Defining your security policy

Each installation should have its own unique policies. These policies should be documented in a security plan. Security officers should periodically review their corporate security policy and their current key management system.

The security plan might include these areas:
  • General
    • How many security officers does your organization have?
    • How often is the master key changed?
    • Who is authorized to enter master key parts?
    • Do the key parts you enter from the keyboard need to be masked?
    • Who has access to the secure computer facility?
    • What are the policies for working with service representatives?
    • Will you be using smart card support?
  • Workstation Considerations
    • Who will use the TKE workstation?
    • Where will your workstation be located?
    • Is it only accessible to the security administrators or security officers?
    • How many workstations will there be?
    • Will you use group logon?
    • Who will back up the workstations?
    • Where will the passwords of the security officers be saved?
  • Command Considerations
    • Which commands require multiple signatures?
    • Which crypto modules should be grouped together?
    • How many signatures will be required?
    • Will this affect the availability of the system?
    • Which commands require a single signature?
    • Who will make these decisions?