In carrying out contracts with healthcare, State, and Federal contractors, we have seen IT security relegated to a low priority by several entities. We have jointly managed IT systems in which third-party security specialists oversaw monitoring of the network, and we have participated in third-party audits. In every case, the fundamentals were the same: the good security principles that serve one organization serve them all.
In February 2013, President Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity. This order tasked the National Institute of Standards and Technology (NIST) with setting guidelines that small businesses can use to self-assess their risks, along with suggestions on how to mitigate those risks.
- Data backups
- Anti-X (antivirus, antimalware, antispam)
- Next generation firewall (with intrusion prevention)
- Patch management (OS updates, desktop app updates)
- User login management with strong password policies (can include multifactor authentication)
- Appropriate network permissions (Network shares, app data)
- Multiple forms of encryption (disk, email, web-based apps)
- User awareness education (phishing scams, HIPAA & PII handling)
In the related articles section below, we will look at each one of the basic considerations in greater detail.