Security Best Practices for Information Assurance

Security Best Practices for Information Assurance are mandated guidelines, usually presented during the onboarding process for new employees and repeated as a refresher course every subsequent year. These very basic principles may seem elementary to experienced computer users; however, if they are not observed routinely, they can be the basis for disaster with respect to system availability, integrity, intellectual property, or worse. Not very long ago I saw a news report where sensitive government information was found on a used laptop purchased on one of the free advertisement sites. The previous owner was found to be a former government contractor who had stored classified data on his personal computer and failed to scrub it before selling it. I suspect this was unintentional, but it had serious consequences.

I have personally observed countless blunders made by IA-trained computer professionals and have compiled a list of examples.

  • Don’t allow users to log in using service accounts
  • Don’t grant admin group membership based on politics (in a perfect world)
  • Don’t leave a conference room without erasing the whiteboard
  • Don’t write IDs and passwords on post-it notes and stick them on your monitor
  • Don’t leave sensitive documents on the printer
  • Don’t let anyone use your login
  • Don’t send sensitive information using public email
  • Don’t send debug or configuration reports to outside support without sanitizing them
  • Don’t rely on your screensaver to lock your keyboard when going to lunch
  • Don’t display a list of IDs and passwords on an overhead projector during a meeting

These examples are not IA related; however, I’ll mention them anyway.

  • Don’t prop open the door to a secure building or allow someone to tailgate
  • Don’t discuss sensitive information in public

IA training generally covers the proper handling and labeling of media, what to do with suspicious email, how to handle requests from someone trying to obtain your ID and password, and social engineering. The point of this brief article is that security policies must be observed as a matter of routine and kept constantly on everyone's mind.