The Domino® security team
Every organization should have a security team that is responsible for building, implementing, and managing the security infrastructure.
Getting started
About this task
You need to develop a set of security documentation for your organization. There are four basic types of security documents needed for any security implementation:
- Policies are the driving documents for the business. These are typically high-level statements about the security needs of the business. Your organization probably already has policy documents for the organization as a whole. You build and, if necessary, expand on these to develop the security policies for your Domino® environment.
- Guidelines provide overall guidance on how to support and maintain security in the enterprise.
- Standards are established rules on what will and will not happen in an enterprise. Audits may cover all four types of documents, but the auditor will focus mainly on the standards set down by a company. Standards typically cover things like minimum password strength, password expiration intervals, server operating systems and physical environments, Internet and dial-in access controls, background checks for administrators, and auditing requirements.
- Procedures typically include specific steps on how to implement security within an enterprise. This will be the bulk of your Domino® security documentation, covering everything from how to control Domino® and X.509 certifiers to what to do when users have forgotten their Notes® or Internet passwords to what steps to take when an employee leaves an organization. Procedures are developed after the security framework is in place.
The Domino® security team is responsible for initial direction, feedback, and auditing of these documents. The team must include representatives from each department within the enterprise. With this approach, the security documents created will meet the needs of the entire company. This has the added benefit of creating buy-in from the participating departments.
Most companies will have a matrix of responsibility similar to the one described in the following table:
| Role | Responsibility |
|---|---|
| CEO | The CEO needs to be a virtual member of the team. Security must flow from both the top-down and the bottom-up. |
| CIO / CTO | All technology officers need to be members of the team. It is appropriate for these members to delegate their role to someone else, as long as the delegate has the authority to make decisions. |
| Security officer | This person will be the driver of security in the organization. |
| Representatives from each functional department | These representatives specify business needs and requirements. They must have decision-making authority. |
| Accounting | They will provide the information for risk analysis. |
| IT Department | These team members can translate business needs and requirements into technology. |
| HR / Training | HR needs to assist with user training. HR is also involved with background checks, privacy of personal information, and termination policies and procedures. |
| Legal | These team members provide information on the legal implications of anything to do with employees, risk management, or publication of information. |
| Documentation experts / technical writers | This group creates and edits the documents. |
| Incident Response Team | This team will handle incidents that are not covered by implemented security practices. |
| Communication specialists | Communication to the end users about security is critical. |
| Domino® administrators | Provide expertise on the Domino® computing environment. |
Leveraging end users
About this task
Your users are a critical part of your security implementation. You should communicate to them the importance of your security planning efforts, as well as security guidelines and standards that you develop. Technology alone cannot keep your organization secure. Your users are as important as any firewall or certificate authority in ensuring the success of your security infrastructure.
One way to involve users in security planning is to conduct a survey to determine the level of enterprise security that users expect, as well as the assets they feel should be protected. An anonymous survey is a good way to discover security issues that users may not be willing to express openly.
The core team
Server administrators
About this task
Server administrators are responsible for managing the overall health and well-being of Domino® servers. A major responsibility of a server administrator is defining and managing server access lists and server restrictions, both for Notes® clients and Web users. In large organizations, administration duties may be delegated among several server administrators. In small organizations, a server administrator might serve as the Domino® certification administrator and the database manager for system databases, such as the Domino® Directory and the log file (LOG.NSF). A server administrator might also be responsible for creating and maintaining File Protection documents for HTTP access and implementing other Web-related security measures.
It is a best practice to separate Domino® server administration from operating system server administration, if your organization's IT structure allows this.
You can define several levels of administrator for your organization, depending on the access required to various administration resources. For example, you can set up an administrator for remote console access only, or for system administration access only. These levels of administrative access are defined in the Server document on the Domino® server.