
Policies - Ready to Download and Customize

Documenting a clear set of IT policies is a resource-intensive process for CIOs and their staffs because of the research and writing time involved. Once the policies are created, the next step is to communicate them and gain acceptance for them throughout the organization. Wouldn't it be nice to start with boilerplate templates that require only minor customizing?

All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2007) for those clients who just need this particular policy. All policies are Sarbanes-Oxley, HIPAA, COBIT, and ISO compliant.

You can get all of the policies at a significant discount. When you order the CIO Infrastructure policy bundle you get:

  • CIO IT Infrastructure Policy PDF (all of the policies below, which come as individual MS Word files, in a single PDF)
  • Backup and Backup Retention Policy
  • Blog and Personal Web Site Policy
  • Disaster Recovery Electronic Forms
  • Electronic Communications, e-Mail, Internet, Social Networking, Mobile Device, and Record Retention Policy
  • Incident Communication Plan Policy
  • IT Infrastructure Electronic Forms
  • Mobile Device Access and Use Policy
  • Outsourcing Policy
  • Patch Management
  • Record Management, Retention, and Destruction Policy
  • Sensitive Information Policy (HIPAA Compliant)
  • Service Level Agreement (SLA) Policy Template with Metrics
  • Social Networking Policy
  • Telecommuting Policy
  • Travel and Off-Site Meeting Policy


Backup and Backup Retention Policy

The Backup and Backup Retention Policy is an 11-page sample policy that is complete and can be implemented immediately.

The document is provided in both Word 2003 and Word 2007 formats and is easily modified. This policy is included in the Disaster Recovery / Business Continuity Template.

Below is a table from the policy.

| Type of Data | Minimal Backup Policy | Backup Retention Policy |
|---|---|---|
| System software | Latest version plus patches, at least weekly | Annual (verified) backup; monthly generations; weekly generations |
| Application software | Latest version plus patches, at least weekly | Annual (verified) backup; monthly generations; weekly generations |
| System data | Daily | Annual (verified) backup; monthly generations; weekly generations; daily generations |
| Application data | Daily, with real-time transaction files | Annual (verified) backup; monthly generations; weekly generations; daily generations |
| Software licenses, encryption keys, and protocol data | Weekly | Annual (verified) backup; monthly generations; weekly generations |
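As an added example, not part of the policy itself, the following Python checker encodes the table above and reports where a backup inventory falls short of it. The table names generation classes but not how many copies of each to keep, so requiring only that each class be present, the `verified` flag and the sample inventory are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date

# Minimal backup interval (days) and required retention generations, taken from the
# policy table above. The table names generation classes but not how many copies of
# each to keep, so this checker only requires that each class be present (assumption).
# "Latest version plus patches" for software is a content rule, not a schedule, and
# is not machine-checked here.
POLICY = {
    "System software": (7, {"annual", "monthly", "weekly"}),
    "Application software": (7, {"annual", "monthly", "weekly"}),
    "System data": (1, {"annual", "monthly", "weekly", "daily"}),
    "Application data": (1, {"annual", "monthly", "weekly", "daily"}),
    "Software licenses, encryption keys, & protocol data": (7, {"annual", "monthly", "weekly"}),
}


@dataclass(frozen=True)
class Backup:
    taken: date
    generation: str         # "daily", "weekly", "monthly" or "annual"
    verified: bool = False  # restore-tested; the table requires this for the annual copy


def check_backups(data_type, backups, today):
    """Return a list of findings for one data type; an empty list means compliant."""
    interval_days, required = POLICY[data_type]
    if not backups:
        return [f"{data_type}: no backups exist"]
    findings = []
    # 1. Freshness: the newest backup must be no older than the minimal interval.
    age = (today - max(b.taken for b in backups)).days
    if age > interval_days:
        findings.append(f"{data_type}: newest backup is {age} days old; "
                        f"policy allows at most {interval_days}")
    # 2. Retention: every generation class the table lists must be held.
    present = {b.generation for b in backups}
    for gen in sorted(required - present):
        findings.append(f"{data_type}: no {gen} generation retained")
    # 3. The annual copy must have been verified (restore-tested), so that a
    #    corrupt backup is not discovered only during a restore.
    annuals = [b for b in backups if b.generation == "annual"]
    if annuals and not any(b.verified for b in annuals):
        findings.append(f"{data_type}: annual backup has not been verified")
    return findings


# Constructed sample inventory (not from the page).
SAMPLE_TODAY = date(2012, 1, 30)
SAMPLE_INVENTORY = {
    "System data": [
        Backup(date(2011, 12, 31), "annual", verified=True),
        Backup(date(2012, 1, 1), "monthly"),
        Backup(date(2012, 1, 22), "weekly"),
        Backup(date(2012, 1, 29), "daily"),
    ],
    "Application software": [
        Backup(date(2011, 12, 31), "annual"),   # never restore-tested
        Backup(date(2012, 1, 14), "weekly"),    # 16 days old: misses "at least weekly"
    ],
}


def audit_sample():
    """Run the check over the constructed inventory, keyed by data type."""
    return {dt: check_backups(dt, bs, SAMPLE_TODAY)
            for dt, bs in SAMPLE_INVENTORY.items()}


if __name__ == "__main__":
    for data_type, findings in audit_sample().items():
        print(data_type, "OK" if not findings else findings)
```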

Typical data disasters that occur and should be considered when implementing a backup and retention policy are:

  • Pulling the wrong drive. While trying to replace a failed disk in a RAID array, a healthy disk is accidentally removed.
  • Reformatting a disk. During a server migration, the wrong SAN LUN is accidentally reformatted.
  • Restoring corrupt/old backup data. A server containing a business-critical database is deleted by mistake and is restored from a corrupt or incomplete backup before anyone realizes the backup is not sound.
  • Rebuilding a bad array. Following a multiple-drive failure in a RAID array, an attempt is made to force the failed drives back online and rebuild the configuration, thereby damaging or corrupting the data on the array.
  • Deleting data. Files, volumes, virtual machines or a SAN LUN are deleted by accident and there is no backup, or the backup is old or corrupt.

Blog and Personal Web Site Policy Template - Blog Policy, Procedures and Guidelines

With the advent of blogs, there is a need to set rules of the road for the use of blogs by employees, contractors, agents, suppliers and others. This sample blog policy template contains specific policy statements on what can and cannot be done via blogs. It defines 13 specific guidelines for personal web sites and blogs, both those on your enterprise's domains and those on domains outside of your enterprise's control.

The policy template comes in Word format and can easily be modified to meet the specific requirements of any size enterprise.


DR/BC Electronic Forms

Disaster and business continuity recovery is all about documentation. Whether you use Janco's Disaster Planning Template or a competing product, you need to document basic recovery information. That is where these electronic forms can help you jump-start the process.

Disaster Recovery Business Continuity Forms

  • Disaster Recovery – Business Continuity LAN Node Inventory
  • Disaster Recovery – Business Continuity Location Contact Numbers
  • Disaster Recovery – Business Continuity Off-Site Inventory
  • Disaster Recovery – Business Continuity Personnel Location
  • Disaster Recovery – Business Continuity Plan Distribution
  • Disaster Recovery – Business Continuity Remote Location Contact Information
  • Disaster Recovery – Business Continuity Team Call List
  • Disaster Recovery – Business Continuity Vendor List

All of these forms are contained within the Disaster Recovery Business Continuity Template.

Internet, E-Mail, Mobile Device, Electronic Communication, and Record Retention Policy

This policy is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and Sensitive Information), and covers:

  • Appropriate Use of Equipment
  • Mobile Devices
  • Internet Access
  • Electronic Mail
  • Retention of Email on Personal
  • E-mail and Business Records
  • Copyrighted Materials
  • Banned Activities
  • Ownership of Information
  • Security
  • Sarbanes-Oxley
  • Abuse

Included are these ready-to-use forms:

  • Internet & Electronic Communication Employee Acknowledgement
  • E-Mail - Employee Acknowledgement
  • Internet Use Approval Form
  • Internet Access Request Form
  • Security Access Application Form

Telecommuting Policy

Telecommuting is a popular alternative to making the drive in to work every day. If your users are asking about telecommuting to work, you may find that a telecommuting policy helps make things clear to them.

With the rise of the Internet and the increase in affordable bandwidth came a new type of worker, the telecommuter. Available technologies, in certain cases, have allowed some companies to offer certain employees the ability to work from home instead of the office. This can be a benefit not only for the employee but also for the company itself. As more and more employees clamor for the ability to telecommute, it is imperative for companies to have a viable telecommuting policy in place.

Telecommuting Policy Template - This policy is 13 pages in length. It contains everything that an enterprise needs to implement a functioning and compliant telecommuting process. Included are forms defining the working environment, in addition to a checklist to validate that the off-site location complies with your safety requirements.

Incident Communication Plan Policy Template


Now Includes Social Networking as a Media Outlet

To survive an incident such as a business interruption, security breach, or a product recall, organizations need more than a successful communication strategy – they need an incident communication plan.

The overall objectives of an incident communications plan should be established at the outset. The objectives should be agreed upon, well understood, and publicized. For example, will the primary objective of the communications plan be communication only to employees, and only during a disaster? Or is the intent to advise customers of interruptions to service? Or is it for investors and stockholders? Or regulatory agencies? Or is it some combination of these?

Whatever the objectives of the enterprise, they should be shared, supported by executive management, and widely communicated.

The specific objective of this incident communication plan is to define who will provide key communications during a crisis and the content, recipients, schedule, method of delivery, frequency and priority of the communication. By outlining communications in advance, ENTERPRISE can:

  • Protect employees, associates, suppliers and customers from the effects of a crisis,
  • Reduce the impact of bad publicity, maintain customer service, bolster relations with vendors, and
  • Address the concerns of other key stakeholders

Infrastructure Electronic Forms

Structure and rules drive successful IT organizations. Janco has developed a number of forms as its consultants help world-class IT organizations implement the best practices defined by its templates. Even if you do not think you need the templates, you can still get a lot of value from the design and implementation of these forms.

IT Infrastructure Forms

  • Blog Policy Compliance Agreement
  • Company Asset Employee Control Log
  • Disaster Recovery – Business Continuity LAN Node Inventory
  • Disaster Recovery – Business Continuity Location Contact Numbers
  • Disaster Recovery – Business Continuity Off-Site Inventory
  • Disaster Recovery – Business Continuity Personnel Location
  • Disaster Recovery – Business Continuity Plan Distribution
  • Disaster Recovery – Business Continuity Remote Location Contact Information
  • Disaster Recovery – Business Continuity Team Call List
  • Disaster Recovery – Business Continuity Vendor List
  • Email – Employee Acknowledgement
  • Employee Termination Checklist
  • Internet & Electronic Communication Employee Acknowledgement
  • Internet Access Request
  • Internet Use Approval
  • Mobile Device Access and Agreement
  • New Employee Security Acknowledgement and Release
  • Preliminary Security Audit Checklist
  • Security Access Application
  • Security Audit Report
  • Security Violation
  • Sensitive Information Policy Compliance Agreement

Mobile Device Access and Use Policy

The purpose of this policy is to define standards, procedures, and restrictions for end users who have specific and authorized business requirements to access enterprise data from a mobile device connected via a wireless or unmanaged network outside of ENTERPRISE’s direct control. This policy applies to, but is not limited to, all devices and media that fit the following device classifications:

  • Smartphones
  • PDAs
  • USB applications and data
  • Laptop/notebook/tablet computers
  • Ultra-mobile PCs (UMPC)
  • Mobile/cellular phones
  • Home or personal computers used to access enterprise resources
  • Any mobile device capable of storing corporate data and connecting to an unmanaged network

The policy applies to any hardware and related software that could be used to access enterprise resources, even if the equipment is not approved, owned, or supplied by ENTERPRISE.

Mobile Device Access and Use Policy Template - This policy is 10 pages in length. It contains everything that an enterprise needs to implement a functioning and compliant mobile device access and use process. Included are forms defining the mobile device environment.

Outsourcing Policy

This policy is eighteen pages in length and defines everything that is needed for a function to be outsourced. The policy comes as a Microsoft Word document (Word 2007) that can be modified as needed. The template has been updated to include a HIPAA audit program definition:

  • Outsourcing Management Standard
    • Service Level Agreement
    • Responsibility
  • Outsourcing Policy
    • Policy Statement
    • Goal
  • Approval Standard
    • Base Case
    • Responsibilities 

Note: See the Practical Guide for Outsourcing, a document of over 110 pages, for a more extensive outsourcing process.

Patch Management

Not long ago, patch management was barely a blip on the radar screens of most security and IT personnel. 'Install and forget' was a fairly common practice; once deployed, many systems were infrequently or never updated. Obviously, for a number of reasons, this approach is no longer an option. The rise of widespread worms and malicious code targeting known vulnerabilities on unpatched systems, and the resultant downtime and expense they bring, is probably the biggest reason so many organizations are focusing on patch management. Along with these threats, increasing concern around governance and regulatory compliance (e.g. HIPAA, Sarbanes-Oxley) has pushed enterprises to gain better control and oversight of their information assets. Add in increasingly interconnected partners and customers and the rise of broadband connections and remote workers, and you have the perfect storm that has thrust patch management to the forefront of many organizations' list of security priorities.

Record Management, Retention, and Destruction Policy

A record is essentially any material that contains information about your company's plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record, and you are now expected to retain and manage every one of those records, for several years or even permanently depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers, who must come up with rock-solid solutions to securely store and manage all this data.

The Record Management, Retention, and Destruction Policy is a detailed policy template which can be used on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager, Records Administration.

Record Retention Requirements

The areas included with this policy template are:

  • Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
  • Policy
  • Standard
  • Scope
  • Responsibilities
  • Record Management
  • Compliance and Enforcement
  • Email Retention and Compliance
  • Job Description Manager Record Administrator
  • 12 forms for Record Retention and Disposition Schedule

You can download the Table of Contents and selected pages for this policy template.

Sensitive Information Policy

The Sensitive Information Policy defines how to treat credit card, Social Security, employee, and customer data.

This policy covers the treatment of credit card, Social Security, employee, and customer data. The policy is 15 pages in length and complies with Sarbanes-Oxley Section 404.

The policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).

Social Networking Policy

Social networking is going corporate. The popular technology used by millions of people to share ideas and photos on MySpace, Facebook, LinkedIn and others is catching on at companies to improve productivity and communication among workers. Private, internal social networks make sense as companies grapple with a slumping economy that has made travel cost-prohibitive even as workforces are spread out as never before.

With increased adoption of social networks among the public, organizations have begun setting up profiles within social networks as a means to further connect with their audiences. Organizations that have been most successful in these endeavors take time to survey the community and understand its values and rules of engagement. In short, they pay attention to the culture and identify what is accepted before they join. When they join, the organizations that have had success within social networks remember that this isn't a place for traditional public relations tactics but a place for engagement. These organizations don't always just talk about themselves; they have real and human-toned conversations with real people.

The issue faced by enterprises of all sizes is ensuring that the right message is being communicated in a consistent manner.  The first step in achieving this objective is to have a uniform social network policy.

Travel and Off-Site Meeting Policy

Protection of data and software is often complicated by the fact that they can be accessed from remote locations. As individuals travel and attend off-site meetings with other employees, contractors, suppliers and customers, data and software can be compromised. This policy is four pages in length and covers:

  • Data and application security
  • Minimize attention
  • Shared public resources
  • Off-site meeting special considerations

Things you need to do to make an off-site meeting successful:

  • Set clear objectives
    The worst mistake you can make is neglecting to set key objectives for your off-site meeting just because you want everyone to "relax." Nothing will get accomplished, and you'll end up with a group of bored, frustrated employees who will resent you for not respecting their time.

  • Choose the right meeting site
    Remember that an off-site meeting is meant to "shake things up." If your office is located in a busy downtown area, don't hold your meeting in another crowded urban location. Choose a site that provides employees with a new experience. If you work in the city, take them somewhere rural and relaxing; if your office is located in the suburbs, employees might enjoy a trip to a bustling city center.

  • Schedule just enough to be accomplished
    Don't hold your employees hostage at the meeting site by trying to accomplish too much in one day. Make sure the meeting doesn't cut into people's evening activities or family time. You can't solve the entire year's problems with a one-day retreat, so don't even try. However, if the off-site meeting encompasses two days, the evening between can be a good time for a fun activity.

  • Publish an agenda beforehand
    Be careful not to mislead your employees with promises of relaxing outdoor activities, only to transform into a corporate drill sergeant who puts them through a series of grueling trust-building exercises all day. Be clear about your intentions from the start.

  • Schedule meetings during normal working hours
    Even if you can get a cheaper hotel or convention center rate, it's always a bad idea to plan your off-site meeting around weekends or holidays, which will make attendance a hardship for your employees. Also avoid days when there might be other important things going on within your company.

  • Hold the meeting at a site where you can work
    When booking your site, inquire what other events or company meetings might be scheduled for the same day. You don't want the distractions of a raucous wedding party or other large group sharing your space or causing delays in the dining room.

  • Have time to interact
    Don't turn the day into a PowerPoint marathon or fill it with endless speeches by the boss. The energy will be sucked right out of the room in no time. Keep the day active and engaging, with opportunities for all employees to participate.

  • Have good speakers
    When considering guest speakers for your event, be certain they have a solid understanding of your company — and not just from the CEO's lofty perspective. Choose someone interesting who will hold people's attention in a way that's clearly relevant to the meeting's purpose.

  • Have limited and focused activities
    While they can sometimes be fun, don't overdo the trust-building, ice-breaking activities. Make sure they are well thought out and actually enjoyable. If an employee is an effective salesperson, it doesn't really matter if he or she can't climb a rope. Never forget that most people would rather be home with their families or out with friends than playing games with their boss.

  • Follow up after the meeting
    Once the day of the off-site meeting has come and gone, don't file it away and forget it. Check back in as a group to gauge the benefits of the experience. What has actually changed as a result of the meeting? Have any of the great ideas people came up with that day been implemented? Use the feedback to improve upon next year's meeting.

Service Level Agreement Policy Template with Sample Metrics

The Service Level Agreement Policy Template is a nine-page policy for a single application. It defines specific SLAs and metrics that are both internally and externally focused. The sample contains over 70 possible metrics presented graphically in PDF format.

The table of contents for the policy template is as follows.

Service Level Agreement For The Application

  • Overview
  • Three-Tier Environment
  • Service Level Agreement (SLA)
    • Internal IT SLAs
      • Hardware/Network Maintenance
      • Backup and Recover
      • Application Administration
      • Application Updates
    • External SLA
      • IT Obligations
      • End User Obligations
  • Sample Metrics

The sample metrics are provided in PDF format, with a bookmarked outline of the document showing the classification of the 70 metrics depicted graphically.

Policies, Procedures and Infrastructure News


Big brother compliance requirement killed in Hawaii

01/28/2012

Lawmakers in Hawaii on Thursday killed a bill that would have required Internet service providers to collect the detailed browsing histories of Internet users in the state and store the data for at least two years. The bill would have required anyone providing access to the Internet in Hawaii to maintain "consumer records" of every Internet user's subscriber information and data such as the IP addresses, domain names and host names of the sites they visit. It would have covered not only ISPs but also libraries, coffee shops and employers.

One of those opposing the bill was the U.S. Internet Service Provider Association, which earlier this week sent a letter to the committee's chairman. The bill was overbroad, raised a "myriad privacy concerns," and would be hugely expensive to comply with, wrote the ISP association's Executive.


Disaster Recovery Planning is Required for Business Continuity Planning

01/08/2012

Disaster Recovery Plans are part of a larger, more extensive planning process known as Business Continuity Planning. Disaster Recovery plans should be tested frequently so that as many individuals as possible are familiar with the specific actions they will need to take when a disaster occurs. Disaster Recovery plans must also be adaptable and updated frequently; e.g. if new people, a new branch office, or new hardware or software are added to an organization, they should promptly be incorporated into the organization's disaster recovery plan. Enterprises must consider all these facets of their organization, as well as update and practice their plan, if they want to maximize their recovery after a disaster.

Disaster Recovery and Business Continuity Planning is the process an organization uses to recover access to its enterprise operations: the software, data, and/or hardware needed to resume the performance of normal, critical business functions after either a natural disaster or a disaster caused by humans. While Disaster Recovery and Business Continuity plans, or DRPs and BCPs, often focus on bridging the gap where data, software, or hardware have been damaged or lost, one cannot forget the vital element of the work force that makes up much of any organization. A building fire might predominantly affect vital data storage, whereas a pandemic or epidemic illness is more likely to have an effect on staffing. Both types of disaster need to be considered when creating Disaster Recovery and Business Continuity Plans. Thus, enterprises should include in their DRPs and BCPs contingencies for how they will cope with the sudden and/or unexpected loss of key personnel as well as how to recover their data.


Disaster Recovery Plan First Steps

12/21/2011

Companies of all sizes have realized how critical it is to have a DR plan in place, and many have given top priority to developing one. But organizations need to know that developing a DR plan is not an overnight process but rather something that takes thorough consideration and numerous steps.

Preparing for Disaster

Janco's Disaster Recovery - Business Continuity Template can help get you on the right track with creating a disaster recovery plan, as over 3,000 enterprises of all sizes around the globe already have.

Public cloud poses a major security risk for CIOs

11/10/2011

Using some clouds like Amazon's EC2 (Elastic Compute Cloud) can pose a security threat to organizations and individuals alike, according to researchers. Some third parties evidently are not following best security practices when using preconfigured virtual machine images available in public catalogs, leaving users and providers open to such risks as unauthorized access, malware infections, and data loss.

The underlying message is that for all the power and opportunity of public clouds, providers and users alike need to approach with caution and embrace best security practices. Cloud infrastructure providers can't be expected to assess the security of every image, bit, and transaction that occurs on their machines any more than an apartment landlord can be responsible for everything that happens within his or her complex -- that is, what tenants do behind closed doors in the spaces they rent.

These vulnerabilities leave users exposed to malware, as well as to unsolicited connections, which malicious hackers could use to gather information about usage and to collect IP target addresses for future attacks through a backdoor.

A malicious hacker could use tools such as extundelete and Winundelete to recover previously deleted data.

Researchers stressed the importance of users being properly trained in using public cloud server images. Although public cloud server images are highly useful for organizations, if users are not properly trained, the risk associated with using these images can be quite high. The fact that these machines come pre-installed and pre-configured may communicate the wrong message, i.e., that they provide an easy-to-use 'shortcut' for users who do not have the skills to configure and set up a complex server. The reality is quite different. Many different security considerations must be taken into account to make sure that a virtual image can be operated securely.

How to maximize data protection

11/05/2011

The top must-do tasks for maximizing data protection.

  • Audit Data Access - IT should keep a current list of data business owners and the folders and SharePoint sites under their responsibility. By having this list - at the ready, IT can expedite a number of the previously identified tasks, including verifying permissions revocation and review, and identifying data for archival. The net effect is a marked increase in the accuracy of data entitlement permissions and, therefore, data protection.
  • Inventory Permissions and Directory Services Group Objects - Effective management of any data set is also impossible without understanding who has access to it. Access controls lists and groups (in Active Directory, LDAP, etc.) are the fundamental protective control mechanism for all unstructured and semi structured data platforms, yet too often IT cannot easily answer fundamental data protection questions like, - Who has access to a data set? and - What data sets does a user or group have access to? Answers to these questions must be accurate and accessible for data protection and management projects to succeed.
  • Prioritize Which Data Should Be Addressed - While all data should be protected, some data needs to be protected much more urgently than other data. Some data sets have well known owners and well defined processes and controls for their protection, but many others are less understood. With an audit trail, data classification technology, and access control information, organizations can identify active and stale data, data that is considered sensitive, confidential, or internal, and data that is accessible to many people. These data sets should be reviewed and addressed quickly to reduce risk.
  • Remove Global Access Groups from ACLs (like "Everyone") - especially where sensitive data is located - It is not uncommon for folders on file shares to have access control permissions allowing - Everyone, or all  - domain users‖ (nearly Everyone) to access the data contained therein. SharePoint has the same problem (with authenticated users). Exchange has these, as well as - Anonymous User‖ access. This creates a significant security risk; for any data placed in that folder will inherit those - exposed permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. When sensitive data, like credit card information, intellectual property, or HR information are in these folders, the risks can become very significant. Global access to folders, SharePoint sites, and mailboxes should be removed and replaced with rules that give access to the explicit groups that need it.
  • Identify Data Owners - IT should keep a current list of data business owners and the folders and SharePoint sites under their responsibility. By having this list "at the ready," IT can expedite a number of the previously identified tasks, including verifying permission revocation and review, and identifying data for archival. The net effect is a marked increase in the accuracy of data entitlement permissions and, therefore, in data protection.
  • Perform Regular Data Entitlement (ACL) Reviews and Revoke Unused and Unwarranted Permissions - Every file and folder on a Windows or UNIX file system, every SharePoint site, and every mailbox and public folder has access controls assigned to it which determine which users can access the data and how (i.e. read, write, execute, list). These controls need to be reviewed on a regular basis and the settings documented so that they can be verified as accurate by data business owners and security policy auditors.
    Users with access to data that is not material to their jobs constitute a security risk for organizations. Most users only need access to a small fraction of the data that resides on file servers. It is important to review and then remove or revoke permissions that are unused.
  • Align Security Groups to Data - Whenever someone is placed in a group, they get file system access to all folders that list the group on their ACL. Unfortunately, organizations have often completely lost track of which data folders are granted to which Active Directory, LDAP, SharePoint or NIS groups. This uncertainty undermines any access control review project and any Role Based Access Control (RBAC) initiative. In Role Based Access Control methodology, each role has a list of associated groups into which the user is placed when they are assigned that role. It is impossible to align the role with the right data if the organization cannot verify to what data a group provides access.
  • Audit Permissions and Group Membership Changes - Access Control Lists are the fundamental preventive control mechanism in place to protect data from loss, tampering, and exposure. IT requires the ability to capture and report on access control changes to data - especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without good business reason, IT and the data business owner must be quickly alerted and able to execute remediation.
    Directory groups (Active Directory, LDAP, NIS, etc.) are the primary entities on Access Control Lists; membership grants access to unstructured data (as well as to many applications, VPN gateways, etc.). Servers also have their own local groups that should be audited. Users are added to existing and newly created groups on a daily basis. Without an audit trail of who is being added to and removed from these groups, enforcing access control processes is impossible. Ideally, group membership should be authorized and reviewed by the owner of the data or resource to which the group provides access.
  • Lock Down, Delete, or Archive Stale, Unused Data - Much of the data contained on unstructured and semi-structured platforms is stale. By archiving stale or unused data to offline storage or deleting it, IT reduces the risk that stale data will be accessed by inappropriate parties, and makes the job of managing the remainder simpler and easier while freeing up expensive resources.
  • Clean Up Legacy Groups and Access Control Artifacts - Unneeded complexity slows down performance and makes mistakes more likely. Organizations create so many groups that they often have as many groups as they do users - many are empty, unused or redundant. Some groups contain other groups, which contain other groups, with so many levels of nesting that they sometimes create a circular reference (a group that, through its nested members, contains itself). Access control lists often contain references to previously deleted users and groups (also known as "orphans"). These legacy groups and misconfigured access control objects should be identified and remediated.
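As an added example (not from the page or from Janco's templates), the following Python script performs the review tasks just listed over a constructed directory snapshot: it flattens nested group membership while tolerating cycles, flags circular and empty groups and groups that appear on no ACL, reports orphaned ACL entries (SIDs or users no longer in the directory), and maps each group to the folders it actually grants access to. All group, user, folder and SID values are constructed.

```python
"""Directory/ACL review over constructed data; added example, all names constructed."""
from collections import defaultdict

# Constructed directory snapshot: group -> direct members (users or groups).
GROUPS = {
    "Finance-RO": {"alice", "bob", "Finance-Mgrs"},
    "Finance-Mgrs": {"carol", "Finance-RO"},  # nests back into Finance-RO: cycle
    "HR-All": {"dave"},
    "Legacy-Proj42": set(),                   # empty legacy group
    "Temp-Contractors": {"erin"},             # listed on no ACL: unused
}
USERS = {"alice", "bob", "carol", "dave", "erin"}   # accounts still in the directory

# Constructed folder ACLs: folder -> {principal: access level}.
ACLS = {
    r"\\fs01\Finance": {"Finance-RO": "read", "Finance-Mgrs": "write"},
    r"\\fs01\HR": {"HR-All": "read", "S-1-5-21-0000-1234": "write"},   # orphaned SID
    r"\\fs01\Archive\2009": {"Legacy-Proj42": "write", "frank": "read"},  # deleted user
}


def find_circular_groups(groups):
    """Return every group that can reach itself through nested membership."""
    names = set(groups)
    circular = set()
    for start in groups:
        stack = list(groups[start] & names)   # follow only group members
        seen = set()
        while stack:
            g = stack.pop()
            if g == start:
                circular.add(start)
                break
            if g not in seen:
                seen.add(g)
                stack.extend(groups[g] & names)
    return circular


def expand_members(group, groups, _seen=None):
    """Flatten nested groups to the users they contain; safe on cycles."""
    _seen = set() if _seen is None else _seen
    _seen.add(group)
    users = set()
    for member in groups.get(group, set()):
        if member in groups:
            if member not in _seen:
                users |= expand_members(member, groups, _seen)
        else:
            users.add(member)
    return users


def resolve(principal, groups, users):
    """Map one ACL principal to the live users it grants access to."""
    if principal in groups:
        return expand_members(principal, groups)
    return {principal} if principal in users else set()   # orphan grants nobody


def audit(groups, users, acls):
    """Build the review report: circular, empty and unused groups, orphaned
    ACL entries, group-to-folder alignment and effective users per folder."""
    names = set(groups)
    group_to_folders = defaultdict(list)
    orphans = []
    for folder, entries in acls.items():
        for principal in entries:
            if principal in names:
                group_to_folders[principal].append(folder)
            elif principal not in users:
                orphans.append((folder, principal))   # deleted user or stale SID
    return {
        "circular": find_circular_groups(groups),
        "empty": {g for g, members in groups.items() if not members},
        "unused": names - set(group_to_folders),
        "orphans": orphans,
        "group_to_folders": dict(group_to_folders),
        "effective": {f: set().union(*(resolve(p, groups, users) for p in e))
                      for f, e in acls.items()},
    }
```

Running `audit(GROUPS, USERS, ACLS)` shows the circular Finance pair, the empty and unused groups, the two orphaned entries, and that the Archive folder's ACL currently grants access to nobody at all.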

Ten commandments of security management

10/27/2011

The ten commandments of security management are:

  1. Limit access to information to those who need to have it -- People can't misuse information that they don't have.
  2. Conduct frequent and deep security audits -- Identify who has access to what, and how their actions could weaken the protection of valuable data and information.
  3. Set limits to information access -- Do not exclude all information from access; data exclusion locks down access, while limits set authorizations so that specific people can do specific things under specific circumstances.
  4. Limit admin rights to as few individuals as possible -- Very few individuals need them to do their jobs.
  5. Ignore organizational hierarchy when setting access capabilities -- Access and authorization should be based upon responsibilities, not position.
  6. Make security invisible -- Minimize extra commands, screens and pop-ups for employees; if an action is allowed, just let it happen.
  7. Analyze security end to end, including back doors -- Compliance logs reveal threat patterns, and show how security steps are hurting productivity.
  8. Monitor information access and updates -- User-initiated application updates can invite vulnerabilities.
  9. Educate everyone on security policies and procedures -- The more that people know about the rules, the better.
  10. Make security best practices the watchword for everyone -- IT and the general workforce must address the constantly changing nature of security breaches.

Disaster Recovery Must Do Steps

10/16/2011

The things that your company must do to make sure the disaster recovery and business continuity plan will work when it is needed are:

  • Distribute the disaster recovery and business continuity plan, or a HandiGuide®, to all decision makers and key operating employees who will need access to it when the event occurs.
  • Define the chain of command with a single leader, but do not limit the people who would have to implement the disaster recovery and business continuity plan when the event occurs if that leader is unavailable.
  • Conduct frequent tests and address all areas where shortcomings are found.
  • Conduct the tests in an unannounced mode.
  • Validate that mission-critical data is held at sites other than the primary data center.
  • Establish a communication plan that can be implemented after the disaster.

HandiGuide is a Janco Associates registered trademark

Records Management Policy is Key to e-discovery

10/10/2011

The explosion of electronic communications has opened new and creative ways of conducting business, but it has also created new challenges in the way litigation and investigations are conducted. Since communications and other records relevant to any legal matter are often found in electronic format, the methods for collecting, processing and reviewing potentially relevant evidence have changed. The process of finding, identifying, holding, searching, reviewing, producing and presenting electronic data to be used as evidence in a legal or investigative matter is called electronic discovery, or simply e-discovery.

The scope of an e-discovery effort can include any form of electronically stored information (ESI), but the overwhelming majority of e-discovery is performed against email systems and data. In fact, email data has quickly become the de facto standard for prima facie evidence and affirmative defense in litigation or investigative matters. Unfortunately, searching against email systems often results in enormous amounts of data, which must then be processed and reviewed for relevance, typically by paralegals and attorneys who charge by the hour. Therefore, email processing and review is typically the most costly part of an e-discovery project.

Endpoint data is security and compliance risk

10/01/2011

CIOs all agree that endpoint information is a potential liability. The big question is: where do CIOs find a non-intrusive way to protect and classify endpoint data that minimizes risk while still making sense economically?

With compliance requirements and external threats on the rise, no business can afford to leave its data unprotected, especially at the endpoint. Fortunately, IT leaders understand the risk: fifty-nine percent of respondents to a recent survey rate backup and protection of desktop and laptop data as a crucial or high priority. Unfortunately, even though the majority of survey respondents have something in place, many fall short in terms of meeting needs for identification, classification and discovery. As a result, these firms leave themselves in a position of vulnerability - especially those in highly regulated industries.

  • Sixty-one percent of those currently using or planning to use a desktop and laptop backup solution consider improving the accessibility and availability of user data a critical or very important objective.
  • Fifty percent rate the ability to quickly find endpoint data for discovery and compliance purposes a critical or high priority.
  • Forty-seven percent expect improved compliance with industry and government regulations as a result of the efforts their companies are making to effectively back up, protect and manage endpoint data.

FEMA emergency response first steps

09/08/2011

For companies just starting to develop emergency-response plans, or reviewing the plans they have, FEMA and the Small Business Administration recommend focusing on the following questions:

  • Who is responsible for backing up critical records, including tax, accounting, payroll, and production? Store these records, including a copy of the business-continuity plan, site maps, insurance policies, and bank-account information, both on-site and at a second site at least 100 miles away.
  • How will the company protect its computer hardware, software, and databases?
  • How will the company communicate with employees during an emergency?
  • Has the CFO or risk-management chief met with the company's insurance providers to review coverage? Most policies do not cover flood damage, for instance.
  • Does the company have a shelter-in-place plan to protect employees in the event they need to remain inside the building during an emergency? Do employees know the plan?

Working at home works in Singapore

09/05/2011

Singapore companies offering flexible and home-based work arrangements are reporting a 10 per cent increase in productivity, on top of savings in rental and transportation costs.

Such arrangements also allow them to tap into the more than one million economically inactive residents in Singapore.

And according to a Manpower Ministry survey last year, 35 per cent of employers offer at least one form of flexible work arrangement, up from 25 per cent in 2007.

Disaster Recovery is Area of Cost Cutting Focus

08/14/2011

Disaster Recovery (DR) is a tough game. It is a critical component of IT and risk mitigation strategies, and it is compounded in difficulty by ever-growing data volumes, distributed computing, and new technologies. Unfortunately, DR is often one of the first line items hit by budget cuts. How can you get creative in protecting more data and recovering more swiftly, while also saving some money at the same time?

According to an AT&T Survey of 100 Chicago firms (revenues <$10M), 81 have DR plans, but only 43% have fully tested their plans within the last 12 months and 12% admitted they have never tested their business continuity plans.

Next to personnel, data is your most irreplaceable asset.  Networks, application hosting platforms, and end user computing environments can be replaced quickly.  However, without your customer lists, product catalogs, inventory, financial records, and other operational data your business cannot recover.

A disaster recovery is a response to a declared disaster or a regional disaster. It is the restoration or recovery of an entire Agent computer. A disaster recovery plan describes how an organization is to deal with potential disasters. Just as a disaster is an event that makes the continuation of normal functions impossible, a disaster recovery plan consists of the precautions taken so that the effects of a disaster will be minimized, and the organization will be able to either maintain or quickly resume mission-critical functions. Typically, disaster recovery planning involves an analysis of business processes and continuity needs; it may also include a significant focus on disaster prevention.

Elements of Mobility Security

08/11/2011

As the traditional enterprise boundaries begin to fade, it is paramount that mobile devices and the sensitive information they contain be managed and protected. As a result, security perimeters must also expand beyond the internal network to these numerous critical endpoints.

Mobile Device Management

Mobile Device Management within organizations becomes more complex and important as both the number of devices and the amount of sensitive data stored on the devices increases. A lost or stolen device may compromise the critical data stored on it, unless there are processes and tools in place to protect it.

Mobile Device Asset Discovery and Inventory

The first step in securing your mobile organization network is the identification of the current inventory of mobile devices and OS clients that exist within your infrastructure. Next, you must integrate the mobile devices that have been identified in this process into your existing asset inventory database. Consider the following as you develop or update your mobile device asset inventory:

  • How will you identify the mobile assets?
  • What are the related assets to this mobile device, for example, additional memory cards?
  • How do you identify the asset owner and the business purpose of each device?

Backup and Storage Medium

08/05/2011

Data is valuable and so it's no wonder that the evolution of storage media has been stubborn. No one wants his or her business-critical data stored on a new, untried medium. In the end, however, technological development has allowed IT professionals to adopt the media that best meets their needs.

Initially, tapes were the media of choice. Even today, many businesses rely on this old workhorse of storage. Tapes, however, are unwieldy in a recovery scenario and ultimately unreliable. With a failure rate exceeding 70 percent for data restorations from delicate tape systems, the standard media gradually became disk arrays.

More recently, however, flexible cloud storage and responsive virtual servers have emerged as the new, high-speed contenders in the storage medium space. This option brings significant advantages such as scalability and restoration speed to a disaster recovery - business continuity plan.

Retirement to be put off by many

07/21/2011

The retirement-savings forecast remains bleak, even as the economy recovers. Many workers say they aren’t at all confident about their retirement prospects, according to a survey from the Employee Benefit Research Institute. Worse, many are dipping into their retirement savings to pay for day-to-day needs. And the amount of savings socked away by workers remains extremely low.

One positive sign: participants in the research recognize the need to do better, often the first step to building a reasonable nest-egg. “People are recognizing the level of savings realistically needed for a comfortable retirement,” says the research director for the institute and co-author of the report. “We know that far too many people had false confidence in the past. People's expectations still need to come closer to reality, so they will save more and delay retirement until it is financially feasible."

Disaster Planning Takes Good Staff

07/12/2011

Good business continuity planning needs to take a broad view, embracing people, human behavior, customers and other factors that lie outside the data center. It is also important to secure the vision and endorsement of executive management. A properly funded, well-prioritized business continuity plan, combined with a regular program of testing and recovery drills, will help to safeguard the organization. Read this white paper to understand the key elements of a successful business continuity plan, see how to develop a plan that clarifies what is critical, and set specific recovery requirements.

Failure does not have to impact an IT professional's career

07/07/2011

For IT professionals, including CIOs, who experience some kind of enterprise IT failure in the course of their careers - whether a high-profile security breach, a massive network outage, or a multi-million dollar ERP boondoggle - the incident can feel like a career killer. But unless the individual repeatedly makes the same mistake, or the failure stemmed from some illegal or "just plain stupid" action, it won't end an IT professional's career.

IT professionals who wish to recover from failure just need to know how to address suboptimal work experiences in their job searches and during job interviews.

  • Admit and acknowledge the failure - Don't ever try to hide failure; you won't get away with it. If an employer doesn't already know about, say, the ERP catastrophe at your previous employer, they will find out about it eventually. Better you be the source of that information than someone else.
  • Anticipate prospective employers' concerns - When framing how you discuss your failure, put yourself in your prospective employer's shoes and think about the concerns they'd have with your candidacy.
  • Focus on the positive and lessons learned - One failed project among 10 successful ones is no big deal; what was learned is more important.
  • Offer references who make you shine - Make sure your references will corroborate your explanation of events when employers and recruiters call them.

Weak passwords continue to abound

06/23/2011

While users can select strong passwords and control their reuse, the only gatekeeper that can force the requirement of password strength is the provider. Users have some control over their own fates, but the online service provider has more, says Per Thorsheim, a researcher who has organized two conferences on the subject of passwords. After all, it's the service provider that sets the policy of what is an acceptable password.

Facebook links in email present a high security risk

06/18/2011

A user at a corporate desktop receives an email from Facebook that a friend has a new photo, so the user clicks the link and takes a look. There are many actions that happen during that one simple check:

  • The link within the email can be a fake (phishing or spear phishing).
  • The email can contain a worm disguised as a Facebook link.
  • The specific Facebook server could be subject to a DNS redirection attack, sending the user to a false server.
  • The Facebook page could be compromised and hosting a browser-based attack.
  • The advertisements on Facebook could be compromised and hosting Flash-based attacks.

Security threats

06/04/2011

Today's cyber attacks can hit a website, a laptop, or a server. The increasing popularity of smart phones, iPads, and social networking sites only increases the security risks for businesses. A single security approach is no longer sufficient. This multilayered threat environment demands a multilayered approach to security.

Network security is a primary line of defense. The task at hand for CIOs today is to provide world-class firewall, virtual private network (VPN), intrusion prevention, anti-spam, anti-virus and Web filtering technologies to secure the network perimeter. But this doesn’t mean a piecemeal approach. Rather, network security should be integrated so no threats are missed or overlooked. At the same time network security must also be flexible to allow a business to run seamlessly.

Data security and protection are a priority, and Janco's Security template is a must-have tool for every CIO and IT department. Over 3,000 enterprises worldwide have acquired this tool, and it is viewed by many as the industry standard for security management and compliance.

Virtualization can be costly without a plan

05/29/2011

Virtualization is being rapidly adopted, particularly in small to mid-sized businesses (SMBs) where time and money are always at a premium. It brings significant time, money and labor savings in a variety of areas, including procurement, administration, deployment, operation, reliability and recoverability. Virtualization can radically simplify management of the entire environment and enable the SMB administrator to "do more with less." Moreover, disaster recovery becomes significantly easier once a business has virtualized, provided the administrator adopts newer, more efficient technologies that are designed to work with the virtual infrastructure.

However, like any technology, virtualization brings challenges that can erode its cost benefits and leave the infrastructure less protected than before.

The need to lower cost, increase efficiency and conserve cash has increased the motivation of companies to turn to cloud computing and increased the appeal of alternative delivery models. The disruptive shifts in new demand and supply patterns drive changes in how IT services are bought and from whom. Cloud computing requirements need to be well defined.

Data protection is a CIO's primary concern

05/25/2011

It is not an easy time for CIOs, as they are tasked with protecting corporate information while budgets are constrained. Organizations are generating enormous amounts of new data - by everything from large-scale applications and heavy volumes of email to massive files in new media formats. At the same time, user demands and service-level expectations continue to grow. And to intensify matters, IT operating environments are becoming more complex; they commonly comprise multiple sites around the world - each running its own unique blend of hardware, applications, and databases, as well as distinct business processes.

Despite facing these challenges, many enterprises are reluctant to invest in the very solutions that could better manage their environments. At the same time, government and industry overseers are not sympathetic to this frugality; they continue to legislate and enforce regulations mandating information integrity and access. And of course, data damaging disasters and outages are an ever-present threat.

Cloud Outsourcing for small business CIOs

05/14/2011

Small businesses are under increasing pressure to sharpen their business practices. Cloud computing and technology outsourcing provide affordable access to resources that can make a competitive difference. Liberating resources through effective IT investment will be especially important for firms looking to free capital to invest in new initiatives.


The Practical Guide for Cloud Outsourcing provides the tools necessary for managing the business drivers for this process.

Data center consolidation first steps

05/04/2011

One of a CIO's biggest challenges is to justify staffing and spending levels while striving to improve IT efficiency. When assessing comparative benchmarks, it is hard to know which metrics to start with. The Metrics for the Internet, Information Technology and Service Management HandiGuide helps CIOs to understand and pick the appropriate comparative benchmarks to justify staffing and spending, improve IT operations and demonstrate the value of IT to the business.

Steps that CIOs should take in order to identify potential savings from data center consolidation:

  • Standardize data center definition
  • Agree on the metrics that matter most
  • Accurately consider all costs
  • Fund the mandate to enable optimum savings
  • Leverage data center savings to fund the cloud

SmartPhone security puts companies at risk

04/29/2011

Ponemon Institute released findings of the Smartphone Security Survey: A Study of U.S. Consumers sponsored by AVG Technologies. The goal of the research was to determine consumers' perceptions about the potential privacy and security risks when using their smartphones. In addition, they wanted to learn if participants in the study cared about these risks and if they take security precautions. They surveyed 734 consumers who were 18 years and older and own a smartphone.

The risks that were addressed in the survey concerned location tracking, transmission of confidential payment information without the user's knowledge or consent, dialerware (specialized malware unique to smartphones), spyware, viruses from insecure Wi-Fi networks, and others. The study found that most consumers were using their smartphones without understanding that they were exposing their sensitive information to the risks listed above.

The findings of this study also signal a potential security risk for organizations, because many of the consumers surveyed use their smartphones for both business and personal purposes. With confidential business information stored on these smartphones, organizations should make sure employees and contractors take appropriate precautions to secure such sensitive information. The researchers also recommend that security policies state these precautions and that organizations ensure they are enforced.
