opexxx

40 Information Security rules, principles and advices:

Feb 2nd, 2022
Rule 1 - Have an accurate map of IT installations and keep it updated.
Rule 2 - Keep an exhaustive inventory of privileged accounts and ensure it is kept up to date.
Rule 3 - Create and apply procedures for the arrival and departure of users (personnel, interns, etc.).
Rule 4 - Limit the number of Internet access points for the company to those that are strictly necessary.
Rule 5 - Prohibit the connection of personal devices to the organisation's information system.
Rule 6 - Know how every software component is updated, and keep up to date on the vulnerabilities affecting these components and the updates they require.
Rule 7 - Define and strictly apply an update policy.
Rule 8 - Identify each individual accessing the system by name (no shared or generic accounts).
Rule 9 - Set rules for the choice and length of passwords.
Rule 10 - Put technical measures in place so that the authentication rules are actually enforced.
Rule 11 - Do not store passwords in plain text in files on information systems.
Rule 12 - Systematically replace default authentication settings (passwords, certificates) on devices (network switches, routers, servers, printers).
Rule 13 - Opt, where possible, for strong authentication such as smart cards.
Rule 14 - Implement a uniform level of security across the entire IT estate.
Rule 15 - Technically prevent the connection of portable media except where strictly necessary, and disable the autorun function for such media.
Rule 16 - Use an IT asset management tool that enables security policies and updates to be deployed to machines.
Rule 17 - Manage portable machines with a security policy that is at least as stringent as the one for fixed machines.
Rule 18 - Wherever possible, prohibit remote connections to client machines.
Rule 19 - Encrypt sensitive data, especially on mobile machines and media that may get lost.
Rule 20 - Frequently audit (or have audited) the configuration of the central directory (for example Active Directory in Windows environments, or an LDAP directory).
Rule 21 - Set up compartmentalised networks. For machines or servers holding information of strategic importance to the company, create a subnetwork protected by a dedicated interconnection gateway.
Rule 22 - Avoid the use of wireless (Wi-Fi) infrastructures. If their use cannot be avoided, compartmentalise the Wi-Fi access network from the rest of the information system.
Rule 23 - Systematically use secure applications and protocols.
Rule 24 - Secure Internet interconnection gateways.
Rule 25 - Ensure that no machine on the network has an administration interface reachable from the Internet.
Rule 26 - Clearly define the objectives of system and network monitoring.
Rule 27 - Define event log analysis methods.
Rule 28 - Prohibit all Internet access from administration accounts.
Rule 29 - Use a dedicated network for the administration of machines, or at least a network that is logically separated from the user network.
Rule 30 - Do not grant administration privileges to users. Make no exceptions.
Rule 31 - Only authorise remote access to the company network, even for network administration, from company machines that use strong authentication and protect the integrity and confidentiality of traffic by robust means.
Rule 32 - Robust access control mechanisms for the premises must be used without exception.
Rule 33 - Keys to the premises and alarm codes must be scrupulously protected.
Rule 34 - Do not leave network sockets giving access to the internal network reachable in locations that are open to the public.
Rule 35 - Define rules for the use of printers and photocopiers.
Rule 36 - Develop an IT recovery and business continuity plan, even if only in outline, that is regularly updated and sets out how the company's essential data is safeguarded.
Rule 37 - Implement an alert and response chain that all parties involved are familiar with.
Rule 38 - Never simply clean an infected machine without first establishing how the malware came to be installed on it, whether it has spread elsewhere on the network, and what data has been accessed.
Rule 39 - Make users aware of the basic IT rules.
Rule 40 - Periodically carry out a security audit (at least annually). Each audit must be accompanied by an action plan, the implementation of which should be monitored at the highest level.
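Several of the rules above can be checked mechanically rather than by reading a spreadsheet once a year. The Python script below is an added example (it is not part of the original list and not the list author's code) that automates two of them: Rules 2, 3 and 8, by comparing a directory export of privileged-group membership against the approved inventory and the HR leavers list, and Rules 25 and 29, by flagging administration services that listen outside the dedicated admin network. The group names, the `initial.surname` naming convention, the 365-day re-certification interval, the `10.10.0.0/24` admin subnet, the port list and all input records are constructed assumptions for the demonstration.

```python
"""Automated checks for some of the 40 rules (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    rule: str      # number of the rule that is violated
    subject: str   # account or listening socket concerned
    reason: str


# --- Rules 2, 3, 8: privileged-account inventory -------------------------------

# Constructed: the approved inventory of privileged accounts (Rule 2).
APPROVED = {
    "Domain Admins": {"j.smith", "a.khan"},
    "Server Admins": {"a.khan", "m.lopez", "r.chen"},
}
# Constructed: today's export from the directory, "group;account;member since".
LIVE_EXPORT = """\
Domain Admins;j.smith;2021-11-03
Domain Admins;a.khan;2021-09-14
Domain Admins;svc_backup;2022-01-20
Server Admins;a.khan;2021-09-14
Server Admins;m.lopez;2021-06-01
Server Admins;p.dupont;2020-03-02
"""
LEAVERS = {"p.dupont"}                    # constructed HR leavers list (Rule 3)
NAMED = re.compile(r"^[a-z]\.[a-z]+$")    # assumed convention: initial.surname (Rule 8)
RECERT_DAYS = 365                         # assumed re-certification interval


def parse_export(text):
    """Return {group: {account: membership_date}} from the export format above."""
    members = {}
    for line in text.strip().splitlines():
        group, account, since = line.split(";")
        members.setdefault(group, {})[account] = date.fromisoformat(since)
    return members


def audit_privileged(live, approved, leavers, today):
    findings = []
    for group, accounts in live.items():
        for account, since in accounts.items():
            subject = f"{group}/{account}"
            if account not in approved.get(group, set()):
                findings.append(Finding("2", subject, "not in approved inventory"))
            if account in leavers:
                findings.append(Finding("3", subject, "owner has left, account still privileged"))
            if not NAMED.match(account):
                findings.append(Finding("8", subject, "generic or service account, not a named person"))
            if (today - since).days > RECERT_DAYS:
                findings.append(Finding("2", subject, "membership older than re-certification interval"))
    # Inventory drift in the other direction: approved but no longer present.
    for group, accounts in approved.items():
        for account in accounts - set(live.get(group, {})):
            findings.append(Finding("2", f"{group}/{account}", "in inventory but no longer in directory"))
    return findings


# --- Rules 25, 29: administration interfaces -----------------------------------

ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed dedicated admin network
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 8443: "mgmt-https"}
# Constructed listening-socket listing: "host proto local-address:port process".
LISTENERS = """\
web01 tcp 0.0.0.0:22 sshd
web01 tcp 0.0.0.0:443 nginx
web01 tcp [::]:8443 tomcat
db01 tcp 10.10.0.5:22 sshd
db01 tcp 127.0.0.1:3306 mysqld
ts01 tcp 192.0.2.10:3389 TermService
ts01 tcp 10.10.0.9:5900 x11vnc
"""


def parse_listeners(text):
    for line in text.strip().splitlines():
        host, proto, local, proc = line.split()
        addr, port = local.rsplit(":", 1)          # handles [::]:8443 as well as 1.2.3.4:22
        yield host, proto, ipaddress.ip_address(addr.strip("[]")), int(port), proc


def audit_admin_interfaces(text, admin_net, admin_ports):
    findings = []
    for host, proto, addr, port, proc in parse_listeners(text):
        if port not in admin_ports:
            continue
        subject = f"{host}:{port} ({admin_ports[port]}/{proc})"
        if addr.is_unspecified:          # 0.0.0.0 or :: reaches every interface, including public ones
            findings.append(Finding("25", subject, "bound on all interfaces, including non-admin ones"))
        elif addr.is_loopback or addr in admin_net:
            continue
        else:
            findings.append(Finding("29", subject, f"bound to {addr}, outside admin network {admin_net}"))
    return findings


def run_audit(today=date(2022, 2, 2)):
    return (audit_privileged(parse_export(LIVE_EXPORT), APPROVED, LEAVERS, today)
            + audit_admin_interfaces(LISTENERS, ADMIN_NET, ADMIN_PORTS))


if __name__ == "__main__":
    for f in run_audit():
        print(f"Rule {f.rule}: {f.subject}: {f.reason}")
```

On the constructed data this reports the service account sitting in Domain Admins, the departed user still in Server Admins, an approved admin who has disappeared from the directory, and three administration listeners (SSH and the management HTTPS port bound to all interfaces, RDP bound to a public address) that Rule 25 and Rule 29 forbid. In practice the export and socket listing would come from the directory and from the asset management tool of Rule 16; the point is that the inventory of Rule 2 and the segregation of Rule 29 are both things a script can diff against reality on every run, not only at the annual audit of Rule 40.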