Re: Latest Draft
"Jeffrey I. Schiller" <jis@mit.edu> Fri, 08 March 1991 03:20 UTC
Received: from nri.reston.va.us by NRI.NRI.Reston.VA.US id aa24441; 7 Mar 91 22:20 EST
Received: from ATHENA.MIT.EDU by NRI.NRI.Reston.VA.US id aa24279; 7 Mar 91 22:12 EST
Received: from BIG-SCREW.MIT.EDU by ATHENA.MIT.EDU with SMTP id AA00453; Thu, 7 Mar 91 22:13:58 EST
Received: by BIG-SCREW (5.57/4.7) id AA24369; Thu, 7 Mar 91 22:13:55 EST
Date: Thu, 07 Mar 1991 22:13:55 -0500
Message-Id: <9103080313.AA24369@BIG-SCREW>
From: "Jeffrey I. Schiller" <jis@mit.edu>
Sender: jis@athena.mit.edu
To: spwg@NRI.Reston.VA.US
Subject: Re: Latest Draft
This message is in response to my previous comments. Basically in my last set of comments I pointed out some issues which I thought should be addressed in the policy. In this message I propose concrete changes in an attempt to address my own concerns. Under the Elaboration section, change Point (3) Subparagraph (iii) from: (iii) There must be a capability to monitor security compliance and respond to incidents involving violation of security. Logs of logins and other security-relevant events are strongly advised, as well as regular audit of these logs. Also recommended is a capability to trace connections and other events in response to penetrations. To (All Uppercase represents my changes): (iii) There SHOULD be a capability to monitor security compliance and respond to incidents involving violation of security. Logs of logins and other security-relevant events are strongly advised, as well as regular audit of these logs. Also recommended is a capability to trace connections and other events in response to penetrations. HOWEVER IT IS IMPORTANT FOR SERVICE PROVIDERS TO HAVE A WELL THOUGHT OUT AND PUBLISHED POLICY ABOUT WHAT INFORMATION THEY GATHER, WHO HAS ACCESS TO IT AND FOR WHAT PURPOSES. MAINTAINING THE PRIVACY OF NETWORK USERS SHOULD BE KEPT IN MIND WHEN DEVELOPING SUCH A POLICY. I also recommend changing subpoint (v) from: (v) Sites and networks which are notified of security incidents should respond in a timely and effective manner. In the case of penetrations or other violations, sites and networks should allocate resources and capabilities to identify the nature of the incident, identify the violator, and limit the damage. A site or network cannot be considered to have good security if it does not respond to incidents in a timely and effective fashion. Similarly, sites and networks should respond when notified of security flaws in their systems. Sites and networks have the responsibility to install fixes in their systems as they become available. To (no uppercase used here, changes should be obvious): (v) Sites and networks which are notified of security incidents should respond in a timely and effective manner. In the case of penetrations or other violations, sites and networks should allocate resources and capabilities to identify the nature of the incident and limit the damage. A site or network cannot be considered to have good security if it does not respond to incidents in a timely and effective fashion. If a violator can be identified, appropriate action should be taken to ensure that no further violations are caused. Exactly what sanctions should be brought against a violator depend on the nature of the incident and the site environment. For example a university may choose to bring internal disciplinary action against a student violator. Similarly, sites and networks should respond when notified of security flaws in their systems. Sites and networks have the responsibility to install fixes in their systems as they become available. -Jeff
- Latest Draft Barbara Fraser
- Re: Latest Draft Jeffrey I. Schiller
- Re: Latest Draft James B. Van Bokkelen