Disaster Recovery Plan Template
Security Manual Template

Security Manual Template Policies and Procedures

ISO 27000 (27001 & 27002) - Sarbanes-Oxley - PCI - Patriot Act - HIPAA Compliant


This Security Manual for the Internet and Information Technology is over 240 pages in length. The template is compliant with ISO 27000 (formerly ISO 17799), Sarbanes-Oxley, Patriot Act and HIPAA and includes a PCI DSS Audit program. All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes-Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes-Oxley.

Clients can also subscribe to Janco's Security Manual update service and receive all updates to the Security Manual Template. 

The template includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirements. The electronic document includes proven written text and examples for the following major topics / sections for your security plan:

  • ISO 27000, Sarbanes-Oxley, Patriot Act, and HIPAA compliant
  • Security Manual Introduction - scope, objectives, general policy, and responsibilities
  • Risk Analysis - objectives, roles, responsibilities, program requirements, and practices program elements
  • Staff Member Roles - policies, responsibilities and practices
  • Physical Security  - area classifications, access controls, and access authority
  • Facility Design, Construction and Operational Considerations - requirements for both central and remote access points
  • Media and Documentation - requirements and responsibilities
  • Data and Software Security - definitions, classification, rights, access control, INTERNET, INTRANET, logging, audit trails, compliance, and violation reporting and follow-up
  • Sensitive Information Policy
  • Network Security - vulnerabilities, exploitation techniques, resource protection, responsibilities, encryption, and contingency planning
  • Internet and Information Technology Contingency Planning - responsibilities and documentation requirements
  • Travel and Off-Site Meetings - specifics of what to do and not do to maximize security

  • Insurance - objectives, responsibilities and requirements
  • Outsourced Services - responsibilities for both the enterprise and the service providers
  • Waiver Procedures - process to waive security guidelines and policies
  • Incident Reporting Procedures - process to follow when security violations occur
  • Access Control Guidelines - responsibilities and how to issue and manage badges / passwords
  • Sample Forms
    • Business and IT Impact Questionnaire
    • Threat & Vulnerability Assessment Tool
    • Security Violation Reporting form
    • Security Audit form
    • Inspection Check List
    • New Employee Security form
    • Security Access Application form
    • Employee Termination Checklist
    • Supervisor's Employee Termination Checklist
    • Sensitive Information Policy Compliance Agreement
    • HIPAA Audit Program Guide
    • ISO 27000 (27001 & 27002) Security Checklist
    • PCI DSS Audit Program

Standard Edition Security Manual Template

  • Security Manual Template in MS Word Format
  • Business and IT Impact Questionnaire MS Word Format
  • Threat and Vulnerability Assessment Form PDF and MS Excel Format
  • HIPAA Audit Program MS Word Format
  • Sarbanes Oxley Section 404 Checklist MS Word Format
  • Security Audit Program - fully editable
    • Comes in MS EXCEL and PDF formats
    • Meets ISO 27001, 27002, Sarbanes-Oxley, PCI-DSS and HIPAA requirements
    • Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings
  • Electronic forms that can be emailed, completed via a computer or tablet, and stored electronically, including:

    • Blog Policy Compliance
    • Company Asset Employee Control Log
    • Email - Employee Acknowledgment
    • Employee Termination Checklist
    • Internet Access Request
    • Internet Use Approval
    • Internet & Electronic Communication - Employee Acknowledgment
    • Mobile Device Access and Use Agreement
    • Employee Security Acknowledgement Release
    • Preliminary Security Audit Checklist
    • Security Access Application
    • Security Audit Report
    • Security Violation Reporting
    • Sensitive Information Policy Compliance Agreement

Premium Edition Security Manual Template

  • Security Manual Template in MS Word Format
  • Business and IT Impact Questionnaire MS Word Format
  • Threat and Vulnerability Assessment Form PDF and MS Excel Format
  • HIPAA Audit Program MS Word Format
  • Sarbanes Oxley Section 404 Checklist MS Word Format
  • Security Audit Program - fully editable
    • Comes in MS EXCEL and PDF formats
    • Meets ISO 27001, 27002, Sarbanes-Oxley, PCI-DSS and HIPAA requirements
    • Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings
  • Electronic forms that can be emailed, completed via a computer or tablet, and stored electronically, including:

    • Blog Policy Compliance
    • Company Asset Employee Control Log
    • Email - Employee Acknowledgment
    • Employee Termination Checklist
    • Internet Access Request
    • Internet Use Approval
    • Internet & Electronic Communication - Employee Acknowledgment
    • Mobile Device Access and Use Agreement
    • Employee Security Acknowledgement Release
    • Preliminary Security Audit Checklist
    • Security Access Application
    • Security Audit Report
    • Security Violation Reporting
    • Sensitive Information Policy Compliance Agreement
  • Security Job Descriptions MS Word Format
    • Chief Security Officer (CSO)
    • Chief Compliance Officer (CCO)
    • VP Strategy and Architecture
    • Director e-Commerce
    • Database Administrator
    • Data Security Administrator
    • Manager Data Security
    • Manager Facilities and Equipment
    • Manager Network and Computing Services
    • Manager Network Services
    • Manager Training and Documentation
    • Manager Voice and Data Communication
    • Manager Wireless Systems
    • Network Security Analyst
    • System Administrator - Unix
    • System Administrator - Windows

Gold Edition Security Manual Template

  • Security Manual Template in MS Word Format
  • Business and IT Impact Questionnaire MS Word Format
  • Threat and Vulnerability Assessment Form PDF and MS Excel Format
  • HIPAA Audit Program MS Word Format
  • Sarbanes Oxley Section 404 Checklist MS Word Format
  • Security Audit Program - fully editable
    • Comes in MS EXCEL and PDF formats
    • Meets ISO 27001, 27002, Sarbanes-Oxley, PCI-DSS and HIPAA requirements
    • Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings
  • Electronic forms that can be emailed, completed via a computer or tablet, and stored electronically, including:

    • Blog Policy Compliance
    • Company Asset Employee Control Log
    • Email - Employee Acknowledgment
    • Employee Termination Checklist
    • Internet Access Request
    • Internet Use Approval
    • Internet & Electronic Communication - Employee Acknowledgment
    • Mobile Device Access and Use Agreement
    • Employee Security Acknowledgement Release
    • Preliminary Security Audit Checklist
    • Security Access Application
    • Security Audit Report
    • Security Violation Reporting
    • Sensitive Information Policy Compliance Agreement
  • 243 Job Descriptions from the Internet and IT Job Descriptions HandiGuide in MS Word Format including all of the job descriptions in the Premium Edition.

Infrastructure and Security Policies and Procedures News


Expensive weather and climate disasters in the United States

02/02/2012

Disaster Recovery and Business Continuity plans need to consider natural weather and events. The effects that natural events have on the environment directly and indirectly may be harmful to people. Forest fires and volcanoes harm air quality. Hurricanes and floods can contaminate water supplies and damage wastewater facilities. Any of these can spread contaminated materials into the environment.

The United States set a record with 12 separate billion-dollar weather/climate disasters in 2011, with an aggregate damage total of approximately $52 billion, according to the National Oceanic and Atmospheric Administration. That is just continuing the trend of the past 30 years.

These incidents have prompted many organizations to reconsider the human element during a crisis or major news event and evaluate how they communicate with employees, suppliers, investors and customers. Emergency and mass notification systems are designed to help organizations communicate to stakeholders during an incident or disruption. However, in response to the high occurrence of prominent disasters in recent years, the marketplace has been flooded with products to address emergency and mass notification needs. The need to diligently evaluate vendors is critical to ensure that services will meet an organization's specific requirements.

Disaster Life Cycle

01/20/2012

A business disruption has a life cycle; it starts small and could potentially become a disaster of epic proportion, depending on its duration. The longer the duration, the greater the disruption to your business. Your organization’s response should shift as an incident evolves from threat to emergency to crisis to disaster. It’s one thing to say access to contract data isn’t essential for a day or two, but what about a week or two? This is why it’s important to protect more than just data. Now that you know what processes are critical to the operation of your business, you can consider threats according to their impact on those critical processes.

To help you mitigate impact to your core processes, your plan should address three key phases:

  • Business Continuity Response - these are the steps you take immediately to sustain your core processes, your primary business priorities
  • Disaster Recovery Response - these are the steps you take to extend your core processes indefinitely and address your secondary priorities
  • Restoration Planning Response - these are the steps you take to restore your business to its pre-incident level

DRP for virtual data centers

01/08/2012

Protecting application data from disasters is critical to keeping businesses up and running. Yet traditional disaster recovery solutions were never intended to address the needs of today's virtualized data center.

As a result, the cost and complexity of using traditional disaster recovery products to address data replication needs in highly virtualized environments forces many organizations to forego disaster recovery altogether.

Business continuity management will minimise business interruptions

12/14/2011

In addition to this, it is integral for managers to devise business continuity plans to deal with the threats identified by setting out what needs to be done should a certain event occur.

And although it is not possible to avoid all risks, business continuity management (BCM) can minimise the disruption to a business to a great extent, protecting its share price, stakeholder relations, and reputation, among others.

With that said, BCM is a critical strategic function that cannot be neglected by any organisation whatsoever.

Still, managers often neglect charting a strategic course for their company's future survival, which in itself poses a huge risk, seeing that there are many internal and external events that could impact on a company's overall performance, such as:

  • the death of the CEO, owner or key staff member
  • fire, flood or earthquake damage - this could hamper operations while organisations repair damages or settle insurance claims
  • an interruption in the supply chain
  • the loss of a major client
  • production line failure or breakdown
  • failure to stay abreast of technological innovation
  • product failure or contamination
  • interruption in telecommunications or power supply

Tape still used in my DR plans

11/05/2011

Data protection requirements are further necessary to comply with regulated and long periods of data retention. For example, laws about data storage and privacy apply to the vertical markets of the medical industry. HIPAA requires medical companies to store patients’ medical records for five to seven years, and to store their childhood records for the life of the patient. This data also has to be highly secure and easily accessible to address patient care and also for legal reasons, such as a mishap in the office. Laws like this exist in many other industries as well, and a company is advised to research legal strictures on data protection. If there is a law requiring compliance, companies must often store more data for a longer period of time, necessitating secure, cost‐effective storage.

These requirements build a basis for using tape for data protection in the mid‐market, in part because of the high likelihood that organizations already use some form of tape in their IT set‐ups. Tape continues to be the preferred home for nearly 70 percent of the world's data. Using tape for DR automatically builds on existing infrastructure and practices, and provides cost‐effective long‐term storage that addresses DR and legal compliance.

Business continuity failures drive RIM's downtime

10/28/2011

RIM's problems raise some important issues for all business continuity managers:

  • Successful tests do not guarantee that business continuity strategies will work.
  • Holistic business continuity plans need to consider the failure of failover systems and require that strategies are in place to deal with such a situation.
  • High availability systems are not a substitute for conventional business continuity and disaster recovery solutions. The latter provide the belts and braces required for total system assurance.

According to RIM, the downtime was the result of the failure of a core network switch and then the failure of business continuity processes which were meant to kick in.

RIM explained the situation in a service message posted on Facebook:

"The messaging and browsing delays being experienced by BlackBerry users in Europe, the Middle East, Africa, India, Brazil, Chile and Argentina were caused by a core switch failure within RIM’s infrastructure. Although the system is designed to failover to a back-up switch, the failover did not function as previously tested. As a result, a large backlog of data was generated, and we are now working to clear that backlog and restore normal service as quickly as possible. We apologize for any inconvenience, and we will continue to keep you informed."

 

Disaster Recovery and Business Continuity Planning Considerations for Email

10/16/2011

Disaster recovery and business continuity planning considerations are crucial when deploying any email system. Not only is it important to have a plan in the event of a local outage, but careful consideration should also be given to the chance of an entire site failure. In the event of a disaster, the first system that needs to be brought online is communications. E-mail is the ideal method of communication, but users need access and the environment has to be able to withstand a major service interruption.

One issue is that failing over to the backup site is a manual process and most systems do not include a mechanism to fail back to the primary site. Getting the primary site back online is a labor- and network-intensive process. Another is that most email systems do not utilize compression, which results in additional network bandwidth consumption.

BlackBerry impacted by latest outage and gets negative image in social networks

10/12/2011

The risks of using social media for critical service announcements were highlighted when BlackBerry posted notices of downtime on various social media channels.

BlackBerry users in Europe, the Middle East and Africa were unable to use email, BBM and various other services due to a major fault. To inform users of the incident, BlackBerry chose to utilize social media, posting a message stating:

"Some users in EMEA are experiencing issues. We're investigating, and we apologise for any inconvenience."

This basic message resulted in a stream of abuse and negative comments, with 2,500+ messages being posted on Facebook alone.

The themes of many of the complaining comments were:

  • Questions about when services would be restored;
  • Questions about whether Blackberry would provide compensation for the downtime;
  • Questions about why Blackberry customer services employees were not responding to comments posted by users;
  • Generally abusive comments by people using the incident as a means of venting existing frustrations with Blackberry.

The incident shows that companies need to think very carefully about whether unrestricted social media is an appropriate medium for customer service information. If organizations decide to go down this route, it is critical that messages are not just posted and left; they must be monitored and customer care employees must proactively engage with customer responses.

Egypt Caused CIO to Re-evaluate Disaster Recovery and Business Continuity Plans using remote sites

10/01/2011

The shutdown of the Internet in Egypt raised serious disaster recovery and business continuity questions:

  • How are business departments designed and deployed throughout the company globally?
  • How are critical functions dispersed through the various locations?

An efficiently run business is always looking at its model and adapting to change - not only within the four walls of the company, but also global changes. As we operate in a flat world, businesses need to consider factors that 20 years ago did not exist to the level they do today. Economic and social changes occurring around the globe on a regular basis force businesses to look at all factors from a comprehensive cost perspective. Business models need to adapt when it becomes disadvantageous being in a specific country. Issues such as unstable governments, civil unrest, devalued currency or inflation can cause the cost point to increase and push the business out of a market (for example, due to increased salaries and cost of living, or industries that are more favorable drawing on your employee pool). There are many more, but the point is that the dynamics of change outside of a company can greatly influence the inner workings of that company. And where the company goes, so does business continuity and disaster recovery.

Business continuity and disaster recovery programs must align and adapt with business models no matter how fluid they become, rather than react to those changes once they are in place.

Continuous Data Protection definition

09/16/2011

The focus on data protection and data recovery in traditional disaster recovery planning methodology reflects a practical reality: it makes little sense to re-host applications or reconnect users to the recovery environment if they have no data with which to operate. Next to personnel, data is an organization’s most irreplaceable asset. While other resources used in recovery avail themselves of strategies based either on redundancy or replacement, data cannot be replaced: to protect and recover data, it must be copied (made redundant).

This has been the focus of much of the discussion of continuity planning: how to make data redundant for safety. Typically, this entails a combination of approaches collectively described as defense in depth. Typically, some attention is paid to making data redundant at the transactional level—to protect against the accidental deletion or corruption of a file or database transaction and to enable recovery to a point in time just prior to the event itself. A number of technologies are available for this purpose, and the term Continuous Data Protection (CDP) has become an umbrella concept.

Disaster Plan Quick Action Steps

09/12/2011

Every IT manager knows the importance of having an effective and fast disaster recovery (DR) plan. Organizations without an adequate plan may find themselves out of business quickly after experiencing a major disaster. Organizations that ensure survival following a disaster understand the basics of creating a good plan.

A disaster recovery is a response to a declared disaster or a regional disaster. It is the restoration or recovery of an entire Agent computer. A disaster recovery plan describes how an organization is to deal with potential disasters. Just as a disaster is an event that makes the continuation of normal functions impossible, a disaster recovery plan consists of the precautions taken so that the effects of a disaster will be minimized, and the organization will be able to either maintain or quickly resume mission-critical functions. Typically, disaster recovery planning involves an analysis of business processes and continuity needs; it may also include a significant focus on disaster prevention.

The Disaster Recovery Planning Template (DRP) can be used for any sized enterprise.  The template and supporting material have been updated to be Sarbanes-Oxley compliant.  The complete package includes:

  • Disaster Recovery Plan Template
  • Business and IT Impact Analysis Questionnaire
  • Work Plan

Status of business continuity plan

09/08/2011

An overlooked step in the business continuity process often flows from the assumption that an IT expert is always readily available. Due to the inherent unpredictability of a disaster, the IT staff that your company relies on may take time to find and start action. Considering this human latency when developing the recovery plan naturally highlights any undesirable complexity in the systems and processes, and the need to support recovery even with minimal IT expertise on hand.

Questions to consider during assessment:

  • Could a newly hired IT professional quickly handle the situation?
  • Could a remote IT engineer talk a novice through the procedures?
  • Could a smart phone web browser provide all needed access to bring your business back online?
  • Could all this happen within the RTO and RPO requirements?

In addition to reviewing your Business Continuity Plan, survey your executive team to get a realistic picture of their expectations. You could spend too much time thinking of costly alternatives to cover aspects of daily operations that may not be critical. When doing so, ask yourself and your executive team:

  • Specifically, what level of protection is necessary (RTO, RPO, LOS)?
  • Which aspects of your company’s business must stay operational in an emergency?
  • Are your physical, as well as virtual servers, protected?

Disaster recovery business continuity team leader tasks

09/05/2011

The tasks that the leader of a disaster recovery business continuity project needs to complete are:

  • Establish BC program lifecycle processes within your organization
  • Assess business and technology requirements for a BC plan
  • Evaluate business continuity risks to your organization
  • Identify and select cost-effective BC recovery strategies
  • Organize an effective BC team
  • Develop a BC plan document
  • Coordinate BC plan with external entities
  • Develop an effective test plan for testing the BC plan
  • Organize and conduct successful BC plan tests
  • Establish a process for maintaining the BC plan
  • Implement a BC plan change management process
  • Understand the main differences between a disaster recovery plan, emergency response plan, crisis management plan, and business continuity plan

Small Businesses Not Prepared for Disasters

08/31/2011

After reviewing the preliminary impacts of the recent hurricane on the East Coast, Janco finds that SMBs are not taking disaster preparedness for their computer and networking systems as seriously as they should. SMBs are at risk and most don't take action to prepare for disasters until after they have experienced loss from downtime. The result is that this lack of preparation has a significant impact on their customers and their business.

Over 30% of all Disaster Recovery Business Continuity Plans are not current, according to data gathered by Janco.

There are plenty of partial, outdated, or ineffective disaster and business continuity plans out there - why is it so difficult to get it right?

  • Data collection
  • Data inconsistency
  • Categorization
  • Manageability
  • Maintenance

Disaster Planning Tutorial

08/14/2011

Testing is critical to disaster recovery and small business continuity planning

Almost all good disaster recovery and contingency plans begin with developing a good, solid backup of data. Although systems and applications can be reinstalled and reconfigured, data cannot be rebuilt out of thin air. The key to working with a good backup is to check that the data is correct and that it can be successfully restored. That isn't always as easy as it seems. One company had such an issue. Their backup administrator didn't correctly follow procedures, and when he thought he was performing a backup, he actually wasn't writing anything. When they tried to restore a database, they determined that all the tapes were blank.

Most activations of disaster plans are driven by IT events -- not external events!!

08/12/2011

A business continuity company has published details of the invocations that it has handled for clients between January and June 2011.

These show that 94 percent of their customers that invoked their business continuity plan did so due to IT problems, with only six percent accounting for more dramatic incidents such as fire or flood. This means that the day-to-day causes of invocation, such as hardware failure or infrastructure loss, are 15 times more likely to occur than a flood or fire.

The director of Business Continuity and Infrastructure at the company said: "In our experience, many organizations focus on the likelihood of a major disaster, such as terrorism, extreme weather events, or fire, when deciding to implement a business continuity plan. However, our invocation statistics prove that it is the ordinary and not the dramatic that can also have significant impact."

"In today's just-in-time world, customers are highly transient and the excuse that the IT system is down is no longer acceptable to them. If they can't get what they want, when they want it, they will quickly go elsewhere - every minute the IT is down, customers are lost. Businesses therefore need their IT to be back up and running quickly, and without an effective business continuity plan in place that is an unlikely scenario."

Backup plan is first step in business continuity planning

07/20/2011

Backups provide the first layer of protection in a comprehensive DR plan. IT staff must ensure the integrity of all media and test the backups regularly to make sure data can be easily restored. It is also essential to store backup copies off-site in case of local or regional disasters, such as fires or earthquakes. Tape is still the most common and affordable backup media, but restoring from tape can be very problematic. Although efficient and reliable backups form the foundation of a complete DR strategy, IT teams still face several hurdles to retrieve critical information from a restore operation.

Business continuity managers have to obtain replacement hardware, reinstall operating systems, and reconfigure all software applications. In a traditional DR model, prior to virtualization, all of these processes can be very difficult and time-consuming since it is essential to restore every setting to exactly the way it was before the disruption.

Company fined for not having a disaster business continuity plan

07/15/2011

The US National Futures Association (NFA) has imposed a fine of $75,000 against Capital Market Services LLC (CMS), a Futures Commission Merchant located in New York.

The decision, issued by NFA's Business Conduct Committee, is based on an NFA Complaint filed and a settlement offer submitted by CMS.

The complaint alleged that CMS failed to implement adequate business continuity and disaster recovery plans and that CMS failed to report all system outages experienced by the firm to its customers and NFA. These outages left customers unable to enter new orders or manage their existing orders. In addition, the Complaint charged CMS with failing to adequately supervise the use of its electronic trading platforms.

NFA Compliance Rule 2-38 requires that 'Members establish and maintain a written BCDR plan to be followed in the event of an emergency or significant business disruption'.

Requirements of a basic disaster recovery plan

07/13/2011

Effective operations management requires clear, concise recovery execution or automation, enabling staff members to execute the same tasks and achieve similar results. In particular, an effective disaster recovery plan must address three key goals:

  • Minimize downtime: The consequences of extended downtime can be severe, not only in terms of lost business and lost productivity, but even in terms of survival for small organizations.
  • Minimize risk: Not having a disaster recovery plan often constitutes an unacceptable level of risk—but simply having a disaster recovery plan in place does not eliminate risk if its reliability is uncertain.
  • Control costs: Traditional disaster recovery plans are often limited in scope because of the costs associated with building and maintaining a recovery site, training staff members in disaster recovery processes, testing those processes, and so on.

Disaster plans are not keeping up with increased volumes

06/18/2011

Data volumes are expanding rapidly and many Disaster Recovery and Business Continuity plans are not keeping up. It is estimated that over half of large US enterprises had 11 terabytes or more of unstructured data - business documents, virtual machine images, email, media files, etc. - in their environments, with annual growth rates hovering around 60%. This is compounded by a 20% or more annual growth rate for transactional data, historically the bulk of data processing. With remote office staffing levels in decline, IT's ability to track and secure these growing data sets is in jeopardy.

Classifying systems for business continuity planning

06/01/2011

Because every IT system has a unique cost vs. time or risk-tolerance profile, it is useful to categorize each application.

One classification of categories is:

  • Mission-critical - applications that require continuous availability and synchronous or near real-time failover to an alternate site
  • Business critical - applications that require nearly continuous availability, but tolerate recovery times in the minutes
  • Online - applications that support important business processes, but with low usage and infrequent access, with minimal impact if down for a few hours
  • Noncritical - systems or data stores that cause no significant business disruption if offline for a few days or even a week
  • Offline or archival - seldom-used applications and data with large amounts of archival information that will not affect business operations if unavailable for a week or more

In addition to these categories, it is common to apply two standard parameters to applications for DR purposes: the recovery time objective (RTO) and recovery point objective (RPO). The former describes the time window within which an application must be brought online to avoid significant business loss (financial or otherwise), while the latter quantifies the amount of acceptable data loss you’re willing to suffer for a given application. In essence, RTOs focus on application availability and RPOs focus on data loss.


Downtime can cost companies customers

05/31/2011

Do you know what it would cost your business if your systems and data were unavailable for just an hour, or a day, or even a week or more? Various studies conducted after natural disasters such as Hurricane Katrina and other major outages have shown that an estimated 25% of businesses never reopen after such a loss, and about 50% will be out of business within 2 years. Even an application and data loss that is not recoverable within three days can permanently impact a company’s financial health; in fact, 40% of all businesses will never recover from such a loss. Even a few hours of downtime can ring up a very high price, so it makes financial sense to evaluate your business now and come up with a backup plan to protect the vital core of your company.

Another factor that needs to be considered when evaluating the full extent of a business disruption is that your company doesn’t only risk losing data, it risks losing its customers, and that can be very costly. For example, a market research firm that conducts customer satisfaction and loyalty studies has concluded “it takes many fewer resources to retain a satisfied customer coming back than it does to recruit new ones.” They estimate that “the ratio of resources spent on retaining existing customers to resources spent on attracting new ones can range from 1 to 2 to as much as 1 to 5, depending on the industry and local market characteristics.”

Other impacts can be felt in terms of business records, regulatory reporting, and compliance. A 2008 report from the U.S. Small Business Agency’s Office of Advocacy, “The Impact of Regulatory Costs on Small Firms,” indicated that federal regulatory compliance absorbed about 14 percent of U.S. national income. Clearly, even when things are operating smoothly the costs to maintain records and compliance are high, so significant downtime will significantly multiply that expense.


Creating a disaster plan for Exchange

05/29/2011

Because email is one of the most important tools employees use on the job, Exchange is a mission-critical application for millions of businesses around the world. And while email is essential for communications, email systems are also used as a repository of critical business information.

The proper protection of Exchange data and its archives is often mandated by external regulations and HR initiatives. Therefore, maintaining the health and availability of messaging systems, and the integrity of the information and intellectual property housed within them, is becoming the most critical daily task for administrators.

Creating and implementing a data protection and disaster recovery (D/R) strategy enables you to protect your organization’s data against loss, recover it quickly in the event of a disaster, and comply with regulations and corporate policies.


Data Backbone of Disaster Recovery

05/14/2011

Data is the backbone of every organization. No matter the business, industry, or size, reliable data access is essential to operations. As that data continues to grow exponentially, it is important to have a backup and recovery strategy that meets current business needs and has the flexibility to grow and change.

Protecting your data is vital to the survival and growth of your business. You must keep your systems and employees up and running - and productive - even as fast backup and restore processes are being completed. And, should a "worst-case scenario" occur, being prepared with an appropriate disaster recovery plan is essential.

The Disaster Recovery Plan (DRP) can be used as a Disaster Planning template for any size of enterprise. The Disaster Recovery template and supporting material have been updated to be Sarbanes-Oxley and HIPAA compliant.


Disaster Planning and Business Continuity Best Practices

05/13/2011

Disaster recovery and business continuity best practices - the top 7 best practices for the disaster recovery plan:

1. Focus on operations
2. Train everyone on how to execute the DRP and BCP
3. Have a clear definition for declaring when a disaster or business interruption occurs that will set the DRP and BCP process into motion
4. Integrate DRP and BCP with change management
5. Focus on addressing issues BEFORE they impact the enterprise
6. Validate that all technology is properly installed and configured right from the start
7. Monitor the processes and people to know what critical
