NCJ Number
123886
Journal
Computer Security Journal, Volume 5, Issue 2 (1990), Pages 65-73
Date Published
1990
Length
9 pages
Annotation
This paper describes policies and procedures that will assist management in deciding when to allow computer access and how to implement such connections in a secure manner.
Abstract
Inter-company networking includes an internal user (normally an employee) and an external user (one not employed by the company). Both legal and technical controls are needed to apply basic computer security when dealing with an external user. Appropriate legal agreements include contracts describing the work to be performed, confidential disclosure agreements if the data to be shared is proprietary, and loan agreements if terminals or other hardware are loaned to the external user. Technical control measures will vary from system to system depending on the type of processor, the operating system, and the application. All external connections must be registered with the site administrator and fully documented. Risk categories are defined as high, medium, and low. Controls and required management approval are proportional to the risk. If equipment is loaned to vendors or other external users, basic physical controls, such as motion detectors and alarm systems, should be required. A certification review, including business controls review, connection review, and technical review, should take place before each medium- or high-risk connection goes into service to further ensure security of access.