Guidelines on Securing Public Web Servers
Standardized Configurations

Organizations should develop standardized secure configurations for widely used operating systems and applications. This will provide guidance to Web and network administrators on how to securely configure their systems and ensure consistency and compliance with the organizational security policy. Because it only takes one insecurely configured host to compromise a network, organizations with a significant number of hosts are especially encouraged to apply this recommendation.
Security Awareness and Training

A security training program is critical to the overall security posture of an organization. Making users and administrators aware of their security responsibilities and teaching the correct practices helps them change their behavior to conform to security best practices. Training also supports individual accountability, which is an important method for improving information system security.
Contingency Planning, Continuity of Operations and Disaster Recovery Planning

Contingency planning, continuity of operations planning and disaster recovery planning are plans set up in advance to allow an organization or facility to maintain operations in the event of a disruption. [9]
Certification and Accreditation

Certification in the context of information systems security means that a system has been analyzed as to how well it meets all of the security requirements of the organization. Accreditation occurs when the organization's management accepts that the system meets the organization's security requirements. [10]
3.4 System Security Plan

The objective of computer security planning is to protect information assets (i.e., information and information resources). [11]
Plans that adequately protect information assets require managers and information owners directly affected by and interested in the information and/or processing capabilities to be convinced that their information assets are adequately protected from loss, misuse, unauthorized access or modification, unavailability, or undetected activities.

The system security plan provides a basic overview of the security and privacy requirements of the subject system and the organization's plan for meeting those requirements. The system security plan is also perceived as a way of documenting the structured process of planning adequate, cost-effective security protection for a system. Consequently, the system security plan should reflect input from various managers with responsibilities concerning the system, including functional end users or information owners, system operations, and the system security manager.
[9] For more information see NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems (http://csrc.nist.gov/publications/).

[10] For more information on certification and accreditation see NIST Special Publication 800-37, Federal Guidelines for the Security Certification and Accreditation of Information Technology Systems (http://csrc.nist.gov/publications/).

[11] For more information on system security plans, see NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems (http://csrc.nist.gov/publications/, http://csrc.nist.gov/publications/nistpubs/index.html).