Join Our Email List
Email:  

Sensitive Information Policy

Sensitive Information Policy defines how to treat Credit Card, Social Security, Employee, and Customer Data.
 

This policy covers the treatment of Credit Card, Social Security, Employee, and Customer Data.  The policy is 15 pages in length. This policy complies with Sarbanes Oxley Section 404.

The policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).

---

Other Individual Policies

All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who just need this particular policy.  All policies are Sarbanes-Oxley, HIPAA, and Patriot Act compliant.

 

---

Record Management, Retention, and Destruction Policy

    

A record is essentially any material that contains information about your company’s plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record – and you are now expected to retain and manage every one of those records, for several years or even permanently depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers who must come up with rock-solid solutions to securely store and manage all this data.

The Record Management, Retention, and Destruction is a detail policy template which can be utilized on day one to create a records management process.  Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.

You areas included with this policy template are:

• Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
• Policy
• Standard
• Scope
• Responsibilities
• Record Management
• Compliance and Enforcement
• Email Retention and Compliance
• Job Description Manager Record Administrator
• 12 forms for Record Retention and Disposition Schedule

You can download the Table of Contests and selected pages for this policy template.

    

 

---

Outsourcing Policy

This policy is eighteen page in length and defines everything that is needed for a function to be outsourced.  The policy comes as a Microsoft Word document (Word 2003 & Word 2007) that can be modified as needed.  The template has been updated to include a HIPAA audit program definition:

• Outsourcing Management Standard
  • Service Level Agreement
  • Responsibility
• Outsourcing Policy
  • Policy Statement
  • Goal
• Approval Standard
  • Base Case
  • Responsibilities 

Note: Look at the Practical Guide for Outsourcing over 110 page document for a more extensive process for outsourcing

 

---

 

Internet, E Mail, Mobile Device, Electronic Communication, and Record Retention Policy

This policy is is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and Sensitive information), and covers:

• Appropriate Use of Equipment
• Mobile Devices
• Internet Access
• Electronic Mail
• Retention of Email on Personal
• E-mail and Business Records
• Copyrighted Materials
• Banned Activities
• Ownership of Information
• Security
• Sarbanes-Oxley
• Abuse

Included are these ready to

• Internet & Electronic Communication Employee Acknowledgement
• E-Mail - Employee Acknowledgement
• Internet Use Approval Form
• Internet Access Request Form
• Security Access Application Form

---

Travel and Off-Site Meeting Policy

Protection of data and software is often is complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other  employees, contractors, suppliers and customers data and software can be compromised.  This policy is four page in length and covers:

• Data and application security
• Minimize attention
• Shared public resources
• Off-site meeting special considerations

---

 

Backup and Backup Retention Policy

The Backup and Backup Retention policy is an 11 page sample policy that is a complete policy which can be implemented immediately. 

The document is provided in both Word 2003 and Word 2007 formats and is easily modified.  This policy is included in the Disaster Recovery / Business Continuity Template

  

 

Below is a table from the policy.

 

Type of Data	Minimal Backup Policy	Backup Retention Policy
System software	Latest Version plus patches  At Least Weekly	Annual (verified) Backup Monthly Generations Weekly Generations
Application software	Latest Version plus patches At Least Weekly	Annual (verified) Backup Monthly Generations Weekly Generations
System data	Daily	Annual (verified) Backup Monthly Generations Weekly Generations Daily Generations
Application Data	Daily with real time transaction files	Annual (verified) Backup Monthly Generations Weekly Generations Daily Generations
Software licenses, encryption keys, & Protocol Data	Weekly	Annual (verified) Backup Monthly Generations Weekly Generations

 

  

 

Productivity Policies and Procedures News

---

Bank of America site goes down....

Bank of America was investigating an outage that affected an unknown number of customers but had ruled out a cyberattack, a representative said. Their disaster recovery plan was not activated.

"Our online-banking service is available," spokeswoman Anne Pace said in a telephone interview on Friday afternoon. "We ruled out a cyberattack, but are working with partners to determine the root cause."

Disaster Recovery Plan Template Business Continuity

The Standard - Over 3,000 Companies World Wide have chosen this DRP/BCP Template

Checks  found the site down during the morning and afternoon, as late as 2:50 p.m. PST. Several people reported the outage to and Business Insider reported that the site was down most of the morning. Several others reported that they were able to get through to the site, although at least one said it was sluggish.

Bank of America's Twitter account was reporting that "Our Web site is available. However, some customers are having intermittent issues with access. We are working to determine the root cause."

One person reported that he discovered a work-around: "I tried going to the site via my mobile device, and it works! So then I typed the URL that my mobile device uses into my desktop browser, and I can get in. So it doesn't seem that the Web site, per se, is down, only the 'normal' entry portal?"

- more info

---

DR Plan tools defined in Janco DR Template

Your DR plan should be updated with tools that are collaborative in nature, enable teams and people to communicate remotely at any time, over any channel, and without dependency upon your IT infrastructure.

Emergency notification and communication technology should provide not only an automated solution for message delivery, but also:

• Enable companies to reach end users and allow them to respond anytime and from anywhere.
• Enable notification over any text enabled or voice enabled device (inbound/outbound).
• Provide local and global notification capabilities.
• Provide a centralized, interactive tool for executing your DR plan, monitoring tasks and enabling real time coordination of resources and status updates.

Many organizations' DR efforts fall short once initial notifi cation has occurred. Rarely do organizations have a centralized method for employees, DR teams, executives, customers, etc., to access the DR Plan, task lists, or documents necessary to recovery efforts such as contracts and purchase orders. Prior to purchasing the Janco Disaster Recovery Plan Template, one large regional health care provider complained that once notifcation occurred, they were not able to coordinate the simplest of tasks. In a crisis situation, often times employees have no method to stay apprised of information. Stories abound of disaster recovery teams that become occupied answering employee phone calls and answering basic questions about a crisis, and are unable to focus on their primary task  - managing through a crisis to recovery.

- more info

---

How a CIO should chose a backup site

 Disasters cost money, interrupt business operations and may cause the enterprise or government agency to fail, which makes planning a business continuity issue. Disasters can interfere with or even terminate IT and communications services. It does not matter whether the disaster affects the enterprise, government or service provider. Floods, fire, volcanoes, earthquakes and other events can destroy a primary and backup site if they are too close together.

Telecom service providers can offer expert advice on where to locate a backup facility and should position themselves with CIOs to offer both consulting and services. After all, they have experience planning for their own primary and backup facilities, as well.

A CIO's selection of the backup site location will always have risks and liabilities attached to the decision. Adequate and reliable communications to the backup site and communications between the primary and backup sites are what most service providers can successfully offer to the CIO.

      

In choosing a backup site, CIO's must first determine how big a disaster plan for and budget for it. The level of disaster planning increases as you goes down the following list:

• Building closed/evacuated
• Loss of power
• Loss of communications
• Facility damaged/destroyed
• Community disaster (10-to-30 mile range)
• Regional disaster (30-to100 mile range)

- more info

---

Cloud backup as a strategy for Disaster Planning

One of the biggest challenges of managing a backup infrastructure is that no one wants the job. In large companies, the backup administrator position is an ever-revolving door often staffed with junior people. In smaller companies, backing up the infrastructure is a peripheral duty that is often ignored. The result is the same in both cases: bad backups.

One potential solution to this problem is cloud backup services - or managed backup services, depending on your preferred terminology. The idea is simple: Outsource this undesirable part of IT to a company whose staff specializes in it and you’ll never look back.

  

Cloud backup services take advantage of many of the technologies mentioned here, but allow customers to use the service without having to manage the process. Instead, customers simply install a piece of software on the systems being backed up, and the cloud backup service does the rest. But as with any backup system, make sure you have a way to verify that backups are working the way they’re supposed to be working.

The unglamorous world of backups is like the rest of IT: You never hear from anyone until something goes wrong. Modernizing your infrastructure, when planned and executed carefully, can reduce your liability dramatically. But as you make those improvements, remember the backup mantra: Test everything and believe nothing.

- more info

---

Backing up now much faster

Seagate Technology LLC today at the Consumer Electronics Show (CES) in Las Vegas released its first USB SuperSpeed 3.0-enabled external hard disk drive, the BlackArmor PS110, which has up to three times the performance of its previous USB 2.0 products.

  

The BlackArmor all-in-one USB 3.0 toolkit packages a 500GB 7200rpm, 2.5-inch portable hard drive, power cable and PC express card to enable USB 2.0-enabled laptops to perform with the 4.8Gbit/sec speed that USB 3.0 specifications allow.

While USB 3.0 theoretically represents a 10-fold improvement in I/O

speed over USB 2.0, Seagate said the data speed of its BlackArmor USB 3.0 portable drive is based on "real-world testing." The SuperSpeed USB 3.0 interface allows transfer of large files to and from the external drive at sustained transfer rates of 100MB/sec.

For example, Seagate claims that a 25GB high-definition movie can be transferred in just four minutes on the BlackArmor USB 3.0 drive. That compares to the 14 minutes the transfer would take using a traditional USB 2.0 drive.

- more info

---

More than 75% of all American firms have DRPs in place

According to AT&T's 2008 Business Continuity Study, more than 75 percent of American companies have a business continuity plan (BCP) in place, with the largest enterprises leading the way at 88 percent and the smallest (100 employees or fewer) at 75 percent.

These percentages are significantly higher than just four years ago, according to the same study. That is not surprising, given the dire predictions of business failure following a major disruption or loss of data. Although current figures are not readily available, past studies indicated that many small to mid-size businesses never reopen following a major data loss, and more than half close within two years after the event. And that was during a period of economic expansion. For companies locked into one of the sluggish or soft areas of today's economy, failure rates would almost certainly be higher.

- more info

---

Security and DRP play a role in CIO Infrastructure Design

Designing IT Infrastructure requires CIOs to consider the globalized world they are now in. It is necessary and valuable for CIOs to understand the fundamental trends that are pushing businesses to redesign their operations around this new reality.  Factors they need to consider are:

• Security - With the growing importance of digital applications and data, the sources of threats to enterprise data have multiplied dramatically. Everything from natural disasters to criminals to corrupt sources within the company might try to steal or corrupt data. While businesses do everything that they can to stop these threats in the first place, they still must be prepared to recover from these threats as quickly as possible.
• Business Continuity and Disaster Planning - As businesses have expanded the need for anytime, anywhere application access has become a requirement. At the same time, “follow the sun” (global 24/7) operations have shrinking maintenance windows and a need for applications to be running at all times. Delay or loss of data for any reason – system failure, natural disasters – has a domino-like effect across the entire organization, at any time of the day or night.
• Flexibility - Most businesses now operate across international borders and CIOs must be able to respond to opportunities and challenges faster than ever before. CIOs are usually battling well-resourced organizations that may be based where the opportunity originated, or another globalizing company that is reaching out for new opportunities. In order to compete, a business has to be faster to deliver a product or service as good, or better, than that of potentially any other company in the world.
• Simplicity - Increases in technology have typically led to increased complexity. While per unit costs of technology are always decreasing, in aggregate companies see an increase in cost. With the pressure on IT to act less as a cost center and more as a way to increase the profitability of business units, just adding more storage, more bandwidth, or additional technologies throughout the organization is no longer an acceptable approach to managing information technology. Successful CIOs are investing in numerous technologies including; continuous data protection, virtualization, and wireless connectivity.  They are trying slim down IT’s footprint while increasing their business’s competitive advantages. The CIO is typically in a difficult position, assessing where to try and cut costs while still moving forward with a plan to continually enhance IT services to the business.

- more info

---

Encryption continues to be a key issue

Encryption continues to be key issue  on every CIO's front burner. No one wants to end up in the news as the next victim of a privacy breach or the next company that did not protect its customers' information. If you conduct a news search using the words "personal data breach," you will be alarmed at the number of instances where personal information such as social security and credit-card numbers have been exposed to possible theft. In a recent breach, a state government site allowed access to hundreds of thousands of records, including names, addresses, social security numbers and documents with signatures.

  

Whether it is government agencies, research facilities, banking institutions, credit card processing companies, hospitals' – or your company's computers - the risk of compromising private information is very high.  At the recent conference an attorney described the relationship business has with technology. In his presentation, he stated that since "business relies so heavily on technology today, business risk becomes technology dependent." The possibility of litigation is part of business. It has always been a risk of doing business, but because technology and today's business are so intertwined, business risk has a higher threat level. This has prompted many to encrypt workstations and mobile computers in order to protect critical business data.

If you have rolled out encryption, how do you maintain your IT service quality when the hard disk drive fails? How do you plan and prepare for a data loss when the user's computer is encrypted?  These are all issues that should be considered when putting together a data disaster plan. In addition, data recovery, one of the more common missing elements of a disaster recovery plan, should also be factored in because it can serve as the "Hail Mary" attempt when all other options have been exhausted.

- more info

---

Google applications can help in a disaster

Google Inc. has launched a feature in its Maps Web site that lets U.S. residents find nearby locations for getting seasonal and H1N1 flu shots, the company announced.  When thinking of disaster planning and business continuity this a very interesting concept that can be applied to any disaster or pandemic, any where in the world.

Google previously launched a site where people can monitor current flu-infection levels in the U.S. and abroad.

In launching the flu-shot finder, Google warned that the service doesn't yet have comprehensive data on all providers because it is still gathering that information.

Google Maps also won't say whether a particular provider has run out of vaccines, a big issue right now with the H1N1 shot, whose production isn't keeping up with demand. Thus, people are advised to call the providers before heading to their location.

- more info

---

Disaster Recovery Plan Ensures Survival

Every IT manager knows the importance of having an effective and fast disaster recovery plan (DRP) and Business Continuity Plan (BCP). Organizations without an adequate plan may find themselves out of business quickly after experiencing a major disaster. Janco Associates has found that over 80% of all enterprises that do not have these plans never open their doors after a disaster strikes.

Organizations that ensure survival following a disaster understand the basics of creating a good plan; however, there are many obstacles and pitfalls that can easily be avoided.

Based on working with thousands of customers, Janco Associates has developed a Disaster Recovery and Business Continuity Template that includes everything that you need to create a custom Disaster Plan.

You can download a full copy of the table of contents by going to http://www.e-janco.com/Register_drp.asp.

- more info

Copyright © 1999 - IT Productivity Center - a division of Janco Associates, Inc. -- ALL RIGHTS RESERVED