The following are ideas shared at the Texas CTO 2012 Winter Meeting. The focus of the roundtable discussion was:
Low or No Cost Options for Improving Network/Information Security
What ideas would you add?
- Educate users about security and why it’s important.
- If you need a note to remember a password, use a hint instead of the password itself.
- No post it notes with passwords!
- Set minimum password policies and educate users about them.
- Substitute numbers for letters.
- Use pass phrases or short sentences as an easier-to-remember way to meet complexity rules.
- Prevent booting up from USB or external/removable media.
- Exchange ActiveSync can enforce a passcode on a mobile device and wipe data if needed (e.g. in case of loss or theft).
- Auto-anchor Mobility is a feature included in many current network vendors' operating systems that tunnels wireless client traffic securely; it is useful for BYOD and personal devices.
- Physical access control (proximity cards)
- Identity Management and single (or synced) sign on (e.g. Identity Automation)
- Data Loss Prevention (e.g. Websense)
- Disable/turn-off outside wireless access points during non-school hours
- Physical security for data centers and NOCs with security cameras for monitoring access
- Encrypt data on portable devices.
- Network access control
- Enforce BIOS passwords.
- Limit physical access to USB ports (e.g. to prevent hardware keyloggers from being attached).
- Deny all executable files from external media like USB.
- Use SSL inspection of web traffic to look for malware downloads.
- Notify IT automatically when employees retire, are terminated, or move, so their system access is removed upon exit from the District.
- Consider how cloud technologies impact or dictate local policy.
- Consider digital brokering of data, and syncing data with single sign-on.
- Recognize that IT roles are changing, e.g. network administrators becoming data administrators and engineers.
- Design infrastructure such that wireless authentication capabilities are extended similarly to the wired network.
- Consider a one-time or periodic audit, such as that offered by Verizon.
- Put policies around network and information security in place.
- Apply wireless security measures where BYOD is being used in classes (coordinate with instructional team).
- Vericept helps report on data loss.
- Dionynx provides 24x7 monitoring of key systems.
- Network security audit: Verizon and IBM are two providers.
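Several of the items above concern a minimum password policy and the use of pass phrases as an easier way to satisfy complexity rules. The following is an added example, not code from the meeting or from Miguel Guhlin, showing one way such a policy check can be written: a short password must meet a character-class rule, while a long pass phrase is accepted on length alone. The thresholds (8 characters, 16 characters for a pass phrase, 3 of 4 character classes) and the tiny common-password list are constructed assumptions for illustration.

```python
"""Password policy check: minimum length plus character-class complexity,
with a longer pass phrase accepted as an easier-to-remember alternative.
Added example; thresholds and the common-password sample are assumptions."""
import re

MIN_LENGTH = 8              # assumed minimum length for complexity-style passwords
PASSPHRASE_MIN_LENGTH = 16  # assumed length at which a pass phrase is accepted on length alone
MIN_CHAR_CLASSES = 3        # assumed: at least 3 of lower/upper/digit/symbol

# Constructed sample; a real deployment would load a published breach list
# with many thousands of entries instead of this handful.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

CHAR_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Return the set of character-class names present in the password."""
    return {name for name, rx in CHAR_CLASSES.items() if rx.search(password)}


def check_password(password, username=""):
    """Return a list of policy violations; an empty list means the password is accepted.

    A pass phrase at or above PASSPHRASE_MIN_LENGTH skips the character-class
    rule, but the username and common-password checks always apply.
    """
    problems = []
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(password) >= PASSPHRASE_MIN_LENGTH:
        return problems  # long pass phrase: length alone satisfies the complexity rule
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} of 4 character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs paired with a hypothetical username.
    samples = [
        ("Tr0ub4dor&3", "jsmith"),
        ("correct horse battery staple", "jsmith"),
        ("password", "jsmith"),
        ("jsmith12", "jsmith"),
        ("Ab1!", "jsmith"),
    ]
    for pw, user in samples:
        result = check_password(pw, user)
        print(f"{pw!r}: {'accepted' if not result else '; '.join(result)}")
```

The check returns every violation rather than stopping at the first one, so the messages can be shown to the user together, which supports the "educate users about the policy" item: a rejected password tells the user exactly which rule it missed.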
Increasing IT Staff Expertise/Utilization:
- Problem: long-term employees tend to become comfortable in their jobs and stagnate. It can be rough to get rid of problem employees.
- Possible solutions:
  - Require certification/continuing education.
  - Cross-train employees to span pockets of expertise.
  - Document critical systems.
  - Stress the importance of self-improvement.
  - Make them competitive with one another.
  - Create an ethics document and have all staff members sign it.
  - Show them the big picture and how they fit into it.
  - Have the entire IT department attend confidentiality training for online testing.
Everything posted on Miguel Guhlin's blogs/wikis is his personal opinion and does not necessarily represent the views of his employer(s) or its clients.