1. Create Strong Passwords for all Drupal and sensitive email accounts used by [YOUR COMPANY] staff. A strong password is typically at least 8 characters long, has upper and lowercase letters and a symbol (e.g. # % ^ &), and does not contain any personally identifiable information or anything someone could find out about you online. This handy document might help you: http://www.pctools.com/guides/password/ . Typically, an attacker gains access to your email or an admin account, from which they can “escalate” their privileges by collecting more usernames and passwords. Because [YOUR COMPANY]'s CRM and website are linked, this is crucial.
2. Create a Maintenance Plan covering server operating system security updates and Drupal & CiviCRM upgrades. Currently your website is hosted on a Virtual Private Server at [hosting provider] and maintained on a “best effort basis” by [contractor]. Typically, [YOUR COMPANY] would have a maintenance plan in effect that gives a contractor and/or a third party defined duties and responsibilities for keeping the server secure. Suggestion: update the server, Drupal, CiviCRM and contributed modules at least once a month.
3. Backups, Backups, Backups. Create a backup plan for the server's assets (CiviCRM, Drupal, etc.) to an offsite location. We can enable Linode.com's backup plan, or use a third-party service for extra redundancy ([contractor] can recommend some). Additionally, make sure all PCs with important information on them are backing up regularly somewhere.
4. Never give out your password over the phone to untrusted parties, and keep sensitive material stored in Google Docs / Apps to a minimum. This is to avoid “social engineering” techniques. Yes, you might not think anyone would want to come after [YOUR COMPANY], but it's something we should just remind ourselves of.
5. Do an Audit of all Drupal roles, permissions, access groups, and CiviCRM access permissions. Make sure the policies in effect make sense. I suggest creating a CiviCRM Admin Drupal role that has access to CiviCRM administration, but not Drupal administration. Create a spreadsheet of what staff and volunteer roles should be, and how they gain access (a standard operating procedure).
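As an added example (not part of the original memo), the Drush php-script below dumps each Drupal role's administrative permissions as CSV so the audit can be pasted straight into the roles spreadsheet, and flags any role that grants both Drupal and CiviCRM administration. It assumes the Drupal 7 API (user_roles(), user_role_permissions()) and the standard permission names shipped by Drupal core and the CiviCRM module; the two permission lists are assumptions to adjust for your site.

```php
<?php
// Role/permission audit for a Drupal 7 site running CiviCRM.
// Run from the Drupal root with:  drush php-script audit_roles.php
// Assumption (added example, not from the memo): Drupal 7 API and the standard
// permission names shipped by Drupal core and CiviCRM; adjust the lists for your site.

// Permissions that amount to "Drupal administration".
$drupal_admin = array(
  'administer site configuration',
  'administer users',
  'administer permissions',
  'administer modules',
);
// Permissions that amount to "CiviCRM administration" or bulk contact access.
$civi_admin = array(
  'administer CiviCRM',
  'edit all contacts',
  'delete contacts',
);

$roles = user_roles();                    // rid => role name
$perms = user_role_permissions($roles);   // rid => array(permission => TRUE)

// CSV output, ready to paste into the roles spreadsheet suggested in item 5.
echo "role,users,drupal_admin_perms,civicrm_admin_perms,flag\n";
foreach ($roles as $rid => $name) {
  $granted = isset($perms[$rid]) ? array_keys($perms[$rid]) : array();
  $drupal  = array_intersect($drupal_admin, $granted);
  $civi    = array_intersect($civi_admin, $granted);
  // Accounts explicitly assigned this role (anonymous/authenticated are implicit).
  $users = db_query('SELECT COUNT(*) FROM {users_roles} WHERE rid = :rid',
                    array(':rid' => $rid))->fetchField();
  // One role granting both sets is what the memo wants split into a separate
  // "CiviCRM Admin" role; anything on "authenticated user" is held by everyone.
  $flag = ($drupal && $civi) ? 'SPLIT: grants both Drupal and CiviCRM admin' : '';
  if ($rid == DRUPAL_AUTHENTICATED_RID && ($drupal || $civi)) {
    $flag = 'REVIEW: admin permission granted to all logged-in users';
  }
  printf("\"%s\",%d,\"%s\",\"%s\",\"%s\"\n",
    $name, $users, implode('; ', $drupal), implode('; ', $civi), $flag);
}

// User 1 bypasses the permission system entirely, so it never shows up above.
$admin = user_load(1);
echo "\nUser 1 (bypasses all permission checks): {$admin->name} <{$admin->mail}>\n";
```

Roles marked SPLIT are candidates for the separate CiviCRM Admin role; the user 1 line is there because that account ignores every role check and should be owned by a named, known person.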
6. Review the SSL implementation yearly. Make sure the right pages are secured, and consider whether securing the user login and registration pages would make sense (recommended).
7. Remember: you have a complex system with many moving parts. It has to be greased and maintained, especially as things change, or problems will occur.