1 About this document
1.1 How to read this document
Look at the table of contents to understand the structure of this document. Go to the
section that interests you.
- If you're interested in detailed technical guidelines, read section "Practical IT
Security Summary" (it's only 1-2 pages) first, then go to the topic in Part III which
interests you.
- An index, abbreviations list and references list are available at the end of this
document.
- The symbols and
are used extensively in this document to refer to a sensitivity and availability level
classification and not paragraph numbering. See also the sections classification and practical
security summary.
1.2 Scope / Objectives
This document has the following objectives:
- To briefly discuss threat & risk analysis.
- To outline the ingredients necessary to define a security policy and to provide a
framework (based on standards such as ITSEC and TCSEC) for deciding how tightly systems
need to be secured.
- To outline (sample) policies, processes, structure and responsibilities required in a
security organisation.
- To present current security mechanisms.
- To briefly present physical security (concerning IT systems).
- To provide a detailed list of technical guidelines for
- operating systems, applications and networks used in client/server systems. For the
moment this report concentrates on Client/Server and Internet systems: NT, FW, Win95,
OLTP, Oracle, Sybase, Sun UNIX, Firewalls, WWW/Java and TCP/IP Networks.
- Auditing checklists and "quick overviews" are provided for several types of
systems
- DEC, SGI, AIX and HP systems are only partially covered in this document. They need to
be covered in more detail (especially for the comparison in the Operating Systems Overview
Chapter).
- It is not intended that this document cover VAX , Mainframe, Novell or Macintosh
systems.
A detailed list of Security Information resources (such as CERT, FIRST, TCSEC and
ITSEC) are listed in the Appendix, along with sample scripts
and programs.
1.3 Who should read this document?
- Line managers (Chapters 1-4, 6).
- Computer Users (Chapters 1, 2, 6.2 User Policy)
- System administrators, Security administrators: Chapters 7-22
- Technical Project leaders: Chapters 1-7, 15.
1.4 Corrections/Mistakes
Feedback and notification of corrections or mistakes are welcome. Please send them to book at boran.com with a subject line of "IT Security
Cookbook".
1.5 Copyright
See welcome1.html.