Individual Policies
All of the policies provided here are contained within one or more of the templates on this site. They have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who need only a particular policy. All policies are Sarbanes-Oxley, HIPAA, PCI-DSS, and ISO compliant.
Internet, e-Mail, Mobile Device, Electronic Communications, and Record Retention Policy
This policy is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and sensitive information requirements), and covers:
- Appropriate Use of Equipment
- Mobile Devices
- Internet Access
- Electronic Mail
- Retention of Email on Personal Systems
- E-mail and Business Records Retention
- Copyrighted Materials
- Banned Activities
- Ownership of Information
- Security
- Sarbanes-Oxley
- Abuse
Included with the policy are forms that can be used to facilitate its implementation. These ready-to-use forms are included:
- Internet & Electronic Communication Employee Acknowledgement
- E-Mail - Employee Acknowledgement
- Internet Use Approval Form
- Internet Access Request Form
- Security Access Application Form
The WORD template uses the latest CSS style sheet and can easily be modified to conform to the style used in your enterprise policy manual.
Outsourcing Policy
Outsourcing Policy - This policy is eighteen pages in length and defines everything that is needed for a function to be outsourced. The policy comes as a Microsoft Word document that can be modified as needed. The template has been updated to include a HIPAA audit program definition and covers:
- Outsourcing Management Standard
- Service Level Agreement
- Responsibility
- Outsourcing Policy
- Policy Statement
- Goal
- Approval Standard
- Base Case
- Responsibilities
Note: See the Practical Guide for Outsourcing, a document of over 110 pages, for a more extensive outsourcing process.
Sensitive Information Policy
Includes a HIPAA Audit Program Guide and a PCI Audit Program
This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 29 pages in length and complies with Sarbanes-Oxley Section 404, ISO 27000 (17799), and HIPAA. The PCI Audit Program that is included is an additional 50 plus pages in length.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
The HIPAA Audit Program Guide provides you with a checklist of the items that HIPAA mandates must be implemented.
Backup and Backup Retention Policy
The Backup and Backup Retention policy is an 11-page sample policy that is complete and can be implemented immediately.
The document is provided in both Word 2003 and Word 2007 format and is easily modified. This policy is included in the Disaster Recovery / Business Continuity Template.
Below is a table from the policy:
| Type of Data | Minimal Backup Policy | Backup Retention Policy |
| --- | --- | --- |
| System software | Latest version plus patches | Annual (verified) backup |
| Application software | Latest version plus patches | Annual (verified) backup |
| System data | Daily | Annual (verified) backup |
| Application data | Daily, with real-time transaction files | Annual (verified) backup |
| Software licenses, encryption keys, and protocol data | Weekly | Annual (verified) backup |
Travel and Off-Site Meeting Policy
Travel and Off-Site Meeting Policy - Protection of data and software is often complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other employees, contractors, suppliers and customers, data and software can be compromised. This policy is seven (7) pages in length and covers:
- Laptop and PDA Security
- Wireless and Virtual Private Networks (VPN)
- Data and Application Security
- Public Shared Resources
- Minimizing attention
- Off-Site Meetings
- Remote Computing Best Practices
This policy has been updated to reflect the requirements of PCI-DSS, Sarbanes-Oxley, HIPAA, and ISO. The policy comes as both a WORD file and a PDF file utilizing a standard CSS style sheet.
IT Policies and Procedures News
Managing Productivity and Costs in a Turbulent Economy
There have been unprecedented events in the global markets that will have a profound impact on enterprises of all types. Enterprises need to take proactive measures to mitigate the risk of coming under severe financial pressure themselves.

Is traditional "cost cutting" really the answer? Cost reduction is a promising solution to sustain profitability for nearly all organizations. However, the key to success is finding creative ways to prevent costs.
Metrics are the way we see it. Metrics-based solutions allow enterprises to improve their understanding of the key drivers of profitability and enable them to develop a cost redistribution program that will ensure long-term financial viability. It is critical to identify the areas where cost can be eliminated or reduced and to create and implement a formal cost review process.
Enterprises of all types are feeling the pressure as customers' disposable income decreases while trying to keep up with higher costs of living. Over the last several years, cost management strategies have become the focus of executive management due to global economic challenges.
These external drivers of cost management include:
- Marketplace Competition - competitors providing similar products at lower prices
- Recession Fears - less cash flow in the marketplace
- Rising Production Costs - increasing cost of energy and material
- Inflation - declining value of currency and/or rising prices of goods and services
- Increased Investor and Board of Directors Pressures - missed revenue targets, mergers and acquisitions
ITSM Metrics
IT Service Management Metrics are defined in the ITSM Template.
IT Service Management is possible only with client and IT agreement that service is being delivered. The ITSM SOA Template is the perfect solution.
Setting Priorities With Tight Budgets
Meet with each user group's executives and ask them, if they could get only one project done, what it would be. The rule for the discussion: they describe their projects in terms of business change, not in terms of software requirements ("We need to improve productivity in the warehouse by picking items more efficiently," not "We need an inventory picking system enhancement.").
Next, call a meeting with your business analysts. Walk them through the full list, then parcel out the requests based on each analyst's expertise and ability to get along with the various execs. In this discussion, let them know you're looking for quick solutions that are good enough, not elegant solutions that will withstand the test of time. Their job is to figure out how to get each exec most of the improvement they're looking for, and quickly, not all of the improvements they'd like done the "right way."
This means that if a twice-a-day batch extract into an Excel file works, there is no need to create a real-time SOA-driven interface. It means that a once-a-night dump-and-load into Excel might be a better answer than enhancing the data warehouse and its business intelligence interface.
It might mean nothing more than teaching their staff how to assign tasks to each other using plain-vanilla existing software, instead of deploying a full-blown, enterprise-scale integrated project management solution.
CIOs Need to Hire and Develop IT Staff
Successful CIOs are utilizing sophisticated, aggressive hiring tactics to acquire the most desirable personnel wherever they may be, while at the same time putting extensive emphasis on retaining and developing internal talent.
This is not easy given the current economic situation. Developing an adequate in-house talent pool demands more than a simple training program for employees' development. Establishing a strong, predictable internal talent pipeline requires:
- Clarity of role and expected performance
- Management of employees at every level
- Guided training, education, and career planning
- Assignment of eligible staff to the most exciting projects to motivate them and ensure a satisfying work experience
IT Metrics Key to Success in Troubled Times
You cannot manage what you do not measure. In addition, once you measure, you modify behavior. Yet many organizations do a very poor job (or no job at all) of measuring the business value of their IT investments; but maximizing the business value of IT investments is the primary objective of good IT governance. A number of formal measurement methodologies exist for measuring the business value of IT. Simple ROI or other financial metrics are not good enough. By employing a consistent, repeatable, credible methodology that both the business users and IT are held accountable for, and that measures projected business value as well as the actual value delivered, organizations can significantly improve their IT investment returns.
Many IT organizations are under increasing pressure from the board of directors, executive management, and business unit managers to demonstrate and improve the business value of their IT investments. However, IT organizations still struggle to measure business value. Many of the attempts to do so have been focused on ROI measures at the front end, as part of developing a business case for the IT portfolio's proposed investments - but these are only estimates of expected business value. Actual delivered business value can only be measured by taking a life-cycle approach, working with the business to measure actual benefits after the project is complete.
Firms that strive for best practice in IT portfolio management need to apply a credible standard methodology across the enterprise to measure the business value of investments, both when proposed and when delivered. The good news is that a number of IT value methodologies have emerged that can be employed in the portfolio management process. The key is to adopt one and begin using it.
IT Strategy is Based on a Grounded Infrastructure
If companies are going to grow into entities that are truly greater than the sum of their parts, they need to respond faster and smarter to market challenges with better decision-making capabilities. One vital concern, which is often overlooked in discussions of information visibility, is the need for stringent alignment of departmental objectives with corporate strategy.
Business activity alignment is the ability to take your theories and put them into practice - in essence, taking the strategic plan and translating it into tactical steps. This results in more clearly defined executive roles, as well as an enhanced ability to leverage technology towards growth.
Additional business benefits include achieving a balance of cost and investment towards organizational goals; a balance between internal limits and external growth; enhanced collaboration for better decisions and departmental alignment; and a 360-degree view of customers for better customer experiences as well as marketing and sales efforts.
To ensure alignment, management should focus on the development of a common set of metrics within the organization, which naturally requires a common set of definitions. Typically, different parts of the organization develop metrics specific to themselves and their purposes - resulting in a lack of consistency in reporting and an inability to aggregate information to senior management. According to a 2007 report, 57 percent of companies do not have a common set of metrics to work with.
The challenges become apparent when management tries to aggregate departmental information to make enterprise decisions. A lack of consistent definitions and metrics makes it particularly difficult for management to determine which way alignment needs to tilt, if at all. One caveat: small and midsize companies must strike a balance between letting groups identify and define the best metrics for themselves versus defining metrics in the best interests of the organization as a whole.
The result of strict alignment of activities with corporate strategy is that individual departments are no longer paying lip service to the business plan; instead, it serves as a coherent action plan, with all cogs working toward the same objective instead of grinding the machine to a halt.
Security Audit Starting Points
When conducting a security audit there are some common areas that should be reviewed. Included are:
- Computer and network passwords. Is there a log of all people with passwords (and of what type)? How secure is this access control list, and how strong are the passwords currently in use?
- Emails. Are spam filters in place? Do employees need to be educated on how to spot potential spam and phishing emails? Is there a company policy that outgoing emails to clients not contain certain types of hyperlinks?
- Physical assets. Can computers or laptops be picked up and removed from the premises by visitors or even employees?
- Records of physical assets. Do they exist? Are they backed up?
- Data backups. What backups of virtual assets exist, how are they backed up, where are the backups kept, and who conducts the backups?
- Logging of data access. Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?
- Access to sensitive customer data, e.g., credit card info. Who has access? How can access be controlled? Can this information be accessed from outside the company premises?
- Access to client lists. Does the website allow backdoor access into the client database? Can it be hacked?
- Long-distance calling. Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?
Government Computers Hit by Virus Attack
WASHINGTON (AP) - Law enforcement computers were struck by a mystery computer virus, forcing the FBI and the U.S. Marshals to shut down part of their networks as a precaution.
The U.S. Marshals confirmed it disconnected from the Justice Department's computers as a protective measure after being hit by the virus; an FBI official said only that that agency was experiencing similar issues and was working on the problem.
"We too are evaluating a network issue on our external, unclassified network that's affecting several government agencies," said FBI spokesman Mike Kortan. He did not elaborate or identify the other agencies.
Marshals spokeswoman Nikki Credic said the agency's computer problem began Thursday morning. The FBI began experiencing similar problems earlier.
"At no time was data compromised," said Credic. The type of virus and its origin were not determined.
In addition to their external networks, most federal law enforcement agencies have an internal-only network to keep cyber-snoopers away from sensitive data.
In this incident, the Marshals Service shut down its Internet access and some e-mail while staff worked on the problem.
Productivity Improvements Will Drive IT's Future Growth
Microsoft CEO Steve Ballmer told developers in India that growth will come from higher productivity and innovation when the economy begins to recover. It is not clear when that recovery will take place, but he added that the IT industry will have a starring role to play in that recovery as customers focus on improving productivity and innovation.
According to Ballmer, the global economy is being "reset" in a "once in a lifetime" type of economic change. IT accounts for 50% of capital expenditure in the U.S.
CIOs Change Focus of Staffing Requirements
With the recent changes in the economy, many CIOs are focusing staffing requirements on factors like:
- .NET, Java, PHP - It is not enough to know the core languages. As projects encompass disparate functionality, IT professionals need to know the big 3 of Web 2.0.
- Rich Graphical Internet Applications - Flash is suddenly being used for more than just animations of politicians singing goofy songs. Flash has also sprouted additional functionality in the form of Flex and AIR. Flash's competitors, such as JavaFX and Silverlight, are also upping the ante on features and performance. To make things even more complicated, HTML 5 is incorporating all sorts of functionality, including database connectivity.
- Web Based Application development - Management is demanding more and needs staff who really know how to work with the underlying technology at a "hand code" level.
- Web services - IT groups who cannot work with Web services will find themselves relegated to legacy and maintenance roles.
- People skills - Developers are being brought into more and more non-development meetings and processes to provide feedback. For example: the CFO cannot change the accounting rules without working with IT to update the systems; an operations manager cannot change a call center process without IT updating the CRM workflow. IT groups that can meet these challenges will be much more valuable to their employers - and highly sought after in the job market.
- New programming languages - Languages like Ruby, Python, F#, and Groovy are not mainstream, but the ideas in them are. For example, the LINQ system in Microsoft's .NET is a direct descendant of functional programming techniques. Both Ruby and Python are becoming hot in some sectors, thanks to the Rails framework and Silverlight, respectively.
- Flexible Methodologies - Many CIOs are either adopting flexible SDM or running proof-of-concept experiments. For IT groups, a proven track record of understanding and succeeding in a flexible SDM environment is a critical success factor.
- Enterprise Operational knowledge - Hand-in-hand with flexible SDM methodologies, development teams are increasingly being viewed as collaborators in the definition of projects. This means that IT groups who understand the enterprise problem are able to contribute to the project in a highly visible, valuable way.
- Change Control and IT Service Management - Thanks to the development of new, integrated stacks, like the Microsoft Visual Studio Team System, and the explosion in availability of high quality, open source environments, organizations without these tools are becoming much less common.
- Mobile development - In 2008, mobile development left the launch pad, and over the next five years it will become increasingly important. There are, of course, different approaches to mobile development: Web applications designed to work on mobile devices, RIAs aimed at that market, and applications that run directly on the devices. Regardless of which of these paths you choose, adding mobile development to your skill set will ensure that you are in demand for the future.