Sensitive Information Policy

Updated to meet the latest mandated standards
Includes a definition of what sensitive information is

Electronic Sensitive Information Policy Compliance Agreement Form included for easy deployment of the policy

With identity theft and cyber attacks on the rise, you're facing new pressures to protect sensitive information. In fact, 46 states have now passed data security laws that apply to companies that do business with residents of those states. These laws are designed to protect residents against identity theft by mandating security practices such as:

  • Implementing an information security program
  • Encrypting data
  • Notifying customers in the event of a security breach that compromises unencrypted personal information

To protect sensitive information, companies in many states are now required to implement security programs that include capabilities for incident monitoring and alerting, trend reporting, logging, security information management (SIM), and other prudent security controls and practices.

This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 34 pages in length and complies with Sarbanes-Oxley Section 404, ISO 27000 (17799), and HIPAA. The electronic Word form that is provided can be delivered electronically, completed on a computer, and filed electronically. The PCI Audit Program that is included is an additional 50-plus pages in length.

The Massachusetts and California mandated requirements were specifically included as part of the policy.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), co-location providers, and facilities, regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).

The HIPAA Audit Program Guide provides you with a checklist of the items that HIPAA mandates must be implemented. (See also Nationalized ID.)

You can download the Table of Contents and some sample pages by clicking on the link below.

The policy contains text that can be used immediately. For example:

General Policy Statement

The Chief Security Officer or delegate must approve all processing activities at ENTERPRISE associated with sensitive information. This information includes but is not limited to social security numbers, credit card numbers, credit card expiration dates, security codes, passwords, customer names, customer numbers, ENTERPRISE proprietary data, and any other data (e.g. California Personal ID number) that is deemed to be confidential by ENTERPRISE, its external auditors, any governmental agency, or other body that has jurisdiction over ENTERPRISE or its industry.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
All processing, storage and retrieval activities for sensitive information must maintain strict access control standards, and the Chief Security Officer mandates that these specific policies be followed.


Other Policies

The policies have just been updated to comply with all mandated requirements and include electronic forms that can be emailed, filled out completely on the computer, routed and stored electronically -- a total solution.

We have just completed a major update of most of the individual policies and almost all of the electronic forms.

Note: See the Practical Guide for Outsourcing (a document of over 110 pages) for a more extensive outsourcing process.


Current Information Technology News


Vendor Management - CIOs need to manage vendors more effectively

October 2nd, 2014

CIOs should not underestimate or undervalue the time that needs to be spent managing vendors. CIOs need to manage vendor expectations, performance, and the vendor's understanding of your priorities.

CIOs need a clear plan to define metrics, evaluate, and manage the day-to-day performance of vendors. Doing so ensures problems are spotted early and actively managed so they don't blow up into relationship-damaging crises. In addition, CIOs need an exit plan for each vendor to ensure any transition is smooth, with the vendor's obligations clearly defined.



CIO tools readings and posts

August 22nd, 2014

Related posts:

  1. 10 Best Practices for Staffing 10 Best Practices to Staff – Hire and Retain World Class Creative IT Professionals 10 Best Practices  - Janco Associates has found the top ten...
  2. Top 10 Project Manager Challenges Top 10 Project Manager Challenges Top 10 Project Manager Challenges have been identified in a survey that was conducted by Janco Associates.  One of the...
  3. IT Job Descriptions Update Service is Announced by Janco IT Job Descriptions Update Service is Announced by Janco Janco's IT job descriptions are constantly being updated to meet the latest technology and compliance requirements....
  4. 2014 IT Job Descriptions Released IT Job Descriptions have just been updated in the 2014 IT Position Descriptions HandiGuide Janco announced today the release of 263 IT Job Descriptions in...
  5. Released Internet and Information Technology Position Descriptions HandiGuide Internet and Information Technology Position Descriptions HandiGuide, Janco has released the Internet and IT Position Descriptions HandiGuide® which is over 700 pages; includes...

CIO - CTO  Changing Role

Chief Information Officer - Chief Technology Officer



Productivity on the upswing - Is the economy finally recovering

August 13th, 2014

The Department of Labor (DOL) released a report showing that U.S. worker productivity rose in the second quarter of 2014. This is a greater increase than expected based on previous estimates.

Productivity increased at a 2.5% annualized rate, after a revised 4.5% decrease in the prior three months that was the biggest since 1981, according to the DOL.

The positive news comes a month after July's favorable jobs report, which showed that employers added more than 200,000 workers to payrolls for a sixth straight month, the first time that's happened since 1997.



Drive Business Success via Innovation

July 25th, 2014

With the advent of Big Data driving swift transformation in many organizations' IT functions, uncertainty and fear of change can put the brakes on the vital ability to innovate. How can IT leaders help their teams to conquer uncertainty and embrace change in order to drive innovation and unlock the potential of data-informed decision making?

Creativity and Innovation in the Organization prepares you to foster a creative mindset across your enterprise - and to exploit uncertainty and chaos to unleash powerful ideas that drive results.


The policies that Janco has created are a must-have for every enterprise. They can all be accessed by going to the Policy Master Page (more info...), or the individual policies can be accessed directly by clicking on the links below.

  • CIO IT Infrastructure Policy Bundle (more info...) All of the policies below are included as individual MS Word files and a single PDF file. Electronic forms are all individual documents that are easily modifiable
    • Backup and Backup Retention Policy (more info...)
    • Blog and Personal Web Site Policy (more info...) Includes electronic Blog Compliance Agreement Form
    • BYOD Policy Template (more info...) Includes electronic BYOD Access and Use Agreement Form
    • Google Glass Policy Template (more info...) Includes electronic Google Glass Access and Use Agreement Form
    • Incident Communication Plan Policy (more info...) Updated to include social networks as a communication path
    • Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (more info...) Includes 5 electronic forms to aid in the quick deployment of this policy
    • Mobile Device Access and Use Policy (more info...)
    • Patch Management Policy (more info...)
    • Outsourcing Policy (more info...)
    • Physical and Virtual Security Policy (more info...)
    • Record Management, Retention, and Destruction Policy (more info...)
    • Sensitive Information Policy (more info...) HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form
    • Service Level Agreement (SLA) Policy Template with Metrics (more info...)
    • Social Networking Policy (more info...) Includes electronic form
    • Telecommuting Policy (more info...) Includes 3 electronic forms to help to effectively manage work at home staff
    • Text Messaging Sensitive and Confidential Information (more info...)
    • Travel and Off-Site Meeting Policy (more info...)
    • IT Infrastructure Electronic Forms (more info...)



Europe's CIOs brace for a recovery

July 11th, 2014

The European tech market has been down for several years. With most European economies emerging from recession, and Germany, Poland, and the UK doing better than that, CIOs in Europe can at last think about growing their tech budgets in 2014 and especially in 2015. Customer-facing technologies for sales and marketing and mobile and analytics technologies will see the strongest growth, contributing to relatively strong growth in software and communications equipment. Growth will solidify in 2015.



New IT Infrastructure Needs to be Put in Place by CIOs

June 23rd, 2014


Top 10 Lists for Disaster Recovery and Business Continuity

April 26th, 2014

Disaster Recovery
  1. Top 10 tips for Disaster Recovery in a Small Business – best way to protect your data Disaster Recovery for a Small Business Baseline for best practices defined in Janco’s Disaster Recovery Business Continuity Template. As requirements for avoiding downtime become increasingly...
  2. Top 10 Disaster Recovery Best Practices As requirements for avoiding downtime become increasingly stringent, administrators need tools and platforms that can help them plan, design, and implement disaster recovery strategies that...
  3. 10 Commandments of Disaster Recovery and Business Continuity 10 commandments of disaster recovery and business continuity planning As requirements for avoiding downtime become increasingly stringent, administrators need tools and platforms that can help...
  4. Intermedia.net violates 10 commandments of business continuity plan fails Intermedia.net business continuity plan non-functional Failed Business Continuity – This morning about 2:00 AM MST one of the largest providers of cloud services went down. ...
  5. 10 tips for surviving a natural disaster Failing to prepare for a natural disaster is not an option for businesses. That's because 75 percent of companies without business continuity plans fail within...



Security is key to keeping cybercriminals at bay

March 27th, 2014

To catch a sophisticated cybercriminal in today's age, IT departments must look deeper into their web traffic and examine many sources of information about web visitors and sessions to determine what behavior is typical and what is not. Existing solutions for detecting and analyzing online criminal behavior usually identify either pre-authentication threats or post-authentication threats (fraud products), but unfortunately not both.



Security News Digest

March 10th, 2014


  1. Cybersecurity IT Pros are in short supply  IT Pros who can handle cybersecurity are in short supply Cybersecurity specialists are not being trained by our educational system and this shows with high...
  2. Top 10 Data Security Risks for Cloud Storage  There is tremendous anxiety about security risks in the cloud. CIOs and CSOs worry whether they can trust their users (both internal and external to...
  3. 10 Certifications for Cloud Professionals  10 Certifications for Cloud Professionals Here are 10 certifications for Cloud professionals. Some are hardware and software specific and others are independent of hardware and...
  4. ERP Job Descriptions  ERP – Enterprise Resource Planning Job Description Bundle Released Janco has just released 15 Enterprise Resource Planning Job Descriptions in its ERP Job Description Bundle. ...
  5. IT Security Decision Process  IT Security Decision Process The IDG Enterprise Role & Influence of the Technology Decision-Maker survey helps CIOs understand their evolving roles and influence in today's...


Business continuity objectives

February 19th, 2014

Business continuity objectives are, along with the business impact analysis, probably one of the most difficult elements of ISO 22301 implementation. Most of the business continuity implementers have problems like these: Which types of objectives exist? What are they used for? How are they set?

Purpose of business continuity objectives

Victor Janulaitis, the CEO of Janco Associates, said, "What gets measured gets managed." The same goes for business continuity – if you don't know how well you are doing, you will have a very difficult time steering your business continuity in the desired direction. And it is exactly this desired direction that is an essential part of measurement: setting the objectives.


Types of objectives

There are at least two levels for which you need to set objectives:

1)  Strategic objectives – for your whole Business Continuity Management System, and

2)  Tactical objectives – Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), Minimum Business Continuity Objectives (MBCOs), and exercising and testing objectives.

Of course, depending on the size and complexity of your organization, you can choose to add another layer of objectives – e.g., at the level of individual organizational units (departments, business units, etc.).



Using spreadsheets to manage risk is risky

February 12th, 2014

Spreadsheets are universally loved. Why? Because they give everyone their own version of the truth, with complete autonomy to update and amend them as often as they like, without interference from anyone else. However, while spreadsheets might be a great tool at an individual level, they are completely un-scalable, and therefore totally unsuitable for compiling and analysing information enterprise-wide, or even for individual projects.

When applied to a risk management scenario, the potential horrors magnify. Who knows what risks are lurking in a spreadsheet so far undiscovered, with all around thinking that they have 'ticked the box' and that the risk is managed. Using spreadsheets and emails to manage risk is a very risky approach.

Here are the main reasons this does not work:

  • Lack of integrity – spreadsheets are easily manipulated. Anyone could make changes to data to help present a better picture. This could be to cover up a situation once it has happened, to help move blame or mitigate responsibility, or to present a situation or opportunity in a better light.
  • No audit trail – you can't easily check who changed what when. You have no guarantee of the provenance of data supplied, and you can't see how it may have changed over time.
  • Deadlines missed – spreadsheets don't have any workflows or processes built into them. So while someone may request a review, some information or an audit, if there is no response, there is no mechanism to highlight missed deadlines.
  • No consistency – with no formal structure, each time a new spreadsheet is set up the formatting will be different.
  • Difficult to compile information – risk management information could be held within hundreds of spreadsheets across the organization. Compiling them is a very long and arduous task.


Does it pay to get certification?

January 24th, 2014

Certification a scam or a help?

Most of the certifications being sold to job seekers are unregulated, making it hard for individuals and employers to measure their worth. There are clear metrics on the size of the certification industry but there are estimates that less than 10% of the more than 4,000 personnel certifications that exist have been accredited by a third party.



Certification processes and schools are a huge industry. There are courses and accreditations promoted and sold by professional associations, software vendors, commercial training companies, and even formal educational institutions. In some cases, professionals may end up spending several thousand dollars in pursuit of a certification. Demand seems to be high, with certification requirements often being mentioned in help-wanted ads.

Whether or not they pay may depend upon the types of jobs and levels of demand in a particular economic environment. For example, Janco Associates says that there have been no appreciable premiums paid for certifications in recent years, especially once the recession set in around 2009. However, in the most recent quarter, the researchers say average pay premiums for IT certifications rose 1.5% in the third quarter of 2013 -- the largest quarterly gain since 2005 and the first time since 2006 that there have been two consecutive quarters of positive growth in pay for certifications.


Certifications are recognized as a badge of accomplishment in many industries, and Marte indicates that work is underway in some sectors to standardize these programs. Employer endorsements of programs are also key.

In a competitive era when there is acute demand for highly qualified professionals in a range of areas, certification programs are a way to ensure more training and skills updates. Lifelong learning -- not education that stops on graduation day -- is essential to both working professionals and organizations. The skills that are in demand five years from now may be entirely different from today's.



Password Security Tip

January 23rd, 2014

Use a password in only one place. Reusing passwords or using the same password all over the place is like carrying one key that unlocks your house, your car, your office, your briefcase, and your safety deposit box. If you reuse passwords for more than one computer, account, website, or other secure system, keep in mind that all of those computers, accounts, websites and secure systems will be only as secure as the least secure system on which you have used that password. Don't enter your password on untrusted systems. One lost key could let a thief unlock all the doors. Remember: Change your passwords on a schedule to keep them fresh.



CIO Best Practices Digest

December 16th, 2013

  1. Top 10 issues for CIOs in 2014 Top 10 issues for CIOs in 2014 The top 10 issues that CIOs need to address in 2014 are driven by the current economic and...
  2. Top 10 CIO Leadership and Management Traits CIOs and IT Managers who are successful have some common leadership  and management traits Are one of the people and able to get their hands...
  3. Top 10 Things a CIO Needs to Add Value  Top 10 for CIOs -What does the CIO have to do to be viewed as a business person versus a technologist?  There are many strategies...
  4. Top 10 CIO Productivity and Budgeting Issues  CIO – Productivity Kit The best companies, and their CIOs, recognize the importance of ready access to the right information to drive the right choices...
  5. CIOs Drive Enterprise Management Processes  IT Infrastructure is key to CIOs leading enterprises in their management processes CIOs and other members of the IT management team could be the reason...


Chief Security Officer now a key role in many organizations

November 14th, 2013

A few years ago, hiring a Chief Security Officer (CSO) would have been superfluous. However, as companies continue to expand their technological footprint, they are also more vulnerable to cyber attacks. Having a CSO on board is necessary to alleviate cyber-security risks.

Much of the challenge in hiring one comes from defining the CSO's role against that of the chief information officer. Indeed, the job responsibilities of a CIO are quite different from those of a CSO. The common misconception is that the two positions would be adversarial, but the reality is they often collaborate.

CIOs ensure that the information-technology infrastructure enables employee functionality. They use technology to create efficiencies in the company. CSOs safeguard intellectual property or protect against data breaches. For the most part, the CSO helps C-suite executives make judgments by lending an independent voice to the discussion.


The main function of a CSO is to lower a company's risk in respect to the security compromises that can happen via a network. From a board-level perspective, CSOs give visibility to and quantify the risks in a company. It's helpful to have a role dedicated to those responsibilities, Carpenter says.

Typically, CSOs ensure there are adequate policies and procedures in place for cyber and physical security. Then, they assess the security risk relative to those policies and procedures. From there, they are responsible for identifying to the C-suite and the board those gaps in policies and procedures.



What is the cost of a business interruption?

November 5th, 2013

Four steps that must be taken to determine whether a business continuity plan is worth the investment are listed below. They allow the organization to determine the real dollar cost per downtime event and to calculate acceptable data recovery points and a return-to-operation goal. This data then allows an organization to align itself with a particular disaster recovery organization's skill sets and capabilities.


  • Conduct a Business Impact Analysis -- The first step is to conduct a business impact analysis. A BIA maps the interdependencies between each system (physical and virtual), application, and component and each business process and service provided. Based on the information collected in that process, a determination can be made on the consequences to the business as a result of disruption. This analysis should prioritize the importance of each process, application, and component in terms of cost to the business when they are no longer accessible. Those costs should include but are not limited to the following:
        1. Lost productivity
        2. Lost revenue
        3. Compliance risk
        4. Reputation loss
  • Determine Recovery Time Objective -- The next step is to determine the Recovery Time Objective (RTO). RTO is the amount of time within which a business process must be restored in order to meet Service Level Objectives (SLO) for the business. Organizations need to meet Recovery Time Objectives in order to avoid catastrophic consequences when a process or application continues to be unavailable. While system and component RTOs are important, the application RTO is what matters to the customer, whether internal or external. The RTO is established during the Business Impact Analysis portion of the Business Continuity Plan (BCP).
  • Determine Recovery Point Objective -- Next you need to determine the Recovery Point Objective (RPO). RPO is the amount of data loss that is acceptable for a certain time period as part of Business Continuity Planning (BCP). A certain amount of data loss for some processes is tolerable (e.g. a data entry clerk types data in manually to process sales orders; if the data entry clerk keeps the paper files for one day, then the RPO would be 24 hours). Recovery Point Objectives should be carefully planned for each process and application, as traditional backup and restore methods may not meet today's demanding business environments. Snapshot and replication technology enablers are needed in most environments to meet shrinking RPO time requirements.
  • Calculate Cost of Downtime per Hour -- How much does it really cost?
        1. Labor cost per employee multiplied by percentage of employees affected by application or service interruption.
        2. Average revenue per hour multiplied by percentage of revenue affected by outage.
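The four steps above, carried through as a small worked example. This is added illustration code, not part of Janco's template or any of its products: it computes the cost of downtime per hour from the two components the text names (labor cost times share of employees affected, plus revenue per hour times share of revenue affected), ranks processes by that cost as a BIA would, and then checks each process's RTO and RPO against what the current backup schedule and the last exercised restore can actually deliver. The `Process` fields, the `SAMPLE_PROCESSES` figures and the `backup_interval_hours` / `measured_restore_hours` inputs are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Process:
    """One business process or application, as captured during the BIA.

    Monetary values are constructed sample figures (not real data);
    percentages are fractions between 0 and 1.
    """
    name: str
    labor_cost_per_hour: float     # hourly labor cost of the whole workforce
    pct_employees_affected: float  # share of employees idled when it is down
    revenue_per_hour: float        # average revenue per hour for the business
    pct_revenue_affected: float    # share of revenue that stops during an outage
    rto_hours: float               # Recovery Time Objective
    rpo_hours: float               # Recovery Point Objective
    backup_interval_hours: float   # how often a restore point is actually taken (assumed input)
    measured_restore_hours: float  # restore time observed in the last DR exercise (assumed input)


def downtime_cost_per_hour(p: Process) -> float:
    """Cost of downtime per hour from the two components in the text:
    labor cost x share of employees affected, plus
    revenue per hour x share of revenue affected."""
    labor_loss = p.labor_cost_per_hour * p.pct_employees_affected
    revenue_loss = p.revenue_per_hour * p.pct_revenue_affected
    return labor_loss + revenue_loss


def business_impact_analysis(processes, outage_hours: float):
    """Rank processes by cost per hour (highest first) and flag whether the
    current backup schedule and measured restore time meet the RPO and RTO."""
    rows = []
    for p in processes:
        cost_hr = downtime_cost_per_hour(p)
        rows.append({
            "name": p.name,
            "cost_per_hour": cost_hr,
            "outage_cost": cost_hr * outage_hours,
            # RTO is met only if the last exercised restore fits inside it.
            "rto_met": p.measured_restore_hours <= p.rto_hours,
            # Worst-case data loss is the gap between restore points, so the
            # RPO is met only if backups run at least that often.
            "rpo_met": p.backup_interval_hours <= p.rpo_hours,
        })
    rows.sort(key=lambda r: r["cost_per_hour"], reverse=True)
    return rows


def gaps(rows):
    """Names of processes whose RTO or RPO is not met, highest cost first."""
    return [r["name"] for r in rows if not (r["rto_met"] and r["rpo_met"])]


# Constructed sample inventory (hypothetical figures, not real data).
SAMPLE_PROCESSES = [
    Process("Order entry", 20000.0, 0.5, 40000.0, 0.75, rto_hours=2, rpo_hours=0.25,
            backup_interval_hours=24, measured_restore_hours=4),
    Process("Email", 20000.0, 0.75, 40000.0, 0.125, rto_hours=8, rpo_hours=4,
            backup_interval_hours=1, measured_restore_hours=6),
    Process("Payroll", 20000.0, 0.125, 40000.0, 0.0, rto_hours=48, rpo_hours=24,
            backup_interval_hours=24, measured_restore_hours=8),
]


if __name__ == "__main__":
    report = business_impact_analysis(SAMPLE_PROCESSES, outage_hours=8)
    print(f"{'Process':<12}{'$/hour':>10}{'8h outage':>12}  RTO  RPO")
    for r in report:
        print(f"{r['name']:<12}{r['cost_per_hour']:>10,.0f}{r['outage_cost']:>12,.0f}"
              f"  {'ok' if r['rto_met'] else 'GAP':<4} {'ok' if r['rpo_met'] else 'GAP'}")
    print("Gaps to close first:", gaps(report))
```

With the sample figures, order entry costs 40,000 per hour and is the only process whose nightly backup (24 hours between restore points) and four-hour measured restore both miss their objectives, which is exactly the kind of gap the text says snapshot or replication technology must close; ranking by cost per hour puts it at the top of the remediation list.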



Personalization is key to OmniCommerce

October 7th, 2013

According to a recent study by IDG Research Services, personalization is recognized as a key differentiator among online businesses, for both e-commerce and non-commerce sites. Companies with an online presence are learning that they need to take action to learn more about their customers in order to increase customer loyalty, gain new followers and outshine the competition. More than 60 percent of the companies surveyed are prioritizing investments over the next year that will enable a more personalized Web experience.

There are several benefits companies can realize by creating a more personalized website experience. Cited by 69 percent of survey respondents, improved website engagement is at the top of the list. When businesses employ website personalization techniques, the visit becomes a two-way interaction. Instead of solely clicking or pushing his or her way through the site, the user is enticed or pulled through the site via personalization, thus increasing website engagement.

The second benefit, according to 62 percent of survey respondents, is improved brand image. Visitors think highly of businesses that anticipate their needs and appeal to their individual interests. Finally, coming in third and fourth, 44 percent of respondents cite improved lead generation and decreased customer or website abandonment rates.

In order to provide a personalized Web experience and realize these benefits, companies need information about their visitors. Yet there are gaps identified when it comes to the information companies are currently able to collect. These gaps primarily exist around location, which inhibits the ability to offer visitors a personalized Web experience.



Internet users are masking their identities

September 13th, 2013

A Pew Internet and American Life study released last week showed that 86 percent of Internet users have taken steps to remove or mask their identities online. Meanwhile, some companies are even trying to be open about their activities: Acxiom Corp., which collects and sells data about individuals to companies, just launched Aboutthedata.com, a site where Internet users can see and manage what Acxiom knows about them.

Generally speaking, fields such as statistics, computer science and the hard sciences don't teach ethics. There are privacy concerns, such as how much corporations and the government should know about individuals.... But software engineers are taught about the elegance or the mathematical beauty of the thing that they're building, not how it will affect people's lives.


A computer science professor at the University of Illinois at Urbana-Champaign says that she teaches her students how to sample data ethically and protect subjects in academic studies. For example, in a Facebook study, the researcher should replace all the participants' names, all their friends' names and all their friends of friends' names with numbers.

If you do these large social network studies, you don't have what they call participant-informed consent. Let's say I have you in one of my Facebook studies, and you're coming to my lab and we are analyzing the strength of the connections between you and your friends. I'm getting information about your friends and their friends without their consent. It's a very, very ethically sensitive area.

Many ethics guidelines come from the Belmont Report, created in 1978 to protect human research subjects. It requires universities that receive funding from the government to have what's called an Institutional Review Board perform an ethics review of proposed studies involving human subjects.

If academics find that big data allows them to obtain more information than they would be able to gather when dealing with subjects in person, imagine what companies like Google and Facebook know. They are forming their own policies, which tend to be that you “pay” for a service, particularly a free service, by giving up some privacy. The fact people are so used to this may be why, after the initial shock over the NSA news, many people effectively shrugged. According to a Washington Post-ABC poll in late July, 58 percent said they support this intelligence gathering in the effort to identify potential terrorists, compared to 39 percent opposed.



10 questions that need answers in an interview

August 26th, 2013

In the interview process a uniform front is important. Before you start recruiting you should have answers prepared for questions like the following:

  • Are responsibilities for this job completely defined?
  • How would you describe someone who is successful in that role?
  • What is it like working at the company?
  • How are responsibilities defined within the team that this position is in?
  • How would you describe a typical week/day in this position?
  • Is this a new position? If not, why did the previous employee leave?
  • Is travel expected?
  • Is relocation a possibility?
  • What is the typical work week like?
  • Will there be overtime?



Business Continuity Digest

August 21st, 2013

  1. Top 10 Reasons Why Disaster Recovery Business Continuity Plans Fail  In the recession many organizations put disaster recovery and business continuity on the back burner. As a result those plans are not as functional as...
  2. Include Social Media in Your Business Continuity Plans  6 Ways to Utilize Social Media Before a Disaster Strikes by Adam Crowe When creating a disaster recovery plan include social media.  Simple things like...
  3. Business Continuity Planning for Survival Under Stress  Business continuity and disaster recovery planning took a real hit in the recession that started in 2008.  First many companies reduced the number and intensity...
  4. Cloud storage aids disaster recovery and business continuity  Cloud Storage is a next step to implement after the disaster recovery plan is created Cloud storage is a next step after the CIO creates a...
  5. 10 Commandments of Disaster Recovery and Business Continuity  10 commandments of disaster recovery and business continuity planning As requirements for avoiding downtime become increasingly stringent, administrators need tools and platforms that can help...

Business Continuity Plan Template

ISO 27000 ( formerly ISO 17799 ) - Sarbanes-Oxley - HIPAA - PCI-DSS Compliant



BYOD Challenges

August 5th, 2013


Mobility has revolutionized how we do business. Managing mobility and BYOD means knowing how to navigate changing operating systems, changing platforms and changing hardware to reap benefits like improved productivity, agility, growth and better customer service.

BYOD includes consumer smartphones and tablets that are making their way into your organization. Going mobile makes employees happier and more productive, but it's also risky. How can you say yes to a BYOD choice and still safeguard your corporate data, shield your network from mobile threats, and maintain policy compliance?

Bring Your Own Device Sample

With the advent of Bring-Your-Own-Device (BYOD) and the ever-increasing mandated requirements for record retention and security, CIOs are challenged to manage in a complex and changing environment.

If your enterprise does not have a BYOD policy, then one of two things is happening:

  • BYOD is blocked, and your company is either losing the productivity associated with employees using their own devices or paying for each employee's access device.
  • BYOD devices are already accessing your corporate network, with or without your knowledge, and you are doing nothing to ensure that this is done securely and in compliance with mandated federal, state, local, and industry requirements.


Mobile Device Use Policy Is Needed

July 19th, 2013

The consumerization of IT has wrought profound security issues and changes in how and where employees work. To understand the magnitude of this transformation, consider these statistics:

  • 3 out of 5 workers say they no longer need to be in the office to be productive.
  • The average mobile worker is now carrying 3.5 devices, up from 2.7 devices in 2011.
  • 64% of mobile users use a tablet for work, as of March 2012. Based on purchasing predictions from users, that number likely reached 80% by October 2012.
  • Apple iPhones and iPads and Google Android devices - all of them consumer devices - now make up more than 70% of the mobile devices used by mobile workers.
  • Mobile workers are using smartphones for email, web conferencing, social media for work, accessing and editing Office documents, and note-taking.
  • In 2010, web-based email usage declined 6%, while mobile email access rose 36%.



How to Implement IT Security

July 9th, 2013

Security Policies

It is the CIO's and CISO's job to identify and present the risks the business may face, but it's up to the board of directors to make the final decision on the acceptable level of risk. Security decisions should be made taking into consideration all relevant business, economic, organizational and technology issues. Factors that could influence the decision-making process include:

  • Economic - the financial risk exposure of a given technical process or application. IT spending is an investment with real potential benefits, as well as real security risks.
  • Organizational - prior experience with making similar decisions; background knowledge about security in the company; internally established standards; maturity of existing security management processes.
  • Technology - existence of known technical vulnerabilities and risks in the technology stack.
  • Business - relates to the security knowledge and awareness of C-level executives and board members. It is impossible to make meaningful decisions if they don't realize how security issues may occur at each enterprise level.

Security Manual - Comprehensive, Detailed, and Customizable

The Security Manual is over 240 pages in length. All versions of the Security Manual Template include both the Business IT Impact Questionnaire and the Threat Vulnerability Assessment Tool (they were redesigned to address Sarbanes Oxley compliance).

In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes Oxley, ISO security domains, ISO 27000 (ISO27001 and ISO27002), PCI-DSS, HIPAA, FIPS 199, and CobiT.

Data security and protection are a priority, and this template is a must-have tool for every CIO and IT department. Over 3,000 enterprises worldwide have acquired this tool, and it is viewed by many as the industry standard for security management and security compliance.

Related posts:

  1. Top 10 Things a CIO Needs to Add Value  Top 10 for CIOs -What does the CIO have to do to be viewed as a business person versus a technologist?  There are many strategies...
  2. Compliance requirements drive security  Policy and Procedure Manual – Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT Compliant Includes PCI DSS Audit Program Security incidents...
  3. Top 10 CIO Productivity and Budgeting Issues  CIO – Productivity Kit The best companies, and their CIOs, recognize the importance of ready access to the right information to drive the right choices...
  4. 5 Corporate Compliance Errors Executives Are Making  5 Corporate Compliance Errors many executives are making Compliance is never easy and even the best make mistakes on occasion. But we can learn from...
  5. Google data center security & disaster recovery  This is a great video on physical security as well as the software security. This is a great primer which all CIOs and Data...


CIOs are drivers of BYOD

June 2nd, 2013

Organizations that choose to support their employees' personal devices within a secure environment will measurably increase their business productivity as well as extend their employees' flexibility. Additionally, the results underline a need for businesses to develop a platform agnostic device strategy that ensures corporate data remains secure.

Bring Your Own Device Sample

Janco recommends:

  • Organizations provide comprehensive support to BYOD: Employees will work around corporate IT infrastructure in order to be productive and find ways to leverage their personal devices, regardless of whether they're supported by the business or not. Supporting as many computing platforms as possible will ensure employees are accessing and sharing business data within a secure environment approved by the organization.
  • CIOs should focus on data when implementing BYOD: Over three quarters of all CIOs identify their role as a data custodian or someone responsible for locating content and establishing context that is aligned with associated business rules. An organization's mobile strategy therefore needs to not only enable IT professionals to effectively manage the volume of data, but also provide the solutions that allow employees to securely access and leverage data as a business asset.
  • BYOD implementation should enable productivity: Identify the business applications employees rely on (such as the organization's email or social collaboration tools) and provide mobile and tablet support for these applications to ensure employees can remain productive.


Security Tip of the Week

May 14th, 2013

While using wireless hotspots, limit activity to Web surfing only. A hotspot is an open wireless network that is available to everyone; an example would be the wireless network at your favorite coffee shop. These networks hook computers into the public Internet -- handy but dangerous. Because wireless hotspots are for open use, they don't provide much protection for your data.

You should also disable peer-to-peer networking, file sharing, and remote access. Always use a good personal firewall, and of course make sure all your software, including your operating system (like Windows), is up to date and patched. You should never use hotspots for online banking, bill paying, or for making purchases that require you to give out confidential information such as a credit card number.

Other Readings
  • Fraud is on the rise  CIOs need to address fraud issues with better security For the last three years it has been reported that estimated fraud losses that are doubling...
  • Cyber war breaks out – slows Internet  Cyber war pushes need for more security The recent cyber war between Spamhaus and Cyberbunker with commercial Denial of Service Attack (DDoS) pushed the Internet...
  • CIOs are not conducting cloud computing risk assessments  CIOs are not conducting cloud computing risk assessments A new survey by Protiviti has found that cyber security tops chief information officers' concerns, with 84...
  • Many CIOs have not addressed cloud security issues  Less than 50% of all organizations have policies in place for vetting cloud computing applications for possible security risks before deploying them. The number...
  • Email Spam Reporting Policy  E-mail Spam Reporting Policy Note: Of course legitimate, individually-sent employment, business and personal inquiries are not considered spam.  Below is a sample of a letter...