Minimum Security Standards

By phate5180
I've been asked to compile a list of minimum security standards and to reference what document they came from. I've used NIST-IR 5153 and looked at other publications like FIPS 199 and others. So far I have only managed to find a few policies regarding password length and related topics. There must be a detailed list somewhere where minimum security standards are stated. Can anyone point me in the right direction ASAP? Thanks.

by CG IT In reply to Minimum Security Standard ...

That's quite a broad topic. Computer security has gotten very segmented over the last 10 years, ranging from securing TCP/IP internet communications to securing workstations on internal networks. There are a multitude of books and reference materials available on topics ranging from Intrusion Detection Systems, Firewall Protection, Web Server hardening, Domain Controller Hardening, Database Server Hardening, Email Server Hardening, Domain-level security, Active Directory, Folder security, ad nauseam. The list is long.

I found the Windows 2000 Security Handbook from the Network Professional's Library, written by Philip Cox and Tom Sheldon, to be a very well-rounded, one-book reference source for a Windows-based network. It gives base concepts for securing Windows-based networks across the broad spectrum of network security.

by CG IT In reply to

Side notes: Philip Cox is a consultant with SystemExperts Corporation and has written many articles dealing with security in such magazines as the USENIX Association Mag and SANS NT Digest. Tom Sheldon has written 30 books on designing networks, and articles of his have been included in PC World Mag, PC Mag, Byte Mag, and Windows & .Net Mag. Other contributing authors are Dallas Bishoff, Security Consultant, who has a list of certifications a mile long, most notably Instructor-Certified RSA Instructor and SecurID Support Engineer, National Security Agency INFOSEC; and David Bork, also with Philip Cox at SystemExperts Corp [won't list his stuff as it's way too long, but he's responsible for AT&T's CP and CPS PKI]. Last but not least, a contributing author is Paul Hill, Senior Programmer and Co-Team Lead of the Kerberos Development Team at MIT.

by mlayton In reply to Minimum Security Standard ...

SANS has some good step-by-step guides on a variety of systems; you may want to try there.

by Tocolote In reply to Minimum Security Standard ...

NIST 800-24 has some rules for userids, passwords, and other basic security requirements. The document is for a PBX but the same rules should apply for a network.

by howard_nyc In reply to Minimum Security Standard ...

Funny you should mention this... I am in the process of writing a procedure-oriented reference guide on security and related policies...

One of the best things to do is inventory the asset categories at your site.... note I said categories, not the specific items...

A partial Asset Category list would include:
Account ID (Application)
Account ID (Network)
Application (COTS-Client)
Application (COTS-Server)
Application (Custom-Built)
Application (Suites/Packages)
Application (UNKNOWN)
BCP (and Materials)
Business Process
Business Service
Corporate Staff
Desktop Computer
Development Tool
DRP (and Materials)
Floor Plan
Intrusion Detection
IP Address
IT Staff
Key Business Process
Lease Agreement
Maintenance Agreement
Service Agreement
Web Site (External)
Web Site (Internal)
Web Site (Prototypes)

This will focus you on what you have and what you need to do in which order... some things can either wait or be passed off to the subject matter expert (SME), such as the Legal department for contracts 'n such...

For instance, I have assembled a list of 87 asset categories that I use when writing DRP/BCP documents... not everything applies everywhere, but at the very least I checked that nothing was overlooked...
