Basic Rules of Microsoft Windows OS and Application Security

The basic rules of the Microsoft Windows OS and application security cover a lot of ground. These best practices are here to remind you to address basic security first. After that, you can fine-tune your OS, applications, and network. If you don’t cover the basics first, many advanced hardening efforts will be less effective than they could be. Here are some administrative and technical best practices to ensure your basic environmental components are secure:

Administrative best practices

  • Develop and maintain policies to implement each of the best practices in this section.

  • Educate users.

  • Establish incident response capabilities.

  • Ensure that you know which business functions are critical to your organization. Then, take whatever steps necessary to protect these functions in case of interruptions or disasters.

  • Develop a plan to continue all critical business functions in case of an interruption. This business continuity plan (BCP) should cover all aspects of your organization.

  • Define recovery time objectives (RTO) for each critical resource. Identify resources required for the recovery process. You’ll need to identify which parts of your recovery plan are sequential and which ones you can work on simultaneously.

  • Develop a backup plan for each resource that minimizes the impact on performance while keeping secondary copies of data as up to date as possible. Explore various options, including alternate sites and virtualization.

  • Document all backup and recovery procedures. Train all primary and backup personnel on all procedures.

  • Test all recovery procedures rigorously. Conduct at least one full interruption recovery test each year.

  • Review your complete recovery plan quarterly (or more frequently), and adjust for any infrastructure changes.

  • Update old password policies. Consult current National Institute of Standards and Technology (NIST) guidelines (https://pages.nist.gov/800-63-3/) for recommendations.

  • Do not write down passwords. Use passwords you can remember. When you write down passwords, they are easier for an attacker to find and use.

  • Never encrypt individual files—always encrypt folders. This keeps any sensitive data from ever being written to the disk in plaintext.

  • Designate two or more recovery agent accounts per organizational unit. Designate two or more computers for recovery, one for each designated recovery agent account.

  • Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder. This keeps sensitive information from being stored in plaintext on a print server.

  • Require strong passwords for all virtual private network (VPN) connections.

  • Trust only certificates from certificate authorities (CAs) or trusted sites. Train users to reject certificates from unknown or untrusted sites.

  • Require two-factor authentication (2FA) for access requests to sensitive information.

Technical best practices

  • Install anti-malware software on all computers.

  • Enable all real-time scanning (shield) options.

  • Update signature databases and software daily.

  • Perform a complete scan of all hard drives and solid-state drives (SSDs) at least weekly.

  • Perform a quick scan after installing or updating any software.

  • Enable boot-time virus checking, including boot sector and memory scan at startup options.

  • Remove administrator rights from all normal users.

  • Apply software and OS security patches.

  • Block outbound network connections that are not required for your applications.

  • Automate as many backup operations as possible. Create logs and reports that make problems with backup operations easy to recognize.

  • Verify all backup operations. A secondary copy of data with errors may be no better than a damaged primary copy of the data.

  • Export all encryption recovery keys to removable media and store the media in a safe place. Physically store your Encrypting File System (EFS) or BitLocker recovery information in a separate, safe location.

  • Encrypt the My Documents folder for all users. Since most people use My Documents for most document files, encrypting this folder will protect the most commonly used file folder.

  • Use multifactor authentication when using BitLocker on OS volumes to increase volume security.

  • Store recovery information for BitLocker in Active Directory Domain Services (AD DS) to provide a secure storage location.

  • Disable standby mode for portable computers that use BitLocker. BitLocker protection is in effect only when computers are turned off or in hibernation.

  • When BitLocker keys have been compromised, either format the volume or decrypt and encrypt the entire volume to remove the BitLocker metadata.

  • Use the strongest level of encryption that your situation allows for VPNs.

  • Use Secure Socket Tunneling Protocol (SSTP) or IKEv2 for VPNs when possible. IKEv2 is the newest VPN protocol from Microsoft.

  • Disable Service Set Identifier (SSID) broadcasting for wireless networks.

  • Never use Wired Equivalent Privacy (WEP) for wireless networks—use only Wi-Fi Protected Access (WPA/WPA2/WPA3).
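
Several of the technical items above can be checked on a single machine with a read-only audit. The following script is an added example, not part of the original text; it assumes Microsoft Defender is the installed anti-malware product, that the BitLocker module is available, and that it runs in an elevated PowerShell session. The check names and the `New-Finding` helper are illustrative.

```powershell
# Added example: read-only audit of checklist items on the local machine.
# Assumptions: elevated session, Microsoft Defender, BitLocker module present.
# Thresholds (1 day, 7 days) mirror the "daily" and "weekly" items in the list.

function New-Finding($Check, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }
}

$findings = @()

# Anti-malware: real-time scanning, signature age, last full scan.
$mp = Get-MpComputerStatus
$findings += New-Finding 'Real-time scanning enabled' $mp.RealTimeProtectionEnabled $mp.RealTimeProtectionEnabled
$findings += New-Finding 'Signatures updated within 1 day' ($mp.AntivirusSignatureAge -le 1) "$($mp.AntivirusSignatureAge) day(s) old"
$findings += New-Finding 'Full scan within 7 days' ($mp.FullScanAge -le 7) "$($mp.FullScanAge) day(s) ago"

# Administrator rights: list user accounts in the built-in Administrators group
# (well-known SID S-1-5-32-544), ignoring the built-in RID-500 account.
$extra = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notmatch '-500$' }
$findings += New-Finding 'No user accounts in local Administrators (review)' (-not $extra) ($extra.Name -join ', ')

# Outbound connections: effective firewall profiles that do not block by default.
$open = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.DefaultOutboundAction -ne 'Block' }
$findings += New-Finding 'Outbound default action is Block' (-not $open) ($open.Name -join ', ')

# BitLocker on the OS volume: protection state, multifactor protector, and a
# recovery password protector (needed before recovery info can be escrowed).
$os    = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
$types = @($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
$mfa   = $types | Where-Object { $_ -match '^Tpm(Pin|StartupKey|PinStartupKey)$' }
$findings += New-Finding 'OS volume protection is on' ("$($os.ProtectionStatus)" -eq 'On') $os.ProtectionStatus
$findings += New-Finding 'OS volume uses TPM plus PIN or startup key' $mfa ($types -join ', ')
$findings += New-Finding 'Recovery password protector present' ($types -contains 'RecoveryPassword') ($types -join ', ')

$findings | Format-Table -AutoSize -Wrap
```

A failed row is a prompt for review rather than proof of a problem: for example, the Administrators check cannot tell a designated admin account from a normal user.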
