Concepts

To effectively create a security policy and plan security measures for your system, you need to understand the following security concepts, some of which are general concepts and some of which are specific to the hardware type.

A small system might have three to five users and a large system might have several thousand users. Some installations have all their workstations in a single, relatively secure area. Others have widely distributed users, including users who connect by dialing in and indirect users connected through personal computers or system networks. Security on this system is flexible enough to meet the requirements of this wide range of users and situations. You need to understand the features and options available so that you can adapt them to your own security requirements. This topic provides an overview of the security features on the system.

System security has three important objectives:

Confidentiality:
  • Protecting against disclosing information to unauthorized people.
  • Restricting access to confidential information.
  • Protecting against curious system users and outsiders.
Integrity:
  • Protecting against unauthorized changes to data.
  • Restricting manipulation of data to authorized programs.
  • Providing assurance that data is trustworthy.
Availability:
  • Preventing accidental changes or destruction of data.
  • Protecting against attempts by outsiders to abuse or destroy system resources.

System security is often associated with external threats, such as hackers or business rivals. However, protection against system accidents by authorized system users is often the greatest benefit of a well-designed security system. In a system without good security features, pressing the wrong key might result in deleting important information. System security can prevent this type of accident.

The best security system functions cannot produce good results without good planning. Security that is set up in small pieces, without planning, can be confusing. It is difficult to maintain and to audit. Planning does not imply designing the security for every file, program, and device in advance. It does imply establishing an overall approach to security on the system and communicating that approach to application designers, programmers, and system users.

As you plan security on your system and decide how much security you need, consider these questions:
  • Is there a company policy or standard that requires a certain level of security?
  • Do the company auditors require some level of security?
  • How important is your system and the data on it to your business?
  • How important is the error protection provided by the security features?
  • What are your company security requirements for the future?

To facilitate installation, many of the security capabilities on your system are not activated when your system is shipped. Recommendations are provided in this topic to bring your system to a reasonable level of security. Consider the security requirements of your own installation as you evaluate the recommendations.