1 About this document

• 1.1 How to read this document
• 1.2 Scope / Objectives
• 1.3 Who should read this document?
• 1.4 Corrections/Mistakes
• 1.5 Copyright

1.1 How to read this document

Look at the table of contents to understand the structure of this document. Go to the section that interests you.

• If you're interested in detailed technical guidelines, read section "Practical IT Security Summary" (it's only 1-2 pages) first, then go to the topic in Part III which interests you.
• An index, abbreviations list and references list are available at the end of this document.
• The symbols     and  are used extensively in this document to refer to a sensitivity and availability level classification and not paragraph numbering. See also the sections classification  and practical security summary.

1.2 Scope / Objectives

This document has the following objectives:

1. To briefly discuss threat & risk analysis.
2. To outline the ingredients necessary to define a security policy and to provide a framework (based on standards such as ITSEC and TCSEC) for deciding how tightly systems need to be secured.
3. To outline (sample) policies, processes, structure and responsibilities required in a security organisation.
4. To present current security mechanisms.
5. To briefly present physical security (concerning IT systems).
6. To provide a detailed list of technical guidelines for
   • operating systems, applications and networks used in client/server systems. For the moment this report concentrates on Client/Server and Internet systems: NT, FW, Win95, OLTP, Oracle, Sybase, Sun UNIX, Firewalls, WWW/Java and TCP/IP Networks.
   • Auditing checklists and "quick overviews" are provided for several types of systems
   • DEC, SGI, AIX and HP systems are only partially covered in this document. They need to be covered in more detail (especially for the comparison in the Operating Systems Overview Chapter).
   • It is not intended that this document cover VAX , Mainframe, Novell or Macintosh systems. 

A detailed list of Security Information resources (such as CERT, FIRST, TCSEC and ITSEC) are listed in the Appendix, along with sample scripts and programs. 

1.3 Who should read this document?

• Line managers (Chapters 1-4, 6).
• Computer Users (Chapters 1, 2, 6.2 User Policy)
• System administrators, Security administrators: Chapters 7-22
• Technical Project leaders: Chapters 1-7, 15. 

1.4 Corrections/Mistakes

Feedback and notification of corrections or mistakes are welcome. Please send them to book at boran.com with a subject line of "IT Security Cookbook". 

1.5 Copyright

See welcome1.html.