Large organizations have a number of options when it comes to creating and enforcing security policies. In many cases, large companies will outsource this task and take advantage of templates and procedures that have been highly codified by a company specialized in creating security policies and enabling you to keep track of policy compliance. Smaller companies don't have this option because of the large capital expenditures required to contract with these large service providers.
However, there is a collection of security policies that any Microsoft shop can put in place that will help improve the overall security posture of any small or medium-sized business. For example, consider the following:
- Make sure that employees keep their Windows operating system, Office, and other business applications up to date with the latest security updates. Enabling Microsoft Update will automatically make sure that Microsoft applications are updated.
- Require strong passwords (those that contain numbers, letters, and special characters), but don't require that employees change them every two weeks: 45 to 90 days is a standard range. You can use the Windows Server 2008 password policies to ensure that passwords are complex and are changed on a regular basis.
- Make sure your policies are based on the concept of least privilege. Least privilege means that users and even administrators have access to resources they need to get their jobs done, and nothing more.
- Make sure that your policies include clear statements on the consequences of non-compliance, and confirm that upper management and legal support these statements. There's no surer way to see security policies fail than not backing them up with punitive action when they're violated.
- Security requirements will continuously change. Make sure that you schedule a regular review of your security policies, such as twice a year, and update your policy documents as required. During this review you may decide that you need to invest in additional security-related software or hardware. Include budget considerations during these review periods.
- Different jobs require different levels of access. Make sure that when employees change positions within the company, their access is governed by their current position, not by positions they previously held. You can leverage Active Directory Security Groups to accomplish this goal.
- Make sure to deprovision user accounts before a user leaves the company. This helps ensure that a disgruntled former employee isn't able to leverage his credentials to change, delete or copy data from corporate servers.
- Insider attacks are the most common and harmful attacks seen on networks today. Often these attacks aren't malicious, but are due to users having access to information they should not have, or due to inadequate access controls placed on file, Web and database servers. Make sure you conduct a comprehensive review of where your data is stored and who has access to that data, and remove access from users who clearly do not need it in order to do their jobs.
- Many users will need access to data while out of the office. Make sure you deploy a remote access solution, such as ISA Server 2006 or the Intelligent Application Gateway 2007, to provide a secure remote access solution that enables least privilege connections for roving users.
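The deprovisioning and role-change items above can be scripted so they happen the same way every time. The following is an added example, not code from the article: it disables a departing user's account, records and then strips the user's group memberships (so access from a former role does not linger), and parks the object in a holding OU. It assumes the Active Directory PowerShell module (shipped with Windows Server 2008 R2 and later) and an OU named "Disabled Accounts"; both the module and the OU path are assumptions, not something the article specifies.

```powershell
# Added example, not part of the original article.
# Assumes the ActiveDirectory module and an existing "Disabled Accounts" OU.
Import-Module ActiveDirectory

function Invoke-UserDeprovision {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        # Assumed OU path; change to match your domain.
        [string]$DisabledOu = 'OU=Disabled Accounts,DC=example,DC=com',
        [string]$LogPath    = "$env:TEMP\deprovision.log"
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup

    # Record every non-primary group before removing it, so the access the
    # user held can be reviewed later (and restored if the leaver returns).
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }
    $names = ($groups | ForEach-Object { $_.Name }) -join ', '
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'
    "$stamp $SamAccountName groups: $names" | Add-Content -Path $LogPath

    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account and strip group access')) {
        # 1. Block logon first so the credentials stop working immediately.
        Disable-ADAccount -Identity $user

        # 2. Remove the old role's groups; the primary group cannot be removed
        #    and is skipped above.
        foreach ($g in $groups) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        }

        # 3. Leave an audit trail on the object and move it out of its OU so
        #    no OU-linked policy or delegated permission still applies to it.
        Set-ADUser -Identity $user -Description "Deprovisioned $stamp (see $LogPath)"
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
    }
}

# Dry run first (nothing is changed), then the real run:
# Invoke-UserDeprovision -SamAccountName jdoe -WhatIf
# Invoke-UserDeprovision -SamAccountName jdoe
```

The same membership log is useful for the role-change case: compare a user's current groups against what the new position requires and remove the rest, rather than letting memberships accumulate across jobs.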
By employing just this small group of policies, you'll find that you have significantly increased the overall security posture of your organization and reduced the risk of data destruction, compromise and loss.
Thomas W Shinder, M.D.
MVP - Microsoft Firewalls (ISA)