<<Project Name>>

Security Plan
Customer Name
Directions for using template:
Read the Guidance (Arial blue font in brackets) to understand the information that
should be placed in each section of this template. Then delete the Guidance and
replace the placeholder within <<Begin text here>> with your response. There may be
additional Guidance in the Appendix of some documents, which should also be
deleted once it has been used.
Some templates have four levels of headings. They are not indented, but can be
differentiated by font type and size:
Heading 1 - Arial Bold 16 font
Heading 2 - Arial Bold Italic 14 font
Heading 3 - Arial Bold 13 font
Heading 4 - Arial Bold Italic 12 font
You may elect to indent sections for readability.
Author
Author Position
Date
Version: 1.0
07/21/2014
© 2002 Microsoft Corporation. All rights reserved.
The information contained in this document represents the current view of Microsoft Corporation on the issues
discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not
be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, IN THIS DOCUMENT.
Microsoft and Visual Basic are either registered trademarks or trademarks of Microsoft in the United States and/or
other countries.
Revision & Sign-off Sheet
Change Record
Date | Author | Version | Change Reference
Reviewers
Name | Version Approved | Position | Date
Distribution
Name | Position
Document Properties
Item | Details
Document Title | Security Plan
Author |
Creation Date |
Last Updated |
Table of Contents
Summary
Solution Overview and Owner
Objectives
Solution Description
Assignment of Security Responsibility ... 4
General Solution Description ... 4
Solution Environment ... 4
Solution Interconnection and Information Sharing ... 4
Information Sensitivity and Criticality Assessment ... 4
Threats ... 5
Management Controls ... 9
Risk Assessment and Management ... 9
Review of Security Controls ... 9
Rules of Behavior ... 10
Operational Controls ... 10
Personnel Security ... 10
Sensitivity Level ... 10
Required Background Screenings ... 10
Restriction of User Access ... 10
Process for User Accounts ... 10
Separation of Duties ... 11
User Accountability ... 11
Termination Procedures ... 11
Physical and Environmental Protection ... 11
Production and Information Controls ... 11
Contingency Planning ... 12
System Hardware and Software Maintenance Controls ... 12
Data Integrity/Validation Controls ... 13
Incident Response Capability ... 13
Documentation ... 14
Security Awareness and Training ... 14
Technical Controls ... 14
Identification and Authentication ... 15
Password Policy ... 15
Account Lockout Policy ... 15
Kerberos Policy ... 15
Logical Access Controls ... 15
Public Access Controls ... 16
Audit Policy ... 16
Ongoing Security Management ... 17
Appendix A: Security Definitions ... 18
Appendix B: Guidelines for Ongoing Security Management ... 19
[Introduction to the Template
Description: The Security Plan describes how the solution will be brought to
acceptable security levels in order to operate successfully. This plan describes what
security threats will exist and how implementing security standards will mitigate
those.
Justification: The Security Plan will identify development, test, and deployment
activities that will design, build, and implement a secure solution. Those activities will
be incorporated into the teams' plans and increase customer confidence that the
solution will meet with security expectations. The process of developing the Security
Plan produces a series of security standards intended to reduce the security risks to
an acceptable level. Before these security standards can be implemented, the
customer should decide whether the implementation costs of the measures are aligned
with risk reduction, and whether the risks are reduced to an acceptable level.
{Team Role Primary: Release Management is responsible for the development of
the Security Plan. Development plays a primary role in providing content to the plan
that ensures that technical implementation of the security features is feasible.
Program Management ensures that the Security Plan is developed with quality and
is incorporated into the Master Project Plan.
Team Role Secondary: All roles are responsible for reviewing the plan to ensure its
execution is feasible.}]
Summary
[Description: Provide an overall summary of the contents of this document.
Justification: Some readers may need to know only the highlights of the plan, and
summarizing creates that user view. It also enables the full reader to know the
essence of the document before they examine the details.]
<<Begin text here>>
Solution Overview and Owner
[Description: The Solution Overview and Owner section describes the overall
solution and how critical the solution is in the organization. This should include the
name of the group responsible for the solution and the specific owners of the solution
(name, title, address, phone and fax number, email address).]
<<Begin text here>>
Objectives
[Description: The Objectives section defines the primary drivers that were used to
create the security approach and the key objectives of that approach. A secure
solution would typically have the following objectives:
Data is complete: no data has been lost
Data is accurate: no data has been corrupted
Data is accessible: authorized users can access the data in a timely and
useful fashion
No unauthorized access: only authorized users access data
Justification: Identifying the drivers and objectives signals to the customer that
Microsoft has carefully considered the situation and created an appropriate security
approach.]
<<Begin text here>>
Solution Description
[Description: The Solution Description section provides descriptive information on
the solution in general and the aspects of the solution that present security issues.
Justification: This information is the basis for developing security requirements, as it
identifies scenarios that demand security analysis.]
<<Begin text here>>
Assignment of Security Responsibility
[Description: The Assignment of Security Responsibility section describes the roles
and responsibilities of all users having access to the solution. This should include the
approximate number of authorized users and their physical locations.]
<<Begin text here>>
General Solution Description
[Description: The General Solution Description section describes the solution's
function or purpose and the information it processes. Describe the processing flow of
the solution from input to output. List user organizations (internal & external) and the
type of data and processing provided to them.]
<<Begin text here>>
Solution Environment
[Description: The Solution Environment section provides a general description of the
solution's environmental or technical factors that raise special security concerns
(dial-up lines, open network, etc.). Include a diagram of the architecture here or in an
Appendix, if applicable. Describe the primary computing platform(s) used and the
principal solution components, including hardware, software, and communications
resources. Include any security software protecting the solution and information. List
the physical location(s) of the solution.]
<<Begin text here>>
Solution Interconnection and Information Sharing
[Description: Organizations may consider requiring that a written authorization, such
as a statement of understanding or agreement, be obtained prior to connection with
other solutions and/or sharing sensitive data/information. The Solution
Interconnection and Information Sharing section lists all those interconnections and
identifies any such agreements. If the solution is to be connected to an external
system not covered by a security plan, provide a brief discussion of any security
concerns that need to be considered for protection. This section should also include a
description of the rules for interconnecting systems and for protecting shared data.]
<<Begin text here>>
Information Sensitivity and Criticality Assessment
[Description: The Information Sensitivity and Criticality Assessment section
describes, in general terms, the information handled by the solution and the need for
protective measures. It should list the types of sensitive information the solution
accesses. Examples may include administrative, financial, grant/contract, patient,
proprietary, research, Privacy Act. Each of the information types should be
characterized using the three basic protection requirements (confidentiality, integrity,
and availability). The level of protection required is determined by an evaluation of
the sensitivity and criticality of the information processed, the relationship of the
solution to the organization's mission, and the economic value of the solution
components.
Use the sensitivity and criticality definitions found in the Appendix.
Below are two tables that can be used to define solution protection requirements. The
second is more granular. Select the level of detail appropriate to your project. It may
be applicable to include a statement of the estimated risk and magnitude of harm
resulting from the loss, misuse, or unauthorized access to or modification of
information in the solution.]

System Protection Requirements | High | Medium | Low
Confidentiality | | |
Integrity | | |
Availability | | |

Information Type | Confidentiality (High, Medium or Low) | Integrity | Availability
Administrative | | |
Financial | | |
Grant/Contract | | |
Patient | | |
Proprietary | | |
Research | | |
Privacy Act | | |
Other (specify) | | |

Threats
[Description: The Threats section provides a comprehensive analysis of the possible
threats to the solution. A classification of the different kinds of threats to quality
information delivery is suggested in the following table. This includes deliberate and
non-deliberate threats. This is not meant to be exhaustive; add threats appropriate
to the subject solution.
Using the MSF Risk Management approach, generate a baseline list of security
threats and estimate 1) the probability of the threat being realized and 2) the
magnitude or impact of the loss should that risk occur. Probability will be estimated
using a 0 (low) to 1 (high) scale for risk probability and a 1 (low) to … (high) scale for
risk impact. The product of probability times impact yields risk exposure. Risks will be
prioritized by the magnitude of risk exposure and appropriate mitigation and
contingency plans developed for the highest priority risks.
Impact:
Data is complete: no data has been lost
Data is accurate: no data has been corrupted
Data is accessible: authorized users can access the data in a timely and
useful fashion
No unauthorized access: only authorized users access data.

Threat table columns: Threat | Impact on Solution (Data completeness, Data accuracy,
Data access, Unauthorized data access) | Risk Probability (High - Low) | Mitigation plan
or contingency plan. (Modify as necessary.) The impact and probability columns are left
blank for the project to complete; the threats and suggested plans are listed below.

Environmental
Fire: Offsite backup, business continuity plan
Flood: Offsite backup, raised floors, business continuity plan
Storm (including lightning): Surge protectors, go offline during lightning policy
Earthquake: Offsite backup, business continuity plan
Heat: Monitored, temperature controlled room, temperature monitors inside servers, fan and filter inspections
Cold: Monitored, temperature controlled room
Static electricity: Grounding cables
Sprinklers: Offsite backup, business continuity plan
Dust and dirt: Regular inspection and replacement of dust filters

[Technology]
Power surges or sags: UPS with sag protection
Power interruption: UPS with battery backup
Magnetic: "No magnets" policies
Computer vulnerabilities
  Hard drives: RAID, backups, locks, format before reuse policy, large SCSI drives
  Power supplies: Redundancy
  Cables and connectors: Physical security, documentation, labeling, audits
  Memory: Maximum memory
  CPU speed: Upgradeable multiprocessor machines
  Other semiconductor components: Hardware standard configurations
Router vulnerabilities: Redundancy, documentation, audits, training
Packet filters: Redundancy, documentation, audits, training
Software vulnerabilities
  Software design: Design reviews, managed development process, training, setting constraints and identifying limits
  Software construction: Code reviews, managed development process, training, source code control
  Software testing: Code reviews, managed development process, dedicated test engineers, automated testing tools, training
  Software documentation: Managed development process, documentation standards, document version control
  Configuration errors: Training, documentation, audits, automated deployment
  License limits exceeded: Auditing, training
Networking and telecommunications vulnerabilities
  Domain or account design: Training, documentation, audits, use of NT
  Resource access control: Training, documentation, audits, use of NT
  Transmitting passwords in the clear: Training, configuration documentation, use of NT, DPK and SSL or other encryption methods
  Failure to use authentication: Training, configuration documentation, use of NT, DPK, and SSL or other authentication methods
  Packet filter configuration errors: Training, configuration documentation
  Modem dialup (RAS): Separate security policies, call-back, NT, RADIUS, audits, RAS policies, training
  Management systems configuration: Training, configuration, audits

[Human Activity]
Password loss or compromise: Training, policies, use of strong password technologies
Introduction of viruses, worms, etc.: Training, policies, virus scanning software
Deliberate attacks on data integrity: Virus scanning software, training, data access policies, NTFS, password protection of resources
"User error": Training, software design and configuration, audits, backups, policies, limiting user rights
Software reconfiguration: Backups, limiting administrator rights, policies, configuration documentation, training, use of "locked-down" desktop configuration
Trojan horses: Use "trusted code" or components from "trusted" sources
Trapdoors: Use "trusted code" or components from "trusted" sources
Registry attacks: Physical security of servers, limit access to NT registry
Unapproved software installation: Training, policies, audits
Excessive use of bandwidth: Planning, performance monitoring, training
Unauthorized internal users: NT security accounts, monitoring, strong passwords, principle of least privilege
Denial of service attacks: Service Packs, Proxy, Training
Theft: Physical security, locks, training, policies
  Data theft via copy: Physical security, locks, training, policies, auditing
  Hardware theft: Physical security, locks, training, policies
  Laptops with dialup capability: Do not "save password," separate RAS passwords, dialback, training, policies
  Backup tapes: Training, policies and procedures, auditing, testing, offsite storage, physical security

Evolving Environmental Constraints
Legislation (e.g. regarding length of cryptographic keys for export, or use of encryption): Follow standards bodies. Use industry standards when possible
Public opinion: Use industry standards when possible; have standard, documented operational procedures with periodic review process
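A worked risk-exposure worksheet for the approach described in the Threats section (exposure = probability × impact, threats ranked by exposure, priority threats checked for both a mitigation and a contingency plan). This is an added example, not part of the Microsoft template: the impact upper bound of 10, the priority cut-off of 2.5, the use of the worst impact area as the loss magnitude, and the sample scores are assumptions; the threat names and plans are taken from the table above.

```python
"""Risk exposure worksheet for the Threats section: exposure = probability x impact,
threats ranked by exposure, and the highest-priority ones checked for a mitigation
and a contingency plan. Added example, not part of the Microsoft template."""
from dataclasses import dataclass

# The plan's four impact areas; each is scored 1 (low) to IMPACT_HIGH (high).
IMPACT_AREAS = ("data completeness", "data accuracy", "data access", "unauthorized data access")
IMPACT_HIGH = 10          # assumed upper bound; the template fixes only the 1 (low) end
PRIORITY_EXPOSURE = 2.5   # assumed cut-off above which both plans are mandatory


@dataclass
class Threat:
    name: str
    category: str            # Environmental, Technology, Human Activity, ...
    probability: float       # 0 (low) .. 1 (high)
    impact: dict             # area -> score, one entry per IMPACT_AREAS
    mitigation: str = ""
    contingency: str = ""

    def magnitude(self) -> int:
        # Assumption: the loss magnitude is the worst of the four impact areas.
        return max(self.impact[a] for a in IMPACT_AREAS)

    def exposure(self) -> float:
        return round(self.probability * self.magnitude(), 2)


def validate(t: Threat) -> None:
    if not 0.0 <= t.probability <= 1.0:
        raise ValueError(f"{t.name}: probability must be between 0 and 1")
    for area in IMPACT_AREAS:
        if not 1 <= t.impact.get(area, 0) <= IMPACT_HIGH:
            raise ValueError(f"{t.name}: impact on {area} must be 1..{IMPACT_HIGH}")


def rank(threats: list[Threat]) -> list[Threat]:
    """Highest exposure first; ties broken by name so the order is stable."""
    for t in threats:
        validate(t)
    return sorted(threats, key=lambda t: (-t.exposure(), t.name))


def missing_plans(threats: list[Threat], cutoff: float = PRIORITY_EXPOSURE) -> list[str]:
    """Names of priority threats that still lack a mitigation or a contingency plan."""
    return [t.name for t in rank(threats)
            if t.exposure() >= cutoff and not (t.mitigation and t.contingency)]


def worksheet(threats: list[Threat]) -> list[str]:
    """One line per threat in priority order, in the columns of the plan's threat table."""
    return [f"{t.category:14} {t.name:26} P={t.probability:.2f} I={t.magnitude():2d} "
            f"E={t.exposure():5.2f}  {t.mitigation or '(no plan)'}" for t in rank(threats)]


# Constructed sample: names and plans from the template's threat table, scores illustrative.
SAMPLE = [
    Threat("Fire", "Environmental", 0.10,
           dict(zip(IMPACT_AREAS, (9, 3, 8, 1))),
           "Offsite backup", "Business continuity plan"),
    Threat("Password loss or compromise", "Human Activity", 0.60,
           dict(zip(IMPACT_AREAS, (2, 4, 5, 9))),
           "Training, policies, strong password technologies", "Reset affected accounts"),
    Threat("Power interruption", "Technology", 0.40,
           dict(zip(IMPACT_AREAS, (3, 3, 8, 1))),
           "UPS with battery backup", "Business continuity plan"),
    Threat("Trojan horses", "Human Activity", 0.30,
           dict(zip(IMPACT_AREAS, (5, 8, 6, 9))),
           "Use trusted code or components from trusted sources"),   # no contingency yet
]

if __name__ == "__main__":
    print("\n".join(worksheet(SAMPLE)))
    print("Priority threats without both plans:", missing_plans(SAMPLE))
```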
Management Controls
[Description: The Management Controls section describes the management-level
approach to controlling security for the solution. This includes risk assessment
processes, risk reviews, and the behavioral expectations of all individuals who work
within the solution.]
Risk Assessment and Management
[Description: The Risk Assessment and Management section describes the risk
assessment methodology to be used to continuously identify the threats and
vulnerabilities of the solution. This should include information about any existing
assessments and those conducted in the future. For existing assessments, state who
conducted it and when. For future assessments, identify the group that will conduct
the assessment and the expected frequency of that assessment. If there is no
existing solution risk assessment, include a milestone date (month and year) for its
completion.]
<<Begin text here>>
Review of Security Controls
[Description: The Review of Security Controls section identifies any independent
security reviews that will be conducted on the solution. Include information about the
type of security evaluation to be performed, who will perform the review, and the
purpose of the review.]
<<Begin text here>>
Rules of Behavior
[Description: The Rules of Behavior section describes the written set of rules of
behavior established for the solution. These should be made available to every user
prior to the user receiving access to the solution, with a signature page to
acknowledge receipt. The rules of behavior should clearly delineate responsibilities
and expected behavior of all individuals with access to the solution. They should state
the consequences of inconsistent behavior or non-compliance. They should also
include appropriate limits on interconnections to other solutions.]
<<Begin text here>>
Operational Controls
[Description: The Operational Controls section describes the operational-level
approach to controlling security for the solution. This includes personnel controls,
physical and environmental protections, and other operational security processes.]
<<Begin text here>>
Personnel Security
[Description: The Personnel Security section defines how the solution users will be
managed to ensure security.]
<<Begin text here>>
Sensitivity Level
[Description: The Sensitivity Level section describes how positions are reviewed for
sensitivity level.]
<<Begin text here>>
Required Background Screenings
[Description: The Required Background Screenings section describes any
background screenings that are appropriate for positions to which employees are
assigned.]
<<Begin text here>>
Restriction of User Access
[Description: The Restriction of User Access section describes how user access is
restricted to the minimum amount necessary to perform their assignments.]
<<Begin text here>>
Process for User Accounts
[Description: The Process for User Accounts section describes the process for
requesting, establishing, issuing, and closing user accounts.]
<<Begin text here>>
Separation of Duties
[Description: The Separation of Duties section describes how critical functions are
divided among different individuals.]
<<Begin text here>>
User Accountability
[Description: The User Accountability section describes the mechanisms that are in
place for holding users responsible for their actions.]
<<Begin text here>>
Termination Procedures
[Description: The Termination Procedures section describes the friendly and
unfriendly user termination procedures.]
<<Begin text here>>
Physical and Environmental Protection
[Description: The Physical and Environmental Protection section describes the
physical protection in the area where solution processing takes place (e.g., locks on
terminals, physical barriers around the building and processing area, etc.). Factors to
address include physical access, fire safety, failure of supporting utilities, structural
collapse, plumbing leaks, interception of data, mobile and portable systems.]
<<Begin text here>>
Production and Information Controls
[Description: The Production and Information Controls section provides a synopsis
of the procedures that support the solution's operations. Describe the controls used
for the processing, storing, and disposing of information and media as well as the
labeling and distribution procedures for the information. The controls used to monitor
the installation of software updates should also be listed. Below is a sampling of
topics that may be reported in this section:
Is there a Help Desk or group that offers advice and can respond to security
incidents in a timely manner?
Are there procedures in place documenting how to recognize, handle, report,
and track incidents and/or problems?
Do these procedures outline how to categorize and prioritize incidents?
Are there procedures to ensure unauthorized individuals cannot read, copy,
alter, or steal printed or electronic information?
Are there procedures for ensuring that only authorized users pick up, receive,
or deliver input and output information and media?
Are there audit trails for receipt of sensitive inputs/outputs?
Are there procedures for restricting access to output products?
Is there internal/external labeling for sensitivity (e.g., Privacy Act,
Proprietary)?
Is there external labeling with special handling instructions (e.g., log/inventory
identifiers, controlled access, special storage instructions, release or
destruction dates)?
Are there audit trails for inventory management?
Is there a media storage vault or library containing physical, environmental
protection controls/procedures?
Are there procedures for sanitizing electronic media for reuse?
Are there procedures for controlled storage, handling, or destroying spoiled
media or media that cannot be effectively sanitized for reuse?
Are there procedures for shredding or other destructive measures for
hardcopy media when no longer required?]
<<Begin text here>>
Contingency Planning
[Description: The Contingency Planning section briefly describes the contingency
plan that would be followed to ensure the solution continues to be processed if the
supporting IT system were unavailable. If a formal Backup and Recovery Plan has
been completed, reference the plan. The contingency plan should include
descriptions for the following:
Agreements of backup processing
Documented backup procedures including frequency (daily, weekly, monthly)
and scope (full, incremental, and differential backup)
Location of stored backups and generations of backups
Are tested contingency/disaster recovery plans in place? How often are they
tested?
Are all employees trained in their roles and responsibilities relative to the
emergency, disaster, and contingency plans?
Coverage of backup procedures, e.g., what is being backed up?]
<<Begin text here>>
System Hardware and Software Maintenance Controls
[Description: The System Hardware and Software Maintenance Controls section
briefly describes the plans that involve the maintenance of solution hardware and
software. The plan should include descriptions for the following:
Are there restrictions/controls on those who perform hardware and software
maintenance and repair activities?
Are there procedures used for controlling remote maintenance services where
diagnostic procedures or maintenance is performed through
telecommunications arrangements?
Are software warranties managed to minimize the cost of upgrades and
cost-reimbursement or replacement for deficiencies?
Describe any formal change control process in place.
Is there version control that allows association of components to the
appropriate application/system version?
Are all changes to the solution components documented?
Are there impact analyses to determine the effect of proposed changes on
existing security controls, to include the required training for both technical
and user communities associated with the change in hardware/software?
Are there change identification, approval, and documentation procedures?
Are there procedures for ensuring contingency plans and other associated
documentation are updated to reflect system changes?]
<<Begin text here>>
Data Integrity/Validation Controls
[Description: The Data Integrity/Validation Controls section briefly describes the
plans that involve the maintenance of data integrity/validation controls. The plan
should include descriptions for the following:
Is virus detection and elimination software installed? If so, are there
procedures for updating virus signature files, automatic and/or manual
virus scans, and virus eradication and reporting?
Are integrity verification tools or programs used by the solution to look for
evidence of data tampering, errors, and omissions?
Is an intrusion detection tool installed to monitor the solution?
Are procedures in place to handle and close out security incidents?
Are other network security software packages used?
Is solution performance monitoring used to analyze performance logs in
real time to look for availability problems, including active attacks, and
solution and network slowdowns and crashes?]
<<Begin text here>>
Incident Response Capability
[Description: The Incident Response Capability section briefly describes the plans
that involve the maintenance of incident reporting. The plan should include
descriptions for the following:
Are there procedures for reporting incidents handled either by solution
personnel or externally?
Are there procedures for recognizing and handling incidents, i.e., what files
and logs should be kept, who to contact, and when?
Who receives and responds to alerts/advisories, e.g., vendor patches,
exploited vulnerabilities?
What preventative measures are in place, i.e., intrusion detection tools,
automated audit logs, penetration testing?]
<<Begin text here>>
Documentation
[Description: The Documentation section defines the documentation (descriptions of
the hardware and software, policies, procedures, and approvals) related to
information security in the solution. Describe the procedure used to update any
documentation. Also list the physical location of documentation. Examples may
include:
Vendor documentation of hardware/software
Functional requirements
Design specifications
Source code documents
Testing procedures and results
Records of verification reviews/site inspections
Standard operating procedures
User rules/manuals
Emergency procedures
Contingency plans
Risk assessments]
<<Begin text here>>
Security Awareness and Training
[Description: The Security Awareness and Training section describes the type and
frequency of solution-specific security training provided to employees and contractor
personnel (workshops, formal classroom, focus groups, role-based training, and
on-the-job training). It also describes the procedures for assuring that employees and
contractor personnel have been provided adequate training.]
<<Begin text here>>
Technical Controls
[Description: The Technical Controls section describes the technical controls for
ensuring the solution's security. This includes identification, authentication, and
access policies and controls.]
Identification and Authentication
[Description: The Identification and Authentication section describes the solution's
user authentication control mechanisms (password, token, and biometrics). Indicate
the frequency of password changes, describe how changes are enforced, and
identify who changes the passwords (the user,
the system administrator, or the
application/system). The following three sub-sections should be completed if an
additional password system is used in the solution.]
<<Begin text here>>
Password Policy
[Maximum Password Age
Minimum Password Age
Minimum Password Length
Passwords must meet complexity requirements of installed password filter
Allow storage of passwords using reversible encryption for all users in the
domain
User must logon to change password]
<<Begin text here>>
Account Lockout Policy
[Account lockout threshold
Lockout duration
Reset account lockout after]
<<Begin text here>>
Kerberos Policy
[Description: Describe how user logon restrictions are enforced and the maximum
lifetime for user tickets.]
<<Begin text here>>
Logical Access Controls
[Description: The Logical Access Controls section describes the controls in place to
authorize or restrict the activities of users and personnel within the solution. Describe
hardware or software features that are designed to permit only authorized access to
or within the solution, to restrict users to authorized transactions and functions,
and/or to detect unauthorized activities. The following may apply:
Describe how access rights are granted. Are privileges granted based on job function?
Describe how users are restricted from accessing the operating system or other system resources not required in the performance of their duties.
Describe controls to detect unauthorized transaction attempts by authorized and/or unauthorized users. Describe any restrictions to prevent users from accessing the solution outside of normal work hours or on weekends.
Indicate if encryption is used to prevent access to sensitive files as part of the solution access control procedures.
Describe the rationale for electing to use or not use warning banners, and provide an example if banners are used.]
<<Begin text here>>
Public Access Controls
[Description: The Public Access Control section applies if the public accesses the solution. This section describes the additional security controls used to protect the solution's integrity and to protect the confidence of the public in the solution. Such controls include segregating information made directly accessible to the public from official agency records. Others may include:
Some form of identification and authentication
Access controls to limit what the user can read, write, modify, or delete
Controls to prevent public users from modifying information in the system
Digital signatures
CD-ROM for on-line storage of information for distribution
Copies of information for public access available on a separate system
Controls to prohibit the public from accessing live databases
Verification that programs and information distributed to the public are virus-free
Audit trails and user confidentiality
System and data availability
Legal consideration.]
<<Begin text here>>
Audit Policy
[Description: The Audit Policy section briefly describes the following elements of an audit policy:
Audit Account Logon Events
Audit Account Management
Audit Directory Service Access
Audit Logon Events
Audit Object Access
Audit Policy Change
Audit Privilege Use
Audit Process Tracking
Audit System Events.]
<<Begin text here>>
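The Password Policy, Account Lockout Policy, Kerberos Policy and Audit Policy sections above each name settings that Windows keeps in a security template, and `secedit /export /cfg <file>` writes them to an INF file under the [System Access], [Kerberos Policy] and [Event Audit] sections. As an added example that is not part of this template or of any Microsoft tool, the following Python script parses such an export and reports every setting that is absent or differs from the values the plan documents; it is the kind of automated assessment that Appendix B calls for under Checking the use of Corporate Security Standards. The export text and the baseline values are constructed for the example; the section and key names are the ones secedit writes for a Windows 2000-era template (later versions add per-subcategory audit settings that this check does not cover).

```python
"""Check a secedit security template export against the values a Security
Plan documents for its Password, Account Lockout, Kerberos and Audit Policy
sections. Section/key names are those `secedit /export /cfg <file>` writes
on Windows; the export and baseline below are constructed for this example."""
import configparser

# Audit categories as the plan's Audit Policy section lists them; secedit
# encodes each as 0 = none, 1 = success, 2 = failure, 3 = success and failure.
AUDIT_CATEGORIES = [
    "AuditAccountLogon", "AuditAccountManage", "AuditDSAccess",
    "AuditLogonEvents", "AuditObjectAccess", "AuditPolicyChange",
    "AuditPrivilegeUse", "AuditProcessTracking", "AuditSystemEvents",
]

# Constructed baseline (hypothetical plan values): key -> (requirement, predicate).
# Password ages are days, lockout windows minutes, ticket age hours.
PLAN = {
    "System Access": {
        "MinimumPasswordAge": ("at least 1 day", lambda v: v >= 1),
        "MaximumPasswordAge": ("1-90 days; 0 or -1 means never expires", lambda v: 1 <= v <= 90),
        "MinimumPasswordLength": ("at least 8 characters", lambda v: v >= 8),
        "PasswordComplexity": ("complexity filter enabled", lambda v: v == 1),
        "ClearTextPassword": ("reversible encryption disabled", lambda v: v == 0),
        "RequireLogonToChangePassword": ("user must log on to change password", lambda v: v == 1),
        "LockoutBadCount": ("lock out after 1-10 failed logons; 0 disables lockout", lambda v: 1 <= v <= 10),
        "ResetLockoutCount": ("counter reset window at least 15 minutes", lambda v: v >= 15),
        "LockoutDuration": ("at least 15 minutes, or -1 (until an administrator unlocks)", lambda v: v == -1 or v >= 15),
    },
    "Kerberos Policy": {
        "MaxTicketAge": ("user ticket lifetime at most 10 hours", lambda v: 1 <= v <= 10),
        "TicketValidateClient": ("enforce user logon restrictions", lambda v: v == 1),
    },
    "Event Audit": {c: ("audit success and failure", lambda v: v == 3) for c in AUDIT_CATEGORIES},
}

# Constructed sample export with three drifts from the baseline: reversible
# encryption on, lockout disabled, account-logon auditing switched off.
SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 1
RequireLogonToChangePassword = 1
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Kerberos Policy]
MaxTicketAge = 10
TicketValidateClient = 1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 3
AuditDSAccess = 3
AuditAccountLogon = 0
"""

# The same export with the three drifts corrected.
COMPLIANT_EXPORT = (SAMPLE_EXPORT
                    .replace("ClearTextPassword = 1", "ClearTextPassword = 0")
                    .replace("LockoutBadCount = 0", "LockoutBadCount = 5")
                    .replace("AuditAccountLogon = 0", "AuditAccountLogon = 3"))


def load_export(text):
    """Parse INF text into {section: {key: int}} for the sections the plan covers."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as secedit writes it
    cp.read_string(text)
    return {s: {k: int(v) for k, v in cp.items(s)} for s in PLAN if cp.has_section(s)}


def check_policy(policy, plan=PLAN):
    """Return one finding per plan setting that is absent from or violated by the export."""
    findings = []
    for section, rules in plan.items():
        settings = policy.get(section)
        if settings is None:
            findings.append(f"[{section}] section missing from export")
            continue
        for key, (requirement, ok) in rules.items():
            if key not in settings:
                findings.append(f"[{section}] {key} absent: plan requires {requirement}")
            elif not ok(settings[key]):
                findings.append(f"[{section}] {key} = {settings[key]}: plan requires {requirement}")
    return findings


if __name__ == "__main__":
    for label, export in (("drifted", SAMPLE_EXPORT), ("compliant", COMPLIANT_EXPORT)):
        findings = check_policy(load_export(export))
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

To run it against a real export, read the file secedit produced (it is written as UTF-16, so open it with encoding='utf-16') and pass its contents to load_export in place of SAMPLE_EXPORT; the list check_policy returns is the assessment report that should reach the corporate security officer and the IT security group. Values such as MaximumPasswordAge = -1 and LockoutBadCount = 0 are deliberately treated as findings rather than as "within range", because they mean "never expires" and "no lockout" respectively.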
Ongoing Security Management
[Description: The Ongoing Security Management section addresses the process of determining if the security standards are in place and adhered to, if they fulfill the requirements during operation, and if they are still relevant or should be altered after changes have taken place. This section should address three elements of this process:
Maintaining the Level of Security
Checking the use of Corporate Security Standards
Checking targets and reaction to changes
Guidelines for these processes can be found in Appendix B.]
Appendix A: Security Definitions
[Sensitivity:
Confidentiality refers to information that requires protection from unauthorized disclosure.
Integrity refers to information that must be protected from unauthorized, unanticipated, or unintentional modification.
Availability refers to information or services that must be available on a timely basis to meet mission requirements.
Criticality:
Low Sensitivity information requires a minimal amount of protection. This level includes information considered to be in the public domain.
Medium Sensitivity includes important data that must be protected from unauthorized alteration. This level includes information pertaining to correspondence and other document files whose release needs to be controlled.
High Sensitivity information requires the greatest safeguards at the user level. High sensitivity information includes, but is not limited to, highly critical or proprietary information, financial or grant data, or records subject to the Privacy Act.]
Appendix B: Guidelines for Ongoing Security Management
[Maintaining the Level of Security
The level of security attained after implementing the corporate security standard can only be maintained if:
Organizational regulations allow the maintenance of the security standards during current operation.
Responsibilities have been clearly designated.
Standards are regularly checked to see if they are applied.
Security standards are reinforced if new hotspots become known.
Corporate security standards are adjusted in line with changes in personnel, organization, hardware, or software.
Checking the use of Corporate Security Standards
In order to maintain the level of security required, it must be ensured that all corporate security standards are employed in precisely the manner described in the Security Plan.
This must be guaranteed for all solutions during both the planning and operation stages. Checks should be carried out as to whether the proper security standards have been completely and correctly implemented. Periodical tests should be carried out as to whether these corporate security standards are used correctly, adhered to, and whether they are accepted. Random testing can be useful in this regard.
Assessment reports should be compiled automatically as part of the corporate security standards. The results of these checks should be passed on to a corporate security officer and the IT security group so that appropriate action can be taken should problems arise.
Checking Targets and Reaction to Changes
By checking the targets, management should get a clear picture of:
What the corporate security standards have achieved compared to the targets stated in the security goals.
Whether what has already been achieved complies with the security requirements of the company and whether security activities have been successful.
In the event that these checks show that the actual risk differs from the accepted risk defined in the security goals, resources should be made available in order to change this situation. Moreover, it should be ensured that all changes regarding security are handled correctly. For example:
Changes in tasks or priorities for the company
Physical modifications, for example, after moving premises
Changes in threats and/or hotspots
These changes have a significant effect on the security risks and should be detected as soon as possible in order to allow action to be taken in good time.]