Ten Top (Security) Tips
Shane Panjvani, from NCC (the National Computing Centre), lists 10 tips
for intranet and extranet security:
- Simply having a firewall isn't enough - it has to be configured properly
and reviewed regularly. When you review it, remember why you installed
it in the first place.
- Your security measures are only as good as the weakest link, and that
includes your employees. Educate them to prevent human and procedural weaknesses,
including password management and reporting of security incidents.
- Review the security of your operating system. Is there a procedure
for reviewing 'root' and other privileged passwords? How many people know
them? How many file permissions are global read and write?
- Do you have a secure file backup system? Is the backup system secure?
Are there appropriate processes for retrieval and recovery?
- Are you aware of the known bugs and weaknesses of e-mail, LAN and web
facilities, and have you taken account of them?
- Do you know who is making changes to your systems and why? Would you know
if there had been any unauthorised changes?
- Do you have an information security policy? What was it designed to
accomplish and when was it last reviewed? Is it enforced?
- Do you understand the risks facing your organisation? When was a risk
assessment last performed?
- Who is managing your security and how well is it being managed?
- Who determines the access privileges for internal and external users?
Are the privileges on a 'need to know' basis? How often are they reviewed?
The summary of Shane's advice is: understand, manage and review.