- We started with network protection, focusing on the networks and gateways. We installed a software package that focused on the protection of the network access points.
- We installed desktop protection at individual workstations. The package we chose guarded remote and mobile corporate desktops against unauthorised access and a broad array of threats by combining intrusion detection and response with firewall capabilities.
- We installed a server logging system. We already had one, but it was geared toward the tech support guys, and it wasn't user friendly for managers. We installed a third-party software package that generated a report with which I could view the access to our server. It even gave me a transaction log for a specific period by individual account. It allowed me to review the log for signs of unusual activity or high transaction activity that could point to problems.
- Managers attended a training class given by the security consultant, who explained what had been installed and why.
- We didn't do a vulnerability assessment. This would require an outside consultant to evaluate our server, our Internet use, and our database use for a few weeks. The information from this would be used to give us the ultimate in protection. We passed on this because of the cost.
- We didn't hire someone to remotely monitor our systems periodically for security problems. We decided not to implement this based on our success with the other procedures we implemented.
- Don't have anything on your computer you don't want management to see.
- Don't download anything that isn't 100 percent work-related.
- Make sure the latest virus-check software is on your machine.
- Don't load or bring in software from home to load.
- Let everyone know that you or someone you assigned is going to drop by and check the computer occasionally to see what has been loaded.
- Managers should mention security problems at least monthly during meetings. (When I did this in a later staff meeting, a staff member remembered she didn't have virus software on her machine at home, which was the same machine that she used to access our system when she dialed in.)
- Ensure backups are made of critical machines and that those backups can be read by another computer.
- No one should be on a computer but the employee.
- A 90-day password change policy is in effect. Management has the option to do a password change if needed. The new password can't be within three positions of the previous password. Passwords cannot be reused. For example: The password my1son can't be changed to my2son.
- Never open e-mail from people you don't know.
- Never play or load games on office computers.
- If someone is terminated, take his or her computer passwords away immediately.
Have your say instantly in the Tech Update forum.
Find out what's where in the new Tech Update with our Guided Tour.
Let the editors know what you think in the Mailroom.
