Strategies

  • Policy
    • User confidentiality agreements
    • Systems administrator guidelines and agreements
    • Identified information security officer
    • Understand and consider the policies of the larger jurisdiction within which you operate
    • Be sensitive to the policies of your partner and user organizations
    • Have an appropriate disaster avoidance/recovery plan and test it at least once a year

  • Stronger access control
    • Enforce non-guessable passwords
    • Consider two-factor authentication (like SecurID)
    • Only consider Public Key Infrastructure (PKI) when you have the organizational infrastructure to support it, and when location independence is less important

  • Encryption
    • Use SSL for web servers
    • Consider VPNs for encryption of non-web traffic (BI products, administrative query)
    • Fully evaluate encryption requirements of ancillary communications (e-mail, file submissions)

  • Secure server
    • Apply all known operating system and application server patches (see Microsoft's new Security Toolkit)
    • Remove any unnecessary services
    • Audit systems actively; review event logs; investigate any suspicious activity
    • Do not require server consoles to be logged in for the application to run
    • Do not allow direct access by users to the database server

  • Secure network
    • Deploy firewalls generously
    • Weigh benefits of data stream inspection against possible performance degradation
    • Audit network actively; review event logs; investigate any suspicious activity

  • Secure desktop
    • Ensure virus protection software is in place and up to date
    • Enforce 128-bit encryption
    • Whenever possible use server-side components only
    • Do not use unsigned controls
    • Recognize that some users may disable certain browser features (e.g., cookies, Java, JavaScript) to enhance security, which may interfere with your application