IT Security Best Practices



The following is a list of best practices identified in order to develop, promulgate, and encourage the adoption of commonly accepted, good security practices. They represent 10 of the highest-priority and most frequently recommended security practices, offered as a starting point for today's operational systems. These practices address the dimensions of information security (policy, process, people, and technology), all of which are necessary for deploying a successful security process. This initial set of practices is targeted at executive leadership in industry. When adopted, these practices catalyze a risk-management-based approach to ensuring the survivability and security of critical information assets.

  1. General Management
  2. Policy
  3. Risk Management
  4. Security Architecture & Design
  5. User Issues
  6. System & Network Management
  7. Authentication & Authorization
  8. Monitor & Audit
  9. Physical Security
 10. Continuity Planning & Disaster Recovery



1. GENERAL MANAGEMENT

Managers throughout the organization should:

  • Treat information security as a normal part of their own responsibility and the responsibility of every employee.
  • Clearly define and assign information security roles and responsibilities, and ensure that adequate resources are allocated.
  • Take visible actions, including sponsorship and direction, written communications, and staff meeting time on this subject.
  • Create, enforce, and regularly review security policies.

2. POLICY

  • Develop, deploy, and enforce security policies that satisfy business objectives.
  • Create policies that address key security topics such as:
    • Security risk management
    • Critical asset identification
    • Physical security
    • System and network management
    • Authentication and authorization
    • Access control
    • Vulnerability management
    • Incident management
    • Awareness and training
    • Privacy
  • Ensure that the intent of each policy is reflected in the standards, procedures, practices, training, and security architectures that implement it.


3. RISK MANAGEMENT

  • Periodically conduct an information security risk evaluation that identifies:
    • Critical information assets
    • Threats to critical assets
    • Asset vulnerabilities and risks
  • Develop and implement a risk mitigation plan based on the results of the evaluation.
  • Ensure that the identified risks are regularly reviewed and managed.


4. SECURITY ARCHITECTURE & DESIGN

  • Generate, implement, and maintain an enterprise-wide security architecture based on satisfying business objectives and protecting the most critical information assets.
  • Deploy a layered (defense-in-depth) approach that includes the practices that follow.
  • Use diversity and redundancy in the solutions for high-risk, high-reliance systems.

5. USER ISSUES

Users include all those who have active accounts, including employees, partners, suppliers,
and vendors. Users should consider information security to be part of their responsibilities,
receive training in all policy topics, and understand the consequences of policy violations.

  • Establish accountability for each user action.
  • Train for accountability and enforce it as reflected in organizational policies and procedures.

6. SYSTEM & NETWORK MANAGEMENT

Ensure that there is adequate in-house expertise or explicitly outsourced expertise for all
supported technologies (e.g., host and network operating systems, routers, firewalls,
monitoring tools, and application software), including the secure operation of those


Ensure proper access controls are in place on systems (i.e., user IDs that are unique to one
person, and credentials whose strength is enforced by the system). Forcing users to change
passwords on a fixed schedule, once standard advice, is now discouraged: NIST SP 800-63B
recommends changing a password only on evidence of compromise, and instead relies on
length, screening against lists of breached passwords, and multi-factor authentication.


Establish a range of security controls to protect assets residing on systems and
networks, using the following:

  • Access controls.
  • Data encryption and virtual private network (VPN) technologies as required.
  • Perimeter and internal security applications that implement security policy.
  • Removable storage media for critical data.
  • A system discard process that eradicates all data from disks and memory prior to disposal.


Regularly:

  • Check the integrity of installed software.
  • Find and eradicate all viruses, worms, Trojan horses, other malicious software, and unauthorized software.
  • Compare all file and directory cryptographic checksums with a securely stored, maintained, and trusted baseline, so that unauthorized changes are detected.


  • Provide procedures and mechanisms to ensure the secure configuration of all deployed assets throughout their life cycle of installation, operation, maintenance, and retirement.
  • Apply patches to correct security and functionality problems.
  • Establish and maintain a standard, minimum essential configuration for each type of computer and service.
  • Create a network topology diagram and ensure it is kept up to date.
  • Enable adequate levels of logging.
  • Perform vulnerability assessment and address vulnerabilities when identified.


  • Mandate a regular schedule of backups for both software and data.
  • Validate software and data before and after backup.
  • Verify the ability to restore from backups.
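The checksum-against-a-trusted-baseline check earlier in this section and the backup validation and restore test just above are both demonstrated by the following added example. It is not code from the original page: the HMAC key, directory names and file contents are constructed for the demonstration, and the choice of a tar archive as the backup format and of HMAC-SHA256 to make the stored baseline tamper-evident are this example's assumptions, not the page's.

```python
# Added example (not from the original page): a file-integrity baseline with a
# tamper-evident HMAC, drift detection, and a backup whose restore is verified.
# The key, paths and file contents below are constructed for the demonstration.
import hashlib
import hmac
import json
import tarfile
import tempfile
from pathlib import Path

ALGO = "sha256"


def hash_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.new(ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(root: Path, key: bytes) -> bytes:
    """Serialize the digests and append an HMAC tag so the stored baseline is tamper-evident."""
    body = json.dumps(hash_tree(root), sort_keys=True)
    tag = hmac.new(key, body.encode(), ALGO).hexdigest()
    return json.dumps({"files": body, "hmac": tag}).encode()


def load_baseline(blob: bytes, key: bytes) -> dict:
    """Refuse a baseline whose HMAC does not verify; otherwise return the digest map."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["files"].encode(), ALGO).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: stored baseline was altered")
    return json.loads(doc["files"])


def verify_tree(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the baseline: modified, added and removed files."""
    current = hash_tree(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def backup_and_verify_restore(root: Path, archive: Path, baseline: dict) -> dict:
    """Check the source before backup, archive it, restore to a scratch dir, check the restore."""
    pre = verify_tree(root, baseline)
    if any(pre.values()):
        raise RuntimeError(f"source drifted from baseline before backup: {pre}")
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(root.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(root).as_posix())
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter where the runtime provides it (PEP 706).
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **opts)
        return verify_tree(Path(restore_dir), baseline)


def demo() -> dict:
    """Constructed scenario: baseline, back up, then tamper with files and with the baseline."""
    key = b"demo-only-key; real keys live off the monitored host"  # assumed, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "app").mkdir(parents=True)
        (root / "app" / "config.ini").write_text("debug = false\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        blob = build_baseline(root, key)
        baseline = load_baseline(blob, key)
        clean = verify_tree(root, baseline)
        restore = backup_and_verify_restore(root, Path(tmp) / "etc.tgz", baseline)
        (root / "app" / "config.ini").write_text("debug = true\n")  # modified
        (root / "app" / "dropper.sh").write_text("#!/bin/sh\n")     # added
        (root / "hosts").unlink()                                   # removed
        drift = verify_tree(root, baseline)
        tampered = blob[:-5] + b"X" + blob[-4:]  # corrupt one hex digit of the stored tag
        try:
            load_baseline(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"clean": clean, "restore": restore, "drift": drift,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints four results: a clean verification, a clean restore, a drift report naming the modified, added and removed paths, and confirmation that a corrupted baseline is rejected before it is trusted. The key and a copy of the baseline belong off the monitored host; an attacker who can modify files on it can otherwise rewrite the baseline too.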



7. AUTHENTICATION & AUTHORIZATION

  • Implement and maintain appropriate mechanisms for user authentication and authorization for network access from both inside and outside the organization.
  • Ensure these are consistent with policies, procedures, roles, and the levels of restricted access required for specific assets.


  • Protect critical assets when providing network access to users working remotely and to third parties such as contractors and service providers.
  • Use network-, system-, file-, and application-level access controls, and restrict access to authorized times and tasks as required.


8. MONITOR & AUDIT

  • Use appropriate monitoring, auditing, and inspection facilities, and assign responsibility for reporting, evaluating, and responding to system and network events and conditions.
  • Regularly run system and network monitoring tools and filtering and analysis tools, and examine the results.
  • Respond to events that warrant action.
  • Ensure that all employees know whom to contact when they notice suspicious behavior.
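As an added example of the "filtering and analysis" step above (not code from the original page), the following script runs two detection rules over constructed OpenSSH-style authentication log lines: a sliding-window count of failed logins per source address, and an accepted login from a source that has just produced a burst of failures, which is the event that warrants action. The hostnames, addresses, thresholds, and the assumed year are invented for the demonstration.

```python
# Added example (not from the original page): detection logic run over
# authentication log lines. The lines are constructed in OpenSSH/syslog style;
# hostnames, addresses, thresholds and the assumed year are invented.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar  4 10:01:02 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  4 10:01:04 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  4 10:01:05 bastion sshd[2104]: Accepted publickey for deploy from 198.51.100.23 port 40110 ssh2
Mar  4 10:01:06 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 50131 ssh2
Mar  4 10:01:08 bastion sshd[2106]: Failed password for root from 203.0.113.7 port 50132 ssh2
Mar  4 10:01:09 bastion sshd[2107]: Failed password for root from 203.0.113.7 port 50133 ssh2
Mar  4 10:01:11 bastion sshd[2108]: Accepted password for root from 203.0.113.7 port 50134 ssh2
Mar  4 10:09:40 bastion sshd[2150]: Failed password for alice from 192.0.2.9 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+(?:\.\d+){3}) port \d+"
)

FAIL_THRESHOLD = 5             # failures from one source ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window (assumed values)
SUCCESS_AFTER = 3              # accepted login after at least this many recent failures
ASSUMED_YEAR = 2024            # syslog timestamps carry no year


def parse(line: str):
    """Return a dict for sshd auth events, or None for lines the rules do not cover."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Mar  4")
    ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def analyze(log_text: str) -> list:
    """Per-source sliding-window failure counting; alerts are returned in log order."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside WINDOW
    flagged = set()              # sources already reported for brute force
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()          # expire failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"severity": "medium", "rule": "ssh_bruteforce",
                               "src": ev["src"], "failures": len(q),
                               "at": ev["ts"].isoformat()})
        elif len(q) >= SUCCESS_AFTER:
            # A success right after a burst of failures from the same source
            # is the likely-compromise signal that needs a human response.
            alerts.append({"severity": "high", "rule": "ssh_success_after_failures",
                           "src": ev["src"], "user": ev["user"], "failures": len(q),
                           "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample above the script raises one medium alert when 203.0.113.7 reaches five failures and one high alert when the same source then succeeds as root; the single failure from 192.0.2.9 and the key-based login from 198.51.100.23 produce nothing. The brute-force rule fires once per source so that a long attack does not flood the queue, while the success-after-failures rule fires on every occurrence because each one needs to be acted on.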


9. PHYSICAL SECURITY

  • Control physical access to information assets and IT services and resources.
  • Use physical access controls where required.
  • Use password-controlled electronic locks for workstations, servers, and laptops that are enabled upon login and engage after specified periods of inactivity.
  • Control access to all critical hardware assets.


10. CONTINUITY PLANNING & DISASTER RECOVERY

Develop business continuity (BC) and disaster recovery (DR) plans for critical assets and ensure that they are periodically tested and found effective.

  • Elements of a BC plan should include, at a minimum, the following:

a.  Procedures for response and recovery that contain predetermined, prioritized actions on how to:

    i.   Respond to a disruptive event
    ii.  Activate the plan
    iii. Recover critical business processes
    iv.  Restore the business to its state before the incident or disaster occurred

b.  Alternate work locations and work procedures (if necessary) must be identified in case the primary site is unavailable. The plan should also include procedures to equip the alternate work site (telecommunication systems, PCs, and other devices), and contracts with third parties.

c.  Procedures to safeguard and reconstruct the home site.

d.  Procedures to safeguard the alternate site.

e.  Reconstruction plans for the recovery of all system resources at the original location.

f.  Critical information (such as current names and telephone/pager numbers of key personnel) on continuity teams, affected staff, customers, and suppliers.

g.  Major upstream and downstream applications and the information system groups that may be affected, together with critical contact information for each.

h.  Time frames for restoring systems, to ensure that required transaction processing times are met and disruption time is minimized.

  • Elements of a DR plan should include, at a minimum, the following:

a.  The identification of possible disasters that could interrupt access to systems for long periods of time.

b.  Directions to off-site storage locations.

c.  Business recovery location.

d.  Disaster recovery organization chart/list, with an action-team call tree for internal contacts and their locations.

e.  Hardware and other required inventory needed in the event of a disaster.

f.  Application and other required inventory needed in the event of a disaster.

g.  Operating system and other required inventory needed in the event of a disaster.

h.  Vendor name(s) and contact information.

i.  Media, records, and documentation needed for restoration.

j.  Recovery procedures and the priority of servers, applications, and other dependent systems.

k.  Time frames for restoring systems, to ensure that required transaction processing times are met.

l.  Critical file and work-in-process assessment report.

m.  Recovery status report.