1. Adopt a strict password policy:
Access to a workstation or to a file by user id and password is the first line of protection. The password must be personal, hard to guess and kept secret; it should not be written down on any medium. The CIO or IT manager should establish a rigorous password-management policy: a password must be at least 8 characters long, include digits, letters and special characters, and be renewed frequently (e.g. every 3 months). The system should force the user to choose a password different from the three previously used. Since the initial password is generally assigned by the system administrator, the user must change it at the first login. Finally, system and network administrators must make sure to change the passwords they use themselves.
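The rules of point 1 expressed as a checker, as an added example that is not part of the original guidance. It assumes a history of the last three password digests and reads "every 3 months" as a 90-day limit; the sample passwords are constructed.

```python
"""Password-policy checks for point 1 (added example, not the original text's code).
Assumptions: history = digests of the last three passwords; 3 months = 90 days."""
import hashlib
import string
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 8                 # "at least 8 characters"
HISTORY_DEPTH = 3              # "different from the three previously used"
MAX_AGE = timedelta(days=90)   # "renewed frequently (e.g. every 3 months)"


def _digest(password: str) -> str:
    # Illustrative only: a real system stores a salted, slow hash (bcrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def check_complexity(password: str) -> List[str]:
    """Return the complexity rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def check_new_password(password: str, previous_digests: List[str]) -> List[str]:
    """Complexity rules plus the 'not one of the last three passwords' rule."""
    problems = check_complexity(password)
    if _digest(password) in previous_digests[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def must_change(last_set_iso: Optional[str], today_iso: str) -> bool:
    """True when the password was never set by the user (administrator-assigned,
    so it must change at first login) or is older than MAX_AGE."""
    if last_set_iso is None:
        return True
    return date.fromisoformat(today_iso) - date.fromisoformat(last_set_iso) > MAX_AGE


# Constructed sample history: the three most recent passwords of one user.
HISTORY = [_digest(p) for p in ["Winter#2012", "Spring#2013", "Summer#2013"]]

if __name__ == "__main__":
    print(check_new_password("Summer#2013", HISTORY))   # reuse is rejected
    print(check_new_password("Autumn#2013", HISTORY))   # [] = accepted
```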
2. Define a procedure for creating and deleting user accounts:
Access to workstations and applications must be made through named user accounts rather than "generic" ones (Account1, Account2, ...), so that actions taken on a file can later be traced and every party held accountable. Generic accounts do not unambiguously identify a person. This rule also applies to the accounts of system and network administrators and of other staff responsible for operating the information system.
3. Secure workstations:
Staff workstations must be configured to lock automatically after a period of inactivity (at most 10 minutes); users should also be encouraged to always lock their workstation when they leave their desk. These measures reduce the risk of fraudulent use of an application during an employee's temporary absence. In addition, controlling the use of USB ports on "sensitive" workstations, for example to prevent copying of all the data contained in a file, is strongly recommended.
4. Identify precisely who has access to files:
Access to the personal data processed in a file must be limited to the people who legitimately need it to carry out the tasks entrusted to them. This analysis depends on the "authorization profile" of the employee or agent. The line manager must identify the files each employee needs to access and have the access rights updated on every transfer or reassignment to a new position. Periodic review of application profiles and of directory access rights on the servers is necessary to ensure that the rights granted match the positions actually held.
5. Ensure data confidentiality:
The work of the various subcontractors of a data controller's information system must come with sufficient guarantees of security and confidentiality regarding the data they may, where applicable, access. The law also requires that confidentiality be provided for in subcontracting contracts. Any work by a provider on databases must take place in the presence of a member of the IT department and be recorded in a register. Data that may be considered "sensitive" under the law, e.g. health data or data relating to means of payment, must in addition be encrypted.
6. Secure the local network:
An information system should be secure.
A first level of protection must be provided by logical security devices such as filtering routers (ACLs), firewalls, intrusion detection sensors, etc. Reliable protection against viruses and spyware requires constant attention to keeping these tools up to date, both on servers and on staff workstations. E-mail obviously calls for particular vigilance. Connections between the sometimes remote sites of a business or a local authority must be made securely, over private links or links secured by "tunneling" or VPN (virtual private network) channels. It is also essential to secure wireless networks, given the possibility of remotely intercepting the information they carry: use encryption keys, control the physical (MAC) addresses of authorized workstations, etc. Finally, remote access to the information system from mobile workstations must be preceded by authentication of both the user and the workstation. Internet access to e-government tools also requires strong security measures, including the use of the IPsec, SSL/TLS or HTTPS protocols.
7. Secure physical access:
Access to sensitive areas such as the computer rooms hosting servers and network equipment must be restricted to authorized personnel. These areas must be subject to specific security measures: verification of authorizations, guards, locked doors, access codes, access control by registered badge, etc. The CIO or IT manager must also ensure that technical documentation, network maps, plans, contracts, etc. are protected.
8. Anticipate the risk of loss or disclosure of data:
The loss or disclosure of data can have several origins: error or malice of an employee or agent, theft of a laptop, hardware failure, or the consequences of water damage or fire. Care must be taken to store data in server spaces provided for this purpose and backed up regularly. Backup media should be stored in a room separate from the one hosting the servers, ideally in a fireproof safe. Servers holding sensitive data, or data essential to the organization's activity, must be backed up and may be equipped with a fault-tolerance device. It is recommended to write an "emergency and recovery" procedure describing how to restore these servers quickly in case of failure or major disaster. Nomadic media (laptops, USB keys, PDAs, etc.) must receive particular protection, such as encryption, in proportion to the sensitivity of the files or documents they may hold. End-of-life hardware such as computers or copiers must be physically destroyed before disposal, or have their hard drives wiped before being donated to associations. Hard drives and removable storage devices sent for repair, reassigned or recycled must first be low-level formatted to erase any data they may hold.
9. Anticipate and formalize an information system security policy:
The rules relating to IT security must be formalized in a document accessible to all agents or employees. Writing it requires a prior inventory of the potential threats and vulnerabilities facing the information system. This document should be updated regularly to reflect changes in the computer systems and tools used by the organization. Finally, the "security" parameter must be taken into account before any project related to the information system.
10. Make users aware of IT risks:
The main risk to IT security is human error. Users of information systems must be made particularly aware of the IT risks associated with the use of databases. This awareness can take the form of training, circulation of memos, or periodic distribution of fact sheets. It should also be formalized in a document of the "IT charter" type, specifying the rules to be observed for IT security as well as those relating to the proper use of the telephone, e-mail and the internet. This document should also recall the conditions under which an employee or agent may create a file containing personal data, for example after obtaining the agreement of the data controller, the legal department or the CIL of the company or organization for which he works.