SECURING
Every organization should have a security team that is responsible for building, implementing, and managing the security infrastructure.
About this task
The team provides central security focus, so that everyone is looking at the problems and solutions in the same way. However, departments in your organization also need to be involved in developing the questions and the answers for implementation of your Domino® security system.
Parent topic: Overview of Domino security
Getting started
You need to develop a set of security documentation for your organization. There are four basic types of security documents needed for any security implementation:
Most companies will have a matrix of responsibility similar to the one described in the following table:
Table 1. Matrix of responsibility
Leveraging end users
Your users are a critical part of your security implementation. You should communicate to them the importance of your security planning efforts, as well as security guidelines and standards that you develop. Technology alone cannot keep your organization secure. Your users are as important as any firewall or certificate authority in ensuring the success of your security infrastructure.
One way to involve users in security planning is to conduct a survey to determine the level of enterprise security that users expect, as well as the assets they feel should be protected. An anonymous survey is a good way to discover security issues that users may not be willing to express openly.
Note: The most respected and commonly used standard source for security policies and procedures is the ISO17799 standard. The National Institute for Standards and Technology has multiple guidelines for developing security policies, standards, and procedures, including information about ISO I7799.
The core team
Procedure
Once the framework is built, implement the core security team, which should include the following people:
Server administrators
Server administrators are responsible for managing the overall health and well-being of Domino servers. A major responsibility of a server administrator includes defining and managing server access lists and server restrictions, both for Notes clients and Web users. In large organizations, administration duties may be delegated among several server administrators. In small organizations, a server administrator might serve as the Domino certification administrator and the database manager for system databases, such as the Domino Directory and the log file (LOG.NSF). A server administrator might also be responsible for creating and maintaining File Protection documents for HTTP access and implementing other Web-related security measures.
It is a best practice to separate Domino server administration from operating system server administration, if your organization's IT structure allows this.
You can define several levels of administrator for your organization, depending on the access required to various administration resources. For example, you can set up an administrator for remote console access only, or for system administration access only. These levels of administrative access are defined in the Server document on the Domino server.
Database managers
Database managers are responsible for one or more Notes databases or database applications. A major responsibility of a database manager includes managing database access control lists (ACLs). Some organizations will use the concept of a database owner for management of sensitive data.
Certificate authority administrators
Certificate authority administrators create and manage Domino certification authorities. They have access to all certifier ID files. For the server-based certification authority, CA administrators can delegate user registration and certificate approval to registration authorities. Otherwise, they are responsible for approving and issuing Internet server and client certificates. Since certification is the cornerstone of Notes and Domino security, delegate responsibility for it with the utmost care.
Registration authority administrators
The registration authority role is unique to the server-based certification authority. A registration authority can administer a Domino CA by registering new Notes users and Domino servers without requiring access to the certifier ID and password. Registration authorities can also recertifiy users and, for Internet certifiers, approve client certificate requests and revoke certificates.
Related concepts Domino server-based certification authority Administering a Domino CA
Related tasks Restricting administrator access