Best Practices for User Domain Policies

A best practice is a leading technique, methodology, or technology that through experience has proved to be reliable. Best practices tend to produce a consistent, high-quality result. The following short list of best practices focuses on the user and is found in security policies. These best practices go a long way toward protecting users and the organization. Policies should require the following practices:

  • Attachments—Never open an email attachment from a source that is not trusted or known.
  • Encryption—Always encrypt sensitive data that leaves the confines of a secure server; this includes encrypting laptops, backup tapes, emails, and so on.
  • Layered defense—Use an approach that establishes overlapping layers of security as the best way to mitigate threats.
  • Least privilege—The principle of least privilege is that individuals should have only the access necessary to perform their responsibilities.
  • Best fit privilege—The principle of best fit access privilege holds that individuals should have the limited access necessary to fulfill their responsibilities and have their access managed efficiently.
  • Patch management—Be sure all network devices, including user desktop and laptop computers, have the latest security patches. Patch management is an essential part of a layered defense. Even when you do everything right, there may be a vulnerability in the vendor’s system or application. An effective patch management program mitigates many of these risks.
  • Unique identity—All users accessing information must use unique credentials that identify who they are; the only exception is public access to a public-facing website.
  • Virus protection—Virus and malware prevention must be installed on every desktop and laptop computer.