MyNotes - Low or No Cost Options for Improving Network/Information Security

Source: http://goo.gl/8hFai

The following are ideas shared at the Texas CTO 2012 Winter Meeting. The focus of the roundtable discussion was:
Low or No Cost Options for Improving Network/Information Security
What ideas would you add?

MyNotes:

Education:
  1. Educate users about security and why it’s important.
  2. If you need a note to remember a password, use a hint instead of the password itself.
  3. No post it notes with passwords!
Password Conventions:
  1. Set minimum password policies and educate users about them.
  2. Substitute numbers for letters (e.g. "o" → "0", "a" → "@"). These substitutions are the first rules a password-cracking tool tries, so on their own they add little beyond meeting the complexity rule; the pass phrase in the next item is the stronger option.
  3. Use pass phrases or short sentences as an easier to remember way to meet complexity rules.
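The three password items above, as an added example that is not part of the meeting notes: a Python policy check that reverses the usual number-for-letter substitutions before a dictionary lookup (so "P@ssw0rd2012" is judged as "password"), and accepts a pass phrase on length and distinct-word count rather than symbol count. The word list and the substitution table are constructed for the example; a real deployment would load a breached-password or wordlist file instead.

```python
"""Password policy check: undoes the letter-for-number substitutions users
typically make, so a dictionary word in disguise is rejected, and accepts a
pass phrase on length and word count rather than symbol count."""
import math
import re

# Constructed sample of common base words; a real deployment would load a
# breached-password or wordlist file instead of this hypothetical set.
COMMON_WORDS = {
    "password", "welcome", "summer", "winter", "school", "district", "letmein",
    "football", "baseball", "dragon", "monkey", "qwerty", "princess", "sunshine",
}

# The substitutions a password-cracking rule set tries first, mapped back to the
# letter they stand in for (assumed typical set, not from the original page).
LEET_MAP = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
            "0": "o", "$": "s", "5": "s", "7": "t"}

MIN_LENGTH = 8              # minimum for a "complex" password
MIN_PASSPHRASE_LENGTH = 16  # minimum for the pass-phrase path
MIN_PASSPHRASE_WORDS = 3    # distinct words required on that path

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def normalize(password):
    """Reduce 'P@ssw0rd2012!' to 'password': lower-case, strip the digits and
    punctuation users append or prepend, then undo the substitutions."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # trailing "2012!", "1", "#"
    core = re.sub(r"^[^a-z]+", "", core)   # leading "!" or "123"
    return "".join(LEET_MAP.get(ch, ch) for ch in core)


def character_classes(password):
    """Count how many of lower/upper/digit/symbol the password uses."""
    return sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)


def naive_entropy_bits(password):
    """Entropy under the (optimistic) assumption that every character was
    chosen uniformly from the classes present. 'P@ssw0rd' scores ~52 bits
    this way while actually being one dictionary word plus a standard rule."""
    size = 0
    for pattern, n in zip(CLASS_PATTERNS, (26, 26, 10, 33)):
        if re.search(pattern, password):
            size += n
    return len(password) * math.log2(size) if size else 0.0


def check_password(password):
    """Return (accepted, reason) for a candidate password."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH

    base = normalize(password)
    if base in COMMON_WORDS:
        return False, "common word '%s' with substitutions" % base

    # Pass-phrase path: long enough and made of several distinct words; no
    # digit or symbol requirement, which is what makes it easy to remember.
    words = set(re.findall(r"[a-z]+", password.lower()))
    if len(password) >= MIN_PASSPHRASE_LENGTH and len(words) >= MIN_PASSPHRASE_WORDS:
        return True, "pass phrase"

    if character_classes(password) < 3:
        return False, "needs 3 character classes or a pass phrase"
    return True, "complex password"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2012", "Summer2012!", "Tr0ub4dor&3",
                      "correct horse battery staple", "password password password"):
        ok, why = check_password(candidate)
        print("%-30s %-8s %5.1f bits  %s" % (candidate, "accept" if ok else "reject",
                                            naive_entropy_bits(candidate), why))
```

The naive entropy figure is printed only to make the point: "P@ssw0rd" looks like 52 bits of random 95-symbol text, but after normalization it is a single dictionary word, which is exactly how a rule-based cracker treats it. A repeated word ("password password password") is also rejected, since the pass-phrase path requires distinct words.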
Systems:
  1. Prevent booting from USB or other external/removable media (set the boot order in the BIOS/UEFI and lock it with the BIOS password from item 11, otherwise the setting can simply be changed back).
  2. Exchange ActiveSync can enforce a passcode on a mobile device and wipe data if needed (e.g. in case of loss or theft).
  3. Auto-anchor mobility, a feature of many current wireless controller OSs (e.g. Cisco wireless LAN controllers), tunnels the traffic of guest or BYOD wireless devices to an anchor controller, typically in a DMZ, so personal devices never sit on the internal network.
  4. Physical access control (proximity cards)
  5. Identity Management and single (or synced) sign on (e.g. Identity Automation)
  6. Data Loss Prevention (e.g. Websense)
  7. Disable/turn-off outside wireless access points during non-school hours
  8. Physical security for data centers and NOCs with security cameras for monitoring access
  9. Encrypt data on portable devices.
  10. Network access control
  11. Enforce BIOS passwords.
  12. Limit physical access to USB ports (an attacker with port access can plug in a hardware keylogger or boot from removable media).
  13. Deny all executable files from external media like USB.
  14. Use SSL inspection of web traffic to look for malware downloads. This requires installing the inspection proxy's CA certificate on managed devices; devices without it (e.g. BYOD) will see certificate errors on inspected connections, so plan an exemption or a separate network for them.
Processes:
  1. Notify IT automatically when employees retire, are terminated, or transfer, so their accounts are disabled as they leave the District rather than weeks later.
  2. Consider how cloud technologies impact or dictate local policy.
  3. Consider digital brokering of data and syncing data with single sign-on.
  4. Expect IT roles to change, e.g. network administrators moving into data administration and engineering.
  5. Design the infrastructure so that wireless clients authenticate the same way wired clients do (e.g. the same 802.1X/RADIUS setup on both), rather than treating wireless as a lesser network.
  6. Consider a one-time or periodic audit, such as that offered by Verizon.
  7. Put policies around network and information security in place.
  8. Apply wireless security measures where BYOD is being used in classes (coordinate with instructional team).
Security Tools:
  1. Vericept: helps report on data loss
  2. Dionynx provides 24x7 monitoring of key systems.
  3. Network security audit: Verizon, IBM are two providers.
Increasing IT Staff Expertise/Utilization:
  1. Problem: long-term employees tend to become comfortable in their jobs and stagnate. It can be rough to get rid of problem employees.
  2. Possible solutions:
    1. Require certification/continuing education.
    2. Cross-training between employees to span pockets of expertise
    3. Document critical systems.
    4. Stress the importance of self-improvement.
    5. Make them competitive with one another.
    6. Create an ethics document and have all staff members sign it.
    7. Show them the big picture and how they fit into it.
    8. Have the entire IT department attend confidentiality training for online testing.

Everything posted on Miguel Guhlin's blogs/wikis is his personal opinion and does not necessarily represent the views of his employer(s) or their clients.