Kevin Mitnick, in his latest book The Art of Intrusion, offers sound and succinct advice:
"Ensuring proper configuration management is a critical process that should not be ignored. Even if you properly configure all hardware and software at the time of installation and you keep up-to-date on all essential security patches, improperly configuring just a single item can create a crack in the wall."
So what defines a "best practice"?
"Processes and activities that have been shown in practice to be the most effective."
Let's look at it holistically (imagine).
Have you conducted regular internal audits, including reviewing logs and accounts?
Do you test your servers regularly via scans and vulnerability tests?
When was the last time you updated your Policies and Procedures? If your P & P content includes references to Windows 95, it might be time.
Do you patch regularly?
Do you educate your users regularly (a constant, ongoing effort)?
Are these not best practices?
Enough questions...some answers:
Though specific to the University of Wisconsin-Madison, one of the best overviews I've seen for information security best practices can be found at UW-Standards & Practices. In particular, "Information security is not an end-destination of itself but an ongoing task intended to reduce risk. It is not a binary solution secure or insecure but rather a continuum of practices to help minimize exposures of the CIA of information."
Kevin D. Mitnick, The Art of Intrusion, Wiley, 2005 