Guidelines on Securing Public Web Servers
security system and the management of risk for a system. The types of control
measures shall be consistent with the need for protection of the system.[14]
Operational Controls
This section addresses security methods that focus on
mechanisms that primarily are implemented and executed by people (as opposed to
systems). These controls are put in place to improve the security of a particular
system (or group of systems). They often require technical or specialized expertise
and often rely upon management activities as well as technical controls. This section
describes the operational control measures (in place or planned) that are intended to
meet the protection requirements of the information system.
Technical Controls
Technical controls focus on security controls that the computer
system executes. The controls can provide automated protection from unauthorized
access or misuse, facilitate detection of security violations, and support security
requirements for applications and data. The implementation of technical controls,
however, always requires significant operational considerations and should be
consistent with the management of security within the organization. This section
describes the technical control measures (in place or planned) that are intended to
meet the protection requirements of the major application.
3.5 Human Resources for Securing a Web Server
The greatest challenge and expense in developing and securely maintaining a public Web
presence is providing the necessary human resources to adequately perform the required
functions. Many organizations fail to fully realize the amount of expense and skills required to
field a secure public Web server. This failure often results in overworked employees and
insecure systems. From the initial planning stages, an organization needs to determine the
necessary human resource requirements. Appropriate and sufficient human resources are the
single most important aspect of Web server security. Organizations should also consider the
fact that in general technical solutions do NOT substitute for skilled and experienced
personnel.
When considering the human resource implications of developing and deploying a Web
server, organizations should consider the following:
Required Personnel
What types of personnel are going to be required? This would
include such positions as system and Web administrators, Webmasters, network
administrators, ISSOs (information system security officers), etc.
Required Skills
What are the required skills to adequately plan, develop and
maintain the Web server in a secure manner? Examples would include operating
system administration, network administration, active content expertise,
programming, etc.
Available Personnel
What are the available human resources within the
organization? In addition, what are their current skill sets and are they sufficient for
[14] For more detail on management controls, see NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook.