SECURING


The Domino security team

Every organization should have a security team that is responsible for building, implementing, and managing the security infrastructure.

About this task

The team provides central security focus, so that everyone is looking at the problems and solutions in the same way. However, departments in your organization also need to be involved in developing the questions and the answers for implementation of your Domino® security system.

Parent topic: Overview of Domino security

Getting started

About this task

You need to develop a set of security documentation for your organization. There are four basic types of security documents needed for any security implementation:


The Domino security team is responsible for initial direction, feedback, and auditing of these documents. The team must include representatives from each department within the enterprise. With this approach, the security documents created will meet the needs of the entire company. This has the added benefit of creating buy-in from the participating departments.

Most companies will have a matrix of responsibility similar to the one described in the following table:

Table 1. Matrix of responsibility
RoleResponsibility
CEO The CEO needs to be a virtual member of the team. Security must flow from both the top-down and the bottom-up.
CIO / CTO All technology officers need to be members of the team. It is appropriate for these members to delegate their role to someone else, as long as the delegate has the authority to make decisions.
Security officerThis person will be the driver of security in the organization.
Representatives from each functional departmentThese representatives specify business needs and requirements. They must have decision-making authority.
AccountingThey will provide the information for risk analysis.
IT DepartmentThese team members can translate business needs and requirements into technology.
HR / TrainingHR needs to assist with user training. HR is also involved with background checks, privacy of personal information, and termination policies and procedures.
LegalThese team members provide information on the legal implications of anything to do with employees, risk management, or publication of information.
Documentation experts/ technical writersThis group creates and edits the documents.
Incident Response TeamThis team will handle incidents that are not covered by implemented security practices.
Communication specialistsCommunication to the end users about security is critical.
Domino administratorsProvide expertise on the Domino computing environment.

Leveraging end users

About this task

Your users are a critical part of your security implementation. You should communicate to them the importance of your security planning efforts, as well as security guidelines and standards that you develop. Technology alone cannot keep your organization secure. Your users are as important as any firewall or certificate authority in ensuring the success of your security infrastructure.

One way to involve users in security planning is to conduct a survey to determine the level of enterprise security that users expect, as well as the assets they feel should be protected. An anonymous survey is a good way to discover security issues that users may not be willing to express openly.

Note: The most respected and commonly used standard source for security policies and procedures is the ISO17799 standard. The National Institute for Standards and Technology has multiple guidelines for developing security policies, standards, and procedures, including information about ISO I7799.

The core team

Procedure

Once the framework is built, implement the core security team, which should include the following people:

Server administrators

About this task

Server administrators are responsible for managing the overall health and well-being of Domino servers. A major responsibility of a server administrator includes defining and managing server access lists and server restrictions, both for Notes clients and Web users. In large organizations, administration duties may be delegated among several server administrators. In small organizations, a server administrator might serve as the Domino certification administrator and the database manager for system databases, such as the Domino Directory and the log file (LOG.NSF). A server administrator might also be responsible for creating and maintaining File Protection documents for HTTP access and implementing other Web-related security measures.

It is a best practice to separate Domino server administration from operating system server administration, if your organization's IT structure allows this.

You can define several levels of administrator for your organization, depending on the access required to various administration resources. For example, you can set up an administrator for remote console access only, or for system administration access only. These levels of administrative access are defined in the Server document on the Domino server.

Database managers

Procedure

Database managers are responsible for one or more Notes databases or database applications. A major responsibility of a database manager includes managing database access control lists (ACLs). Some organizations will use the concept of a database owner for management of sensitive data.

Certificate authority administrators

Procedure

Certificate authority administrators create and manage Domino certification authorities. They have access to all certifier ID files. For the server-based certification authority, CA administrators can delegate user registration and certificate approval to registration authorities. Otherwise, they are responsible for approving and issuing Internet server and client certificates. Since certification is the cornerstone of Notes and Domino security, delegate responsibility for it with the utmost care.

Registration authority administrators

Procedure

The registration authority role is unique to the server-based certification authority. A registration authority can administer a Domino CA by registering new Notes users and Domino servers without requiring access to the certifier ID and password. Registration authorities can also recertifiy users and, for Internet certifiers, approve client certificate requests and revoke certificates.

Related concepts
Domino server-based certification authority
Administering a Domino CA

Related tasks
Restricting administrator access