List of best practices for general network security

The 2018 Network Security Best Practice Checklist (Source: Gigamon.com)

  1. Maintain your software
    Network attacks are evolving, and yesterday’s solutions may not be enough to counter tomorrow’s threats. This is why one of the most essential — yet most basic — network security best practices is keeping your antivirus software current. Effective, up-to-date virus software will incorporate tested solutions to some of the most recent known exploits. As such, software updates should be installed immediately as they become available. The most effective antivirus options can protect you in over 90 percent of instances.3 However, no single solution is fool proof, and as threats become more advanced, ongoing antivirus audits and supplemental systems are becoming just as important as installing the latest patches.
  2. Make visibility your top priority
    We tend to view our networks as walled fortresses trying to repel incoming enemy attacks, but in truth sometimes it’s the people inside the walls who are the bigger danger. Nearly 75 percent of all data breaches4 are a direct result of insider threats — and of those threats, 68 percent can be attributed to employee or contractor negligence5 (only 22 percent of insider threats are intentional). The solution? Improved network visibility. Constantly monitoring users within your network may be the single-most important security policy you adopt.6 After all, if you can’t see it, you can’t secure it. By tracking internal network use, you can improve your situational awareness and see what actions may be compromising your network security. You can then move to correct those actions before they turn into something more serious.
  3. Keep a close eye on user permissions
    While unintentional insider threats may be the more widespread problem, intentional ones — where authorized users attempt to steal valuable data — can still cause major damage. In many cases, these kinds of attacks happen as a result of disgruntled employees (or former employees) using their network permissions to access sensitive information. Most businesses have different levels of privileged users but giving anyone access to everything is a huge risk. Never allow any of your users the authorization to security logs and be sure to provide and enforce network-use guidelines for anyone with permission to access network data. Also, be aware of the dangers of BYOD and IoT devices connecting to your network, as these devices can also carry malicious programs or lead to data being taken off premises.
  4. Use a reliable network packet broker to send the right traffic to the right tools
    When it comes to network security, we sometimes err on the side of caution. For example, even though certain tools are designed to be more effective with certain kinds of traffic, many organizations still send all of their network traffic to all of their security tools. Unfortunately, with network speeds, data volume and the number of business applications all increasing, security tools are being pushed beyond the capacity they are built to handle. This increases cost while also slowing down business applications and, ironically enough, leaving networks more open to attack. A much better solution is to give your security tools access to only the traffic they need to analyze, while preventing access to the traffic they don’t need to see. A next generation network packet broker, purpose built for security solutions, can provide traffic intelligence features such as metadata, application session filtering, SSL decryption, masking and more to ensure that appropriate traffic is being optimally routed to inline and out of band security tools. This not only improves network security, but also allows for faster application and network performance.
  5. Stay compliant
    Your organization isn’t the only one that wants to keep your network safe from intruders. Users have a vested interest in ensuring that their sensitive data is kept out of malicious hands, and that means that the government is likewise interested. Federal and other government rules exist to help ensure data security, and businesses and other organizations are expected to comply. Regulations (such as HIPAA, ISO and PCI DSS) may seem like an extra hassle, but they provide a number of reliable network security best practices around policies and procedures that can keep you customers and your business, safe. If you want to keep your network secure in 2018 and beyond, don’t let your compliance slip.
  6. Establish a security policy
    Speaking of regulation and policy, sometimes setting clear expectations and guidelines for your employees can mean the difference between secure and unsecure networks. This will help network users better recognize what is, and what is not acceptable user behavior. Perform a network security risk analysis and see what areas your policy most needs to cover. Of course, guidelines are only useful when employees internalize them. Given the massive amounts of employee onboarding most organizations put their new hires through, it’s not surprising that many employees fail to do more than give network security policies more than a cursory glance. To make sure that employees are contributing to network security, provide on-going security-policy training, including what to do in real-life situations. Also, keep a security-policy expert on-hand, so that when users need further clarification they have someone they can go to.
  7. Always backup your data
    One important thing to remember about digital information is that it can be copied. This means that at any given point in time, your organization can create a backup — essentially a detailed snapshot — of your network data. By then maintaining that data separate from the rest of your network, you’ll have a recent version of your data to fall back on in the event of a damaging cyberattack. Despite this, only about half (51 percent) of businesses keep a data back up, and only 36 percent of enterprises back up their business data completelyBe sure to regularly back up your entire network, so that no single breach has the capacity to completely obliterate the information your company depends on.
  8. Don’t forget about third-party users
    Many businesses outsource to third-party contractors, and that often means that those contractors need some level of access to the organization’s network. That said, if internal employees represent a major threat to your network security, then third-party users are at least as dangerous. Allowing third-party contractors network access increases the number of system access points, and in turn creates more potential entry locations for malicious attacks. If you work with contracted employees or agencies, never allow them more data access than is absolutely necessary. At the same time, carefully evaluate any contractors before you commit to work with them. If they are compliant with regulatory requirements, and if they follow effective security policies, they’ll be less likely to turn into a liability.
  9. Educate your users
    Network security best practices can help you create an effective plan of defense for your vital data, but if your users aren’t doing their part, then your network will always be vulnerable. This means that if you want to secure your data, you need to secure the users who access it. Train your employees on how to recognize and report specific threats, create strong passwords, and use and access data correctly. Your security best practices are only as good as those who follow them. Educate your employees on how to protect your network, and you’ll have another reliable line of defense between your data and the threats that could compromise it.

When cloud storage or server use come into the picture

 

CMMC in the Near-Term

CMMC will not be required for all contractors immediately and will be phased in for certain DoD-identified contractors beginning in September 2020. When fully operational, the CMMC will be mandatory for all entities doing business with the DoD at any level. Prime contractors, and their subcontractors, will be required to meet one of the five CMMC trust levels, and demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities. Initial Award, or continuance, of a DoD contract will be dependent upon CMMC compliance. No contractor organizations will be permitted to receive or share DoD information related to programs and projects without having completed the CMMC process. At the time that a contractor’s contract is up for renewal they must be CMMC compliant.

In January 2020 the CMMC will release a checklist for contractors which will allow them to identify how well they currently comply with the framework, and to assist with planning and implementing security maturity tasks. The CMMC will be included as a component of Requests for Information (RFIs) in mid-2020 and is expected to be included in Requests for Proposal (RFPs) by late 2020. The required CMMC compliance level will be contained in sections L & M of RFPs, making cybersecurity an “allowable cost” in DoD contracts.

CMMC will combine elements of various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, into one unified standard for CUI cybersecurity.

CMMC Timeline

  • May 2019: Version 0.1
  • July 2019: Version 0.2 identified and reviewed
  • September 2019: Version 0.4 released
  • October 2019: CMMC implemented requirements released
  • November 2019: Version 0.6 to be released for public review
  • January 2020: Version 1.0 finalization expected; compliance checklist released
  • June 2020: CMMC will begin appearing in RFIs
  • September 2020: CMMC Will Begin Appearing in RFPs

Link to CMMC latest documentation

404 Page Not Found.

If you found this page you got to the wrong place.

You will be redirected back to the home page in 8 seconds or Click here to go back to the home page..

 

American Disabilites Act started in 1990. This act requires businesses to provide equal access for employees and customers with disabilities. The law started out with just the physical world, but the law covers such things as websites and mobile apps.

The full guidelines are expected to be release in 2018 business owners are currently liable. Any court cases this law does allow private individuals to bring a claim to court. If the private individual wins a business could be liable for compensation such court costs.

SCDIT can help you get your site complient. Contact us and we can help.

For persons with disabilities experiencing difficulties accessing content on a particular website, please use the Contact form.  In this form, please indicate the nature of your accessibility issue/problem and your contact information so we can address your issue or question.

The Department of Homeland Security has some tools to evalute your website. Click here to download their tools. 

We often use WebAIM's contrast checker when building our pages.