1. Make an asset list (inventory): a detailed list of all hardware and software owned by the business. Businesses need to take inventory frequently.
2. Make a threats list: unpatched or out-of-date software, Trojans, worms, audit logging not enabled, Windows updates not kept current, no passwords, and unsecured passwords (e.g. an employee's Post-it note taped to the computer or desk with the password written on it).
3. Prioritize assets and vulnerabilities (RISK = Probability x Harm): which assets need to be secured and protected the most? List them in order of importance or value to the business.
4. Is the business implementing NACs (e.g. ACLs)? Watch for ACLs not used or not kept up to date, and no users educated in how to use and monitor ACLs.
5. Is the business implementing IPSs (e.g. firewalls)? Watch for firewalls not turned on or not used, and anti-virus/anti-spyware/anti-malware programs not enabled and updated regularly.
6. Are there audit logs to review and identify attempts to access the network (e.g. audit logs from Event Viewer)? Review past incidents and how to prevent future events.
7. Is the business implementing IAM (Information Assurance Management)? Watch for STIGs (Security Technical Implementation Guides) not being used for the business, not being adhered to, or users not being educated in how to prevent data breaches.
8. Are there back-up policies? (e.g. no back-ups being done, back-ups not done often enough, back-ups not placed in a secure area, or only one tape used and the tape gets corrupted or lost.) Back up your back-ups!
9. Are email communications being protected and filtered? Emails and their attachments are the number one way that Trojans and worms gain access to the network; educate users not to open any emails or attachments from people they don't know. When in doubt, DON'T!
10. Is the business using intrusion detection systems (e.g. IDS or HIDS)?
11. Are the key personnel responsible for the security of the network educated regarding DoD policies and guidelines (e.g. DoDI 8500.2)?
12. Is physical access to assets and resources being protected? Companies like ADT offer intrusion detection and prevention, including video surveillance systems. But ADT costs money, and even more important is protecting physical access by using locks and having employees who adhere to the Security Plan. If the locks aren't used, they are useless!
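As an added example that is not part of the original checklist, the following Python script puts items 1 to 3 together: a constructed asset inventory, a constructed threat list with assumed exploitation probabilities, and a ranking by RISK = Probability x Harm so the assets that need protecting first come out on top. The asset names, weakness keys, harm scale and probability values are all illustrative assumptions, not measured data.

```python
"""Risk prioritization for a small-business asset inventory.

RISK = Probability x Harm (item 3). Each asset has a harm value (impact to the
business if it is compromised, on an assumed 1..10 scale) and a list of
observed weaknesses drawn from the threat list (item 2). Each weakness has an
assumed probability of being exploited (0..1). An asset's risk score is the
sum of Probability x Harm over its weaknesses; assets are ranked highest first.
"""
from dataclasses import dataclass, field

# Constructed threat catalogue (item 2): weakness -> assumed exploitation probability.
# These numbers are illustrative assumptions, not measurements.
THREAT_PROBABILITY = {
    "unpatched_software": 0.6,
    "windows_updates_behind": 0.5,
    "audit_logging_disabled": 0.3,
    "no_password": 0.9,
    "password_on_postit": 0.7,
    "no_backups": 0.4,
}


@dataclass
class Asset:
    name: str
    harm: int                      # assumed scale: 1 (minor) .. 10 (business-ending)
    weaknesses: list = field(default_factory=list)


def risk_score(probability: float, harm: int) -> float:
    """RISK = Probability x Harm, with the inputs range-checked."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if not 1 <= harm <= 10:
        raise ValueError("harm must be on the 1..10 scale")
    return probability * harm


def asset_risk(asset: Asset, catalogue=THREAT_PROBABILITY) -> float:
    """Sum the per-weakness risk; a weakness missing from the threat list is an inventory error."""
    total = 0.0
    for weakness in asset.weaknesses:
        if weakness not in catalogue:
            raise KeyError(f"weakness {weakness!r} is not in the threat list")
        total += risk_score(catalogue[weakness], asset.harm)
    return round(total, 2)


def prioritize(assets):
    """Return (name, score) pairs, highest risk first; ties broken by harm, then name."""
    scored = [(a.name, asset_risk(a), a.harm) for a in assets]
    scored.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return [(name, score) for name, score, _ in scored]


# Constructed sample inventory (item 1) tagged with weaknesses from the threat list.
INVENTORY = [
    Asset("file-server", harm=9, weaknesses=["unpatched_software", "no_backups"]),
    Asset("reception-pc", harm=3, weaknesses=["password_on_postit", "windows_updates_behind"]),
    Asset("payroll-laptop", harm=8, weaknesses=["no_password"]),
    Asset("lobby-kiosk", harm=1, weaknesses=[]),
]

if __name__ == "__main__":
    for name, score in prioritize(INVENTORY):
        print(f"{score:6.2f}  {name}")
```

Running it ranks the file server (high harm, two weaknesses) ahead of the payroll laptop even though the laptop's single weakness is the more likely one to be exploited, which is exactly the ordering question item 3 asks you to answer before spending on controls.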
Education is the number one preventative measure against security breaches! A business may spend an exorbitant amount of money purchasing all the newest gadgets and software, but if the people don't know how to use them, then that money is wasted. Your employees are the greatest threat to your security! If your people are not trained to use these tools, they can cost your business millions. The expense of educating your personnel on the best procedures to follow to ensure the security of your data, and on how to handle security breaches that may occur, will be the best investment in your business that you will ever make.