28 July 2013
France Rules for Computer Hygiene
Google translation, tidied by Cryptome.
France Rules for Computer Hygiene
INDEX OF RULES
RULE 1 - Have a precise mapping of the computer installation and keep it
updated. p. 9
RULE 2 - Have a complete inventory of privileged accounts and keep it updated.
RULE 3 - Write and maintain arrival and departure procedures for users (Staff,
students ...). p. 11
RULE 4 - Limit the number of Internet accesses as strictly necessary. p.
RULE 5 - Prohibit the connection of personal devices to the main information
system. p. 13
RULE 6 - Know the rules of updates to all components and software used to
keep abreast of vulnerabilities in these components and necessary updates.
RULE 7 - Define a policy update and apply it strictly. p. 16
RULE 8 - Maintain identity each person with access to the system. p. 17
RULE 9 - Define rules for selecting and sizing passwords. p. 17
RULE 10 - Establish technical means to enforce the rules relating to
authentication. p. 18
RULE 11 - Do not store passwords in clear text in files on computer systems.
RULE 12 - Always renew the authentication elements by default (passwords,
certificates) on the equipment (network switches, routers, servers, printers).
RULE 13 - Use where a possible high-authentication card chip. p. 19
RULE 14 - Establish a consistent level of security throughout the computer
RULE 15 - Technically prohibit the connection of removable media unless strictly
necessary, and disable running of autoruns from such supports.
RULE 16 - Use a tool for managing IT infrastructure to deploy security policies
and updates on equipment. p. 23
RULE 17 - Manage mobile terminals according to a security policy at least
as strict as that of landlines. p. 23
RULE 18 - Where possible prohibit in all cases remote connections on client
computers. p. 24
RULE 19 - Encrypt sensitive data, especially on mobile workstations and
potentially penetrable support systems. p. 24
RULE 20 - Audit or to frequently audit the configuration of the central directory
(Windows Active Directory or LDAP directory, eg, environment). p. 25
RULE 21 - Implement partitioned networks. For stations or servers contain
important information for the life of the company, create a subnet protected
by a specific interconnection gateway. p. 26
RULE 22 - Avoid the use of infrastructure (Wifi). If the use of these
technologies can not be avoided, partition the WiFi access from the rest
of the information system network. p. 26
RULE 23 - Always use secure protocols and applications. p. 27
RULE 24 - Secure interconnection gateways to the Internet. p. 29
RULE 25 - Ensure that no network device includes remote interface administration
accessible from the Internet. p. 29
RULE 26 - Identify specific objectives of monitoring systems and networks.
RULE 27 - Prescribe means for analysis of logged events. p. 32
RULE 28 - Prohibit access from the Internet to administrative accounts. p.
RULE 29 - Use a dedicated network device management or at least a logically
separate network for users. p. 33
RULE 30 - Do not give users administrative privileges. No exception. p. 34
RULE 31 - Do not allow remote access to the corporate network, including
network administration, and the job positions of the company that implement
strong authentication mechanisms and protecting the integrity and confidentiality
of communications with robust means. p. 34
RULE 32 - Always use robust local access control mechanisms. p. 35
RULE 33 - Strictly protect the key allowing access to local and alarm codes.
RULE 34 - Do not leave open or make available access to the internal network
by to the public. p. 36
RULE 35 - Define the rules for use of printers and copiers. p. 37
RULE 36 - Have a disaster recovery and continuity of computer activity ready
however short, regularly updated describing how to save critical business
data. p. 39
RULE 37 - Set up an alert chain reaction and inform all stakeholders. p.
RULE 38 - Do not just treat the infection from one machine without trying
to learn how malicious code could be installed on the machine, if it could
spread elsewhere in the network and what information was manipulated. p.
RULE 39 - Educate users to elementary computer hygiene. p. 43
RULE 40 - To carry out periodic audits of security (at least every years).
Each audit must be associated with an action plan whose implementation is
followed at the highest level. p. 45