The parameters of recent U.S. privacy regulations have mirrored regulations developed in the European Union. Some may say that the EU originally gained their inspiration by early U.S. government action on privacy; however, the concept here is an effort has been made to standardize privacy and security regulations across the globe. Therefore, there's a strong likelihood that the eventual security rulings will mimic the EU and global guidelines as well. This ruling will likely require that organizations take the following proactive steps to avert confrontation with any regulatory issues:
Perform a security assessment of the office network.
Install a host-based firewall on all Internet-connected systems.
Install antivirus software (AVS) on all computers and regularly update the signature database.
Secure configuration settings for all computers in your network, including the following settings:
Strong password policy with unique passwords for all users
Auditing of a basic set of transactions
Password-protected screen savers
Regularly back up all client/customer data and securely store the backup disks.
The following sections discuss each of these steps individually.
A security assessment should be performed that will identify the greatest needs for the organization with respect to security risks as well as available resources (manpower and budget). This should come complete with recommended countermeasures and a roadmap to their implementation. Having this assessment in hand will certainly help you to respond quickly if pushed by regulators (and hopefully sooner).
Host-based firewalls are often overlooked but can be a very valuable asset to an overall network security posture. This can be thought of as a "last line" of securitybefore connections reach the destination (target) host, there is one last barrier that they must cross. These firewalls are software programs that reside on the host itself and can monitor incoming and outgoing connections. They can be programmed to accept or reject connections based on the connection's source and destination address and/or port or the service invoked. The firewall can also prompt the user to accept or reject the connection when a connection attempt is made.
These tools don't have to be expensive; in fact, there are quite effective, freely available tools in this category.
Antivirus software may be the first security tool of the digital age to enjoy widespread usage. Still, too many hosts connected to the Internet don't deploy an AVS solution, especially among the small business community, and far too many users don't keep their AVS current.
As the primary means of detecting and protecting against harmful computer viruses, an antivirus product is essential for any host connected to the Internet, along with an automated process for updating the signatures so that updates don't require human intervention. Being human, we're likely to forget to install the updates.
As the deployment of antivirus software has become widespread, the cost of these solutions has declined, and it's simply becoming a necessary expense.
One of the primary vulnerabilities that allow hackers to compromise and then penetrate deeper into a network is insecure configuration of host machines and other networking devises, such as firewalls and routers. In fact, in their list of the top 20 Internet security vulnerabilities, the SANS Institute includes numerous misconfigurations or insecure configurations that have led to network compromise, such as weak passwords, susceptibility to null sessions, default installations, default SNMP strings, and (unnecessary) open ports.
A free software tool is available on the Center for Internet Security web site to scan hosts for the top 20 vulnerabilities. In addition, there are numerous commercially available tools that can scan machines for a host of vulnerabilities. It's a good idea to acquire a vulnerability scanner, whether Open Source or commercial, to periodically assess the configuration of the computers that comprise your network.
Backing Up the Data
As anyone knows who has been using IT for any length of time, computers crash and sometimes take all their data with them. Therefore, it's important to have a reliable backup system even before we discuss the threat of data loss or corruption due to a hacker attack or natural disaster.
Data should be backed up either to tape or a backup server periodically. The frequency of the backup depends on the quantity and criticality of transactions. Nightly backups are recommended; however, weekly backups may be sufficient in certain situation.
One thing to remember is that backup data really should have the same level of protection as the primary data. This doesn't necessarily mean that you need to have secure offsite storage; a locked cabinet may suffice if only select staff can access it.