security if 
	  it does not respond to incidents in a timely and effective fashion.

	  If a violator can be identified, appropriate action should be taken
	  to ensure that no further violations are caused. Exactly what
	  sanctions should be brought against a violator depends on the
	  nature of the incident and the site environment. For example,
	  a university may choose to bring internal disciplinary action
	  against a student violator.
	
	  Similarly, sites and networks should respond when notified of 
	  security flaws in their systems. Sites and networks have the 
	  responsibility to install fixes in their systems as they become
	  available.


			-Jeff