The Domino® security team

Every organization should have a security team that is responsible for building, implementing, and managing the security infrastructure.

About this task

The team provides central security focus, so that everyone is looking at the problems and solutions in the same way. However, departments in your organization also need to be involved in developing the questions and the answers for implementation of your Domino® security system.

Getting started

About this task

You need to develop a set of security documentation for your organization. There are four basic types of security documents needed for any security implementation:

  • Policies are the driving documents for the business. These are typically high-level statements about the security needs of the business. Your organization probably already has policy documents for the organization as a whole. You build and, if necessary, expand on these to develop the security policies for your Domino® environment.
  • Guidelines provide overall guidance on how to support and maintain security in the enterprise.
  • Standards are established rules on what will and will not happen in an enterprise. Audits may cover all four types of documents, but the auditor will really focus on the standards set down by a company. Standards typically cover things like minimum password strength, password expiration intervals, server operating systems and physical environments, Internet and dial-in access controls, background checks for administrators, and auditing requirements.
  • Procedures typically include specific steps on how to implement security within an enterprise. This will be the bulk of your Domino® security documentation, covering everything from how to control Domino® and X.509 certifiers to what to do when users have forgotten their Notes® or Internet passwords to what steps to take when an employee leaves an organization. Procedures are developed after the security framework is in place.

The Domino® security team is responsible for initial direction, feedback, and auditing of these documents. The team must include representatives from each department within the enterprise. With this approach, the security documents created will meet the needs of the entire company. This has the added benefit of creating buy-in from the participating departments.

Most companies will have a matrix of responsibility similar to the one described in the following table:

Table 1. Matrix of responsibility

| Role | Responsibility |
|---|---|
| CEO | The CEO needs to be a virtual member of the team. Security must flow from both the top-down and the bottom-up. |
| CIO / CTO | All technology officers need to be members of the team. It is appropriate for these members to delegate their role to someone else, as long as the delegate has the authority to make decisions. |
| Security officer | This person will be the driver of security in the organization. |
| Representatives from each functional department | These representatives specify business needs and requirements. They must have decision-making authority. |
| Accounting | They will provide the information for risk analysis. |
| IT Department | These team members can translate business needs and requirements into technology. |
| HR / Training | HR needs to assist with user training. HR is also involved with background checks, privacy of personal information, and termination policies and procedures. |
| Legal | These team members provide information on the legal implications of anything to do with employees, risk management, or publication of information. |
| Documentation experts / technical writers | This group creates and edits the documents. |
| Incident Response Team | This team will handle incidents that are not covered by implemented security practices. |
| Communication specialists | Communication to the end users about security is critical. |
| Domino® administrators | Provide expertise on the Domino® computing environment. |

Leveraging end users

About this task

Your users are a critical part of your security implementation. You should communicate to them the importance of your security planning efforts, as well as security guidelines and standards that you develop. Technology alone cannot keep your organization secure. Your users are as important as any firewall or certificate authority in ensuring the success of your security infrastructure.

One way to involve users in security planning is to conduct a survey to determine the level of enterprise security that users expect, as well as the assets they feel should be protected. An anonymous survey is a good way to discover security issues that users may not be willing to express openly.

Note: The most respected and commonly used standard source for security policies and procedures is the ISO17799 standard. The National Institute for Standards and Technology has multiple guidelines for developing security policies, standards, and procedures, including information about ISO17799.

The core team

Procedure

Once the framework is built, implement the core security team, which should include the following people:

Server administrators

About this task

Server administrators are responsible for managing the overall health and well-being of Domino® servers. A major responsibility of a server administrator is defining and managing server access lists and server restrictions, both for Notes® clients and Web users. In large organizations, administration duties may be delegated among several server administrators. In small organizations, a server administrator might serve as the Domino® certification administrator and the database manager for system databases, such as the Domino® Directory and the log file (LOG.NSF). A server administrator might also be responsible for creating and maintaining File Protection documents for HTTP access and implementing other Web-related security measures.

It is a best practice to separate Domino® server administration from operating system server administration, if your organization's IT structure allows this.

You can define several levels of administrator for your organization, depending on the access required to various administration resources. For example, you can set up an administrator for remote console access only, or for system administration access only. These levels of administrative access are defined in the Server document on the Domino® server.

Database managers

Procedure

Database managers are responsible for one or more Notes® databases or database applications. A major responsibility of a database manager is managing database access control lists (ACLs). Some organizations will use the concept of a database owner for management of sensitive data.

Certificate authority administrators

Procedure

Certificate authority administrators create and manage Domino® certification authorities. They have access to all certifier ID files. For the server-based certification authority, CA administrators can delegate user registration and certificate approval to registration authorities. Otherwise, they are responsible for approving and issuing Internet server and client certificates. Since certification is the cornerstone of Notes® and Domino® security, delegate responsibility for it with the utmost care.

Registration authority administrators

Procedure

The registration authority role is unique to the server-based certification authority. A registration authority can administer a Domino® CA by registering new Notes® users and Domino® servers without requiring access to the certifier ID and password. Registration authorities can also recertify users and, for Internet certifiers, approve client certificate requests and revoke certificates.