Chris,

That's a very nice list indeed! I too am saving it for reference. My company also had no information security program to speak of when I started here last year, so we're both pretty much in similar situations.

One area I didn't see you mention too much, although you did allude to it when you mentioned item #25, but what about your security policies (particularly acceptable use)? Is that also in your realm, or is that left to HR? I got my acceptable use policy approved in the Spring of this year, and while it still needs some updating, it's better than nothing. Our next step is to institute a strong sanction and enforcement policy for IT security breaches; otherwise, policies are pointless.

Anyway, just some thoughts.

Kenneth W. Kubiak, Information Security Officer
Information Technology Department
Buffalo Hearing and Speech Center
50 E. North Street . Buffalo . New York . 14203-1002
[EMAIL PROTECTED]
(716) 885-8318 x284
http://www.bflohearspeech.org

-----Original Message-----
From: Chris Berry [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 4:05 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Defense plan

>That's quite a list of improvements. I am actually saving it as a
>reference.

I've done quite a bit of it already, but there is always room for improvement. Would you believe that everyone had the same password when I got here? Speaking of passwords, I forgot to add:

25) Require passwords meet complexity rules, and be changed on a regular basis.

>What about physical server security, backups, backup tape storage and
>access? Don't know if these are even an issue, but I figured I'd drop
>them in just in case.

I have considered physical security, but I forgot to add it to my list, good point. I have a backup plan, and while I consider backups very important, I didn't really think they were part of my security setup, other than as part of the physical security issue, and virus scanning. So to sum up:

26) Ensure physical security prevents unauthorized access.

Oh, and I've been removing the CD-ROM and disk drives from the workstations to help prevent software installation. I guess that's:

27) Remove external input devices such as CD-ROMs and disk drives where possible.

Chris Berry
[EMAIL PROTECTED]
Systems Administrator
JM Associates
"I have found the way, and the way is Perl."
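Item 25 in the thread (complexity rules plus regular password changes) is the one list entry that maps directly onto an automatable check. The following is an added example, not code from the thread or from either company: a small policy checker that a sysadmin could run at password-change time and as a periodic audit of password age. The thresholds (12 characters, three of four character classes, 90-day maximum age, no run of three identical characters) and the sample account records are assumptions constructed for illustration; the thread itself states no numbers.

```python
"""Password policy checker (added example, not from the original thread).

Models list item 25: complexity rules plus a maximum password age.
All thresholds below are assumed values chosen for illustration.
"""
from datetime import date
import re

# Assumed policy parameters (not taken from the thread).
MIN_LENGTH = 12
MIN_CLASSES = 3          # out of: lowercase, uppercase, digit, symbol
MAX_AGE_DAYS = 90
MAX_REPEAT_RUN = 3       # "aaaa" or "1111" is rejected


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def complexity_violations(password: str, username: str) -> list:
    """Return human-readable rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # (.)\1{n,} matches one character followed by n more copies of itself.
    if re.search(r"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1), password):
        problems.append(f"contains a run of {MAX_REPEAT_RUN}+ identical characters")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the policy allows."""
    return (today - last_changed).days > MAX_AGE_DAYS


def audit(accounts: list, today: date) -> dict:
    """Return {username: [issues]} for every account with at least one issue.

    The complexity check is meant to run when a password is set; the age
    check is what a periodic audit would run against the directory's
    last-changed timestamps.
    """
    report = {}
    for acct in accounts:
        issues = complexity_violations(acct["password"], acct["username"])
        if password_expired(acct["last_changed"], today):
            issues.append(f"older than {MAX_AGE_DAYS} days")
        if issues:
            report[acct["username"]] = issues
    return report


# Constructed sample records (hypothetical accounts, not real credentials).
TODAY = date(2002, 9, 18)
SAMPLE_ACCOUNTS = [
    # complex enough, but not changed for 246 days
    {"username": "cberry", "password": "Welcome123!!",
     "last_changed": date(2002, 1, 15)},
    # the "everyone has the same password" case: short, one class
    {"username": "kkubiak", "password": "password",
     "last_changed": date(2002, 9, 1)},
    # recent, but embeds the username and a repeated run
    {"username": "admin", "password": "Admin-2002-aaaa",
     "last_changed": date(2002, 9, 1)},
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {'; '.join(issues)}")
```

The complexity rules are enforced where the password is chosen, so the checker never needs stored plaintext; the age audit only needs each account's last-changed date, which the directory already records.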