A Survey of Key Concepts and Issues for Electronic Recordkeeping



Network Security

Best Practices

The following security guidelines address the entire Internet community, consisting of users, hosts, local, regional, domestic and international backbone networks, and vendors who supply operating systems, routers, network management tools, workstations and other network components.
  1. Users are individually responsible for understanding and respecting the security policies of the systems (computers and networks) they are using. Users are individually accountable for their own behavior.
  2. Users have a responsibility to employ available security mechanisms and procedures for protecting their own data. They also have a responsibility for assisting in the protection of the systems they use.
  3. Computer and network service providers are responsible for maintaining the security of the systems they operate. They are further responsible for notifying users of their security policies and any changes to these policies.
  4. Vendors and system developers are responsible for providing systems which are sound and which embody adequate security controls.
  5. Users, service providers, and hardware and software vendors are responsible for cooperating to provide security.
  6. Technical improvements in Internet security protocols should be sought on a continuing basis. At the same time, personnel developing new protocols, hardware or software for the Internet are expected to include security considerations as part of the design and development process.
Five areas should be addressed in improving local security:
  1. There must be a clear statement of the local security policy, and this policy must be communicated to the users and other relevant parties. The policy should be on file and available to users at all times, and should be communicated to users as part of providing access to the system.
  2. Adequate security controls must be implemented. At a minimum, this means controlling access to systems via passwords, instituting sound password management, and configuring the system to protect itself and the information within it.
  3. There must be a capability to monitor security compliance and respond to incidents involving violations of security. Logs of logins, attempted logins, and other security-relevant events are strongly advised, as are regular audits of these logs.
  4. Up-to-date security information is a prerequisite for sound decision-making, and this information must be actively sought on an ongoing basis. The CERT Coordination Center (http://www.cert.org) is an excellent source for information relating to security issues on the Internet.
  5. There must be an established chain of communication and control to handle security matters. A responsible person should be identified as the security contact. The means for reaching the security contact should be made known to all users and should be registered in public directories, and it should be easy for computer emergency response centers to find contact information at any time.
  6. Sites and networks which are notified of security incidents should respond in a timely and effective manner. In the case of penetrations or other violations, sites and networks should allocate resources and capabilities to identify the nature of the incident and limit the damage.