Step 1: Install and maintain a firewall to protect data.
Step 2: Change default (vendor-supplied) passwords on all firm devices and systems.
Step 3: Enable full-disk encryption on all hard drives, laptops included.
Step 4: Encrypt client data in transit, whether the transmission is internal or external.
Step 5: Use antivirus and malware-detection software on all devices. Use a VPN on all mobile devices.
Step 6: Use only systems that support two-factor authentication (YubiKey, Google Authenticator, etc.), and turn it on.
Step 7: Restrict access to data to only those who need it to do their jobs.
Step 8: Assign a unique username to every employee who accesses your clients' data. No sharing of passwords or accounts.
Step 9: Restrict physical access to the data: lock your office, enable remote wipe on mobile devices, etc.
Step 10: Monitor and log all access to data and network resources, and review the logs.
Step 11: Perform vulnerability scans on systems quarterly.
Step 12: Document everything: the controls above, who has access to what, and the evidence that each control is in place.
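Steps 7, 8 and 10 only pay off if someone actually reviews the access logs against the access policy. The script below is an added example, not part of the original checklist, showing one way to do that review: it reads access-log lines, flags any use of a shared or generic account (step 8), and flags any user touching a client folder they are not on the allow-list for (step 7). The log format, the user names, the folder-based allow-list and the sample log lines are all constructed for the example.

```python
"""Review an access log against a least-privilege policy (added example).

Assumed log format, one event per line:
    <timestamp> <username> <action> <resource-path>
Everything below (names, paths, policy) is constructed sample data.
"""
from collections import Counter

# Constructed sample log lines; not real client data.
SAMPLE_LOG = """\
2024-03-01T09:02:11 alice READ clients/acme/tax2023.pdf
2024-03-01T09:05:40 bob READ clients/acme/tax2023.pdf
2024-03-01T09:06:02 shared WRITE clients/acme/tax2023.pdf
2024-03-01T09:10:33 carol READ clients/beta/payroll.xlsx
2024-03-01T09:11:00 alice READ clients/beta/payroll.xlsx
2024-03-01T09:12:00 dave READ clients/beta/payroll.xlsx
2024-03-01T09:13:00 dave READ clients/beta/payroll.xlsx
"""

# Step 7: who may touch each client folder. Assumed policy for the example.
ACCESS_POLICY = {
    "clients/acme": {"alice", "bob"},
    "clients/beta": {"carol"},
}

# Step 8: generic account names that should never appear in the log at all.
SHARED_ACCOUNTS = {"shared", "admin", "staff", "reception"}


def parse_line(line):
    """Split one log line into its fields (resource may contain spaces)."""
    ts, user, action, resource = line.split(maxsplit=3)
    return {"ts": ts, "user": user, "action": action, "resource": resource}


def client_folder(resource):
    """Map a resource path to the client folder the policy is keyed on."""
    parts = resource.split("/")
    return "/".join(parts[:2]) if len(parts) >= 2 else resource


def review_access_log(log_text, policy=ACCESS_POLICY, shared=SHARED_ACCOUNTS):
    """Return a list of (finding, user, resource) tuples, one per bad event."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["user"] in shared:
            # A shared account cannot be tied to a person (step 8).
            findings.append(("shared-account", ev["user"], ev["resource"]))
            continue
        allowed = policy.get(client_folder(ev["resource"]))
        if allowed is None:
            # Data nobody has classified is itself a finding: it has no owner.
            findings.append(("unclassified-resource", ev["user"], ev["resource"]))
        elif ev["user"] not in allowed:
            findings.append(("unauthorized-access", ev["user"], ev["resource"]))
    return findings


def summarize(findings):
    """Count findings by type so the review can be reported and documented."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    found = review_access_log(SAMPLE_LOG)
    for kind, user, resource in found:
        print(f"{kind:22} {user:8} {resource}")
    print(dict(summarize(found)))
```

Running it on the sample log reports the `shared` account write, alice's read of the beta payroll file, and dave's two reads of it; the two allowed users and the allowed carol read produce nothing. The per-type counts are what you keep as evidence of the review for step 12.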