Notification What good is a security policy if no one knows about it? Give users a copy of the security policy when you give them their usernames and passwords. Computers should also display a shortened version of the policy when a user attempts to connect; for example, “Unauthorized access is prohibited and will be prosecuted to the fullest extent of the law.” One hacker argued that since a computer did not tell him otherwise, anyone was free to connect to and use the system.
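As an added example (not part of the original text), the following POSIX shell script installs the shortened notice from the Notification item as a pre-authentication banner for local consoles and OpenSSH logins; the file paths, the function names and the assumption of an OpenSSH server are mine, not the page's.

```shell
#!/bin/sh
# Added example: make the policy notice appear when a user attempts to
# connect, before any credentials are entered.
# Assumptions: OpenSSH server (sshd_config "Banner" directive) and write
# access to the target files; paths are passed in so they can be tested.

BANNER_TEXT='Unauthorized access is prohibited and will be prosecuted to the fullest extent of the law.'

# write_banner FILE: write the short policy notice to FILE
# (/etc/issue for local consoles, /etc/issue.net for remote logins).
write_banner() {
    printf '%s\n' "$BANNER_TEXT" > "$1"
}

# ensure_sshd_banner CONFIG BANNER_FILE: make sshd show BANNER_FILE before
# authentication. Replaces an existing (even commented-out) Banner line so
# the edit is idempotent; appends one only if none is present.
ensure_sshd_banner() {
    config=$1; banner=$2
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$config"; then
        sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*Banner[[:space:]].*|Banner $banner|" "$config"
    else
        printf 'Banner %s\n' "$banner" >> "$config"
    fi
}

# active_banner CONFIG: print the banner file sshd will use (sshd takes the
# first matching directive), or "none" if no banner is configured.
# Caveat: /etc/motd is shown only after a successful login, so it does not
# satisfy the "when a user attempts to connect" requirement.
active_banner() {
    awk 'tolower($1)=="banner" {print $2; f=1; exit} END {if (!f) print "none"}' "$1"
}
```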
Background Checks Do background checks on all network support staff. This may include calling their previous employers, verifying their college degrees, requiring a drug test, and checking for any criminal background.
Equipment Access Disable all unused network ports so that nonemployees who happen to be in the building cannot connect a laptop to an unused port and gain access to the network. Also, place all network equipment under lock and key.
Wiring Network wires should not run along the floor where they can be easily accessed. Routers, switches, and concentrators should also not be hooked up in open office space. They should be in locked closets or rooms, with access to those rooms controlled by badge-swiping systems.
Door Locks/Swipe Mechanisms Be sure that only a few key people know the combination to the cipher lock on data center doors, or that only the appropriate people have badges that will allow access to the data center. Change lock combinations often, and never leave server room doors open or unlocked.
Accounts Each user should have their own, unique user account, and employees should not share user accounts. Even temporary employees should have their own account. Otherwise, you will not be able to isolate a security breach.
Badges Require everyone to wear an ID badge, including contractors and visitors, and assign appropriate access levels to contractors, visitors, and employees.
Tracking Require badge access to all entrances to buildings and internal computer rooms. Track and record all entry and exit to these rooms.
Passwords Reset passwords at least every month. Train everyone on how to create strong passwords. Set BIOS passwords on every client and server computer to prevent BIOS changes.
Monitor Viewing Block computer monitors so that visitors or people looking through windows can’t see them. Be sure that unauthorized users/persons cannot see security guard stations and server monitors.
Cameras Cameras should cover all entrances to the building and the entire parking lot. Be sure that cameras are in weather-proof and tamper-proof housings, and review the output at a security monitoring office. Record everything on extended-length tape recorders.
Mail Servers Provide each person with their own e-mail mailbox, and attach an individual network account to each mailbox. If several people need to access a mailbox, do not give all of them the password to a single network account. Assign privileges to each person’s network account. You can then track activity to a single person, even with a generic address such as
DMZ Use a demilitarized zone for all publicly viewable servers, including web servers, FTP servers, and e-mail relay servers. Do not put them outside the firewall. Servers outside the firewall defeat the purpose of the firewall.
Mail Relay Use a mail-relay server for e-mail. E-mail traffic should not go straight to your production servers. That would enable a hacker to directly access your server as well. Use a relay server in a DMZ.
Patches Make sure that the latest security updates are installed after being properly tested on a nonproduction computer.
Backups Store backup tape cartridges securely, not on a shelf or table within reach of someone working at the server. Lock tapes in a waterproof, fireproof safe, and keep at least some of your backups off site.
Modems Do not allow desktop modems for any reason. They allow users to get to the Internet without your knowledge. Restrict modem access to approved server-based modem pools.