Personal Office Sec Checklist

05/08/2016 · 1 Min Read — In Office, Security

There are many more things you could do, but this is the minimum bar I set for my team; they're all software developers, so I don't harass 'em too much. We're a BYOD shop, but I still like to remind folks to be security conscious. If you're running Linux, you know better than me and you should send me your list; if you're on Windows, heaven help you.

  • If you can bear it, run your day-to-day machine as a regular user and keep a separate admin account for privilege escalation. Yes, it will hurt
  • Encrypt your startup drive with FileVault
  • Set auto-lock on your machine when inactive, and set a short screensaver timeout
  • Ensure all devices that touch company info use a lock (PIN, password, code, etc.)
  • Use good passwords: if you wrote it yourself or can remember it, it's probably not very good. Never use a password shorter than 14 chars
  • Have unique passwords per service, including your personal accounts. Never reuse, you heard me
  • Use your work email where you can and append +serviceName using Gmail's syntax (or alternately the n.a.m.e@ dot syntax); rely on your password manager to remember the exact email address
  • Be smart about password hygiene: keep passwords out of the browser and in 1Password (or your trusted tool; have a tool)
  • Set up SSH keys where you can, always with a passphrase (never a passwordless key), and keep passing passwords around to a minimum
  • Enable VPN on networks that are not ours, and maybe on the ones that are ours
  • Set up two-factor auth everywhere that offers it (GitHub, Google; see twofactorauth.org for who supports it)
  • Opt for SSL/HTTPS everywhere you can (Chrome & Firefox have extensions for this)
  • Consider using a separate, locked Keychain for high-value items or credentials that are not yours; AWS info for client accounts is a good example
  • Purge old certs from Keychain Access quarterly
  • Set up S/MIME certificates for your email client: https://www.instantssl.com/ssl-certificate-products/free-email-certificate.html
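As an added example (not part of the original post), a small audit that checks three of the items above against a password-manager CSV export: the 14-char minimum, password reuse across services, and whether each email login carries a +serviceName tag. The column layout and the sample rows are constructed assumptions, not a real 1Password export.

```python
import csv
import io
import re
from collections import defaultdict

MIN_LEN = 14  # the checklist's floor for password length

# Constructed sample export (title,url,username,password); not real credentials.
SAMPLE_EXPORT = """title,url,username,password
GitHub,https://github.com,alice+github@example.com,correct horse battery staple
AWS client-acme,https://aws.amazon.com,alice@example.com,Tr0ub4dor&3
Jira,https://jira.example.com,alice+jira@example.com,correct horse battery staple
Twitter,https://twitter.com,alice@example.com,Summer2016!!!!xyz
"""

# Matches a Gmail-style plus-tagged address such as alice+github@example.com
PLUS_TAG = re.compile(r"^[^@+]+\+[^@]+@")


def audit_export(csv_text, min_len=MIN_LEN):
    """Return (title, finding) tuples for every entry that breaks the checklist."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Index entries by password so reuse across services is visible.
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["title"])

    findings = []
    for row in rows:
        title, pw, user = row["title"], row["password"], row["username"]
        if len(pw) < min_len:
            findings.append((title, f"password shorter than {min_len} chars"))
        if len(by_password[pw]) > 1:
            others = [t for t in by_password[pw] if t != title]
            findings.append((title, "password reused on: " + ", ".join(others)))
        # Only email-style usernames are expected to carry a +serviceName tag.
        if "@" in user and not PLUS_TAG.match(user):
            findings.append((title, "email has no +serviceName tag"))
    return findings


if __name__ == "__main__":
    for title, finding in audit_export(SAMPLE_EXPORT):
        print(f"{title}: {finding}")
```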