IT security guidelines

Here are some IT security guidelines you should have in mind when designing your IT infrastructure:

• Rule of least privilege – also known as the principle of least privilege, this rule states that minimal access is provided to the required network resources. In practice, this means giving a user only those privileges which are essential to that user’s work. All user accounts should run with fewest privileges as possible, and you should also launch applications with as few privileges as possible.

• Defense in depth – this concept suggests that multiple layers of security controls should be placed throughout an IT infrastructure, in order to provide redundancy in case when a security control fails or a vulnerability is exploited. Security should be implemented on nearly every point in the network, so if a single system fails, the security of the whole IT infrastructure isn’t compromised. One example of this concept is filtering traffic at a perimeter router, filtering again at a firewall, using IDSs and IPSs to analyze traffic before it reaches the servers, and using host-based security solutions at the servers, as well.

• Separation of duties – also known as the segregation of duties, this concept states that more than one person should be involved in a task completition. This reduces the possibility for a single individual to compromise a critical process.

• Auditing – the process of accounting and keeping records about what is occurring on the network. When something changes in a network, the record of this event should be sent to an accounting server using protocols such as syslog.