• New security policies, security architectures, and control mechanisms should evolve to accommodate this new technology; they should not change in principle or design.
Continue to use risk management methodologies as a baseline for deciding how many of the new Internet, intranet, and WWW technologies to use and how to integrate them into the existing Information Security Distributed Architecture. As always, ensure that the optimum balance between access to information and protection of information is achieved during all phases of the development, integration, implementation, and operational support life cycle.
INTERNET AND WWW SECURITY POLICIES AND PROCEDURES
Having said all of this, it is clear that we need new and different policies or, at a minimum, an enhancement or refreshing of the current policies that support more traditional means of sharing, accessing, storing, and transmitting information. In general, high-level security philosophies, policies, and procedures should not change. In other words, who is responsible for what (the fundamental purpose of most high-level security policies) does not change. These policies are fundamentally directed at corporate management; process, application, and system owners; functional area management; and those tasked with the implementation and support of the overall IT environment. There should be minimal changes to these policies, perhaps only the addition of Internet and WWW terminology.
Other high-level corporate policies must also be modified, such as those covering the use of corporate assets, responsibility for sharing and protecting corporate information, etc. The second-level corporate policies, usually more procedure oriented and typically addressing more of the "how," should be more closely scrutinized and may change the most when addressing the use of the Internet, intranet, and Web technologies for corporate business purposes. New classifications and categories of information may need to be established, along with new labeling mechanisms denoting a category of information that cannot be displayed on the Internet, or new meanings for "all allow" or "public" data. The term "public," for instance, when used internally, usually means anyone authorized to use internal systems. In most companies, access to internal networks, computing systems, and information is severely restricted, so "public" would not mean unauthorized users, and certainly not any user on the Internet.
Candidate lower-level policies and procedures for update to accommodate the Internet and WWW include external connectivity, network security, transmission of data, use of electronic commerce, sourcing and procurement, electronic mail, nonemployee use of corporate information and electronic systems, access to information, appropriate use of electronic systems, use of corporate assets, etc.