Record Retention and Destruction Policy Template
Current rules and regulations regarding the protection and destruction of confidential and sensitive documents require that any person or company that possesses or maintains such information take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal. In addition, Sarbanes-Oxley requires that records be retained for all audits and legal proceedings.
Some of the record types and retention time periods for physical and/or electronic records are:
The Record Management, Retention, and Destruction policy is a detailed policy template which can be used on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.
The areas included with this policy template are:
- Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
- Record Management
- Compliance and Enforcement
- Email Retention and Compliance
- Job Description Manager Record Administrator
- 12 forms for Record Retention and Disposition Schedule
A record is essentially any material that contains information about your company’s plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record – and you are now expected to retain and manage every one of those records, for several years or even permanently depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers who must come up with rock-solid solutions to securely store and manage all this data.
“The Financial Modernization Act of 1999”, also known as Gramm-Leach-Bliley (GLB Act) applies to every business with 100 or more annual transactions, and gives authority to eight (8) federal agencies and each state, to administer and enforce the Financial Privacy Rule, Disposal Rule and the Safeguards Rule contained in the FACT Act. The Federal Trade Commission is actively enforcing this Act in the following business segments:
- Financial institutions - lenders and traditional financial institutions, insurance companies, banks, and securities firms are the primary targets of enforcement. Also receiving scrutiny are auto dealers (leasing and financing departments, service and rental divisions); of particular interest to the enforcers are auto rental agreements and driver's license copies used for test drives. Mortgage brokers, real estate settlement companies, and retailers who issue credit cards, gift cards or related items are also under scrutiny.
- Service institutions - payday lenders, check-cashing services, professional tax preparers, accountants, and electronic funds transfer networks, as well as credit counselors, independent psychologists, and related service firms are also targets.
There are hundreds of document types that may factor into an investigation or legal action. Such records are assumed to be searchable and quickly available upon request, under the rules of SOX. This even applies to less official types of records, like Emails or instant messages.
Record Retention and Destruction News
Florida Activates Disaster Recovery Plan
AC failure takes out Florida state computers
A massive air-conditioning failure at a state office complex in Tallahassee shut down government computer traffic statewide and forced emergency managers to begin studying backup plans.
Rising temperatures posed an immediate threat to a $30 million state computer system in the Shared Resource Center, a highly secure, windowless brick complex that serves as the electronic nerve center for much of state government.
Computer traffic from 84 agencies and local governments, including some non-profit groups, flows through it daily.
Temperatures in a 9,276-square-foot room filled with 1,200 computer servers hovered at 90 degrees earlier today. Technicians like to keep the room chilled to 68 degrees and expect the equipment to start failing at 95 degrees.
New RFID technology could end lost data tapes
(Computerworld) -- Imation Corp. today announced a first-of-its-kind tracking technology that could put an end to the ongoing problem of lost data tapes by using passive radio frequency identification (RFID) tags and Global Positioning System (GPS) tracking systems to remotely locate cartridges, no matter where they are -- stationary or in transit.
ISO 17799, SOX, HIPAA Compliant Disaster Recovery / Business Continuity Template Released
The ISO 17799 compliant Disaster Recovery Planning (Business Continuity) Template is Version 4.2. The template has increased in size from 140 pages in version 3.1 to 189 pages in the current version.
New with this version of the Disaster Recovery Planning Template are:
- Added Section defining the ISO 17799 compliance requirements
- Reviewed and modified entire DRP/BCP template to ensure compliance with ISO 17799
- Business & IT Impact Questionnaire updated to meet ISO 17799 compliance requirements
- Added Best Data Retention and Destruction Practices section
Protecting your data center
(Computerworld) -- If anyone knows how to protect against power outages caused by extreme weather, it would be Jeff Biggs. The vice president of operations and engineering for Peak 10 Inc., a fast-growing Charlotte, N.C.-based data center operator, Biggs has taken many steps to harden Peak 10's colocation facilities in Florida against the state's annual threat of hurricanes.
Like making sure Peak 10's Jacksonville, Fla., data center taps into the city's underground power lines in two places, in case one substation or line goes down. Or buying a massive, 1,500-kilowatt backup diesel generator for Peak 10's Tampa Bay data center, along with emergency refueling contracts with two separate suppliers in case of an extended outage.
But Biggs admits that recent storm-related power outages in Denver, Seattle and St. Louis, all of which left parts of those cities dark for a week or longer, would have tested and perhaps overwhelmed Peak 10's precautions.
"An outage that long, oh, my God, it would catch even my fuel suppliers off guard," he said.
The continued growth of the Internet, combined with cheaper PC-based technologies, has led the number of servers worldwide to double since 2000, according to market research company IDC.
Much attention has been paid to how to cut the spiraling costs of powering and cooling these servers. But less thought has been devoted to how to better protect data centers from power outages, now that incidents of turbulent weather caused by global climate change appear to be on the rise.
ISO 17799 Security Template Released by Janco
The template includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirement. The electronic document includes proven written text and examples for the following major topics / sections for your security plan:
- ISO 17799, Sarbanes-Oxley, Patriot Act, and HIPAA compliance
- Security Manual Introduction - scope, objectives, general policy, and responsibilities
- Risk Analysis - objectives, roles, responsibilities, program requirements, and practices program elements
- Staff Member Roles - policies, responsibilities and practices
- Physical Security - area classifications, access controls, and access authority
- Facility Design, Construction and Operational Considerations - requirements for both central and remote access points
- Media and Documentation - requirements and responsibilities
- Data and Software Security - definitions, classification, rights, access control, INTERNET, INTRANET, logging, audit trails, compliance, and violation reporting and follow-up
- Sensitive Information Policy
- Network Security - vulnerabilities, exploitation techniques, resource protection, responsibilities, encryption, and contingency planning
- Internet and Information Technology Contingency Planning - responsibilities and documentation requirements
- Travel and Off-Site Meetings - specifics of what to do and not do to maximize security
- Insurance - objectives, responsibilities and requirements
- Outsourced Services - responsibilities for both the enterprise and the service providers
- Waiver Procedures - process to waive security guidelines and policies
- Incident Reporting Procedures - process to follow when security violations occur
- Access Control Guidelines - responsibilities and how to issue and manage badges / passwords
- Business and IT Impact Questionnaire
- Threat & Vulnerability Assessment Tool
- Security Violation Reporting form
- Security Audit form
- Inspection Check List
- New Employee Security form
- Security Access Application form
- Employee Termination Checklist
- Supervisor's Employee Termination Checklist
- Sensitive Information Policy Compliance Agreement
Avoiding Data Migration Delays
(Computerworld) -- As a technical matter, migrating data from an old computer system to a new one should be straightforward. There are common industry practices that can help, such as running field-mapping and conversion scripts, and using extract, transform and load tools. So why does data migration so often turn good IT projects into bad ones, with embarrassing delays that drag on for weeks or months?
Delays are often the result of getting off on the wrong foot - failing to adequately plan the approach to data migration at the outset. The technical issues can be complex, but at least they are predictable. It is the nontechnical strategy that often causes delays down the road.
Malware writers are making their code harder to track down, remove
(Computerworld) -- Hackers working for criminal gain are using increasingly sophisticated methods to ensure that the malware they develop is hard to detect and remove from infected systems, security researchers warned at this week's Computer Security Institute (CSI) trade show in Orlando.
The most popular of these approaches involve code mutation techniques designed to evade detection by signature-based malware blocking tools; code fragmentation that makes removal harder; and code concealment via rootkits.
Unlike mass-mailing worms such as MS Blaster and SQL Slammer, most of today's malware programs are being designed to stick around undetected for as long as possible on infected systems, said Matthew Williamson, principal researcher at Sana Security Inc.
U.S. Lacks Cybersecurity Leadership
The U.S. Department of Homeland Security (DHS) has failed to take several basic steps to protect the nation's cyber infrastructure, including a year-plus delay in naming an assistant secretary for cybersecurity, lawmakers and other critics said Wednesday.
Lawmakers and representatives of cybersecurity trade groups questioned why the DHS has failed to fill the high-level cybersecurity position after DHS Secretary Michael Chertoff announced plans to create the position in July 2005. The delay in hiring an assistant secretary shows a "lack of cybersecurity leadership" at the DHS, said Rep. John Dingell, a Michigan Democrat, during a congressional hearing.
IT managers fight fatigue, labor shortages and other problems
(Computerworld) -- NEW ORLEANS -- Hurricane Katrina struck one year ago today. Since then, there is much that IT managers interviewed here last week have done to shore up their technology infrastructures and try to ensure that their organizations can continue to operate no matter what roars out of the Gulf of Mexico.
Many have replaced tape archiving with electronic data backup and added redundant voice and data lines or satellite communications systems. Power generation capabilities have been improved, and some companies have even dug wells in an attempt to ensure that they have a reliable water supply. New contracts have been signed with disaster recovery providers.
Will your documented Disaster Recovery Plan Work?
As an IT professional, you know your IT environment is recoverable, but can you prove it when your boss, auditor or CEO demands documentation and specific confirmation? The IT Productivity Center has all of the tools that are needed to create a Disaster Recovery Plan that is acceptable to everyone.
Blog Policy Released
Janco Associates released its Blog and Personal Web Site Policy.
The Blog and Personal Web Site Template includes a detailed policy statement with specific guidelines for blog and web site participation, security standards, and a Blog Policy Compliance Agreement form which all employees, contractors, sub-contractors and affiliates should complete. This template can be purchased on its own and is included in the IT Service Management Template.
In a recent AMA survey it was found that only 9 percent of companies have policies governing personal blogging on company time, 7 percent have policies on business blogging and appropriate content, and even fewer (3 percent) retain blog content. The risks faced by enterprises of all sizes include copyright infringement, sexual harassment and trade secret theft, not to mention the drain on employee productivity.
IT Service Management SOA Policy Template Released by Janco
Janco has just released its IT Service Management SOA Policy Template. The Service-Oriented Architecture policy template is a 107-page document that contains standards, policies and procedures, metrics and service level agreements for the help desk, change control, service requests, blog / personal web site, and travel and off-site meetings. It also contains a Change Request Form, Business and IT Impact Questionnaire, and an Internet Use Approval Form. The template is available in Microsoft Word format or as a PDF file.
Fed up with tape, hospital moves to storage jukebox
(COMPUTERWORLD) - When Cabell Huntington Hospital installed a new image and records archiving system late last year, it was given a choice of sticking with its optical disk jukebox and its spinning disk arrays or going back to magnetic tape.
The 300-bed hospital in Huntington, W.Va., chose to stay with its unconventional optical disk format because, as its CIO said, the system saves money and has so far offered great reliability.
Microsoft joins group key to Open Document Format standards adoption
In a move some say has the potential to stall adoption of the OpenDocument Format as an international standard, Microsoft Corp. has joined a group that takes part in the International Standards Organization (ISO) voting process to standardize ODF.
Microsoft joined the V1 Text Processing: Office and Publishing Systems Interface group within the International Committee for Information Technology Standards (INCITS), a Washington-based organization. The INCITS is involved in recommending what technologies should become ISO standards, and the V1 Text Processing group in particular deals with office document formats.
ODF is overseen by the Organization for the Advancement of Structured Information Standards (OASIS) and is supported by Microsoft rivals IBM and Sun Microsystems Inc., among other companies. They want to see ODF adopted internationally as the standard for office documents and the software that creates and manages these documents, such as Microsoft's popular Office suite and rivals such as Star Office from Sun. The commonwealth of Massachusetts has already put in motion a plan to migrate its documents from proprietary formats to ODF, a process it hopes to implement beginning in January 2007.
Katrina Proves Wi-Fi Works in Disaster Zones
When Hurricane Katrina hit New Orleans, the only communication system that had not broken down was the wireless mesh network deployed in the downtown area to support surveillance cameras credited with reducing the city's pre-storm violent-crime rate.
Today it still performs police duties, but as the lone public communications system left in the city, it also carries VoIP traffic that is the lifeline for many city businesses.
The storm wiped out wireline phone service and cellular networks, and those that it didn't destroy outright couldn't be kept up because the city could not get fuel to the backup generators needed to keep the networks running, Meffert told an audience at a session during Spring VON 2006 this week.
Disaster Recovery and Business Continuity Template Released
The Disaster Recovery and Business Continuity Template Version 4.0 was just released. It is a MS Word document that can be used as a DRP - BCP template for any enterprise. The template and supporting material have been updated to be Sarbanes-Oxley and HIPAA compliant. The Disaster Planning Template includes:
- Disaster Recovery Plan and Business Continuity Template
- Business and IT Impact Analysis Questionnaire
- Work Plan
New with version 4.0 are:
- Vendor Disaster Recovery Questionnaire
- Vendor Phone List Form Updated
- Key Customer Notification Form
- Critical Resources to be Retrieved Form
- Business Continuity Off-Site Materials Form
- Department Disaster Recovery Planning Workbook
Go to http://www.e-janco.com/drp.htm
It Pays to Work with a Single Security Vendor
Evolving network threats pose significant risks to your business, and the traditional, band-aid approach of using multiple security software vendors to manage those threats only compounds your risk. The deployment of disparate solutions can actually create vulnerabilities at all points along the network, meaning more work for your already over-burdened IT staff. So, if implementing a patchwork of software solutions through multiple vendors doesn't necessarily equate to better protection, why would you take that chance with your business?
IT Service Management Policy Template Updated
The IT Productivity Center, a division of Janco Associates, Inc. announced an update to IT Service Management Template. IT Service Management (ITSM) is defined as part of a rapidly accepted standard of best practices known as IT Infrastructure Library (ITIL). The IT Service Management template joins the IT Productivity Center's CIO and IT Productivity series of tools and templates which include their popular Sarbanes Oxley Compliance Resource Kit and Disaster Recovery Plan Template. The ITSM update can be found at http://www.itproductivity.org/itsm.htm
Victor Janulaitis, CEO of Janco and the IT Productivity Center said "IT infrastructure productivity is the core of our firm's practice. We have created a set of tools to improve the productivity and quality of service provided by the IT function. With the IT Service Management Template and our Sarbanes Oxley Compliance Resource Kit enterprises of all sizes can quickly implement best practices." In addition he said. "... the IT Service Management template is now included in the CIO Productivity Bundle." The CIO Productivity Bundle, which is Sarbanes-Oxley compliant can be found at http://www.itproductivity.org/offer_cio.htm.
The IT Service Management Template (http://www.itproductivity.org/itsm.htm) contains policies, standards, procedures and metrics for Change Control, Help Desk and Service Request processing. The ITSM Template also contains the IT Productivity Center's Business and IT Impact Questionnaire, a Change Control Request Form and an Internet Use Approval Form. The template comes as a word document which can be used as a template to create customized procedures for any size enterprise.
The Sarbanes-Oxley Compliance Resource Kit (http://www.itproductivity.org/SOX.htm) which was released in January now has a Platinum Edition which contains the IT Service Management Template.
Janco also announced the activation of its new web site www.it-toolkits.com. The site provides productivity tools for IT and the Chief Information Officer in particular. Included are Janco's Browser Study, CIO Productivity Kit, Disaster Recovery Template, Security Template, IT Salary Survey, IT Job Descriptions, and Sarbanes-Oxley Compliance Resource Kit.
Paid searches sometimes include links to spyware or shady companies
A Google search for "spyware" turns up more than 100 paid results. Searching for "spyware cleaner" on MSN's search engine turns up a paid link that takes the user to Secure Computer's site, where Web users are told that the product is "not available for download or sale until further notice." Secure Computer has admitted that there are problems with Spyware Cleaner, and it pulled the product from the market shortly after being sued last week.
The practice of unsavory spyware advertising is particularly troubling, because it often catches consumers at a vulnerable time, as they desperately look for a way to fix their infected computers.
Disaster Management Plan for Remote Access
Telecommuting and mobile access can help enterprises cope with emergencies. When disaster strikes, key company locations may go offline or be physically inaccessible. Remote work capability will keep businesses running.
IT Cost Management Tool
Managing IT costs and the service delivery process was just made easier with the release of The Metrics, IT Service Management and Service Level Agreement bundle.
Delivering quality IT service and measuring IT's performance is a difficult and time-consuming exercise. Many enterprises believe that they do not have the time, money, or resources to initiate and monitor the processes necessary to do this. However, enterprises cannot determine how much something is worth unless its value can be quantified. It is a necessity of the new economy that every business unit needs to demonstrate its worth while meeting necessary service objectives.
Sarbanes-Oxley is a Casualty of Disasters
Sarbanes-Oxley Section 404 requires that:
- Enterprises have an enterprise wide security policy;
- Enterprises have enterprise wide classification of data for security, risk, and business impact;
- Enterprises have security related standards and procedures;
- Enterprises have formal security based documentation, auditing, and testing in place;
- Enterprises enforce separation of duties; and
- Enterprises have policies and procedures in place for Change Management, Help Desk, Service Requests, and changes to applications, policies, and procedures.
Disaster Recovery Plan Template Saves the Day
Katrina shows the exposure of businesses that do not have a Disaster Recovery Plan in place. This may provide little solace for small and midsize businesses brought down by Hurricane Katrina, but for as little as $20 per month they could have backed up their individual workstations to a server site in Salt Lake City.