This document has the following objectives:

1. To briefly discuss threat & risk analysis.
2. To outline the ingredients necessary to define a security policy and to provide a framework (based on standards such as ITSEC and TCSEC) for deciding how tightly systems need to be secured.
3. To outline (sample) policies, processes, structure and responsibilities required in a security organisation.
4. To present current security mechanisms.
5. To briefly present physical security (concerning IT systems).
6. To provide a detailed list of technical guidelines for
* operating systems, applications and networks used in client/server systems. For the moment this report concentrates on Client/Server and Internet systems: NT, FW, Win95, OLTP, Oracle, Sybase, Sun UNIX, Firewalls, WWW/Java and TCP/IP Networks.
* Auditing checklists and "quick overviews" are provided for several types of systems
* DEC, SGI, AIX and HP systems are only partially covered in this document. They need to be covered in more detail (especially for the comparison in the Operating Systems Overview Chapter).
* It is not intended that this document cover VAX , Mainframe, Novell or Macintosh systems.

A detailed list of Security Information resources (such as CERT, FIRST, TCSEC and ITSEC) are listed in the Appendix, along with sample scripts and programs.

Intended Audience:

This document is intended for line managers (chapters 1-4, 6), computer users (chapters 1, 2, 6.2 User Policy), system administrators, security administrators (chapters 7-22) and technical project leaders (chapters 1-7, 15).