Data Security - Top 10 Best Practices

CIOs and IT managers are challenged to meet compliance requirements for data security and, at the same time, to meet the data requirements of a full range of disparate users.

CIOs are tasked with protecting an organization's data, but often without the business context needed to do this effectively. Given how valuable an organization's data is, a 'best guess' is not enough. There are best practices that CIOs and IT departments should follow to keep data secure and protected while still giving authorized users timely access to the data and information they need.

A company's data is typically protected by access control lists containing security groups and particular organizational roles. Users are assigned to a security group depending on their role in the company and/or organizational need.

However, access control lists rarely reflect the true needs of the business. More often than not, users have access to far more information than they need to do their jobs, greatly increasing the risk of theft, data loss or misuse. At the same time, IT cannot reduce access without risking a negative impact on organizational activity.
There are best practices that CIOs need to implement in order to protect a business's data:

  1. Understand who is accessing data via frequent auditing and real-time monitoring of data access - A comprehensive record of access is vital to the effective management of any data. A proper record of data use allows an organization to answer critical questions, such as who deleted particular files, what data specific individuals use and what is not being used. It also allows a business to answer more complicated questions, such as who owns a particular data set, which data support a particular business unit and how data can be locked down without disrupting workflows.
  2. Keep current records on data access permissions - CIOs cannot effectively manage any data without knowing who can and cannot access it. All too often IT cannot quickly and easily answer data protection questions such as who has access to a particular data set, or what data a user or group has access to. IT must be able to answer these questions accurately and quickly for data protection and management projects to work.
  3. Classify data by sensitivity - While all of a company's information needs to be protected, some information needs that protection more urgently. Audit trails, data classification technology and access control information help businesses identify active and stale data, data that is sensitive, classified or internal, and data that is accessible to many people.
  4. Minimize and remove global access rights - Sometimes folders on file shares have access control permissions allowing 'Everyone' or 'all domain users' to access the data they contain. This is a significant risk: any information placed in such a folder inherits those permissions, and those who place information there may be unaware of the wide-open settings. If the data is sensitive (PII, credit card information, intellectual property or HR information), the result can be an enormous security problem.
  5. Identify data owners and users - The IT department should maintain a list of business data owners and the data they own. With this list, CIOs and IT departments can expedite many of the tasks identified above, such as reviewing and verifying permission revocations and identifying data for archival. Ultimately, being able to identify data owners leads to a marked increase in the accuracy of data entitlements and, in turn, in data protection.
  6. Include data access reviews when individuals are transferred, promoted or terminated - When an individual changes role within a company, that user will most likely no longer need access to some data resources. To handle this successfully, the business must know, at a minimum, which data and which security groups require review, which groups grant access to which data and who owns a particular data set. Performing these reviews ensures that data can only be accessed by individuals who strictly need it.
  7. Align groups to data ownership and management - When data access is controlled by groups, it is vital that the groups are properly aligned with the data they are in place to protect. A group should grant access to the data it controls and nothing else.
  8. Audit permissions and group changes - Access control lists play a vital role in protecting data from loss, tampering or exposure. Group membership should be authorized and reviewed by the owner of the data or resource to which the group provides access.
  9. Lock down, delete or archive stale, unused data - A significant amount of data housed on unstructured and semi-structured platforms is stale. By archiving stale or unused data to offline storage or deleting it, IT makes managing the remainder simpler, while freeing up an expensive resource.
  10. Clean up security groups - Unneeded complexity hampers performance and facilitates mistakes. Businesses create so many groups that they often have as many groups as users, and many of these groups are likely to be empty, unused or redundant. Access control lists also often contain references to previously deleted users and groups (on Windows file shares these appear as SIDs that no longer resolve to an account); these must be identified and remediated.
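The conditions described in practices 4 and 10 can be checked rather than guessed at. The PowerShell script below is an added example, not code from this page or from Janco: it walks a file share and reports every explicit ACE that grants access to Everyone, Anonymous, Authenticated Users, BUILTIN\Users or Domain Users, and every ACE whose SID no longer resolves to an account. It assumes a domain-joined Windows host with read access to the share; the script name, parameter names and CSV path are assumptions.

```powershell
<#
  Added example (not Janco's code): audit a file share for "global access"
  ACEs (practice 4) and orphaned SIDs (practice 10).
  Assumes a domain-joined Windows host with read access to the share.
  Parameter names and the default CSV path are hypothetical.
#>
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    [string] $OutCsv = '.\acl-findings.csv',
    [int]    $Depth  = 4
)

# Well-known SIDs that amount to "everyone" when they appear on a share.
# Domain Users (RID 513) is matched by suffix because its SID is domain-specific.
$globalSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-AceSid {
    # Return the SID string for an ACE's principal, or $null if it cannot be resolved.
    param([System.Security.AccessControl.FileSystemAccessRule] $Ace)
    try {
        return $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

function Test-OrphanedSid {
    # Get-Acl returns an unresolvable principal as its raw SID (S-1-5-21-<domain>-<rid>);
    # a resolvable one comes back as DOMAIN\name. A SID from a decommissioned server's
    # local accounts looks the same, so confirm before removing.
    param([System.Security.AccessControl.FileSystemAccessRule] $Ace)
    if ($Ace.IdentityReference.Value -notmatch '^S-1-5-21-') { return $false }
    try {
        [void] $Ace.IdentityReference.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch {
        return $true
    }
}

# Audit the share root plus its subfolders down to -Depth.
$targets = @(Get-Item -LiteralPath $Path) +
           @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

$findings = @(foreach ($dir in $targets) {
    try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { continue }
    foreach ($ace in $acl.Access) {
        # Only explicit ACEs: an inherited ACE is reported once, on the folder where
        # it was set, instead of on every descendant.
        if ($ace.IsInherited) { continue }
        $sid   = Get-AceSid -Ace $ace
        $issue = $null
        if (Test-OrphanedSid -Ace $ace) {
            $issue = 'orphaned SID (deleted user or group)'
        } elseif ($ace.AccessControlType -eq 'Allow' -and $sid) {
            if ($globalSids.ContainsKey($sid)) { $issue = "global access ($($globalSids[$sid]))" }
            elseif ($sid -match '-513$')      { $issue = 'global access (Domain Users)' }
        }
        if ($issue) {
            [pscustomobject]@{
                Folder    = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Issue     = $issue
            }
        }
    }
})

if ($findings.Count -gt 0) {
    $findings | Sort-Object Folder | Export-Csv -NoTypeInformation -Path $OutCsv
    $findings | Format-Table -AutoSize
}
"$($findings.Count) finding(s) written to $OutCsv"
```

Run it as, for example, `.\Find-ShareAclIssues.ps1 -Path \\fileserver\finance -Depth 4`. Deny ACEs are not flagged as global access, since a Deny to Everyone removes rights rather than granting them, but a Deny that names an orphaned SID is still reported because it no longer does anything and clutters the ACL. The CSV gives the data owner (practice 5) a concrete list to review before any permission is removed.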

Security Manual - Comprehensive, Detailed, and Customizable

The Security Manual is over 240 pages in length. All versions of the Security Manual Template include both the Business and IT Impact Questionnaire and the Threat and Vulnerability Assessment Tool (both were redesigned to address Sarbanes-Oxley compliance).


In addition, the Security Manual Template Premium Edition contains 16 detailed job descriptions that apply specifically to security and to Sarbanes-Oxley, the ISO security domains, ISO 27000 (ISO 27001 and ISO 27002), PCI-DSS, HIPAA, FIPS 199 and CobiT.

The Security Manual includes recommended policies, procedures and written agreements with employees, vendors and other parties who have access to the company's technology assets. To make this process as easy as possible, Janco provides 18 formatted electronic forms for distribution and documentation. All forms are easy-to-edit Microsoft Word templates, so all you need to do is add your corporate logo and make your own additions and changes, and your policy and procedure documentation is nearly complete.

The electronic forms included with the Security Manual Template are:

    1. Blog Policy Compliance Agreement
    2. BYOD Access and Use Agreement
    3. Company Asset Employee Control Log
    4. Email Employee Agreement
    5. Employee Termination Procedures and Checklist
    6. FIPS 199 Assessment
    7. Internet Access Request Form
    8. Internet and Electronic Communication Employee Agreement
    9. Internet Use Approval
    10. Mobile Device Access and Use Agreement
    11. Mobile Device Security and Compliance Checklist
    12. New Employee Security Acknowledgment and Release
    13. Outsourcing and Cloud Security Compliance Agreement
    14. Outsourcing Security Compliance Agreement
    15. Preliminary Security Audit Checklist
    16. Risk Assessment
    17. Security Access Application
    18. Security Audit Report
    19. Security Violation Procedures
    20. Sensitive Information Policy Compliance Agreement
    21. Server Registration
    22. Social Networking Policy Compliance Agreement
    23. Telecommuting Work Agreement
    24. Text Messaging Sensitive Information Agreement
    25. Threat and Vulnerability Assessment Inventory

Data security and protection are a priority, and this template is a must-have tool for every CIO and IT department. Over 3,000 enterprises worldwide have acquired this tool, and many regard it as the industry standard for security management and security compliance.

Security Manual Template purchase options

Security Manual Template - Standard Edition


  • Business and IT Impact Questionnaire
  • Threat and Vulnerability Assessment Toolkit
  • Security Management Checklist
  • HIPAA Audit Program
  • Sarbanes Oxley Section 404 Checklist
  • Security Audit Program - fully editable; comes in MS Excel and PDF formats; meets ISO 28000, 27001 and 27002, Sarbanes-Oxley, PCI-DSS, HIPAA, FIPS 199 and NIST SP 800-53 requirements; over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings
  • Electronic forms that can be emailed, completed on a computer or tablet, and stored electronically, including: Blog Policy Compliance, BYOD Access and Use, Company Asset Employee Control Log, Email - Employee Acknowledgment, Employee Termination Checklist, FIPS 199 Assessment Electronic Form, Internet Access Request, Internet Use Approval, Internet & Electronic Communication - Employee Acknowledgment, Mobile Device Access and Use Agreement, Employee Security Acknowledgement Release, Preliminary Security Audit Checklist, Risk Assessment, Security Access Application, Security Audit Report, Security Violation Reporting, Sensitive Information Policy Compliance Agreement, Server Registration, and Threat and Vulnerability Assessment
  • eReader version of the Security Manual Template

Security Manual Template - Premium Edition


  • Business and IT Impact Questionnaire
  • Threat and Vulnerability Assessment Form
  • Security Management Checklist
  • HIPAA Audit Program
  • Sarbanes Oxley Section 404 Checklist
  • Security Audit Program
  • Over two dozen Electronic Forms
  • eReader version of the Security Manual Template

Security Job Descriptions (MS Word format)

  • Chief Security Officer (CSO), Chief Compliance Officer (CCO), VP Strategy and Architecture, Director e-Commerce, Database Administrator, Data Security Administrator, Manager Data Security, Manager Facilities and Equipment, Manager Network and Computing Services, Manager Network Services, Manager Training and Documentation, Manager Voice and Data Communication, Manager Wireless Systems, Network Security Analyst, System Administrator - Unix, and System Administrator - Windows

Security Manual Template - Gold Edition


  • Business and IT Impact Questionnaire
  • Threat and Vulnerability Assessment Form
  • Security Management Checklist
  • HIPAA Audit Program
  • Sarbanes Oxley Section 404 Checklist
  • Security Audit Program
  • Over two dozen Electronic Forms
  • eReader version of the Security Manual Template

IT Job Descriptions (MS Word format) - updated to meet all mandated security requirements

  • 281 job descriptions from the Internet and IT Job Descriptions HandiGuide in MS Word format, including all of the job descriptions in the Premium Edition. Each job description is at least 2 pages long, and some of the more senior positions run up to 8 pages.
