There are plenty of small to medium institutions in our community. Protecting the information, systems and networks of small to medium institutions is important, but they do not typically have dedicated information officers and lack sufficient resources to secure their information infrastructure effectively. Their owners therefore face serious challenges in protecting the confidentiality of institution, customer and employee information. The following is a list of best practices to protect information, systems and networks, intended to help small to medium institution owners plan and manage secure information systems.
1. Protect Information, Systems, and Networks from Damage by Viruses, Spyware, and Other Malicious Code:-
Small to medium institutions should install antivirus and anti-spyware software on every computer used in their operations. This software, which is readily available from commercial software vendors, should be updated regularly.
2. Provide Security for Internet Connection:-
Institution computers and networks that have broadband access to the Internet 24 hours a day, every day, are exposed to continual hostile threats. Small to medium institutions should install and keep operational a hardware firewall between their internal networks and the Internet. The firewall function may be provided by a wireless access point or router installed by the institution, or by a router operated by the institution's Internet Service Provider (ISP).
3. Install and Activate Software Firewalls on all Institution’s Systems:-
A software firewall should be installed and used on every operational computer system, and should be updated regularly. Software firewalls are needed to supplement the protection provided by hardware firewalls. Some operating systems include a firewall as part of the system. Software firewalls are also available for purchase from vendors, and can sometimes be obtained free of cost.
4. Patch all Operating Systems and Applications:-
The vendors of major operating systems generally provide patches and updates to their products to correct discovered security problems and to improve the functionality of the software. Patches should be applied to the institution’s systems regularly, and installed on all new systems and software.
5. Make Backup Copies of Important Institution Data and Information:-
Copies should be made of all data, including word processing documents, electronic spreadsheets, databases, financial files, human resources files, accounts receivable and payable files, and other information used in or generated by the institution. This prevents loss of data when there are equipment failures, employee errors, or destruction of data by malicious code.
6. Control Physical Access to Institution’s Computers and Network Components:-
Unauthorized persons should not be allowed to access or use any of the institution’s computers, including laptops. Computers should not be accessible to cleaning crews or to unsupervised repair personnel. Employees working at their computers should position their displays so that they cannot be seen by people walking past an office or by strangers who may walk into an office.
7. Secure Wireless Access Points and Networks:-
Institution owners who use wireless networking should configure the wireless access point so that it does not broadcast its Service Set Identifier (SSID). When new devices are acquired, the administrative password that was on the device when it was purchased should be changed. Strong encryption should be used so that data transmitted between the institution’s computers and the wireless access point cannot be easily intercepted and read by electronic eavesdroppers.
8. Train Employees in Basic Security Principles:-
Employees should be trained to use sensitive institution information properly and to protect the institution’s and its customers’ information. Employees should receive training on the organization’s information security policies, including the use of computers, networks and Internet connections, the limitations on personal use of telephones, printers and other business resources, and any restrictions on processing business data at home.
9. Require Individual Accounts for Each Employee Using Institution Computers and Institution Applications:-
A separate account should be established for each individual computer user, and strong passwords should be used. Passwords should be changed at least every six months. Employees’ individual accounts should not have access to administrative accounts, to prevent the installation and spread of unauthorized software or malicious code.
10. Limit Access to Data and Information by Employees, and Limit the Authority to Install Software:-
No single employee should be given access to all data and all systems, including financial, personnel, inventory, and manufacturing systems. Access to systems and data should be limited to the specific systems and information that employees need to do their jobs. One employee should not be allowed to both initiate and approve a transaction, such as a financial transaction.
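As an added example (not part of the original article), the following Python script checks a transaction log against practices 9 and 10: every employee is granted only the systems their job needs, and the same person may not both initiate and approve one transaction. The employees, systems and log entries are all constructed for illustration.

```python
# Added example (not from the article): least-privilege and separation-of-duties
# checks over a constructed transaction log. Employees, systems and events are
# all assumed for illustration.
from dataclasses import dataclass

# Each employee is granted only the systems their job requires (deny by default).
PERMISSIONS = {
    "alice": {"finance"},               # accounts payable clerk
    "bob":   {"finance", "personnel"},  # office manager
    "carol": {"inventory"},             # warehouse lead
}

@dataclass(frozen=True)
class Event:
    txn_id: str
    system: str
    action: str   # "initiate" or "approve"
    user: str

def is_authorized(user: str, system: str) -> bool:
    """A user may act on a system only if it is explicitly granted."""
    return system in PERMISSIONS.get(user, set())

def audit(events):
    """Return (txn_id, reason) pairs for each violation: an action on a system
    the user is not granted, or one user initiating and approving a transaction."""
    violations = []
    initiators = {}
    for ev in events:
        if not is_authorized(ev.user, ev.system):
            violations.append((ev.txn_id, f"{ev.user} not granted {ev.system}"))
        if ev.action == "initiate":
            initiators[ev.txn_id] = ev.user
        elif ev.action == "approve" and initiators.get(ev.txn_id) == ev.user:
            violations.append((ev.txn_id, f"{ev.user} both initiated and approved"))
    return violations

# Constructed sample log: one properly dual-controlled payment, one
# self-approved payment, and one access outside the granted systems.
SAMPLE_LOG = [
    Event("PAY-100", "finance", "initiate", "alice"),
    Event("PAY-100", "finance", "approve", "bob"),
    Event("PAY-101", "finance", "initiate", "bob"),
    Event("PAY-101", "finance", "approve", "bob"),
    Event("HR-7", "personnel", "initiate", "carol"),
]

if __name__ == "__main__":
    for txn, reason in audit(SAMPLE_LOG):
        print(f"VIOLATION {txn}: {reason}")
```

The same audit can be run over exported approval logs from an accounting or HR system once the permission table reflects the institution's actual role assignments.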
Taking action now by implementing these best practices will reduce the risk of cyber attack and secure the institution in the long term.