Updated: July 16, 2005
Making Sense of Compliance: The Checklist
1. Position your organization to meet current and future regulations.
Although each of the major regulations has a specific deadline and potentially differing requirements, it is important to think about compliance as an ongoing effort. There are several steps you can take to develop a strong foundation so your organization can be more efficient and compliant in meeting new regulations.
• If you haven’t already, hire or appoint a dedicated security resource on staff to establish company-wide security best practices and policies.
• Analyze and document your business processes. You have to know your standard procedures before you can implement controls or security measures on those processes. In this phase, you should identify and classify the business data on your network by sensitivity and confidentiality requirements, determine who has access to the data and how they access and use it, and decide where you need to implement controls.
• Create a comprehensive company-wide set of security policies. These policies should address everything from appropriate use of company resources to treatment and handling of confidential data. For guidance about effective security policies, see the Security Risk Management Guide.
• Educate users on an ongoing basis about company policies and security best practices. You may want to distribute The Information Workers Security Handbook to all your employees. View the complete guide.
2. Keep your systems up-to-date through a comprehensive patch management solution.
• If you haven’t already, consider deploying Windows Server 2003 Service Pack 1 and Windows XP Professional Service Pack 2. The security enhancements in these operating systems can help you reduce patch management costs.
• Make sure you have a solution such as Windows Server Update Services or Systems Management Server (SMS) to help you assess, control, and automate the deployment of Microsoft software updates for Windows and other Microsoft products like Office and Exchange. These solutions also have comprehensive reporting capabilities to help you demonstrate your ongoing compliance efforts.
• Monitor your systems for missing security updates using a tool such as Microsoft Baseline Security Analyzer 2.0 or SMS. These tools also provide extensive reporting capabilities so you can easily demonstrate compliance to company auditors.
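As an added example (not part of the original checklist, and not MBSA or SMS code), the following PowerShell script asks the Windows Update Agent which applicable updates a host has not yet installed, writes them to a CSV an auditor can review, and exits non-zero when any of them are security updates; the report path is an assumption.

```powershell
# Added example: report security updates that are applicable but not installed,
# using the Windows Update Agent COM API (Microsoft.Update.Session).
# Assumes: Windows host with PowerShell and the Windows Update Agent;
# $ReportPath is a hypothetical output location.
$ReportPath = "C:\Temp\missing-updates.csv"

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Applicable software updates that are neither installed nor hidden by an administrator
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$missing = foreach ($u in $result.Updates) {
    [PSCustomObject]@{
        Computer   = $env:COMPUTERNAME
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ';'
        Title      = $u.Title
        Severity   = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        Categories = ($u.Categories | ForEach-Object { $_.Name }) -join ';'
        Checked    = (Get-Date).ToString('s')
    }
}

# The checklist cares about security updates; other categories stay in the CSV for context
$security = @($missing | Where-Object { $_.Categories -match 'Security Updates' })

$missing | Export-Csv -Path $ReportPath -NoTypeInformation
"{0}: {1} update(s) missing, {2} of them security updates" -f `
    $env:COMPUTERNAME, @($missing).Count, $security.Count

# A non-zero exit code lets a scheduled task or management agent flag the host as non-compliant
if ($security.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it per host (for example as a scheduled task) and collect the CSVs centrally; the exit code gives the management system a simple compliant/non-compliant signal without parsing the report.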
3. Adopt an overall defense-in-depth security model.
Having a holistic security strategy gives you greater resiliency in the face of a cyber-attack. You are better positioned to contain the effects of any malware infection and guard the integrity and confidentiality of corporate data, a key milestone in maintaining regulatory compliance.
• Install and maintain anti-malware solutions such as antivirus and anti-spyware across desktops and servers. Consider implementing Sybari Antigen on your email gateways and at the perimeter. I also encourage you to test out the beta of Microsoft Windows AntiSpyware.
• Employ complementary security programs such as host-based and desktop firewalls and host- and network-based intrusion detection and prevention. For example, you can deploy the host-based firewall available in ISA Server 2004 and the Windows desktop firewall in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.
• Evaluate the use of the IPSec capabilities in Windows Server 2003, Windows XP and Windows 2000 to help isolate and protect critical network segments from security threats. This additional layer can also help address security concerns introduced when partners or vendors need to connect to your network.
For more information about the Defense-in-depth security model, see the Defense-in-depth guide.
4. Develop a comprehensive Identity and Access Management Strategy.
Many of the regulations include requirements that can be met through effective identity and access control. Your goal is to ensure that only authorized users with specific access rights can perform specific actions.
• If you haven’t already, deploy Active Directory in Windows Server 2003. Active Directory provides centralized management of your user accounts, so you can ensure that all digital identities and privileges are up-to-date. It also helps you audit the users in your environment more easily.
• Implement role-based access control, where application permissions are mapped to organizational roles rather than individual users, to ensure that only the appropriate people in your environment can access data and applications.
• Use strong authentication. Start by implementing a strong password policy. Password policy features in Windows Server 2003 can help you enforce your policy. Next, take advantage of the security and authentication services in Windows Server 2003 and complementary partner solutions to deploy additional factors of authentication. You can use smart cards, biometric devices, or tokens for access to data that you classified as “sensitive” or confidential during your security review.
For more information about identity and access management, take a look at our May Security360 Webcast.
5. Improve document management and control.
It is best not to let individual users or groups determine how to protect documents: an inconsistent approach to document control can be difficult to manage and hard to audit. Instead, create a centralized infrastructure for document management and control, and make sure controls are consistently applied across your organization.
• Consider implementing Windows Rights Management Services (RMS) and the Information Rights Management feature in Office 2003 to help safeguard confidential information, such as customer information and financial records. RMS enables information workers to define exactly how information can be used, such as who can open, modify, print, forward or take other actions with the message and any attachments. You can also develop RMS templates for the consistent application of document controls.
• Deploy a solution to provide secure archiving. For example, Liquid Machines offers gateway-based document and e-mail control solutions that complement Windows Rights Management Services.
• Additionally, consider implementing the Encrypting File System in Windows Server 2003 and Windows XP as an additional layer of security to help protect your data. This is especially important if a laptop or mobile device is lost or stolen.
6. Monitor Performance.
To achieve and maintain compliance, you must be prepared to log and report on your progress.
• Consider deploying an enterprise reporting system. For example, you can use Microsoft System Center Reporting Manager with SMS 2003 or Microsoft Operations Manager to streamline your report management. System Center Reporting consolidates change and configuration information from SMS 2003 and event and performance information from Microsoft Operations Manager to give you easy access to reports.
• Perform assessments on a regular basis to assess the effectiveness of your security policies.
• Be prepared to modify and update your security policies as necessary, and be sure to communicate policy updates to your employees on an ongoing basis.