Guidelines on Securing Public Web Servers
    
Standardized Configurations
Organizations should develop standardized secure configurations for widely used operating systems and applications. This will provide guidance to Web and network administrators on how to securely configure their systems and ensure consistency and compliance with the organizational security policy. Because it only takes one insecurely configured host to compromise a network, organizations with a significant number of hosts are especially encouraged to apply this recommendation.
    
Security Awareness and Training
A security training program is critical to the overall security posture of an organization. Making users and administrators aware of their security responsibilities and teaching the correct practices helps them change their behavior to conform to security best practices. Training also supports individual accountability, which is an important method for improving information system security.
    
Contingency Planning, Continuity of Operations and Disaster Recovery Planning
Contingency planning, continuity of operations and disaster recovery planning are plans set up in advance to allow an organization or facility to maintain operations in the event of a disruption to the organization.[9]
   
    
Certification and Accreditation
Certification in the context of information systems security means that a system has been analyzed as to how well it meets all of the security requirements of the organization. Accreditation occurs when the organization's management accepts that the system meets the organization's security requirements.[10]
     
3.4  System Security Plan
The objective of computer security planning is to protect information assets (i.e., information and information resources).[11] Plans that adequately protect information assets require managers and information owners, those directly affected by and interested in the information and/or processing capabilities, to be convinced that their information assets are adequately protected from loss, misuse, unauthorized access or modification, unavailability, or undetected activities.

The system security plan provides a basic overview of the security and privacy requirements of the subject system and the organization's plan for meeting those requirements. The system security plan is also perceived as a way of documenting the structured process of planning adequate, cost-effective security protection for a system. Consequently, the system security plan should reflect input from the various managers with responsibilities concerning the system, including functional end users or information owners, system operations, and the system security manager.
                                                   
9
 For more information see NIST Special Publication 800 34, 
Contingency Planning Guide for Information 
Technology Systems
 (
http://csrc.nist.gov/publications/
)    
10
 For more information on certification and accreditation see NIST Special Publication 800 37, 
Federal Guidelines 
for the Security Certification and Accreditation of Information Technology Systems 
(
http://csrc.nist.gov/publications/
) 
11
 For more information on system security plans, see NIST Special Publication 800 18, 
Guide for Developing 
Security Plans for Information Technology Systems 
(
http://csrc.nist.gov/publications/
)    
(
http://csrc.nist.gov/publications/nistpubs/index.html
)
.