Record Management

Policy Template

The Record Management, Retention, and Destruction is a detail policy template which can be utilized on day one to create a records management process. More...

Disaster Planning

Business Continuity

Disaster Recovery Planning (DRP) template can be used by any size enterprise. The template and supporting material have been updated to be Sarbanes-Oxley compliant.  The Disaster Recovery Planning Documentation comes as a Word document. More...

Security Policies

Security Procedures

Security Manual for the Internet and Information Technology is over 240 pages in length.  The template is compliant with ISO 27000 (formerly ISO 17799), Sarbanes-Oxley, Patriot Act and HIPAA and includes a PCI DSS Audit program. More...

Job Descriptions

Job Descriptions

The IT job descriptions contained within the Internet and Information Technology Position Descriptions HandiGuide® were completed in 2012 and contains over 700 pages; which includes sample organization charts, a job progression matrix, and 243 job descriptions. More..

Salary Survey

Salaries for IT

Are you paying too much or too little to your information technology staff? Are you earning what you're worth? Whether employer or employee, it is important to know what other companies are paying in total compensation for a similar position in your area. Learn how your company compares in the area of compensation. More...

Sensitive Information Policy

Sensitive Information Policy defines how to treat Credit Card, Social Security, Employee, and Customer Data.
 
This policy covers the treatment of Credit Card, Social Security, Employee, and Customer Data.  The policy is 15 pages in length. This policy complies with Sarbanes Oxley Section 404.

The policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).

orderTake Salary Survey

Other Individual Policies

All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who just need this particular policy.  All policies are Sarbanes-Oxley, HIPAA, and Patriot Act compliant.

 

Record Management, Retention, and Destruction Policy

order     Take Salary Survey

Record Management PolicyA record is essentially any material that contains information about your company’s plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record – and you are now expected to retain and manage every one of those records, for several years or even permanently depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers who must come up with rock-solid solutions to securely store and manage all this data.

The Record Management, Retention, and Destruction is a detail policy template which can be utilized on day one to create a records management process.  Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.

Record Retention Requirements

You areas included with this policy template are:

  • Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
  • Policy
  • Standard
  • Scope
  • Responsibilities
  • Record Management
  • Compliance and Enforcement
  • Email Retention and Compliance
  • Job Description Manager Record Administrator
  • 12 forms for Record Retention and Disposition Schedule

You can download the Table of Contests and selected pages for this policy template.

order     Take Salary Survey

 

Outsourcing Policy

This policy is eighteen page in length and defines everything that is needed for a function to be outsourced.  The policy comes as a Microsoft Word document (Word 2003 & Word 2007) that can be modified as needed.  The template has been updated to include a HIPAA audit program definition:
  • Outsourcing Management Standard
    • Service Level Agreement
    • Responsibility
  • Outsourcing Policy
    • Policy Statement
    • Goal
  • Approval Standard
    • Base Case
    • Responsibilities 

Note: Look at the Practical Guide for Outsourcing over 110 page document for a more extensive process for outsourcing

order

 

 

Internet, E Mail, Mobile Device, Electronic Communication, and Record Retention Policy

This policy is is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and Sensitive information), and covers:
  • Appropriate Use of Equipment
  • Mobile Devices
  • Internet Access
  • Electronic Mail
  • Retention of Email on Personal
  • E-mail and Business Records
  • Copyrighted Materials
  • Banned Activities
  • Ownership of Information
  • Security
  • Sarbanes-Oxley
  • Abuse
Included are these ready to

  • Internet & Electronic Communication Employee Acknowledgement
  • E-Mail - Employee Acknowledgement
  • Internet Use Approval Form
  • Internet Access Request Form
  • Security Access Application Form

orderTake Salary Survey

Travel and Off-Site Meeting Policy

Protection of data and software is often is complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other  employees, contractors, suppliers and customers data and software can be compromised.  This policy is four page in length and covers:

  • Data and application security
  • Minimize attention
  • Shared public resources
  • Off-site meeting special considerations

order

 

Backup and Backup Retention Policy

Backup Policy & Backup RetentionThe Backup and Backup Retention policy is an 11 page sample policy that is a complete policy which can be implemented immediately. 

The document is provided in both Word 2003 and Word 2007 formats and is easily modified.  This policy is included in the Disaster Recovery / Business Continuity Template

order   Take Salary Survey

 

Below is a table from the policy.

 

Type of Data

Minimal Backup Policy

Backup Retention Policy

System software

Latest Version plus patches
 At Least Weekly

Annual (verified) Backup
Monthly Generations
Weekly Generations

Application software

Latest Version plus patches
At Least Weekly

Annual (verified) Backup
Monthly Generations
Weekly Generations

System data

Daily

Annual (verified) Backup
Monthly Generations
Weekly Generations
Daily Generations

Application Data

Daily with real time transaction files

Annual (verified) Backup
Monthly Generations
Weekly Generations
Daily Generations

Software licenses, encryption keys, & Protocol Data

Weekly

Annual (verified) Backup
Monthly Generations
Weekly Generations

 

order   Take Salary Survey

 

Productivity Policies and Procedures News

Tools for Disaster Recovery planing

02/02/2012

When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing field. Safe recovery distances can also mean painfully slow replication and backup across the WAN in addition to the costs to accomplish this.

Preparing for Disaster
Order Disaster Plan TemplateDisaster Plan Template

Janco's "Disaster Recovery and Business Continuity Template" leads the way to implementation of the latest disaster recovery technologies and cost savings strategies. Enterprise of all sizes can build a functional disaster recovery plan with this tool and make your own disaster recovery efforts more efficient.

- more info

Business Continuity Plan is more than just paper

01/20/2012

The Business Continuity Planning is about more than the IT components. Though the CEO and executive staff must define what business processes need protection and the appropriate response.

IT has several innate characteristics that make them well suited to disaster planning and implementation.

  • Project planning: IT is accustomed to implementing new technology in a controlled fashion, giving IT staff experience in understanding and planning for the impact of change for maximum success.
  • People/Process/technology relationship understanding: Two areas in which having an understanding of this relationship are key to success. The implementation of new technology often changes process. Changes in process change the ways people interact with information systems. From advanced computers and applications to systems that allow physical building access, IT understands the people/process/technology relationship better than any other team in the company. In addition, IT also has a deep understanding of how supporting systems are critical to the delivery of, and access to primary information systems. From Active Directory and DHCP to routers and firewalls, IT understands the key systems and the order in which they must be restored to deliver a complete service. This understanding facilitates business continuity and restoration.
  • Experienced in disaster management: In complex IT environments, something is usually broken or has a problem. IT has the experience to quickly identify the problem, understand the impact and respond appropriately to the issue. This experience is vital in the high stress and dynamic environment of managing a disaster event.
- more info

Disaster Recovery and Business Continuity a critical part of enterprise operations

01/08/2012

Disaster recovery is becoming an increasingly important aspect of enterprise computing. As devices, systems, and networks become ever more complex, there are simply more things that can go wrong. As a consequence, recovery plans have also become more complex. According to Janco Associates (the author of the Disaster Recovery Business Continuity Template). For example, fifteen or twenty years ago if there was a threat to systems from a fire, a disaster recovery plan might consist of powering down the mainframe  and other computers before the sprinkler system came on, disassembling components, and subsequently drying circuit boards in the parking lot with a hair dryer. Current enterprise systems tend to be too large and complicated for such simple and hands-on approaches, however, and interruption of service or loss of data can have serious financial impact, whether directly or through loss of customer confidence.

DRP/BCP Security Templates

Appropriate plans vary from one enterprise to another, depending on variables such as the type of business, the processes involved, and the level of security needed. Disaster recovery planning may be developed within an organization or purchased as a software application or a service. It is not unusual for an enterprise to spend 25% of its information technology budget on disaster recovery.

Nevertheless, the consensus within the DR industry is that most enterprises are still ill-prepared for a disaster. According to the Janco Associates Disaster Recover Business Continuity web site, Despite the number of very public disasters since 9/11, still only about 50 percent of companies report having a disaster recovery plan. Of those that do, nearly half have never tested their plan, which is tantamount to not having one at all.

- more info

eCommerace mandates business continuity management

12/14/2011

There's little doubt that business continuity management (BCM) must be front and center for today's payment card issuers : the potential cost implications of an unmanaged catastrophic incident within the supply chain for payment card issuers can run into millions of Euros and cause wide-ranging reputational issues that may impact customer growth.

Plan Do Check Act Cycle

- more info

Lost data is critical to users

11/10/2011

Backup PolicyThe general lack of preparedness for disasters and business interuptions is surprising in light of the fact that 40% of users feel like they would never be able to recover, recreate or repurchase all of their documents and files if their personal computer crashed. It’s even more surprising considering the insights that the study uncovered regarding the significant value many assign to their digital content, including:

  • It  is More Valuable Than Vacation Time
  • It is Even More Precious Than My Wedding Ring
  • I would Pay Dearly to Get My Data Back
  • I would Sacrifice Something I Love to Save My Data      

Users Place Too Much Trust in Their Hard Drives

Users are surprisingly trusting of their computer hard drives, particularly taking into account that over half have lost all of their personal files in a computer crash at some point. According to study, 82% of users keep electronic files only and the majority of these files are nowhere else but on their computer hard drive. The most popular files people store digitally are photos (55%), music (46%), resumes (42%), addresses (28%), phone numbers (27%), and financial documents (22%). Notably, the average user surveyed has more than $400 of digital music and movies on their computers and that, for one in four, the music and movies are worth more than the computer itself.

- more info

Disaster Recovery budgets remain stable

11/05/2011

A report into business continuity and disaster recovery budgets finds:

  • According to a IT Business Continuity Templatebudget survey, 32 percent of enterprises had planned to increase spending on business continuity and disaster recovery by at least 5 percent in 2011. The reality is that budgets have stayed constant rather than increased as anticipated.
  • Business continuity and disaster recovery budgets in 2011 have been an average of six percent of IT operating and capital budgets.
  • The likely culprit in stalled business continuity and disaster recovery spending is the continuing economic uncertainty. Even in the best of economic times, it's difficult to build the business case for an initiative such as business continuity that's primarily about cost avoidance rather than return on investment. In tough economic times, it's almost impossible.

Order Disaster PlanDisaster Plan Sample

- more info

Social media a disaster planning tools

10/27/2011

CIO policy bundle Government agencies are turning to social media technology to manage disasters and improve public safety.

A growing number of agencies are tapping into Facebook and Twitter to monitor events and provide near real-time notifications. And some are now taking social media a step further by communicating internally or sharing information and comments across offices or agencies.

A September Congressional Research Service report, Social Media and Disasters: Current Uses, Future Options, and Policy Considerations, noted that social media already plays an important role in disasters, but the use of the technology for emergency management is growing.

In Fort Worth and Tarrant County in Texas, for instance, a joint emergency operations center has switched on social media tools that improve communication across dozens of agencies and departments throughout the state. Police, firefighters, healthcare providers and others use push-to-talk radio, cellular telephony, and text messaging (including text documents and file sharing) to interact with an IP telephony infrastructure located in a response center. This allows teams to coordinate immediate responses, regardless of the underlying communications technology.

- more info

How does ISO 27031 impact your disaster plan?

10/18/2011

ISO 27031:2011, the information and communications technology (ICT) continuity management standard developed originally by the British Standards Institution (BSI), was accepted as an ISO standard in 2011. It represents a management systems-based implementation of an IT disaster recovery program. It has six key principles:

  • Protecting the ICT environment from incidents, failures and disruptions;
  • Detecting incidents at the earliest possible time;
  •  Reacting to incidents as efficiently as possible;
  • Recovering by identifying and implementing appropriate recovery strategies;
  • Operating in disaster recovery mode.
  • Returning to normal operations.
Preparing for Disaster
Order Disaster PlanDisaster Plan Template

While ISO 27031 is intended for use in the larger context of a business continuity program, organizations have successfully implemented this standard and then later grew into business continuity.

Structured as a management systems-based standard, ISO 27031 has two main components: the management system and the process. The management system is intended to ensure that an organization has a documented process to execute ICT continuity management. It utilizes the plan-do-check-act (PDCA) cycle consistent with ISO and other management system based standards. The process details the necessary components to provide the recovery capability. While the management system described in ISO 27031 can be established solely for IT disaster recovery, there are elements of the process that assume the existence of an overall business continuity program. As you can see below, ICT requirements are established by business continuity requirements typically determined during a business impact analysis.

The process of developing, maintaining, and improving an ICT capability are defined as five high level components:

  • Understanding the ICT requirements for business continuity - with the purpose of determining the ICT continuity services needed to support the business continuity requirements. The process requires understanding the components of critical services in production, their current continuity capability and the gap between current capabilities and business continuity requirements. The analysis should also focus on actions that can be taken to improve the resiliency of the production environment;
  • Determining ICT continuity strategies  -  with the purpose of developing both an overall ICT continuity management strategy and strategies for each critical ICT service that closes gaps identified during the previous phase;
  • Developing and implementing ICT strategies - with the purpose of implementing the chosen strategies, including establishing the necessary organizational structure, plans and procedures;
  • Exercising and testing - with the purpose of ensuring that the strategies and plans work as intended;
  • Maintenance, review and improvement - with the purpose of ensuring that ICT continuity strategy remains current and appropriate.

For those familiar with BS 25999-2:2007, the business continuity management standard, the structure above is consistent with sections four through six of that standard.

Order Disaster PlanDisaster Plan Template

Given the similarities to BS 25999, ISO 27031 is the logical choice for implementing a disaster recovery capability in organizations that either utilize BS 25999 for business continuity or have other management systems-based programs. It also provides solid guidance for organizations that have no business continuity or other structure in place to serve as a basis for disaster recovery development. Establishing a management system as part of an ISO 27031 implementation will provide the necessary governance and provide a platform for the development of a more comprehensive business continuity program.

- more info

Disaster recovery done in place should use outside experts

10/16/2011

Many organizations simply do not have the luxury of being able to move to an alternative recovery site following a physical disruption. In these cases disaster recovery plans should include the support of a disaster recovery company that will aid the internal recovery and incident team to mitigate against secondary damage, administer triage to the affected areas and expedite the correct equipment, methods and manpower to restore their facility as quickly as possible to a suitable working environment, so that service can be resumed.

Disaster Types

Order Disaster PlanDisaster Plan Template

Such disaster recovery responders will be on 24/7 standby to attend the client site. The responder will have conducted a survey of the site in advance of an incident, noting critical information so that any recovery and restoration objectives will be expedited without delay.

Speed of response is vital: in order to reduce the level of disruption and physical secondary damage; and to limit the time in which function is lost. Dealing with an incident within the first few hours may reduce the total time of the disruptive event by weeks.

- more info

Europe is more vulnerable to natural disasters

10/12/2011

Outsourcing Template

The significant increase in thenumber of natural hazards taking place in Europe according to the  United Nations disaster risk reduction agency.  The are warning that the region's governments need to implement prevention platforms to significantly reduce the danger they pose to their populations.

In 2010, Europe saw an 18.2 percent increase in disaster events compared to the decade's averages according to the chief of the UN International Strategy for Disaster Reduction (UNISDR).

In terms of economic damages, Europe accounted for 14.3 percent of reported global disaster losses in 2010, with most of the damages caused by climatological and hydro meteorological events.

Although this is cause for concern, there is evidence that European governments are slowly implementing adequate disaster risk reduction measures:

National reports demonstrate a gradual evolution from a mindset of crisis and response to one of proactive risk reduction and safety. Countries who have or are going to establish national platforms (NPs) for disaster reduction are reporting significant and ongoing success in addressing cross cutting risk reduction issues - more than double compared to those countries without NPs.

Also highlighted Europe's participation in the 2010-2011 World Disaster Reduction Campaign - Making Cities Resilient:

Europe is the most active region in embracing the campaign: 378 European cities have joined the campaign to improve their resilience and to exchange their experiences and challenges.

- more info