Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!sun-barr!lll-winken!arisia!sgi!shinobu!odin!odin.sgi.com!hargrove
From: hargrove@harlie.corp.sgi.com (Mark Hargrove)
Newsgroups: comp.infosystems
Subject: Data Security Policy
Message-ID:
Date: 29 Dec 89 09:33:31 GMT
Sender: news@odin.SGI.COM
Distribution: comp
Organization: Silicon Graphics, Inc., Mtn. View, CA
Lines: 26

We are struggling with the problem of forming a reasonable corporate data security policy within our company. What kinds of policies do others have? (I'm referring specifically to I/S related data.)

Several sorts of issues emerge:

- What kind of security doctrine is appropriate? The so-called "need-to-know" doctrine seems offensive to me; is there an alternate doctrine?

- How do you decide *what* to protect? How do you decide whom to trust?

- We have a large issue over the notion of "downloading" data from the VAX mid-frames to our desktop environment (Macs, PCs, workstations). The issue: the security "envelope" is lost once data moves off of the VAX. Is there really a distinction between data on a Mac/PC and a printed report?

- How much effort should be placed on reviewing new applications programs for "proper" security/audit trail code? Should there be a dedicated person/group to perform this function?

- How big does a data center need to be (by any measure) before a full-time security manager is required?

Thoughts and comments on any of these issues would be greatly appreciated.