Is it OK to use boilerplate security policies that I can download off the Internet?
All-in-one systems are great, especially for smaller organizations. They're often easier to set up and manage. Just remember that they're a single point of failure, so be sure to have a contingency plan in place in case something goes wrong. Based on how dependent your organization is on computers and the Internet, a contingency plan for one of these systems could be as simple as having a next day replacement warranty. Just remember to back up your system configuration so you can restore it quickly to the new system when you receive it.
It depends on how critical the information you're trying to protect is and how dependent your organization is on that information. If -- and only if -- you regularly keep up with patches, I would suggest an initial test to get a baseline of where you stand and then consider testing for technical vulnerabilities once a quarter or even twice a year. Every situation is different, but this is a general guideline.
I've tried locking down my systems, but it only seems to backfire -- users complain about things such as having to remember too many passwords and it takes too long to access shared files on the network. Is there a way to find a balance so I can secure our systems and they can get their work done at the same time?
One of the biggest complaints I hear from end users is that the 'IT department has locked down everything to the point of extreme inconvenience.' Here are some examples: blocking all e-mail attachments, forcing 12-character passwords that must be changed every 30 or 60 days, requiring users to log in two or three times and browse the network for five minutes just so they can access their home directories.
All of these things are often seen as legitimate security measures; you've just got to be careful. It all depends on your organization -- the culture, upper management's support for information security, end user awareness and more. You've got to find a good balance between security, convenience and usability. Otherwise, you'll be public enemy No. 1 -- and that's not what you're there for. If you feel the need to lock things down to the point of user aggravation, make sure you have upper management's OK and support first. The bottom line is that you need to keep security as transparent to the end user as possible.
Can my wireless network really be made secure?
Sure, I believe so. There are a ton of hardening techniques, most of which are very simple to implement. I cover a lot of these in another webcast you can find on SearchMobileComputing.com called 'Doing wireless LANs the right way.' I know SearchNetworking.com has some good stuff on this. Also stay tuned to SearchSmallBizIT.com for more contributions from me related to wireless networks.
The neat thing is, there are some good vendor solutions emerging that can help with hardening your wireless systems and help implement the new 802.11i security standard for wireless LANs, so you don't have to worry about the technical issues as much. If you're not 100% sure how secure your airwaves are, it would be beneficial to have someone come in and assess your wireless security to make sure everything is locked down.
What will it take to get my users to create strong passwords and not write them down and leave them lying around their desks?
I think for smaller organizations, desktop versions of PGP and S/MIME are manageable and reasonable. I don't recommend going with an all-out PKI solution unless you're willing to spend the time, effort or money to implement and manage it or bring someone in to do it for you. Another good option is to install an e-mail firewall that supports SSL and TLS and performs encryption at the network perimeter. This takes encryption and other security responsibilities away from end users and can make e-mail security administration a lot easier. You'll just have to determine whether they are worth the price.