Rule 1: Have a clear inventory of what data is critical to your organization.
By creating an inventory of all the data retained and its purpose, a company can identify which pieces are necessary to its ongoing operations and which are not.
Rule 2: Create a “two-person rule” for your data and processes.
By making sure critical operations and data access are guarded through multiple authorities, each checking the validity and work of the other, you minimize the risk that a compromise of any one part or person in the system compromises everything.
Rule 3: Compartmentalize your data.
By making sure that the ability to view and work with data in an organization is aligned with job responsibilities and enforced technologically, you can make sure that any one failure of security is not a total failure of security for the organization.
Rule 4: Build your defense in depth.
Apply the same security principles a company applies to its public-facing servers to its internal systems as well: set up firewalls, use encrypted communication, and require strong authentication methods. An attacker who gets past the perimeter should then still meet resistance at every internal hop rather than finding an open network.
Rule 5: Keep the keys to your kingdom offline.
Use storage that is not connected to the Internet (e.g. encrypted USB keys, or simply your own memory) for the most important secrets. Then, even if attackers gain complete control over an organization's computer network, the secrets held offline remain out of their reach.