2016 Cyber Security Checklist For Organisations

The document is a network security checklist from Micro Plus Computers that provides recommendations for small businesses to help mitigate cyber security risks. It includes requirements around firewall configuration, password policies for computers and network devices, user account management, and malware protection. The checklist can be used as a starting point and businesses are advised to implement applicable measures and also have their own data protection and internet usage policies. Micro Plus Computers can also provide assistance in implementing any of the suggestions.

Network Security Checklist

When a big business is hacked you hear about it on the news – in the past year companies including TalkTalk and Carphone Warehouse hit the headlines when they fell victim to data breaches – but what you don’t hear so much about is when small firms are attacked. Historically, cyber criminals haven’t targeted smaller firms, but since last year there has been a huge rise in these attacks, and in a recent Government Security Breaches Survey 74% of small organisations reported a security breach last year (2015).

It is impossible to make a modern business network 100% secure but there are certain measures that should be taken to help to mitigate the risks. Our
recommendations below are based around the requirements for the Government’s Cyber Essentials Scheme plus a few additional recommendations of our
own.

This is a list of suggestions provided free of charge by Micro Plus Computers. It is a list of our top recommendations, but you should make your own decisions as to which of these you implement and add others that are applicable to your business. This information is supplied as-is and may be considered as part of your overall data security and cyber security processes. Please feel free to use this as a starting point and build it up for your own organisation. Bear in mind that your organisation should have a separate data protection policy and an internet and email usage policy that may already cover some of these points or could be updated to include some of the following.

If you need any assistance in implementing any of these suggestions, or would like information as to how any of these standards can be enforced rather than left voluntary, then please contact Micro Plus Computers via email [email protected]

You should also consider where these might be applicable to any third party contractors that work with your organisation and have access to your IT systems (for example external technical support, software companies, accountants, photocopier companies, CCTV maintenance, premises access controls, telephone companies).

Micro Plus Computers Ltd – Tel 01691 670960


Oswestry, Shropshire SY10 8NU
www.micro-plus.co.uk
Requirement Yes No Ongoing
Firewall
The organisation should have a firewall or equivalent in place to protect its internal network and devices against unauthorised access.
The password on the firewall device should be changed from the default to an alternative strong password.
The firewall password:
 - is at least 8 characters long
 - is not the same as the username
 - does not contain identical characters next to each other
 - is not a dictionary word
 - includes upper and lower case letters, numbers and special characters
 - has not been reused within a predetermined time period
 - has not been used for another account
Each rule set on the firewall must be approved by an authorised individual and documented, including an explanation of the business need for the rule.
Unapproved or vulnerable services should be blocked at the gateway firewall.
Any permissive firewall rules that are no longer required should be disabled as soon as possible.
The firewall’s boundary administration settings should not be accessible from the internet.
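The four rule-set requirements above (approved and documented rules, unapproved services blocked, stale permissive rules disabled, administration not reachable from the internet) can be checked mechanically once the rule set is exported. The script below is an added example, not code from the checklist or from Micro Plus Computers; the Rule shape, the assumed management and unapproved-service port sets, and the sample rules are constructed for illustration. A real review would export the live rule set from the firewall and map it into this shape.

```python
"""Review a firewall rule set against the checklist's firewall requirements.

Added example, not code from the checklist or from Micro Plus Computers.
The Rule shape, the port sets and the sample rules are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple, Union

# Assumed: ports on which the firewall's own administration interface listens.
MGMT_PORTS = {22, 443, 8443}
# Assumed: legacy/cleartext services that should never be allowed in from the internet.
UNAPPROVED_INBOUND_PORTS = {21, 23, 445, 3389}
ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    src_zone: str                   # "wan" (internet), "lan", or ANY
    src: str                        # CIDR or ANY
    dst: str                        # CIDR, "firewall" (the device itself) or ANY
    ports: Set[Union[int, str]]     # TCP/UDP port numbers, or {ANY}
    approved_by: str = ""
    justification: str = ""
    expires: Optional[date] = None  # when a temporary rule should have been removed


def review_rules(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule name, finding code) pairs for every allow rule that breaks a requirement."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot be permissive
        any_port = ANY in r.ports
        # Every rule needs an approver and a stated business need.
        if not (r.approved_by and r.justification):
            findings.append((r.name, "undocumented"))
        # An any/any/any allow is the classic "temporary" rule nobody removed.
        if r.src == ANY and r.dst == ANY and any_port:
            findings.append((r.name, "any-any"))
        # Administration interface reachable from the internet.
        if r.src_zone == "wan" and r.dst == "firewall" and (any_port or r.ports & MGMT_PORTS):
            findings.append((r.name, "wan-management"))
        # Unapproved service exposed to the internet.
        if r.src_zone == "wan" and r.dst != "firewall" and (any_port or r.ports & UNAPPROVED_INBOUND_PORTS):
            findings.append((r.name, "wan-unapproved-service"))
        # Temporary rule past its agreed end date: disable it.
        if r.expires is not None and r.expires < today:
            findings.append((r.name, "expired"))
    return findings


# Constructed sample rule set and review date.
REVIEW_DATE = date(2016, 3, 1)
SAMPLE_RULES = [
    Rule("office-web-out", "allow", "lan", "192.168.1.0/24", ANY, {80, 443},
         approved_by="IT manager", justification="staff web browsing"),
    Rule("vendor-rdp-temp", "allow", "wan", "203.0.113.10/32", "192.168.1.20/32", {3389},
         approved_by="IT manager", justification="CCTV supplier support, Jan 2016",
         expires=date(2016, 1, 31)),
    Rule("wan-admin", "allow", "wan", ANY, "firewall", {443}),
    Rule("legacy-any", "allow", ANY, ANY, ANY, {ANY}, justification="old rule"),
    Rule("drop-all", "deny", "wan", ANY, ANY, {ANY}),
]


def sample_findings() -> List[Tuple[str, str]]:
    """Run the review over the constructed sample rule set."""
    return review_rules(SAMPLE_RULES, REVIEW_DATE)


if __name__ == "__main__":
    for name, code in sample_findings():
        print(f"{name}: {code}")
```

On the sample set the documented outbound web rule passes, the expired vendor RDP rule is flagged twice (unapproved service from the internet, and past its end date), the undocumented administration rule is flagged for both missing paperwork and internet-reachable management, and the old any/any rule is flagged for both missing approval and over-permissiveness.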

Requirement Yes No Ongoing
Computers and Network Devices (including Wireless Access Points and Routers)
All computers and devices on the network must comply with the following in order to give a ‘Yes’ response.
All unnecessary user, guest or admin accounts should be removed or disabled.
All user account passwords meet the following requirements:
 - has been changed from the default password
 - is at least 8 characters long
 - is not the same as the username
 - does not contain identical characters next to each other
 - is not a dictionary word
 - includes upper and lower case letters, numbers and special characters
 - has not been reused within a predetermined time period
 - has not been used for another account

Requirement Yes No Ongoing
Computers and Network Devices (including Wireless Access Points and Routers) - continued
All unnecessary software applications and utilities should be removed or disabled.
All auto-run features should be disabled, including for removable storage media and for network folders.
An operating system with an integrated desktop firewall should be used on desktop PCs and laptops, configured to block unapproved connections by default. In Windows operating systems from Windows 7 onwards this is built in but needs to be active and configured.

Requirement Yes No Ongoing
User Accounts
All user accounts and their privileges should be subject to an approval process and should be documented.
Admin privileges and any other special access privileges should be restricted to authorised individuals and documented.
Admin accounts should only be used to perform admin tasks and not for everyday access.
Admin accounts should be set to require a password change every 60 days or less.
Every individual user should have a unique user name and user account.
Every user password should meet the following requirements:
 - is at least 8 characters long
 - is not the same as the username
 - does not contain identical characters next to each other
 - is not a dictionary word
 - includes upper and lower case letters, numbers and special characters
 - has not been reused within a predetermined time period
 - has not been used for another account
Any user account with special privileges or admin rights should be removed or disabled when no longer required, if the individual changes role or leaves the organisation, or after a predefined length of inactivity (e.g. if the account is not used for 90 days then it is disabled).
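The same seven password rules appear three times in this checklist (firewall, computers and network devices, user accounts). The function below is an added example, not code from the checklist or from Micro Plus Computers, and implements those rules as a single validator. The word list, the hashed history stores and the sample inputs are constructed; a real deployment would load a full dictionary file and take the history from the identity system. The dictionary check goes slightly beyond the checklist's literal wording: it strips digits and punctuation before comparing, so "Welcome2016!" is still caught as the word "welcome".

```python
"""Validate a candidate password against the checklist's password rules.

Added example, not code from the checklist or from Micro Plus Computers.
The word list, history stores and sample inputs are constructed.
"""
import hashlib
import string
from typing import List, Set

# Constructed word list; load a real dictionary file in practice.
DICTIONARY = {"password", "welcome", "letmein", "summer", "oswestry", "monday"}

# "upper and lower case letters, numbers and special characters"
CHARACTER_CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
)


def fingerprint(password: str) -> str:
    """History stores hold a SHA-256 of each old password, never the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, username: str,
                   history: Set[str], other_accounts: Set[str]) -> List[str]:
    """Return the names of the rules the password fails; an empty list means it passes.

    history: fingerprints of this account's previous passwords within the reuse window.
    other_accounts: fingerprints of passwords the same person uses on other accounts.
    """
    failures = []
    if len(password) < 8:
        failures.append("min_length")
    if password.lower() == username.lower():
        failures.append("equals_username")
    # No two identical characters next to each other ("Bookkeeper" fails on "oo").
    if any(a == b for a, b in zip(password, password[1:])):
        failures.append("adjacent_repeat")
    # Not a dictionary word: compare the letters only, so digits and
    # punctuation tacked onto a word do not disguise it.
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if letters_only in DICTIONARY:
        failures.append("dictionary_word")
    if not all(any(c in cls for c in password) for cls in CHARACTER_CLASSES):
        failures.append("missing_character_class")
    fp = fingerprint(password)
    if fp in history:
        failures.append("reused")
    if fp in other_accounts:
        failures.append("shared_with_other_account")
    return failures


if __name__ == "__main__":
    # Constructed history for user "jsmith": last password on this account,
    # and the password they use on their webmail account.
    old_here = {fingerprint("Xk9$pQ2m")}
    used_elsewhere = {fingerprint("Rt4!vB7n")}
    for candidate in ("Welcome2016!", "Bookkeeper9#", "jsmith",
                      "Xk9$pQ2m", "Rt4!vB7n", "aA1!bB2@"):
        result = check_password(candidate, "jsmith", old_here, used_elsewhere)
        print(f"{candidate!r}: {', '.join(result) or 'OK'}")
```

The function returns every failed rule rather than stopping at the first, so the user can be told exactly what to change; the hashed history means the reuse and cross-account checks can be run without keeping old passwords in clear text.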

Requirement Yes No Ongoing
Malware Protection
Malware protection software is to be installed on all computers that access, or are capable of accessing, the internet.
Malware protection software is to be kept up to date daily.
Malware protection software should be configured to scan files automatically upon access and to scan web pages when they are accessed via a web browser.
Malware protection software should be configured to perform regular scans of all files.
Malware protection software should prevent connections to malicious websites on the internet (e.g. by using website blacklisting).
Software Patch Management
Software on any devices that are connected to, or are capable of connecting to, the internet must be licensed and supported, to ensure vulnerabilities are investigated and patches made available.
All software updates and security patches that are made available should be installed in a timely manner.
Any unsupported software should be removed from any computer or device capable of connecting to the internet.

Additional Recommendations Yes No Ongoing
Wi-Fi Protected Setup (WPS) to be disabled on all wireless devices.
Universal Plug and Play (UPnP) to be disabled.
Guest WiFi access to be implemented for visitors and employee-owned devices.
Employee-owned devices that can access company email or information will require malware protection software.
All network servers must have a daily automated backup solution, with backup data stored securely (encrypted) offsite.
Encryption of all sensitive data stored on mobile devices and removable storage devices.
Do not allow staff to use file sharing or cloud storage services such as Dropbox, OneDrive, Google Drive or iCloud for company data unless they are authorised by and secured for your organisation.
Staff should not be permitted to use personal social media accounts on organisation-owned devices or on any devices connected to the network unless specifically authorised to do so.

This list is not exhaustive, is not applicable in every organisation, and no guarantee of security is implied. Feel free to make use of these suggestions when building your own policy.

Aside from all of the talk about hackers and external attacks, the greatest threat to any organisation’s network and data security is still its employees. It’s not just the disgruntled staff members or those about to leave to set up in competition that you need to be aware of – the most common data breaches are caused unintentionally by uninformed staff members.

Please make use of our separate list of suggestions for making your staff aware of cyber security risks.

If you would like a copy, please email [email protected] and ask for our Staff Awareness Cyber Security Checklist
