Kevin Mitnick, in his book The Art of Intrusion, offers sound and succinct advice:
Ensuring proper configuration management is a critical process that should not be ignored. Even if you properly configure all hardware and software at the time of installation and you keep up-to-date on all essential security patches, improperly configuring just a single item can create a crack in the wall.[1]
So what defines a "best practice"?
Processes and activities that have been shown in practice to be the most effective.[2]
Let's look at it holistically (imagine).
- Have you conducted regular internal audits, including reviewing logs and accounts?
- Do you use the CIS Critical Security Controls as a guidepost for your control practices?
- Do you test your servers regularly via scans and vulnerability tests?
- When was the last time you updated your policies and procedures? If your P&P content includes references to Windows 95, it might be time.
- Do you patch regularly?
- Do you educate your users regularly (a constant, ongoing effort)?
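The checklist above turned into code, as an added example that is not part of the original post: each question is evaluated against one constructed inventory record, and the review intervals in `LIMITS` are assumed values you would replace with your own policy. Any single failing item fails the whole check, which is the point of the Mitnick quote.

```python
from datetime import date

# Constructed sample record for one environment (made-up data, not from the post).
SAMPLE = {
    "last_log_review": date(2024, 1, 15),
    "last_account_review": date(2023, 6, 1),
    "last_vuln_scan": date(2024, 2, 1),
    "policy_last_updated": date(2019, 3, 1),
    "policy_text": "Workstations must run Windows 95 or later.",
    "oldest_missing_patch_age_days": 45,
    "last_user_training": date(2023, 12, 1),
}
AS_OF = date(2024, 3, 1)  # constructed reference date for the sample

# Assumed maximum intervals in days; hypothetical values, set your own.
LIMITS = {
    "log_review": 30,
    "account_review": 90,
    "vuln_scan": 30,
    "policy_review": 365,
    "patch_age": 30,
    "user_training": 180,
}

def overdue(last_done, limit_days, today):
    """True when more than limit_days have elapsed since last_done."""
    return (today - last_done).days > limit_days

def checklist_findings(record, today):
    """Evaluate the checklist questions against one record; returns the failing items."""
    findings = []
    if overdue(record["last_log_review"], LIMITS["log_review"], today):
        findings.append("log review overdue")
    if overdue(record["last_account_review"], LIMITS["account_review"], today):
        findings.append("account review overdue")
    if overdue(record["last_vuln_scan"], LIMITS["vuln_scan"], today):
        findings.append("vulnerability scan overdue")
    if overdue(record["policy_last_updated"], LIMITS["policy_review"], today):
        findings.append("policies and procedures review overdue")
    if "windows 95" in record["policy_text"].lower():
        findings.append("policies reference an obsolete platform")
    if record["oldest_missing_patch_age_days"] > LIMITS["patch_age"]:
        findings.append("patching overdue")
    if overdue(record["last_user_training"], LIMITS["user_training"], today):
        findings.append("user education overdue")
    return findings

def is_compliant(record, today):
    """One failing item is a crack in the wall, so any finding fails the record."""
    return not checklist_findings(record, today)
```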
Enough questions…some answers:
Though specific to the University of Wisconsin-Madison, one of the best overviews I've seen for information security best practices can be found at UW-Standards & Practices. In particular:
Information security is not an end-destination of itself but an ongoing task intended to reduce risk. It is not a binary solution secure or insecure but rather a continuum of practices to help minimize exposures of the CIA of information.[3]
[1] Kevin D. Mitnick, The Art of Intrusion, Wiley, 2005
[2] it.csumb.edu/departments/data/glossary.html
[3] http://www.cio.wisc.edu/security/