
What are the best practices for information security?

Using multi-factor authentication, practicing least privilege, and installing updates regularly are some of the most important practices an organization can follow to secure its assets.

Below is a fairly comprehensive list of the best practices for securing your digital assets. Many of these practices are well-established, while others are newer and showing their value in recent years. The key to security is following these practices consistently, day after day.

  • Use strong passwords - passwords should be at least 12 characters long and ideally a phrase that means something to the user, so that it is easy to remember. Length matters more than the mixture of character classes, and the phrase should not be one that appears in lists of commonly used or previously breached passwords.
  • Never share passwords - sharing passwords leads to real problems. Your password is the key to your online identity: if someone has your password, they can "become you," and actions they take as you may be blamed on you. Even your IT department should never need to know your password.
  • Never write passwords down - similar to never sharing your password, writing your password down may make it available to anyone who comes across it. The same problems may arise from this.
  • Use distinct passwords for distinct sites - using a distinct password for each service you access reduces the "blast radius" when a password is compromised. If the same password is reused across many services, an attacker who obtains it from one breach can log in to all of them and read or tamper with your data everywhere it is reused.
  • Use password managers - since using distinct passwords is a best practice, it is nearly impossible to remember a unique password for every service without writing them down, contrary to another best practice. A password manager stores your passwords to other services in an encrypted vault protected by a single "master password." This password should be especially long and strong, and the password manager itself should also be protected by multi-factor authentication.
  • Use multi-factor authentication (MFA or 2FA) - MFA helps ensure that if a user's first authentication factor, typically a password, is compromised, the threat actor still cannot access the account without a second, independent form of authentication (something the user has, such as a phone or hardware key, or something the user is). This is similar to the requirement to bring two forms of identification when taking critical actions at your local government offices.
  • Lock your device when away - anyone with access to a user's unlocked device is acting as that user. Locking devices when away protects against this unauthorized access. On Windows, this can be accomplished easily by pressing the Windows key + L; on macOS, press Control + Command + Q.
  • Use an auto-lock timer - because users are forgetful, always implement an auto-lock timer policy of a short time period (5 minutes or less) to help ensure devices are locked when users are away and mitigate unauthorized access.
  • Practice "least privilege" - only give users the access necessary to perform their duties, and nothing more.
  • Restrict administrative access to devices - users with admin access to their own devices can disable or remove security software or policies designed to protect them from threats.
  • Install updates regularly - software is not perfect. Flaws in the software are vulnerabilities that must be corrected. This is especially important for flaws in operating systems, such as Windows, MacOS, iOS/iPadOS, Android, and Linux. The flaws are often referred to as "holes," and the corrections are referred to as "patches."
  • Use encryption at rest - data sitting on your device may be compromised if the device is lost or stolen, even if the device has a login password, because the storage can simply be removed and read elsewhere. Full-disk encryption, using a feature such as BitLocker (Windows) or FileVault (macOS), prevents this as long as the unlock credential is strong.
  • Use encrypted communication channels - data transferred from one device to another most often travels over the Internet, which means it passes through many intermediate networks and data centers on the way to its destination. Encrypted protocols such as HTTPS ensure that the intermediate parties who carry the traffic cannot read or silently alter it in transit.
  • Add sensitivity labels to data - sensitivity labels such as "confidential" or "top secret" can be used to ensure "need-to-know" and "least privilege" are properly applied.
  • Monitor third-party access and applications (TPRM) - third-party persons and applications pose a risk to organizations by introducing "outsiders" to an organization's data. Third parties should be thoroughly vetted and monitored throughout their engagements through a process typically referred to as third-party risk management (TPRM).
  • Conduct regular security audits - auditing of changes made to a system, such as a user or group's permissions, and the data being accessed is a vital part of ensuring that access is being properly utilized. 
  • Embrace security awareness training - regular education on security basics for all users helps ensure that organizations are protected from social engineering threats, which seek to trick users into giving away access to organizational assets.
  • Enforce strong physical security controls - physical access to devices that contain or can reach an organization's data seriously compromises the security of the organization. Physical controls must be in place and taken seriously to mitigate this risk.
  • Enforce a clean desk policy - information written or printed on papers which lay around users' desks may pose a security threat if that information is seen by another user or external party without need-to-know. Keep desks clean of papers and information to mitigate this risk.
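The "regular security audits" item calls for reviewing changes to user and group permissions, and the "least privilege" and "restrict administrative access" items describe what those reviews should catch. The following is an added example, not from the original page, of the kind of detection logic an auditor would run over Windows Security log exports: it reads events as JSON lines, flags additions to privileged groups (event IDs 4728, 4732 and 4756, which are the real Windows IDs for members added to global, local and universal security groups; 4720 is account creation), and treats an account that adds itself to a privileged group as the most severe case. The sample events and account names are constructed for the example, and the privileged-group list is an assumption that would be tuned to the environment.

```python
import json

# Real Windows Security event IDs for "member added to a security-enabled group".
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
ACCOUNT_CREATED = 4720

# Built-in high-privilege groups. Assumed baseline; extend per environment.
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins",
    "Schema Admins", "Account Operators",
}

# Constructed sample export (one JSON event per line). In a real 4728/4732/4756
# event, TargetUserName is the group and MemberName is the added member's DN.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TimeCreated": "2024-03-01T08:00:01Z", "SubjectUserName": "alice", "TargetUserName": "alice"}
{"EventID": 4732, "TimeCreated": "2024-03-01T08:05:10Z", "SubjectUserName": "alice", "TargetUserName": "Administrators", "MemberName": "CN=bob,OU=Staff,DC=corp,DC=example"}
{"EventID": 4732, "TimeCreated": "2024-03-01T08:06:00Z", "SubjectUserName": "alice", "TargetUserName": "Remote Desktop Users", "MemberName": "CN=carol,OU=Staff,DC=corp,DC=example"}
{"EventID": 4728, "TimeCreated": "2024-03-01T09:12:44Z", "SubjectUserName": "svc-deploy", "TargetUserName": "Domain Admins", "MemberName": "CN=svc-deploy,OU=Service,DC=corp,DC=example"}
{"EventID": 4720, "TimeCreated": "2024-03-01T09:13:01Z", "SubjectUserName": "svc-deploy", "TargetUserName": "backdoor1"}
{"EventID": 4756, "TimeCreated": "2024-03-01T10:00:00Z", "SubjectUserName": "dave", "TargetUserName": "Enterprise Admins", "MemberName": "CN=eve,OU=Staff,DC=corp,DC=example"}
"""


def member_cn(dn: str) -> str:
    """Pull the CN out of a distinguished name such as 'CN=bob,OU=Staff,...'."""
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if rdn.upper().startswith("CN="):
            return rdn[3:]
    return dn


def audit_events(lines):
    """Return a list of alert dicts for privilege-relevant events, in log order."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        eid = ev.get("EventID")
        subject = ev.get("SubjectUserName", "?")
        when = ev.get("TimeCreated", "?")

        if eid in GROUP_ADD_EVENTS:
            group = ev.get("TargetUserName", "?")
            if group not in PRIVILEGED_GROUPS:
                continue                       # routine group change, not reviewed here
            member = member_cn(ev.get("MemberName", ""))
            # An account granting itself admin rights is the classic abuse pattern.
            self_grant = member.lower() == subject.lower()
            alerts.append({
                "time": when, "event_id": eid,
                "severity": "CRITICAL" if self_grant else "HIGH",
                "subject": subject, "group": group, "member": member,
                "reason": ("self-elevation into " if self_grant else "member added to ")
                          + f"{GROUP_ADD_EVENTS[eid]} privileged group",
            })
        elif eid == ACCOUNT_CREATED:
            alerts.append({
                "time": when, "event_id": eid, "severity": "MEDIUM",
                "subject": subject, "group": None,
                "member": ev.get("TargetUserName", "?"),
                "reason": "new account created; confirm a change ticket exists",
            })
    return alerts


def by_subject(alerts):
    """Count alerts per acting account, so repeat offenders stand out in review."""
    counts = {}
    for a in alerts:
        counts[a["subject"]] = counts.get(a["subject"], 0) + 1
    return counts


if __name__ == "__main__":
    found = audit_events(SAMPLE_EVENTS.splitlines())
    for a in found:
        print(f'{a["time"]} [{a["severity"]}] {a["subject"]} -> {a["member"]}: {a["reason"]}')
    print("alerts per subject:", by_subject(found))
```

On real data the same logic is run against the Security log exported with `wevtutil` or forwarded to a SIEM; the point of the example is that the review question is not "did the group change" but "who changed it, for whom, and was it authorized," which is why the subject, member and group are all kept in the alert.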