A best practice guide for IT security. Part II.


A best practice guide for information technology: 12 essential rules for securing your digital equipment.

(Translated from: Guide des Bonnes Pratiques de l’informatique. 12 règles essentielles pour sécuriser vos équipements numériques.)

(www.ssi.gouv.fr/uploads/2015/03/guide_cgpme_bonnes_pratiques.pdf). Version 1.1.1 – Janvier 2017 20170111-1014. Licence Ouverte/Open Licence (Etalab – V1). Agence Nationale de la Sécurité des Systèmes d’information. ANSSI – 51, boulevard de la Tour-Maubourg – 75700 PARIS 07 SP.

By Edward Eggleston


(Part 2)

3) Identify users and service providers in your system

Noémie used an administrative account at work for Internet activity. She clicked inadvertently on a link specially designed to draw her to an “infected” page. This automatically installed a malicious program on her machine. The attacker could then disable her antivirus program. They also gained access to all of her data, including a database of her (company’s) clients.

When you use your computer, your account holds a certain level of rights. Generally these rights are either “user” level or “administrative”.

a) For routine computer activity (for the Internet, reading email, using office programs, games, …) a user level account is fully adequate.

b) The administrative account is only for global computer functions (managing user accounts, modifying security policies, installing or updating programs, …).

Recent operating systems let you reach these global functions without switching accounts: when a user-level account is in use, the administrative password is requested before the desired change is made. The admin account is what permits these important changes to the computer.

In an organizational setting:

a) Admin account use should be reserved for IT departments, if present.

b) If no IT department is present, protect access to admin functions. Employees should only have user-level accounts. Admin accounts are not for navigating the Internet.

c) Identify users and their system privileges precisely. Not everyone can be granted admin rights.

d) Delete anonymous and generic accounts (intern, contacts, press, etc.). Each user must be identifiable by name so that specific system rights can be set up for them individually.

e) Have specific IT procedures in place for personnel entering and leaving the organization. These procedures should grant appropriate IT system rights on arrival and, especially, revoke them when personnel leave.
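As an added illustration of rules c), d) and e) above (example code, not part of the ANSSI guide or this post): a small Python audit that parses Unix-style passwd and group data, constructed here along with a hypothetical HR roster, and flags admin rights held outside the IT staff, generic accounts, and accounts belonging to people no longer on the roster.

```python
# Added example, not from the ANSSI guide: audit accounts against rules c), d), e). All data is constructed.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
noemie:x:1001:1001:Noemie:/home/noemie:/bin/bash
patrick:x:1002:1002:Patrick (left):/home/patrick:/bin/bash
intern:x:1003:1003:Intern account:/home/intern:/bin/bash
jean:x:1004:1004:Jean (IT):/home/jean:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
GROUP = """\
sudo:x:27:noemie,jean,intern
wheel:x:10:patrick
"""
# Hypothetical HR roster: who currently works here, and who is IT staff.
CURRENT_STAFF = {"noemie", "jean"}
IT_STAFF = {"jean"}
GENERIC_NAMES = {"intern", "contact", "contacts", "press", "guest", "temp"}
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

def parse_passwd(text):
    """Map username -> uid for human accounts (uid >= 1000, login shell)."""
    users = {}
    for line in text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if int(uid) >= 1000 and not shell.endswith(("nologin", "/false")):
            users[name] = int(uid)
    return users

def parse_group(text):
    """Map group name -> set of member usernames."""
    groups = {}
    for line in text.splitlines():
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups

def audit(passwd=PASSWD, group=GROUP, staff=CURRENT_STAFF, it_staff=IT_STAFF):
    """Return sorted (rule, username, finding) tuples, one per violation."""
    users = parse_passwd(passwd)
    groups = parse_group(group)
    # Anyone in an admin group holds administrative rights on this machine.
    admins = set().union(*(groups.get(g, set()) for g in ADMIN_GROUPS))
    findings = []
    for user in users:
        if user in GENERIC_NAMES:
            findings.append(("d", user, "generic account: delete it"))
        elif user not in staff:
            findings.append(("e", user, "not on current roster: revoke access"))
        if user in admins and user not in it_staff:
            findings.append(("c", user, "admin rights outside IT: demote"))
    return sorted(findings)
```

Run against real hosts by feeding the contents of /etc/passwd and /etc/group plus your own roster; on the constructed data it reports three over-privileged accounts, one generic account, and one leaver whose access was never revoked.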


4) Make regular backups

Patrick, a businessman, lost all of his client files after a computer crash. He had not backed up his data.

To ensure the security of your data, it is strongly recommended to make regular backups (daily or weekly, for example). This maintains access to your data after an operating system problem or an attack. For storage, you can use an external hard drive reserved only for this purpose or, failing that, a writable CD or DVD that can be stored away from the computer; this copy should be kept outside the facility. The object is to protect the data copy from fire, flood, or theft (if the computer containing the original is stolen). Particular attention is also needed to how long these measures remain effective.

Before storing data on Internet platforms (often known as “cloud” services), be aware that these storage sites may be targeted by cyberattack and carry particular risks:

a) Risks for data confidentiality

b) Legal risks connected to uncertainty about actual storage locations

c) Risks connected to data availability and integrity

d) Risks related to contracts that cannot be reversed

Know the general usage conditions for a cloud service. Typical contracts for generic use do not cover risks like those listed above.

Where possible, do not hesitate to consult technical and legal specialists to make sure contracts are personalized and appropriate for your enterprise.

Maintain data confidentiality by encrypting the data with encryption software before storing it in cloud services. This prevents a third party from reading your data without authorization.

Consult an appropriate authority to find additional information on external IT services and security. In the US, agencies like the GSA or US-CERT (US Computer Emergency Readiness Team) are possible sources. [The original source cites ANSSI for France.]