28 July 2013
France Rules for Computer Hygiene
Google translation, tidied by Cryptome.
http://cryptome.org/2013/07/fr-computer-hygiene.pdf
INDEX OF RULES
RULE 1 - Have a precise map of the computer installation and keep it up to date. p. 9
RULE 2 - Have a complete inventory of privileged accounts and keep it up to date. p. 10
RULE 3 - Write and maintain arrival and departure procedures for users (staff, students, etc.). p. 11
RULE 4 - Limit the number of Internet access points to what is strictly necessary. p. 13
RULE 5 - Prohibit the connection of personal devices to the main information system. p. 13
RULE 6 - Know the update rules for all components and software used, and keep abreast of vulnerabilities in these components and of the updates needed to fix them. p. 15
RULE 7 - Define an update policy and apply it strictly. p. 16
RULE 8 - Identify by name each person with access to the system. p. 17
RULE 9 - Define rules for choosing passwords and for their length. p. 17
RULE 10 - Put in place technical means to enforce the rules relating to authentication. p. 18
RULE 11 - Do not store passwords in clear text in files on computer systems. p. 18
RULE 12 - Always replace the default authentication elements (passwords, certificates) on equipment (network switches, routers, servers, printers). p. 19
RULE 13 - Where possible, use strong authentication with a smart card. p. 19
RULE 14 - Establish a consistent level of security throughout the computer network.
RULE 15 - Technically prohibit the connection of removable media unless strictly necessary, and disable the automatic running (autorun) of programs from such media.
RULE 16 - Use an IT infrastructure management tool to deploy security policies and updates on equipment. p. 23
RULE 17 - Manage mobile devices under a security policy at least as strict as that applied to fixed workstations. p. 23
RULE 18 - Prohibit remote connections to client workstations in every case where this is possible. p. 24
RULE 19 - Encrypt sensitive data, especially on mobile workstations and on media that could be lost. p. 24
RULE 20 - Audit, or have audited, the configuration of the central directory (for example a Windows Active Directory or an LDAP directory) frequently. p. 25
RULE 21 - Implement partitioned networks. For workstations or servers containing information important to the life of the company, create a subnet protected by a specific interconnection gateway. p. 26
RULE 22 - Avoid the use of wireless infrastructure (WiFi). If the use of these technologies cannot be avoided, partition the WiFi access from the rest of the information system network. p. 26
RULE 23 - Always use secure protocols and applications. p. 27
RULE 24 - Secure the interconnection gateways to the Internet. p. 29
RULE 25 - Ensure that no network device has a remote administration interface accessible from the Internet. p. 29
RULE 26 - Define specific objectives for the monitoring of systems and networks. p. 31
RULE 27 - Define the means for analysing logged events. p. 32
RULE 28 - Prohibit access to administrative accounts from the Internet. p. 33
RULE 29 - Use a dedicated network for device management, or at least a network logically separated from the users' network. p. 33
RULE 30 - Do not give users administrative privileges. No exceptions. p. 34
RULE 31 - Allow remote access to the corporate network, including for network administration, only from company workstations that implement strong authentication mechanisms and protect the integrity and confidentiality of communications by robust means. p. 34
RULE 32 - Always use robust physical access control mechanisms for premises. p. 35
RULE 33 - Strictly protect the keys giving access to premises and the alarm codes. p. 35
RULE 34 - Do not leave access points to the internal network exposed in areas open to the public. p. 36
RULE 35 - Define the rules for the use of printers and copiers. p. 37
RULE 36 - Have a disaster recovery and business continuity plan for computer activity, however short, regularly updated and describing how critical business data is backed up. p. 39
RULE 37 - Set up an alert and response chain and inform all stakeholders of it. p. 40
RULE 38 - Do not simply disinfect a single machine: also try to learn how the malicious code could have been installed on it, whether it could have spread elsewhere in the network, and what information was handled. p. 40
RULE 39 - Educate users in elementary computer hygiene. p. 43
RULE 40 - Carry out periodic security audits (at least every year). Each audit must be associated with an action plan whose implementation is followed up at the highest level. p. 45