It Infrastructure Strategy And Charter Toc

  • May 2020
  • PDF

This is a sample of the final product. These pages are for your review only and are protected by Janco's copyright. PAGES HAVE BEEN EXCLUDED.

Information Technology Infrastructure, Strategy & Charter

TEMPLATE

Version 2.1

ISO 27000 Series Compliant

E-mail: [email protected]
http://www.e-janco.com

February 2008

Copyright 2008 M. Victor Janulaitis
Copyright 2008 Janco Associates, Inc. ALL RIGHTS RESERVED

All Rights Reserved. No part of this book may be reproduced by any means without the prior written permission of the publisher. No reproduction or derivation of this book shall be re-sold or given away without royalties being paid to the authors. All other publisher's rights under the copyright laws will be strictly enforced.

Published by: Janco Associates Inc., 11 Eagle Landing Court, Park City, UT 84060

435 940-9300

e-mail - [email protected]

Publisher cannot in any way guarantee the procedures and approaches presented in this book are being used for the purposes intended and therefore assumes no responsibility for their proper and correct use.

Printed in the United States of America

ISBN13 (978-1-881218-01-2)

HandiGuide is a registered trademark of Janco Associates, Inc.

IMPORTANT: In order to get support you MUST register your product by going to http://www.e-janco.com/register.asp. If your product is not registered you will have to pay for support via a credit card (MasterCard, Visa, or American Express). Please have your credit card ready prior to calling.

Both of these documents are the same but we have provided them in both for your use. If you have any questions on these documents please send an email to [email protected] and reference your order number. Telephone support can be obtained if you have registered your product by going to http://www.ejanco.com/register.asp

If you register your product within thirty (30) days of purchase and follow the instructions provided, Janco will send you a coupon for 10% off on your next purchase from any of Janco's direct sites. These include:

1. http://www.e-janco.com
2. http://www.itproductivity.org
3. http://www.ejobdescription.com
4. http://www.it-toolkits.com

© 2008 Copyright Janco Associates, Inc. - ALL RIGHTS RESERVED


READ ME - How to modify this template

This template was compiled in Word and we have used VISIO for the exhibits. You need Microsoft WORD to modify the text and VISIO to modify the exhibits. The steps that you should follow to use this template are:

1. Make the original version of the document a read only file and restrict access to it.
2. Save a copy of the Word template with a new name in a place that you can access it without altering the original.
3. Using Microsoft WORD's functionality (Edit Replace), replace:
   Mandatory
   • [Enterprise] with your enterprise's name
   Optional
   • IT Management Council with the name of your priority and resource setting group, i.e. Steering Committee
   • Chief Information Officer with Chief Technology Officer
   • CIO with CTO (make sure that you tag this as case sensitive)
   • IT with IS (make sure that you tag this as case sensitive)
4. Customize your headings and footers.
5. Note somewhere within the document that this charter was generated from one of our copyrighted templates; this reference needs to be mentioned.
6. Delete this page.
7. Go to the table of contents, right click on any part of the table of contents and select the option to replace the Table of Contents; the new Table of Contents will be generated.
8. Save the document with a name (i.e. Strategy001.doc). Increment the number each time that you save the document and you will have back-ups of your Charter that you can refer to as you customize it to meet your needs.


Table of Contents IT INFRASTRUCTURE, STRATEGY, AND CHARTER SUMMARY .......................................................1 Base Assumptions and Objectives ..........................................................................................................1 Scope and Applicability ..........................................................................................................................1 Operating Philosophy ..............................................................................................................................2 Compliance .............................................................................................................................................2 International Organization for Standardization .......................................................................................2 ISO 27000 ............................................................................................................................................2 STRATEGY AND CHARTER STATEMENT OF AUTHORITY ................................................................5 Chief Information Officer (CIO) .............................................................................................................5 Strategy and Charter .............................................................................................................................5 Authority ..............................................................................................................................................6 Functional IT Group Heads .....................................................................................................................7 Strategy and Charter .............................................................................................................................7 Authority 
..............................................................................................................................................8 IT Management Council .........................................................................................................................9 Strategy and Charter .............................................................................................................................9 Authority ..............................................................................................................................................9 Users .....................................................................................................................................................10 Strategy and Charter ...........................................................................................................................10 IT MANAGEMENT STRUCTURE .............................................................................................................11 Organizational Approach ......................................................................................................................11 [Enterprise] IT Group............................................................................................................................12 Planning, Project Management and Control .......................................................................................12 Technology.........................................................................................................................................12 Systems Development ........................................................................................................................12 Organization, Staffing and Resource Development ...........................................................................12 [Enterprise] IT Resources 
.....................................................................................................................13 Functional IT Groups ............................................................................................................................14 COMPLIANCE .............................................................................................................................................15 Objective ...............................................................................................................................................15 Responsibilities .....................................................................................................................................15 CIO .....................................................................................................................................................15 IT Management Council.....................................................................................................................16 Functional IT Heads ...........................................................................................................................16 Users ..................................................................................................................................................16 Auditors ..............................................................................................................................................17 PERSONNEL PRACTICES.........................................................................................................................18 Formal Job Descriptions .......................................................................................................................18 Job Description Format ......................................................................................................................18 Job Title 
................................................................................................................................................................. 18 Position Purpose ............................................................................................................................................... 18 Problems and Challenges ....................................................................................................................................... 19 Essential Position Functions ............................................................................................................................. 19 Principal Accountabilities ............................................................................................................................ 19 Authority ..................................................................................................................................................... 20 Job Contacts................................................................................................................................................. 20 Job Specifications ........................................................................................................................................ 20 Career Ladder ................................................................................................................................................... 21

Hiring ....................................................................................................................................................21 © 2008 Copyright Janco Associates, Inc. - ALL RIGHTS RESERVED

Page iv

Termination ...........................................................................................................................................21 Voluntary Termination .......................................................................................................................21 Job Abandonment...............................................................................................................................22 Involuntary Termination ....................................................................................................................22 Termination Actions...........................................................................................................................22 Training .................................................................................................................................................23 Hardware Training .............................................................................................................................23 Operating System Training ................................................................................................................23 Applications Training.........................................................................................................................23 [Enterprise] Staff ...................................................................................................................................23 Contractor Personnel .............................................................................................................................24 CONTROLS ..................................................................................................................................................25 Types of Controls ..................................................................................................................................25 
Risks......................................................................................................................................................26 Types of Risk .....................................................................................................................................26 Management Error ................................................................................................................................................. 26 Inadvertent Disclosure ........................................................................................................................................... 26 Competitive Disadvantage ..................................................................................................................................... 27 Legal Issues ........................................................................................................................................................... 27 Regulatory Problems ............................................................................................................................................. 27 Monetary Losses .................................................................................................................................................... 27

Controls Standards ................................................................................................................................27 Policies and Procedures ......................................................................................................................................... 27 Application Development and Testing .................................................................................................................. 27 Program Changes ................................................................................................................................................... 28 Documentation....................................................................................................................................................... 28 Data Editing ........................................................................................................................................................... 28 Input/Output Controls ............................................................................................................................................ 28 Physical Access Restrictions ................................................................................................................................. 28 Logical Access Restrictions ................................................................................................................................... 29 Back-up and Contingency Planning....................................................................................................................... 29 Audit ...................................................................................................................................................................... 29

Logging and Audit Trails ......................................................................................................................29 Accountability ....................................................................................................................................................... 29 Reconstruction of Events ....................................................................................................................................... 29 Information to Be Recorded .................................................................................................................................. 30 Tracing Transactions ............................................................................................................................................. 30 Support Information .............................................................................................................................................. 30 Retention Period of Documentation and Audit Trail Data ..................................................................................... 30 Need for Source Documents .................................................................................................................................. 30 Audit Logs ............................................................................................................................................................. 31 Job-related Data ................................................................................................................................................ 31 Program-related Data ........................................................................................................................................ 31 File-related Data ............................................................................................................................................... 
31 Transaction-related Data ................................................................................................................................... 31 Message Data.................................................................................................................................................... 32 Database-related Data ....................................................................................................................................... 32

APPLICATION DEVELOPMENT STANDARDS .....................................................................................33 SAMMY ...............................................................................................................................................34 Quality Assurance Process ....................................................................................................................36 SERVICE REQUESTS ................................................................................................................................37 Policies ..................................................................................................................................................37 Process ..................................................................................................................................................38 Service Request Management ...............................................................................................................38 Equipment/Service Request ..................................................................................................................39 Problem Resolution Process ..................................................................................................................39 © 2008 Copyright Janco Associates, Inc. - ALL RIGHTS RESERVED

Page v

LOCAL AREA NETWORKS (LANS) ..........................................................................................................41 Features .................................................................................................................................................41 Directory Rights .................................................................................................................................................... 42 File Security........................................................................................................................................................... 43

LAN Standards......................................................................................................................................44 LAN Councils and Workgroups............................................................................................................44 BACK-UP & RECOVERY............................................................................................................................45 Data Storage and Media Protection .......................................................................................................45 Labeling .............................................................................................................................................46 Storage ...............................................................................................................................................46 Retention Schedule.............................................................................................................................46 Disposal of Sensitive Information ......................................................................................................46 Back-up Program and Schedule ............................................................................................................47 Creating a Back-up Program ..............................................................................................................47 Monitoring the Back-up Program ......................................................................................................48 Recovering From Back-up Media ......................................................................................................48 DISASTER RECOVERY PLAN ..................................................................................................................49 Description 
............................................................................................................................................49 Critical Function Analysis ....................................................................................................................50 DRP Procedures for Critical Data .........................................................................................................50 Back-up Criteria ....................................................................................................................................51 Back-up Procedures ..............................................................................................................................51 Storage Criteria .....................................................................................................................................51 Business Recovery Procedures .............................................................................................................52 Requirements for Recovery...................................................................................................................52 Recovery Guidelines .............................................................................................................................52 Restoring Damaged Equipment ............................................................................................................52 Recovery Management .........................................................................................................................53 Contingency Planning ...........................................................................................................................54 Responsibilities ..................................................................................................................................54 Manager, Functional IT Group 
.............................................................................................................................. 54 Managers, IT Processing Areas ............................................................................................................................. 54 Managers, all departments ..................................................................................................................................... 55 User organizations ................................................................................................................................................. 55 IT Computer Operations ........................................................................................................................................ 55 Outside Organizations ........................................................................................................................................... 55

Planning Activities ................................................................................................................................55 Function of Planning Activities ..........................................................................................................55 Development Activities ......................................................................................................................56 Planning Manual ................................................................................................................................56 Maintenance Activities .......................................................................................................................56 SECURITY....................................................................................................................................................58 IT Processing Area Classification .........................................................................................................59 Criteria ...............................................................................................................................................59 Classification Categories.......................................................................................................................59 Category I - IT Processing Area ............................................................................................................................ 59 Category II - IT Processing Area ........................................................................................................................... 60 Category III - IT Processing Area .......................................................................................................................... 60 Category IV - IT Processing Area ......................................................................................................................... 60

Physical Security ................................................................................................................................60 Work Stations and Remote Terminals ..................................................................................................61 Attended terminals .............................................................................................................................61 Unattended terminals .........................................................................................................................62 Systems Security ...................................................................................................................................62 © 2008 Copyright Janco Associates, Inc. - ALL RIGHTS RESERVED

Page vi

Management Control Tools ................................................................................................................63 Staff Member Security ..........................................................................................................................63 Review ...............................................................................................................................................63 Risky Practices ...................................................................................................................................63 Violations ...........................................................................................................................................63 Management Action ...........................................................................................................................64 Responsibilities .....................................................................................................................................64 [Enterprise] Information Security Officer.............................................................................................................. 64 Group Security Administrator ............................................................................................................................... 64 System Security Administrator .............................................................................................................................. 64 Users ...................................................................................................................................................................... 64 Manager, Audit Department .................................................................................................................................. 
64 Managers, Personnel Organizations....................................................................................................................... 64

  User Sensitive Positions .... 65
  Network Security .... 65
    Vulnerabilities .... 66
  Responsibilities .... 66
    Application Owners .... 66
    Support Organizations .... 66
    [Enterprise] IT .... 67
  Violation Reporting and Follow-Up .... 67
    Violation Logging .... 67
ACCESS CONTROL - PHYSICAL SITE .... 69
  Separation of Duties .... 69
  Least Privilege .... 70
  Access Areas .... 70
    Individual Accountability .... 70
    Category I - IT Processing Areas .... 70
    Category II - IT Processing Areas .... 71
    Category III - IT Processing Areas .... 71
    Category IV - IT Processing Areas .... 71
  Definitions of IT Access Control Zones .... 71
    Public Areas .... 71
    Controlled Areas .... 71
      General Areas .... 71
      Restricted Areas .... 71

  Responsibilities .... 72
    Functional IT Group .... 72
    Security Management Group (SMG) .... 72
    Requesting Manager Responsibilities .... 73
    Authorizing Managers .... 74
    Security Guards .... 74
    Staff Members .... 74
    Audit Department .... 75
  Badges .... 75
    Permanent Badge/Permanent Staff Member .... 75
    Permanent Badge/Temporary Staff Member .... 75
    Temporary Badge/Permanent Staff .... 76
    Temporary Badge/Temporary Staff Member .... 76
    Temporary Badge/Non-staff Members (Visitors and Vendors) .... 76
  Access Control Methods .... 76
  Levels of Access Authority .... 77
    Permanent Access .... 77
    Temporary Access .... 77
  Protection of Supporting Utilities .... 77
  Resource Protection .... 78
    Network Control Centers .... 78
    Network Components .... 78
    Wire Closets .... 78
    Terminal and Remote Job Entry Devices .... 78
    Configuration Management .... 79
    Dial-Up Controls .... 79
    Message Authentication .... 80
    Exceptions .... 80
ACCESS CONTROL - SOFTWARE AND DATA .... 81
  Resources to Be Protected .... 81
  Basic Standards .... 82
  Classification of Data, Software and Documentation .... 83
    Sensitive Information .... 83
    Non-sensitive Information .... 84
    Control Types .... 84
  Access from Other Facilities .... 84
    Controllability .... 84
    Integrity .... 85
    Identification .... 85
    Authentication .... 85
    Classification of Techniques .... 86
    Standards for Passwords .... 86
  Authorization Verification .... 87
FACILITY REQUIREMENTS .... 88
  Physical Plan Considerations .... 88
    Building Location .... 88
    External Characteristics .... 89
    Location of IT Processing Areas .... 90
    Construction Standards .... 90
    Protection from Water Damage .... 91
    Air Conditioning .... 91
    Entrances and Exits .... 91
    Interior Furnishings .... 92
  Fire .... 92
    Protection .... 92
    Detection .... 94
    Suppression .... 94
      Sprinklers .... 94
      Halon .... 95
      Emergency Shut Down Control .... 95
      Portable Fire Extinguishers .... 96
  Power .... 96
    Uninterruptible Power Supply .... 96
    Emergency Power .... 96
  Air Conditioning .... 97
    Category I Areas .... 97
OTHER TECHNICAL GUIDES .... 98
APPENDIX .... 99
  HIPAA Audit Program Guide .... 100
    Background .... 100
    Ensuring HIPAA Compliance .... 101
      HIPAA requires .... 101
      HIPAA implementation requires .... 101
    Planning the Audit .... 102
    HIPAA Audit Scope .... 104
      Audit Objectives .... 104
        Objective 1 .... 104
        Objective 2 .... 104
        Objective 3 .... 104
      Audit Wrap Up .... 105
  ISO 27001 & 27002 Security Process Audit Checklist .... 106
    Security Policy Management Objectives .... 106
    Corporate Security Management Objectives .... 107
    Organizational Asset Management Objectives .... 109
    Human Resource Security Management Objectives .... 110
    Physical and Environmental Security Management Objectives .... 112
    Communications and Operations Management Objectives .... 113
    Information Access Control Management Objectives .... 116
    Systems Development and Maintenance Objectives .... 119
    Information Security Incident Management Objectives .... 121
    DRP and Business Continuity Management Objectives .... 122
    Compliance Management Objectives .... 124
    Control and Security Objectives .... 125
  What's New .... 126
    Version 2.1 February 2008 .... 126
    Version 2.0 February 2007 .... 126


IT Infrastructure, Strategy, and Charter Summary

[Enterprise] Information Technology (IT) is a large and diverse organization that manages the information, internet, communication, and computer resources of [Enterprise]. This document:

  • Defines IT responsibilities that are the building blocks of a well-performing organization
  • Highlights the overall guidelines and policies of [Enterprise] IT
  • Provides an understanding of how IT integrates with the enterprise
  • References additional documentation that addresses the more tactical standards and guidelines found throughout the company

Base Assumptions and Objectives

The IT Strategy and Charter provides a framework for documenting the key operating guidelines necessary to support both the functional and process-oriented business requirements of [Enterprise]. This framework enables IT to:

  • Serve an evolving client base that is both fluid and dynamic
  • Promote teamwork with cross-company management and technical support
  • Identify opportunities for leveraging cross-functional systems
  • Integrate process re-engineering with ongoing planning and budgeting activities
  • Institutionalize the delivery of timely, high-quality, and reliable [Enterprise]-wide systems

Scope and Applicability

This Strategy and Charter, together with other technical and reference documents, will assist management, clients, and professional staff in working together to deliver cost-effective technologies that will provide [Enterprise] with industry-leading solutions. Its impact will cross divisional, regional, and operating unit boundaries in order to achieve a commonality of purpose and consistency of results that can be leveraged to the greatest competitive advantage.


HIPAA Audit Program Guide

Background

All providers of medical services are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was created to improve the efficiency and effectiveness of the health care system through the development of national standards for electronic health care transactions. HIPAA mandates that organizations:

  • Provide information to patients about their privacy rights and how their information can be used.
  • Train employees so that they understand the privacy procedures.
  • Designate an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Perform a privacy risk assessment.
  • Adopt clear privacy procedures for the practice, hospital, or plan.
  • Secure patient records containing individually identifiable health information, so that they are not readily available to those who do not need them.

The focus of the HIPAA audit is:

  • Review of written policies and practices on security
  • Review of written policies and practices on privacy
  • Review of processes in practice vs. privacy policies and procedures
  • Review of processes in practice vs. security policies and procedures
  • Review of business associates to assure that each has a valid contract or agreement, especially new associates or partners


ISO 27001 & 27002 Security Process Audit Checklist

Corporate Security Management Objectives

Establish an internal security organization.

  [ ] Establish a management framework to control how your enterprise implements information security.
  [ ] Validate that your enterprise's management approves your enterprise's information security policy.
  [ ] Validate that your enterprise's management assigns security roles.
  [ ] Validate that your enterprise's management coordinates the implementation of security across your enterprise.
  [ ] Validate that your enterprise's management reviews the implementation of security across your enterprise.
  [ ] Validate that your enterprise has access to information security experts and advisors within your own enterprise.
  [ ] Validate that your enterprise's internal experts are able to provide specialized information security advice.
  [ ] Validate that your enterprise has access to external security experts, advisors, and authorities.
  [ ] Use your external advisors to help your enterprise monitor changes in security standards.
  [ ] Use your external advisors to help your enterprise monitor changes in security assessment methods.
  [ ] Use your external advisors to help your enterprise keep up with industry security trends.
  [ ] Validate that your enterprise's external information security experts and advisors can help your enterprise deal with security incidents.
  [ ] Validate that your enterprise encourages a multidisciplinary approach to information security.

Control external use of your enterprise's information.

  [ ] Maintain the security of your enterprise's information whenever it is being accessed by external parties.
  [ ] Maintain the security of your enterprise's information whenever it is being processed by external parties.
  [ ] Maintain the security of your enterprise's information whenever it is being managed by external parties.
  [ ] Maintain the security of your enterprise's information processing facilities whenever they are being managed by external parties.
  [ ] Maintain the security of your enterprise's information processing facilities whenever they are being accessed by external parties.
  [ ] Maintain the security of your enterprise's information processing facilities whenever information is processed by external parties.
  [ ] Maintain the security of your enterprise's information processing facilities whenever external parties are allowed to communicate with these facilities.
  [ ] Validate that the security of your enterprise's information processing facilities is not compromised by external party products or services.
  [ ] Validate that the security of your enterprise's information is not compromised by external party products or services.
  [ ] Control external party access to your enterprise's information.


What's New

Version 2.1 February 2008

  • Added section defining ISO
  • Added section defining the ISO 27000 standard series
  • Updated template to comply with ISO 27001 and 27002
  • Updated Security Process Audit Checklist to comply with ISO 27001 and ISO 27002
  • Corrected errata

Version 2.0 February 2007

  • HIPAA Audit Program added
  • ISO 17799 Security Process Audit Checklist added
  • Office 2007 version added