Prerequisite : Hire smart people, and trust them to do their job.
I think that’s key to getting anything done in business and not specific to network security at all, however it’s worth considering before you do any of the below.
1) 1) Management and user education
Without educating management to the risks associated with modern network connectivity, insufficient effort and budget will be assigned to the task. This directly leads to fail. Network security education must also be presented in an enabling way, for example, “This is how to do stuff safely”, or “Implementing this security measure will allow us to conduct business with this partner while maintaining our security posture”, rather than a disabling “Don’t do that it’s naughty”.
This first point includes the education associated with AUP (Acceptable usage policies) for network connectivity and resource usage. Without defining acceptable and unacceptable usage of resources users will never know if they are misbehaving.
2) 2) Enforce sensible access controls
This point exists at many layers within the network, including user account management (with good passwords) via role based access (RBAC) and network access controls (and by network access controls, I refer to Firewalls not a NAC-like deployment).
Firewalls should be configured to only allow the required ingress and egress ports for communication through network segments while controlling the direction of trust.
3) 3) Patch, patch, patch, and then patch again.
Always keep up to date with security specific software updates, and automate this process wherever possible.
4) 4) Harden systems that do not operate in a “secure by default” model.
Make sure systems that operate in areas of high risk have the appropriate lock down applied to them including
- Disabling non-required services
- Remove/rename system or default user accounts
- Remove un-required applications
5) 5) Enable logging, audit system, network and user behavior in the context of the AUP. Monitor and react to violations and security events.
Central and sane event logging and its management is key to accomplishing this goal. Intrusion detection / Network security monitoring also fit in with this point as they are key to detecting the misuse or security violations on the network.
6) 6) Anti-ware (the modern equivalent of Anti-virus)
This is a must on user desktops and servers (where appropriate). Even though some AV software has lower than desirable virus detection rates, having something is better than nothing as long as it’s kept up to date (see point 3)!
7) 7) Segment the network into trust zones (Logical Security)
Every network should be made up of multiple zones with differing functions, e.g Management, Public DMZ, Servers, Clients. VLAN’s can be used to implement much of this segregation, and firewalls should be used to route data between those networks.
8) 8) Physical security
Make sure that the correct physical security controls are in place in your data-center. Consider and mitigate the risk of when a user’s laptop get stolen or “lost” after a four-hour business meeting in a high-class wine bar.
9) 9) Take Backups and test them!
Not taking and checking the quality of your backups *will* cause a lot of pain. Fact. Loosing data could mean losing the company, and therefore loosing your job.
10) 10) Enforce Change Management
Each change must be reversible. Any configuration change in a system or network must be canceled in case of problem or misconfiguration.
11) 11) Documents and create procedures
Document the topology and the architecture. Document the changes. Create procedure to be applied for critical tasks.
12) 12) Use the correct tools to do the job.
If budget is tight (and it always is), look for lower cost software alternatives. There is an amazing resource of high quality open source security software available that can help address many of the security points above. Make sure you research select good tools that your are comfortable with and can scale to meet future requirements.
And to conclude … implement controls and do some checks, to verify that rules are applied.