SysAdmin Class Teaches Ins and Outs of a Good Local Security Policy

76

Sarah Kiden had never used Linux before she landed a job four years ago as a Web and E-learning Administrator at Uganda Christian University in Kampala. There she is in charge of maintaining the university’s information systems on servers that largely run Linux.

She had taken one college course in Information Technology, which gave her enough background to get started, she said. The rest she learned on her own, on the job, through trial and error and a lot of hard work.

Sarah Kiden“Many times I was not even sure that I was doing the right thing,” Kiden said via email.

Seeking more formal training, she applied for a Linux Foundation training scholarship last fall and was one of five winners to receive free registration for a Linux training course of their choice. In December she completed the Linux Foundation’s Linux System Administration (LF242) course online. The four-day class covers how to install, administer, configure and upgrade a Linux system running Red Hat, SUSE, or Debian/Ubuntu.

The training has given Kiden more confidence to take on system administration tasks such as setting up LDAP, group ownership, access control lists and others aspects of user management, she said. And one section covering local security was especially helpful to her.

“I realized that many organizations do not have security policies; those that have policies do not put attention to updating them regularly, yet security threats and solutions change all the time,” she said. “Issues such as security and backup will be at the back of my mind as I administer systems.”

Creating a Local Security Policy

Organizations can prepare for a security breach by first creating a written security policy that’s simple and easy to understand and not “lore as passed around a campfire,” said Kevin Smallwood, who taught the system administration course at the Linux Foundation. A good security policy assesses risks and specifies enforcement actions, as well as what to do in the event of a security breach, he said. It should also assess the cost and personnel needed and detail the methods for protecting confidentiality, data integrity, availability, consistency, control and audit capabilities.

“A security policy (also) promotes a philosophy; do you allow everything, unless you explicitly disallow it, or do you disallow everything, unless you explicitly allow it?,” Smallwood said. “With thought and planning, a security policy will prepare an organization for what they hope will never happen.”

Kiden has taken this advice to heart and has already talked to her technical manager about creating a security policy for the university.

“I would definitely encourage my colleagues to take a course from Linux Foundation. The courses are highly practical and there is so much to learn,” Kiden said. “In addition, Linux Foundation is a well-established and well-known organization and it is fulfilling to have had my training there.” 

For more information on available Linux Foundation training courses, visit training.linuxfoundation.org.