ISO 27000 - 27001 & 27002
(formerly ISO 17799),
Sarbanes Oxley, HIPAA,
PCI-DSS, and Patriot Act Compliant
Includes Audit Program for PCI DSS Compliance, HIPAA Audit Guide, and ISO 27000 Checklist
The Security Manual for the Internet and Information Technology is over 240 pages in length. This electronic document is fully compliant with the ISO 27000 standard, Sarbanes Oxley, HIPAA standard, and the Patriot Act.
All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes Oxley compliance. In addition, the Security Manual Template PREMIUM Edition contains detail job descriptions that apply specifically to security and Sarbanes Oxley. The job descriptions are:
- Chief Security Officer (CSO)
- Chief Compliance Officer (CCO)
- VP Strategy and Architecture
- Director e-Commerce
- Database Administrator
- Data Security Administrator
- Manager Data Security
- Manager Facilities and Equipment
- Manager Network and Computing Services
- Manager Network Services
- Manager Training and Documentation
- Manager Voice and Data Communication
- Manager Wireless Systems
- Network Security Analyst
- System Administrator - Unix
- System Administrator - Windows
Clients can also subscribe to Janco's Security Manual update service and receive all updates to the Security Manual Template.
The template includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirement. The electronic document includes proven written text and examples for the following major topics for your security plan:
- Compliance to ISO 27000 (27001 & 27002), HIPAA, SOX, PCI, and the Patriot Act
- Security Manual Introduction - scope, objectives, general policy, and responsibilities
- Risk Analysis - objectives, roles, responsibilities, program requirements, and practices program elements
- Staff Member Roles - policies, responsibilities and practices
- Physical Security - area classifications, access controls, and access authority
- Facility Design, Construction and Operational Considerations - requirements for both central and remote access points
- Media and Documentation - requirements and responsibilities
- Data and Software Security - definitions, classification, rights, access control, INTERNET, INTRANET, logging, audit trails, compliance, and violation reporting and follow-up
- Network Security - vulnerabilities, exploitation techniques, resource protection, responsibilities, encryption, and contingency planning
- Internet and Information Technology contingency Planning - responsibilities and documentation requirements
- Travel and Off - Site Meetings - specifics of what to do and not do to maximize security
- Insurance - objectives, responsibilities and requirements
- Outsourced Services - responsibilities for both the enterprise and the service providers
- Waiver Procedures - process to waive security guidelines and policies,
- Incident Reporting Procedures - process to follow when security violations occur
- Access Control Guidelines - responsibilities and how to issue and manage badges / passwords
- Sample Forms
- Business and IT Impact Questionnaire
- Threat & Vulnerability Assessment Tool
- Security Violation Reporting form
- Security Audit form
- Inspection Check List
- New Employee Security form
- Security Access Application form
Improving eMail SecurityApril 29th, 2012
DMARC.org - or the Domain-based Message Authentication, Reporting, and Conformance - is a new white-list system will be available for use across the Internet.
The other companies in the DMARC working group are AOL, Bank of America, Fidelity Investments, American Greetings, LinkedIn, and e-mail security providers Agari, Cloudmark, eCert, Return Path, and Trusted Domain Project.- more info
Post Interview thank you notesApril 13th, 2012
In today's frenetic world of cyber-communication, many job seekers struggle with this basic question. Is it better to go with the flow - and thank your interviewer via e-mail, a quicker, but less formal means of communication? Or are you better off standing out from the crowd by sending a hand-written thank-you note?
Hand-written notes are more personal, more effective, and leave a more lasting impression on the interviewer. They also provide a great chance for you to let your personality shine through-more than you could do in an e-mail.
But e-mailed notes are faster to send and arrive faster; they are more likely to get read than snail mail; and the interviewer can easily respond to you if he or she feels like it.- more info
Mobile devices put confidential data at riskApril 2nd, 2012
The average cost to an organization every time a corporate secret is revealed to unauthorized parties, especially agents and their competitors, is
$1.3 million. Forty three percent of CIOs believe this occurs about once every month and 29 percent believe it happens annually. Eighty percent believe that the organization would not discover the wrongful interception of a smartphone conversation that revealed valuable corporate secrets.
Other vulnerabilities these devices face include attacks by viruses, spyware, malicious downloads, phishing and spam. It also has been found that Androids and iPhones have emerged as popular platforms for attack. There also has been a consistent degree of evolution in the sophistication and execution of these threats.
Every organization needs to identify and develop mobile security policies to be deployed which will provide adequate protection. The level of protection has to be aligned with the level of risk that your organization is willing to accept. These policies should ensure that the many regulatory or compliance concerns that might be applicable are addressed. The mobile security policy should be integrated within your overall information security policy framework.- more info
Loss of BOYDs puts companies at riskMarch 13th, 2012
According to a recent study by security software vendors, people who lose their smartphones or other mobile devices in public have less than a 50 percent chance of ever getting them back. And even if the device is returned, the person who found the phone most likely browsed the contents.
The theft or accidental loss of a Bring Your Own Device (BYOD) can expose businesses and individuals to loss of any data stored on the device, as well as data residing in corporate systems or cloud applications to which the device might have direct connections. The use of BYODs within a corporate environment further complicates the issue of data protection, as information may flow onto or through devices that are not fully controlled by the business.- more info
Congress tries to let states to charge sales tax on Internet transactionsMarch 1st, 2012
Three bills have been introduced in Congress that would tax internet sales: the Mainstreet Fairness Act, the Marketplace Fairness Act, and the Marketplace Equity Act.
The first two bills allow states to demand sales tax on purchases from large online and mail-order retailers if those states join the Streamlined Sales Tax and Use Agreement (SSUTA), a project created by some of the states to standardize the tax system. After the Supreme Court's Quill decision, these states agreed to try to simplify and unify their laws to "convince Congress to enact federal legislation that would overturn the Quill case.
Under the SSUTA, state and local jurisdictions each have one tax rate, or possibly two. All the states must define products, like candy, the same way. For instance, states that adhere to the SSUTA do not collect sales tax on cereal bars that contain flour, because they all define that product as "food."
The SSUTA requires each state to offer one central database or location for companies to file their taxes, to lower business expenses. The agreement also offers an exemption for small retailers that make $500,000 or less in national remote sales per year.
As of 2012, only 24 states have signed onto the project. Absent are the largest states, including New York, California, Illinois, Texas, and Florida.
Under the Marketplace Fairness Act, states that decline to join the SSUTA can also require sales tax collection on remote purchases if they simplify their taxation policies according to the bill's standards.
The third bill, the Marketplace Equity Act, also attempts to streamline sales-tax collection but remains independent of the SSUTA. Each of the proposed laws would make an exemption for small retailers, though the Mainstreet Fairness Act and the Marketplace Equity Act leave room for the states to define what's small. The Marketplace Fairness Act requires companies to make $500,000 or less from remote sales to qualify as small.- more info
Over 30% of all enterprise data resides remotelyFebruary 25th, 2012
Remote or branch offices are increasingly at the front lines of business - they have the closest contact with customers and business partners and therefore can have a dramatic impact on the success of the business. Analysts estimate that there are more than four million remote offices in the United States alone.
Many of these offices run autonomously from headquarters andare responsible for managing their own operations - including protecting and retaining the electronic information that they generate. Ignoring the recovery needs of this remotely storeddata is simply not an option. As companies expand operations into new markets, the percent-age of total corporate data in remote offices is increasing - the industry average is now 31%. However, many companies may not be adequately protecting these assets to ensure fast, reli-able recoverability.- more info
CIOs not valued by CFosFebruary 16th, 2012
The Financial Executives Research foundation in a survey found out that finance chiefs alone authorize 26% of all IT investments, while chief information officers approve only 5%. This makes sense: in tough economic times finance inevitably asserts itself and casts a gimlet eye on spending. In fact, an October 2011 report by CDW, one of the world's largest technology resellers, said that only 40% of IT decision-makers expect their budgets to rise this winter, down 8% from last year and the lowest level of IT investment increase since October 2009.
Given the oft-unequal CFO-CIO relationship and constrained IT spending, it's not surprising that the techies seemed more downcast than usual in another poll, CIO magazine's 2011 "State of the CIO" survey. Only 33% of CIOs believe they're seen as a "trusted partner or business peer," and even fewer (31%) see themselves viewed as a "valued service provider." Only 11% think IT is providing competitive differentiation - again not a surprise, given how cloud computing is propelling IT toward a utility model.
The fact that two out of three CIOs don't believe that they're seen as a trusted partner is not good news for CFOs. That's because to remain competitive, businesses need their top finance and IT managers to maintain a productive relationship.- more info
Security threats are on the rise and they are costlyFebruary 12th, 2012
Companies as well as individuals need well defined security policies and procedures to combat secruity threats.
In a report that was recently published it was estimated that breaches cost companies between $90 and $305 per lost record. This includes notifying customers, hiring contractors to fix computer systems, fines and lost business. In addition, over 95 percent of network attacks are entirely financially motivated. This is different than two or three years ago where it may have been a college student who wanted to crash your computer. Threats today burrow deep in computers and hide. They are a lot less visible today.
Indeed, the new threats are much more sophisticated than those security experts had foiled in the past. The easy things - viruses, Trojans and worms - are generally stoppable by most firewalls or certainly inline intrusion prevention. But now, hackers and the organizations that fund them have upped the ante for gateway and network security.- more info
Will IT spending go up?January 20th, 2012
IT spending is expected to increase in 2012. After years of budgets crimped by a bum economy, there is significant pent-up demand at companies around the globe to drop some extra cash for the products and services they have been waiting for to drive business forward. But we have heard this song before.
Gartner was bullish on IT spending last year, saying that it could rise somewhat significantly in 2012, yet in its latest report the research firm acknowledges that its estimates might have been too optimistic. Global spending on IT spending will still be up, the company says, but do not expect it to rise too quickly.- more info
CIO success is driven by relationshipsJanuary 8th, 2012
Relationships are critical for a CIOs success. A poor relationship with superiors and staff is the number one reason for failure of CIO. Relationships are critical to communications and without them common goals cannot be achieved.
CIO and employees who understand each other have preferred styles .better understand how to communicate and work together effectively. Factors that strongly predict the compatibility between a CIO and their teams are self-assurance, self-reliance, conformity, optimism, decisiveness, objectivity, and approach to learning. Assessing a CIO relationships with team members allows the CIO to use objective information about themselves and their teams so that they can work more effectively toward a common goal.
A poor relationship with one's boss is the number one reason for failure at work. Two common flashpoints adversely affect performance:
- more info
- The employee is unclear about the CIO's expectations - Goals should cascade down from the CIO to team members so that everyone understands how they contribute to the objectives of both the team and the organization. If an employee does not understand the goals given,or if they have not been given goals at all, the onus is on the employee to seek clarity. Asking a simple question such as, "What are the top three priorities in my role that you would like me to focus on?" can help everyone on the team gain clarity. Employees should also ask, "Why is this so important?" as the answer will give them a lot of good clues for developing the relationship with their CIO.
- CIOs fail to adapt their styles to the employees' preferred styles - Every employee/CIO relationship is unique and requires a different management approach. For example, the approach taken by highly decisive boss working with a highly decisive employee should be significantly different from the approach taken by this same boss when working with a less-decisive employee. The decisive employee thrives on quick decisions, while the other employee will be more methodical in thier decision-making approach. The less-decisive employee will potentially enter into conflict with the faster-paced CIO.