1. Anti-Virus - by now, almost every individual and company has experienced the frustration and expense which accompanies virus infections (and this despite having purchased and installed anti-virus protection). Anti-virus software should be automatic, updated daily, and not capable of being turned off. It should be installed on the server, as well as on all desktops. Laptop users should not be able to log into the network unless it has been verified that their anti-virus protection is up to date.
2. Acceptable Usage Policy - your network users need to know your company's policies regarding personal use of e-mail, personal web surfing, floppy disks, software, directory access, and related matters. You need to document this training.
3. Data Backup/Integrity - data backups are business critical should it become necessary to restore from them, and not only servers but desktops, too (the CEO's and CFO's, for example) should be included in the daily routine. Backups need to be automatic, verified, stored off-site, and rotated properly, so that if the last good data is from two weeks ago, you still have that data available from which to restore.
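An added example (not the page's own code) of the verification and rotation rule above: given nightly backup sets and the result of each set's verification, it picks what to keep so that a verified restore point at least two weeks old always survives, and reports days in the window with no verified copy. The retention policy and the sample dates are constructed for the example.

```python
from datetime import date, timedelta

RETAIN_DAYS = 14  # the page's rule: a good copy from two weeks ago must still exist

def select_retained(sets, today, retain_days=RETAIN_DAYS):
    """Return the backup dates to keep on rotation.

    `sets` is a list of (date, verified_ok) pairs; verified_ok is the result of
    the backup job's own check (checksum compare or test restore). Policy,
    constructed for this example:
      - keep every verified set inside the retention window;
      - also keep the newest verified set older than the window, so a restore
        point covering the whole window survives the next rotation;
      - unverified sets are never counted as restore points.
    """
    verified = sorted((d for d, ok in sets if ok), reverse=True)
    cutoff = today - timedelta(days=retain_days)
    recent = [d for d in verified if d >= cutoff]
    older = [d for d in verified if d < cutoff]
    return recent + older[:1]

def coverage_gaps(sets, today, retain_days=RETAIN_DAYS):
    """Days inside the window with no verified set: each is a rotation failure
    that would otherwise go unnoticed until a restore is actually needed."""
    verified = {d for d, ok in sets if ok}
    return [today - timedelta(days=i) for i in range(retain_days + 1)
            if today - timedelta(days=i) not in verified]

# Constructed sample: one nightly set per day for 20 days; the sets from
# 3 and 16 days ago failed verification (e.g. off-site copy checksum mismatch).
TODAY = date(2003, 3, 31)
SAMPLE_SETS = [(TODAY - timedelta(days=i), i not in (3, 16)) for i in range(20)]

if __name__ == "__main__":
    keep = select_retained(SAMPLE_SETS, TODAY)
    print("retain", len(keep), "sets; oldest verified restore point:", min(keep))
    for gap in coverage_gaps(SAMPLE_SETS, TODAY):
        print("no verified backup for", gap)
```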
4. Firewall - if you are connected to the Internet, you need a firewall, period. If you have remote dial-in users, you also need a VPN. The firewall software or firmware should be kept up to date with the latest version and patches.
5. UPS - every device that is critical, or contains critical information, should be powered through an uninterruptible power supply.
6. Software Patches and Updates - every day, dozens of software security flaws are discovered and patches developed. All software should be examined to be sure that the most up-to-date, tested versions are installed. This should be verified on a regular basis.
7. Internal Risk Assessment - on the inside of your network, the areas of concern include communication services, operating systems, key applications, and routers. We scan for weak or missing passwords, deactivated logging functions, ineffective permissions and policies, Trojans, and other vulnerabilities known to be used by external and internal threats to your network.
8. External Vulnerability Assessment - from the Internet, we scan for Windows NT and 2000 vulnerabilities, open ports, unneeded services and banners, in all more than 500 known vulnerabilities.
9. Organizational Risk Assessment - other than the solid foundation that every organization requires, the real first step in managing risk is to understand what your risks are in relation to your organization's mission and its key assets. A comprehensive risk evaluation should strive to include every asset, threat, and vulnerability to the information and systems of the organization, and to rank them according to the damage a failure could cause. (A very strong case can be made for this to be the first step an organization takes in beginning to manage network risk, but this can be a time-consuming operation, and delaying the above steps until after the assessment is completed could be unwise.)
10. Content Inspection - are your employees using company e-mail and Internet service to look for jobs, shop online, check their stocks, send off-color jokes? You should control this situation, instead of ignoring it.
11. Intrusion Detection - if your network is attacked or compromised by hackers, how will you know it? Many product offerings in this field produce so many false alarms that they are actually counter-productive.
12. Emergency Response - does your company have a plan for responding to network emergencies? If your mail server is being used to mount a DDoS attack against another network, what will you do? If your e-mail client suddenly starts sending the same message to every contact on your server, how do you respond? Are your responses practiced, as with fire drills?
13. Disaster Recovery - what are your plans to recover from an act of God or nature, such as a fire or electrical surge? Will you handle everything internally, or call upon outsourced assistance? Are you sure that your mission-critical assets will be available from which to restore? What will you do for phone service, short-term financing, postal service? Will your associates work from home offices while the recovery takes place?
14. Secure e-mail - in the coming months, companies will become more and more concerned about the security of their e-mail messages, which can wander around the Internet and be intercepted accidentally or intentionally by third parties. How secure is your e-mail?
15. Spyware removal - unbeknownst to most, many websites and downloaded programs will infect your PCs with applets which furnish information about you and your network to their servers. We can remove these.
16. Trash shredding - if you don't do it, you should. (This backdoor exists in almost every organization; shame on all of us.)