Site Security Policy Handbook Working Group (ssphwg)

CHARTER

Chairpersons:
  Paul Holbrook/CERT          ph@SEI.CMU.EDU
  Joyce K. Reynolds/USC-ISI   jkrey@ISI.EDU

Mailing lists:
  General discussion: ssphwg@cert.sei.cmu.edu
  To subscribe:       ssphwg-request@cert.sei.cmu.edu

Description of Working Group:

The Site Security Policy Handbook Working Group is chartered to create a handbook that will help sites develop their own site-specific policies and procedures to deal with computer security problems and their prevention.

Among the issues to be considered in this group are:

1. Establishing official site policy on computer security:

   o Define authorized access to computing resources.
   o Define what to do when local users violate the access policy.
   o Define what to do when local users violate the access policy of a remote site.
   o Define what to do when outsiders violate the access policy.
   o Define actions to take when unauthorized activity is suspected.

2. Establishing procedures to prevent security problems:

   o System security audits.
   o Account management procedures.
   o Password management procedures.
   o Configuration management procedures.

3. Establishing procedures to use when unauthorized activity occurs:

   o Developing lists of responsibilities and authorities: site management, system administrators, site security personnel, response teams.
   o Establishing contacts with investigative agencies.
   o Notification of site legal counsel.
   o Pre-defined actions on specific types of incidents (e.g., monitor activity, shut down system).
   o Developing notification lists (who is notified of what).

4. Establishing post-incident procedures:

   o Removing vulnerabilities.
   o Capturing lessons learned.
   o Upgrading policies and procedures.

Objectives and Milestones:

   o After the group is announced and interested people are on the list, Holbrook will distribute current ideas about the handbook and the outline.

   o First IETF Meeting (May 1990 - PSC): review, amend, and approve the charter as necessary. Examine the particular customer needs for a handbook and define the scope. Continue work on an outline for the handbook. Set up an SSPHWG ``editorial board'' for future writing assignments for the first draft of the document.

   o Around the June USENIX in California: finalize the outline and organization of the handbook. Partition out pieces to interested parties and SSPHWG editorial board members.

   o Second IETF Meeting (August 1990 - UBC): in the early August 1990 timeframe, pull together a first draft handbook for working group review and modification.

   o In the October 1990 timeframe, finalize the draft handbook and initiate the IETF Internet Draft review process, to be followed by submission of the handbook to the RFC Editor for publication.