Security Resolutions for 2010

What the Information Security manager should aim for

 


– I will identify & locate my critical data
– I will make sure that critical data is not placed in insecure locations, e.g. a pen drive or a PC with no password
– I will have a relevant set of policies and procedures in place
– I will see that my password policy is implemented across all my applications
– I will ensure that users are not given administrative rights to their PCs
– I will have a good asset & license management system so that I
      a) know what I have
      b) can comply with licensing requirements
      c) can deploy my assets based on need and priority
– I will make sure that I have a comprehensive anti-virus solution that
      a) is installed on all nodes
      b) is set to run scans regularly
      c) has the latest virus definitions on all nodes
– I will ensure that I have a good patch management solution in place
– I will evaluate my backup process and ensure that all critical data is backed up and is retrievable
– I will audit all administrative access and make sure that
      a) it is given only to those who require it
      b) administrators do not have access to systems where they are not administrators
      c) administrative activities are logged and the admins cannot change these logs
      d) I have a monitoring system that flags unusual administrative activities
– I will ensure that all unnecessary ports are closed, especially on external-facing systems
– I will ensure that default passwords are not used on any of my network devices
– I will have an effective change monitoring system in place for
      – configurations
      – new software installations
      – new asset installation
      – access rights modification, especially when admin rights are given
– I will carry out a vulnerability assessment and penetration testing exercise on all my critical systems and on those that face the outside world

 

and the most difficult one…

 

– I will try to bring in a culture of security into the organisation