By: Steve Duell

Introduction

This document is intended to open a discussion on various Internet security topics related to ASIS Chapter websites and their activities. The primary security aspects of an ASIS Chapter website include:
This document will attempt to describe philosophies on Chapter website security and methodologies that will ensure the protection described above.

Philosophy

Security for a Chapter website needs to be helpful rather than a hindrance. In its purest form, a Chapter with only a single webpage needs to protect access to that webpage only for modification purposes, whereas access to the webpage for viewing should be open to everyone. One purpose of ASIS is mutual cooperation between security professionals. Closing a Chapter website to the general public would reduce public and professional awareness of ASIS. A Chapter website should encourage visitors to join ASIS and should give them a good idea of the benefits of membership. The casual visitor should learn enough to help them decide to join ASIS, and the site should provide a level of professional security information and techniques that is useful yet does not compromise intelligence issues.

Security Issues

Choosing which aspects need to be placed behind security protection means looking at what really needs to be protected.

Transition of Administration

The annual turnover of Chapter administration will always be the most active period for reporting and performing changes to the website's access and maintenance authorization. Because the date for this transition will be known well in advance, there will be ample time to gather and process the updates for the website.

Key Players

Webmaster
Committee Chairman
Treasurer
Chapter Chairman
Chapter Vice-Chairman
Recommendations
Which Content Should You Protect?
Based on the table above, we see that if the information is of a general nature, then we can make it available to the general public. However, if the information would reveal a member's confidential data or would release confidential security information to the public, then the content is protected from access by the general public.

Password Protected Subwebs

This is a wonderfully simple method for segregating and protecting confidential website content. Multiple subwebs can be used to create separate areas within the protected content. For instance, you could use one password-protected subweb for members-only website content and a second password-protected subweb for your Chapter's committee members only.

Rotating Passwords

There are a variety of occasions when it would be advisable to change one or more passwords. The following is a partial list of situations where a new password should be considered:
E-Commerce Transactions

By definition, e-commerce transactions are to be considered a security issue. A secured e-commerce transaction requires the following five components:
General Rules of Thumb

Don'ts
Do's
Robots

Robots are used by Internet search engines to look for web page content. These robots can also follow links on your web pages and record any email addresses that they come across. For enhanced security, insert one of the following code examples into your webpage, according to which is appropriate for that individual webpage's content. The line of code that you choose needs to be placed between the <head> and </head> tags.
It is strongly suggested that you use the first choice from the list above on web pages with confidential or sensitive information.

Content Security

"Loose lips sink ships" used to be the phrase that reminded us to be careful about what we were saying, since others might hear us and learn more than they should know. This same philosophy needs to be applied to Chapter website content. In public areas of the website, content should be informative but not revealing. In members-only areas of the website, outdated content should be removed as quickly as possible. For instance, the public area might describe public knowledge about local crime activity, whereas specific details about the crime would appear only in the members-only area, where they would be available only to security professionals who could assist in the capture.

Links away from the website

Hyperlinks that lead away from the Chapter website should be periodically investigated. Some of the destination web pages may have been removed, or their contents may have changed so that they are no longer relevant to the original reason for pointing to them. Hyperlinks pointing away from the Chapter website should never give the visitor the impression that the destination is part of the Chapter website. This can be achieved by making the destination appear in a new browser window or by a small phrase letting the visitor know that they will be leaving the Chapter website when they follow the hyperlink. In some cases, external hyperlinks may be part of a service being used by the Chapter, such as a shopping cart service or a third-party event registration company. The Chapter should assume the responsibility for handling any disputes between visitors and the vendors. If possible, there should be a seamless integration with the website in these cases, because the vendor is working under the direction and responsibility of the Chapter.
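The two checks above (robots safeguarding of confidential pages, and external hyperlinks that must either open a new window or tell the visitor they are leaving the site) can be audited mechanically. The following Python script is an added example, not code from the original ASIS document: it parses HTML pages with the standard library and reports each page that violates either rule. The hostname chapter.example.org, the protected directory prefixes /members/ and /committee/, the "leaving" phrase and the sample pages are all constructed for the example.

```python
"""Added example: audit Chapter web pages for two recommendations.

1. Robots: pages in a protected (members-only) area should carry a
   <meta name="robots" content="noindex, nofollow"> tag so search engine
   robots neither index them nor follow their links.
2. Links away from the website: every hyperlink to another host should open
   in a new browser window (target="_blank") or carry a short note that the
   visitor is leaving the Chapter website.

Hostname, protected prefixes, note phrase and sample pages are constructed
assumptions for this example, not values taken from the document.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "chapter.example.org"                  # assumed Chapter hostname
PROTECTED_PREFIXES = ("/members/", "/committee/")  # assumed protected subwebs
LEAVING_NOTE = "leaving"                           # phrase signalling an exit
REQUIRED_ROBOTS = {"noindex", "nofollow"}


class PageAuditor(HTMLParser):
    """Collects the robots directive and external anchors from one page."""

    def __init__(self):
        super().__init__()
        self.robots = None          # content of <meta name="robots">, if any
        self.external_links = []    # (href, target attribute, link text)
        self._current = None        # (href, target) of the anchor being read
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots = (a.get("content") or "").lower()
        elif tag == "a" and a.get("href"):
            host = urlparse(a["href"]).netloc.lower()
            if host and host != SITE_HOST:          # link leaves the site
                self._current = (a["href"], a.get("target") or "")
                self._text = []

    def handle_data(self, data):
        if self._current is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, target = self._current
            self.external_links.append((href, target, "".join(self._text)))
            self._current = None


def audit_page(path, html):
    """Return a list of finding strings for the page served at `path`."""
    parser = PageAuditor()
    parser.feed(html)
    findings = []
    if path.startswith(PROTECTED_PREFIXES):
        directives = {d.strip() for d in (parser.robots or "").split(",")}
        if not REQUIRED_ROBOTS <= directives:
            findings.append(f"{path}: protected page lacks noindex,nofollow robots meta tag")
    for href, target, text in parser.external_links:
        if target != "_blank" and LEAVING_NOTE not in text.lower():
            findings.append(f"{path}: external link {href} neither opens a new window "
                            f"nor tells the visitor they are leaving the site")
    return findings


# Constructed sample pages: one public page and two members-only pages.
SAMPLE_PAGES = {
    "/index.html": """<html><head><title>Chapter</title></head><body>
      <a href="https://vendor.example.com/register" target="_blank">Register</a>
      <a href="https://other.example.net/">News</a>
      <a href="/members/roster.html">Members</a></body></html>""",
    "/members/roster.html": """<html><head>
      <meta name="robots" content="noindex, nofollow"></head><body>
      <a href="https://vendor.example.com/cart">Cart (leaving the Chapter site)</a>
      </body></html>""",
    "/members/minutes.html": """<html><head>
      <meta name="robots" content="noindex"></head><body>Minutes</body></html>""",
}


def audit_site(pages=SAMPLE_PAGES):
    """Audit every page and return all findings; two are expected for the samples."""
    findings = []
    for path, html in pages.items():
        findings.extend(audit_page(path, html))
    return findings


if __name__ == "__main__":
    for finding in audit_site():
        print(finding)
```

Run against the constructed pages, the audit flags the "News" link on the public page (no new window, no leaving note) and the minutes page (noindex without nofollow); the roster page passes on both counts. The same script can be pointed at a local copy of the site by replacing SAMPLE_PAGES with a dictionary read from the files on disk.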
Privacy Policies and Procedures

ASIS members are entitled to privacy and to knowledge of where information that they submit via the Chapter is going to be sent. It is against ASIS policy to sell or otherwise redistribute the confidential information of its members. A good procedure is to provide a hyperlink to an online version of the ASIS Privacy Policies from any form that is located on a Chapter website. ASIS members should expect their webmaster to protect their website from over-invasive search engine robots. Pages with confidential information should be robot safeguarded. Under no circumstances should security ever be compromised by giving out passwords to anyone calling you. Whenever a password is to be issued, the member should be contacted directly and told what the password is. Naturally, the safest method for communicating passwords is at Chapter meetings, where a visual identification can be confirmed.

Non-Disclosure Agreements

Depending on the activities of the local Chapter website, on occasion it may be necessary for a vendor or third party to have access to confidential information. In these circumstances, it is advisable to have the party sign a non-disclosure agreement on behalf of the local ASIS Chapter. Although the NDA will not actually stop any theft, it does provide a modicum of legal recourse if the Chapter information becomes compromised.

Eligible Webmasters and Maintenance Personnel

To reduce security risks and confusion during the maintenance of the website, it is recommended that the number of personnel with website maintenance authorization be kept to a minimum. The Website Committee should keep track of the website authorization status.

Full Time Authorization -
Intermittent Authorization -
Limited Access -
Permissions -

* It should be noted that in many cases it will be the Webmaster who actually performs the task of setting up passwords and granting permission levels for the website.

Permission for various levels of authorization to access the website shall be restricted to:
Exceptions
Discussion

The reason for setting up this level of administration is not just to protect the Chapter from the obvious security risks. It also provides the Chapter with a built-in methodology for maintaining website security integrity. Lastly, this level of administration affords the Chapter a cross-reference source for IDs and passwords should anything unexpected happen to the currently authorized personnel. If the website offers a password-protected members' area, it is recommended that the Membership committee work closely with the Webmaster to make sure that only legitimate local Chapter members are granted access. Local members should be fully approved for ASIS membership before they are granted access to the website.

Third Party Content

Setting aside the issues of inappropriate content, third-party content can pose potential problems for the Chapter website. These problems may take the form of content delivery delays, bandwidth overuse, and disruptions in the normal operation of the Chapter website. Depending on the placement of this third-party content within password-protected areas of the website, there may be additional security risks. Third-party content to be particularly wary of includes Java applets, custom non-[D]HTML scripts, and page hit counters.

Virus Protection

All content to be placed on the website should be scanned for viruses using the most recent virus detection data file release. All software physically offered by the Chapter shall also be scanned, including, but not limited to, floppy diskettes, CD-ROMs, Zip disks, and magnetic tape media. A regular virus scanning maintenance program should be established on all computers that will be used to modify the website's content.

Passwords

Passwords shall always be protected from intentional and accidental discovery.

Do's
Don'ts
Broadcast Message Lists

Broadcast Message Lists should be carefully monitored and their usage should be strictly controlled. The list of email recipients should be closely guarded to protect members from being covertly added to non-requested message lists. The following recommendations are made:
Email Digests

Email Digests are not recommended for security issues or information dissemination.

Summary

Obviously, this document does not go into all of the current Chapter website security issues; however, it does address the majority of the most common concerns and provides a general set of guidelines for ASIS Chapters to follow in setting up and maintaining their website security procedures.