I'm going through a "questioning everything" stage, which I'm sure some of you will find annoying, but hopefully it'll also be worthwhile in the end. One of those questions is "What are the actual minimum security practices that should be followed by all personnel?" It's an interesting and somewhat challenging question because, despite having no shortage of source materials to answer the question at length, I'm not necessarily convinced that many of the traditional "requirements" are either necessary or universal.
Thus far, all I've been able to come up with is this short list:
* Have a reasonably long password/passphrase.
* Practice safe computing/browsing.
* Don't share sensitive information (e.g., trade secrets, passwords).
* Protect your physical devices (e.g., phones, laptops).
* Report incidents, suspicious behavior, and related concerns.
That's about it. I'm sure there are more things, but in my somewhat jaded and cynical mindset (at the moment, anyway), I'm having a hard time thinking about what else might be universally applicable to all employees in a company.
What do you think? What am I missing?