I use the TFM

View Poll Results: Which search engine do you use most? (17 voters)

  • MSN: 0 (0%)
  • Yahoo: 1 (5.88%)
  • Google: 15 (88.24%)
  • Ask: 0 (0%)
  • Dogpile: 0 (0%)
  • AltaVista: 0 (0%)
  • Other: 1 (5.88%)

  1. #1 Banned (joined Nov 2003, 1,161 posts)

    How many here rely on good documentation?

    "The importance of the TFM in supporting the operation of a secure computer system cannot be over estimated. Even if one assumes, hypothetically, that all users of a system and their applications are trusted, and that they will use all of the available protection mechanisms correctly, the system may still be administered and operated in an insecure manner. This may be especially true when administrative users lack the skill, the care, or the interest to use the system properly. ~ NCSC-TG-016 "

  2. #2 the_JinX, Leftie Linux Lover (joined Nov 2001, Beverwijk Netherlands, 2,535 posts)
    Yes.. I use TFM.. (isn't The TFM a bit double ?? (TFM == The F-ing Manual) right ??)

    In my case:
    http://www.slackbook.org/ (have the printed edition of Slackware Essentials from http://store.slackware.com/ )
    O'Reilly: LPI Linux Certification in a nutshell
    Ira Pohl & Al Kelley: A Book on C
    Ira Pohl: C++ for C Programmers
    SuSE books that came with the CD/DVD's

    Some more O'Reilly books like Linux in a nutshell
    And of course: http://tldp.org/
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3 Just Another Geek (joined Jul 2002, Rotterdam, Netherlands, 3,403 posts)
    Not sure but knowing !mitationrust a bit and looking at the text itself I do believe he means "Trusted Facility Manual" or "Trusted Facility Management".

    Guide to understanding trusted facility management
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4 the_JinX, Leftie Linux Lover (joined Nov 2001, Beverwijk Netherlands, 2,535 posts)
    Ah.. I knew I should have googled NCSC-TG-016

    In that case.. Nope.. Our company will have to move to a different location to ever be a Trusted Facility..

  5. #5 rcgreen, AO Curmudgeon (joined Nov 2001, 2,716 posts)
    Nope. I don't trust anything that has the word "trusted" in its name.
    I came in to the world with nothing. I still have most of it.

  6. #6 nihil, Super Moderator: GMT Zone (joined Jul 2003, United Kingdom: Bridlington, 17,192 posts)
    No I don't!

    The TCSEC was originally published on 15 August 1983
    How many viruses, trojans, worms etc. have we seen since then... and they hit places that should be compliant?

    The importance of the TFM in supporting the operation of a secure computer system cannot be over estimated
    As soon as I read a statement like that I switch off, because I know the rest will be bullcrap... if real life were like that it would be like painting by numbers, and I could replace most of you with a 286.

    The same can be said of design and development methodologies... follow them to the letter and you will design and develop nothing.

    Rules are made to be broken, corners to be cut... if you cannot handle that then you had better go live in an ivory tower, because you will not be able to hack it in the real world.

    Whilst theoretical models are all well and good, the real world is driven by practicality, affordability and acceptable risk; and those parameters are not within the ambit of the IT function.

    In my experience, the best you can hope for is to get some of the most obvious concepts accepted. The only exception is legislatory compliance, of course.

    My £ 0.02

    If you have any problems with this, just read poor old HTRegz's thread regarding "advice"... that is the real world, I am afraid.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7 Banned (joined Nov 2003, 1,161 posts)
    Yes, it's a manual; more specifically, as noted above, the Trusted Facility Manual. I think DoD terminology intimidates people. "Trusted Facility" doesn't always mean nuclear silos. These manuals should reside in the hands of the local library admin. It's just that they can go that far in terms of describing the system's limits in terms of security. Hence COTS.

    "The manual shall describe the operator and administrator functions related to security, to include changing the security characteristics of a user. DoD 5200.28-STD"

    Basically, people (the vendor) who know 1,000 times more about the system than you have documented their knowledge so admins and operators don't have to waste their time (money) attempting their own research on the system's security configuration. It's really helpful when the system is first released to the public. That is one of the manual's purposes.

    I was just curious about the methods you guys use to run your ships. Do you rely on good documentation? Do you rely on trial and error?

    You will be assimilated RC.

    To me this seems to be the smartest way to accomplish what you're paid to do.

  8. #8 nihil, Super Moderator: GMT Zone (joined Jul 2003, United Kingdom: Bridlington, 17,192 posts)
    Hi Rusty~

    "If you guys rely on good documentation.... If you rely on trial and error?"
    Those are not necessarily antitheses.

    As I feel that we may be talking at cross purposes here I will outline what I consider to be pretty normal or at least desirable.

    There are 4 fundamental facets of security that must be considered:

    Internal
    External
    Physical
    Systems

    You look at your processes and the procedures and applications that support them.

    You look at your personnel and their responsibilities.

    You allow your personnel sufficient access and authority to discharge those functions, AND ONLY THAT!

    You establish appropriate checks and balances to monitor and manage your processes. By definition that includes the supporting procedures and applications.

    The whole exercise should be conducted from the top down... "bottom up and you will belly up".

    I say that because all organisations have a purpose or functionality. This is NOT to run processes, procedures or applications. They merely enable the organisation to achieve its objectives.

    I do not set great store by vendors' manuals when it comes to processes or security. Firstly, they are no substitute for a proper business analysis exercise and secondly, if they were that damn good, why do all these vendors keep releasing security patches (but never a patch for the manuals)?

  9. #9 Frustrated Mad Scientist (joined Dec 2004, 1,152 posts)
    We use BS7799 (ISO17799 soon to be ISO27000 series) and aim to be compliant with it but not certificated to it. Manuals/documentation/policies and procedures are all used and written in such a way as to be compliant with BS7799.

    We also use a derestricted subset of documents from the 'Manual of Protective Security (MPS)'. The MPS is restricted though I can make a business case to request particular documents.

    I also have to comply with various codes of conduct where we do have to deal with protectively marked documents and hardware is rated against Common Criteria.

  10. #10 nihil, Super Moderator: GMT Zone (joined Jul 2003, United Kingdom: Bridlington, 17,192 posts)
    Hi Aspman

    The problem with BS/ISO and most other documentation standards is precisely what they say: "Documentation"

    You can have the crappest policies, processes and procedures on earth, but so long as they are properly documented and adhered to, you will pass certification.

    My point is that they deal with replication rather than quality.
