Each site has unique security requirements. Some sites requireonly limited measures because they are able to tolerate some formsof unauthorized access with little adverse effect. At the otherextreme are those sites that cannot tolerate even the slightestprobing, such as strategic military defense centers. In betweenare many commercial sites, such as banks.
While there are many considerations in determining your securityneeds, the questions in Event Tolerance as a Measure of Security Requirements can get you started. Your answers can help determine thelevels of your security needs. Also refer to Site Security Policies for a more specific example of site securityrequirements.
Table 1 Event Tolerance as a Measure of Security Requirements
Question: Could you tolerate thefollowing event?
Level of Security RequirementsBased on Toleration Responses
Low
Medium
High
A user knowingthe images being executed on your system
Y
Y
N
A user knowingthe names of another user's files
Y
Y
N
A user accessingthe file of another user in the group
Y
Y
N
An outsiderknowing the name of the system just dialed into
Y
Y
N
A user copyingfiles of other users
Y
N
N
A user readinganother user's electronic mail
Y
N
N
A user writingdata into another user's file
Y
N
N
A user deletinganother user's file
Y
N
N
A user beingable to read sections of a disk that might contain various old files
Y
N
N
A user consuming machine timeand resources to perform unrelated or unauthorized work, possiblyeven playing games
Y
N
N
If you can tolerate most of the events listed, your securityrequirements are quite low. If your answers are mixed, your requirementsare in the medium to high range. Generally, those sites that aremost intolerant to the listed events have very high levels of securityrequirements.
When you review your site's security needs, do not confusea weakness in site operations or recovery procedures as a securityproblem. Ensure that your operations policies are effective andconsistent before evaluating your system security requirements.