A few months ago I was casually discussing roles of IT personnel with a law enforcement professional. This discussion was rather short as we were only briefly going over the scope of duties. However, the discussion got me thinking about how much security is integrated (at least should be) with of IT support staff.
Yes, everyone's job is security but IT needs to make sure security controls are working properly. The emphasis is being more proactive than reactionary. These goals best represent the department, and overall, the organization or agency.
In coordination with other departments, all IT support staff protect information and systems that store this information from compromise by performing the following:
- Know where information is stored, copied, transmitted, and printed.
- Know the planned end of life for information and information systems.
- Protect information by taking appropriate preventative measures and corrective actions to protect information at rest in the data center, in transit through networks or media, and at the end of life.
- Properly protect information systems from viruses, worms, Trojan horses, and other malicious code.
- Install and update antivirus.
- Scan any outside owned external media for malware.
- Be knowledgeable of required technical requirements and policies.
- Take appropriate action to ensure maximum uptime and availability of information. Perform backups and restores using approved best practices.
- Perform data backups and take appropriate measures to protect critical information.
- Ensure only authorized personnel transport off-site backups that are removed from the data center.
- Ensure any electronic media released is properly sanitized or destroyed.
- Use effective configuration management. Allow for timely application of system patches.
- Identify applications, services, and information systems containing software or components affected by recently announced software flaws and potential vulnerabilities resulting from those flaws.
- Employ access control measures.
- Address least privilege and separation of duties.
- Enable event logging of:
- Successful and unsuccessful system log-on attempts.
- Successful and unsuccessful attempts to access, create, write, delete or change permission on a user account, file, directory or other system resources.
- Successful and unsuccessful attempts to change account passwords.
- Successful and unsuccessful actions by privileged accounts.
- Successful and unsuccessful attempts for users to access, modify, or destroy the audit log file.
- Prevent authorized users from utilizing publicly accessible computers.
- Publicly accessible computers include but are not limited to hotel business center computers, convention center computers, public library computers, public kiosk computers, etc.
- Engage in effective account management.
- Ensure that all user IDs belong to currently authorized users.
- Keep login access current, updated, and monitored. Remove or disable terminated, transferred, or associated accounts.
- Authenticate verified users as uniquely identified.
- Prevent multiple concurrent active sessions for one user identification, unless authority is granted based upon operational business needs.
- Prevent usage of shared generic or default administrative user accounts or passwords for any device.
- Use strong password management.
- Follow secure password creation guidelines.
- Follow authorized standard of password rotation.
- Refrain from transmitting in the clear outside of the secure location.
- Obfuscate password display when entering.
- Ensure passwords are only reset for an authorized user.
- Utilize network infrastructure protection measures.
- Take action to protect data from unauthorized public access.
- Control access and monitor boundary protection firewalls. Update configurations and patch firmware as needed.
- Enable and update personal firewall on mobile devices as needed.
- Ensure protected or confidential electronic data is only transmitted on secure network channels using encryption and advanced authentication when leaving data center. No protected or confidential data should ever be transmitted in clear text.
- Ensure any media that is removed from the data center is encrypted in transit by a person or network.
- Refrain from using default accounts on network equipment that pass information like switches, routers, firewalls, etc.
- Communicate and keep appropriate personnel informed of all scheduled and unscheduled network that may involve system downtime.
- Appropriately communicate all security incidents and general misuse.
This was a very basic and high-level list for protecting critical data. Your list will certainly vary depending on needs and equipment.
What would you change or add to the list?