Security Policies and Procedures

Data Protection Priorities

ISO 27000 Compliant

Sarbanes Oxley Compliant - HIPAA Compliant
Version 6.3

Includes HIPAA Audit Program Guide &
ISO 27000 Security Checklist

Data protection priorities are impacted by various factors. Janco has identified seven of the ones that drive security policies and procedures.

The Security Manual for the Internet and Information Technology is over 215 pages in length. All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes Oxley. The job descriptions are:

  • Chief Compliance Officer (CCO)
  • Chief Security Officer (CSO)
  • VP Strategy and Architecture
  • Director e-Commerce
  • Database Administrator
  • Data Security Administrator
  • Manager Data Security
  • Manager Facilities & Equipment
  • Manager Network & Computing Services
  • Manager Network Services
  • Manager Training and Documentation
  • Manager Voice and Data Communication
  • Manager Wireless Systems
  • Network Security Analyst
  • System Administrator - Unix
  • System Administrator - Windows

Clients can also subscribe to Janco's Security Manual update service and receive all updates to the Security Manual Template for 12 months* from the date of purchase. 

The template includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirements. The electronic document includes proven written text and examples for the following major sections of your security plan:

  • Security Manual Introduction - scope, objectives, general policy, and responsibilities
  • Risk Analysis - objectives, roles, responsibilities, program requirements, and practices program elements
  • Staff Member Roles - policies, responsibilities and practices
  • Physical Security  - area classifications, access controls, and access authority
  • Facility Design, Construction and Operational Considerations - requirements for both central and remote access points
  • Sensitive Information Policy
  • Media and Documentation - requirements and responsibilities
  • Data and Software Security - definitions, classification, rights, access control, INTERNET, INTRANET, logging, audit trails, compliance, and violation reporting and follow-up
  • Network Security - vulnerabilities, exploitation techniques, resource protection, responsibilities, encryption, and contingency planning
  • Internet and Information Technology Contingency Planning - responsibilities and documentation requirements
  • Travel and Off-Site Meetings - specifics of what to do and not do to maximize security
  • Insurance - objectives, responsibilities and requirements
  • Outsourced Services - responsibilities for both the enterprise and the service providers
  • Waiver Procedures - process to waive security guidelines and policies
  • Incident Reporting Procedures - process to follow when security violations occur
  • Access Control Guidelines - responsibilities and how to issue and manage badges / passwords
  • Sample Forms and Checklists
    • Business and IT Impact Questionnaire
    • Threat & Vulnerability Assessment Tool
    • Security Violation Reporting form
    • Security Audit form
    • Inspection Check List
    • New Employee Security form
    • Security Access Application form
    • Sensitive Information
    • Employee Termination Checklist
    • Supervisor's Employee Termination Checklist
    • Sensitive Information Policy Compliance Agreement
    • HIPAA Audit Program Guide
    • ISO 27000 Security Checklist
Security Data Protection Priorities News




USB flash drives a major security risk

According to the Washington Post, a top Defense Department official is speaking publicly about a successful, high-profile infiltration of a computer network belonging to the US military's Central Command.

Deputy Defense Secretary William J. Lynn III describes the attack in an article to be published today in Foreign Affairs. The incident occurred in 2008 at a post in the Middle East and was carried out by means of a USB flash drive which installed malware. "That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," according to Lynn. In 2008, the Los Angeles Times reported, citing anonymous Defense officials, that the incursion might have originated in Russia.

"Operation Buckshot Yankee," which countered the attack, was a turning point for military computer security. Part of the response was a temporary ban on the use of flash drives in military computers. That ban has since been modified. The broad outlines of the attack have been reported over time, but the details had heretofore been kept secret.

The Post suggests that Lynn's article is aimed in part at raising awareness of the problem and of DoD's actions in response, particularly "active defense" which seeks out intruders on the network. It is also an exercise in public lobbying for DoD to have a role in national cyberdefense. Current legislative proposals generally give the Department of Homeland Security primary responsibility.

IE continues to lose market share

Microsoft Continues to Lose Browser Market Share!!!
Vista Dead In Its Tracks - Windows 7 Does Better?

Browser White Paper


The summary findings in Janco's Browser and OS Market Share White Paper are:

  • Firefox challenged Microsoft as no other competitor has done in quite some time but Microsoft seems to have addressed this
  • The SmartPhone market has taken off and users no longer have to depend on a PC to access the Internet
  • Users are staying current with the latest versions of IE, and Firefox via the automatic update feature.
  • Google’s Chrome is disappointing and has captured only a little over 5% of the browser market since its introduction.
  • Internet Explorer’s market share continues to fall.
  • Attacks on browsers are moving many users to the automatic update feature to get the latest versions of the browsers.
  • The door was open for Google with both Desktop and Chrome – it is not clear that the current offering by Microsoft’s competitors can do more damage to Microsoft browser market share.  However Microsoft must address the SmartPhone market to maintain its leadership position.

Blackberry under attack again...

India's government is the latest in a long list of national governments that have recently threatened to shut down BlackBerry services over security issues. The United Arab Emirates has said it will halt Blackberry Messenger, e-mail, and Web browsing starting October 11. Indonesia and Saudi Arabia also threatened to block BlackBerry Messenger service. Saudi Arabia reached a deal with RIM over the weekend, and a ban that was to go into effect starting Monday was lifted.

Meanwhile, countries in Europe, such as Germany, are also putting pressure on RIM to loosen its security enough so that communications can be monitored. The German government has urged staffers not to use the BlackBerry, and several ministries have banned them, Reuters reported. And last week, the European Commission rejected the BlackBerry as a handset for its employees, opting instead for Apple's iPhone and HTC smartphones.

India's decision followed a meeting that Home Secretary G.K. Pillai had with officials from India's Department of Telecommunications as well as other federal security agencies, according to Reuters.

Governments say the BlackBerry's tight security is a concern as they try to combat terrorist attacks and other illegal activities. India, for instance, is trying to keep a lid on fighting by insurgents in Kashmir as well as potential threats from Pakistani militants.

Of RIM's 46 million users worldwide, about 1.1 million are in India. India is among the fastest-growing markets for the BlackBerry. This is an important factor given that the North American market, RIM's stronghold, is becoming saturated. RIM and other phone makers need to look to developing countries, such as India and nations in the Middle East, for growth.

If RIM is unable to satisfy India's security demands, the services that would be shut down are the BlackBerry e-mail service and instant messaging.

IT infrastructure is complex

Today's IT infrastructure is complex. The number of IT assets in the infrastructure that an enterprise-level organisation must manage can be overwhelming: different platforms, devices, servers, applications, databases and more. And the sheer volume of activity that occurs in this infrastructure is almost too large to imagine. Many organisations have technology located in different places around the world. In the retail and hospitality industries, for example, organisations have corporate data centers plus thousands of tills and point of sale (POS) devices in stores and hotels that introduce potential risk.

In addition, to drive down costs, organisations have turned to potential cost-savings technology such as virtualisation. But such actions introduce new complications. Virtualisation may provide cost-savings, but managing these highly dynamic virtual machines introduces a new layer of risk and requires greater visibility into the activities on these systems.

Security infrastructure definition key to productivity

Complex security policies can be difficult for employees to follow, so it is unrealistic to leave security in the hands of mobile employees. An effective enterprise security plan should provide simple, automated, scalable, and comprehensive ways to protect IT investments and maintain worker productivity. Organizations must approach security from a comprehensive perspective that ranges from the desktop to the data center, following best practices to help ensure that the plan protects both physical assets and data. A good strategy for mobile security is based on:

  • Protect systems: Asset tags can help simplify asset management by identifying individual devices. When used in conjunction with server-side asset management software, these tags give IT organizations the ability to monitor internal system components. In addition, dedicated security locks can help prevent theft. Visual deterrent labels and company logos offer an additional layer of protection against common theft because they make an easy resale harder.
  • Protect data: When physical protection fails and a mobile device is lost, stolen, or damaged, it is critical that organizations retain the ability to protect sensitive enterprise data on the system. Data protection is linked to efficient access management. If authentication is not well managed, data protection can be difficult, especially if it is not centrally controlled. With a central security management solution (a server-side application that interacts with the client-side software for central management), IT departments can maintain control over key client security features and link them back to central management.
  • Prevent unauthorized access: Security policies must strike the correct balance between providing the right people with access to the right level of information and blocking access for improper users. Authentication is key to enabling secure data access because it focuses on identifying the user. Authentication methods can include smart cards with PIN access, contactless cards, or unique biometric verifiers such as Federal Information Processing Standards (FIPS)-certified embedded fingerprint readers. Multi-factor authentication is the combination of these technologies into one strong authentication process, whereby any end user may be asked for more than one form of authentication.
  • Prevent malicious attacks: Network security should focus on antivirus deployment and security appliances, targeting three lines of defense: endpoint protection, which relies on software designed to safeguard mobile devices; network traffic monitoring, which uses appliances to watch for unusual data traffic patterns on enterprise networks; and Internet gateway appliances, which serve as filters and firewalls that selectively identify and block potentially dangerous data.