A best practice guide for IT security. Part VI.


A best practice guide for information technology: 12 essential rules for securing your digital equipment.

(Translated from: Guide des Bonnes Pratiques de l’informatique. 12 règles essentielles pour sécuriser vos équipements numériques.)
(www.ssi.gouv.fr/uploads/2015/03/guide_cgpme_bonnes_pratiques.pdf). Version 1.1.1 – January 2017, 20170111-1014. Licence Ouverte/Open Licence (Etalab – V1). Agence Nationale de la Sécurité des Systèmes d’information. ANSSI – 51, boulevard de la Tour-Maubourg – 75700 PARIS 07 SP.

By Edward Eggleston


(Part 6)

11. Separate personal and professional IT usage.

Paul often brought work home at night. Without his knowledge, his personal computer was compromised. Using information stored on that home system, the attacker was able to penetrate his company's internal network. Sensitive information was stolen and then handed to a competitor.

Usage and security measures are different for personal and professional communication equipment (computers, smart phones, etc.).

BYOD (Bring Your Own Device) is the practice of employees using their personal equipment (computer, smartphone, tablet, etc.) for work. Although this practice is increasingly common, it creates data security problems: theft or loss of devices, intrusions, lack of control over how employees use the equipment, and loss of data when personnel leave.

In this context, it is recommended to separate your personal and professional IT usage:

a) Do not send work-related electronic messages from the same accounts or services you use for personal activities.
b) Do not store professional data on personal equipment (USB sticks, telephones, etc.) or on personal online storage services.
c) For the same reasons, avoid connecting removable personal storage (USB sticks, removable hard drives, etc.) to company computers.

If you do not apply these best practices, you risk the theft of sensitive company information by hostile individuals who take control of your personal equipment.


12. Take care with personal and professional information, and with your digital identity.

Alain received an email inviting him to enter a contest to win a laptop. To take part, he had to give his email address. He did not win, but he began receiving many unwanted messages.

Data you publish on the Internet immediately escapes your control. In addition, hostile individuals practice “social engineering”: they gather your personal information, often by fraud and without your knowledge, in order to guess your passwords, gain access to your IT systems, usurp your identity or carry out industrial espionage.

In this context, it is advisable to be extremely careful with your personal information on the Internet:

a) Be careful in filling out online forms:
1. Only give information that is strictly necessary.
2. Consider declining when you are asked to authorize the storage or sharing of your data.

b) Expose only a minimum of personal or professional information on social networks, and be cautious in your interactions with other users.
c) Review your security and confidentiality settings regularly.
d) Finally, use several email addresses for different online purposes: one address for more serious uses (banks, job searches, professional activity…) and another for other online services (forums, prize contests…).



In summary:

To reinforce the security of your IT equipment and data effectively, you can supplement the 12 best practices listed in this guide with the following measures:

a) Have a designated individual for IT security in your organization.
b) Write an IT policy.
c) Use data encryption software (for storage and data exchange).
d) Harden the configuration of your workstations and use proven security solutions (firewalls, antivirus software).
e) Before opening or copying files from a USB device onto your computer, scan them with antivirus software.
f) Disable automatic execution (AutoRun/AutoPlay) of removable media on your computer.
g) Turn off your computer during periods of prolonged inactivity (at night, over weekends, during vacations).
h) Check and monitor your system, in particular by reviewing the event logs, so that you can react to suspicious activity (user logons outside normal working hours, large data transfers out of the organization, connection attempts on inactive accounts, …).
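Measure (h) asks you to review event logs for three kinds of suspicious activity. The following Python script is an added example, not part of the ANSSI guide or of this translation: it runs the three checks over a handful of constructed log lines in a simplified, assumed format (ISO timestamp, event type, then `key=value` fields). The working-hours window, the transfer threshold and the list of inactive accounts are placeholders that an organization would set for itself.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List

# Constructed sample log lines (not from the original guide). Assumed format:
# "<ISO timestamp> <EVENT> user=<name> [bytes=<n>] [dest=<host>]"
SAMPLE_LOG = """\
2017-01-10T09:12:03 LOGON user=paul
2017-01-10T23:41:17 LOGON user=paul
2017-01-11T02:05:44 LOGON user=alain
2017-01-11T10:30:00 LOGON user=intern07
2017-01-11T11:02:10 TRANSFER user=paul bytes=120000 dest=partner.example
2017-01-11T03:15:00 TRANSFER user=alain bytes=5368709120 dest=203.0.113.9
2017-01-14T14:00:00 LOGON user=paul
"""

# Hypothetical list of accounts that should no longer be used (maintained by IT).
INACTIVE_ACCOUNTS = {"intern07"}

# Placeholder policy values: normal working hours on weekdays only, and the
# outbound volume above which a transfer is considered "massive" (1 GiB).
WORK_START = time(7, 0)
WORK_END = time(20, 0)
TRANSFER_THRESHOLD_BYTES = 1024 ** 3


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Alert:
    rule: str
    ts: str
    user: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one log line of the assumed format into an Event."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    kind = parts[1]
    fields = dict(p.split("=", 1) for p in parts[2:])
    user = fields.pop("user", "?")
    return Event(ts, kind, user, fields)


def outside_work_hours(ts: datetime) -> bool:
    """True on weekends (weekday() 5 and 6) or outside the weekday window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() <= WORK_END)


def analyse(log_text: str) -> List[Alert]:
    """Apply the three checks from measure (h) to every line of the log."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        stamp = ev.ts.isoformat()
        # Any activity on an account that should be inactive is suspicious.
        if ev.user in INACTIVE_ACCOUNTS:
            alerts.append(Alert("inactive_account", stamp, ev.user,
                                f"{ev.kind} on inactive account"))
        # Logons outside the usual schedule.
        if ev.kind == "LOGON" and outside_work_hours(ev.ts):
            alerts.append(Alert("off_hours_logon", stamp, ev.user,
                                "logon outside working hours"))
        # Large outbound transfers.
        if ev.kind == "TRANSFER":
            nbytes = int(ev.fields.get("bytes", "0"))
            if nbytes >= TRANSFER_THRESHOLD_BYTES:
                dest = ev.fields.get("dest", "?")
                alerts.append(Alert("large_outbound_transfer", stamp, ev.user,
                                    f"{nbytes} bytes sent to {dest}"))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"[{a.rule}] {a.ts} user={a.user}: {a.detail}")
```

On the sample data the script raises five alerts: two weeknight logons, one Saturday logon, one logon on the retired `intern07` account, and one 5 GiB transfer to an external address. In practice the same three rules would be fed from the workstation's or domain controller's real event log export, with the thresholds tuned to the organization's own working patterns.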