
Audit


The Metrics for the Internet, Information Technology and Service Management HandiGuide® is over 300 pages, defines 540 objective metrics, and contains 83 metric reports that show over 240 objective metrics. More...

Outsource

 

The Practical Guide for IT Outsourcing is delivered electronically in WORD and/or PDF format. Included is a 3 page Job Description for the Manager Outsourcing. Sarbanes-Oxley issues addressed directly. Included is an ISO 27001 and ISO 27002 audit program. More..

Change Management

 

With the explosion of technology into every facet of the day-to-day business environment, there is a need to define an effective infrastructure to support the operating environment; have a strategy for the deployment and technology; and clearly define responsibilities and accountabilities for the use and application of technology. More...

Hiring Kit

 

The Safety Program Template is 60 pages and includes everything needed to customize the Safety Program to fit your specific requirement. The program reflects the latest issues associated with the most recent legislation (Sarbanes Oxley). More..

Patriot Act Security Bundle


The Patriot Act Security Bundle contains the Security Manual Template; the Disaster Recovery Plan Template; the Sensitive Information Policy Template; the Internet, E-Mail & Electronic Communications Policy Template; the Internet and PC Workstation Policies and Procedures HandiGuide; and 3 key job descriptions - Chief Security Officer (CSO) - Manager Internet - Intranet and Internet Administrator.

The Patriot Act Security Bundle has been updated to reflect all of the legislation that has been enacted by the United States Congress. You can purchase the entire bundle by clicking on the order button above or individual components by clicking on the images below.

Security Manual Template - Policies and Procedures

The Security Manual Template includes two of our most popular and successful tools - the Business & IT Impact Analysis Questionnaire and the Threat and Vulnerability Assessment Tool.
  
The Security Manual Template is over 200 pages and includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirement.  The electronic document includes proven written text and examples for the following major sections for your security plan:

  • Security Manual Introduction
  • Risk Analysis
  • Staff Member Roles
  • Physical Security 
  • Facility Design, Construction and Operational Considerations
  • Media and Documentation
  • Data and Software Security
  • Network Security
  • Internet and Information Technology Contingency Planning
  • Insurance
  • Outsourced Services
  • Waiver Procedures
  • Incident Reporting Procedures
  • Access Control Guidelines
  • Glossary
  • Sample Forms


Sensitive Information Policy

Sensitive Information Policy Template

Policy defines how to treat Credit Card, Social Security, Employee, and Customer Data.  The policy is 15 pages in length. This policy complies with Sarbanes Oxley Section 404.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).


Disaster Recovery Plan Template

Disaster Recovery Plan (DRP) and
Business Continuity Plan (BCP)

This Disaster Recovery Plan (DRP) can be used as a template for any size of enterprise. The DRP is sent to you via e-mail in WORD and/or PDF formats. Included is a 13 page Business Impact Questionnaire as well as a 3 page Job Description for the Disaster Recovery Manager.

The Template includes the following sections in pre-written format. There is no reason for you to re-invent the process. The template has all of the text and forms that you need.

  • Plan Introduction
  • Work Plan to implement the template
  • Business Impact Analysis
  • DRP Organization Responsibilities
  • Backup Strategy
  • Recovery Strategy 
  • Disaster Recovery Procedures Check List
  • Plan Administration Process
  • 13 page Risk Assessment - Business Impact Questionnaire
  • 3 page Job Description for Disaster Recovery Manager
  • Plus much more


Internet and PC Workstation Policies & Procedures HandiGuide

Internet and PC Workstation Policies and Procedures HandiGuide

The use of the Internet and PCs is now part of normal work and personal activities. Terms such as cyberspace, information highway and the Internet are now part of everyone's vocabulary. New operating systems, complex networks, inter-company e-mail and work at home programs have made the management of most enterprises understand the total effort required to support PCs, LANs and workstations. With this in mind, we've developed the Internet and PC Workstation Policies and Procedures HandiGuide® to assist you in managing your environment with valuable guidelines, rules, forms, and standards that many enterprises have already adopted. Some of the chapters include:

  • Security Guidelines
  • Back-Up and Recovery
  • Service Requests
  • Electronic
  • Communication
  • Internet
  • Security Guidelines
  • Facility Requirements
  • Local Area Networks
  • Business Resumption Plan
  • Applications Development Standards
  • Viruses
  • Justification, Acquisition & Support
  • Manager's PC & LAN
  • Responsibilities
  • Change Control
  • How to get Technical Support


Internet, Email & Electronic Communication Policy

Internet, Email & Electronic Communication Policy sections include appropriate use of equipment, Internet access, Intellectual Property, e-mail, e-mail retention period, data security and ownership of information. This has been updated to reflect file sharing, music and video file capture and use.

3 Key Job Descriptions:

  • Chief Security Officer (CSO)
  • Manager Internet and Intranet
  • Internet - Intranet Administrator


 

 

 

Patriot Act and Security News


Disaster Plan - Yes or No

In many businesses, disaster recovery plans (DRPs) are often inadequate or outdated and in small to mid-sized businesses the situation is even worse: only a relatively small percentage have any form of plan. Why do so many businesses have such a lackadaisical approach to disaster recovery planning? Probably because it is a long and complicated process that ties up key personnel, can be costly to produce, and will change over time so it has a limited shelf life. And why spend time producing a document that may well never be needed? But any business that does not create a DRP is gambling that disasters will not strike and gambling with the livelihood of its employees and with the investments of shareholders and stakeholders.

According to Gartner, a leading research and advisory company, 40% of businesses that encounter a disaster close their doors within the following five years. For the 60% that do survive, the expenses that result from a loss of continuity can be significant.

According to Janco Associates, an international Disaster Recovery - Business Continuity consultancy, the most common form of enterprise-wide disaster is related to power outages. Janco has found that, in the disaster recovery and business continuity cases it has reviewed, the following is true:

  • Over one third of companies take more than a day to recover from a major power outage caused by events like hurricanes and extensive disasters.
  • Over eleven percent of companies take more than a week to recover from these events.
  • The typical time to reconfigure a network that has not been planned for can take up to 72 hours - if the resources are available.
  • Data that is lost (not backed up electronically) can take weeks to re-enter if there is a paper trail, and if there is none the data can be lost forever.
  • Over 85 percent of companies that experience a computer disaster and do not have a Disaster Recovery - Business Continuity Plan go out of business within 18 months.

 



Scope of Disaster Planning is expanding as world events escalate

Disaster Planning scope continues to expand.  The volcanic ash air travel crisis caught many by surprise but in hindsight it was a predictable outcome of an event which was almost inevitable. What other such outliers are there? Continuity Central believes that using the huge experience of our global readership of business continuity managers many of these can be identified in advance.

If you add terrorist attacks on infrastructure that can cause widespread environmental damage, like the oil rig explosion in the gulf, the events to be considered are almost infinite.

A Yellowstone eruption, which would be a supervolcano, would make the ash problems from the Icelandic volcano look like a minor event. It would impact the entire US except California. According to the Yellowstone Volcano Observatory, the last supervolcanic eruption occurred 74,000 years ago at the Toba Caldera in Sumatra, Indonesia. Other known supervolcanoes around the world include Long Valley in eastern California, Toba in Indonesia, and Taupo in New Zealand. In addition, other potential supervolcanoes include large caldera volcanoes of Japan, Indonesia, and South America.



Touch screens are a security risk according to U of Penn

A University of Pennsylvania researcher presented a paper at the Usenix conference analyzing "Smudge Attacks on Smartphone Touch Screens."


Based on his results, "the practice of entering sensitive information via touchscreens needs careful analysis," said the researchers. "The Android password pattern, in particular, should be strengthened." But they cautioned that any touchscreen device, including ATMs, voting machines, and PIN entry devices in retail stores, could be susceptible to smudge attacks.

Touchscreens, of course, are an increasingly common feature of mobile computing devices. According to one market research firm, 363 million touchscreen mobile devices will be sold in 2010, an increase of 97% over last year's sales. But are passwords entered via touchscreens secure?



The key elements of business continuity management defined


Writing and testing a disaster recovery plan is one of the key elements of business continuity management. Traditionally, business continuity and disaster recovery (DR) planning have been separated between the business and the information technology department. It has long been recognised that this ‘divide’ creates more problems than it solves. After all, most businesses could not continue to operate successfully if their IT services were unavailable for a period of time; depending on the nature of your business, this may well range from a few hours to several days. The recent launch of BS25999 has established a business continuity management (BCM) standard which intrinsically links BCM, incident management, and IT DR. Essentially, the key message is that to have true business continuity you must also have strong IT DR capability.


A disaster recovery plan should interface with the overall business continuity management plan, be clear and concise, focus on the key activities required to recover the critical IT services, be tested, reviewed and updated on a regular basis, have an owner, and enable the recovery objectives to be met.



External Drives are a security risk

The Department of the Navy's CIO Privacy Office was notified on July 27 that a Naval headquarters office had been burglarized, and that the thieves had stolen at least 10 laptops and nine external hard drives. In its initial report, the Privacy Office said that one laptop contained a file with passwords and user names; personal financial data including bank accounts, investment accounts, and credit card information; a personal contact list with cell phone numbers, addresses, and birth dates; "government only" contract information; discrimination and hostile work environment correspondence; and other sensitive information.

Upon investigation, the Navy found that the laptop contained "high risk" personally identifiable information on only eight people. And the external hard drives were either still in their boxes or encrypted when taken. 

The incident emphasizes the importance of security policies and continued vigilance over insider threats, according to the Navy department of the CIO privacy team lead, who disclosed the breach in a blog post on the Navy CIO's Web site.

"External hard drives are becoming as vulnerable as thumb drives," Muck wrote. "A best practice should be to physically secure them at the end of each work day."

The Navy Privacy Office advised employees to never store personally identifiable information or unencrypted user names and passwords on government computers. He also reminded them of the importance of inventory control policies.



What Does Disaster Recovery and Business Continuity Mean

The IT industry continues to add emphasis and focus to Disaster Recovery and Business Continuity Planning. While the concept has been around for many years, Disaster Recovery has a different connotation today. As business technology and software applications have advanced, Disaster Recovery has come to mean more than simply the ability to get your systems back online after a power outage. Companies are now expected to recover from unforeseen disasters, and retrieve contracts, memos, invoices, signatures and all other critical documents with minimal interruption.

There is little doubt of the importance of an effective backup plan if a natural or man-made disaster destroys your business records. Many companies, however, still have yet to implement a Disaster Recovery plan, believing that the chance of it happening to them is too slim.

The reality is that an organization may declare a disaster for a number of reasons, including:

  • Extreme weather conditions
  • Prolonged power or communications failure
  • Robbery or other criminal activity
  • Civil unrest
  • Terrorist acts


End of life for XP will increase security risk

Three out of four companies will soon face more security risks because they continue to run the soon-to-be-retired Windows XP Service Pack 2 (SP2), a report published today claimed.

According to a Toronto, Canada-based technology provider, 77 percent of the organizations it surveyed are running Windows XP SP2 on 10 percent or more of their PCs. Nearly 46 percent of the 280,000 business computers they analyzed rely on the aged operating system.



Remote Branch Offices are a Disaster Recovery Business Continuity Risk

Distributed data at remote and branch offices (ROBOs) continues to grow substantially year after year. Leaving this data unprotected or inadequately protected poses serious business risks for organizations. Protection approaches require careful consideration, as factors such as technical complexity, capital and operational costs, and expertise of personnel must be taken into account.

Local disk-based data protection strategies improve backup efficiency and reliability over tape-based ones. Consolidation of edge data to the core data center may introduce further efficiencies. Data de-duplication can drive both backup-to-disk and consolidation adoption.



Necessary Steps in Developing a Disaster Recovery Business Continuity Plan That Works

The process of developing a disaster recovery & business continuity plan requires that you:

  • Provide management with a comprehensive understanding of the total effort required to develop and maintain an effective recovery plan;
  • Obtain commitment from appropriate management to support and participate in the effort;
  • Define recovery requirements from the perspective of business functions;
  • Document the impact of an extended loss to operations and key business functions;
  • Focus appropriately on disaster prevention and impact minimization, as well as orderly recovery;
  • Select project teams that ensure the proper balance required for plan development;
  • Develop a contingency plan that is understandable, easy to use and easy to maintain; and
  • Define how contingency planning considerations must be integrated into ongoing business planning and system development processes in order for the plan to remain viable over time.


Apple a monopolist?

Apple is acting like a monopolist with its effort to promote HTML5 as the future and to cast Adobe Flash as the past. Apple on Friday launched a new series of Web pages called "HTML5 Showcase."

HTML5 is the emerging standard for the next generation of Web pages and applications. It remains a draft specification and isn't expected to be finalized for years.

Apple has been promoting HTML5 as an alternative to Flash, which company CEO Steve Jobs has spent the past few months deriding as slow, power-hungry, insecure, ill-suited for touch-based devices, and deleterious to the progress of the iPhone OS platform.

Apple's crusade against Flash continues in its HTML5 Showcase with its observation that HTML5, as a standard, isn't an add-on to the Web (like Flash).
