Security policy ‐ an individual view

Published date: 01 June 2001
Pages: 17-22
DOI: https://doi.org/10.1108/03055720010803970
Author: John Harlow
Subject Matter: Information & knowledge management
VINE 123 — 17
Security policy – an individual view
by John Harlow, Computing Service, University of Bath
The paper discusses the need for a security policy and how one can be drawn up and implemented. It includes a model Information Security Management Policy.
Introduction
We live in a society which is becoming increasingly paranoid about security and inviolable security systems - on a personal level consider the basic requirements of insurers for home insurance - and it is arguable that the more we advertise our security-mindedness the more likely we are to face breaches. Of course we all take security seriously, and some more than others, but are we clear as to which are the minimum levels which need to be in place? Are we even clear about what we mean by security in the context of its impact on the day-to-day life of an educational institution?
What do we mean by security?
For computing services, at the most fundamental level, security means maintaining the integrity of the institution’s core systems such as the network itself, central servers and central filestore. “Attacks” on these services can either be “soft” as in hacking or “hard” as in physical damage or theft and, of course, a “hard” attack can easily result in substantial “soft” damage through data-loss.
Integrity-maintenance can also include non-compromise of the institution’s “good name”. For example, we certainly do not want our users compromising other institutions’ systems, or bringing the service and/or institution into disrepute through questionable web sites.
System integrity can also be compromised by “abuse” of the system(s), one-to-one or one-to-many, classic examples being mail bombs or denial of service attacks as well as time-wasting by uneducated or deliberately devious users.
The paradox is that the security “guru” may actually be the institution’s largest risk if, for example, due to underfunding the expertise resides in one person only; not just because the expertise would be lost if the person were lost but because the expertise may not be at the level required or expected.
It is arguable that the act of talking about how we handle security at our institution is, in itself, a breach of security...
“We feel secure in the knowledge that...”
This is a phrase that is in common usage, covering a multitude of issues from knowing our car is being serviced correctly because the garage is manufacturer-certified, to the front door being locked when we go to bed. But we should be cautious about using such phrases when describing security levels for fragile computing/network infrastructures, because lack of clarity could result in serious accusations. Thus:
“Feel” - security is sometimes more about feelings than actualities - senior institution managers need to “feel” that systems are “secure” without necessarily understanding the mechanisms. Indeed, it is arguable that if senior institution managers believed they had some understanding of security mechanisms, their meddling could compromise security.
“Secure” - usually means comfortable, confident that, as far as possible, everything is in place to ensure that all the diverse systems will, normally, perform faultlessly.
“In the knowledge that...” - we are fully informed, we have considered all the options and possibilities.
So if we find ourselves saying “We feel secure in the knowledge that everything possible has been done to ensure the highest levels of system security and data integrity.” we need to be clear that we are saying, effectively, the machine room will never burn down, the security guru will not die during a free-fall parachute jump, the authentication servers cannot be compromised by a brilliant Maths undergraduate and so on.
