Security - continued
Physical access to your computer systems is one of the most important things to take care of. As an IT policy, restrict access to your server room. Open network plugs are one of the biggest dangers, and the easiest intrusion possible is through the meeting rooms. Psychologically, the situation looks normal: there is a stranger in the meeting room, everybody thinks he is waiting for somebody from the office, and in the meantime he is connected to the company network and checking e-mails. Are you sure? What about this stranger browsing your unsecured network shares and silently copying unprotected documents? Develop strict procedures for telephone calls and emergencies. Are you sure that the person calling in on Saturday evening asking for his blocked password to be reset is who he claims to be?
Do not under- or overestimate the technical background of your users. Some can be very talented, while for others a computer is no more than an electronic typewriter. Communicate your IT procedures simply and enforce them. Tell them that torrent, peer-to-peer, HTTP and FTP protocols are not allowed in the company. If a user needs to download files from an HTTP/FTP server, develop procedures to assist them immediately and let them have the files. Do not force your users to go home, download files from their own computer and bring them to work on their malware-infected USB sticks. Tell them the risks associated with doing particular things, give examples, and explain why you have to take such action. Do not be the “Preventer of Information Systems.” Your users are smart enough to understand everything if it is communicated clearly.
Make extensive use of virtualization technology. I suggest that you check all incoming connections on a virtual “controlling” computer and then let them into the network, but only if the scan results raise no question marks. An example is scanning incoming e-mails on a virtual server before letting them through to the intranet. This way, you will keep your network safe to some degree. And if something goes wrong because of a false negative, you can shut down or isolate the virtual mail server without taking down all the network connections, file shares, etc., and work on the problem. It is also a good idea to block all e-mails containing executable (exe) files and to scan the contents of attached zip files.
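The attachment rule at the end of the paragraph above (block executables, look inside zip files), as an added example that is not part of the original article. The function names, the extensions other than `.exe`, and the nesting and size limits are assumptions; it checks names and file headers only and does not replace the malware scan on the controlling server.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".exe", ".scr", ".com")  # ".exe" is from the text; the others are assumed
MAX_DEPTH = 2                           # assumed limit on zip-inside-zip nesting
MAX_MEMBER = 20 * 1024 * 1024           # assumed per-file size limit (zip-bomb guard)

def scan_blob(name, data, depth=0):
    """Return the reasons (possibly none) for blocking one attachment."""
    if name.lower().endswith(BLOCKED_EXT) or data[:2] == b"MZ":  # MZ = DOS/PE header
        return [f"executable: {name}"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    if depth >= MAX_DEPTH:
        return [f"zip nested too deeply: {name}"]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                    findings.append(f"encrypted or oversized member: {member}")
                else:
                    findings += scan_blob(member, zf.read(info), depth + 1)
    except zipfile.BadZipFile:
        findings.append(f"unreadable zip: {name}")
    return findings

def scan_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or (name is None and part.get_content_maintype() == "text"):
            continue  # skip containers and the plain message body
        findings += scan_blob(name or "(unnamed)", part.get_payload(decode=True) or b"")
    return findings

def constructed_sample():  # constructed input: zip hiding a PE stub renamed to .pdf
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("invoice.pdf", b"MZ\x90\x00 constructed stub")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```

A message is delivered to the intranet only when `scan_message` returns an empty list; anything else is held on the virtual mail server for review.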
Read Securing and Optimizing Linux. The book is available as a free download and will get you started in a very short time. Do not forget to check your bookstore for a newer edition or other books on the subject. Try what you learn on your virtual test server first and, once it works, apply it to the production server.