Recommendations

There are numerous threats that could cause you and your site problems. Some of these are related to Grid infrastructure and some are not. We have identified a number of recommendations that you can implement at sites to help reduce the risks from these threats. You can either browse the list below, or concentrate on the top 12 recommendations to Grid sites.

If you would like to comment or feedback on any of the recommendations concerning you or your community please feel free to contact us.

List of all recommendations

Recommendations	Technical	Administrative	Educational
R0 : Perform a Site security risk assessment		√
R1 : Create and review your information security policy		√
R2 : Allocate information security responsibilities		√
R3 : Establish confidentiality and exchange agreements and procedures		√
R4 : Maintain contacts with special interest groups	√		√
R5 : Record ownership and responsibility for assets	√	√
R6 : Define acceptable use for assets		√
R7 : Establish information classification guidelines		√
R8 : Encourage information security awareness, education and training			√
R9 : Provide physical protection, guidelines and procedures	√	√	√
R10 : Protect equipment from disruptions in supporting utilities	√	√
R11 : Assure secure disposal or re-use of equipment and media	√	√
R12 : Document your operating procedures	√		√
R13 : Manage changes to information processing facilities and systems	√	√
R14 : Separate your development, test, and operational facilities	√	√
R15 : Implement capacity management	√
R16 : Install and regularly update malicious code detection and repair software for example anti-virus	√		√
R17 : Control the execution of mobile code	√		√
R18 : Establish backup and restore policies and procedures	√	√	√
R19 : Implement intrusion detection and prevention mechanisms including firewalls	√
R20 : Control access to your network and network services	√
R21 : Ensure resiliency of important services and information	√
R22 : Improve user awareness and security for e-mail communications	√		√
R23 : Enable audit logging of user activities, exceptions and security events	√	√
R24 : Ensure protection of log information	√	√
R25 : Establish access control policies and procedures based on security requirements	√	√
R26 : Restrict and control the allocation of privileges	√	√
R27 : Implement a formal management process for password allocation	√	√
R28 : Enforce good practices in the selection and use of passwords		√	√
R29 : Ensure that unattended equipment is appropriately protected	√
R30 : Adopt appropriate security measures for remote and mobile computing	√	√
R31 : Establish training and guidelines for secure programming	√		√
R32 : Establish a formal application integration/qualification process		√
R33 : Implement automated patch management	√	√
R34 : Harden the security of computer and network systems and services	√
R35 : Establish a procedure for reporting security events and weaknesses		√
R36 : Establish a CSIRT and incident response procedures		√
R37 : Implement procedures and tools to monitor for unauthorised activities	√
R38 : Ensure compliance with intellectual property rights requirements		√
R39 : Protect your confidential and sensitive data	√	√	√
R40 : Prevent misuse of information processing facilities		√
R41 : Centrally manage accounts	√	√
R42 : Centrally manage patches and system configurations	√	√
R43 : Provide integrated identity management	√	√
R44 : Ensure resources link to the people in charge of them	√	√
R45 : Define responsibilities using roles and groups	√	√	√
R46 : Restrict Intranet access to authorised devices	√
R47 : Restrict Internet access to authorised connections	√
R48 : Segregate networks dedicated to sensitive devices	√
R49 : Expand the use of application gateways	√
R50 : Strengthen authentication and authorization	√
R51 : Increase the use of security and vulnerability assessment tools	√
R52 : Adapt incident detection to high speed networks (10Gbps)	√
R53 : Strengthen and promote network monitoring tools	√
R54 : Enhance spam filter tools and mailing security	√
R55 : Review and enforce existing security policies		√	√
R56 : Adapt training to requirements of users, developers and system administrators		√	√
R57 : Integrate security training and best practice into organisational structures		√	√
R58 : Maintain administrative procedures in step with evolving security needs		√
R59 : Enforce account policies and procedures		√
R60 : Regulate the use and coexistence of legacy Operation Systems	√	√
R61 : Segregate networks with different security policies	√	√	√
R62 : Define policies of rights and duties	√	√	√

Alternatively, you may wish to browse the recommendations based on your role:

Copyright (c) Members of the ISSeG Collaboration 2008	Top of page	Home page
	This is version 5.2 of the website - view release notes -view visitor statistics

	Training and Dissemination web site
	Integrated Site Security for Grids	A project co-funded by EU FP6 programme