Best Practices

  • Clearly establish and enforce all policies and procedures.

    Many security incidents are accidentally created by IT personnel who have not followed or understood change management procedures or have improperly configured security devices, such as firewalls and authentication systems. Your policies and procedures should be thoroughly tested to ensure that they are practical, clear, and provide the appropriate level of security.

  • Provide comprehensive training on tools to your incident response team.

    Ensure that you provide training to your Computer Security and Incident Response Team (CSIRT) on the use and location of tools that will be used during an incident response. Consider providing portable computers preconfigured with these tools to ensure that no time is wasted installing and configuring tools when responding to an incident. These systems and the associated tools must be properly protected when not in use.

  • Verify your backup and restore procedures.

    Be aware of where backups are maintained, who can access them, and your procedures for data restoration and system recovery. Make sure that you regularly verify backups and media by selectively restoring data. Ensure that your backup retention policy supports incident response by including trusted copies of incident response tools and process documents in any offsite backup.

  • Assemble all relevant communication information.

    Ensure that you have contact names and phone numbers for the people within your organization who need to be notified (including members of the CSIRT, those responsible for supporting all your systems, and those in charge of media relations). You will also need details for contacting your ISP and local and national law enforcement agencies. Consider contacting local law enforcement agencies before an incident happens to ensure you understand proper procedures for communicating incidents and collecting evidence.

  • Always conduct post-mortem reviews of security incidents.

    Make sure to hold a session to discuss what can be learned from each incident and incorporate those lessons into your organization's policies, procedures, build process, and network design. Given the amount of effort typically associated with responding to an incident, missing out on this potential benefit would be a shame.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189