IT Job Descriptions

The job descriptions contained within the Internet and Information Technology Position Descriptions HandiGuide® are all in a standard format and are provided in PDF, WORD 2003, and WORD 2007 formats.



IT Salary Survey

The IT Salary Survey draws on data collected throughout the year by extensive interviews, internet-based survey data, and survey forms completed by businesses throughout the United States and Canada.



Security Policies & Procedures, Threat & Vulnerability Assessment, Risk Assessment

Security Manual Template

ISO 27000 - 27001 & 27002 (formerly ISO 17799), Sarbanes Oxley, HIPAA, PCI-DSS, and Patriot Act Compliant

Includes Audit Program for PCI DSS Compliance, HIPAA Audit Guide, and ISO 27000 Checklist

Order Security Manual Template

The Security Manual for the Internet and Information Technology is over 240 pages in length. This electronic document is fully compliant with the ISO 27000 standard, Sarbanes Oxley, HIPAA standard, and the Patriot Act.

All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes Oxley. The job descriptions are:

  • Chief Security Officer (CSO)
  • Chief Compliance Officer (COO)
  • VP Strategy and Architecture
  • Director e-Commerce
  • Database Administrator
  • Data Security Administrator
  • Manager Data Security
  • Manager Facilities and Equipment
  • Manager Network and Computing Services
  • Manager Network Services
  • Manager Training and Documentation
  • Manager Voice and Data Communication
  • Manager Wireless Systems
  • Network Security Analyst
  • System Administrator - Unix
  • System Administrator - Windows

Clients can also subscribe to Janco's Security Manual update service and receive all updates to the Security Manual Template. 

The template includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirements. The electronic document includes proven written text and examples for the following major topics for your security plan:

  • Compliance to ISO 27000 (27001 & 27002), HIPAA, SOX, PCI, and the Patriot Act
  • Security Manual Introduction - scope, objectives, general policy, and responsibilities
  • Risk Analysis - objectives, roles, responsibilities, program requirements, practices, and program elements
  • Staff Member Roles - policies, responsibilities and practices
  • Physical Security - area classifications, access controls, and access authority
  • Facility Design, Construction and Operational Considerations - requirements for both central and remote access points
  • Media and Documentation - requirements and responsibilities
  • Data and Software Security - definitions, classification, rights, access control, INTERNET, INTRANET, logging, audit trails, compliance, and violation reporting and follow-up
  • Network Security - vulnerabilities, exploitation techniques, resource protection, responsibilities, encryption, and contingency planning
  • Internet and Information Technology Contingency Planning - responsibilities and documentation requirements
  • Travel and Off-Site Meetings - specifics of what to do and not do to maximize security
  • Insurance - objectives, responsibilities and requirements
  • Outsourced Services - responsibilities for both the enterprise and the service providers
  • Waiver Procedures - process to waive security guidelines and policies
  • Incident Reporting Procedures - process to follow when security violations occur
  • Access Control Guidelines - responsibilities and how to issue and manage badges / passwords
  • Sample Forms

    • Business and IT Impact Questionnaire
    • Threat & Vulnerability Assessment Tool
    • Security Violation Reporting form
    • Security Audit form
    • Inspection Check List
    • New Employee Security form
    • Security Access Application form


Latest News


Availability of e-mail a business continuity issue

Availability of e-mail for business continuity and of its associated data can make or break an organization's profit objectives, as well as determine whether it retains or loses customers. In today's economy, the importance of e-mail takes on new meaning. Recovery time and recovery point objectives (RTOs and RPOs) are no longer general rules. The Exchange administrator's ability to meet or exceed the proverbial lines in the sand, in terms of time to recover and the age of the data recovered, can mean the difference between gainful employment and prepping for a job interview.

Questions that you need to have answers to are:

  • What is the impact of e-mail downtime on today's business?
  • What are the types of potential failures, both common and not-so-common, along with their general probability of occurrence?
  • How do you plan to mitigate the impact of these challenges to ensure adequate levels of protection for your e-mail environment?


CIO Strategic Planning Guidelines

CIOs are now starting to develop new information technology strategies. As they do so, they need to understand the fundamental business and operational trends that are driving businesses and enterprises of all types to redesign their operations. The principles that CIOs need to keep in mind are:

  • Flexibility - CIOs must be able to respond to opportunities and challenges faster than ever before. These CIOs are usually battling well-resourced organizations that may be based where the opportunity originated, or another globalizing company that is reaching out for new opportunities. In order to compete, a CIO must create a strategy that helps the enterprise deliver a product or service faster, and as good as or better than, that of potentially any other company in the world.
  • Simplicity - The increase in technology has led to increased complexity. While per unit costs of technology are decreasing, in aggregate IT budgets continue to increase. With the pressure on IT to act less as a cost center and more as a way to increase the profitability of business units, adding more storage, more bandwidth, or additional technologies throughout the organization is no longer an acceptable approach to managing information technology. Instead, smart CIOs are investigating technologies like continuous data protection, virtualization, and wireless connectivity to help IT slim down its footprint while increasing their business's competitive advantages. Therefore, the IT team is typically in a difficult position, assessing where to cut costs while still moving forward with a plan to continually enhance IT services to the business.
  • Security and Mandated Requirements - With the growing importance of applications and data, the sources of threats to enterprise data have multiplied dramatically. Everything from natural disasters, to criminals, and corrupt sources within the company can steal or corrupt data. While CIOs do everything that they can to stop these threats in the first place, they still must be prepared to recover from these threats as quickly as possible.
  • Disaster Recovery Business Continuity - As businesses have expanded, the need for anytime, anywhere application access has become a requirement. At the same time, "follow the sun" (global 24/7) operations have shrinking maintenance windows and a need for applications to be running at all times. Delay or loss of data for any reason - system failure, natural disasters - has a domino-like effect across the entire organization, at any time of the day or night.


Art Work In Danger - Disaster Plans Need to Address That

Natural disasters, such as the hurricanes that assault southern Florida and Louisiana, make all of us acutely aware of our vulnerability to disaster. Fortunately, catastrophes of this magnitude are rare, but disaster can strike in many ways. For example, a broken water main inundated the Chicago Historical Society; fire severely damaged the Cabildo in New Orleans; the Loma Prieta earthquake damaged several San Francisco area museums and libraries; smoke from an electrical fire covered collections throughout the Huntington Gallery; mold damage threatened Mount Vernon's archival collections. Large or small, natural or man-made, emergencies put an institution's staff and collections in danger.


Backup and Retention a DRP issue

Traditional storage environments have many of the same problems as distributed server farms: applications are tied to physical devices, making any response to changing needs both disruptive and time-consuming; capacity utilization is low; and many maintenance activities require application downtime. The simple and straightforward solution is storage virtualization, which decouples applications and data from the underlying physical devices. Storage virtualization simplifies storage management, as only a single set of tools is required for a given virtualized set of similar devices, such as a set of disk systems.

For IT departments charged with delivering greater business value in the face of unprecedented data growth, storage virtualization is a very attractive way to control costs, improve performance and maximize resource utilization.



HIPAA is a major compliance issue for CIOs in Healthcare

Because there is a high degree of mobility inherent in the work styles of most healthcare professionals, IT must remain cognizant of where critical data is being stored and what is at risk, on top of providing 24x7 productivity. In the healthcare and life sciences respondent base alone, it has been reported that 89% of healthcare organizations have some percentage of their employees working away from the office at least one day per week, while 87% of healthcare organizations have some percentage of workers telecommuting from home at least one day per week, and more than 50% have some segment of workers telecommuting at least four days per week. To support this mobile work style, 95% of these enterprises have users relying on smartphones for work, usually in addition to laptop computers.

Regulatory compliance tops the list of concerns among healthcare and life sciences IT professionals with 86% of healthcare IT decision-makers rating it as a high or critical priority over the course of the coming year. Immediately following regulatory compliance is data security, with 31% of healthcare enterprises ranking it a critical priority and almost 60% ranking it as a high priority.



Goals of Disaster Recovery Planning Defined

The ultimate goal of a Disaster Recovery Plan (DRP) is to get your business restarted in an acceptable timeframe. For some organizations that means within minutes, while for others it means hours or possibly days. The cost of operational downtime varies among businesses and industries. For example, financial firms often calculate that cost in millions of dollars per hour, while other industries calculate operational downtime as thousands per day. These costs include lost business transactions, employee productivity, and customers - not to mention regulatory penalties. The ability to tolerate these losses generally determines the business continuity strategy.


There are two types of disasters:

  • Physical destruction of a location and data (or access to location and data). Examples: fire, flood, earthquake, significant power or network outage.
  • Data destruction without physical destruction. Examples: hardware failure, virus/hacker attack, software malfunction, human error.

Each of these has a different set of requirements, and your Disaster Recovery / Business Continuity Plan needs to take both into consideration.



Social networks - big worry for CIOs

Controlling communications on social networking Web sites is far more complex for corporations because they're attempting to control communications on Web sites that are outside their IT systems and that are almost continuously changing or adding to the number of applications that can be used to network.

This is one of the reasons why popular social networking sites, such as Facebook, Twitter, and LinkedIn, are causing a stir in the financial services community as well as other highly regulated industries as companies seek ways to control how the sites are used to communicate with potential clients and colleagues.

It is a bigger issue than e-mail and IM. For IM and e-mail, you pretty much use standard ports and protocols; you just have to be in the right spot in the network to capture and monitor the traffic. That is not the case for these social networks, so security is an issue.



Hackers focus on iPad

(Computerworld) Hackers are targeting iPad users with bogus update messages that dupe them into downloading malicious code onto their Windows PCs, a security researcher said today.

The messages claim that a recent update to iTunes has been released for the iPad, according to Romanian security company BitDefender. "It is very important to keep the software on your iPad updated for best performance, newer features and security," the message reads. "To get the latest version of iTunes software, please go to ... and install the application."

The link in the message leads to a copycat of the legitimate iTunes download site, where users are asked to approve the download of a file dubbed "itunessetup.exe."

The file masquerading as the iTunes update is actually a Trojan horse that injects code into Windows' "explorer.exe" process and opens a backdoor for hackers, who then use that entrance to add more malware to the PC. The "Backdoor.Bifrose.AADY" Trojan also tries to snatch activation keys from various programs on the hacked



States Attack Internet Tax Free Zone

Amazon.com filed a lawsuit on Monday to fight a demand from North Carolina's tax collectors for detailed records including names and addresses of customers and information on what was purchased.

The lawsuit says the demand violates the privacy and First Amendment rights of Amazon's customers. North Carolina's Department of Revenue had ordered the online retailer to provide full details on nearly 50 million purchases made by state residents between 2003 and 2010.

Amazon is asking a federal judge in Seattle to rule that the demand is illegal, and left open the possibility of requesting a preliminary injunction against North Carolina's tax collectors.

Because Amazon has no offices or warehouses in North Carolina, it is not required to collect the customary 5.75 percent sales tax on shipments, although tax collectors have reminded residents that what's known as a use tax applies on anything "purchased or received" through the mail.



Vendor management is a key to cost control

Vendor management is an area where costs and productivity can be improved. What IT organizations must do is:

  • Have a consistent and uniform message
  • Know what your requirements are and what your vendor's abilities are
  • Do not get locked in on price
  • Have multiple suppliers
  • Use both small and large vendors
  • Review the relationship on an ongoing basis