Our firm has examined a wide variety of clients in a number of different industries. Considering the criticality of many client systems and networks, it is interesting that some companies neglect the basics that help ensure the security of their data. The following tips are by no means inclusive of all of the security precautions your company should be taking, but they are a start.
Ensure the right people have the right access
Employees are constantly turning over and changing roles. It is important to have a process in place so that, as they do, their access remains commensurate with their job responsibilities. New access requests should be approved by an appropriate level of management before access is granted, and access for terminated employees should be removed or disabled in a timely manner. In addition to a process for adding and removing access, it is a good idea to perform periodic access reviews to confirm that access remains appropriate over time; joiner, mover and leaver processes catch individual changes, but only a review catches the access that quietly accumulates between them.
Require and use strong passwords
Systems that authenticate using Microsoft Active Directory should be configured to enforce complex passwords, which is done by setting the password policy in the domain’s group policy object to require complexity. If your application does not authenticate against Active Directory, determine whether it can be configured to require password complexity and, if so, configure it. If you cannot enforce complexity technically, educate users on the importance of choosing complex passwords and changing them periodically. The following are some best practices for password requirements. Passwords should:
- Have a minimum of eight characters
- Contain a mix of lowercase letters, uppercase letters, numbers, and symbols
- Not contain any part of the associated user name
- Be changed every 60–90 days
- Not be the same as any of the user’s previous 10 passwords
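As an added example (not from the original post), the requirements above implemented as a validation routine for an application that cannot rely on Active Directory to enforce them. The user names and history entries are constructed, and the 90-day maximum age is an assumption that takes the upper end of the stated 60–90 day range.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy values from the list above. MAX_AGE_DAYS is an assumption: the upper end of the 60-90 day range.
MIN_LENGTH = 8
HISTORY_DEPTH = 10
MAX_AGE_DAYS = 90

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so the history list never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def new_history_entry(password: str) -> tuple:
    """(salt, hash) pair to append to the user's history after a successful change."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def check_new_password(password: str, username: str, history: list) -> list:
    """Return the rules a proposed password violates; an empty list means it is acceptable.
    history holds the user's previous (salt, hash) entries, oldest first."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
               "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pattern in classes.items() if not re.search(pattern, password)]
    if missing:
        violations.append("missing " + ", ".join(missing))
    # No 3+ character piece of the user name (split on separators) may appear, ignoring case.
    parts = [p for p in re.split(r"[^a-z0-9]+", username.lower()) if len(p) >= 3]
    if any(p in password.lower() for p in parts):
        violations.append("contains part of the user name")
    # Compare against only the most recent HISTORY_DEPTH entries, using a constant-time comparison.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            violations.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
            break
    return violations

def rotation_due(last_changed: datetime, now: datetime) -> bool:
    """True once a password is older than the maximum age and must be changed."""
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)
```

Call `check_new_password` at change time and `rotation_due` at login time; a password that passes the first check still has to be rotated when the second returns true.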
Ensure patching and antivirus levels are up to date
It is important to keep applications and operating systems current on patches and antivirus definitions to help mitigate the risk of known security vulnerabilities. Ensure that your company has a process for periodically scanning applications, operating systems, and hardware to confirm that patch and antivirus levels are up to date. Tools such as Microsoft WSUS (Windows Server Update Services) can be used to manage the distribution of patches to computers, and tools such as McAfee’s ePolicy Orchestrator (ePO) can be used to periodically scan for and update antivirus definitions. Alongside the scanning tools, have a process to follow up on repeated failed update attempts so that the updates are eventually applied successfully; a machine that keeps failing to update is exactly the one that stays exposed.
While these tips are by no means inclusive of all of the security precautions your company should be taking, they are a good start to helping ensure the security of your systems and infrastructure. Don’t get caught neglecting the basics.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.