Every organization should have a security team that is responsible for building, implementing, and managing the security infrastructure.

About this task

The team provides central security focus, so that everyone is looking at the problems and solutions in the same way. However, departments in your organization also need to be involved in developing the questions and the answers for implementation of your Domino® security system.

Parent topic: Overview of Domino security

Getting started

About this task

You need to develop a set of security documentation for your organization. There are four basic types of security documents needed for any security implementation:

• Policies are the driving documents for the business. These are typically high level statements about the security needs of the business. Your organization probably already has policy documents for the organization as a whole. You build and, if necessary, expand on these to develop the security policies for your Domino environment.
• Guidelines provide overall guidance on how to support and maintain security in the enterprise.
• Standards are established rules on what will and will not happen in an enterprise. Audits may cover all four types of documents, but the auditor will really focus on the standards set down by a company. Standards typically cover things like minimum password strength, password expiration intervals, server operating systems and physical environments, Internet and dial-in access controls, background checks for administrators, and auditing requirements.
• Procedures typically include specific steps on how to implement security within an enterprise. This will be the bulk of your Domino security documentation, covering everything from how to control Domino and X.509 certifiers to what to do when users have forgotten their Notes® or Internet passwords to what steps to take when an employee leaves an organization. Procedures are developed after the security framework is in place.

Most companies will have a matrix of responsibility similar to the one described in the following table:

Table 1. Matrix of responsibility

Role	Responsibility
CEO	The CEO needs to be a virtual member of the team. Security must flow from both the top-down and the bottom-up.
CIO / CTO	All technology officers need to be members of the team. It is appropriate for these members to delegate their role to someone else, as long as the delegate has the authority to make decisions.
Security officer	This person will be the driver of security in the organization.
Representatives from each functional department	These representatives specify business needs and requirements. They must have decision-making authority.
Accounting	They will provide the information for risk analysis.
IT Department	These team members can translate business needs and requirements into technology.
HR / Training	HR needs to assist with user training. HR is also involved with background checks, privacy of personal information, and termination policies and procedures.
Legal	These team members provide information on the legal implications of anything to do with employees, risk management, or publication of information.
Documentation experts/ technical writers	This group creates and edits the documents.
Incident Response Team	This team will handle incidents that are not covered by implemented security practices.
Communication specialists	Communication to the end users about security is critical.
Domino administrators	Provide expertise on the Domino computing environment.

Leveraging end users

About this task

Your users are a critical part of your security implementation. You should communicate to them the importance of your security planning efforts, as well as security guidelines and standards that you develop. Technology alone cannot keep your organization secure. Your users are as important as any firewall or certificate authority in ensuring the success of your security infrastructure.

One way to involve users in security planning is to conduct a survey to determine the level of enterprise security that users expect, as well as the assets they feel should be protected. An anonymous survey is a good way to discover security issues that users may not be willing to express openly.

Note: The most respected and commonly used standard source for security policies and procedures is the ISO17799 standard. The National Institute for Standards and Technology has multiple guidelines for developing security policies, standards, and procedures, including information about ISO I7799.

The core team

Procedure

Once the framework is built, implement the core security team, which should include the following people:

Server administrators

About this task

Server administrators are responsible for managing the overall health and well-being of Domino servers. A major responsibility of a server administrator includes defining and managing server access lists and server restrictions, both for Notes clients and Web users. In large organizations, administration duties may be delegated among several server administrators. In small organizations, a server administrator might serve as the Domino certification administrator and the database manager for system databases, such as the Domino Directory and the log file (LOG.NSF). A server administrator might also be responsible for creating and maintaining File Protection documents for HTTP access and implementing other Web-related security measures.

It is a best practice to separate Domino server administration from operating system server administration, if your organization's IT structure allows this.

You can define several levels of administrator for your organization, depending on the access required to various administration resources. For example, you can set up an administrator for remote console access only, or for system administration access only. These levels of administrative access are defined in the Server document on the Domino server.

Database managers

Procedure

Database managers are responsible for one or more Notes databases or database applications. A major responsibility of a database manager includes managing database access control lists (ACLs). Some organizations will use the concept of a database owner for management of sensitive data.

Certificate authority administrators

Procedure

Certificate authority administrators create and manage Domino certification authorities. They have access to all certifier ID files. For the server-based certification authority, CA administrators can delegate user registration and certificate approval to registration authorities. Otherwise, they are responsible for approving and issuing Internet server and client certificates. Since certification is the cornerstone of Notes and Domino security, delegate responsibility for it with the utmost care.

Registration authority administrators

Procedure

The registration authority role is unique to the server-based certification authority. A registration authority can administer a Domino CA by registering new Notes users and Domino servers without requiring access to the certifier ID and password. Registration authorities can also recertifiy users and, for Internet certifiers, approve client certificate requests and revoke certificates.

Related concepts
Domino server-based certification authority
Administering a Domino CA

Related tasks
Restricting administrator access

Help on Help

All Help Contents

Help on Help