<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://www.securityprocedure.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Procedures</title>
 <link>http://www.securityprocedure.com/tag/procedures</link>
 <description>The taxonomy view with a depth of 0.</description>
 <language>en</language>
<item>
 <title>OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security</title>
 <link>http://www.securityprocedure.com/oecd-guidelines-security-information-systems-and-networks-towards-culture-security</link>
 <description>&lt;p&gt;These guidelines apply to all participants in the new information society and suggest the need for a greater awareness and understanding of security issues, including the need to develop a &quot;culture of security&quot; - that is, a focus on security in the development of information systems and networks, and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks. The guidelines constitute a foundation for work towards a culture of security throughout society.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/oecd-guidelines-security-information-systems-and-networks-towards-culture-security&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/oecd-guidelines-security-information-systems-and-networks-towards-culture-security#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <category domain="http://www.securityprocedure.com/tag/security">Security</category>
 <category domain="http://www.securityprocedure.com/tag/security-management">Security Management</category>
 <pubDate>Mon, 11 Aug 2008 02:26:05 -0500</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">258 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>Download Free Policy &amp; Procedure Manager 4.5 for Regulatory Compliance Standards</title>
 <link>http://www.securityprocedure.com/download-free-policy-procedure-manager-45-regulatory-compliance-standards</link>
 <description>&lt;p&gt;&lt;b&gt;The web-based Policy &amp;amp; Procedure Manager&lt;/b&gt; provides your staff with instant access to your organization&#039;s policies and procedures. It notifies those who are required to read specific documents and tracks who has read them. You can use the software to create, review, approve, and archive all of your documents, not just policies and procedures. Email reminders and reports ensure that everything stays up to date. You can also organize documents according to any regulatory compliance standards - such as Sarbanes Oxley, ISO 9000, JCAHO, HIPAA, state guidelines.&lt;/p&gt;
&lt;p&gt;Size: 29.57MB&lt;br /&gt;
License: Free to try&lt;br /&gt;
Requirements: Windows 95/98/Me/NT/2000/XP&lt;br /&gt;
Limitations: 30-day trial&lt;br /&gt;
Date Added: February 19, 2008 &lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.download.com/Policy-Procedure-Manager/3000-2076_4-10154760.html?hhTest=1&amp;amp;tag=lst-6&amp;amp;cdlPid=10794949&quot;&gt;Download Page&lt;/a&gt;&lt;/p&gt;
</description>
 <comments>http://www.securityprocedure.com/download-free-policy-procedure-manager-45-regulatory-compliance-standards#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/audit">Audit</category>
 <category domain="http://www.securityprocedure.com/tag/download">Download</category>
 <category domain="http://www.securityprocedure.com/tag/policies">Policies</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Fri, 11 Jul 2008 05:32:45 -0500</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">227 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>The truth about IT security policy</title>
 <link>http://www.securityprocedure.com/truth-about-it-security-policy</link>
 <description>&lt;p&gt;&amp;quot;&amp;hellip;IT security policy for IT auditor day to day perspective..&amp;quot;&lt;/p&gt;
&lt;p&gt;I&#039;ve been working on IT security policies and procedures for the last four years. My main responsibility during that period has been providing consulting services to companies that need to comply with some kind of security standard such as Sarbanes Oxley, ISO 27001, or even just some guidelines from our government.&lt;/p&gt;
&lt;p&gt;Security policies and procedures are my main deliverables. So if you visit my clients, you will see that in their offices there are a lot of policies and procedures created by many prestigious companies; my company has also contributed there. They took international standards such as COBIT or ITIL to ensure that the company&#039;s confidential data is kept secure&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/truth-about-it-security-policy&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/truth-about-it-security-policy#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/policies">Policies</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <category domain="http://www.securityprocedure.com/tag/security">Security</category>
 <pubDate>Thu, 26 Jun 2008 02:58:48 -0500</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">175 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>The four things every IT security must do every day</title>
 <link>http://www.securityprocedure.com/four-things-every-it-security-must-do-every-day</link>
 <description>&lt;p&gt;Security work is a continuous and daily process. You can’t just install a firewall or an intrusion-detection system and say that you’re suddenly secure. In some cases, you’ll be lucky to enter an organization that already has a relatively mature security program. In these cases, most of the items discussed in the following sections will already be implemented and your job will be easier to manage. In other cases, you may find yourself hired into an organization that has not had a security program in the past. In this case, you’ll have the opportunity to build the program from the ground up. Although this might sound like more work, and a potentially bigger hassle, you may find it easier creating everything from scratch and ensuring that it’s all done correctly. But let’s look at some of the items you’ll need to understand.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;1. Patches and Hot Fixes&lt;/b&gt;&lt;br /&gt;
Both operating systems and applications have a single huge flaw: They are written by human beings. Because of that, they have bugs and security issues. Vendors release patches or hot fixes on a periodic basis to address security concerns that may have arisen since the last patch came out. To keep an organization secure, you need to ensure that these software patches are applied in a timely manner. One important item to note here: Test your patches in a test environment before you implement them in production systems. In some cases, patches have caused more harm than good because of unexpected issues.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/four-things-every-it-security-must-do-every-day&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/four-things-every-it-security-must-do-every-day#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/audit">Audit</category>
 <category domain="http://www.securityprocedure.com/tag/computer-security">Computer Security</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Tue, 24 Jun 2008 17:10:42 -0500</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">170 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>How to manage CMDB Scope</title>
 <link>http://www.securityprocedure.com/how-manage-cmdb-scope</link>
 <description>&lt;p&gt;Although a CMDB can be extremely complex, it is built of only two elementary constructs, called configuration items and relationships. Configuration items represent static portions of the IT environment, such as computers, software programs, or process documents. Relationships, as the name implies, track how these configuration items are related to one another, and are much more dynamic because these relationships can change frequently. Given these simple building blocks, defining the scope of a configuration management system is as simple as deciding which types of configuration items you want to track and which relationships will be important.&lt;/p&gt;
&lt;p&gt;Note that we define scope as which types of configuration items will be tracked, not which configuration items. Once we decide that a particular type of thing is going to be tracked, it becomes part of our scope, even if we choose to track only a single instance of that type of thing. The choice of how many of each type, and exactly which ones, is part of the span of the CMDB&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/how-manage-cmdb-scope&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/how-manage-cmdb-scope#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/configuration-management">Configuration Management</category>
 <category domain="http://www.securityprocedure.com/tag/itil">ITIL</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Mon, 02 Jun 2008 20:28:32 -0500</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">156 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>Well-written policy using the 5 Ws of Journalism</title>
 <link>http://www.securityprocedure.com/well-writen-policy-using-5ws-journalism</link>
 <description>&lt;p&gt;The written policy should clear up confusion, not generate new problems. When preparing a document for a specific audience, remember that the writer will not have the luxury to sit down with each reader and explain what each item means and how it impacts the user&#039;s daily assignments. Know the audience for whom the policies are being developed. Remember the reading and comprehension level of the average employee. When writing the policy, remember the &quot;5 Ws of Journalism 101&quot;:&lt;/p&gt;
&lt;p&gt;What: what is to be protected (the topic)&lt;br /&gt;
Who: who is responsible (responsibilities)&lt;br /&gt;
Where: where within the organization does the policy reach (scope)&lt;br /&gt;
How: how compliance will be monitored (compliance)&lt;br /&gt;
When: when does the policy take effect&lt;br /&gt;
Why: why the policy was developed&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/well-writen-policy-using-5ws-journalism&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/well-writen-policy-using-5ws-journalism#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/audit">Audit</category>
 <category domain="http://www.securityprocedure.com/tag/policies">Policies</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Thu, 22 May 2008 14:15:00 -0500</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">141 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>What is the first priority in IT audit?</title>
 <link>http://www.securityprocedure.com/what-first-priority-it-audit</link>
 <description>&lt;p&gt;If you’re the first person responsible for performing information system audit in your company, then what is your first priority? Repairing the IT process in your company? Prepare risk control matrices or just recruit another experience IS auditor for brainstorming with you?&lt;/p&gt;
&lt;p&gt;In my experience, all start from planning first. Yes IT planning plays the significant role at this stage. Remember that auditing mean a lot of interaction with a lot of departments and function across the company. So coordination is the first issue to be noted.&lt;/p&gt;
&lt;p&gt;Have you ever be in this situation?&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/what-first-priority-it-audit&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/what-first-priority-it-audit#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/audit">Audit</category>
 <category domain="http://www.securityprocedure.com/tag/policies">Policies</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Mon, 19 May 2008 16:33:45 -0500</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">138 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>Develop, Buy or Customize?</title>
 <link>http://www.securityprocedure.com/develop-buy-or-customize</link>
 <description>&lt;p&gt;Although this is not a step in the SDLC, an organization might decide to buy a product instead of building it. The decision typically comes down to time, cost, and availability of a predesigned substitute. &lt;/p&gt;
&lt;p&gt;Before moving forward with the option to buy, the project team should develop a request for proposal (RFP) to solicit bids from vendors. Vendor responses should be closely examined to find the vendor that best meets the project team’s requirements. Some of the questions that should be asked include these:&lt;br /&gt;
- Does the vendor have a software product that will work as is?&lt;br /&gt;
- Will the vendor have to modify the software product to meet our needs?&lt;br /&gt;
- Will the vendor have to create a new, nonexistent software product for us?&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/develop-buy-or-customize&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/develop-buy-or-customize#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/implementation">Implementation</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <category domain="http://www.securityprocedure.com/tag/project-management">Project Management</category>
 <pubDate>Tue, 13 May 2008 23:42:48 -0500</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">134 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>IT Service Funding: Shared Cost, Charge Back or Sponsor Pays</title>
 <link>http://www.securityprocedure.com/it-service-funding-shared-cost-charge-back-or-sponsor-pays</link>
 <description>&lt;p&gt;Senior management must select a strategy to determine who will pay for the information system’s services. Funding is an important topic because departments must have adequate funds to operate. Each funding option has its advantages and disadvantages. The three most common include these:&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Shared cost&lt;/b&gt;&lt;br /&gt;
With this method, all departments of the organization share the cost. The advantage of this method is that it is relatively easy to implement and for accounting to handle. Its disadvantage is that some departments might feel that they are paying for something they do not use.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/it-service-funding-shared-cost-charge-back-or-sponsor-pays&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/it-service-funding-shared-cost-charge-back-or-sponsor-pays#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/audit">Audit</category>
 <category domain="http://www.securityprocedure.com/tag/financial-audit">Financial Audit</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Mon, 12 May 2008 16:15:12 -0500</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">133 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>File or Folder level Encryption Pros and Cons</title>
 <link>http://www.securityprocedure.com/file-or-folder-level-encryption-pros-and-cons</link>
 <description>&lt;p&gt;File or folder level encryption (or file system level) is an encryption system where specific folders, files, or volumes are encrypted by a third-party software package or a feature of the file system itself. Here are the pros and cons of implementing file or folder level encryption. These pros and cons are taken from Tony Bradley&#039;s books about PCI compliance.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Advantages&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;More granular control over what specific information needs to be encrypted can be accomplished. Items that you desire to be encrypted can be stored in a particular folder or volume, and data that does not need to be protected can be stored elsewhere.&lt;/li&gt;
&lt;li&gt;Many file-level encryption products allow you to integrate access level restrictions. This allows you to manage who has access to what.&lt;/li&gt;
&lt;li&gt;When data is encrypted on a file level and is moved off the storage location, it is moved encrypted. This maintains the confidentiality of the data when it is moved to a backup tape.&lt;/li&gt;
&lt;li&gt;Less invasive to a database than column-level encryption. The schema of the database does not need to be modified and the access of data by authorized personnel (based on access control) is not hindered when querying and other management activities take place. This is an aspect of availability, one of the three tenets of the CIA triad.&lt;/li&gt;
&lt;li&gt;Tends to consume less resource overhead, thus less impact on system performance.&lt;/li&gt;
&lt;li&gt;Logging and auditing capabilities. Some file-level encryption systems offer the capability to track who attempts to access a file and when. Since the majority of data breaches are internal to the network, this kind of information is good to have.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Disadvantages&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Can cause performance issues for backup processes, especially with relational databases&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/file-or-folder-level-encryption-pros-and-cons&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/file-or-folder-level-encryption-pros-and-cons#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/audit">Audit</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Sun, 27 Apr 2008 20:21:02 -0500</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">127 at http://www.securityprocedure.com</guid>
</item>
</channel>
</rss>
