Dec
8

End of Year Cleanup

Do you know you data, computers and networks? I mean, really know them?

The end of the year is a good time to take stock of your security measures and operational practices and do some maintenance.

I like to ask the question Where are we? at the end of the year. What is being done to protect the information assets of my company or myself and family? After I have a good grasp of this, then I like to ask myself the logical next question, which is Where do we want to be? Comparing the two gives some idea of where to focus my information security energies.

Yeah, I know that previous paragraph is pretty vague.

How about some specific ideas when asking that Where are we? question.

  • Do I know where all the important data is being stored? Is it all on the hard drive of one notebook computer? Or, is some stored on my computer, some stored on my wife’s computer? Maybe it is stored on a file server on the network!
  • What am I doing to protect the data on my notebook computer? Am I doing backups? How do I know that the backups can be used?
  • What if my notebook computer gets stolen and my personal financial information (with bank account numbers and passwords) is stored on it? What am I doing to encrypt or adequately protect that data?
  • If you host your own web services, you should evaluate the access rules on your firewall. Do I really need to allow access on the ports that I have open?
  • Am I patching the OS on my servers? Do I test patches in a controlled environment before installing them on the production servers?What about the patch level of my workstations? Am I using Automatic Updates (on Windows) to keep them updated?
  • When was the last time I changed the WEP/WPA key on my wireless access? Am I using WEP or WPA or something else? Am I sure that only authorized people know what it is? Maybe the neighbors are leaching the signal!
  • Do I have any idea of what “normal” traffic looks like on my network? What applications are being used – P2P, chat, BitTorrent, webcams? What about filtering? Is my filtering functioning as desired?
  • When was the last time that I forced password changes for users? How about administrator/root accounts?

Wow! That sounds like a lot of work! It’s not, really, but these things need to be considered periodically.

In the next entry, I will be discussing the Where do we want to be? question.

- Dan

Posted by d.strom, cissp, gsec, gsna Backups, Data Integrity, Planning Subscribe to RSS feed

Leave a Reply

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>