Disaster Recovery Planning (DRP)
Business Continuity Planning (BCP)
Binomial International
The Binomial Bookstore
Rothstein Associates Inc.
Info & Network Security, Info Protection
SECURITY MANUAL TEMPLATE
by Janco Associates
Sarbanes Oxley / HIPAA / Patriot Act Compliant

We will always ship the most current edition available. If a new edition is imminent, we will check with you before shipping.

This Security Manual for the Internet and Information Technology is over 215 pages in length. It includes both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes-Oxley compliance). The plan is 215+ pages and includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirement.

The electronic document includes proven written text and examples for the following major sections for your security plan:
- Security Manual Introduction - scope, objectives, general policy, and responsibilities
- Risk Analysis - objectives, roles, responsibilities, program requirements, and practices program elements
- Staff Member Roles - policies, responsibilities and practices
- Physical Security - area classifications, access controls, and access authority
- Facility Design, Construction and Operational Considerations - requirements for both central and remote access points
- Media and Documentation - requirements and responsibilities
- Data and Software Security - definitions, classification, rights, access control, INTERNET, INTRANET, logging, audit trails, compliance, and violation reporting and follow-up
- Network Security - vulnerabilities, exploitation techniques, resource protection, responsibilities, encryption, and contingency planning
- Internet and Information Technology Contingency Planning - responsibilities and documentation requirements
- Insurance - objectives, responsibilities and requirements
- Outsourced Services - responsibilities for both the enterprise and the service providers
- Waiver Procedures - process to waive security guidelines and policies
- Incident Reporting Procedures - process to follow when security violations occur
- Access Control Guidelines - responsibilities and how to issue and manage badges / passwords
- Glossary - over 300 terms defined
- Sample Forms - Security Violation Reporting Form (8 pages) and Security Audit Form (3 pages)

EXCERPT FROM INTERNET AND INFORMATION TECHNOLOGY SECURITY MANUAL
© 2007 copyright Janco Associates, Inc. – ALL RIGHTS RESERVED

“This document implements a formal, ENTERPRISE wide program intended to protect Internet and Information Technology systems resources and assure their availability to support all ENTERPRISE operations.

“All elements of the ENTERPRISE Internet and Information Technology Security Program should be structured to minimize or prevent damage, which might result from accidental or intentional events, or actions that might breach the confidentiality of ENTERPRISE records, result in fraud or abuse, or delay the accomplishment of ENTERPRISE operations.

“The objective of the ENTERPRISE Internet and Information Technology Security Program is to achieve an effective and cost beneficial security posture for the enterprise's Internet and Information Technology systems. Attainment of this objective requires a balanced combination of problem recognition, resources and policy to implement an effective program.
The information in this manual:
- Applies to all Internet and Information Technology systems and must be considered from a total-system perspective (i.e., the protection of information must be considered from its origination to its final destruction, to include all processes affecting the information)
- Should be considered as the minimum standard for all Internet and Information Technology systems and supporting manual activities
- Establishes Internet and Information Technology security policies, assigns responsibilities and prescribes procedures for the development and maintenance of ENTERPRISE wide Internet and Information Technology security
- Describes the ENTERPRISE Internet and Information Technology security program
- Complies with the intent of prevailing privacy legislation regarding safeguards and with certain sections of the Foreign Corrupt Practices Act

SCOPE

“The scope of this manual is to:
- Provide uniform policy and centralized guidance for dealing with all known and recognized aspects of Internet and Information Technology Security affecting ENTERPRISE and its operations
- Provide realistic guidance to ensure that all sensitive information handled by ENTERPRISE automated systems is protected commensurate with the risk of inadvertent or deliberate disclosure, fraud, misappropriation, misuse, sabotage or espionage

NOTE: For the purposes of this document sensitive information includes, but is not restricted to, that information which must be safeguarded so as to:
  - Prevent damage to ENTERPRISE business operations due to unauthorized disclosures
  - Assure the individual privacy of ENTERPRISE customers and staff members
  - Protect funds, supplies and materials from theft, fraud, misappropriation or misuse
  - Protect property and rights of contractors, vendors and other organizations

- Provides for the documented, justified selection of physical, technical and administrative security controls which are cost-effective, prudent and operationally efficient
- Provides for the monitoring of the implementation of selected security controls and procedures
- Provides for the auditing and reviewing functions necessary to ensure compliance with stated security requirements
- Protect contract negotiations and other privileged considerations in dealings with contractors, vendors, correspondents and other organizations
- Protect staff members from unnecessary temptation to misuse ENTERPRISE information or Internet and Information Technology systems resources while fulfilling their normal duties
- Protect staff members from suspicion in the event of misuse or abuse by others

RESPONSIBILITIES

“The ENTERPRISE Internet and Information Technology Security Program has been established in recognition of the enterprise's dependence upon computer-based services and the special problems involved in securing them.

“Because of this dependence and the embedding of Internet and Information Technology systems into virtually every ENTERPRISE function and process, Internet and Information Technology Security cannot be viewed as a minor technical matter falling under the exclusive purview of the information processing community. To the contrary, the vital function of the computer and the potential impact upon the enterprise of security shortcomings make Internet and Information Technology Security a serious concern of all levels of ENTERPRISE management.

“This section prescribes responsibilities for all levels of ENTERPRISE management, support staffs, and committees in order to assure successful implementation of the ENTERPRISE Internet and Information Technology Security Program. It also delineates the activities required of other organizational entities in support of the ENTERPRISE Internet and Information Technology Security Program.
MANAGER, INTERNET AND INFORMATION TECHNOLOGY GROUP

“The manager of the Internet and Information Technology Group is responsible for the ENTERPRISE Internet and Information Technology Security Program and for ensuring compliance with the security policy. In this capacity the manager shall:
- Provide the resources for the development, implementation and maintenance of policies, plans and procedures to manage the overall ENTERPRISE Internet and Information Technology Security Program
- Ensure identification of Internet and Information Technology Security related problems, requirements and needs for resolution to ENTERPRISE executive management
- Represent the interest of the ENTERPRISE Internet and Information Technology Security Program to the Strategic Planning Committee

SUPPORT MANAGER

“The support manager is the manager responsible for the operating integrity of an information system.

“This manager must be of vice president level or above and is responsible for requesting appropriate establishment or modification to the access control restrictions for an information system resource. This request requires approval of the owner of that resource.”

TABLE OF CONTENTS

SECURITY PROGRAM - INTRODUCTION
Scope; Objective; Applicability; Security General Policy; General Management; Individual Managers And Staff Members; Principles Of Least Privilege And Need-To-Know; Sensitivity And Criticality Of Information And Applications; Critical Applications; Sensitive Information and Applications; Safeguarding Internet and Information Technology Resources; Security Risk Analysis Program; Processing Area Risk Categories; Sensitive Staff Member Positions; Security Design and Procurement Specifications; Software Security; Hardware Security; Network Security; Logical Access Controls; Software Development Controls; Responsibilities; Manager, Internet and Information Technology Group; Manager, Financial Management & Control Department; Security Committee (SC); Manager, Internet and Information Technology Security; All Enterprise Managers (Enterprise Groups, Departments And Divisions); Security Representative; Enterprise Staff Members

RISK ANALYSIS
Objective; Roles and Responsibilities; General Responsibilities; Manager, Financial Management & Control Department; Internet and Information Technology Security Group; Managers, all enterprise user/support departments; Supporting Responsibilities; Security Committee; Program Requirements; Frequency; Relationship To Effective Security Design; Selection Of Safeguards; Requests For Waiver; Program Basic Elements; Asset Value Analysis; Threat And Vulnerability Analysis; Exposure Analysis; Calculation of Annual Loss Expectancy; Countermeasure Evaluation And Selection; Identification Of Candidate Countermeasures; Cost/Benefit Analysis; Selection of a Countermeasure; Management Decision; Control Implementation; Effectiveness Review

STAFF MEMBER ROLES
Basic Policies; Individual Responsibility; Review Of Positions; Violation Procedures; Dangerous Security Practices; Security Violations; Management Action; Security - Responsibilities; Managers, all departments, Internet and Information Technology Group; Managers, Personnel Organizations; Manager, Legal Department; Manager, Internet and Information Technology Contracts/Hardware Services Division; Manager, Audit Department; Internet and Information Technology Security Group, Financial Management & Control Department; Determining Sensitive Internet and Information Technology Systems Positions; Personnel Practices; Hiring Procedures; Termination Types; Voluntary Termination; Job Abandonment; Involuntary Termination; Termination Actions; Education And Training; Contractor Personnel

PHYSICAL SECURITY
Information Processing Area Classification; Application Processing Backup Capability; Classification Categories; Category I Information Processing Area; Category II Information Processing Area; Category III Information Processing Area; Category IV Information Processing Area; Access Control; Separation of Duties; Least Privilege; Access Areas; Individual Accountability; Access Control Methods; Levels Of Access Authority; Permanent Access; Temporary Access; Access Control Requirements by Category; Category I Information Processing Areas; Category II Information Processing Areas; Category III Information Processing Areas; Category IV Information Processing Areas; Implementation Requirements; Protection of Supporting Utilities

FACILITY DESIGN, CONSTRUCTION AND OPERATIONAL CONSIDERATIONS
Building Location; External Characteristics; Location Of Information Processing Areas; Construction Standards; Water Damage Protection; Air Conditioning; Entrances and Exits; Interior Furnishings; Fire Prevention; Fire Detection; Fire Suppression; Sprinklers - Category I, II, III and IV Areas; Halon - Category I and II Areas; Emergency Shut Down Control - Category I and II Areas; Portable Fire Extinguishers - Category I, II, III and IV Areas; Electrical; Category I, II, III and IV Areas; Uninterruptible Power Supplies; Emergency Power; Air Conditioning; Category I, II, III and IV Areas; Category I and II Areas; Category I Areas; Remote Internet and Information Technology Workstations; Security Requirements; Training, Drills, Maintenance And Testing

MEDIA AND DOCUMENTATION
Data Storage And Media Protection; Labeling; Storage; Retention Schedule; Disposal Of Sensitive Information; Documentation; Responsibilities; Accountability And Control; Storage of Information and Forms; Disposal; Off-Site Backup Storage; Combustible Media

DATA AND SOFTWARE SECURITY
Resources To Be Protected; Data; Software; Basic Standards; Classification; Sensitive Information; Non-Sensitive Information; Rights; Support Manager; Users; Access Control; Types Of Controls; Hardware Controls; System Software Controls; Systems Software Rights Controls; Access From Other Sites; Controllability; Integrity; Identification; Authentication Techniques; Standards For Passwords; Authorization Verification; Internet / Intranet / Terminal Access; Owners; Access Control; User Accountability; Logging And Audit Trails; Reporting; Network Security; Internet / Intranet Security; Dial-up Access Security; Logging And Audit Trails; Requirements; Accountability; Reconstruction Of Events; Information to Be Recorded; Tracing Transactions; Support Information; Retention Period; Documentation / Audit Trail Data; Audit Log Requirements; Job-Related Data Log; Program-Related Log; File-Related Log; Transaction-Related Log; Message-Related Log; Data Base-Related Log; Satisfactory Compliance; Violation Reporting And Follow-Up; Detection; Violation Logging; Follow-Up On Violation Reporting

NETWORK SECURITY
Vulnerabilities; Exploitation Techniques; Unauthorized Interception; Unauthorized Insertion of Information; Unauthorized Denial of Service; Unauthorized Intrusion; Goal; Responsibilities; Owners; Application Support Organizations; Network Services; Internet and Information Technology Security; Resource Protection; Network Components; Wire Closets; Remote Devices; Configuration Management; Dial-Up Controls; Message Authentication; Encryption; Standards; Key Management; Rules; Exceptions; Network Contingency Planning

INTERNET AND INFORMATION TECHNOLOGY CONTINGENCY PLANNING
Responsibilities; Manager, Internet and Information Technology Group; Manager, Financial Management & Control Department; Managers, Information Processing Areas; Manager, Contingency Planning; Managers, All Departments; User Organizations; Information Technology Disaster Recovery Planning; Contingency Planning Development Activities; Documentation; Contingency Plan Activation And Recovery

INSURANCE
Objectives; Responsibilities; Risk Manager; Contracts/Hardware Services Manager; Managers, All Departments, Internet and Information Technology Group; Internet and Information Technology Security Group And The Risk Manager; Filing A Proof Of Loss; Risk Analysis Program; Purchased Equipment and Systems; Leased Equipment and Systems; Media; Business Interruption; Staff Member Dishonesty; Errors And Omissions

OUTSOURCED SERVICES
Responsibilities; Managers, All Departments, Internet and Information Technology Group; Managers, All Other ENTERPRISE Departments; Internet and Information Technology Systems Contract Personnel And Organizations; Manager, Internet and Information Technology Contracts/Hardware Services Division; Internet And Information Technology Security Group; Manager, Audit Department; Outside Service Providers; Contract Terms And Operating Policies

WAIVER PROCEDURES
Purpose And Scope; Policy; Definition; Responsibilities; Procedure

INCIDENT REPORTING PROCEDURE
Purpose & Scope; Definitions; Responsibilities; Procedure; Analysis/Evaluation

ACCESS CONTROL GUIDELINES
Purpose & Scope; Objectives; Definitions Of Access Control Zones; Public Areas; Controlled Areas; General Areas; Restricted Areas; Responsibilities; Internet and Information Technology Security Group; Access Control Operations Center; Requesting Manager Responsibilities; Authorizing Managers; Security Guards; Staff Members; Audit Department

BADGE ISSUANCE
Permanent Badge/Permanent Staff Member; Permanent Badge/Temporary Staff Member; Temporary Badge/Permanent Staff Member; Temporary Badge/Temporary Staff Member; Temporary Badge/Non-staff Members

GLOSSARY

FORMS
Security Violation Form; Security Audit Report Form; Inspection Check List; General; Employees; Office Equipment / Computers; Security Procedures; Employee Forms; New Employee Security Questionnaire; Security Access Application Form

OPTIONAL Update Service Available: $329.00 additional at time of order for 12-month subscription. Includes a minimum of one update. Specify at time of order.

215+ pages. Microsoft Word format. Distributed by e-mail. Order #DR640
Also available on CD - add $10.00. Special Order Item.

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEIN
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008