I'm going through a "questioning everything" stage, which I'm sure some of you will find annoying, but hopefully it'll also be worthwhile in the end. One of those questions is "What are the actual minimum security practices that should be followed by all personnel?" It's an interesting and somewhat challenging question because, despite having no shortage of source materials to answer the question at length, I'm not necessarily convinced that many of the traditional "requirements" are either necessary or universal.
Thus far, all I've been able to come up with is this short list:
* Have a reasonably long password/passphrase.
* Practice safe computing/browsing.
* Don't share sensitive information (e.g., trade secrets, passwords).
* Protect your physical devices (e.g., phones, laptops).
* Report incidents, suspicious behavior, and related concerns.
That's about it. I'm sure there are more things, but in my somewhat jaded and cynical mindset (at the moment, anyway), I'm having a hard time thinking about what else might be universally applicable to all employees in a company.
What do you think? What am I missing?
This is a good list. The only concern I have is with the "Practice safe computing/browsing" item. It's too broad and also could be used as the heading for the remaining items. I would remove this item and replace it with "Enable automated updates and install security patches when they come out."
Another way to tackle the question of minimum security practices is to follow Brian Krebs's 3 Basic Rules for Online Safety:
http://krebsonsecurity.com/2011/05/krebss-3-basic-rules-for-online-safety/
Everything that you said in this article is correct. One should really practice keeping their account safe by using a password (which only they know) and by practicing safe browsing.
Granted, any short list of principles must balance usability against overload. Still, at the risk of venturing into TMI, I think a useful list should really reflect the employee's challenge to manage complex passwords in the context of all life-wide password requirements.
Responsible companies require password rotation with some complexity criteria. That's already multiple complex passwords for any given authentication domain. Multiply this by many such life-wide domains (all stored in the general brain bucket of "passwords I have to remember for my bank, work, gawker.com, etc.,"), and coming up with unrelated, reasonably long password requirements grows unmanageable rather quickly. Perhaps, then, the security principle should be, minimally, application of a reasonably long, easily memorable password _pattern_, not just passphrase.
No?
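As an added illustration of the "reasonably long password/passphrase" item in the original list and of the trade-off the last comment raises between complexity criteria and length, here is a small entropy estimator. It is example code written for this page, not anything from the original post or its commenters. It estimates an upper bound on guessing entropy two ways: by character pool and length for a conventional password, and by word count for a passphrase drawn from a Diceware-style list (the 7776-word list size and the 50-bit threshold are assumptions chosen for the example, not figures from the discussion). The sample passwords are constructed.

```python
import math
import string

# Assumed size of a Diceware-style wordlist (not from the original discussion).
DICEWARE_WORDS = 7776
# Assumed minimum for this example's policy check; pick your own for real policy.
MIN_BITS = 50.0


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers the password.

    This models an attacker who knows which character classes were used, so it
    is an upper bound: it assumes every character was chosen uniformly at random.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def char_entropy_bits(password: str) -> float:
    """Upper-bound entropy of a character-based password: length * log2(pool)."""
    pool = charset_size(password)
    if pool == 0 or not password:
        return 0.0
    return len(password) * math.log2(pool)


def passphrase_entropy_bits(n_words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase of n_words words each drawn uniformly from the list.

    Use this, not char_entropy_bits, for word-based passphrases: counting the
    characters of dictionary words would overstate their strength.
    """
    if n_words <= 0:
        return 0.0
    return n_words * math.log2(wordlist_size)


def meets_minimum(bits: float, minimum: float = MIN_BITS) -> bool:
    """Policy check: does the estimated entropy reach the assumed floor?"""
    return bits >= minimum


def compare(password: str, passphrase_words: int) -> dict:
    """Return both estimates side by side for a quick policy comparison."""
    pw_bits = char_entropy_bits(password)
    pp_bits = passphrase_entropy_bits(passphrase_words)
    return {
        "password_bits": round(pw_bits, 1),
        "password_ok": meets_minimum(pw_bits),
        "passphrase_bits": round(pp_bits, 1),
        "passphrase_ok": meets_minimum(pp_bits),
    }


if __name__ == "__main__":
    # Constructed samples: a short "complex" password versus a four-word passphrase.
    for pw in ("password", "Tr0ub4dor&3"):
        print(pw, compare(pw, passphrase_words=4))
```

The character-based figure is an upper bound, so a password built from a memorable pattern (a base word plus a per-site suffix, say) scores far better here than it would against an attacker who has seen one instance of the pattern; the word-based estimator is the honest one for anything a person can actually remember, which is why length in words tends to be the more useful policy knob than complexity rules.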