Best IT Documents.com Blog


Sample Word – JCL Conventions

Posted in Compliances (1300),O S (375) by Guest on the January 30th, 2015

Free Word document download

JCL Conventions


Sample – Network UAT Change Policy

Posted in Compliances (1300),Networking (340),Security (1500) by Guest on the January 29th, 2015

Network Services is requiring User Acceptance Testing (UAT) on all high risk/high impact changes and/or changes that will result in a known impact or system degradation. The risk scoring of the change is based on information entered in the change record as well as the Enterprise model used for scoring changes.

The change is to be thoroughly researched as to impact, proper notifications made to the Lines of Business, and testing coordinated.  The intent of the UAT requirement is to ensure that applications and servers impacted by a change validate their applications during the change window by executing tests and checks that the teams deem appropriate to verify that the applications are working as expected.

The name and email address of the line of business tester will be required to be documented in the long-description section of the change record.  For those changes that are on shared devices and that impact multiple lines of business, the project manager or technology project manager will be expected to coordinate the UAT.

The UAT is to be done during the approved change window so that should there be issues, they can be resolved prior to the start of the production day.

Some lines of business will not be able to test during this period due to services/exchanges needed to test not being available.  For these types of situations, the teams can follow their normal process for validating changes and will not be required to submit a waiver accompanied by Lines of Business approvals.

Issues reported outside of the change window will be handled as break-fix subject to normal SLAs for incident restoral.

If the client decides they do not want to provide user acceptance testing, they must provide a UAT waiver email with Lines of Business approval attached to the change record.

Other relevant conditions that apply are outlined below:

  • Vendors in some cases are approved to test on behalf of the lines of business. That is acceptable as long as there is a detailed test plan that covers all features and functionality associated with the device being changed.
  • Low-risk, repeatable changes, although not subject to this requirement, should be validated by the line of business as well.
  • Firewall rule changes are often bundled into one change. It is expected that the Service Request submitter will perform the UAT.
  • Non-prod devices, labs, and lower level development platforms are out of scope.

 


Sample Word – Physical Data Center Local Recovery Considerations

Posted in Policies - Standards (600),Security (1500) by Guest on the January 28th, 2015

Sample Excel – Application Discovery 2

Posted in O S (375),Sample - IT Spreadsheets - PowerPoints (251) by Guest on the January 27th, 2015

Free Excel document download

Application Discovery 2


How to create Unit Managers in Qualys for Remediation Management

Posted in Compliances (1300),Security (1500),Visio Samples - Stencils (457) by Guest on the January 26th, 2015

Background: In order to remediate vulnerabilities found, all assets must have an identified asset owner who will work to either fix the vulnerabilities or route the issue to someone who will. Persons who will remediate assets are called “Unit Managers.” This document outlines how to set up an individual as a Unit Manager. Only Qualys Administrators will be able to perform this setup function.

InfoSec Policy: All external assets that are internet facing, and therefore at a higher risk, must be scanned on a weekly basis. All internal assets that are not exposed to the Internet must be scanned on a monthly basis.

Steps:

Identify Assets, and group into asset groups. Note that there should be separate groups for internal and external facing assets since the scanning schedule. Admins should already be familiar with creating asset groups.

Create or Promote user to Unit Manager Role.

Assign Asset group to Business Unit, or create new Business Unit using the New Business Unit button. Name the Business Unit to include the Unit Manager’s name and the geographic region or asset type, such as US-Eastern or UnixOps, etc. Then assign the asset groups to the Business Unit.

Create a standard Remediation Policy for the Business Unit. Under Tools in the Navigation Pane, click on Remediation Policy, then select New and choose Rule. Name it after the geographic region or asset type. Add the asset groups. Ensure that all levels 4 and 5, including potential vulnerabilities, are checked. Assign the remediation to the Unit Manager. Set the deadline for remediation as 14 days (standard).

Schedule the Scan. Admins should be familiar with scheduling scans. Remember to schedule scans for external assets on a weekly basis, typically on Fridays after business hours on the West Coast. 23:00 hrs PST works fine. Schedule the internal assets to be scanned on a monthly basis, typically earlier in the month, or at a negotiated time that is best for the Unit Manager.

Review the Open Tickets. After the first scan completes, ensure that the Unit Manager received his automated alert about his asset groups being scanned. If so, schedule a meeting to review his scan results, review open tickets and answer any questions he may have about the remediation process. Be sure he knows how to close, ignore or route tickets and to reference Remedy ticket numbers in the comment field.
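An added example, not part of the original document and not Qualys code: a small audit that checks the numbers stated above (weekly scans for external groups, monthly for internal, a 14-day deadline on level 4 and 5 tickets, and a Unit Manager on every asset group). The record fields and sample data are constructed for illustration and are not a Qualys export format; "monthly" is assumed to mean at most 31 days.

```python
from datetime import date, timedelta

# Policy values from the text; 31 days for "monthly" is an assumption.
MAX_SCAN_AGE = {"external": timedelta(days=7), "internal": timedelta(days=31)}
REMEDIATION_DEADLINE = timedelta(days=14)
TICKETED_LEVELS = {4, 5}

def audit(asset_groups, tickets, today):
    """Return (stale_groups, overdue_tickets, unowned_groups)."""
    stale, unowned = [], []
    for group in asset_groups:
        if not group["unit_manager"]:
            unowned.append(group["name"])  # nobody to route remediation to
        last = group["last_scan"]
        # A group that was never scanned is treated as stale.
        if last is None or today - last > MAX_SCAN_AGE[group["exposure"]]:
            stale.append(group["name"])
    overdue = [
        t["id"] for t in tickets
        if t["state"] == "open"            # closed or ignored tickets are done
        and t["level"] in TICKETED_LEVELS  # the rule covers levels 4 and 5 only
        and today - t["opened"] > REMEDIATION_DEADLINE
    ]
    return stale, overdue, unowned

# Constructed sample records (hypothetical names and dates).
TODAY = date(2015, 1, 26)
GROUPS = [
    {"name": "US-Eastern-External", "exposure": "external",
     "unit_manager": "jdoe", "last_scan": date(2015, 1, 23)},
    {"name": "UnixOps-Internal", "exposure": "internal",
     "unit_manager": "asmith", "last_scan": date(2014, 12, 20)},
    {"name": "Lab-DMZ-External", "exposure": "external",
     "unit_manager": None, "last_scan": date(2015, 1, 16)},
]
TICKETS = [
    {"id": "T1", "level": 5, "state": "open", "opened": date(2015, 1, 5)},
    {"id": "T2", "level": 4, "state": "open", "opened": date(2015, 1, 20)},
    {"id": "T3", "level": 3, "state": "open", "opened": date(2014, 12, 1)},
    {"id": "T4", "level": 5, "state": "closed", "opened": date(2014, 12, 15)},
]

if __name__ == "__main__":
    stale, overdue, unowned = audit(GROUPS, TICKETS, TODAY)
    print("stale scans:", stale)
    print("overdue tickets:", overdue)
    print("groups without a Unit Manager:", unowned)
```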

 


Qualys Business Units

Posted in Compliances (1300),Security (1500) by Guest on the January 25th, 2015

Management and Remediation

Introduction

Per regulatory compliance, the Information Security team conducts periodic vulnerability assessment (VA) scans on all Symantec internal networks. Business units in QualysGuard are used to delegate remediation responsibilities. If you are a business unit manager, please follow these instructions for assistance on managing your business unit.

If you need assistance or guidance on remediation, please refer to “Qualys new user and remediation guidelines” document.

Asset Groups

Business units start with Asset Groups. Asset Groups are logical groupings of networks that belong to your business unit.

Log on to QualysGuard and click “Asset Groups” under Tools. On the right pane, you will see asset groups which are part of your business unit:

Screen shot here….

Asset groups are owned and managed by IT Security Operations team. For asset group support, please contact Security Operations team: IT – Security Operations.

Vulnerability Scans

Information Security team conducts periodic VA scanning on all asset groups. Current schedule for VA scanning is once a quarter or more.

Prior to quarterly scans, you will receive an IT advance notification email from Operation Global Shield (see example below):

When VA scans start, you may receive several emails from “Qualys Inc.” with the subject “QualysGuard: Scan Results”. These are scan status emails. Look for the “Scan Status” line in each email. If Scan Status reads FINISHED, then follow the instructions from the “Qualys new user and remediation guidelines” document.

User Accounts

If you would like to delegate remediation responsibilities further to your team members, please contact IT Security Operations (IT – Security Operations) and have them create new user accounts for your team members.

You can also create new accounts yourself as the business unit manager. In QualysGuard, go to User Accounts under Tools and click New – User…

Screen shot here….

Enter account details as shown below. Double check the email address and make sure user role is: Reader and under asset groups, add asset groups which will belong to the new user:

Screen shot here….

Click Save when done (you may need to scroll all the way down)

If you want to change a user's asset groups later on, you can always edit your business unit users and add/remove asset groups as necessary.

Currently VA scans are managed by Security Operations team. If you want a VA scan run on an asset group in your business unit, please contact Security Operations team: (IT – Security Operations)

For remediation assistance, please refer to the “Qualys new user and remediation guidelines” document.

 
