Security Manual Template

ISO27000, Sarbanes - Oxley, PCI-DSS & HIPAA Compliant

Multi-Country License Options

The Global Standard for Security Policies and Procedures

The License for the Security Manual Template can be purchased for use for either by a single company in a single country, single company in a country group like the EU, or by a single company for worldwide use.

License Options

• A single (1) country for a single (1) company (DUNS number)
  Standard License

• A country group (North America, Central America, South America, EU, Africa, Middle East, Asia, or Pan-Pacific) for multiple related company groups -
  Enterprise License

• Worldwide (International) use for multiple related company groups Worldwide License

License Conditions

The template can be placed on the enterprise's Intranet and be used as the standard for all  divisions and operating units of the enterprise.  The template is not for re-sale or re-distribution by consultants or VARs.  If a consultant or a VAR wishes to use this for its clients Janco Associates should be contacted directly

Janco can provide coordination services for the enterprise on a time and materials basis.  In addition Janco can save copies of a companies customized DRP in its archives for retrieval in by the enterprise.  

 Contact us directly for pricing of these services at +011 435 940-9300 x 101.

Testimonials

Testimonial - Dave Baker - City of Hamilton -I have found the Janco template invaluable!

Testimonial - Bob Rifenbury -MCSE/CCNA Lauch Testing Lab -The Janco Template saved me about 6 months of work!

Testimonial -  Kelly Keeler - Martin's Point Health Care -I have received and I began using the template immediately. IT IS GREAT! Made this process a snap for me. Cut my documentation time down from.  weeks to hours! This document has made, what began to be an overwhelming process turn into a snap!

Testimonial - Juan Stamos - Mexico City Corporation -We had a DRP in place, but needed a more user friendly structure.  The Security Manual Template (Gold edition) has that structure.  It was very easy to quickly move our policies into Janco's DRP Template -- a real added value.

This template is not for resale or re-distribution

Security Policies and Procedures Multi-Site Implementation Considerations

Issuse CIO Face in a Troubled Economic Times

CIOs face some of its greatest challenges they have ever had. All managers are under intense pressure to cut costs, and that pressure is significantly increased by the current grim economic outlook. Everywhere CIOs look there is study after study indicating that organizations are looking at reducing headcount, as well as their overall spending in 2009. In addition, many business areas are relying on IT more than ever before to help them deal with the increased competition and reduced funding. This budget crunch creates a greater need for improved efficiency and higher productivity.

Normal logic would cause a CIO to consider hunkering down and focusing on survival until business conditions improve. However, enterprises must continue to make strategic investments in Information Technology. Survival is clearly important, but by making survival your primary focus, you risk missing opportunities.

CIOs and IT organizations that position themselves for the eventual upturn will look at IT as an enabler of business efficiency and growth. In this turbulent economy, it becomes more critical to invest differently in IT. The key is to invest in areas that really improve IT efficiency and discipline. This focus will enable IT not only to survive this difficult financial period, but also to quickly shift its profile toward enabling true business growth.

Over 70% of Lost Laptops are Never Recovered

Laptops can and do get lost or stolen. In studies conducted by several security firms, it has been found that over 50% of all lost or stolen laptops disappear at airport security checkpoints an departure gates. Unfortunately almost 70% of these laptops are never recovered.

Terminating an Outsource Relationship

Enterprises can and do suffer because they do not plan for what happens when the end date of the outsourcing contract approaches. Enterprises usually omit to include a definition of procedures to be followed and assets allocated when the contract terminates.

The time to set the groundwork for the termination of an outsource contract is when the original contract is negotiated.  If it is not done then, the outsourcer has no reason to do more than the contract requires.

Key issues to consider are:

• Ownership of fixed assests
• Ownership and return of data
• Documentation and other intellectual property
• Staffing turnover from outsourcer to enterprise
• Support outsourcer is to provide in the turnover process

CIO Recovery Planning Tool Kit Released

Park City, UT –  Park City, UT - With the recovery on the horizon, Janco Associates, Inc. has released its CIO Infrastructure Planning Tool Kit. The kit contains all of the elements that are required for CIOs to hit the ground running as the recovery starts to take hold and demand increases for IT services. The CEO of Janco, Mr. Victor Janulaitis said, "During a downturn, CIOs often had to make some unpopular decisions and that cost them the alliances they need to succeed. Based on our experience the highest attrition rates for CIOs is during a recovery. With a recovery, many enterprises feel they can afford a change at the top to get a new direction and improve the enterprise's IT operations. In order to succeed CIOs need to take proactive steps before it is too late."

Janulaitis said, "CIOs need to act well in advance of the recovery, and the end of a recession is often recognized only months after the fact. The most progressive CIOs and enterprises will turn to recovery mode before competitors by implementing a recovery plan right now."

Janulaitis added, "...Most IT functions are operating at very high productivity levels and do not have any extra capacity to use when the recovery starts. Once the recovery occurs there were be huge demand for initiatives, projects, and staffing. CIOs who react too late will find they will not be able to meet the demands placed on them."

The CIO Infrastructure Planning Tool Kit directs CIO how to get there organization in order by helping them meet several key objectives. Updating the organization infrastructure with IT Service Management (ITSM) and Metrics in mind; updating the Service-Oriented Architecture (SOA) and how it will be applied with new initiatives; defining all of the responsibilities of the IT staff and support staff members; creating current job descriptions in place; and identifying the resources that will have to be hire (employees) or retain (contractors) once the recovery starts.

The CIO Infrastructure Planning kit comes in three versions: standard, silver, and gold. The gold version contains the IT Infrastructure, Strategy, & Charter Template, the latest Janco IT Salary Survey, the IT Service Management for SOA Template, 220 IT Job Descriptions, the Internet and IT Job Descriptions HandiGuide , and a Functional Specification Template. These templates and job descriptions all come in MS WORD and are fully editable. More information can be found at http://www.e-janco.com/CIOInfrastructurePlanningToolKit.html.

Is your business ready to deal with management of all of its data and business records?

For most midsized and even small businesses, managing data is a major challenge. The growth of structured data from databases, e-mail and other applications, as well as file data such as PDFs, audio, video and graphics has been exponential. Furthermore, no end is in sight. According to well know reasearch firm, the need for on-line data storage capacity is increasing at a rate of nearly 58 per cent per year; by 2011, it is estimated that companies worldwide will require disk storage of more than 32,000 petabytes of data.

The increasing flood of data can lead to a host of problems, like added time and system slowdowns due to the sheer volume of data; added cost, in new equipment and especially in management overhead, to provide for all this data accumulation; and the added business risk that comes with larger data stores.

The temptation is to accommodate added data by increasing the number of servers and disk drives. But simply adding servers is not the answer – in fact, without planning, the direct attachment of additional drives or servers can create islands of storage, resulting in greater management requirements. Such an unplanned and reactive approach to storage is inefficient, raising costs while limiting flexibility and the capacity to respond to new business opportunities.

Areas Impacted by Security Policies and Procedures

Security policies and procedures need to consider areas where your systems can be breached and include:

• Employee access cards
• Logon codes
• Computers and laptops
• Routers and networking equipment
• Printers
• Cameras, digital or analog, with company-sensitive photographs
• Data - sales, customer information, employee information
• Company Smartphones/ PDAs
• VoIP phones, IP PBXs (digital version of phone exchange boxes), related servers
• VoIP or regular phone call recordings and records
• Email
• Logs of employees daily schedule and activities
• Web pages, especially those that ask for customer details and those that are backed by web scripts that query a database
• Web server computer
• Security cameras                                                
• Access points (i.e., any scanners that control room entry)

Legacy Infrastructure Hinders Productivity

When technologist's design and implement a "new way" to do things they often forget about how to transaction from the "legacy" system to the new one. The Washington Post reported that the Copyright Office's "new $52 million electronic process" was responsible for creating an overwhelming logjam of copyright applications.

Turnaround time for copyright applications has slowed from six to 18 months and the Copyright Office is behind some 500,000 applications.

Workers say the "new" electronic system is slow and prone to crashing. Managers say the challenge has been retraining the staff to use the system. In addition, 45% of the copyright applications are still submitted in paper format, which must be painstakingly entered by hand into the "new" electronic system.

The staff is spending so much time handling the paper applications it does not have enough time to process electronic applications, which has created delays for online claims now. It now takes six months to process electronic claims when it should take one month.

Since the problem appears to be the volume of paper applications, the office plans to raise the fees for paper applications from $45 to $65 in August while keeping the fee for electronic filing at $35.

Vista Dead

The Microsoft urged some companies week to dump Vista deployment plans and shift to Windows 7, the operating system the company has promised to ship in the fourth quarter.

"If you're just starting your testing of Vista, with the [Windows 7] Release Candidate and the quality of that offering, I would switch over and do your testing on the [Windows 7] Release Candidate, and use that going forward," said Bill Veghte, Microsoft's senior vice president for Windows business.

That same day, other Microsoft managers said work on Windows 7 should wrap up in August, which would indicate availability on new PCs and at retail stores as early as mid-October if the company uses the same pace as Windows XP eight years ago.

Microsoft delivered Windows 7 Release Candidate (RC) to the public on May 4, but made it available to developers and IT professionals several days earlier.

Metric for Troubled Economic Times

Metrics are an issue that continues to be focus as CIOs try to address the stresses placed on IT. Successful CIOs know that "business-centric" metrics (which effectively communicate the value of IT's operating activities and capital projects in terms that relate to business executives) should be the focus rather than  "technology-centric" metrics (such as the number of transactions processed or the mean time between system failures).  The right metrics for IT spending and its business value can help reinforce IT's position as an informed and trusted business partner.

In the current economic conditions the focus of the CIO's Metrics should be:

• Increase/preserve/accelerate revenue
• Decrease/avoid/delay cost
• Reduce business risk
• Enhance business capabilities

Metrics CIOs Need to Implement

Few business professionals need to be convinced that information is valuable to their organizations - or that data must be carefully protected. However, as corporations accumulate increasingly greater volumes of information, protecting it efficiently and effectively becomes more complex, expensve, and difficult. At the same time as the consequences and cost of a protection failure increase as data becomes more integrated into the day-to-day operations of the enterprise. No one understands this better than the CIO, who is charged with a seemingly impossible task: hold down storage and protection costs, keep production data instantly accessible 24x7, and make sure than any information asset, no matter how obscure or seldom used, can be quickly recovered on demand. These competing agendas signal a gradual shift in emphasis from the process and technologies of information protection to the strategies and tactics necessary to quickly, easily, and comprehensively respond to and recover from any data event.

Security Threats Abound in Wireless Locations

To protect networks and information against increasingly sophisticated threats, many organizations are deploying security in layers. Some are finding that an efficient way to do this is by using unified threat management (UTM) appliances.  What happens when you have Wireless town like the new 725-acre planned community in eastern Missouri that is being built entirely with wireless systems, helping businesses avoid the costs of laying fiber and other traditional infrastructure.

The community, called New Town at St. Charles, already has 800 homes built with architectural styles of a traditional American small town.

There are 2,000 residents with five businesses serviced by a combination of microwave, WiMax backhaul, Wi-Fi and related technology. The wireless technologies are used to provide Internet services to homes and businesses. It also provides video surveillance to the town's businesses.

Fight continues on H-1B Visa Program

Two U.S. senators plan to reintroduce legislation that would require U.S. employers to make a "good faith" effort to hire U.S. citizens over H-1B visa holders, after failing to win approval for a similar bill two years ago.

The earlier measure died after being folded into a comprehensive immigration reform bill that was killed without coming up for a vote. Lawmakers are aiming to introduce a new bill.

The widespread layoffs being caused by the economic recession may help lawmakers this time around. Earlier this year, for instance, lawmakers succeeded at getting H-1B hiring restrictions on financial services firms that receive federal bailout money into the massive economic stimulus bill signed into law by President Barack Obama.

U.S. Citizenship and Immigration Services will begin accepting visa applications for the federal fiscal year that starts Oct. 1.  The weak economy is expected to reduce the number of applications, the prevailing view among immigration attorneys and supporters of efforts to raise the annual visa cap is that more than enough to meet the limit of 65,000 regular visas will again be filed quickly. High demand is expected as well for the 20,000 visas set aside for foreign workers with advanced degrees from U.S. universities.

Among those driving the demand will be foreign graduates who did not win visas in last year's lottery distribution of visas but were able to continue working in the U.S. on extension of their student visas. Foreigners who graduated last spring and are still working on their student visas will also be eligible to apply for H-1B visas.

PCI Compliance Becomes More Complex

Two payment processors that recently disclosed data breaches have been dropped from Visa Inc.'s list of companies that comply with the PCI data security rules.  That means that  merchants cannot use those payment processors if they themselves want to remain compliant with the Payment Card Industry Data Security Standard (PCI-DSS) rules.

Visa said that it was dropping Heartland Payment Systems Inc. and RBS WorldPay Inc. from its PCI-compliant list. The company added that it would "consider" restoring Heartland and RBS WorldPay if they are recertified as compliant by third-party assessors.

Reasons why CIOs and CTOs get Fired

Top ten list of things that fired CIOs do

1.       Do not have a disaster recovery and business continuity plan integrated with a backup/archiving program.

2.       Ignore warning signs

3.       Do not document changes

4.       Do not use logging processes

5.       Do not install updates

6.       Save money by not purchasing upgrades

7.       Do not manage passwords well

8.       Never say no to anyone

9.       Never say yes to anyone

10.   Do not train a replacement

PCI-DSS Standards are Best Practices for Security Policies and Procedures

The six areas of data protection prescribed by the PCI-DSS standard drive enterprises to implement a comprehensive approach to overall security. They address security concerns from network protection to security governance policies.

Build and maintain a secure network

• Create a firewall to secure cardholder data.
• Go beyond vendor defaults for passwords and other security parameters.

Protect cardholder data

• Protect stored data.
• Encrypt data transmission.

Maintain a vulnerability management program

• Employ and update anti-virus software.
• Develop and maintain application security.

Implement strong access control measures

• Restrict access to cardholder data on a need-to-know basis.
• Assign a unique ID to each authorized user.
• Restrict physical access to cardholder data.

Regularly monitor and test networks

• Track and monitor access to network resources and data.
• Regularly test security systems and processes.

Maintain an information security policy

• Develop and maintain policy-based security protocols.

Top Reasons Why Outsourcing Relationships Fail

Outsourcing is a strategic decision with long-term impact and the success of outsourcing depends both on the service provider and the outsourcer's commitment. Not all outsourcing arrangements work.  We have found that the more work that is done by an enterprise before it outsources, the better the chances are for success.

In a survey of 50 CIO's Janco found the primary reasons that outsourcing fails are:

• Not defining an infrastructure for managing and delivering services
• Focusing on cost savings versus quality of service provided
• Lacking metrics and service level agreements
• Choosing the wrong outsourcing vendor – one that does not have the proper experience with enterprises of your size or your industry
• Activating an outsourcing contract without proper planning for what to be done, by whom, when
• Outsourcing core competitive advantage functions that that drive sales and or customer service
• Poor communication channels and chain of command definition between the outsource provider and the enterprise
• Organizational conflicts due to personalities and or different organizational cultures

Challenges CIOs face