Security Minimum Standards

Computer security

Mr.PC take a firm stance security and backups, these days there are no winners in taking shortcuts on security and backups only losers. 

We have put together a basic security standards and policies to be treated as a bare minimum level that is required to be in place no mater how small your business is.   

Basic Security Standards

Remote Access
  • Open RDP access not allowed
  • RDP over VPN allowed
  • Multi Factor Authentication Sign-in
Documented Procedures
  • Backup and restore procedure including offsite backups.
  • Escalation and notification steps.
  • General safe email and web browsing.

These procedures require periodic sign-off by authorised personnel.

Servers and Systems
  • Servers and workstations must be on a patch management plan.
  • Servers and workstations must be on a managed antivirus plan.
  • Software installations on workstations must be locked to designated administrators.
  • All backups must be encrypted with offsite cloud backups with a degree of separation (external disk rotation not acceptable)
User Policies

Password complexity requirements:

  • Minimum Length: 8 characters
  • Must contain: numbers, special characters, capital letters, lowercase letters
  • Must not contain: username, first name, last name, email address.
  • Password expiration: 6 months
  • Password reusability: reuse after 3 changes
Router Standards
  • Business-grade firewall (minimum reference device Draytek Vigor2862+)
  • Intrusion detectavsaaion with logging and reporting.
  • No open ports allowed (with certain exceptions)
  • Exchange Servers (TCP 25, 443)
  • Security Systems and DVRs managed by other providers (must be approved by Mr PC).
  • VPN security level - Minimum L2TP/IPSec AES-256 SHA-1 or SSL VPN equivalent.
Email
  • All email correspondence must be via Microsoft Exchange or equivalent. POP3 and IMAP not allowed.
  • All email correspondence must go through an email filtering service.
  • All on-premise email servers must have a publicly trusted SSL certificate.
  • 365 Multi Factor Authentication must be enabled.
  • 365 Geo location blocking must be in place.
  • Email SPF, DKIM & DMARC must be setup.
  • All 365 Emails must have an active backup service. 
BYOD (Bring Your Own Device)

All devices that are used within the business or access the business network: 

  • Must have an embedded elevated administrator account with remote wipe rights.
  • Must have an acceptable antivirus subscription or added to the Mr PC Managed AV plan.
  • Must be kept updated at all times (security patches for OS, antivirus, 3rd party software).
  • Will be subject to random scanning.

Does your ITC Security meet the basics?