Sarbanes-Oxley
Compliance Auditing Tools
The audit spotlight now shines on IT. After years of regulation and embarrassing data breaches, the highest levels of management now comfortably discuss IT controls and audit results, and their quality expectations are rising. Where IT once performed audits annually, many organizations now support quarterly, monthly, and ad hoc exercises. Each audit expands the scope of the technologies that must be assessed, measured, and proven compliant, and broader scope means more complexity and more work. The Sarbanes-Oxley Compliance Kit helps you increase the timeliness and accuracy of audit data while reducing IT audit effort, disruption, and cost.
Sarbanes-Oxley challenges the Information Technology function with requirements that impact day-to-day activities.
SOX compliance monitoring and auditing tools put in place the infrastructure that every enterprise needs in order to meet the requirements of this and other mandated security regimes. Each component in this tool kit is easy to implement and meets the most stringent requirements you face.
- Security Audit Program - Contains over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings. The audit program is one that either an external or an internal auditor can use to validate the compliance of the Information Technology function and the enterprise with ISO 27000, Sarbanes-Oxley, HIPAA, and PCI-DSS. The results are posted to a 22-page Excel worksheet that graphically summarizes the strengths and weaknesses of the enterprise's security and its compliance with security best practices.
- Job Descriptions - Director Sarbanes-Oxley Compliance and Manager Sarbanes-Oxley Compliance job descriptions.
Sarbanes Oxley Auditing News
DRP versus BCP
May 17th, 2012
Disaster recovery planning is one of the most important jobs of the IT professional. It includes working with upper management and winning the cooperation of all departments to produce a recovery plan that actually works. The two main parts are the Business Continuity Plan (BCP) and the Disaster Recovery Plan (DRP), and they have to go hand in hand procedurally. The BCP is the broader plan for keeping critical business functions running during a disruption; the DRP is the IT-focused subset that sets out how, and in what order and time frame, systems and data are restored so the business can operate normally. The three stages of a DRP are Prevent, Detect, and Correct.
A disaster recovery is the response to a declared disaster, whether local to the organization or regional. It restores or recovers entire systems rather than individual files. A disaster recovery plan describes how an organization is to deal with potential disasters.
Disaster Recovery budgets remain stable
April 29th, 2012
A report into business continuity and disaster recovery budgets finds:
- According to an IT budget survey, 32 percent of enterprises had planned to increase spending on business continuity and disaster recovery by at least 5 percent in 2011. In reality, budgets have stayed constant rather than increasing as anticipated.
- Business continuity and disaster recovery budgets in 2011 averaged six percent of IT operating and capital budgets.
- The likely culprit in stalled business continuity and disaster recovery spending is the continuing economic uncertainty. Even in the best of economic times, it's difficult to build the business case for an initiative such as business continuity that's primarily about cost avoidance rather than return on investment. In tough economic times, it's almost impossible.
Business Continuity Planning
April 13th, 2012
Horizon scanning is essential to avoid surprises in business continuity planning, but identifying the most likely thing to bite you next is tricky.
Looking beyond the immediate planning risks contained in everyday events, the top three worries are:
- Supply Chain - Will an economic or political crisis mean disruption to this as a result of protest and civil unrest or even secession from monetary union?
- Severe weather - Most enterprises are geared up for "average" weather. As we see extremes of drought, cold and storm will the strain on the infrastructure become a major cause of business interruptions?
- Social Media - Increasingly organizations believe that these are essential to their businesses, yet they are provided externally, funded through advertising and beyond the control of the organization. How can we provide resilience/continuity for these? Should we?
Social media as disaster planning tools
April 2nd, 2012
Government agencies are turning to social media technology to manage disasters and improve public safety.
A growing number of agencies are tapping into Facebook and Twitter to monitor events and provide near real-time notifications. And some are now taking social media a step further by communicating internally or sharing information and comments across offices or agencies.
A September Congressional Research Service report, Social Media and Disasters: Current Uses, Future Options, and Policy Considerations, noted that social media already plays an important role in disasters, but the use of the technology for emergency management is growing.
In Fort Worth and Tarrant County in Texas, for instance, a joint emergency operations center has switched on social media tools that improve communication across dozens of agencies and departments throughout the state. Police, firefighters, healthcare providers and others use push-to-talk radio, cellular telephony, and text messaging (including text documents and file sharing) to interact with an IP telephony infrastructure located in a response center. This allows teams to coordinate immediate responses, regardless of the underlying communications technology.
- CIO IT Infrastructure Policy PDF (includes all of the policies below, which also come as individual MS Word files)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
- BYOD Access and Use Policy (Includes electronic BYOD Access and Use Agreement Form)
- Incident Communication Plan Policy (Updated to include social networks as a communication path)
- Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (Includes 5 electronic forms to aid in the quick deployment of this policy)
- Mobile Device Access and Use Policy
- Patch Management Policy
- Outsourcing Policy
- Record Management, Retention, and Destruction Policy
- Sensitive Information Policy (HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
- Service Level Agreement (SLA) Policy Template with Metrics
- Social Networking Policy (includes electronic form)
- Telecommuting Policy (includes 3 electronic forms to help effectively manage work-at-home staff)
- Travel and Off-Site Meeting Policy
- IT Infrastructure Forms
Disaster Recovery Business Continuity Basics
March 1st, 2012
The basics of a Disaster Recovery Business Continuity Plan are defined in the Janco Disaster Recovery Business Continuity Template. They are:
- Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
- Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components.
- Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
- Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
- Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
- Plan testing and training exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
- Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.