Outsourcing Policy
The outsourcing policy is eighteen pages in length and defines everything that is needed for a function, department, or area to be outsourced.
The policy comes as a Microsoft Word document (Word 2003 & Word 2007) that can be modified as needed. The template has been updated to include a HIPAA audit program definition. Its sections are:
- Outsourcing Management Standard
- Service Level Agreement
- Responsibility
- Outsourcing Policy
- Policy Statement
- Goal
- Approval Standard
- BaseCase
- Responsibilities
Note: See the Practical Guide for Outsourcing (a template of over 110 pages) for a more extensive outsourcing process, including a sample contract and a sample service level agreement.
Other Policies
All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format for those clients who need only this particular policy. All policies are Sarbanes-Oxley compliant.
Internet, e-Mail, Mobile Device, Electronic Communications, and Record Retention Policy
This policy is compliant with all recent legislation (SOX, HIPAA, the Patriot Act, and sensitive-information requirements), and covers:
- Appropriate Use of Equipment
- Mobile Devices
- Internet Access
- Electronic Mail
- Retention of Email on Personal Systems
- E-mail and Business Records Retention
- Copyrighted Materials
- Banned Activities
- Ownership of Information
- Security
- Sarbanes-Oxley
- Abuse
Included with the policy are ready-to-use forms that facilitate its implementation:
- Internet & Electronic Communication Employee Acknowledgement
- E-Mail - Employee Acknowledgement
- Internet Use Approval Form
- Internet Access Request Form
- Security Access Application Form
Sensitive Information Policy
Includes HIPAA Audit Program Guide and a PCI Audit Program
This policy is easily modified and defines how to treat credit card, Social Security, employee, and customer data. The template is 29 pages in length and complies with Sarbanes-Oxley Section 404, ISO 27000 (17799), and HIPAA. The PCI Audit Program that is included is an additional 50-plus pages in length.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
The HIPAA Audit Program Guide provides a checklist of the items that HIPAA mandates must be implemented.
Travel and Off-Site Meeting Policy
Protection of data and software is often complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other employees, contractors, suppliers, and customers, data and software can be compromised. This policy is four pages in length and covers:
- Data and application security
- Minimize attention
- Shared public resources
- Off-site meeting special considerations
Outsourcing Policies and Procedures News
Metrics for Organizations with no Disaster Recovery Business Continuity Plan
According to Janco Associates, an international Disaster Recovery / Business Continuity consultancy, the most common form of enterprise-wide disaster is related to power outages.
In the disaster recovery and business continuity cases it has reviewed, Janco has found that:
- Over one third of companies take more than a day to recover from a major power outage caused by events like hurricanes and extensive disasters.
- Over eleven percent of companies take more than a week to recover from these events.
- Reconfiguring a network for which no recovery has been planned typically takes up to 72 hours, and only if the resources are available.
- Data that is lost (not backed up electronically) can take weeks to re-enter if there is a paper trail; if there is none, the data can be lost forever.
- Over 85 percent of companies that experience a computer disaster and do not have a Disaster Recovery / Business Continuity Plan go out of business within 18 months.
Disaster Recovery Planning Scope
All Disaster Recovery Planning and Business Continuity Planning need to encompass how employees will communicate, where they will go and how they will keep doing their jobs. The details can vary greatly, depending on the size and scope of a company and the way it does business. For some businesses, issues such as supply chain logistics are most crucial and are the focus of the plan. For others, information technology may play a more pivotal role, and the Disaster Recovery and Business Continuity plan may have more of a focus on systems recovery.
But the critical point is that neither element can be ignored, and physical, IT and human resources plans cannot be developed in isolation from each other. At its heart, BC/DR is about constant communication. Business leaders and IT leaders should work together to determine what kind of plan is necessary and which systems and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In a catastrophic event (Hurricane Katrina being a recent example), the plan will also need to take into account that many of those employees will have more pressing concerns than getting back to work.
Disaster Recovery Metric Defined
A proposed overall metric for Disaster Recovery is Total Time to Disaster Recovery (TTDR), which is the time it takes to back up the data, deduplicate it, replicate it to the remote DR site, and finally recover it to an operational state. This metric is all-inclusive because it takes every aspect of the backup and recovery environment into account when performing a true disaster recovery.
Recovery and data replication are the more important issues to consider. It is great to back up data fast, but if it takes three times as long to recover it, try explaining that to your CIO when a major application goes down and he is standing over your shoulder waiting for the data to be recovered.
TTDR includes:
- Backing up the data
- De-duplicating the data
- Replicating the data to the remote disaster recovery site
- Setting the data and the applications to an operational state
Backup For Disaster Recovery and Business Continuity Now Easier
Quantum Corp., a global specialist in backup, recovery and archive, announced two new product releases designed to help end users solve the challenges of data backup and recovery across distributed environments by improving local data protection and disaster recovery (DR) while streamlining management and reducing costs. The first, the latest addition to its disk backup solutions with deduplication and replication, is an appliance optimized for remote and branch office environments that are part of a distributed enterprise. The second, a software release, provides new centralized, multi-tier management and reporting capabilities for unifying backup resources, including disk and tape.
Disaster Recovery Business Continuity Basics
The basics of a Disaster Recovery Business Continuity Plan are defined in the Janco Disaster Recovery Business Continuity Template. They are:
- Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
- Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components.
- Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
- Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
- Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
- Plan testing, training and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
- Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.
New Devices Make Backup Easier to Implement
Backup and recovery, while complex, may become easier as media vendors release new products. While many external drives now come with a physical push-button backup option, a new genre of backup devices is emerging: one-touch USB flash drives that combine the convenience of small size with relatively sophisticated backup applications for data protection.
The latest to arrive is the SanDisk Ultra Backup USB Flash Drive, which combines push-button backups with SanDisk's U3 smart-drive technology that allows a user to store Windows PC user preferences, profiles and settings as well as download and launch a limited number of applications from the flash drive.
Disaster Recovery Business Continuity Template Addresses Mid-sized Requirements
Mid-sized businesses have long struggled to protect their IT systems. Many firms are inadequately protected and mistakenly think that a disaster is rare and will not happen to them anytime soon. There is a lot of confusion and misunderstanding regarding what disaster recovery encompasses and how to implement it effectively. The Janco Disaster Recovery / Business Continuity Template provides CIOs and CFOs with tools that address minor and major disaster scenarios. This template also clarifies what true disaster recovery means and why backup and high availability alone are not true DR solutions. Janco studies the newest technology trends, such as virtualization and storage replication, which make powerful DR solutions attainable and affordable even for mid-sized businesses.
What is critical in creating a DRP/BCP that works?
Good disaster recovery planning is about identifying those processes and resources that are truly critical, developing realistic recovery objectives for them and then developing a plan that can achieve those objectives as simply and cost-effectively as possible.
The reality is that a sophisticated DR plan that is too complex or expensive to properly maintain and test is worse than a plan that only does the minimum because it gives a false sense of security.
CIOs must make the right decisions in order to develop an effective, executable plan that allows their organization to create a process which will help them to recover critical enterprise functions after a disaster.
Backup Service Providers May Not Be Enough
Your data is only as safe as its most recent backup. But what happens when you have been working on your laptop with enterprise-critical data and it is lost or damaged? Your data is only as redundant as the integrity of the copy stored on your servers, and in this case you may also have a compliance issue that you have not addressed. For companies that serve customers in the cloud, if they cannot offer 99.9999% uptime and absolutely ensure data backup and restoration, they might as well not be in business.
There are a few issues at hand here. Not only must the backup provider ensure that the data is accurately and securely backed up, with every packet and byte accounted for, but you must also ensure that when the time comes the data is "clean" enough to be plugged back into the system without a hiccup. It is the hiccup that companies need to avoid, which is why they back up their data in the first place; yet they are not always as proactive about verifying that backups restore cleanly as the results they expect would require.
CIOs see Disaster Recovery and Business Continuity Budgets Slashed
Many CIOs have seen their disaster recovery budget for 2009 slashed and are wondering how they can recover when a disaster occurs. CIOs are now looking for solutions that will not cost any money up front, feeling that they can get money to recover if a solution is in place. CIOs cannot sit idly by while they roll out critical services without the safety net of a Disaster Recovery / Business Continuity Plan in place; that is like skiing without a helmet or driving a car with no seat belt. For most, there is a very good chance that nothing bad will happen, but if something does go wrong, the consequences can be so severe that the overall risk is unacceptable.
Recovery Time Objective (RTO) Defined
The two most common metrics for business continuity solutions are Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO measures the window of time when service is unavailable and RPO represents the amount of data lost as measured in time before the failure.
For example, organizations that use tape backup for Exchange recovery typically perform a full backup weekly and a differential backup nightly. If the introduction of a new software patch destabilizes an application server and it takes 2 hours to restore the server from the differential backup and put it back into operation, an RTO of 2 hours is achieved. However, some hours of log files will likely need to be replayed to bring the RPO down from the time of the last backup toward zero.
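As an added worked example (written for this page; it is not code from Janco's template), the following Python models the metrics defined in the TTDR and RTO/RPO passages above. It derives the restore set and recovery point from a weekly-full/nightly-differential schedule like the Exchange example, computes the achieved RPO with and without replay of archived logs, sums the serial recovery steps into the achieved RTO, and sums the four pipeline stages into TTDR. The schedule (full backup Sunday 02:00, differentials on the other nights at 02:00, logs shipped off the server every 15 minutes), the phase durations and the failure time are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed schedule (an assumption for this example, not from the page):
# full backup Sunday 02:00, differential backup every other night at 02:00,
# transaction logs shipped off the server every 15 minutes.
BACKUP_HOUR = 2
FULL_WEEKDAY = 6            # datetime.weekday(): Monday = 0 ... Sunday = 6
LOG_ARCHIVE_MINUTES = 15


def restore_set(failure: datetime):
    """Return (last_full, last_differential_or_None, recovery_point) for a failure.

    A differential backup holds everything changed since the last full backup,
    so a restore needs exactly one full plus the newest differential taken
    before the failure; the recovery point is the time of that newest backup.
    """
    night = failure.replace(hour=BACKUP_HOUR, minute=0, second=0, microsecond=0)
    if night >= failure:                      # last night's run, not tonight's
        night -= timedelta(days=1)
    last_full = night - timedelta(days=(night.weekday() - FULL_WEEKDAY) % 7)
    last_diff = None if night == last_full else night
    return last_full, last_diff, night


def rpo_hours(failure: datetime, log_replay: bool) -> float:
    """Achieved RPO in hours: the window of work lost.

    Without log replay the window reaches back to the last backup. With replay
    of archived logs it shrinks to the last archive completed before the
    failure (which assumes the archives live somewhere the failure did not hit).
    """
    _, _, point = restore_set(failure)
    if log_replay:
        minute = (failure.minute // LOG_ARCHIVE_MINUTES) * LOG_ARCHIVE_MINUTES
        point = failure.replace(minute=minute, second=0, microsecond=0)
    return (failure - point).total_seconds() / 3600


def rto_hours(restore_full_h, restore_diff_h, log_replay_h, validation_h) -> float:
    """Achieved RTO is the whole outage: every serial recovery step counts,
    not just copying the backup back."""
    return restore_full_h + restore_diff_h + log_replay_h + validation_h


def ttdr_hours(backup_h, dedup_h, replicate_h, recover_h) -> float:
    """Total Time to Disaster Recovery: backup, deduplication, replication to
    the DR site, and bringing data and applications to an operational state."""
    return backup_h + dedup_h + replicate_h + recover_h


def meets_objectives(rpo_target_h, rto_target_h, rpo_actual_h, rto_actual_h) -> dict:
    """Compare achieved values against the objectives the plan commits to."""
    return {"rpo_met": rpo_actual_h <= rpo_target_h,
            "rto_met": rto_actual_h <= rto_target_h}


if __name__ == "__main__":
    # Constructed incident: a patch destabilizes the server on Wednesday 11 March 2009 at 14:37.
    failure = datetime(2009, 3, 11, 14, 37)
    full, diff, point = restore_set(failure)
    print("restore", full, "then", diff, "-> recovery point", point)
    print("RPO without log replay: %.2f h" % rpo_hours(failure, log_replay=False))
    print("RPO with log replay:    %.2f h" % rpo_hours(failure, log_replay=True))
    achieved_rto = rto_hours(1.5, 0.5, 0.75, 0.25)
    print("RTO achieved: %.2f h" % achieved_rto)
    print("TTDR: %.1f h" % ttdr_hours(4, 1, 2, achieved_rto))
    print(meets_objectives(rpo_target_h=1, rto_target_h=4,
                           rpo_actual_h=rpo_hours(failure, True),
                           rto_actual_h=achieved_rto))
```

The point the numbers make is the one the paragraph makes: for the Wednesday-afternoon failure the restore set is Sunday's full plus Wednesday's differential, so without log replay the recovery point is 02:00 and more than twelve hours of work are lost; with logs archived off the server the window collapses to minutes, but only if those archives survive the event and their replay time is counted in the RTO.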
How a CIO should choose a backup site
Disasters cost money, interrupt business operations and may cause the enterprise or government agency to fail, which makes planning a business continuity issue. Disasters can interfere with or even terminate IT and communications services. It does not matter whether the disaster affects the enterprise, government or service provider. Floods, fire, volcanoes, earthquakes and other events can destroy both a primary and a backup site if they are too close together.
Telecom service providers can offer expert advice on where to locate a backup facility and should position themselves with CIOs to offer both consulting and services. After all, they have experience planning for their own primary and backup facilities, as well.
A CIO's selection of the backup site location will always have risks and liabilities attached to the decision. Adequate and reliable communications to the backup site and communications between the primary and backup sites are what most service providers can successfully offer to the CIO.
In choosing a backup site, CIOs must first determine how big a disaster to plan and budget for. The level of disaster planning required increases as you go down the following list:
- Building closed/evacuated
- Loss of power
- Loss of communications
- Facility damaged/destroyed
- Community disaster (10-to-30 mile range)
- Regional disaster (30-to-100 mile range)
Overlooked items in many Business Continuity Plans
Traditional business continuity and disaster recovery address issues related to preparing the IT department and the office infrastructure to function. The typical policies, procedures, and processes deal with data backup and recovery, distributed data centers with redundant capacity, and preparedness plans for the technical staff. Areas that are often overlooked are:
- Surge in remote connections - As employees and contractors turn into mobile workers, the volume of remote connections increases sharply, placing more demand on the IT infrastructure. The support group must have ways to set up new mobile users quickly and give them access rights to the proper resources within the enterprise network.
- First-time mobile user support - Technical support and IT staff will be called upon to assist employees whose only experience has been using computers on a corporate LAN. Support staff should be trained, and should implement tools that make remote support easier.
Disaster Recovery Process Defined
Preparation for Disaster Recovery / Business Continuity in light of SOX has two primary parts. The first is putting systems in place to completely protect all financial and other data required to meet the reporting regulations and to archive the data to meet future requests for clarification of those reports. The second is to clearly and expressly document all these procedures so that in the event of a SOX audit, the auditors clearly see that the DRP exists and will appropriately protect the data.
Analyze
- Define business continuity and what it means to your enterprise
- Understand the impact of a potential disaster
- Differentiate location vs. data destruction disasters
- Calculate the cost of downtime
Document
- Know your recovery objectives; define the parts of the plan
- Outline what your business needs to get back up and running
Evaluate
- Continuous vs. periodic replication
- Weigh the complexities and the costs of replication technology
- Improve the backup process with a formal backup and retention policy
Implement
- Pick the technology that best meets your enterprise's objectives
- Test rigorously
Security When Business Continuity Plan is Turned On
Have you tested whether the security policy and solutions that protect your company's information today still work when you execute your disaster recovery / business continuity plan? Are you in full compliance with PCI-DSS, SOX, GLBA and HIPAA, while also complying with your state's information security laws? The recovery site and the recovery procedure deserve the same controls as production: the same access management, logging and monitoring, encryption of backup media and of the links used to move data, and the same patch level, because a restore onto an unhardened site exposes exactly the sensitive data the plan is meant to protect.
Federal and state rules enforcing the electronic security of personal information are becoming stricter and more complicated. As a result, companies are reexamining the way they deal with sensitive information to avoid the lawsuits, fines and loss of business reputation associated with a security breach.
Still, despite businesses' efforts to step up their security protocols, in 2007:
- More than 79 million personal electronic records containing data such as Social Security numbers and credit-card numbers were compromised in the U.S.
- This was nearly four times the number reported in 2006. (Source: New State Laws Enforcing Encryption, MessageLabs Whitepaper, Nov. 2008)
Alternative Disaster Recovery and Business Continuity Solutions
An alternative to traditional disaster recovery and business continuity planning solutions is needed to meet a number of new and growing business requirements, including:
- Workers increasingly need to collaborate to get their work done
- Data must be protected from identity theft and to meet new privacy laws
- Security software needs updating to parry evolving security threats
High Availability and Disaster Recovery Business Continuity Planning
High availability of enterprise systems is a prerequisite for business continuity and for sustaining services to an organization's end users and end customers. Achieving high availability during a period of rapid technology change or economic downturn can be challenging for many enterprises, which see too many obstacles to ensuring high availability across many servers and across the enterprise.
The process of IT transformation brings new opportunities to improve high availability, especially for end-to-end applications that span the enterprise and that leverage the computing power of many servers across the network. That is because IT transformation opens the door to doing things differently: breaking down the information silos that prevented a deeper integration across business units and a unified view of all networked servers. In so doing, there is also an opportunity to reduce server footprints via workload consolidation, resulting in more efficient computing and in reduced power/cooling costs. In the process of IT transformation, IT infrastructure is optimized so that workloads run on the platforms that support them with the best performance and the greatest efficiency.
Enterprises that want to ensure that end users are able to access key enterprise systems on a 24 x 7 x 365 basis, with little or no perceptible downtime, are studying ways to protect important applications by applying reliable server hardware and high availability software to the workloads being deployed. Efficiency in operating these systems is essential to holding down operational costs associated with IT staff time, system downtime, and power/cooling for deployed systems.
Tape Backup Hinders Many Disaster Plans
Effective disaster planning and business continuity planning has historically been out of reach for many small and medium sized businesses because it was too costly and complicated. While large companies could afford expensive hardware solutions, the highly trained staff to manage them, duplicate data centers, channel extenders, and expensive replication software, small and medium sized businesses are often limited to making backup tapes and carting them to the storage administrator's basement for safe keeping.
While tape backup remains a good long-term archiving method for many organizations, numerous problems limit its usefulness, including:
- Backup windows are shrinking due to the huge growth in data volumes, requirements for longer retention and faster access, and generally greater reliance on data and technology.
- Backup is neither easy nor quick; many organizations cannot back up often enough to protect themselves adequately, and backing up once a week leaves a lot of data vulnerable.
- Tape is not the most reliable medium: hardware failures, media failures, and human errors are common. Tape management is a constant IT headache and administrative costs are high.
What You Need to Know Before Creating Your Disaster Recovery / Business Continuity Plan
There are a number of standard answers that are needed before you create a Disaster Recovery / Business Continuity Plan. They are:
- Current critical business processes
- Specific recovery time and recovery point objectives
- List of key personnel involved in the D/R process
- List of personnel needing information access after the disaster
- How personnel will access information from home, from a secondary data center, or from a leased facility
- What systems, applications, and data will be required, and for how long
- Chronologically, how far back you need data to conduct business as if the disaster never occurred
Water Damage Is the Most Frequent Form of Disaster
While water damage is the most common form of disaster, every enterprise with assets needs a good fire-protection system. Since most emergencies seem to happen outside normal working hours, reliable fire detection systems on professional, twenty-four-hour monitors are a wise investment. Wherever possible, assets should also be protected by a fire-suppression system. The use of halon is no longer recommended. Professionals now recommend wet-pipe sprinklers for most enterprise record archives. In addition, water misting suppression systems have become available within the last several years; these can provide fire suppression using much less water than conventional sprinkler systems. Before choosing a fire-protection system, be sure to contact a professional or a fire-protection consultant for information about the latest developments in fire protection and for advice appropriate to your enterprise.
All fire-protection systems should be designed and installed by professionals with experience in servicing enterprises of your type, because the needs of your type of business differ from those of others.
How the credit crunch has impacted the Disaster Planning and Business Continuity Process in Enterprises
In a survey of Janco's clients, 67 percent said that the financial crisis and the credit crunch have had an impact on business continuity planning in their organizations. Over one third of our clients reported that it had had a negative impact.
Medium sized organizations reported the most impact on business continuity activities, with over forty percent reporting a negative impact. Only one third of large organizations and one fifth of small organizations reported a negative impact.
Large organizations were the most likely to state that the global financial crisis and the credit crunch had had a positive impact on business continuity activities.
Regional differences were striking: organizations located in the United States were the most badly affected, while Western Europe-based organizations were apparently the least affected, closely followed by UK organizations.
The following shows the percentage of regional respondents who said that the global financial crisis and the credit crunch were having a negative impact on business continuity planning in their organization:
- United States: 52 percent
- Western Europe: 28 percent
- United Kingdom: 35 percent
- South East Asia: 47 percent
- Canada: 48 percent
- Pacific (including Australia): 49 percent
Disaster Recovery Planning
Every business and organization can experience a serious incident which can prevent it from continuing normal operations. This can happen any day at any time. The potential causes are many and varied: flood, explosion, computer malfunction, accident, grievous act... the list is endless. The Disaster Recovery Planning Template is designed to help you plan for these scenarios. It will help you reduce both the risk and the impact should the worst occur. The Disaster Recovery Planning Template is intended to be a launch pad for those seeking help with the business continuity planning process. It offers information, guidance, tips, and links to a range of resources.
Creating a disaster recovery plan is considerably simplified by use of this template. Using detailed questionnaires and checklists, this MS-Word toolkit will help you create and review both your contingency practices and recovery arrangements.
After the Disaster Recovery and Business Continuity Plan Is Completed, Testing Is Critical
Once your Disaster Recovery Business Continuity Plan (see Disaster Recovery Plan Template Business Continuity - http://www.e-janco.com/DisasterPlanning.htm) is set, test it at least semi-annually. The enterprise will need to perform a component-level restoration of its largest databases to get a realistic assessment of the recovery procedure, and a periodic walk-through of the procedure with the recovery team will ensure that everyone knows their role. Test the systems you are going to use in recovery regularly to validate that all the pieces work. Always record your test results and update the Disaster Recovery Business Continuity Plan to address any shortcomings.
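As an added example (written for this page, not Janco's template or tooling), the Python below runs the kind of component-level restore drill described above against a constructed SQLite database: it copies the backup to a scratch location, checks its digest against a manifest recorded at backup time, asks the engine for an integrity check, compares row counts table by table, times the whole restore against the RTO target, and returns a record to file with the plan's test results. The database, the manifest format and the RTO target are assumptions; a real drill substitutes the enterprise's own database engine and restore tooling, and the closing lines simulate damaged media so the failing case is visible too.

```python
import hashlib
import os
import sqlite3
import tempfile
import time
from datetime import datetime, timezone


def build_sample_backup(path: str) -> dict:
    """Constructed sample standing in for a backup pulled from off-site media:
    a tiny 'production' database plus the manifest a restore must reproduce."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    con.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                    [("acme", 120.0), ("globex", 80.5), ("initech", 15.25)])
    con.commit()
    con.close()
    return manifest_for(path)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(path: str) -> dict:
    """Record, at backup time, the facts a restore must reproduce: the file
    digest and the row count of every table. Keep this with the plan, not
    only on the same media as the backup."""
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    counts = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in tables}
    con.close()
    return {"sha256": sha256_of(path), "row_counts": counts}


def restore_drill(backup_path: str, manifest: dict, rto_target_s: float) -> dict:
    """Restore the backup to a scratch location, verify it, time the whole
    thing, and return the record to file with the plan's test results."""
    started = time.monotonic()
    restored = os.path.join(tempfile.mkdtemp(prefix="drp-drill-"), "restored.db")
    problems = []

    # 1. Copy the bytes off the media and check the digest before trusting them.
    with open(backup_path, "rb") as src, open(restored, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    if sha256_of(restored) != manifest["sha256"]:
        problems.append("digest mismatch: backup differs from what was recorded")

    # 2. Let the engine check structural soundness, then compare contents to the manifest.
    try:
        con = sqlite3.connect(restored)
        status = con.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            problems.append(f"integrity_check: {status}")
        for table, expected in manifest["row_counts"].items():
            actual = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            if actual != expected:
                problems.append(f"{table}: expected {expected} rows, restored {actual}")
        con.close()
    except sqlite3.DatabaseError as exc:
        problems.append(f"restored file unusable: {exc}")

    # 3. A restore that works but blows the objective is still a failed drill.
    elapsed = time.monotonic() - started
    if elapsed > rto_target_s:
        problems.append(f"restore took {elapsed:.1f}s against an RTO target of {rto_target_s}s")

    return {"tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "elapsed_s": round(elapsed, 3), "passed": not problems, "problems": problems}


if __name__ == "__main__":
    work = tempfile.mkdtemp(prefix="drp-sample-")
    backup = os.path.join(work, "orders-backup.db")
    manifest = build_sample_backup(backup)
    print(restore_drill(backup, manifest, rto_target_s=60))
    with open(backup, "ab") as f:          # simulate media damage after the backup was taken
        f.write(b"\x00" * 64)
    print(restore_drill(backup, manifest, rto_target_s=60))
```

The returned record is what the plan should keep from every drill: when it ran, how long it took, whether it passed, and exactly what failed, so that the next plan revision addresses the shortcomings rather than a vague memory of them.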
As your business environment changes, so should the Disaster Recovery Business Continuity Plan. Reexamine the plan every year at a high level. Conduct a risk assessment annually and ask: do you still need every part of the plan? Do you need to add to it? Will the budget need to be adjusted to accommodate changes to the plan? As applications, hardware, and software are added to your network, they must be brought into the plan. New employees must be trained on recovery procedures. New threats to business seem to pop up every week, and a sound DRP takes all of them into account.
IRS Systems Lack DRP and Security
An audit report of IRS systems states that the IRS fails to implement systems with adequate security built in. Since 1997, the IRS has designated computer security as a material weakness. The IRS continues to struggle with addressing security vulnerabilities on its modernized systems. Until security control vulnerabilities are corrected, the IRS is jeopardizing the confidentiality, integrity, and availability of the massive volume of taxpayer data it processes and stores.
The IRS deployed two new systems with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery. These vulnerabilities increase the risks that:
- An unscrupulous person, with little chance of detection, could gain unauthorized access to the vast amount of taxpayer information the IRS processes, and
- The systems could not be recovered effectively and efficiently during an emergency.
The IRS' processes for ensuring that security controls are implemented before systems are deployed failed because the IRS did not consider the known security vulnerabilities to be significant, which affected vulnerability resolution and system deployment decisions.
The Customer Service Executive Steering Committee, which had final milestone approval:
- Did not provide sufficient oversight to ensure that security controls were implemented, and
- Signed off on project milestones despite the existence of weaknesses repeatedly reported to the Committee.
In addition, the IRS accepted major risks for these security vulnerabilities, including the inability to recover the systems and their data in the event of a disaster and to detect malicious security events and unauthorized access to taxpayer data.
To see the report go to (http://www.treas.gov/tigta/auditreports/2008reports/200820163fr.pdf).
Disaster Recovery / Business Continuity is the International Standard
Disaster Recovery Business Continuity Template in WORD 2003 and WORD 2007 (Office 2003 and Office 2007) Formats
Park City, UT
The Disaster Recovery Business Continuity template has been sold to enterprises in over 65 countries around the globe. With the release of version 4.4 of the template it is in complete compliance with Sarbanes-Oxley, HIPAA, ITIL (Ver 3), ISO 17799, and PCI DSS.
M V Janulaitis, the CEO of Janco, said, "Our DRP/BCP Template has been accepted by enterprises around the globe as the standard for disaster recovery plan and business continuity plan creation." In response to that need Janco has updated its "Disaster Recovery / Business Continuity Template" by increasing the content of the template as well as updating the entire document to be compliant with Sarbanes-Oxley, HIPAA, ITIL (Ver. 3), ISO 17799, and PCI DSS.
The Disaster Recovery Business Continuity Plan has been purchased for use in over 65 countries around the globe.
The Disaster Recovery Business Continuity Plan has been purchased for use in government, public, and private enterprises in almost all industries.