Today, the majority of personal computers conform to the IBM/Intel architecture, and most of these run the DOS/Microsoft Windows operating systems (a small but significant percentage still adhere to the proprietary Apple Macintosh architecture). A separate class of desktop machines are those using the UNIX operating system. Often referred to as “workstations”, these UNIX machines are typically more expensive, more powerful, and confined to specialized areas such as engineering and scientific research. While the DOS and Windows 95 operating systems use an open file system, with no provision for separate user accounts on a single machine, UNIX offers tight control of file permissions and multiple accounts. UNIX machines are often used as high-performance back-room data base hosts and World Wide Web servers.

Recently, a new category of machine, the network computer or NC, has been making headlines. In many ways this is simply the re-birth of the diskless PC, several models of which were unsuccessfully marketed in the late 1980s. Both the NC and the diskless PC are machines that have their own processor and random access memory and so perform local processing, but possess no local storage devices. Their operating system is a combination of a ROM-based boot process and server-based network operating system. However, whereas the diskless PC was aimed at solving security, management, and support problems on local area networks, the NC concept has been developed in a wide area context, specifically the Internet, and in particular, the World Wide Web.

Strict categorization of desktop systems is seldom helpful. For example, IBM/Intel-based machines can run powerful versions of UNIX, such as SCO UNIX. Both BSDI UNIX and Linux run on Intel chips and are very popular as Web servers. Furthermore, Microsoft Windows NT and IBM OS/2 both offer a multi-user, multitasking alternative to UNIX, with a familiar graphical user interface (GUI). They also allow you to use a closed file system. What may be helpful is further clarification of the terms PC, workstation, terminal, server, and client.

•  PC: a self-contained computer system with its own processor, storage, and output devices (the screen is perhaps the most basic of output devices). Typically, it is small enough to fit on or under a desk.

•  Workstation: a self-contained computer system with its own processor that is also connected to a server. A workstation does at least some of its own processing and may have its own storage, but may also use or rely on the server for storage.

•  Terminal: a computer access device with screen and keyboard that does not have its own processing or storage capabilities.

•  Server: any computer system that is providing access to its resources to another computer system, for example, a Web server provides a browser/client with access to Web pages stored on the server.

•  Client: any computer system that is accessing resources made available to it by another computer system, for example, a Web browser/client accesses to Web pages stored on a Web server.

DESKTOP SECURITY POLICY AND AWARENESS

As you read in Chapter 4-4-1, every organization should have an information security policy. However, field experience suggests that these policies often fail to address desktop computing issues appropriately or adequately. For example, it is common for companies to have comprehensive policies for mainframe systems that address all contingencies, but only a few specific desktop policies such as antivirus procedures written in response to specific incidents such as a virus infection.

From the Top Down

Effective information security policies are created from the top down, beginning with the organization’s basic commitment to information security formulated as a general policy statement. Here is a good example of a general policy statement:

1.  Timely access to reliable information is vital to the continued success of Megabank.

2.  Protection of Megabank’s information assets and facilities is the responsibility of each and every employee and officer of Megabank.

3.  The information assets and processing facilities of Megabank are the property of Megabank and may only be used for Megabank business as authorized by Megabank management.

When a general policy like this has been agreed to by top management, each employee should be required to sign, upon hiring and each year thereafter, a document consisting of the policy statement and words to this effect:

I have read and understood the company’s information security policy and agree to abide by it. I realize that serious violations of this policy are legitimate grounds for dismissal.

Once you have a general policy like this in place, you can elaborate upon particulars. In the case of desktop systems these include:

•  Password policies (e.g., minimum length, storage of passwords)

•  Backup duties (for individual PCs as well as the network server)

•  Data classification (rating each document for sensitivity, see Chapter 4-1-1)

•  Removable media handling (e.g., who can take diskettes in or out)

•  Encryption (what data will be encrypted, which algorithms to use)

•  Physical security (how is equipment protected against theft/tampering)

•  Access policies (who is allowed to access which machines/files)

There will also need to be policies for specific systems, for example, the accounting department LAN. These can be promulgated by the staff who have responsibility for those systems provided there is oversight and sign-off by the managers of those departments and the security staff.