The interconnectedness of our increasingly electronic economy poses business and security risks that together mandate new consciousness for responsible computing, asserts the Cutter Consortium Business Technology Council.
The group suggests companies consider the following actions as part of a responsible computing strategy:
1. Establish strong identity management for access to the network. The best identity management includes three things: 1) something you know (passwords), 2) something you have (smart cards), and 3) something you are (biometrics). At a minimum, you should require at least two of these things.
2. Password management and administration must be strictly controlled. Outsource this to a foreign country or an outside entity at your peril.
3. Manage security patching aggressively. Strive for a process that allows all desktops to be patched in two days or less.
4. Divide your network into subnets with firewalls in between. Carefully control traffic through the firewalls.
5. Don't rely on firewalls as the primary protection. They are necessary but insufficient as a means of protecting your company.
6. Manage all outbound traffic as aggressively as you manage all inbound traffic.
7. Conduct regular network vulnerability assessments with appropriate security companies.
8. Eliminate modems.
9. Secure all wireless networks.
10. Deploy intrusion-protection devices and methods.
11. Deploy thin-client devices wherever possible; they aren't vulnerable to infections.
12. Carefully manage all interfaces between your company and others. Protect yourself and your partners. Every contract should specify mutual security practices. Allow no connections to companies with sloppy security practices.
13. Inspect the software development practices of software vendors to determine their methods to control the insertion of back doors in their products. Require the disclosure of all known back doors.
14. Develop a comprehensive, responsible computing policy and communicate this policy to every employee. Develop methods to enforce the policy.
15. Regularly review security scenarios and establish an emergency response plan.
This article was originally published by Cutter Consortium, www.cutter.com. Copyright 2005 Cutter Consortium. All rights reserved. Reproduced with permission.
Proactive Security
Stories in this report:
- Proactive Security
- Security on the Offensive
- Baked-In Security
- Intrusion-Prevention Systems: Erecting barriers
- Supersmart Security
- Secure the People
- Security Quiz
- Security Data Points
- Making Security Everyone's Business
- 15 Tips for Responsible Computing
- How to Plan for a Possible Network Attack
- Book Excerpt: Exploiting Software
- Q&A: Quality Software Means More Secure Software
- No Agreement on Oath Authentication
- Freebie Security Scanners