  Security Manual Template
ISO 27000 series (27001 & 27002; 27002 formerly ISO 17799),
Sarbanes Oxley, HIPAA,
PCI-DSS,
and Patriot Act Compliant
Includes Audit Program for PCI DSS Compliance, HIPAA Audit Guide,
and ISO 27000 Checklist
 
The Security Manual for the Internet and Information Technology
is over 240 pages in length. This electronic document is fully compliant with
the ISO 27000 series, Sarbanes Oxley, HIPAA, and the Patriot Act.
All versions of the Security
Manual template include both the Business & IT Impact Questionnaire and the
Threat & Vulnerability Assessment Tool (both were redesigned to address
Sarbanes Oxley compliance). In addition, the Security
Manual Template PREMIUM Edition contains 16 detailed job descriptions
that apply specifically to security and Sarbanes Oxley.
The job descriptions are:
-
Chief Security Officer (CSO)
-
Chief
Compliance Officer (CCO)
-
VP Strategy and Architecture
-
Director e-Commerce
-
Database Administrator
-
Data Security Administrator
-
Manager Data Security
-
Manager Facilities and Equipment
-
Manager Network and Computing Services
-
Manager Network Services
-
Manager Training and Documentation
-
Manager Voice and Data Communication
-
Manager Wireless Systems
-
Network Security Analyst
-
System Administrator - Unix
-
System Administrator - Windows
Clients can also subscribe to Janco's
Security Manual update service and receive all updates to the
Security Manual Template.
The template includes
everything needed to customize the Internet and Information Technology
Security Manual to fit your specific
requirement. The electronic document includes proven written text and
examples for the following major topics for your security plan:
-
Compliance to ISO 27000
(27001 & 27002), HIPAA,
SOX, PCI, and the Patriot Act
-
Security Manual
Introduction - scope, objectives, general policy, and
responsibilities
-
Risk Analysis
- objectives, roles, responsibilities, program requirements,
practices and program elements
-
Staff Member
Roles - policies, responsibilities and practices
-
Physical
Security - area classifications, access controls, and
access authority
-
Facility Design,
Construction and Operational Considerations - requirements for
both central and remote access points
-
Media and
Documentation - requirements and responsibilities
-
Data and
Software Security - definitions, classification, rights, access
control, INTERNET, INTRANET, logging, audit trails, compliance, and
violation reporting and follow-up
-
Network Security
- vulnerabilities, exploitation techniques, resource protection,
responsibilities, encryption, and contingency planning
-
Internet and
Information Technology Contingency Planning - responsibilities
and documentation requirements
-
Travel and Off-Site
Meetings - specifics of what to do and not do to maximize
security
-
Insurance -
objectives, responsibilities and requirements
-
Outsourced
Services - responsibilities for both the enterprise and the
service providers
-
Waiver
Procedures - process to waive security guidelines and policies
-
Incident
Reporting Procedures - process to follow when security
violations occur
-
Access Control
Guidelines - responsibilities and how to issue and manage badges
/ passwords
-
Sample Forms
-
Business and IT Impact
Questionnaire
-
Threat & Vulnerability
Assessment Tool
-
Security Violation
Reporting form
-
Security Audit form
-
Inspection Check List
-
New Employee Security form
-
Security Access Application
form
 
Latest News
Goals of a Disaster Recovery Planning Defined
-
The ultimate goal
of Disaster Recovery Plan
(DRP) is to get your business restarted in an acceptable timeframe. For
some organizations that means within minutes, while for others it means hours or
possibly days. The cost of operational downtime varies among businesses and
industries. For example, financial firms often calculate that cost in millions
of dollars per hour, while other industries calculate operational downtime as
thousands per day. These costs include lost business transactions, employee
productivity, and customers - not to mention regulatory penalties. The ability
to tolerate these losses generally determines business continuity
strategy.
There are two types of
disasters:
-
Physical
destruction of a location and data (or access to location and
data). Examples: fire, flood, earthquake, significant power or network
outage.
-
Data
destruction without physical destruction. Examples: hardware
failure, virus/hacker attack, software malfunction, human
error.
Each of these has a different set of
requirements, and your
Disaster Recovery / Business Continuity Plan needs to take them into
consideration.
Google Monopoly Threatened
-
The Google search monopoly seems to be threatened by
Microsoft's updated search engine Bing.
Bing,
an update to Microsoft Live Search, is already getting more attention than its
predecessor, according to a report released today by ComScore Inc.
Microsoft Sites increased its average daily penetration among U.S.
searchers from 13.8 percent during the period of May 26-30 to 15.5 percent
during the period of June 2-6, 2009, an indication that the search engine is
reaching more people than before. Microsoft's share of search result pages in
the U.S., a proxy for overall search intensity, increased from 9.1 percent to
11.1 percent during the same time frame.
Business Continuity and Disaster Recovery Defined
-

Business Continuity and
Disaster Recovery Planning are the way an organization prepares for and
carries out disaster recovery. It is an arrangement agreed upon in advance by
management and key personnel of the steps that will be taken to help the
organization recover should any type of disaster occur. These programs prepare
for multiple problems. Detailed plans are created that clearly outline the
actions that an organization, or particular members of it, will take
to recover or restore any of its critical operations that have been either
completely or partially interrupted, during or within a specified period after
a disaster or other extended disruption in access to operational functions.
To be fully effective at disaster recovery, these plans are fully defined
and are tested regularly. A
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are how an organization guards
against future disasters that could endanger its long-term health or the
accomplishment of its primary mission. BCPs and DRPs take into account disasters
that can occur on multiple geographic levels (local, regional, and
national), such as fires, earthquakes, or pandemic illness. BCPs and DRPs
should be live and evolving strategies that are adjusted for any potential
disaster that would require recovery; they should cover everything from
computer viruses to terrorist attacks. The ultimate goal is to
expedite the recovery of an organization's critical functions and manpower
following these types of disasters. This sort of advance planning helps an
organization minimize the loss and downtime it will sustain while
giving it its best and fastest chance to recover after a
disaster.
Palm Pre in Short Supply
-
The Palm
Pre, which goes on sale June 6 from Sprint Nextel Inc., appears on the Best
Buy Web site for $849.99, several times the $200 price after a $100 rebate that
Sprint has announced. Sprint and
Best Buy could not be reached immediately to comment, but bloggers speculated
the Best Buy online price is artificially high to discourage Best Buy employees
and other customers from reserving a purchase in advance due to expectations
that there will be a shortage of the new smartphones at the time of the
launch.
The expected shortages were clearly described by Sprint's CEO at an
investors' conference. He said, "We
don't intend to advertise it heavily early on because we think we are going to
have shortages for a while. We won't be able to keep up with demand for the
device in the early period of time."
CIOs Major Responsibilities Are Focused
-
CIOs have three major
responsibilities in helping enterprises succeed.
-
CIOs
must keep all IT systems and networks managed, optimized, and available to
contribute maximum business value at minimal cost.
-
CIOs need to protect critical infrastructure against an
increasingly hostile threat environment: spyware, viruses, attacks, intrusions
and human-engineered security lapses.
-
CIOs
must prevent exposure to penalties under legal and regulatory compliance
mandates and breach disclosure laws. If IT fails in any one of these areas, their
organizations can go out of business or face criminal
sanctions.
In meeting
these responsibilities, CIOs can no longer incrementally buy new tools to meet
any new requirement that makes headlines in the technical or business media.
Business drivers, security and compliance mandates converging on the enterprise
require a converged
response. CIOs now demand solutions that enable them to eliminate redundant
technologies and processes and integrate disparate elements into a common
workflow. While established enterprise software vendors have adopted the
language of convergence and consolidation, their product lines remain
constrained by legacy architectures and designs. Proposing radical change to
their customers carries the risk of disrupting established revenue flows, not to
mention the technical risks inherent in overhauling or replacing obsolete
products.
Business
runs at a velocity unimagined a few short years ago. Complex and highly
distributed environments have grown to support an intricate web of partners,
suppliers, distributors, and customers. Service oriented architectures and
web-based applications have progressed from vision to real-world instantiation
as enterprises look to leverage technology to innovate and deliver new services.
In this new world, IT-delivered services must be available 24x7 to customers,
suppliers, employees, regulators, investors and other constituencies.
The
highly exposed nature of today's IT infrastructures
fundamentally changes how organizations manage IT assets, processes and
data. IT organizations can no longer treat resource management and maintenance
as back-end functions that can be performed at times and conditions of their
choosing. Neither is their work protected from outside scrutiny. Processes whose
success or failures were largely internal now make the difference between
business success or failure, legal compliance or litigation, prudent stewardship
or ineffective execution.
Abuse of Email Cause for Termination
-
Among
employers who have dismissed employees for computer violations, 58% cited
excessive personal e-mail (26%) or Web (34%) use as the reason. Excessive
personal use takes a toll on employee productivity, eats up valuable system
space, and creates potentially damaging legal evidence. To protect your
company and keep your employees aware of the risks, you need a written acceptable usage
policy in place that notifies employees that compliance with e-mail and Web
usage rules is 100% mandatory.
CIO Strategic Planning Guidelines
-
CIOs are now
starting to develop new information technology strategies. As they do, they need to
understand the fundamental business and operational trends that are driving
businesses and enterprises of all types to redesign their operations. The principles that CIOs need to keep in
mind are:
-
Flexibility - CIOs must be able to respond to
opportunities and challenges faster than ever before. These CIOs are usually
battling well-resourced
organizations that may be based where the opportunity originated, or
another globalizing company that is reaching out for new opportunities. To
compete, a CIO must create a strategy that helps the enterprise
deliver a product or service faster, and as good as or better than,
potentially any other company in the world.
-
Simplicity - The increase in technology has led
to increased complexity. While per unit costs of technology are decreasing, in
aggregate IT budgets continue to
increase. With the pressure on IT to act less as a cost center and more as
a way to increase the profitability of business units, adding more storage,
more bandwidth, or additional technologies throughout the organization is no
longer an acceptable approach to managing information technology. Instead,
smart CIOs are investigating technologies like continuous data protection,
virtualization, and wireless connectivity to help IT slim down its footprint
while increasing their business's competitive advantages. Therefore, the IT
team is typically in a difficult position, assessing where to cut costs while
still moving forward with a plan to continually enhance IT services to the
business.
-
Security and Mandated Requirements - With the
growing importance of applications and data, the sources of threats to
enterprise data have multiplied dramatically. Everything from natural
disasters to criminals and corrupt insiders can steal or corrupt data.
While CIOs do everything they can to stop these threats in the first
place, they still must be prepared to recover from them as quickly as
possible.
-
Disaster Recovery Business Continuity - As
businesses have expanded, the need for anytime, anywhere application access
has become a requirement. At the same time, "follow the sun" (global 24/7)
operations have shrinking maintenance windows and a need for applications to
be running at all times. Delay or loss of data for any reason - system
failure, natural disasters - has a domino-like effect across the entire
organization, at any time of the day or
night.
SPAM a Productivity Killer
-
Spam
now accounts for as much as 80-90% of an organization's total e-mail volume.
Every day, organizations face potential communications, operations, and
intellectual-property disruption from spam and other e-mail borne threats. At the
same time, different types of attacks have started to merge and pose severe threats
to your organization, leading to a significant increase in e-mail related costs.
For companies grappling with limited IT staff, outsourcing e-mail security to
one of the growing number of service providers is a quick, no-fuss way of
protecting internal e-mail systems.
Added Security Risks
-
It used to
be relatively easy to secure a
corporate network. It was a physically connected entity used only by internal
users. Web browsing was not generally available at the desktop, and data was
transferred only by removable media or email.
Today,
networks as we once understood them are disappearing as the network perimeter
has become blurred by the prevalence of new technologies and business practices.
Instant Messaging (IM), Voice Over IP (VoIP), peer-to-peer (P2P) file-sharing
software, and wireless and mobile devices all offer new ways of transferring
data. Network access is given to remote workers, business partners and
contractors.
These
changes fulfill the real business need to remain competitive, but they also
increase the risk of malware,
other security threats, and data breaches entering the network
via unsecured hardware and unmonitored communication channels.
Security in this more complex environment requires:
-
Securing more types of endpoint devices
-
Securing endpoint computers
-
Monitoring for compliance with security policies
-
Protecting network from
fast-moving zero-day threats
The Market that Microsoft Missed
-
Before Bill
Gates left Microsoft, he
realized that Enterprise Search was becoming increasingly important to
organizations, and a central component of their business strategy. Competitors
such as Google had moved quickly to fill the gaps left by Microsoft. With
increasing competition and customer demand, Microsoft publicly announced in 2007
that Enterprise Search was strategic to them and began developing a unified
search strategy, rationalizing the disparate portfolio of search products they
owned.
Now
Microsoft is moving to fill that gap.
The question is will they succeed?