How to Use This Guide
1. Read through the controls (in Section 2) and best practices (in Section 3) and understand what types of risks they mitigate. Section 2 controls are generally more technical, while the best practices in Section 3 are more generally designed to serve as a template for policy language for specific practices your organization may need to follow (e.g. travel policy or incident response).
2. Select the level of controls appropriate for your organization, and use those controls and the best practices described in Section 3 to build your security policy. Appendix A can help walk you through considerations for each control, and help you identify whether Baseline or Baseline+ measures are correct for your organization.
3. Implement security controls within your organization based upon your new security policy. Appendix B offers additional guidance on how to implement each of the controls.
You can jump between the control descriptions in Section 2, the policy assistance in Appendix A, and the implementation guidance in Appendix B by using the links below each headline.
NOTE: As a general rule, do not recycle the same password across multiple accounts. When choosing a password, pick something unique, and make it long. You should focus more on length than on adding in hard-to-remember characters or complex upper/lower case combinations. The use of a "passphrase" - a string of at least 4 unrelated words - instead of a password is encouraged.
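To make the "length over complexity" point concrete, here is an added example (not part of the original guide) that generates a passphrase with a cryptographically secure random choice, compares the entropy of a 4-word passphrase against a short complex password, and checks a secret against the two rules above (not reused, long enough). The minimum length of 16 characters and the eight-word sample list are assumptions for illustration.

```python
import math
import secrets

# Constructed sample list; a real word list (e.g. a diceware list) has 7776 entries.
SAMPLE_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "gravel", "harbor"]


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy in bits of `symbols` independent, uniformly random picks
    from `choices_per_symbol` options (a word list or a character set)."""
    return symbols * math.log2(choices_per_symbol)


def generate_passphrase(wordlist, n_words: int = 4, sep: str = " ") -> str:
    """Pick `n_words` words with `secrets.choice` (not `random`, which is not
    suitable for secrets). The guide asks for at least 4 unrelated words."""
    if n_words < 4:
        raise ValueError("use at least 4 words")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def meets_policy(secret: str, already_used=(), min_length: int = 16, min_words: int = 4):
    """Apply the guide's two rules: never reuse a secret across accounts,
    and prefer length (a multi-word passphrase or a long password).
    Returns (ok, reason). `min_length` is an assumed threshold."""
    if secret in already_used:
        return False, "reused across accounts"
    if len(secret.split()) >= min_words:
        return True, "passphrase"
    if len(secret) >= min_length:
        return True, "long password"
    return False, "too short"


if __name__ == "__main__":
    # 4 words from a 7776-word list vs. 8 characters from 95 printable ASCII:
    # roughly the same entropy, but the passphrase is far easier to remember.
    print(f"4 words / 7776-word list : {entropy_bits(7776, 4):.1f} bits")
    print(f"8 chars / 95 printable   : {entropy_bits(95, 8):.1f} bits")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```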
Learn How to Spot a Phishing Email
MFA can help prevent attackers from accessing an account even when they have a user's account credentials. But, in cases where MFA is not enabled or not available, a username and password is all the attacker needs to break in. One of the most common ways attackers get their hands on user credentials is via phishing emails. Learning how to spot a phish is the best defense against losing control of accounts. The Electronic Frontier Foundation has a guide on how to spot a phishing email or scam here: https://ssd.eff.org/en/module/how-avoid-phishing-attacks
In general, when you receive an email, do not click on links or open files you do not recognize, even if it came from a trusted source. If you're unsure about the origin of a link or document, it is usually worth a quick call or message (through a channel other than email) to the sender. It only takes a minute, and can save hours of headache in the case that your account does become compromised in some way.
A Note on Antivirus Software
Organizations may choose to purchase antivirus software, but most major operating systems build in much of the protection LROs need to prevent malware infections. At a bare minimum, your organization should enable either Windows Defender or Apple's Gatekeeper - the default security services on both major operating systems. These services will harden most laptops and desktops against common threats.
How to enable Windows Defender: https://support.microsoft.com/en-us/help/17464/windows-defender-help-protect-computer
How to enable Gatekeeper on OSX: https://support.apple.com/en-us/HT202491
It is critical to allow these services to run their automatic updates. Without the latest information, these services cannot protect your device against new forms of malicious software.
Note: Encrypting your data provides an important layer of security, but it also runs the risk of data lock-out. It is crucial that you store your encryption key(s) in a safe place, and that you create a back-up plan in the case that you lose a key. Locking yourself out can be costly and may temporarily interrupt the operation of your organization.