HP OpenVMS Guide to System Security > Chapter 1 Understanding System Security

Levels of Security Requirements

  Table of Contents

  Glossary

  Index

Each site has unique security requirements. Some sites require only limited measures because they are able to tolerate some forms of unauthorized access with little adverse effect. At the other extreme are those sites that cannot tolerate even the slightest probing, such as strategic military defense centers. In between are many commercial sites, such as banks.

While there are many considerations in determining your security needs, the questions in Table 1-1 “Event Tolerance as a Measure of Security Requirements” can get you started. Your answers can help determine the levels of your security needs. Also refer to “Site Security Policies” for a more specific example of site security requirements.

Table 1-1 Event Tolerance as a Measure of Security Requirements

Question: Could you tolerate the following event?Level of Security Requirements Based on Toleration Responses
 LowMediumHigh

A user knowing the images being executed on your system

YYN

A user knowing the names of another user's files

YYN

A user accessing the file of another user in the group

YYN

An outsider knowing the name of the system just dialed into

YYN

A user copying files of other users

YNN

A user reading another user's electronic mail

YNN

A user writing data into another user's file

YNN

A user deleting another user's file

YNN

A user being able to read sections of a disk that might contain various old files

YNN

A user consuming machine time and resources to perform unrelated or unauthorized work, possibly even playing games

YNN
 

If you can tolerate most of the events listed, your security requirements are quite low. If your answers are mixed, your requirements are in the medium to high range. Generally, those sites that are most intolerant to the listed events have very high levels of security requirements.

When you review your site's security needs, do not confuse a weakness in site operations or recovery procedures as a security problem. Ensure that your operations policies are effective and consistent before evaluating your system security requirements.