
Periodically Train Employees on Security Awareness to Reduce the Risk of Errors and Damages

Best Practice (Good)


Provide detailed information technology security awareness training to new and
existing personnel at regular intervals (yearly, quarterly, etc.), including contractors
and other users of information systems that support the operations and assets of the
organization. Security awareness training should be supplemented by the distribution
of informational resources when policies are updated.

Benefits:
Training employees and keeping them up-to-date on security awareness reduces the
risk of potential errors and damages from occurring through human error, including
falling prey to phishing emails or other spam content that seeks to place malware or
malicious software on the company's network.

An agency should:

- Periodically assess the risk and magnitude of the harm that could result from
the unauthorized access, use, disclosure, disruption, modification, or
destruction of its information and information systems.
- Develop risk-based policies and procedures that cost-effectively reduce
information security risks throughout the life cycle of each information system
in its information security programs.
- Develop subordinate system security plans for providing adequate security for
networks, facilities, and systems or groups of information systems (as
appropriate).
- Provide appropriate security awareness training to personnel, including
contractors and other users of information systems that support its operations
and assets.
- Test and evaluate the effectiveness of information security policies, procedures,
and practices as frequently as the risk level requires but no less than annually.
- Create a process for planning, implementing, evaluating, and documenting
remedial action to address any deficiencies in information security policies,
procedures, and practices.
- Establish procedures for detecting, reporting, and responding to security
incidents, which may include using automated tools; mitigating risks associated
with such incidents before substantial damage is done; and notifying and
consulting with the information security incident center and other entities, as
appropriate, including law enforcement agencies and other relevant officials.
- Establish plans and procedures to ensure continuity of operations for
information systems that support its operations and assets. Test plans to
ensure they work.
- Develop, maintain, and annually update an inventory of major information
systems.

IT best practices: 7 quick tips

1. The more “standard” your environment, the better. Complexity in your
technology environment – at both the hardware and software level – will
make support more difficult, and possibly more expensive. It could also
make your team less productive; if everyone has the same products, they’re
able to learn from each other and use the tools more effectively.

2. Keep your hardware and software up-to-date. Your servers and
workstations need to stay patched, your firewall needs the latest firmware,
and your software needs the latest bug fixes. If you fall behind on your
updates, you’ll end up vulnerable to both performance and security issues.
Mind your warranties and support subscriptions, too – letting them lapse
will only increase your risk of prolonged downtime.

3. Don’t ever think you are “secure.” Complacency is dangerous, especially
when it comes to security. Cyber threats are constantly changing and
evolving, so you need to assess your vulnerabilities on a regular, ongoing
basis. This is especially important for organizations that are subject to
compliance regulations, since the price you’ll pay for a violation can be
quite high.

4. Avoid single points of failure. This goes for your hardware and your people.
Back up your data, and have redundancy in critical networking pieces like
your firewall so that you can remain productive in the event of hardware
failure. Try not to put all your eggs in one basket as far as your support
goes, too; even if you trust your IT person completely, have them document
their knowledge in detail so that you aren’t dead in the water if something
were to happen to them.

5. Focus on ROI. Before you make any changes to your technology, ask
yourself what the business impact will be. Is it going to mitigate risk?
Make your team more engaged and productive? Boost morale? Technology
for technology’s sake has no value, so try to view your decisions through a
business lens.

6. Keep your culture in mind, too. When it comes to choosing your equipment
and software packages, consider how they will uphold your company’s
culture. Does your team have a flexible work environment, which you can
support by providing laptops or tablets to your staff? Does your core
communication tool need to support silly off-topic banter, or does it need
to be more restrictive?

7. If you don’t want to deal with it, outsource it. If there’s a portion of your IT
support you don’t want your internal team to have to worry about, if you
don’t want to deal with managing an internal IT team at all, or if you want
to outsource your entire technology environment to another provider in the
form of virtual desktops or otherwise, look into outsourcing.

Key Elements of Network Security

- MAINTAINING YOUR ANTI-MALWARE. Having centralized anti-virus and anti-spam is
a good start, but your protection is only as good as your maintenance; if your
software cannot keep up with the latest threats, you are vulnerable.
- PATCHING YOUR SERVERS AND WORKSTATIONS. Regular patching is key to securing
any weaknesses in your operating systems.
- KEEPING YOUR FIREWALL (AND FIRMWARE) UPDATED. Your firewall protects the place
where your network meets the Internet. Just like your anti-virus needs to be kept
up-to-date, so does your firewall by way of firmware updates; your device must
keep pace with the evolution of cyber threats.
- HAVING ROBUST BACKUP AND DISASTER RECOVERY. This will keep you operational no
matter what happens (even if you get hit by ransomware, one of the most nefarious
hacks out there).
- ENFORCING POLICIES. Create and implement a mobile device policy, an employee
separation policy, an equipment use policy, a password policy, and a data privacy
policy.
- EDUCATING YOUR STAFF. Do they know how to identify a dangerous email? How to
avoid sites that are rife with malware? How to create a strong password (and not
need to write it onto a sticky note)? Technical defenses mean little if your staff
is not properly and regularly trained.
- HAVING PERIODIC SECURITY AUDITS. You won’t truly know where your network stands
with regard to security and vulnerabilities unless you have a comprehensive
security audit. They are costly, but oftentimes the investment is less than what
a successful attack will cost you.

10 best practices to protect your company’s digital security

Malicious attacks on corporate IT systems are becoming more frequent and
sophisticated. The consequences of an intrusion can be disastrous, and can even
threaten a company’s very survival. Here are 10 best practices to reinforce IT security.

1. Engage and train users.

A user is a weak link in a company’s security if he or she hasn’t been educated about
security issues or adequately trained in best practices. And overall IT system
security is only as strong as its weakest link! Every user must know which data is
considered sensitive and be familiar with the company’s security policy and related
guidelines. For example, basic rules could include: never re-using a personal
password at work; not connecting personal equipment to the company network;
locking the session on one’s work station before stepping away from it; knowing the
procedure to follow when suspecting a potential breach; etc. Companies can organize
spot-training on specific issues — for example, an information session on phishing,
on ransomware, on the risks associated with USB keys, etc.

2. Secure work stations.

Companies must develop a policy on which software can and can’t be installed on
work stations. This could take the form of a list of applications and browser
extensions, or application installations requiring authorization by the IT department.
You may want to host authorized applications on your own server as a way to
guarantee their authenticity. Furthermore, work stations must always be up-to-date
and equipped with at least antivirus and antispam software, and a local firewall that
is correctly set up. Volumes and partitions where user data are stored must be
encrypted and regularly backed up on unconnected systems. Encrypting laptops,
especially those that leave the premises, is vital because of the heightened risk of
theft or loss.

3. Localize sensitive data.

All companies must manage their sensitive information, i.e. any data whose loss or
theft could be damaging or even disastrous. Companies must know at all times
where the data resides and on which physical equipment it is located, in order to
define specific security measures. Data that resides on external systems (for
example, on the cloud, on an IaaS, or on a PaaS) must be accorded special treatment
due to their specific risks, and some thought must be given to the merit of
externalizing this data in light of security issues. Identifying sensitive data also
allows you to better control associated access rights.

4. Ensure tight management of user accounts.

Companies must constantly ensure a flawless management of user accounts,
removing them as soon as employees leave the company and regularly reviewing
accounts in order to ensure the appropriate level of rights. For example, you don’t
want to grant more rights than is necessary; not everyone needs administrator
rights. You’ll also want to ensure the proper configuration of access rights to
sensitive data. Finally, in the interest of traceability, never allow generic multi-user
accounts; you’re much safer banking on single-user accounts.
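As an added illustration of the account review described above (example code, not taken from any of the quoted guides), the following script checks a constructed account inventory against a constructed HR roster for the conditions the text names: accounts whose owners have left, administrator rights outside an approved list, generic multi-user accounts, and dormant accounts. The roster, the account list, the approved-admin set and the 90-day dormancy threshold are all assumptions.

```python
"""Periodic user account review (added example; inputs are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Person:
    person_id: str
    terminated: Optional[date] = None  # None while still employed


@dataclass
class Account:
    username: str
    owner: Optional[str]          # person_id, or None when nobody owns it
    is_admin: bool
    last_login: Optional[date]    # None if the account has never logged in
    shared: bool = False          # generic multi-user account (no traceability)


def review_accounts(accounts: List[Account], roster: List[Person],
                    approved_admins: set, today: date,
                    dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every account that needs action."""
    people = {p.person_id: p for p in roster}
    findings = []
    for a in accounts:
        # Traceability: every account must map to exactly one named person.
        if a.shared or a.owner is None:
            findings.append((a.username, "generic or unowned account: no traceability"))
        else:
            person = people.get(a.owner)
            if person is None:
                findings.append((a.username, "owner not on HR roster"))
            elif person.terminated is not None and person.terminated <= today:
                findings.append((a.username,
                                 "owner left on %s: disable account" % person.terminated))
        # Least privilege: admin rights only for people on the approved list.
        if a.is_admin and a.owner not in approved_admins:
            findings.append((a.username, "admin rights not on approved list"))
        # Hygiene: accounts nobody uses are candidates for removal.
        if a.last_login is None or today - a.last_login > timedelta(days=dormant_days):
            findings.append((a.username, "dormant: no login in the last %d days" % dormant_days))
    return findings


# Constructed sample data (assumed, not from a real directory export).
TODAY = date(2024, 3, 1)
ROSTER = [Person("p1"), Person("p2", terminated=date(2024, 1, 15)), Person("p3")]
APPROVED_ADMINS = {"p1"}
ACCOUNTS = [
    Account("alice", "p1", is_admin=True, last_login=date(2024, 2, 28)),
    Account("bob", "p2", is_admin=False, last_login=date(2024, 1, 10)),
    Account("carol", "p3", is_admin=True, last_login=date(2024, 2, 20)),
    Account("helpdesk", None, is_admin=False, last_login=date(2024, 2, 29), shared=True),
    Account("svc_backup", None, is_admin=False, last_login=None),
    Account("dave", "p9", is_admin=False, last_login=date(2023, 10, 1)),
]


def run_review() -> List[Tuple[str, str]]:
    """Run the review over the constructed sample and return its findings."""
    return review_accounts(ACCOUNTS, ROSTER, APPROVED_ADMINS, TODAY)


if __name__ == "__main__":
    for username, finding in run_review():
        print("%-12s %s" % (username, finding))
```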

5. Provide clear guidelines for password creation.

Users must receive detailed guidelines on how to create robust passwords. The
guidelines must strictly forbid the writing down of passwords on physical media
(notepads, whiteboards, etc.) or non-encrypted digital media (“passwords.txt”, email,
etc.). Users who must juggle several complex identifiers should use a password
management system (KeePass, EnPass, 1Password, etc.).

6. Strengthen authentication procedures.

To boost the security of strategic accounts, use a two-step verification process. This
involves authenticating a user with a password, plus another identifier such as a
physical item in the user’s possession (a FIDO U2F USB key, an OpenPGP card, an
RFID chip, a token, a single-use code sent via SMS, etc.), biometric data
(fingerprints, voice recognition, iris scanning, etc.), or even a geographic location (the
connecting device must be within a certain physical location).

7. Limit the devices authorized to connect to the company network.

Devices that can connect to the internal network must be under the company’s
jurisdiction. Devices belonging to visitors or to employees are a vulnerability over
which the company has no control. To accommodate these needs, you’re better off
creating a specific Wi-Fi network entirely separate from the rest of the company
infrastructure, while offering a decent level of security (WPA2, soon to be WPA3, AES
CCMP, regular password changes). At the same time, you should control the use of
external USB keys on company systems.

8. Encrypt all data transmitted over the Internet.

Any non-encrypted data circulating on the Internet is vulnerable: emails, exchanges
with cloud platforms, SaaS, etc. All these communications must go through secure
protocols (HTTPS, IMAPS, SMTPS, POP3S, SFTP, etc.). Remember that email always
travels on networks in an unencrypted manner. Assume that any information sent
by email can be intercepted and read by anyone, unless the contents are encrypted
using OpenPGP, PGP, GPG or another encryption method. Also, if users need to
connect remotely to company systems over the Internet (for example, itinerant
employees, teleworkers), compel them to do so through a secure tunnel such as a
VPN.

9. Partition the network.

You should isolate machines that offer services visible on the Internet (for example,
Web hosting) from the rest of your company network (by creating “demilitarized
zones”). Also, your network architecture should be partitioned to stop an attack on
one machine from spreading to all other machines. For example, you can create
separate zones for different systems with similar security needs, and implement
traffic filtering between zones using a firewall.

10. Don’t forget physical security.

Access to server rooms must be restricted with passcards or similar systems. Of
course, you should avoid unaccredited employees or external suppliers accessing
these strategic rooms unescorted. Also, you should secure or deactivate network
plugs in public spaces.

Information Security Best Practices

How Strong is Your Information Security Program?

Traditionally, documented security policies have been viewed as nothing more than a
regulatory requirement. While this may have been true in the past, building a strong
information security program (ISP) is a business imperative as you fight to keep the
customers you have and work to attract new ones. Your information security policies
can either work to help you grow your business or signal a red flag that security is not
a top priority.

No matter how strong your security posture is now, if you don’t document it, it won’t
last. You must assume that people instrumental in building your security environment
will eventually move on. In that respect, training the replacement is a lot less painful
and much more effective with a written guide. Without a policy manual, the new
employee would eventually learn what to do but would you really want to risk a
security incident while they are trying to figure it out?

It’s important to understand that there is no procedure, policy, or technology that will
ever be 100% secure. It just doesn’t exist. You can, however, endeavor to get as close
to perfect as possible.

Lack of a documented security policy is a huge red flag when determining liability in
the event of an incident. You do not know when the next attack will happen and if
someone is aggressively targeting you, they will cause pain. When it comes time to
defend yourself, no matter the strength of your security environment, the lack of a
documented information security program is a message that management has not
taken data security seriously. This perception becomes increasingly dangerous when
we’re talking about a court of law and an untold number of potential customers in the
court of public opinion.

Whether you are currently without a policy or want to ascertain where yours fits along
the continuum, here are key components that should be in a best practices ISP.

The Information Security Officer


The first thing that any security program must do is establish the presence of the
Information Security Officer. Depending on the size of your security environment, this
could be a full-time position or a current employee who has the availability to take on
further duties.

Besides the time element, the organization must clearly define the expectations of the
Information Security Officer and determine if an individual is capable to fill the role.
During a later post I will describe the attributes that ascertain “capability”, but the
complete lack of someone in this role means that information security is not a priority
in your organization.

End User Acceptable Use Guidelines


Your policy should contain specific language detailing what employees can do with
“your” workstations. While we hope that all company property is used for company
purposes, this just isn’t the case in real life. Instruct employees as to what is
considered business use and explain the risks of downloading games or using tools
like instant messaging.

Software Updates and Patches


What’s your stance when it comes to patch management? Do you require patches and
upgrades to be implemented immediately? Are you sure you’re actually doing what
your policy says?

Random checks to confirm you are following your own rules are the best way to monitor
the activity.

If you’re scratching your head at my use of the phrase “patch management”,
understand that if you don’t keep up to date on your system patches and upgrades,
you leave yourself wide open for the most basic of hacks. If you never update, your
vulnerabilities are exponentially increased. Your best practices Information Security
Program should clearly document your patch management procedures and frequency
of the updates.

Vendor Management
You’re only as strong as your weakest link, and when you work with third-party
providers their information security downfall can become your issue. Make sure you
document which vendors receive confidential information and how this information is
treated when in the custody of the vendor. The lack of strict vendor guidelines could
increase the risk of releasing your customers’ private information.

Physical Security
Documents don’t walk out of the office on their own. Having strict rules about who can
physically access your offices and how they gain entry can decrease the likelihood that
an unauthorized individual is present to steal information. The next step is to ensure
that your policy documents how physical information is stored and destroyed.

Data Classification and Retention


Lessen your liability by classifying exactly what type of data you need and how long
you need it. A breach is bad enough, what’s worse is if data is stolen that you didn’t
need to keep or shouldn’t have had to begin with. In the case of TJX (“PCI DSS
auditors see lessons in TJX data breach” TechTarget March 1, 2007), many of the
credit card numbers affected had no business purpose in being kept.

Password Requirements and Guidelines
Your employees dread having another password to remember. The more complicated
the requirements you make to ensure security, the more they decide to write them
down and expose them to others. Establish a strong password policy but stay within
reason for your employees. Sometimes, a little additional training as to why the policy
is the way it is can be all you need to gain acceptance.

Wireless Networking
There is no doubt that the implementation of wireless networks has saved many
organizations both time and money in comparison with traditional cabling. As you
decide what type of network connectivity to adopt, understand that with increased
flexibility allowed by wireless, a stronger encryption standard is required to ensure
there is no abuse.

Employee Awareness Training


How well informed are your employees to identify or prevent a security incident? Each
and every one of your employees can act as a member of your own security army with
some simple training. The first step in recruiting them for the cause is to set the
expectations appropriately and communicate those expectations in your policy.

Incident Response
Hands down, the worst time to create an incident response program is when you are
actually having an incident. You can’t undo what has happened and you’re in crisis
mode dealing with the after effects of the breach.
Not the time to be putting policy to paper.

Your reputation is severely at risk, and if you respond inadequately you risk making it
worse with law enforcement as well as your customers. Act as if a breach is inevitable
and take the time to develop the language and procedures you will use in the event of
an incident to ensure you’re prepared when the time comes.

Annual Updates and Reporting


Don’t let all your hard work go to waste. The worst thing to do after investing time and
resources into your information security program is to allow it to sit on the shelf and
become obsolete. Threats and risks are changing daily and it is imperative that your
policies stay up to date. Requiring an annual review, with results reported to the
Board of Directors and senior management, will help to ensure that your program
remains current and can handle any future incidents.

Feel free to use this list in either building your program or as a checklist to determine
your current status. Additionally, other good resources include the National Institute
of Standards and Technology and the SANS Institute. The most successful policy will
be one that blends in with the culture of your organization rather than just existing to
fill a regulatory requirement. In doing so, you increase the security posture of your
organization with as little effort as possible and help ensure you don’t become another
statistic in the evening news.
10 Essential Cybersecurity Best Practices

It is important to take a layered approach with your organization’s security. These ten
cybersecurity best practices are items you may not have considered, but definitely
should.
1. Implement a Formal IS Governance Approach

Establishing and maintaining an information security framework is a great place to
start. This framework is more important than every shiny tool in your security stack,
as it should align your assurance strategies and support the business.
When selecting one of these methods, ensure your program provides the ability to
employ a risk-based approach and enables your teams to detect incidents, investigate
effectively, and respond quickly.
2. Stop Data Loss
Most enterprises rely on employee trust, but that won’t stop data from leaving the
company. The truth is, users steal data. A recent survey of more than 1,500 security
professionals found that data exfiltration from an endpoint is the top security concern
of 43% of them. Now, more than ever, it is extremely important to control
access, monitor vendors and contractors as well as employees, and know what your
users are doing with company data to reduce data leakage.

3. Detect Insider Threat


It’s true that employees are your biggest assets, but they can also be your biggest risk.
While well-trained users can be your security front line, you still need technology as
your last line of defense. Monitoring user activity allows you to detect unauthorized
behavior and verify user actions are not violating security policy. Insider threats may
go undetected, but the fact of the matter is insider breaches are extremely costly.

4. Back Up Data
Backing up your files may seem like common sense, but any organization that has
been hit with ransomware – such as Petya or WannaCry – will tell you how important it
is to ensure this best practice. It is crucial for organizations to have a full working
backup of all data, not only from a basic security hygiene perspective, but also to
combat emerging attacks.

5. Beware of Social Engineering


The technology and IT security policies you implement don’t replace the need for
common sense or eliminate human error. Social engineering tactics have been used
successfully for decades to gain login information and access to encrypted files.
Attempts may come from phone, email or other communications with your users. The
best defense is to…

6. Educate and Train Your Users


No matter how gifted, your users will always be your weakest link when it comes to
information security. That doesn’t mean you can’t limit the risk through regularly
educating your users on cybersecurity best practices. Training should include how
to: recognize a phishing email, create and maintain strong passwords, avoid
dangerous applications, ensure valuable information is not taken out of the company
in addition to other relevant user security risks.

In these sessions, it may feel like you are putting your people to sleep or it might be
going in one ear and out the other, but training your people on proper cyber security
hygiene is critically important. Finding creative techniques to make the training stick
will go a long way.

7. Outline Clear Use Policies for New Employees and 3rd Parties

To strengthen and clarify the education for cybersecurity best practices you give your
users, you should clearly outline the requirements and expectations your company
has in regards to IT security when you first hire them. Make sure employment
contracts and SLAs have sections that clearly define these security requirements.

8. Update Software and Systems

With cyber-criminals constantly inventing new techniques and looking for new
vulnerabilities, an optimized security network is only optimized for so long. As
recently as a couple of months ago, organizations fell victim to a major breach with
the Heartbleed vulnerability. To keep your network protected, make sure your software
and hardware security is up to date with the latest and greatest.

9. Create an Incident Response Playbook

No matter how well you follow these best practices, you still may get breached. In fact,
nearly half of organizations suffered a security incident in the past year. If you do,
having a response plan laid out ahead of time will allow you to close any
vulnerabilities, limit the damage of a breach, and allow you to remediate effectively.

10. Maintain Compliance

Hopefully these best practices are a useful guideline for keeping your business safe,
but you do have another set of guidelines available to you. Regulations like HIPAA, PCI
DSS and ISO offer standards for how your business should conduct its security. More
than a hassle you need to prepare audit logs for, compliance can help guide
your business.

Final Thoughts
There are countless cybersecurity best practices and strategies that should be
considered, and these are just a few of the ones that we think are most important. Are
there any essential best practices that we missed? Feel free to reach out to us directly
on Twitter @ObserveIT to share your thoughts and exchange insights.

Physical Access to Premises:

Biometric access

Physical access control