topic Re: Security guide for OpenVMS in Operating System - OpenVMS

Security guide for OpenVMS

Wim Van den Wyngaert — Tue, 06 Nov 2007 02:33:41 GMT

For SOX, we need to write a security guide.
We have a template from the Unix platform.

Does any one have a guide that he can/may post or mail to myname@ing.be(myname : . after first name, use a - to replace the blanks in my last name).

Subjects :
Security model in short.
Network access regulations (all protocols, secices and additional secured services).
User creation, ...

Wim

Re: Security guide for OpenVMS

Jon Pinkley — Tue, 06 Nov 2007 14:21:32 GMT

Bruce Claremont of Migration Specialties Inc. has some stuff over at www.openvms.org you may be interested in looking at.

In the featured articles section you will find "Using OpenVMS to Meet a Sarbanes-Oxley Mandate" which has two parts.

A related article "Adventures in Consulting: OpenVMS System Login Parameters Sheet for Site Security Manual" has some useful info as well.

http://www.openvms.org/stories.php?story=06/07/14/4624233

Re: Security guide for OpenVMS

Hoff — Tue, 06 Nov 2007 20:01:57 GMT

Pointers to US Federal Guidelines for OpenVMS and other security- and OpenVMS-related are in the http://64.223.189.234/node/43 OpenVMS Security Checklist article.

Re: Security guide for OpenVMS

Colin Butcher — Wed, 07 Nov 2007 05:15:58 GMT

Hello Wim,

Such security policy documents tend to be very site and environment specific if they're going to be of real value. Sure, there are general principles that you can apply, but creating that kind of policy document requires a reasonable understanding of the way the business functions as well as how it makes use of the various systems and processes.

I suspect you'll just have to do the necessary work yourslves, or if you don't have the internal resources or abilities then you'll have to bring someone in to help you do it. Hoping to borrow and plagiarise someone else's security policy documents would probably be just as much work and may well not succeeed as well as creating your own in the first place. I'm also not sure that many other companies would be willing to share that level of knowledge about their systems with you.

Cheers, Colin (http://www.xdelta.co.uk).

Re: Security guide for OpenVMS

Robert Gezelter — Wed, 07 Nov 2007 05:48:33 GMT

Wim,

Having worked on many security guidelines of many types over the years, I must echo Colin's comments.

The "OpenVMS Guide to System Security" is a good place to start, insofar as the capabilities of what CAN be done.

The US Federal guidelines (referenced by Hoff, if I recall correctly) are also quite useful, in terms of what is considered appropriate in the US Federal context with the capabilities described in the Guide to System Security.

The UNIX template from your firm is also useful, in that it will give you an example of what your firm's management structure has already had blessed (or is in the process of "blessing").

If I were preparing an OpenVMS set of guidelines, I would use the firm-specific UNIX guidelines as a rough guide (the actual policy documents that they are based upon would be far more useful, and for that matter, appropriate).

However, I would be careful about facets of the UNIX policies that are peculiar to UNIX, as well as OpenVMS areas that do not exist in the UNIX space, for these are the areas where there will, of necessity, be differences.

It is hard to speak of these in the generic sense, since almost every one has been different, in one aspect or another.

- Bob Gezelter, http://www.rlgsc.com

Re: Security guide for OpenVMS

Wim Van den Wyngaert — Wed, 14 Nov 2007 04:12:21 GMT

Not what I was looking for but a very intresting document.
http://www.ncms-emeraldcoast.org/securemyis/download/SEC-W-0024-OpenVMS.doc

Wim