16.4 Getting Users Involved
In Chapter 7, we discussed the steps you can take to create and implement a security policy and security plan. When it comes to web site security, one of the steps you can take with the greatest payoff in security is to make your policies clear and available to your users. Here are some ways you can let visitors to your site know what you expect from them and what they can expect from you:
Create and post a security policy screen that each user must acknowledge each time they access your site
Force each user to sign an agreement to observe your security policy before they can get a logon to your site
Post information about the users' rights when accessing your web site
The policy you post should outline the rules you intend to enforce and the consequences to the user if the rules are broken.
16.4.1 Educating Users
If you post a policy, you will need to ensure that you can enforce that policy. For example, if your intranet policy says that there are sites or newsgroups your employees are not permitted to access, you will have to be able to monitor their activities to ensure that they are not accessing those sites. If you are going to audit user actions, you have an obligation to notify your users of that fact.
You should be sure that you are able to enforce any policies you post. In the case of an intranet, you should try to involve your users in helping you enforce policies. Show them what steps they can take to keep the system and their data safe. The more your site visitors know about what you expect:
The better they can comply with your security requests
The less likely they are to intentionally violate the rules
The more they can help you to protect the system
If you can show them the ramifications of having the system compromised (loss of data, and time lost while the system is unavailable), you might gain their support in helping to keep the system safe.
16.4.2 Enforcing Policies
As with any other form of computer security, you need to decide how you are going to enforce the policies you have defined to help ensure that your web site provides a safe place for users to conduct business with your company and a secure environment for your computers and databases.
Although you need to define internally the steps you are prepared to take to enforce your web site policy, you will not want to publicize these steps to the outside community. Publicly mapping out the steps you are taking to close a security hole may actually help outside intruders compromise your system.
16.4.3 Communicating with Other Sites
If you know and trust the people who administer the sites that are either physically or logically near yours, you might want to stay in contact with them to share information. For instance, if you are with the government, you might want to develop contacts with other government web site managers. Likewise, if you are with a university, staying in touch with other university web site managers might be of benefit to you. If another site suffers a break-in and the site administrator lets you know what happened and how, you will be better able to protect your own site from the same situation. However, sharing information can add an extra amount of risk. If your system is compromised, be careful just how much and what kind of information you pass on to other sites with which you are in contact. For example, using email to share information is not a good idea in this situation.
Although operating system intruder detection is beyond the scope of this book, we would like to call your attention to a wonderful intruder detection checklist supplied by CERT-CC (the Computer Engineering Response Team Coordination Center). You can access this list through CERT-CC's web site at http://www.cert.org or download it from ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist