Here are some industry-wide best practices we follow:

- Our administrators use a dedicated administrator account to perform security-related functions. Because account activity is audited and tracked, this establishes accountability. Administrators use a separate account for everyday administration activities.
- Administrators ensure they log out when their task is complete or when they leave their workstation.
- Periodically examine the membership of all security groups, especially those that can access sensitive data.
- Disable the access of terminated employees to avoid loss, theft, or unauthorized access.
- Educate and encourage staff to follow best practices:
  - Disable the web browser "auto-remember" feature.
  - Do not write down passwords.
  - Use complex passwords. A password is considered strong when:
    - It has eight characters or more, with at least one uppercase and one lowercase character.
    - It has at least one numeric character.
    - It has at least one punctuation character.
    - It does not contain the names of family members, pets, or birth dates.
    - It is not a common dictionary word.
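As an added example (not code from the original page), the following Python check applies the password rules listed above and reports every rule a candidate fails. The personal names, birth dates and dictionary words are constructed placeholders for whatever lists a deployment would actually load.

```python
import re
import string
from datetime import date

# Constructed sample lists standing in for a real denylist and word list
# (assumption: a deployment would load these from a file or directory source).
PERSONAL_TERMS = {"alice", "bob", "rex", "fluffy"}      # family members, pets
BIRTH_DATES = [date(1985, 7, 4), date(2012, 11, 23)]     # known birth dates
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon"}


def _date_forms(d: date) -> set:
    """Digit strings a birth date is commonly typed as (0704, 07041985, 1985, ...)."""
    fmts = ("%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%Y%m%d", "%y%m%d", "%Y")
    return {d.strftime(f) for f in fmts}


def password_problems(pw: str) -> list:
    """Return the policy rules the password fails; an empty list means it is strong."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("missing upper or lower case character")
    if not any(c.isdigit() for c in pw):
        problems.append("missing numeric character")
    if not any(c in string.punctuation for c in pw):
        problems.append("missing punctuation character")
    lowered = pw.lower()
    if any(term in lowered for term in PERSONAL_TERMS):
        problems.append("contains a family member or pet name")
    digits = re.sub(r"\D", "", pw)
    if digits and any(f in digits for d in BIRTH_DATES for f in _date_forms(d)):
        problems.append("contains a birth date")
    # "Common dictionary word": the password is a word, possibly with trailing
    # digits/punctuation or the usual leetspeak substitutions (@ 3 1 0 $).
    core = re.sub(r"[\d%s]+$" % re.escape(string.punctuation), "", lowered)
    deleet = core.translate(str.maketrans("@310$", "aeios"))
    if core in DICTIONARY_WORDS or deleet in DICTIONARY_WORDS:
        problems.append("is a common dictionary word")
    return problems


def is_strong(pw: str) -> bool:
    return not password_problems(pw)
```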