Industry Standard Policies
Industry Standard Policies encompass the best practices that world class CIOs and enterprises use.
Managing the activities of end-users with today's tech-savvy workforce is a huge challenge. The temptation is always there for employees to abuse social networking sites, instant-messaging, telecommuting privileges and install personal software on company equipment. Lost productivity, slow service, viruses and worse are inevitable unless you are able to develop and enforce clear IT policies throughout your company.
Sure, you have rules for using technology. But are you continually encountering gray areas? Do you have people in your company who like to "push the envelope" with their computer privileges? Do you find that you and your company just spend way too much time defining rules?
All of the policies provided here are contained within one or more of the templates on this site. They have been added as individual documents in MS WORD format for those clients who need only a particular policy. All policies are Sarbanes-Oxley, HIPAA, PCI-DSS, and ISO compliant.
CIO IT Infrastructure Policy Bundle
Save over 60% on these World Class Best Practices Policies
Janco has combined the policies it has developed over time with some of the best IT organizations around the globe into a single package. With this bundle you get a PDF file that has all of the procedures in a single document that is over 210 pages long. It would take your staff months to develop these procedures from scratch. In addition you get a separate MS-Word document for each procedure which can easily be modified.
This bundle contains the following:
The policies have just been updated to comply with all mandated requirements and include electronic forms that can be Emailed, filled out completely on the computer, routed and stored electronically -- a total solution.
We have just completed a major update of most of the individual policies and almost all of the electronic forms.
- CIO IT Infrastructure Policy Bundle (All of the policies below are included as individual MS Word files and a single PDF file. Electronic forms are all individual documents that are easily modifiable)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
- BYOD Policy Template (Includes electronic BYOD Access and Use Agreement Form)
- Google Glass Policy (Includes Google Glass Access and Use Agreement Form)
- Incident Communication Plan Policy (Updated to include social networks as a communication path)
- Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (includes 5 electronic forms to aid in the quick deployment of this policy)
- Mobile Device Access and Use Policy
- Patch Management Policy
- Outsourcing and Cloud Based File Sharing Policy
- Physical and Virtual Server Security Policy
- Record Management, Retention, and Destruction Policy
- Safety Program
- Sensitive Information Policy (HIPAA compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
- Service Level Agreement (SLA) Policy Template with KPI Metrics
- Social Networking Policy (includes electronic form)
- Telecommuting Policy (includes 6 electronic forms to effectively manage work at home staff)
- Text Messaging Sensitive and Confidential Information (includes electronic form)
- Travel, Electronic Meeting, and Off-Site Meeting Policy
- Wearable Device Policy
- IT Infrastructure Electronic Forms
Backup and Backup Retention Policy
IT organizations of all sizes contend with a growing data footprint, with more data to manage, protect and preserve for longer periods of time. Online primary storage focuses on fast, low latency, reliable access to data, while near-line secondary storage focuses on low cost and high capacity. Long-term data retention requires a combination of ultra-low cost, good performance during storage and retrieval, and a reduced footprint in terms of power, cooling, floor-space and economics (PCFE), also known as a small green footprint, for inactive data.
Factors that CIOs and IT professionals need to consider for data retention include:
- Business and regulatory requirements - regulatory compliance and data preservation
- Economic and budgetary concerns - doing more with less
- Data loss prevention and information protection - protect, preserve and serve
- Environmental and business sustainment - green and economically efficient
- Maximize IT resource effectiveness and return on investment (ROI)
- Reduce total cost ownership (TCO) of IT resources and service delivery
The Backup and Backup Retention Policy is an 11 page sample policy, complete enough to be implemented immediately.
The document is provided in MS WORD format and is easily modified. This policy is also included in the Disaster Recovery / Business Continuity Template.
Below is a table from the policy (cells that did not survive extraction are marked "not recovered"):

Type of Data | Minimal Backup Policy | Backup Retention Policy
(not recovered) | Latest version plus patches | Annual (verified) backup
(not recovered) | Latest version plus patches | Annual (verified) backup
(not recovered) | (not recovered) | Annual (verified) backup
(not recovered) | Daily, with real-time transaction files | Annual (verified) backup
Software licenses, encryption keys, and protocol data | (not recovered) | Annual (verified) backup
Backing up data at remote offices has always been a challenge for IT administrators. Remote office backup schemes that rely on tape backup are expensive, time consuming to maintain, and often require technical expertise in remote offices that may not have on-site IT staff. Network attached storage devices are high capacity, disk-based storage appliances that can be easily deployed by employees with little technical expertise. The included client backup software, coupled with the built-in backup and replication features, provides a backup framework that is cost-effective to deploy, easy to maintain and can be configured to automatically back up data to remote offsite locations.
Blog and Personal Web Site Policy
With the advent of blogs, there is a need to set rules of the road for the use of blogs by employees, contractors, agents, suppliers and others. This 8 page sample blog policy contains specific policy statements on what can and cannot be done via blogs. It defines 13 specific guidelines for personal web sites and blogs, both those on your enterprise's domains and those on domains outside of your enterprise's control.
The policy template comes in word format and can easily be modified to meet the specific requirements of any size enterprise.
BYOD Policy Template
The purpose of the BYOD Policy Template is to define standards, procedures, and restrictions for end users who have specific and authorized business requirements to access enterprise data from a personally owned (BYOD) device connected via a wireless or unmanaged network outside of ENTERPRISE's direct control.
The policy template comes in word format and can easily be modified to meet the specific requirements of any size enterprise.
Mobile Device Access and Use Policy
The purpose of this policy is to define standards, procedures, and restrictions for end users who have specific and authorized business requirements to access enterprise data from a mobile device connected via a wireless or unmanaged network outside of ENTERPRISE's direct control. This policy applies to, but is not limited to, all devices and media that fit the following device classifications:
- USB applications and data
- Laptop/notebook/tablet computers
- Ultra-mobile PCs (UMPC)
- Mobile/cellular phones
- Home or personal computers used to access enterprise resources
- Any mobile device capable of storing corporate data and connecting to an unmanaged network
The policy applies to any hardware and related software that could be used to access enterprise resources, even if the equipment is not approved, owned, or supplied by ENTERPRISE.
Mobile Device Access and Use Policy Template - This policy is 10 pages in length. It contains everything that an enterprise needs to implement a functioning and compliant mobile device and use process. Included are forms defining the mobile device environment.
Google Glass Policy Template
Janco, in concert with a number of world class enterprises, has created a Google Glass Policy Template that addresses the following questions:
- What are the legal implications of Google Glass? What is the impact of the Stored Communications Act on record retention and destruction?
- What happens to the data and audit trail on a Google Glass device when an employee leaves the company?
- What about lost or stolen devices?
- How is the Google Glass device configured to receive and transmit corporate data?
- What kind of passwords are acceptable to use on a Google Glass device?
- What kind of encryption standards are acceptable for Google Glass device data transmissions - both inbound and out-bound?
The purpose of the Google Glass Policy Template is to define standards, procedures, and restrictions for end users who have specific and authorized business requirements to use the devices connected via a wireless or unmanaged network outside of ENTERPRISE's direct control.
Google Glass Policy Template - It is 14 pages in length and contains everything that an enterprise needs to implement a functioning and compliant Google Glass access and use process. Included are forms defining the mobile device environment.
WYOD - Wearable Device Policy
WYOD - Wearable Device Policy - Wearable devices provide a variety of potential business or educational uses involving accessing, capturing and sharing data. At the same time they can pose a significant security risk to an organization: the ability to surreptitiously record audio and video can threaten business confidentiality and jeopardize company data and even its reputation.
With that in mind, the consultants at Janco Associates have created a Wearable Device Policy that can be downloaded and used as a guideline for organizations as they establish rules for the use of such devices in the workplace.
This policy is seventeen (17) pages in length and covers:
- Enterprise Mobile Device Infrastructure
- Wearable Device Infrastructure
- Disaster Recovery - Business Continuity
- Best Practices for Wearable Devices
- Legal Considerations
- Wearable Device Access and Use Agreement - Electronic Form
This policy has been updated to reflect the latest mandated security and privacy requirements. The policy comes as both a WORD file and a PDF file utilizing a standard CSS style sheet.
Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy
Driving electronic communication is the fact that data is easier to find when it is a click away than when it is stacked in folders. E-mail is a great source of easy-to-access information. When faxes and paper communication are integrated into the email automation framework, there is little fear of losing them.
Organizations that have or want to establish a company wide telecommuting program should establish a formal, written telecommuting policy document that is regularly reviewed and updated by IT, human resources, legal, and finance. This will ensure that managers and the corporate services and technical support groups within the organization are aware of their respective role and responsibilities for enabling and supporting telecommuting. It also will help ensure that telecommuting employees know about their responsibilities too, along with new company and approved third-party applications and support services available outside company facilities.
Businesses have to comply with industry-specific regulations for digital communications. This is a bigger challenge for multinational companies, where regulations vary from country to country. How can companies comply with these regulations without sacrificing business velocity and driving up costs? The answer lies in adopting standardized email policies that include best practice work flows to enforce compliance with industry-specific rules for process and content. This serves the dual purpose of keeping businesses out of trouble and providing superior customer experience.
Best practices for commercial e-mail are defined with compliance with the CAN-SPAM Act as the focus.
All companies archive e-mail whether they realize it or not. Merely backing up an e-mail server creates an archive. The real question is what policies your company should have regarding those archives. What messages should be archived, for how long, and who should be able to access them?
Depending on your requirements, which may or may not involve regulatory compliance, you can determine whether you need a separate e-mail archiving solution, and if so, what features it should have. In some cases, the features built into e-mail servers, which include e-mail retention policies and basic e-discovery capabilities, may be sufficient. In others, you may need to pay for a full-featured archiving system.
That may be money well spent if your risk is high. Financial penalties have been levied against companies not for any malfeasance, but simply for failing to comply with legal discovery or record-keeping requirements. Clearly, the costs of archiving would be more than offset in this situation.
Remember, however, that an e-mail archiving solution is not a substitute for a traditional e-mail backup and recovery solution. You still need the latter for e-mail reliability and availability. But the two can work hand in hand. E-mail archiving solutions feature additional benefits such as mailbox management, e-mail administration, and mail policy monitoring. Archiving can also help ease the burden on mail administrators, lowering overall costs by moving mail off of primary storage, pulling PST (Personal Storage Table) files off client systems, monitoring mail in real time for policy violations, and more.
Today's email threats are far more dangerous than yesterday's. On the inbound side, blended email and web attacks masterminded by profit-seeking criminals are now the norm. Spam is no longer about selling, it's about stealing. Attacks are targeted and fast moving. The perpetrators are more sinister, organized, and sophisticated. Orchestrated botnet armies strike globally and quickly go dormant. Harmful payloads morph continuously to evade signature-based defenses, and are more often delivered through an embedded web link rather than a direct file attachment. Every malicious email that penetrates the perimeter carries dramatically more risk than ever before.
Over 50% of all companies do not have policies for the appropriate use of the Internet. The problem now is that when you tweet or post to a blog information that might be sensitive, thousands of people can see it immediately, and then thousands more could see it as it is forwarded on to others. The ramifications of making a mistake, of putting things on those sites that should not be there, are even greater than they used to be.
This policy is written to comply with recent legislation (SOX, HIPAA, the Patriot Act, and sensitive information requirements), and covers:
- Appropriate Use of Equipment
- Social Networks
- Mobile Devices
- Internet Access
- Electronic Mail
- Retention of E-mail on Personal Systems
- E-mail and Business Records Retention
- Copyrighted Materials
- Banned Activities
- Ownership of Information
Included with the policy are forms that can be used to facilitate the implementation of the policy. Included are these ready to use forms:
- Internet & Electronic Communication Employee Acknowledgement
- E-Mail - Employee Acknowledgement
- Internet Use Approval Form
- Internet Access Request Form
- Security Access Application Form
The template uses the latest CSS style sheet and can easily be modified to conform to the style used in your enterprise policy manual.
Incident Communication Plan Policy
NEW Electronic Form - Incident Communication Contact Form
To survive an incident such as a business interruption, security breach, or a product recall, organizations need more than a successful communication strategy - they need an incident communication plan.
The overall objectives of an incident communications plan should be established at the outset. The objectives should be agreed upon, well understood, and publicized. For example, will the primary objective of the communications plan be communication only to employees, and only during a disaster? Or is the intent to advise customers of interruptions to service? Or is it for investors and stockholders? Or regulatory agencies? Or is it some combination of these?
Whatever the objectives of the enterprise, they should be shared, supported by executive management, and widely communicated, both via traditional media contact and social networks. This policy template addresses those needs directly and provides electronic tools that aid in the execution of the policy.
The specific objective of this incident communication plan is to define who will provide key communications during a crisis including content, recipients, schedule, method of delivery, frequency, and priority of the communication. By outlining a communication plan in advance, the business is better able to
- Communicate the effects and status of a crisis for employees, associates, suppliers and customers,
- Reduce the impact of bad publicity, maintain customer service, bolster relations with vendors and
- Address the concerns of other key stakeholders
Outsourcing and Cloud Based File Sharing Policy
Outsourcing and Cloud Based File Sharing Policy - This policy is eighteen pages in length and defines everything that is needed for a function to be outsourced or for data to be shared via the cloud. The policy comes as a Microsoft Word document that can be modified as needed. The template has been updated to include a HIPAA audit program definition and covers:
- Outsourcing Management Standard
- Service Level Agreement
- Outsourcing Policy
- Policy Statement
- Cloud Based File Sharing
- Approval Standard
- Base Case
Note: See the Practical Guide for Outsourcing; it is over 110 pages in length and contains more extensive processes for outsourcing.
Patch Management - Version Control Policy
Includes 3 full job Descriptions: Manager Change Control; Change Control Supervisor; and, Change Control Analyst
Patch management and version control are ongoing processes. The reality of software and network vulnerabilities is that soon after you apply one patch, a new vulnerability will be disclosed that needs another. This is part of the DevOps process and needs to be managed with a robust patch management process which includes:
- Detection - Tools to scan systems for missing security patches. The detection should be automated and trigger the patch management process.
- Assessment - If necessary updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your next steps. By balancing the severity of the issue and mitigating factors, determine if the vulnerabilities are a threat to your current environment.
- Acquisition - If the vulnerability is not addressed by the security measures already in place, download the patch for testing.
- Testing - Install the patch on a test system to verify the ramifications of the update against your production configuration.
- Deployment - Deploy the patch to production computers. Make sure your applications are not adversely affected. Employ your rollback or backup restore plan if needed.
- Maintenance - Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.
- Obsolescence - Over time, multiple versions of an application or software package will exist, and there needs to be a process in place for retiring old versions which the enterprise no longer supports.
The policy comes with an electronic form, the Change and Patch Management Control Log, in Microsoft Excel (.xlsx) format with full instructions. Included with the instructions are directions for how to customize the form.
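The Detection and Assessment steps above are where most of the engineering sits, and the classic mistake in Detection is comparing version strings lexically, so that "1.10" sorts before "1.9" and a patched host is reported as missing the patch or vice versa. As an added example, not code from the policy bundle, the Python below tokenizes versions so numeric parts compare as numbers, finds installed packages older than an advisory's fixed version, and then weighs severity against two mitigating factors (whether the affected service is network-reachable on this host, and whether a compensating control has been recorded) to assign a deployment priority. The inventory, advisory feed, exposure map and compensating-control set are constructed sample data, and the version scheme (a trailing letter is a later release, OpenSSL style) is an illustrative assumption, not any distribution's algorithm.

```python
"""Patch detection and triage, following the Detection and Assessment steps.

Added example, not code from the policy bundle. The inventory, advisory feed,
exposure map and compensating-control set are constructed sample data.
"""
import re
from dataclasses import dataclass

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_tokens(version: str) -> list:
    """Split '1.9.5p2' into [1, 9, 5, 'p', 2] so numeric parts compare as numbers.

    Assumption (illustrative only): a trailing letter marks a later release,
    OpenSSL style ('1.1.1k' < '1.1.1n'); pre-release tags such as 'rc1' are
    not understood. Use the package manager's own comparison in production.
    """
    return [int(t) if t.isdigit() else t.lower() for t in _TOKEN.findall(version)]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Plain string comparison gets '1.10' < '1.9' wrong; this does not.
    """
    ta, tb = version_tokens(a), version_tokens(b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if type(x) is type(y):
            return -1 if x < y else 1
        return 1 if isinstance(x, int) else -1  # number outranks a letter
    if len(ta) == len(tb):
        return 0
    return -1 if len(ta) < len(tb) else 1  # '1.1.1' is older than '1.1.1k'


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
ACTION_ORDER = {"deploy-now": 0, "schedule": 1, "next-cycle": 2}


@dataclass(frozen=True)
class Finding:
    advisory: str
    package: str
    installed: str
    fixed_in: str
    severity: str
    action: str
    reason: str


def detect(inventory: dict, advisories: list) -> list:
    """Detection: advisories whose fixed version is newer than what is installed."""
    missing = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is None:
            continue  # package absent on this host: advisory not applicable
        if compare_versions(installed, adv["fixed_in"]) < 0:
            missing.append((adv, installed))
    return missing


def assess(missing: list, host_exposure: dict, compensating_controls: set) -> list:
    """Assessment: weigh severity against mitigating factors to pick an action."""
    findings = []
    for adv, installed in missing:
        rank = SEVERITY_RANK[adv["severity"]]
        reachable = adv["network"] and host_exposure.get(adv["package"], False)
        mitigated = adv["id"] in compensating_controls
        if rank >= 3 and reachable and not mitigated:
            action, reason = "deploy-now", "high/critical, network-reachable, no compensating control"
        elif rank >= 3:
            action, reason = "schedule", "high/critical but not reachable or covered by a compensating control"
        else:
            action, reason = "next-cycle", "medium/low severity"
        findings.append(Finding(adv["id"], adv["package"], installed,
                                adv["fixed_in"], adv["severity"], action, reason))
    findings.sort(key=lambda f: (ACTION_ORDER[f.action], -SEVERITY_RANK[f.severity], f.package))
    return findings


def triage(inventory: dict, advisories: list, host_exposure: dict, compensating_controls: set) -> list:
    return assess(detect(inventory, advisories), host_exposure, compensating_controls)


# Constructed sample data for one host (not real advisories).
INVENTORY = {"openssl": "1.1.1k", "nginx": "1.18.0", "libxml2": "2.9.10", "sudo": "1.9.5p2", "zlib": "1.2.11"}
ADVISORIES = [
    {"id": "ADV-0001", "package": "openssl", "fixed_in": "1.1.1n", "severity": "high", "network": True},
    {"id": "ADV-0002", "package": "nginx", "fixed_in": "1.20.1", "severity": "high", "network": True},
    {"id": "ADV-0003", "package": "libxml2", "fixed_in": "2.9.12", "severity": "medium", "network": False},
    {"id": "ADV-0004", "package": "sudo", "fixed_in": "1.9.5p2", "severity": "critical", "network": False},
    {"id": "ADV-0005", "package": "zlib", "fixed_in": "1.2.12", "severity": "high", "network": False},
    {"id": "ADV-0006", "package": "curl", "fixed_in": "7.80.0", "severity": "critical", "network": True},
]
HOST_EXPOSURE = {"nginx": True, "openssl": True, "zlib": False, "libxml2": False}
COMPENSATING_CONTROLS = {"ADV-0002"}  # e.g. a WAF rule blocks the known exploit path for now

if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES, HOST_EXPOSURE, COMPENSATING_CONTROLS):
        print(f"{f.action:10} {f.advisory} {f.package} {f.installed} -> {f.fixed_in} ({f.reason})")
```

On the sample host, sudo is already at the fixed version and curl is not installed, so neither produces a finding; openssl is reachable and unmitigated and goes first, nginx and zlib are scheduled (one mitigated, one not network-reachable), and libxml2 waits for the next cycle. The Maintenance step is simply re-running triage whenever the advisory feed changes.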
Physical and Virtual Server Security Policy
Server security policy management includes keeping security settings up to date as your various server configurations change over time. The steps to help secure your servers through policy management include:
- Analyze server security settings to ensure that the security policy applied to a server is appropriate for the server role.
- Update a server security policy when the server configuration is modified.
- Create a security policy for a new application or server role not included in Server Manager.
- Use security policy management tools to apply security policy settings that are unique to your environment.
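As an added example, not code from the policy bundle, the Python below implements the first two steps of that list: it holds a common baseline plus role-specific settings, reports where a server's observed settings are missing from, differ from, or fall outside the baseline for its role, and fingerprints the observed configuration so that a change made since the policy was last applied is detected and flagged for re-application. A server whose role has no baseline is rejected rather than silently passed, which is the case the third step exists for. The setting names, the baselines and the two sample servers are constructed illustrations, not the policy's own settings.

```python
"""Role-based server security baseline check with configuration-drift detection.

Added example, not code from the policy bundle. Setting names, baselines and
the sample servers are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Settings every server must have regardless of role (constructed).
COMMON_BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "auditd.enabled": "yes",
}

# Role-specific settings layered on top of the common baseline (constructed).
ROLE_BASELINES = {
    "web": {**COMMON_BASELINE, "firewall.allowed_ports": "80,443", "tls.min_version": "1.2"},
    "db": {**COMMON_BASELINE, "firewall.allowed_ports": "5432", "db.require_ssl": "on"},
}


@dataclass(frozen=True)
class Deviation:
    kind: str               # "missing", "mismatch" or "unmanaged"
    setting: str
    expected: Optional[str]
    actual: Optional[str]


def check_server(role: str, observed: dict) -> list:
    """Compare a server's observed settings against the baseline for its role.

    "missing":   the baseline requires a setting the server does not report.
    "mismatch":  the setting is present but carries the wrong value.
    "unmanaged": the server has a setting the role baseline says nothing about.
                 Not a failure by itself, but it needs review: it may be a
                 setting from another role applied by mistake, or a gap in
                 the baseline that should be closed.
    """
    if role not in ROLE_BASELINES:
        raise ValueError(f"no baseline defined for role {role!r}; create one before deploying")
    baseline = ROLE_BASELINES[role]
    deviations = []
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual is None:
            deviations.append(Deviation("missing", setting, expected, None))
        elif actual != expected:
            deviations.append(Deviation("mismatch", setting, expected, actual))
    for setting in sorted(observed.keys() - baseline.keys()):
        deviations.append(Deviation("unmanaged", setting, None, observed[setting]))
    return deviations


def fingerprint(observed: dict) -> str:
    """Stable hash of a configuration; record it whenever the policy is applied."""
    canonical = json.dumps(observed, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def policy_needs_reapply(observed: dict, fingerprint_at_last_apply: str) -> bool:
    """True when the configuration changed since the policy was last applied."""
    return fingerprint(observed) != fingerprint_at_last_apply


def audit(role: str, observed: dict, fingerprint_at_last_apply: str) -> dict:
    """One server's verdict: compliant only if nothing is missing or mismatched."""
    deviations = check_server(role, observed)
    return {
        "compliant": not any(d.kind != "unmanaged" for d in deviations),
        "deviations": deviations,
        "reapply_policy": policy_needs_reapply(observed, fingerprint_at_last_apply),
    }


# Constructed sample servers: WEB01 matches its baseline, DB01 has drifted.
WEB01 = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "auditd.enabled": "yes",
    "firewall.allowed_ports": "80,443",
    "tls.min_version": "1.2",
}
DB01 = {
    "ssh.PermitRootLogin": "yes",          # mismatch
    "ssh.PasswordAuthentication": "no",
    "firewall.allowed_ports": "5432,22",   # mismatch: extra port opened
    "db.require_ssl": "on",
    "ntp.server": "10.0.0.5",              # unmanaged: not in the db baseline
}                                          # auditd.enabled is missing

if __name__ == "__main__":
    for name, role, observed in (("web01", "web", WEB01), ("db01", "db", DB01)):
        result = audit(role, observed, fingerprint(WEB01))
        print(name, "compliant" if result["compliant"] else "NON-COMPLIANT",
              "(policy stale)" if result["reapply_policy"] else "")
        for d in result["deviations"]:
            print(f"  {d.kind:9} {d.setting}: expected={d.expected!r} actual={d.actual!r}")
```

Store the fingerprint alongside the record of which policy version was applied; a mismatch on the next run is the trigger for the "update the policy when the configuration is modified" step, even when the drifted settings happen to still satisfy the baseline.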
Record Management, Retention, and Destruction Policy
There are many common myths about tape, disk, data protection and archiving, one, for example, being that archiving and long-term data retention are only for regulatory compliance purposes. The reality is that while regulatory compliance data, including Sarbanes-Oxley, ISO, financial or HIPAA medical, require long-term retention, many other common application data for almost every business, including those that do not fall under regulatory requirements, can benefit from - if not require - long–term data retention. The notion is to think beyond regulatory compliance. In other words, organizations of all sizes need and rely on information, both current and past.
Contains everything needed to implement a record management policy, including an Interview Checklist to use when you are implementing or altering the records management process.
A record is essentially any material that contains information about your company's plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record, and you are now expected to retain and manage every one of those records for several years or even permanently, depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers, who must come up with rock-solid solutions to securely store and manage all this data.
The Record Management, Retention, and Destruction policy is a detailed template which can be utilized on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.
The areas included with this policy template are:
- Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
- Record Management
- Compliance and Enforcement
- E-mail Retention and Compliance
- Job Description Manager Record Administrator
- 12 forms for Record Retention and Disposition Schedule
- Record Management Best Practices
You can download the Table of Contents and selected pages for this policy template.
Service Level Agreement Policy Template with Sample KPI Metrics
The Service Level Agreement Policy Template is a nine page policy for a single application. It defines specific SLAs and metrics that are both internally and externally focused. The sample contains over 70 possible metrics presented graphically in PDF format.
The table of contents for the policy template is as follows.
Service Level Agreement For The Application
- Three-Tier Environment
- Service Level Agreement (SLA)
- Internal IT SLAs
- Hardware/Network Maintenance
- Backup and Recover
- Application Administration
- Application Updates
- External SLA
- IT Obligations
- End User Obligations
- Internal IT SLAs
- Sample Metrics
The sample metrics are provided in PDF format with a bookmarked outline showing the classification of the 70 metrics depicted graphically.
Telecommuting Policy
Telecommuting is a popular alternative to making the drive in to work every day. If your users are asking about telecommuting, you may find that a telecommuting policy helps make things clear to them.
With the rise of the Internet and the increase in affordable bandwidth came a new type of worker, the telecommuter. Available technologies have, in certain cases, allowed companies to offer certain employees the ability to work from home instead of the office. This can be a benefit not only for the employee but also for the company itself. As more and more employees clamor for the ability to telecommute, it is imperative for companies to have a viable telecommuting policy in place.
Telecommuting Policy Template - This policy is over 20 pages in length. It contains everything that an enterprise needs to implement a functioning and compliant telecommuting process. Included are forms defining the working environment in addition to a checklist to validate that the off site location complies with your safety requirements.
Text Messaging Sensitive and Confidential Information Policy
Users can capture sensitive or confidential data from systems via screen captures and web based applications and send an enterprise's key information assets with a click of a button. Be it a disgruntled employee or someone with prying eyes, these assets need to be protected.
Janco Associates, in concert with a dozen of its leading world class clients, has created a standard template that any enterprise can use to create a policy to help manage this ever more risky environment.
Travel and Off-Site Meeting Policy
Travel and Off-Site Meeting Policy - Protection of data and software is often complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other employees, contractors, suppliers and customers, data and software can be compromised. This policy is seven (7) pages in length and covers:
- Laptop and PDA Security
- Wireless and Virtual Private Networks (VPN)
- Data and Application Security
- Public Shared Resources
- Minimizing attention
- Off-Site Meetings
- Remote Computing Best Practices
This policy has been updated to reflect the requirements of PCI-DSS, Sarbanes-Oxley, HIPAA, and ISO. The policy comes as both a WORD file and a PDF file utilizing a standard CSS style sheet.
Sensitive Information Policy
Includes HIPAA Audit Program Guide, a PCI Audit Program, and an electronic form that can be used to quickly deploy this Policy. Plus as a bonus you get the User/Customer Bill of Rights for Sensitive and Confidential Information.
This policy is easily modified and defines how to treat credit card, Social Security, employee, and customer data. The template is 34 pages in length and complies with Sarbanes-Oxley Section 404, ISO/IEC 27002 (formerly ISO/IEC 17799), and HIPAA. The PCI Audit Program that is included is an additional 50 plus pages in length.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
The HIPAA Audit Program Guide provides you with a checklist of the must be implemented items which HIPAA mandates.
You can download the Table of Contents and some sample pages for this policy template.
Social Networking Policy
Social networking is going corporate. The popular technology used by millions of people to share ideas and photos on MySpace, Facebook, LinkedIn and others is catching on at companies to improve productivity and communication among workers. Private, internal social networks make sense as companies grapple with a slumping economy that has made travel cost-prohibitive even as workforces are spread out as never before.
With increased adoption of social networks among the public, organizations have begun setting up profiles within social networks as a means to further connect with their audiences. Organizations who have been most successful in these endeavors take time to survey the community, understand the values and rules of engagement. In short, they pay attention to the culture and identify what is accepted before they join. When they join, the organizations who have had success within social networks remember that this isn't a place for traditional public relations tactics but a place for engagement. These organizations don't always just talk about themselves, but they have real and human-toned conversations with real people.
The issue faced by enterprises of all sizes is ensuring that the right message is being communicated in a consistent manner. The first step in achieving this objective is to have a uniform social network policy.
Janco recommends that companies embrace social networking because:
- Social networking is going to happen - Workers increasingly have Internet access on their smart phones. By the year 2013, 43% of global mobile internet users (607.5 million people worldwide) will be accessing social networks from their mobile devices.
- Most employees will use it wisely and for the benefit of the enterprise - Some CIOs fear that social networking would lead to employees "networking" instead of doing their jobs. Employees with proper training and guidance will use this new "technology" in ways that enhance the enterprise's products and services.
- Social networks actually can make workers more productive - Three out of four of the 895 experts interviewed for the recent Pew Internet report The Future of the Internet IV, said that use of the Internet enhances and augments human intelligence, and two-thirds said use of the Internet has improved reading, writing, and rendering of knowledge.
- Great ideas are gems that are ready to be found on social networks - Great ideas can come from any level of a company. Using social networks internally (wikis, blogs, forums, even IM) fosters collaboration, and allows workers at all levels to contribute ideas.
- Employees are trustworthy - Managers worry that employees will leak confidential information or speak poorly of the company, but with the proper training and procedures in place this is a non-issue.
The Social Networking Policy Template is the right tool for this task. With it you can successfully manage and control your employees' activities that relate to your enterprise.