
Sarbanes-Oxley Compliance Kit
Mandated regulations impact IT
The audit spotlight now shines on IT. After years of regulation and embarrassing data breaches, the highest levels of management now discuss IT controls and audit results comfortably, and their quality expectations are rising. Where IT once supported an annual audit, many organizations now support quarterly, monthly, and ad hoc exercises, and each audit expands the scope of technologies that must be assessed, measured, and proven compliant. Broader scope means more complexity and more work. The Sarbanes-Oxley Compliance Kit helps you increase the timeliness and accuracy of audit data while reducing IT audit effort, disruption, and cost.
Sarbanes-Oxley Section 404 requires management to assess and attest to the effectiveness of internal controls over financial reporting. In practice, auditors evaluating the IT side of those controls expect that:
- Enterprises have an enterprise-wide security policy;
- Enterprises have an enterprise-wide classification of data for security, risk, and business impact;
- Enterprises have security-related standards and procedures;
- Enterprises have formal security-based documentation, auditing, and testing in place;
- Enterprises enforce separation of duties; and
- Enterprises have policies and procedures in place for Change Management, Help Desk, Service Requests, and changes to applications, policies, and procedures.
SOX adopted the COSO framework of internal control, the same framework that SAS 70 audits have used since inception. SOX heightened the focus placed on understanding the controls over financial reporting, and a Type II SAS 70 report became the accepted method of obtaining third-party assurance regarding the controls at a service organization. (SAS 70 has since been superseded by SSAE 16 / SOC 1 reports, which serve the same role.) Security "certifications" are not accepted as substitutes for a Type II audit report.
ISO 27000-series controls are also commonly referenced in SAS 70 reports. The Security Manual Template contains an ISO 27000 Security Process Audit Checklist. Together these two items address a service organization's description of its controls, and the auditor can use them when evaluating the service organization's control framework.
Preparation for Disaster Recovery / Business Continuity in light of SOX has two primary parts. The first is putting systems in place to protect the financial and other data required to meet the reporting regulations, and to archive that data so it can be produced if a report is later questioned. The second is to clearly and expressly document all of these procedures so that, in the event of a SOX audit, the auditors can see that the DR plan exists and will appropriately protect the data.
To meet these needs the Sarbanes-Oxley Compliance Resource Kit, which comes in four editions (Standard, Silver, Gold, and Platinum), contains:
- Security Policies (all editions);
- Threat & Vulnerability Assessment Tool (all editions);
- Business & IT Impact Questionnaire Risk Assessment Tool (all editions);
- Safety Program Template (all editions);
- Disaster Recovery Template (all editions);
- Outsourcing guide, updated to reflect what your vendors need to do (all editions);
- Internet and IT Job Descriptions (Silver, Gold, and Platinum Editions); and
- IT Service Management Template (Platinum Edition), which includes:
  - Service Request Policy and Standard
  - Help Desk Policy, Procedure, Standard, and Service Level Agreement
  - Change Control Standard, Quality Assurance Standard, and Management Workbook
  - Documentation Standard
  - Version Control Policy and Standard
  - Sensitive Information Standard
  - Blog and Personal Web Site Policy
  - Travel and Off-Site Meetings Security Policy
  - Internet, e-mail and electronic communication Policy
See the table below for a summary of the contents of each edition of the Sarbanes-Oxley Compliance Kit.
Sarbanes Oxley Compliance News
Hiring and keeping younger workers
January 28th, 2012
Today's young workers are extremely tech-savvy, and the technology they'll have access to is a major consideration for many as they join the workforce. Many are used to having 24/7 access to email and the Internet on their smartphones or tablets. And with extensive knowledge of the Internet and its many services, more are using Web-based applications for many of the solutions they use on a daily basis. As an employer, making sure you have the right technology on hand to both appeal to and keep your younger workers happy is an important consideration when plotting out your technology roadmap.
Keeping workers helps reduce training costs over time, and it could also help you sell your CEO on some product purchases. You know that cloud solution you're dying to implement? Well, tell the CEO about your young workforce being able to take advantage of it to work extra hours, and it might just happen. Want to bring iPads to the office? Tell the top executive that it might just improve productivity. As your company tries to find an edge in a job market filled with educated Millennials, technology could very well be the differentiating factor that helps you attract and retain a young workforce.
Cloud as an alternative to outsourcing
January 20th, 2012
CEOs at three of India's top ten outsourcing providers recently told the Times of India that they plan to "reduce on-site work by up to five percent over the next year and handle traditional onsite projects such as managing takeover of an existing outsourcing contract... through videoconferencing." (The Times did not name the CEOs or their companies.)
As the whistleblower case against Infosys, alleging that the Indian IT services provider misused B-1 visas to bring offshore staff to the U.S., heads to court later this year, it's unlikely that scrutiny of the temporary worker visa system will subside. And, as of Monday, talks between the U.S. and India intended to address these visa complaints among other issues, were called off indefinitely.
Prepare now for the inevitable effects of reductions in onshore and on-site headcount:
- Conduct a Process Design Review - Make sure that essential on-site roles required for seamless operation of global delivery will be filled. Consider contract resources to handle short-term gaps, advises Amneet Singh, vice president of global sourcing for outsourcing consultancy Everest Group. Longer term, developing such skills in-house may be a better bet. "Buyers are picking and choosing certain roles to bring back in-house," says Esteban Herrera, chief operating officer of outsourcing analyst firm HfS Research.
- Invest in Change Management Efforts - Prepare users for potential tweaks in the delivery model and changes in their day-to-day working experience, says Singh, and execute an effective communication strategy to address any uncertainty in the business.
- Consider Nearshore Alternatives - Providers with alternate delivery locations, like Mexico, do not face the same temporary visa restrictions as a result of the North American Free Trade Agreement (NAFTA), Herrera points out. They can more easily transfer workers across borders to manage projects and knowledge transfer.
- Beef Up Your Technology Backbone - Your offshore provider is likely to require more high-end videoconferencing or digitization capabilities to manage future projects. Ensure you have the right infrastructure and software to handle the proposed technology enablers of diminished on-site staff, says Singh. Also, make sure to design and execute effective internal training programs for the new tools.
- Revisit Contract Pricing - If your IT service provider is planning to move on-site roles overseas, it's probably a good time to renegotiate price, but don't play hardball. Sharing the upside of sending more work to less costly locales will result in a happier and healthier relationship long-term.
Half of European companies have no disaster plan
January 12th, 2012
Over half of small organisations across the UK, France and Germany are operating without a formal disaster recovery plan in place, according to research.
The survey of 160 IT decision-makers found that 58% of small organisations (50-250 employees) do not have a formal disaster recovery plan, and nearly one fifth of mid-sized enterprises (250- 1,000 employees) are in the same position.
Industry differences became apparent when comparing how prepared organisations are for a potential disaster. Companies in the Financial Services sector (90%) and in Communications and Media (81%) largely have formal disaster recovery plans in place, whereas fewer than 40% of businesses in Retail & Distribution and in Manufacturing have drawn up formal disaster recovery plans.
Security Template now has electronic forms
January 7th, 2012
The Security Manual for the Internet and Information Technology is over 230 pages in length. All versions of the Security Manual Template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both redesigned to address Sarbanes-Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and to Sarbanes-Oxley, ISO 27000, PCI DSS, and HIPAA.
The policies and procedures template now has electronic forms including:
- Blog Policy Compliance
- Company Asset Employee Control Log
- Email - Employee Acknowledgment
- Employee Termination Checklist
- Internet Access Request
- Internet Use Approval
- Internet & Electronic Communication - Employee Acknowledgment
- Mobile Device Access and Use Agreement
- Employee Security Acknowledgement Release
- Preliminary Security Audit Checklist
- Security Access Application
- Security Audit Report
- Security Violation Reporting
- Sensitive Information Policy Compliance Agreement
Federal agencies are not spending as much as private businesses on security
November 22nd, 2011
Federal agencies have budgeted $6.5 billion for security in fiscal 2012, a much smaller share of IT spending than most other industries commit.
The federal government lags behind most industries in the proportion of its IT budget spent on security, which points to a need for agencies to rethink their investments as they adopt new technologies. Many agencies report that they do not feel they have enough money to spend on security.
In total, federal agencies have budgeted $6.5 billion for all security investments in fiscal 2012, against a total federal IT budget for that year expected to top $81.3 billion, roughly 8 percent.
Not surprisingly, the Department of Defense spends more than any other agency on security, according to the report: its 2012 security budget, covering both legacy systems and development, modernization, and enhancement, is $4.1 billion. The report does not provide total IT budgets for individual agencies. The Department of Homeland Security is also among the leading security investors, having budgeted $525.7 million for security in 2012.
US Senate looking to tax Internet Sales
November 9th, 2011
The US Senate has a new bill on its agenda, The Marketplace Fairness Act, that would allow states to collect taxes on Internet sales, even when the seller does not have a physical presence in the taxing state.
In essence the bill would allow states that sign on to collect sales taxes from Web-based sellers, reversing a widespread practice of no Internet sales taxes since the beginning of the commercial Web.
The new bill would allow states to collect sales taxes from remote sellers if they sign on to the Streamlined Sales and Use Tax Agreement (SSUTA), a 12-year-old effort to meet the Supreme Court's requirements to simplify sales tax collection, or if they adopt a so-called alternative tax simplification plan.
Sponsors of the bill, similar to past efforts to allow Internet sales taxes, said the current system is unfair to small bricks-and-mortar businesses that have to charge sales tax to local customers.
Correcting Social Media Errors
November 8th, 2011
What matters first with a social media mistake is responding quickly, being transparent and demonstrating sincerity -- all of which should follow a social gaffe committed in person and in public. Social media, though, introduces complications all its own: How you've been using it all along will also affect your ability to clean up after it.
This is why what comes after the mistake is just as important, if not more so: The chance to learn why it happened in the first place and do something about it. You may find better ways to use social media because of this. If you've been spammy or thoughtless, you need to own up to that. If your audience makes good points about your shortcomings (however badly they phrase them), you need to respond to those too.
Smartphones impact how CIOs implement a secure DR infrastructure
November 5th, 2011
The world of smartphones, tablets and mobile devices is evolving rapidly and is changing the way CIOs think about topics ranging from telework to disaster recovery to information security.
- Mobile Device Security: Before you can make your users more productive with mobile devices, you need to make certain that those devices are highly secure and remotely managed.
- Custom Applications: The rapid advances in COTS smartphone technology have changed the game for creating custom, multi-platform applications that can dramatically boost your mobile users' productivity.
- Disaster Recovery and Emergency Response: New commercial wireless technologies can be a key part of your disaster response / Continuity of Operations (COOP) plans.
- Mandated Mobile Security: While modern cellular networks provide security good enough for everyday use, there are situations, such as when you're dealing with sensitive or classified information, where you need a higher grade of information assurance for your wireless voice communications.
- Mobile Resource Management: Whether you're tracking vehicles or other transportable assets, wireless asset management systems enable CIOs to increase asset protection and tracking capabilities and save money at the same time.
- Field Force Automation: Virtually any job process that is done with paper-based forms or on unconnected terminals can be adapted to mobile handheld or tablet devices.
Small businesses have a false sense of security about Internet access
October 27th, 2011
Most small business owners believe that Internet security is critical to their success and that their companies are safe from cyber security threats, but most fail to take fundamental precautions. This is the major finding from a survey of US small businesses.
The survey found that two-thirds (67 percent) of US small businesses have become more dependent on the Internet in the last year and 66 percent are dependent on the network for their day-to-day operations. What's more, 57 percent of firms say that a loss of Internet access for 48 hours would be disruptive to their business, 38 percent said it would be 'extremely disruptive' and 76 percent say that most of their employees use the Internet daily.
The vast majority of small business owners think their company is cyber-secure: 85 percent of respondents said their company is safe from hackers, viruses, malware or a cyber-security breach, and seven in ten (69 percent) believe that Internet security is critical to their business's success. Additionally, a majority (57 percent) of small businesses believe that having a strong cyber security and online safety posture is good for their company's brand.
Despite this, a closer look reveals that most small businesses lack sufficient cyber security policies and training. 77 percent said they do not have a formal written Internet security policy for employees and of those, 49 percent reported that they do not even have an informal policy. More small business owners also said they do not provide Internet safety training to their employees than said they do - to a tune of 45 versus 37 percent. And a majority of businesses (56 percent) do not have Internet usage policies that clarify what websites and web services employees can use and only 52 percent have a plan in place for keeping their business cyber-secure.
At the same time, small businesses may not understand how to respond to online threats or the danger they pose. For example, 40 percent of small businesses say that if their business suffered a data breach or loss of customer or employee information, credit card information or intellectual property, their business does not have a contingency plan outlining procedures for responding and reporting it. Two-fifths (43 percent) also say they do not let their customers and partners/suppliers know what they do to protect their information.
The survey also found that 69 percent of the businesses surveyed handle customer data, while about half (49 percent) handle financial records, one-third (34 percent) handle credit card information, one quarter (23 percent) have their own intellectual property, and one in five (18 percent) handle intellectual property belonging to others outside their company. When asked to rank their top concern while employees are on the Internet, 32 percent of small business owners reported viruses, 17 percent spyware/malware and 10 percent loss of data. Yet only 8 percent are concerned about loss of customer information, 4 percent about loss of intellectual property and only 1 percent worry about loss of employee data, even though cyber security experts believe the loss of any of this kind of information would be devastating to a business.
Data Center Consolidation Impacts DRP and BCP
October 16th, 2011
Disaster Recovery and Business Continuity planning are impacted by data center consolidation that centralizes productivity applications. As enterprises reduce the overall number of data centers, consolidating remote and branch office assets in the process, Disaster Recovery and Business Continuity become more critical. According to an international research firm, 41% of large organizations have consolidated most IT assets in corporate data centers, while another 34% have consolidated some assets in corporate data centers.
While this has given IT greater operational control and lower costs, it can also increase risk. Each remote site now depends on its link to the centralized data center, and the data center itself becomes a single point of failure. If the centralized location were to fail, all the applications and services housed there would be unavailable, and the impact, measured in lost productivity and revenue, could be far greater than the loss of a single branch site.
The Safety Program is 60 pages and includes everything needed to customize it to fit your specific requirements. The Safety Program reflects the latest issues associated with the most recent legislation (Sarbanes-Oxley).
The Business and IT Impact Analysis Questionnaire was designed by one of the industry's most experienced application assessment consultants and has been used in over 500 assessment, DRP, and business impact projects in the past four years. A Risk Ranking definition is included.