IT security begins with a plan and a checklist. The list provided in this article outlines steps that should be taken as part of a comprehensive approach.
Network Inventory
- Document IP-based assets
- Create a network diagram
- Create a list of all applications used within the company
Security
- Create user account policies
- In Group Policy, enable complex passwords, account lockout, password expiration, and auditing
- Require unique logon IDs
- Require multi-factor authentication for all cloud-based applications
- Hard drive encryption – use Microsoft BitLocker with TPM to encrypt PC hard drives and external backup drives
- Patch management – enable for servers and PCs (Microsoft and third-party vendors)
- Endpoint protection – purchase antivirus/anti-malware agents for the PCs and servers
- Remote network access – lock down to VPN access only
- Monitoring – perimeter firewall, Active Directory, Windows security event logs
- Consider Intrusion Detection/Intrusion Prevention Systems
- Physical security – install locks on the LAN room and telco closet
Policies
- Employee handbook (as it pertains to IT)
- Acceptable Use Policy section in Employee Handbook
- Employee security awareness training
- IT Security Policy and Procedures
- Vendor management
- Risk Assessment and Gap Analysis
- Change control
- Data backup
- Equipment rotation schedule and decommissioning process
Business Continuity and Disaster Recovery Planning
- Business Continuity/Disaster Recovery Plan (keep at least one copy offsite)
- Offsite data backup and server recovery capability
- Second internet circuit configured for automatic failover
- Annual Disaster Recovery testing
- Periodic data backup/recovery testing
Vulnerability Scans and Penetration Testing
- Quarterly testing and remediation report (run authenticated scans with admin rights for the most useful vulnerability findings)
Periodic Review
- Review authenticated users and computers in Active Directory
- Review users with elevated privileges (i.e. admin rights)
- Create an annual IT budget – outline requests for new and replacement technology
- Create a three-year Strategic Plan (also known as an IT roadmap)
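Added example, not part of the original checklist: a read-only PowerShell review that covers the Group Policy password and lockout items under Security and the user, computer and admin-rights reviews under Periodic Review. It assumes the RSAT ActiveDirectory module and an account that can read the domain; the 90-day thresholds and the set of privileged groups are illustrative choices, not a standard.

```powershell
# Added example (not from the original article): read-only Active Directory review.
# Assumes the RSAT ActiveDirectory module and a domain-reader account.
# $StaleDays and $MaxPasswordAgeDays are illustrative thresholds, not policy.
Import-Module ActiveDirectory

$StaleDays          = 90    # assumed cutoff for "not seen recently"
$MaxPasswordAgeDays = 90    # assumed ceiling for the domain MaxPasswordAge
$PrivilegedGroups   = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Cutoff             = (Get-Date).AddDays(-$StaleDays)

# 1. Domain password/lockout policy (the Group Policy items in the checklist)
$pol = Get-ADDefaultDomainPasswordPolicy
$policyFindings = @()
if (-not $pol.ComplexityEnabled) { $policyFindings += 'Password complexity is disabled' }
if ($pol.LockoutThreshold -eq 0) { $policyFindings += 'Account lockout is disabled (threshold 0)' }
if ($pol.MaxPasswordAge.TotalDays -le 0 -or $pol.MaxPasswordAge.TotalDays -gt $MaxPasswordAgeDays) {
    $policyFindings += "MaxPasswordAge is $($pol.MaxPasswordAge.TotalDays) days (0 = never expires)"
}

# 2. Users holding elevated privileges, resolved through nested group membership
$admins = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser $_.SamAccountName -Properties LastLogonDate, PasswordNeverExpires, Enabled
            [pscustomobject]@{
                Group                = $g
                User                 = $u.SamAccountName
                Enabled              = $u.Enabled
                LastLogonDate        = $u.LastLogonDate
                PasswordNeverExpires = $u.PasswordNeverExpires
                Stale                = ($null -eq $u.LastLogonDate) -or ($u.LastLogonDate -lt $Cutoff)
            }
        }
}

# 3. Enabled computer accounts that have not authenticated within the cutoff
$staleComputers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $Cutoff) } |
    Select-Object Name, LastLogonDate

# Report: the items a reviewer should look at first
$policyFindings | ForEach-Object { Write-Output "POLICY: $_" }
$admins | Where-Object { $_.Stale -or $_.PasswordNeverExpires -or -not $_.Enabled } |
    Format-Table Group, User, Enabled, LastLogonDate, PasswordNeverExpires -AutoSize
Write-Output "$(@($staleComputers).Count) enabled computer accounts have no logon since $($Cutoff.ToShortDateString())"
```

Run it from a workstation with RSAT as part of the quarterly review and keep the output with the remediation report; disabling or removing anything it flags is a separate, deliberate change-control step.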