We all face it - the daily barrage of spam, now infested with zero-day malware attacks, not to mention the risks of malicious insiders, infected laptops coming and going behind our deep packet-inspecting firewalls and intrusion-prevention systems. Some even have to worry about how to prove steps of due care and due diligence towards a growing roster of regulatory compliance pressures.
What can you do under so much extreme pressure to make 2007 a better year, not a year loaded with downtime, system cleanup and compliance headaches? I've come up with what I would consider some of the best network security practices.
Best practices are things you do - steps you take - actions and plans. Within those plans, I'm certain you will include which security countermeasures to budget for in 2007. Although I thought about going into details about recent security concepts, such as unified threat management or network admission control, it seems more appropriate to focus on the seven best practices instead of the seven best security tools you might consider deploying. For example, I consider encryption a best practice and not a product or tool. I'm sure you'll find many commercial and freely available tools out there. You can always evaluate those tools which you find most suited for your own best-practice model.
Here's my best practice list, in order of importance:
1) Roll out corporate security policies
2) Deliver corporate security awareness and training
3) Run frequent information security self-assessments
4) Perform regulatory compliance self-assessments
5) Deploy corporate-wide encryption
6) Value, protect, track and manage all corporate assets
7) Test business continuity and disaster recovery planning
Although I could have made this list a little bit longer, these seven make the cut because if you implement them, you should see a rapid improvement in network uptime, performance and your IT regulatory compliance posture. Let's take a closer look.
COBIT model, the e-tail/retail-oriented PCI model from the PCI Security Standards Council and an extremely comprehensive international model called ISO 27001/17799. Any of these models would be a great starting point. Once you start working with a model, you'll need to create, as the U.S. military says, a "simplified English" model, one that an 8th grader can understand. Why? So every individual in your organization can understand these policies. Most employees in any organization are not INFOSEC or compliance experts, so plan out a plain-English roll-up of each section of your corporate security model for all employees to see, acknowledge and support the implementation of throughout your organization. Keep the detailed model available for IT staff, your CIO and anyone who helps you implement network security and IT support of regulatory compliance.
If these models are too overwhelming for you, just remember that good network security always starts with a living security policy. Even if it is one page, it should be an outline of security practices that every executive in the organization agrees to live by. Basic rules should include guidelines for everything from user access and passwords to business continuity planning and disaster recovery planning (BCP and DRP). For example, you should have policies in place for backing up financials and confidential customer records as well as mirroring systems to be better prepared, proactively, in the event of a disaster. In some cases, your BCP and DRP may even require a 'cold' or 'warm' site where you can quickly relocate your staff to continue operations after a natural disaster or terrorist attack. Implementing a corporate security policy is the first step in achieving proactive network security.
To get some heft behind your corporate security policies, work out with the executives what happens when someone violates one or more of your policies. Was the violation intentional? Was the action criminal? For example, an employee violates one of your eyes-only access policies, copies all of the employee records out of the HR database and posts this information on a public site. If this happens, what would you do? You should let all personnel know the policies and the costs associated with violation.
Take a look at this site to see how many records have been lost or stolen. Did these organizations have the best corporate security policies in place? Did any of these incidents occur because of a malicious insider?
Put some teeth into your policies by getting executive-level support not only for their implementation but also for the consequences of violations. These could include a written reprimand, day without pay, fired with cause, civil suit, documenting the violation with the local authorities and possible criminal suit.
Sharing this information with all employees will give any potential malicious insiders something to think about before they cause harm to your organization. Take a look at this site to see case law and more information on hacker cases and malicious insiders.
By planning on the worst-case scenario, you'll be better prepared for policy violations. With this information under your belt, let's try to take the bright side and assume the attack against your corporate security policies will not be from insiders but from external threats. If all employees are on board and help you implement your policies, your network security and regulatory compliance posture should be strong. The best way to get them on board is through corporate security awareness and training.
here and then find more details at the National Vulnerability Database hosted by NIST.
Speaking of NIST, it has best-practice guidelines for setting up servers and systems, called STIGs. The Cyber Security Research and Development Act requires NIST to develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the federal government.
Why not take advantage of this resource? DISA now provides the public with direct access to its STIGs and Checklists. On the DISA Web page, you may sign up for the "STIG-News Mailing List" to be notified when the latest STIGs are available.
Do a search for a Windows Server STIG and see if you can find some hardening tips that you never thought to apply to one of your critical Windows servers. Also, the NSA offers a best-practice guide to setting up a Windows Server, along with many other free and useful security resources. If it's good enough for federal government network security, it should be good enough for you.
Perform your own security self-assessment against these best-practice recommendations of the U.S. government. Find all of the holes in your INFOSEC environment so that you can document them and begin a workflow process and plan to harden your network. Network security is a process, not a product, so to do it right, you need to frequently self-assess against the best guidelines you can find.
list.
The best practice is to look at all aspects of electronic communication and data manipulation throughout your enterprise. That should include all instant messaging, file transfer, chat, e-mail, online meetings and webinars, plus all data creation, change, storage, deletion and retrieval.
How are customer records stored? How are electronic versions of other confidential information protected? Backing up the data is not enough.
You should setup a VPN for those who have access to your network from the outside. Make sure the systems that access your network through the encrypted tunnel are also not the weakest links in your infrastructure. Don't let them in if they aren't fully patched, up to date, scrubbed for malware and authenticated. If you let go of an employee with a laptop, get the equipment back - and in the meantime, close their VPN tunnel.
You can encrypt everything from your hard drives to your e-mail sessions to your file transfers. There are numerous free tools out there, for hard drives; for Web, e-mail and instant messaging; plus the grand-daddy of free encryption, PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991.
But encryption is not to be taken lightly. You'll need policies in place for key storage and password access so if ever the keys and passwords are lost by the end users, you'll have a way back in to decrypt the information, reset the keys or change the passwords.
You might find out that some of the servers and services you are running already offer encryption if you simply check the box and turn this feature on. If a laptop with confidential records is stolen, but the thief doesn't have the password or key to decrypt the data, it will be useless to them. If someone is eavesdropping on your new VOIP phone system using a tool like Ethereal and the voice-over-misconfigured-internet-telephony (VOMIT) attack, they won't get very far if all the data stream is encrypted.
I recommend you encrypt your communications and data whenever and wherever possible.
SugarCRM for their customer relationship management (CRM) system? Does SugarCRM offer a backup service for your sales team? You might find out that the salespeople placed an entire customer list on their own Web server that they are managing without telling you. Then, when the server they are using crashes, you'll get a wake-up call to restore probably one of the most valuable assets in the corporation.
If you did a physical security and asset inspection walk-around, you might have found this 'new' server and taken control of it - enabling encryption, setting up a daily backup schedule and getting it on your maintenance program.
You can't protect what you don't know about. It's very important to have a handle on all corporate assets. You can quickly build a spreadsheet that includes the value of each asset - from an IT standpoint, not necessarily from the CFO's. Then, you'll be able to consider what INFOSEC countermeasures such as encryption, strong authentication, separate subnet, quality-of-service provisioning, backup plan, etc., you'll need to put in place to reduce the risk of downtime, data theft or loss of a critical asset.
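One way to turn that asset spreadsheet into a prioritised worklist is shown below. This is an added example, not code from the article or from NetClarity: the inventory rows are constructed, and the rule for which of the article's countermeasures an asset needs, along with the scoring formula, are my assumptions that you would tune to your own environment.

```python
import csv
import io

# Constructed sample inventory. value is the IT-impact rating (1-5, not the CFO's
# book value); sensitive marks confidential or customer data; exposed marks hosts
# reachable from outside the corporate LAN; the remaining columns record which
# countermeasures are already in place. The sales CRM box is the "found on a
# walk-around" server nobody told IT about.
INVENTORY_CSV = """\
asset,owner,value,sensitive,exposed,encryption,strong_auth,separate_subnet,backup,maintenance
hr_database,IT,5,yes,no,yes,yes,yes,yes,yes
finance_fileserver,IT,5,yes,no,no,yes,no,yes,yes
sales_crm_webserver,sales,4,yes,yes,no,no,no,no,no
lobby_kiosk,facilities,1,no,yes,no,no,yes,no,yes
"""

# Assumed policy: when each countermeasure from the article is required.
REQUIRED = {
    "encryption": lambda a: a["sensitive"],
    "strong_auth": lambda a: a["sensitive"] or a["exposed"],
    "separate_subnet": lambda a: a["exposed"] or a["value"] >= 4,
    "backup": lambda a: a["value"] >= 3,
    "maintenance": lambda a: True,  # everything you know about gets patched
}

def load_inventory(text):
    """Parse the CSV register into dicts with typed value/boolean columns."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rec = {"asset": r["asset"], "owner": r["owner"], "value": int(r["value"])}
        for col in ("sensitive", "exposed", *REQUIRED):
            rec[col] = r[col].strip().lower() == "yes"
        rows.append(rec)
    return rows

def gaps(asset):
    """Countermeasures the policy requires for this asset but which are absent."""
    return [m for m, needed in REQUIRED.items() if needed(asset) and not asset[m]]

def risk_score(asset):
    # Assumed formula: impact, doubled for outside-reachable hosts, scaled by
    # the number of missing controls so unmanaged assets float to the top.
    return asset["value"] * (2 if asset["exposed"] else 1) * (1 + len(gaps(asset)))

def prioritize(text):
    """Return (asset, score, missing controls), highest risk first."""
    inv = load_inventory(text)
    return sorted(((a["asset"], risk_score(a), gaps(a)) for a in inv), key=lambda t: -t[1])

if __name__ == "__main__":
    for name, score, missing in prioritize(INVENTORY_CSV):
        print(f"{score:3d}  {name:22s} missing: {', '.join(missing) or 'none'}")
```

Feed it the exported spreadsheet instead of the inline sample and the top of the list is your hardening backlog for the quarter.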
7) Test business continuity and disaster recovery planning
Business continuity, in layman's terms, means "keeping the lights on," while disaster recovery means "what do we do when the lights go out" and we need them to stay on.
You should perform tests against your business continuity and disaster recovery plans as often as reasonably possible, no less than once per year and as frequently as four times per year.
Doing it off-hours such as on a Sunday evening might be best so that you don't disrupt the operations of your organization. The best way to create your first BCP/DRP is to think up a list of "what if" scenarios.
You can make this fun and interesting for your IT fellows by asking them to come up with a list that's at least 10 times longer than my sample list that follows. Whoever comes up with the longest credible "what if" list should win a prize. Some of the tests you should perform include the following:
What if:
a) the power went out
b) the router went down
c) the phone system went down
d) the Internet went down
e) a critical server went offline
f) a hard drive became corrupt
g) an application crashed
h) a malware outbreak occurred on your network
i) the heating/air-conditioning system stopped working
j) a natural disaster occurred
k) the flu spread throughout your organization
I'm sure you can think of other problems that might disrupt your organization. Write these all down. In the COBIT and ISO 27001/17799 models, you'll find a wealth of information about BCP and DRP planning. See if there is anything you missed that you think would affect your operations.
Do you have a cold, warm or hot backup site in case of a critical emergency? If not, you should start planning one. If you can't afford one, could you create a 'virtual' office telecommuting situation where your organization could continue to operate virtually until you've resolved your emergency situation?
Making 2007 a Great Year for IT
Knowing we are under constant attack and risk, now is the best time to begin implementing these seven best practices for network security in 2007. Hackers, malicious insiders and cyber-criminals have had their field day in 2006 - hijacking our corporate LANs and placing most organizations at risk of being out of compliance, tarnishing our brands, reducing our productivity and employee morale - placing most of us in the passenger seat on a runaway Internet. By taking a more proactive approach, setting measurable goals and documenting your progress along the way, you might find yourself in the driver's seat of IT security in 2007.
Gary S. Miliefsky is founder and CTO of NetClarity, Inc., and a founding member of the U.S. Department of Homeland Security.