Bestitdocuments.com Blog


Enterprise Project Management

Posted in Business,Compliances,Security by Guest Blogger on the May 22nd, 2012

Project Statement

The project statement is a modified version of the form provided as part of the Organization's Project Management Methodology. At each phase of the project, the project statement should be reviewed to ensure it remains current and accurate. A blank project statement form may be found on the Corporate web site under “Templates”.

The project statement identifies:

  • Project planners
  • Sponsor
  • Project manager
  • Technical lead
  • Assumptions
  • Business problem
  • Statement of work
  • Goals & objectives
  • Success factors (project scope)
  • Planning budget & timeline
  • High level plan & timeline 

Risk Analysis Assessment

  • Staffing & Skills Assessment 

What are the skills required to complete this project?

  • Project management
  • Web
  • Middle-ware
  • Unix, Linux, Microsoft, Novell administration
  • Database expertise (Oracle, Microsoft SQL, MySQL, DB2, etc.)
  • Authentication
  • Security
  • Application management
  • Training

Staffing questions to answer before starting:

  • Do we have the necessary skills to begin the project?
  • Is training required before we begin?
  • Do we have sufficient staff to begin the project?
  • Has time been planned for acquiring staff?


Guidelines for Media Handling

Posted in Business,Compliances,Security by Guest Blogger on the May 22nd, 2012

As part of most business processes, information is generated and stored on many different types of media including paper documents, computer media (e.g., tapes, compact discs, flash drives / memory) and others. Much of the information being stored on paper and electronically is critical and can include (among others): 

  • Mission-critical data
  • Financial information
  • Operational data
  • Sensitive information
  • Personnel files

Other questionnaires have covered different aspects of security as it relates to the examples listed above in areas such as backup and recovery and physical security. One aspect of securing this information that has not been covered in any detail is the protection of the media where the information is stored, which is the content of this questionnaire. 

The questions below are primarily based on the International Standards Organization (ISO) 2700x information security standard for media handling. The key areas addressed in media handling include:

  • Media management
  • Media disposal
  • Media in transit 

The questions below are a starting point in discussing security related to media handling. Other questions should be added based on the client’s specific business. 

General 

Is there a documented policy for media handling? 

Guidance: A security policy to communicate management’s position on media handling should exist. The policy should outline high-level roles and responsibilities and the requirements as they relate to media handling. 

The policy should be easily accessible to employees so they can refer to it as necessary. The policy also helps in enforcing good media handling practices.


Our Handy Cisco Command Reference for Network Analysts

Posted in Business,Compliances,Networking,Security by Guest Blogger on the May 22nd, 2012

Sample Visio – Network Management Evolution

Posted in Compliances,Networking,Security by Guest Blogger on the May 22nd, 2012

Sample Visio – Management protocol SNMP

Posted in Application,Compliances,Networking,Security by Guest Blogger on the May 21st, 2012

IT Costs are not just associated with Compliance

Posted in Business,Compliances,O S,Security by Guest Blogger on the May 21st, 2012

Costs are not associated only with Compliance but also with other areas of the business, like keeping employees productive. If you look at one aspect of IT that relates to user productivity, Help Desk calls and their associated costs, you will see that on average nearly 70% of all help desk calls are associated with Security.

Most Help Desk calls relate to security

  1. 20-25% Password reset (still)
  2. 10% User access requests
  3. 20-30% PC performance problems related to spyware
  4. 0-30% Phishing/Spam
  5. 5% Other


Roadmap to Maturity – FISMA and ISO 2700x

Posted in Application,Business,Compliances,Security by Guest Blogger on the May 21st, 2012

Sample Visio – Simple – Access Control Model View


Transforming Business

Posted in Application,Business,Compliances,Security by Guest Blogger on the May 19th, 2012

Data Value Lifecycle Management

Posted in Business,Compliances,Data Center - SOC - NOC,Security by Guest Blogger on the May 19th, 2012

Overview:

Data archiving is the disciplined process by which data is migrated, or copied and then migrated, for long-term retention under chain-of-custody control to media at designated archive location(s), where retention, security, retrieval, rendering and authentication are all specified by a formalized archiving policy.

  • The value of data changes over time…
    • Spend more to protect it when it is at its highest value
    • Spend less, when it’s at a lower value
    • Business seeks to align the management of data with its actual business value to the organization

Data Archiving Impact

  • Storage
    • Slower rate of tier-1 storage growth
    • Improve application performance
  • Backup
    • Reduce exponential growth
    • Improve performance
    • Enabler for disk-based backup
  • Disaster Recovery
    • Enable faster recovery (improve RTO)
    • Reduce DR infrastructure requirements

Service Level Considerations:

  • Recovery Time Objective is the maximum tolerable elapsed time (from the actual disaster, not its declaration) for restoration of business operational viability
  • Retrieval Time Objective is the target upper limit of elapsed time (latency) allowable for retrieval of a specified archived object
  • Recovery Point Objective is the maximum tolerable data loss on recovery from a disaster, normally expressed as a time metric (e.g. one hour)

Possible solution:

HSM (Hierarchical Storage Management) is the disciplined migration of data from production storage to less expensive storage based on the value of the data or its access requirements; HSM is substantially transparent to the accessing application.

We were given the wrong perception of the size of the problem

Posted in Application,Business,Compliances,Networking,O S,Security by Guest Blogger on the May 19th, 2012

The Road to Business Success PowerPoint

Posted in Application,Business,Compliances,Projects,Resources,Security by Guest Blogger on the May 19th, 2012

Today businesses barely have a strategy, and it is only to sustain their current track.

Get off this track; it dead-ends.


Keeping up with the Regulatory Climate

Posted in Application,Business,Compliances,Security by Guest Blogger on the May 19th, 2012

The CIO is on the firing line for much of the new attention – he or she is getting pressure from the CEO and the board of directors as well as from newly created Chief Compliance Officer positions.

They are being asked to address new business concerns:

  • Control costs while managing complexity
  • Focusing on core competencies
  • Increasing end-user productivity
  • Meeting regulations 

Risk did not use to be on the radar screen for CIOs (according to Gartner studies), at least not this type of risk.

Increased dependencies and exposures come with reliance on value chain partners; according to a Gartner analyst, half of all IT spending is for some form of interoperability.

  • Executive criminality and an explosion of scandals breed new regulations that are not yet fully interpreted, with a greater risk of misunderstanding and non-compliance
  • Demand for privacy protection – consumer, government, etc.
  • Managing the degree of risk directly impacts margin
  • CEOs and the Board are directly seeking answers for Emotional Security
  • Several regulations affecting the management of information were passed long before widespread use of computers.
  • During the 1980s the use of desktops began to increase, but we had not yet truly entered the Information Age
  • Once the use of desktops, laptops, the Internet, and EDI became ubiquitous in the mid-to-late 1990s we began to see a lot more legislative activity.
  • Recently there has been an explosion of new security and privacy regulations. Still missing is a US Data Privacy Act that would apply to all industries. Future trends should show a slowdown of new national legislation, but additional state and local laws and revisions of existing regulations. Europe, Canada, and Australia are all discussing their own versions of Sarbanes-Oxley as well.
  • HIPAA – Health Insurance Portability & Accountability Act includes Privacy Rule & Security Rule
  • FDA 21 CFR Part 11 – security regulations for electronic filing of paperwork with the FDA. Affects Pharmacy, Biotech, & Medical Equipment Mfg
  • GLBA – Gramm-Leach-Bliley Act deregulated the financial services industry, but added privacy & security requirements
  • C6 (a.k.a. PIPEDA – Personal Information Protection & Electronic Documents Act) – Canadian privacy law
  • CAN SPAM - Controlling the Assault of Non-Solicited Pornography and Marketing Act
  • USA PATRIOT - Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
  • CIPA 2002 – Children’s Internet Protection Act
  • FISMA – Federal Information Systems Management Act applies only to non-defense systems of US government agencies
  • Sarbanes-Oxley – US corporate governance reform
  • Basel II – EU banking reform, incorporates IT risk management into the gold reserves calculation
  • CLERP 9 - Corporate Law Economic Reform Program in Australia
  • NERC - North American Electric Reliability Council establishes security requirements for the energy industry
  • COPPA – Child’s Online Privacy Protection Act 

Here we see the primary regulations mapped out by industry. Financial Services is clearly hardest hit by regulatory requirements. Retail organizations must deal with Credit Card vendor requirements for their merchants that are not technically regulations, but have effectively the same impact. No matter your industry you need to develop a compliance program that can meet the requirements of multiple regulations.

Visa CISP – security requirements for all Visa credit card merchants (now PCI DSS – Payment Card Industry Data Security Standards)

As we saw earlier, organizations today are facing many different regulations. It is inefficient to develop compliance programs for each regulation. Instead, you must understand the total requirements from all regulations your organization must comply with.

Very few specific requirements are laid out within the regulations themselves, so that they can remain robust and relevant over time to a broad range of organizations. In order to understand the regulatory requirements, you must identify the underlying guidance associated with that regulation. This guidance may come from industry best practices such as ISO 2700x, CobiT, or COSO, or it may come from the associated regulatory agency (SEC, FFIEC, HHS, CMS, etc.). In almost all cases, there is a standard set of information security best practices that will enable you to meet all of the existing regulations.

Commonly referred to as the GLBA Data Protection Rule, Section 501 is intended to ensure the confidentiality and security of customer data against internal and external threats. The rules require a written security plan that describes the institution's protection program for customer information, which is defined as any record, paper or electronic, that contains non-public personal information about a customer.

It stipulates Board of Directors involvement in plan development, implementation, and maintenance, continually audited for compliance as well as for progress and improvement.

It also requires independent assessment of any and all third-party vendors and service providers, with review and monitoring by institutions to ensure their own compliance. A “program” means documented policies and successful tests (including improvements). We are hearing requests for SAS 70 (Statement of Auditing Standards).

Sarbanes-Oxley has 11 parts and 66 sections. Of primary importance for us today are the following, which directly impact both IT departments at our target set of customers and those units within SunGard who sell to them.

  • Section 302 – CEOs, facing the prospect of civil and criminal prosecution, are getting CFOs to sign the financial statements as well as signing themselves.
  • Section 404 – The SEC requires a statement of management’s responsibility for internal controls and management's assessment of how effective they are

Requirements:

  • Well defined “internal controls” over financial reporting
  • Management accountability as to effectiveness of controls
  • Auditor sign-off

Section 404 requires the Commission to adopt rules requiring a company's management to present an internal control report in the company's annual report containing: (1) a statement of the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) an assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 also requires the company's registered public accounting firm to attest to, and report on, management's assessment.

  • Section 409 now requires a 4-day turnaround


Sample – Check Point, Netscreen, Cisco Firewall Request Form

Posted in Application,Business,Compliances,Networking,Security,Web Services by Guest Blogger on the May 19th, 2012

Sample – ITIL Software Catalogue Service Descriptions

Posted in Application,Business,Compliances,Security,Web Services by Guest Blogger on the May 18th, 2012

Sample – ITIL Help Desk Catalogue Service Descriptions

Posted in Application,Business,Compliances,Resources,Security by Guest Blogger on the May 18th, 2012

Sample – ITIL Internet Catalogue Service Descriptions

Posted in Business,Compliances,Networking,Security,Web Services by Guest Blogger on the May 18th, 2012

Sample Brocade, Barracuda, F5 and Citrix Load Balancing Request Form

Posted in Application,Business,Compliances,Networking,Security,Web Services by Guest Blogger on the May 18th, 2012

Fair and Accurate Credit Transactions Act (FACT) and related global regulatory requirements

Posted in Business,Compliances by Guest Blogger on the May 17th, 2012

Fair and Accurate Credit Transactions Act (FACT) and related global regulatory requirements

  • TREAD Act
  • NASD 3110
  • IASB/FASB
  • Computer Fraud and Abuse Act
  • SEC Rules 17a-3 and 17a-4
  • Computer Security Act
  • Canada’s PIPEDA
  • Foreign Corrupt Practices Act
  • Customs C-TPAT
  • EPA
  • Basel II
  • FDA 21 CFR 11
  • CA SB 1386, 1950
  • FISMA
  • E.U. Data Protection Directive
  • U.K. Public Records Office
  • DOD 5015.2

Sample Visio – Enterprise Vendor Selection Steps

Posted in Application,Business,Compliances,Resources,Visio Stencils by Guest Blogger on the May 16th, 2012