This are some of my routine and guidelines on how do i protect my network against any intrusion:
- Make sure no one person is controlling the system front to back.
- Require every person logging on to use a password.
- Assign supervisory rights to as few people as possible.
- Back up all systems weekly.
- Have a strict sign-in/sign-out system for backup tapes.
- Always have a current copy of the backup tape stored remotely.
- Do backups of desktops and laptops as well as servers.
- Rotate backup tapes - don't keep using the same one over and over again.
- Change passwords every three months.
- Keep servers in a secured area.
- Stay up-to-date on software patches.
- Use intrusion-detection software that alerts you when you are being hit.
- Make sure two pairs of eyes have checked code before it is entered into the system.
- Have an information security department (at least one person and then one other for every 1,000 users) that is separate from the IT department and reports directly to the chief information officer.
- Spend at least 3% to 5% of the IS budget on information security. Train information security personnel to be aware of any employee who shows signs of being troubled or disgruntled, particularly if that employee holds an information-critical position.
- Beef up security during certain events, such as mergers or downsizings, that could upset workers and cause them to lash out at the company.
- Monitor the network - set up software that will alert you if the person is working in a different part of the network or at a different time than usual.
- Scan e-mail to see what's going out of the company, double-check backup tapes and have someone else do the backups if that person is the one in question.
- Make sure the person in charge of the system is not the same person in charge of the backup.
- Have specific policies and punishments built into employee contracts.
- Make sure critical IS workers are bonded.
