Security Manual Template

 

ISO 27000 - Sarbanes Oxley Patriot Act - HIPAA - PCI DSS Complaint

With all of the new legislation, there are more security requirements that need to be met.  Requirements like Sarbanes-Oxley, HIPAA, PCI-DSS, and ITIL, are primary concerns of CIOs as executive management is depending on IT to have the right security policies and procedures in place.

We have just the download you need to create a world class plan and assure you leave no stone unturned. With this Template we walk you through the entire process, providing all the tools you need along the way.  As an added benefit you can purchase an update service which keeps these polcies and procedures abreast of the latest legislated and mandated requirements. 

This Security Manual for the Internet and Information Technology is over 230 pages in length. All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes Oxley compliance).   In addition, the Security Manual Template PREMIUM Edition  contains 16 detail job descriptions that apply specifically to security and Sarbanes Oxley, ISO 27000, PCI DSS, and HIPAA.

The policies have just been updated and include a section on Log Management which is required to meet the new compliance mandates.

The Security Manual template can be purchased with the Disaster Recovery program or by itself in three: Standard, Premium, and Gold.

Clients can also subscribe to Janco's Security Manual update service and receive all updates to the Security Manual Template. 

The template includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirement.  The electronic document includes proven written text and examples for the following major topics / sections for your security plan:

• Compliance to ISO 27000, Sarbanes-Oxley, PCI-DSS, Patriot Act and HIPAA
• Security Manual Introduction - scope, objectives, general policy, and responsibilities
• Risk Analysis - objectives, roles, responsibilities, program requirements, and practices program elements
• Staff Member Roles - policies, responsibilities and practices
• Sensitive Information Policy
• Physical Security  - area classifications, access controls, and access authority
• Facility Design, Construction and Operational Considerations - requirements for both central and remote access points
• Media and Documentation - requirements and responsibilities
• Data and Software Security - definitions, classification, rights, access control, INTERNET, INTRANET, logging, audit trails, compliance, and violation reporting and follow-up
• Network Security - vulnerabilities, exploitation techniques, resource protection, responsibilities, encryption, and contingency planning
• Internet and Information Technology contingency Planning - responsibilities and documentation requirements
• Travel and Off-Site Meetings - specifics of what to do and not do to maximize security
• Insurance - objectives, responsibilities and requirements
• Outsourced Services - responsibilities for both the enterprise and the service providers
• Waiver Procedures - process to waive security guidelines and policies,
• Incident Reporting Procedures - process to follow when security violations occur
• Access Control Guidelines - responsibilities and how to issue and manage badges / passwords
• Sample Forms
  • Business and IT Impact Questionnaire
  • Threat & Vulnerability Assessment Tool
  • Security Violation Reporting form
  • Security Audit form
  • Inspection Check List
  • New Employee Security form
  • Security Access Application form
  • Employee Termination Checklist
  • Supervisor's Employee Termination Checklist
  • Sensitive Information Policy Compliance Agreement
  • HIPAA Audit Program Guide
  • ISO 27000 (ISO 27002 & ISO 27002) Security Checklist
  • PCI DSS Audit Program

 

 

 

 

CIO - CTO - CSO Security News

---

02/02/2012

Disaster recovery and business continuity still a struggle for many CIOs

Organizations of all sizes are struggling with getting some of the basics of disaster recovery and business continuity right. They still need support in obtaining executive buy-in, managing resources and implementing easy to use and reliable technology. To some extent, there is still a lack of best practices being provided by vendors, and many SMBs rely heavily on their channel partners to be their best practices advisors to help them make the right choices.

What has made the world more complex is the fact that organizations are now presented with three different platforms for their disaster recovery strategies: physical, virtual and cloud. Each platform has its own unique challenges and benefits. Some organizations will opt to keep purely physical, others will add virtualization while many will embrace all three.

Ultimately the success of any company's backup and DR is based on the availability of its systems and data and the impact that downtime has in terms of lost revenue and lost customers, regardless of the environment data and systems are held in. Using multiple different solutions to manage data across physical, virtual and cloud environments makes this process unnecessarily complicated and risks wasting valuable time and resources.

For most small to medium size businesses, a service's success is underpinned by its ability to deliver ease of use, cost effectiveness and flexibility, and by its ability to implement measures quickly enough to affect a near immediate positive impact. Both cloud services and virtualization can do this, so the future is bright. Managed in the right way, from one central, easy to use solution, they can offer businesses the ultimate backup and disaster recovery protection, ensuring that business continuity becomes easier to manage.

For IT managers, Janco encourages them to compare their backup and DR practices against their counterparts.

- more info

---

01/27/2012

Mobile devices are the bane of many CIOs concerns

As more companies embrace the broad usage of individually-owned mobile devices for access to corporate applications and data, CIO are asked for guidance on the establishment of an associated device usage policy.

Every organization needs to identify and develop mobile security policies to be deployed which will provide adequate protection. The level of protection has to be aligned with the level of risk that your organization is willing to accept. These policies should ensure that the many regulatory or compliance concerns that might be applicable are addressed.

Only by a partnership of information technology (IT), human resource (HR), finance, and legal teams - working closely with your executive team and business unit managers - can determine the exact corporate liable and/or individual liable policy that best fits your company, meets its financial goals and objectives, and takes into account security, legal, regulatory, tax, or other requirements and considerations that may uniquely apply to your company and its operations.

- more info

---

01/14/2012

Will IT spending increase in 2012

IT spending is expected to increase in 2012. After years of budgets crimped by the economy, there is significant pent-up demand at companies around the globe to drop some extra cash for the products and services they’ve been waiting for to drive business forward. But we’ve heard this song before. One research fiorm that  was bullish on IT spending last year, said that it could rise somewhat significantly in 2012, yet in its latest report the research firm acknowledges that its estimates might have been too optimistic. Global spending on IT spending will still be up, the company says, but don’t expect it to rise too quickly.

Janco has found that consultants and contractors are starting to be hired again.

 

The salary survey is updated twice a year; once in January and then again in July. You can get a free copy of the full survey if you provide 10 valid data points and use a corporate email address. Free email accounts like gmail or yahoo do not qualify as we have no way to verify the accuracy of the data provided.

The report is updated twice a year, once in January and second time in July. The unemployment data on this page is updated at least once a month and is based on the Bureau of Labor Statistics data.

    

 

- more info

---

01/08/2012

New Facts of Life For the CIO and IT Management

The world has changed and the CIO and IT managers need to face the new realities.  They include:

• iPhone and Tablet are here to stay
• CIO and IT department no longer are in control of how technology is used by you enterprise
• There will always be some downtime
• Systems will not be 100% compliant all of the time
• The cloud will not be the solution for all problems and will case new ones
• There will never be enough capital and staff to get what needs to be completed done
• The network has already been compromised
• Social networking use risks all of your company's secrets
• Users will always need your support even for technology that you have not implemented
• IT will continue to be viewed as a service organization
  

- more info

---

01/04/2012

Compliance Best Practices

Security compliance best practices include:

• Combine written content, usage, and retention policies with a Hosted Managed Email Archiving Service to ensure an organization's ability to preserve, locate, and produce legally valid email evidence. Unmanaged email and other record management solutiond can trigger financial, productivity, and legal issues for your organization when it a finds itself in a workplace lawsuit. The cost and time required to produce subpoenaed email, retain legal counsel, secure expert witnesses, mount a legal battle, and cover jury awards and settlements is ver costly. Best practices call for a proactive approach to email and business records management.
• Utilize a proven archiving technology to ensure forensic compliance. For example, by encrypting and archiving a copy of every business record and internal and external email sent or received and across the organization, a Hosted Managed Email Archiving Service solution guarantees that your email is secure and tamperproof. Nothing in your archive can be deleted or altered. Everything in your archive is legally compliant.
• Ensure that financial data and related documents are effectively protected from malware, viruses, and other malicious intruders - and are preserved in a legally compliant manner in order to  maximize SOX, GLBA, SEC, FINRA, and PCI DSS compliance. This includes having solutions in place to manage messaging threats and compling with regulatory requirements including Email Anti-Virus, Email Archiving, Email Continuity, and Email Content Control.
• Meet HIPAA requirements by using formal policies, employee training, and technology including email
  Archiving, Anti-Virus, Continuity, and Content Control Services to ensure compliant use of email to transmit and store HIPAA-regulated patient information.
• Safeguard personal or sensitive data whose transmission falls under state encryption laws or other privacy acts by deploying proven solutions that are designed to effectively identify personal information in any electronic transmission and, if necessary, block or encrypt the transmission.
• Reduce business and security risks associated with electronic communication by implementing a formal electronic communication policy that combines a written policy with employee training.

- more info