This documentation refers to an older version of CiviCRM (3.4 / 4.0).

...

1. Policies - Everything from who gets what kind of permissions to how you treat passwords. Password policies are critical (IMHO), because this is where you are very likely to see an attack. Some guidelines regarding passwords -

  • Are they long/obscure enough?
  • Are they ever transmitted in cleartext (without encryption)? Chat logs and email DBs are full of unencrypted passwords.
  • Do users keep them in a digitally secure store or are they written down in people's daily planners?
  • Are they changed when people leave the organization?
  • Are your backups secured?
  • Do you have policies regarding creation and storage of non-backup copies of DBs?
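The two password questions that are easiest to check mechanically are whether credentials sit in cleartext in chat or mail exports and whether the ones found are long and varied enough. The script below is an added example, not part of the original page or of CiviCRM: it scans constructed sample lines for the usual "password:" / "pwd=" patterns, reports each hit with the secret masked, and lists which rules of a simple (assumed) policy the secret fails. The keyword list and the thresholds are assumptions to adapt to your own policy.

```python
"""Added example: find cleartext credentials in exported chat or e-mail text
and check each one against a simple password policy. Not CiviCRM code; the
sample lines, the keyword list and the policy thresholds are constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample resembling a chat export and a mail-archive dump.
SAMPLE_LINES = [
    "2011-03-02 09:14 alice: can you log into the donor db for me?",
    "2011-03-02 09:15 bob: sure, what's the password?",
    "2011-03-02 09:16 alice: password: summer2011",
    "2011-03-02 09:20 bob: done. btw the new ftp pwd=Tr0ub4dor&3-CiviCRM",
    "2011-03-02 09:21 alice: thanks, I reset it after the intern left",
    "From: carol@example.org Subject: server creds -- pass: 12345",
]

# A credential keyword followed by ':' or '=' and a run of non-space characters.
# Line 2 ("what's the password?") is deliberately not matched: no separator.
CRED_RE = re.compile(r"\b(?:password|passwd|pwd|pass)\b\s*[:=]\s*(\S+)", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int          # 1-based line in the export
    masked: str           # first two characters kept, rest masked
    problems: list = field(default_factory=list)

def policy_problems(secret, min_len=12, min_classes=3):
    """Return the policy rules a password fails; an empty list means compliant."""
    problems = []
    if len(secret) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, secret)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"\W"))
    if classes < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if re.fullmatch(r"[a-z]+\d{2,4}", secret.lower()):
        problems.append("word followed by digits (common pattern)")
    return problems

def mask(secret):
    """Keep two characters so the owner can recognise it; hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)

def scan(lines):
    """Report every cleartext credential in the text without echoing it in full."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in CRED_RE.finditer(line):
            secret = m.group(1)
            findings.append(Finding(n, mask(secret), policy_problems(secret)))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        status = "; ".join(f.problems) or "meets policy, but is still exposed in cleartext"
        print(f"line {f.line_no}: {f.masked} -> {status}")
```

Note that the strong password on line 4 is still reported: the point of the cleartext question is that a password which has been pasted into a chat is compromised regardless of how good it was, so every hit is a finding and only the policy column differs.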

2. Network security -

  • Is your network hardware being kept updated? Security holes are routinely found in the software/firmware of the major network equipment brands.
  • Is your network being actively monitored for intrusion / sniffing?
  • Are all the other computers that you share local network resources with secured?

3. System security -

  • Is your OS up to date?
  • Are all unnecessary services turned off?
  • Are your IP ports being actively scanned and monitored?
  • Is your system adequately partitioned so that a successful attack on one user's or client's account will not affect other accounts?
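"Are all unnecessary services turned off?" is only answerable against a written list of the services that are supposed to be there. The script below is an added example (not from the original page or from CiviCRM) of that comparison: it parses listening sockets in the column layout of `ss -tulnH`, drops everything in an approved baseline, and tags each leftover by whether it is bound to loopback or reachable from the network. The sample output and the baseline (SSH and HTTP/HTTPS for a web host) are constructed assumptions; on a real host you would feed it the live `ss` output and your own baseline.

```python
"""Added example: compare the services a host is listening on with an approved
baseline, so that an unexpected daemon stands out. Not CiviCRM code; the
ss-style output below is constructed and the baseline is an assumption."""

# Constructed sample in the column layout of `ss -tulnH`
# (Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

# Assumed baseline for a web host: only SSH and HTTP(S) may face the network.
APPROVED = {("tcp", "22"), ("tcp", "80"), ("tcp", "443")}

# Bindings that are reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def parse_listeners(ss_output):
    """Yield (proto, address, port) for each line of ss -tulnH style output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # also handles [::]:22 and *:80
        yield proto, addr, port

def unexpected_listeners(ss_output, approved=APPROVED):
    """Return listeners absent from the baseline, tagged by how exposed they are."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        if (proto, port) in approved:
            continue
        exposure = "loopback-only" if addr in LOOPBACK else "network-reachable"
        findings.append({"proto": proto, "addr": addr, "port": port, "exposure": exposure})
    return findings

if __name__ == "__main__":
    for f in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['exposure']:18} {f['proto']}/{f['port']} bound to {f['addr']}")
```

Run from cron and diffed against the previous day's result, the same comparison doubles as the "actively monitored" check in the next bullet: a listener that appears without a matching change request is the signal you want.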

If you don't believe that individuals' computers can be hijacked, take a look at these:

...

Also, if you are serious about protecting a sensitive (political) client's business from cyber attack, you should also consider -

  • Denial Of Service attacks
  • Ability to restore from catastrophic failure

What's Next?

So what's a reasonable solution? Get a security audit and then outsource! Very few organizations have the time or expertise to deal with these issues in a comprehensive or effective way. If you want to find out how vulnerable you are then have a pro do an audit. If you want to build a secure environment yourself - great - but you will spend lots of time and money doing so. Find a host you trust and let them do the heavy lifting for you. You will still have to implement decent organizational policies however - otherwise your security is useless.

...