Defining your security policy
Each installation should have its own unique policies. These policies should be documented in a security plan. Security officers should periodically review their corporate security policy and their current key management system.
The security plan might include these areas:
- General
  - How many security officers does your organization have?
  - How often is the master key changed?
  - Who is authorized to enter master key parts?
  - Do the key parts you enter from the keyboard need to be masked?
  - Who has access to the secure computer facility?
  - What are the policies for working with service representatives?
  - Will you be using smart card support?
- Workstation Considerations
  - Who will use the TKE workstation?
  - Where will your workstation be located?
  - Is it accessible only to the security administrators or security officers?
  - How many workstations will there be?
  - Will you use group logon?
  - Who will back up the workstations?
  - Where will the passwords of the security officers be saved?
- Command Considerations
  - Which commands require multiple signatures?
  - Which crypto modules should be grouped together?
  - How many signatures will be required?
  - Will this affect the availability of the system?
  - Which commands require a single signature?
  - Who will make these decisions?