Security Principles

Organisations and individual users need to work together to ensure secure interactions with Iroha installations. This topic explains the basic principles behind this cooperation.

General Security Principles

  1. Use a Virtual Private Network (VPN):

    • Whenever accessing sensitive data or resources, especially over public networks, use a VPN to establish a secure connection that safeguards your information.
  2. Use a firewall for network protection:

    • Strengthen home and/or office networks by setting up a firewall that helps to counter unauthorized access and protect the connected devices from viruses and malware.
  3. Secure physical and digital information:

    • Safeguard physical documents containing sensitive information in a secure location, and ensure digital documents are encrypted and stored in password-protected folders.
  4. Keep regular data backups:

    • Always have copies of your important information saved somewhere safe. This way, if you lose your data or something goes wrong, you can quickly get everything back on track. Keep these backups in a different secure place from where you usually keep your data.

Security Principles for Individual Users

  1. Adopt robust authentication rules:

    • Utilise strong and unique passwords for all accounts.

    • Never reuse passwords.

    • Set up two-factor authentication (2FA) whenever possible. 2FA improves overall security by requiring not only a password but also an additional factor, such as a one-time password (OTP), a fingerprint, or a third-party authenticator app (e.g., Google Authenticator).

    • Avoid using SMS authentication as the second factor. There is no guarantee that malicious software is not monitoring all of your SMS messages. For example, Android applications cannot be limited to only accessing the messages intended specifically for them.

  2. Exercise caution in digital communication:

    • Set up an email client to sign outgoing emails and verify the signatures of all received emails. While it is possible to impersonate the sender's address and even pose as a bank, it is not possible to fake a signature.

    • Disable both HTML messages and loading of external resources from unknown or unverified addresses.

    • Learn about common phishing techniques to recognise and avoid suspicious emails, links, and requests for personal information.

  3. Safeguard personal information:

    • When communicating with unfamiliar individuals, especially on the phone or online, be careful about sharing private information.

    • Consider independently researching the individuals or organizations you are communicating with to confirm the legitimacy of their identity.

    • Be mindful of the personal information you share on social media platforms, as malicious parties can exploit this information.

Security Principles for Organisations

  1. Establish clear security policies and procedures:

    • Develop well-defined security policies and protocols for all employees dealing with sensitive data. Thoroughly train employees to adhere to these guidelines, mitigating the risk of negligent actions.

    • Ensure that security policies are accessible to all employees and are regularly reviewed and updated to reflect changing security landscapes.

    • Supplement the security policies with examples and scenarios to make them more relatable and actionable for employees.

  2. Cultivate employee awareness:

    • Educate employees about data and operational security measures. Heightened awareness and comprehensive training are pivotal in fortifying organizational security.

    • Encourage employees to report any suspicious activities or security concerns promptly.

  3. Protect physical infrastructure:

    • Restrict physical entry to servers and infrastructure. Set up access controls that only allow authorised personnel to enter restricted areas.

    • Ensure that access control measures are regularly reviewed and updated to align with evolving security needs.

    • Consider implementing biometric access controls for sensitive areas to enhance physical security.

  4. Deploy security monitoring:

    • Enforce a comprehensive security monitoring system that scrutinizes activities and identifies potential security breaches.

    • Implement automated alerts to promptly notify security personnel of any unusual or unauthorized activities.

    • Consider using machine learning algorithms to enhance the system's ability to detect anomalies and potential threats.

    • Employ staff or designate personnel to oversee database security; identify, track and address software vulnerabilities; and conduct regular checks on critical machines for unauthorized software not included in the approved list.

  5. Conduct recurring security audits:

    • Perform routine security audits to evaluate vulnerabilities and confirm that established security measures align with commonly accepted standards and regulations.

    • Consider hiring external security experts for periodic assessments to gain an impartial evaluation of your organization's security condition.

  6. Implement an access control system:

    • Set up a role-based access control system to ensure that employees only have access to the resources and information necessary for their roles.

  7. Embrace continuous improvement:

    • Recognize that security is a continuous process. Maintain ongoing assessment of security measures and proactively enhance them to address emerging threats and challenges.

    • Consider establishing a feedback loop that encourages employees to contribute security improvement suggestions, fostering a culture of continuous enhancement.