Guidelines on Securing Public Web Servers
patches and fixes from the vendor or computer security incident response teams) or within the
organization (e.g., the Security Office).  The administrators are responsible for the following
activities associated with Web servers:

• Installing and configuring systems in compliance with the organizational security
policy(ies) and standard system/network configurations

• Maintaining systems in a secure manner, through frequent backups and timely application of
patches

• Monitoring system integrity, protection levels, and security-related events

• Following up on detected security anomalies associated with their information
system resources

• Conducting security tests as required.
3.3 Management Practices
Appropriate management practices are the most critical to operating and maintaining a secure 
Web server.  Security practices entail the identification of an organization's information 
system assets and the development, documentation, and implementation of policies, standards, 
procedures and guidelines that ensure confidentiality, integrity, and availability of information 
system resources.    
To ensure the security of a Web server and the support network infrastructure, the following 
practices should be implemented: 
• Organizational Information System Security Policy.  A security policy should
outline who in the organization is responsible for particular areas of information
security (e.g., implementation, enforcement, audit, review).  The policy should also
specify what the basic information system security policies are and their intended
internal purpose.  The policy must be enforced consistently throughout the
organization in order to be effective.  Generally, the CIO and upper management are
responsible for drafting the organization's security policy.

• Configuration/Change Control and Management.  This is the process of controlling
modification to a system's design, hardware, firmware, and software, which provides
sufficient assurance that the system is protected against the introduction of an improper
modification prior to, during, and after system implementation.  Configuration control
leads to consistency with the organization's information system security policy.
Configuration control is traditionally overseen by a configuration control board that is
the final authority on all proposed changes to an information system.

• Risk Assessment and Management.  Risk assessment is the process of analyzing
and interpreting risk.  It involves determining the assessment's scope and
methodology, collecting and analyzing risk-related data, and interpreting the risk
analysis results.  Collecting and analyzing risk data requires identifying assets, threats,
vulnerabilities, safeguards, consequences, and the probability of a successful attack.
Risk management is the process of selecting and implementing controls to reduce
risk to a level acceptable to the organization.