Security Manual Template
ISO 27000 - 27001 & 27002 (formerly ISO 17799), Sarbanes Oxley, HIPAA, PCI-DSS, and Patriot Act Compliant
Includes Audit Program for PCI DSS Compliance, HIPAA Audit Guide, and ISO 27000 Checklist
The Security Manual for the Internet and Information Technology is over 240 pages in length. This electronic document is fully compliant with the ISO 27000 standard, Sarbanes Oxley, HIPAA standard, and the Patriot Act.
All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains detailed job descriptions that apply specifically to security and Sarbanes Oxley. The job descriptions are:
- Chief Security Officer (CSO)
- Chief Compliance Officer (CCO)
- VP Strategy and Architecture
- Director e-Commerce
- Database Administrator
- Data Security Administrator
- Manager Data Security
- Manager Facilities and Equipment
- Manager Network and Computing Services
- Manager Network Services
- Manager Training and Documentation
- Manager Voice and Data Communication
- Manager Wireless Systems
- Network Security Analyst
- System Administrator - Unix
- System Administrator - Windows
Clients can also subscribe to Janco's Security Manual update service and receive all updates to the Security Manual Template.
The template includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirement. The electronic document includes proven written text and examples for the following major topics for your security plan:
- Compliance to ISO 27000 (27001 & 27002), HIPAA, SOX, PCI, and the Patriot Act
- Security Manual Introduction - scope, objectives, general policy, and responsibilities
- Risk Analysis - objectives, roles, responsibilities, program requirements, and practices program elements
- Staff Member Roles - policies, responsibilities and practices
- Physical Security - area classifications, access controls, and access authority
- Facility Design, Construction and Operational Considerations - requirements for both central and remote access points
- Media and Documentation - requirements and responsibilities
- Data and Software Security - definitions, classification, rights, access control, INTERNET, INTRANET, logging, audit trails, compliance, and violation reporting and follow-up
- Network Security - vulnerabilities, exploitation techniques, resource protection, responsibilities, encryption, and contingency planning
- Internet and Information Technology Contingency Planning - responsibilities and documentation requirements
- Travel and Off-Site Meetings - specifics of what to do and not do to maximize security
- Insurance - objectives, responsibilities and requirements
- Outsourced Services - responsibilities for both the enterprise and the service providers
- Waiver Procedures - process to waive security guidelines and policies
- Incident Reporting Procedures - process to follow when security violations occur
- Access Control Guidelines - responsibilities and how to issue and manage badges / passwords
- Sample Forms
  - Business and IT Impact Questionnaire
  - Threat & Vulnerability Assessment Tool
  - Security Violation Reporting form
  - Security Audit form
  - Inspection Check List
  - New Employee Security form
  - Security Access Application form
Latest News
Security threats are on the rise and they are costly
February 12th, 2012
Companies as well as individuals need well-defined security policies and procedures to combat security threats.
In a recently published report it was estimated that breaches cost companies between $90 and $305 per lost record. This includes notifying customers, hiring contractors to fix computer systems, fines, and lost business. In addition, over 95 percent of network attacks are entirely financially motivated. This is different from two or three years ago, when the attacker may have been a college student who wanted to crash your computer. Threats today burrow deep into computers and hide. They are a lot less visible today.
Indeed, the new threats are much more sophisticated than those security experts had foiled in the past. The easy things - viruses, Trojans and worms - are generally stoppable by most firewalls or certainly inline intrusion prevention. But now, hackers and the organizations that fund them have upped the ante for gateway and network security.
Improving eMail Security
February 2nd, 2012
Several companies, including Google, Facebook, Microsoft, Yahoo, and PayPal, are working jointly on a standard for blocking phishing e-mails by verifying that they come from legitimate companies.
DMARC (Domain-based Message Authentication, Reporting, and Conformance), described at DMARC.org, is a new white-list system that will be available for use across the Internet.
The other companies in the DMARC working group are AOL, Bank of America, Fidelity Investments, American Greetings, LinkedIn, and e-mail security providers Agari, Cloudmark, eCert, Return Path, and Trusted Domain Project.
Will IT spending go up?
January 20th, 2012
IT spending is expected to increase in 2012. After years of budgets crimped by a bum economy, there is significant pent-up demand at companies around the globe to drop some extra cash on the products and services they have been waiting for to drive business forward. But we have heard this song before.
Gartner was bullish on IT spending last year, saying that it could rise somewhat significantly in 2012, yet in its latest report the research firm acknowledges that its estimates might have been too optimistic. Global IT spending will still be up, the company says, but do not expect it to rise too quickly.
CIO success is driven by relationships
January 8th, 2012
Relationships are critical to a CIO's success. A poor relationship with superiors and staff is the number one reason for the failure of a CIO. Relationships are critical to communication, and without them common goals cannot be achieved.
CIOs and employees who understand each other's preferred styles better understand how to communicate and work together effectively. Factors that strongly predict the compatibility between a CIO and their team are self-assurance, self-reliance, conformity, optimism, decisiveness, objectivity, and approach to learning. Assessing a CIO's relationships with team members gives the CIO objective information about themselves and their team so that they can work more effectively toward a common goal.
A poor relationship with one's boss is the number one reason for failure at work. Two common flashpoints adversely affect performance:
- The employee is unclear about the CIO's expectations - Goals should cascade down from the CIO to team members so that everyone understands how they contribute to the objectives of both the team and the organization. If an employee does not understand the goals given, or if they have not been given goals at all, the onus is on the employee to seek clarity. Asking a simple question such as, "What are the top three priorities in my role that you would like me to focus on?" can help everyone on the team gain clarity. Employees should also ask, "Why is this so important?" as the answer will give them a lot of good clues for developing the relationship with their CIO.
- CIOs fail to adapt their styles to the employees' preferred styles - Every employee/CIO relationship is unique and requires a different management approach. For example, the approach taken by a highly decisive boss working with a highly decisive employee should be significantly different from the approach taken by this same boss when working with a less-decisive employee. The decisive employee thrives on quick decisions, while the other employee will be more methodical in their decision-making approach. The less-decisive employee will potentially enter into conflict with the faster-paced CIO.
Burnout of key employees
December 17th, 2011
In these troubled times employee burnout is a reality. Burnout affects employees in a number of ways that in turn negatively impact the organization they work for. They are:
- Withdrawal - Employees want to avoid what discomforts them, and those organizational conditions that can cause burnout are certainly discomforting. Signs to watch for are that employees leave work early, arrive at work late, take long breaks, and stay away from the workplace as much as possible.
- Interpersonal friction - Employees strike back at what they do not like. Signs are employees begin being cynical and callous toward others, small differences lead to monumental arguments, work assignments begin to seem like insurmountable challenges, and friends begin to look like foes.
- Performance declines - When employees are not happy they do not perform well. The quantity of the employees' work may not be reduced, but the quality will. Signs are that clients say service quality is poor and that relationships between the burned-out employee, their peers, and their customers are at a low point. There are few smiles and jokes - it is all work and no play.
- Negative impact on family life and personal space - Just as burnout leads to behaviors that have a negative impact on the quality of one's work life, it can also lead to behaviors that cause a deterioration of the quality of home life and personal space. Burned-out individuals are often described by their wives as coming home tense, anxious, upset, angry, and complaining about the problems they faced at work. These individuals are also more withdrawn at home - preferring to be left alone instead of sharing time with their families.
- Declining health and gaining weight - Burnout often leads to health-related problems. Burnout victims are more likely to suffer from insomnia, excessive drinking or smoking, and to use medications of various kinds.
Top priorities for 2012
November 7th, 2011
Five projects to tackle in the short term will make you a hero to upper management while enabling the organization to move forward:
- Streamline company data storage and access
- Master mobile devices to meet
- Become an efficient development organization
- Implement crisis management response processes
- Gain control of social media
Facebook most popular social network
October 27th, 2011
Facebook is leading all social networks in U.S. mobile traffic. While access through the browser still trumps application access, apps are gaining.
More than 72.2 million Americans, or nearly one-third of the country, accessed Facebook, LinkedIn, Twitter, or some other social network or blog from a mobile device in August, up 37 percent from the same time last year.
Nearly 40 million of those U.S. mobile users access these sites almost every day, according to new research from comScore. Smartphone users proved to be the heaviest social media users, with 3 in 5 of those users using social media software every month.
Facebook, which claims it has over 200 million mobile users, enjoyed more than 57 million mobile users in August, up 50 percent from the previous year. Twitter and LinkedIn have far fewer mobile users. Twitter's mobile audience rose 75 percent to 13.4 million people, while LinkedIn's audience grew 69 percent to 5.5 million users.
Backup service providers an expanding DRP resource
October 16th, 2011
Online backup and recovery service providers have emerged from different market spaces and have different product focuses and business drivers. These providers can be grouped into three categories:
- Service providers leveraging existing core business resources to expand into adjacent markets to look for new revenue opportunities
- Service providers concentrating on server backup in niche markets: backup and recovery only, single verticals, regional boundaries
- Service providers whose backup and recovery service forms an integral part of a broader spectrum of information management and data protection services
The scope, strengths, and weaknesses of each type of online backup and recovery service provider are characterized with respect to the current and forward-looking requirements of companies looking to protect their server data. Such requirements range from full system (versus data only) backup and restore to comprehensive business continuity best practices and support. Understanding these strengths and weaknesses can help businesses clarify their server protection requirements and better align their selection criteria and focus with their business goals.
New technique offers enhanced security for sensitive data in cloud computing
October 10th, 2011
Researchers from North Carolina State University and IBM have developed a new experimental technique to better protect sensitive information in cloud computing - without significantly affecting the system's overall performance.
Under the cloud-computing paradigm, hypervisors are programs that create the virtual workspace that allows different operating systems to run in isolation from one another - even though each of these systems is using computing power and storage capability on the same computer. A longstanding concern in cloud computing is that attackers could take advantage of vulnerabilities in a hypervisor to steal or corrupt confidential data from other users in the cloud.
The NC State research team has developed a new approach to cloud security, which builds upon existing hardware and firmware functionality to isolate sensitive information and workload from the rest of the functions performed by a hypervisor. The new technique, called strongly isolated computing environment (SICE), demonstrates the introduction of a different layer of protection.
"We have significantly reduced the 'surface' that can be attacked by malicious software," says a professor of computer science at NC State. "For example, our approach relies on a software foundation called the Trusted Computing Base, or TCB, that has approximately 300 lines of code, meaning that only these 300 lines of code need to be trusted in order to ensure the isolation offered by our approach. Previous techniques have exposed thousands of lines of code to potential attacks. We have a smaller attack surface to protect."
SICE also lets programmers dedicate specific cores on widely-available multi-core processors to the sensitive workload - allowing the other cores to perform all other functions normally. A core is the 'brain' of a computer chip, and many computers now use chips that have between two and eight cores. By confining the sensitive workload to one or a few cores with strong isolation, and allowing other functions to operate separately, SICE is able to provide both high assurance for the sensitive workload and efficient resource sharing in a cloud.
In testing, the SICE framework generally took up approximately three percent of the system's performance overhead on multi-core processors for workloads that do not require direct network access. "That is a fairly modest price to pay for the enhanced security," the professor says. "However, more research is needed to further speed up the workloads that require interactions with the network."
Mobile devices change the way companies infrastructure
October 1st, 2011
Mobile devices and new user interfaces change everything. Leading edge enterprise managers have been using mobile devices for phone, e-mail, and Web communications since the inception of these products. Further, laptop devices have enabled employees to travel and to manage how employees or sell to customers.
However, consumers' rapid adoption of the Apple iPhone, iPad, and Android-based personal digital assistants (PDAs) and tablet PCs is causing leading IT innovators to quickly create new capabilities that will transform most enterprises' interactions with their customers. An excellent example is an iPhone application for consumer automobile lending where a customer can compare car prices, apply for a car loan, and receive on-site loan approval at a car dealer.
A tablet device is never going to fit into a jeans pocket like a smartphone, but it is still mobile, and its screen size adds new usability and utility to its apps over a mobile phone. For example, many retail operations will eventually use a tablet PC to replace the clipboard, pencil, and paper forms for one-time electronic information capture.