Tuesday, October 02, 2007

Practical(?) IT Security:
10 Policies & Procedures

As a follow-up to my posting containing 10 Practical IT Security Counter-measures, here are policies and procedures that I recommend that organizations and households adopt to enhance security. These are listed in no particular order. I am not sure how practical these recommendations really are. After all, even I violate one or two of these from time to time.
  1. WiFi is a security problem. Encryption is good, but it doesn't deal with the reliability problem. Wire your network. Yes, it is more expensive and troublesome to set up a wired network. However, you will have very little trouble with wires once you've got them installed. You won't have to worry about encryption, interference and eavesdropping. You'll be able to upgrade and integrate your different networks (data, voice, video, etc.) over time.
  2. Portable storage devices (laptop PCs, notebook PCs, PDAs, smartphones, USB thumb drives, etc.) are security problems. Avoid them if possible. When there is a strong business case to get a portable device, strong passwords shall be required for access and data shall be stored in an encrypted "vault" on the device.
  3. Strong security shall be required for access to each PC and local-area network services. Fingerprint readers, two-factor authentication schemes, complex passwords, etc. are acceptable approaches to strong security.
  4. All electronic work (documents, data, emails, etc.) shall be stored on network file storage devices. Portable devices shall be docked periodically and files synchronized to network storage.
  5. Network file storage shall be automatically backed up according to a security plan/schedule.
  6. All work (electronic and hard-copy) shall be archived and destroyed according to a security plan/schedule. Keeping information for longer than you are required to, or need to, exposes you to potential liabilities.
  7. No downloading or listening to music. Downloading music is often illegal. Listening to music uses bandwidth which may be scarce.
  8. Never send an email that you would not be comfortable seeing taken out of context and printed in the newspaper under your byline. Emails have a way of coming back to haunt you and/or the company.
    • Do not send or forward jokes, pictures, videos, etc. via email. It is hard to know where they will end up, and they can backfire. Videos especially take up valuable bandwidth and storage space in your mailbox.
  9. 90% of all email today is SPAM. SPAM can contain viruses, adware and spyware. It also takes up scarce bandwidth and mailbox storage.
    • Delete, do not open any email you are not expecting.
    • Turn off the "preview pane" in your email reader, because viewing a message in the preview pane constitutes opening it. Sometimes when you open an HTML-formatted email, it communicates back to the sender, validating your email address and inviting more SPAM.
    • After receiving an unwanted email message from a sender, do not try to "opt out" of receiving further messages. It probably won't work, and it serves to validate your address for the SPAMMER.
    • Do not take the time to report SPAM to "the authorities." It is not your job to police the net.
    • Do not put your email address on your website. Use a web form instead that lets people send a message to you from their browser.
  10. Email messages are not secure unless you encrypt them. Encrypt emails that contain confidential information such as user names, passwords, account numbers, health information, etc. It is not hard to do. But, if your correspondent is not able or willing to receive encrypted email, fax confidential information instead.
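The "communicates back to the sender" behaviour in item 9 comes from remote content (most often a one-pixel image) that the mail client fetches from the sender's server the moment the message is rendered, preview pane included. The following script is an added example, not part of the original post: it parses a constructed HTML message with Python's standard library and lists every resource that would be fetched automatically, so you can see what a preview pane would leak before any policy about disabling it is debated. The domains, the `uid` token and the tracking-pixel heuristic are all assumptions made for this example.

```python
"""List the remote resources an HTML e-mail would fetch when rendered.

Added example (not from the original post). The sample message below is
constructed for this example; the domains and the per-recipient token are
invented. Any <img>, <link>, <script> or <iframe> pointing at an http(s)
URL is fetched automatically by a rendering client, which tells the
sender's server that the address is live.
"""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: a marketing message with a 1x1 tracking pixel whose
# query string carries a per-recipient token (hypothetical domains).
SAMPLE_EMAIL = """\
From: promo@example-mailer.invalid
To: you@example.invalid
Subject: Special offer
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, see our <a href="http://example-mailer.invalid/offer">offer</a>.</p>
<img src="http://track.example-mailer.invalid/open?uid=ab12cd34" width="1" height="1">
<img src="cid:logo@example-mailer.invalid" alt="logo">
<link rel="stylesheet" href="https://cdn.example-mailer.invalid/style.css">
</body></html>
"""


class RemoteResourceFinder(HTMLParser):
    """Collect every remote resource a client would fetch while rendering."""

    # tag -> attribute naming the resource that is loaded automatically
    # (an <a href> is only followed on click, so it is deliberately absent)
    AUTO_FETCH = {"img": "src", "link": "href", "script": "src", "iframe": "src"}

    def __init__(self) -> None:
        super().__init__()
        self.remote: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = self.AUTO_FETCH.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr) or ""
        scheme = urlparse(url).scheme
        # Only http(s) URLs hit a server. "cid:" refers to an attached part
        # and "data:" is embedded inline, so neither reveals anything.
        if scheme in ("http", "https"):
            self.remote.append((tag, url))


def find_beacons(raw_message: str) -> List[Tuple[str, str]]:
    """Return (tag, url) for each auto-fetched remote resource in the HTML parts."""
    msg: Message = message_from_string(raw_message)
    finder = RemoteResourceFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            finder.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return finder.remote


def is_likely_tracking_pixel(url: str) -> bool:
    """Heuristic (an assumption of this example): a URL with a query-string token
    under a 'track'/'open'/'pixel'/'beacon' host or path is probably an open beacon."""
    parsed = urlparse(url)
    location = parsed.netloc + parsed.path
    return bool(parsed.query) and any(w in location for w in ("track", "open", "pixel", "beacon"))


if __name__ == "__main__":
    for tag, url in find_beacons(SAMPLE_EMAIL):
        flag = "  <-- likely tracking pixel" if tag == "img" and is_likely_tracking_pixel(url) else ""
        print(f"{tag:6} {url}{flag}")
```

Run against the constructed message, the script reports the tracking pixel and the remote stylesheet but ignores the `cid:` logo, which is an attachment and never leaves the mailbox. A mail reader set to block remote content (or a preview pane that is switched off, as the post recommends) prevents exactly the fetches this script lists.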
