<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://www.securityprocedure.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Procedures</title>
 <link>http://www.securityprocedure.com/tag/procedures</link>
 <description>The taxonomy view with a depth of 0.</description>
 <language>en</language>
<item>
 <title>Download free Policy &amp; Procedure Manager 4.5</title>
 <link>http://www.securityprocedure.com/download-free-policy-procedure-manager-45</link>
 <description>&lt;p&gt;&lt;IMG SRC=&quot;files/policy.png&quot; alt=&quot;Download free Policy &amp;amp; Procedure Manager 4.5&quot;&gt;&lt;br /&gt;
Well, it&#039;s actually a 30-day free trial, but it&#039;s still very useful software for those working with a lot of documentation, policies and procedures. For more information you can visit their &lt;a href=&quot;http://www.policytech.com&quot;&gt;main site&lt;/a&gt; or &lt;a href=&quot;http://download.cnet.com/Policy-Procedure-Manager/3000-2076_4-10154760.html&quot;&gt;download&lt;/a&gt; it directly (29MB) from download.com.&lt;/p&gt;
&lt;p&gt;The web-based Policy &amp;amp; Procedure Manager provides your staff with instant access to your organization&#039;s policies and procedures. It notifies those who are required to read specific documents and tracks who has read them. You can use the software to create, review, approve, and archive all of your documents, not just policies and procedures.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/download-free-policy-procedure-manager-45&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/download-free-policy-procedure-manager-45#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/download">Download</category>
 <category domain="http://www.securityprocedure.com/tag/policies">Policies</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <category domain="http://www.securityprocedure.com/tag/software">Software</category>
 <pubDate>Tue, 05 May 2009 15:10:45 -0700</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">299 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>Eleven golden rules for user registration controls</title>
 <link>http://www.securityprocedure.com/eleven-golden-rules-user-registration-controls</link>
 <description>&lt;p&gt;ISO27002 recommends that an organization’s user registration process should cover the following:&lt;br /&gt;
1. Unique user identifications (IDs) should be issued so that users can be linked to, and made responsible for, their actions. &lt;/p&gt;
&lt;p&gt;2. The user’s access rights should be documented and describe what assets and systems the user is allowed to access. &lt;/p&gt;
&lt;p&gt;3. System owners should authorize proposed users to use the system, and the access rights document should also be authorized by the individual’s line manager, to ensure that it is appropriate.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/eleven-golden-rules-user-registration-controls&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/eleven-golden-rules-user-registration-controls#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/policies">Policies</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <category domain="http://www.securityprocedure.com/tag/security">Security</category>
 <pubDate>Sat, 21 Feb 2009 23:49:36 -0800</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">295 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security</title>
 <link>http://www.securityprocedure.com/oecd-guidelines-security-information-systems-and-networks-towards-culture-security</link>
 <description>&lt;p&gt;These guidelines apply to all participants in the new information society and suggest the need for a greater awareness and understanding of security issues, including the need to develop a &quot;culture of security&quot; - that is, a focus on security in the development of information systems and networks, and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks. The guidelines constitute a foundation for work towards a culture of security throughout society.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/oecd-guidelines-security-information-systems-and-networks-towards-culture-security&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/oecd-guidelines-security-information-systems-and-networks-towards-culture-security#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <category domain="http://www.securityprocedure.com/tag/security">Security</category>
 <category domain="http://www.securityprocedure.com/tag/security-management">Security Management</category>
 <pubDate>Mon, 11 Aug 2008 00:26:05 -0700</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">258 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>Download Free Policy &amp; Procedure Manager 4.5 for Regulatory Compliance Standards</title>
 <link>http://www.securityprocedure.com/download-free-policy-procedure-manager-45-regulatory-compliance-standards</link>
 <description>&lt;p&gt;&lt;b&gt;The web-based Policy &amp;amp; Procedure Manager&lt;/b&gt; provides your staff with instant access to your organization&#039;s policies and procedures. It notifies those who are required to read specific documents and tracks who has read them. You can use the software to create, review, approve, and archive all of your documents, not just policies and procedures. Email reminders and reports ensure that everything stays up to date. You can also organize documents according to any regulatory compliance standards - such as Sarbanes Oxley, ISO 9000, JCAHO, HIPAA, state guidelines.&lt;/p&gt;
&lt;p&gt;Size: 29.57MB&lt;br /&gt;
License: Free to try&lt;br /&gt;
Requirements: Windows 95/98/Me/NT/2000/XP&lt;br /&gt;
Limitations: 30-day trial&lt;br /&gt;
Date Added: February 19, 2008 &lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.download.com/Policy-Procedure-Manager/3000-2076_4-10154760.html?hhTest=1&amp;amp;tag=lst-6&amp;amp;cdlPid=10794949&quot;&gt;Download Page&lt;/a&gt;&lt;/p&gt;
</description>
 <comments>http://www.securityprocedure.com/download-free-policy-procedure-manager-45-regulatory-compliance-standards#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/audit">Audit</category>
 <category domain="http://www.securityprocedure.com/tag/download">Download</category>
 <category domain="http://www.securityprocedure.com/tag/policies">Policies</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Fri, 11 Jul 2008 03:32:45 -0700</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">227 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>The truth about IT security policy</title>
 <link>http://www.securityprocedure.com/truth-about-it-security-policy</link>
 <description>&lt;p&gt;&amp;quot;&amp;hellip;IT security policy for IT auditor day to day perspective..&amp;quot;&lt;/p&gt;
&lt;p&gt;I&#039;ve been working on IT security policy and procedure making for the last four years. My main responsibility during that period has been providing consulting services to companies that need to comply with some kind of security standard such as Sarbanes Oxley, ISO 27001 or even just some guidelines from our government.&lt;/p&gt;
&lt;p&gt;Security policy and procedures are my main deliverables. So if you see my clients you will see that in their offices there are a lot of policies and procedures created by many prestigious companies; my company has also contributed there. They took international standards such as COBIT or ITIL to ensure that the company&#039;s confidential data is kept secure.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/truth-about-it-security-policy&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/truth-about-it-security-policy#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/policies">Policies</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <category domain="http://www.securityprocedure.com/tag/security">Security</category>
 <pubDate>Thu, 26 Jun 2008 00:58:48 -0700</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">175 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>The four things every IT security must do every day</title>
 <link>http://www.securityprocedure.com/four-things-every-it-security-must-do-every-day</link>
 <description>&lt;p&gt;Security work is a continuous and daily process. You can’t just install a firewall or an intrusion-detection system and say that you’re suddenly secure. In some cases, you’ll be lucky to enter an organization that already has a relatively mature security program. In these cases, most of the items discussed in the following sections will already be implemented and your job will be easier to manage. In other cases, you may find yourself hired into an organization that has not had a security program in the past. In this case, you’ll have the opportunity to build the program from the ground up. Although this might sound like more work, and a potentially bigger hassle, you may find it easier creating everything from scratch and ensuring that it’s all done correctly. But let’s look at some of the items you’ll need to understand.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;1. Patches and Hot Fixes&lt;/b&gt;&lt;br /&gt;
Both operating systems and applications have a single huge flaw: They are written by human beings. Because of that, they have bugs and security issues. Vendors release patches or hot fixes on a periodic basis to address security concerns that may have arisen since the last patch came out. To keep an organization secure, you need to ensure that these software patches are applied in a timely manner. One important item to note here: Test your patches in a test environment before you implement them in production systems. In some cases, patches have caused more harm than good because of unexpected issues.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/four-things-every-it-security-must-do-every-day&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/four-things-every-it-security-must-do-every-day#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/audit">Audit</category>
 <category domain="http://www.securityprocedure.com/tag/computer-security">Computer Security</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Tue, 24 Jun 2008 15:10:42 -0700</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">170 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>How to manage CMDB Scope</title>
 <link>http://www.securityprocedure.com/how-manage-cmdb-scope</link>
 <description>&lt;p&gt;Although a CMDB can be extremely complex, it is built of only two elementary constructs, called configuration items and relationships. Configuration items represent static portions of the IT environment, such as computers, software programs, or process documents. Relationships, as the name implies, track how these configuration items are related to one another, and are much more dynamic because these relationships can change frequently. Given these simple building blocks, defining the scope of a configuration management system is as simple as deciding which types of configuration items you want to track and which relationships will be important.&lt;/p&gt;
&lt;p&gt;Note that we define scope as which types of configuration items will be tracked, not which configuration items. Once we decide that a particular type of thing is going to be tracked, it becomes part of our scope, even if we choose to track only a single instance of that type of thing. The choice of how many of each type, and exactly which ones, is part of the span of the CMDB.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/how-manage-cmdb-scope&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/how-manage-cmdb-scope#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/configuration-management">Configuration Management</category>
 <category domain="http://www.securityprocedure.com/tag/itil">ITIL</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Mon, 02 Jun 2008 18:28:32 -0700</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">156 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>Well written policy using 5Ws of Journalism</title>
 <link>http://www.securityprocedure.com/well-writen-policy-using-5ws-journalism</link>
 <description>&lt;p&gt;The written policy should clear up confusion, not generate new problems. When preparing a document for a specific audience, remember that the writer will not have the luxury to sit down with each reader and explain what each item means and how it impacts the user&#039;s daily assignments. Know the audience for whom the policies are being developed. Remember the reading and comprehension level of the average employee. When writing the policy, remember the &quot;5 Ws of Journalism 101&quot;:&lt;/p&gt;
&lt;p&gt;What: what is to be protected (the topic)&lt;br /&gt;
Who: who is responsible (responsibilities)&lt;br /&gt;
Where: where within the organization does the policy reach (scope)&lt;br /&gt;
How: how compliance will be monitored (compliance)&lt;br /&gt;
When: when does the policy take effect&lt;br /&gt;
Why: why the policy was developed&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/well-writen-policy-using-5ws-journalism&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/well-writen-policy-using-5ws-journalism#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/audit">Audit</category>
 <category domain="http://www.securityprocedure.com/tag/policies">Policies</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Thu, 22 May 2008 12:15:00 -0700</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">141 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>What is the first priority in IT audit?</title>
 <link>http://www.securityprocedure.com/what-first-priority-it-audit</link>
 <description>&lt;p&gt;If you’re the first person responsible for performing information system audits in your company, then what is your first priority? Repairing the IT process in your company? Preparing risk control matrices, or just recruiting another experienced IS auditor to brainstorm with you?&lt;/p&gt;
&lt;p&gt;In my experience, it all starts with planning. Yes, IT planning plays a significant role at this stage. Remember that auditing means a lot of interaction with many departments and functions across the company. So coordination is the first issue to be noted.&lt;/p&gt;
&lt;p&gt;Have you ever been in this situation?&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/what-first-priority-it-audit&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/what-first-priority-it-audit#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/audit">Audit</category>
 <category domain="http://www.securityprocedure.com/tag/policies">Policies</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <pubDate>Mon, 19 May 2008 14:33:45 -0700</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">138 at http://www.securityprocedure.com</guid>
</item>
<item>
 <title>Develop, Buy or Customize?</title>
 <link>http://www.securityprocedure.com/develop-buy-or-customize</link>
 <description>&lt;p&gt;Although this is not a step in the SDLC, an organization might decide to buy a product instead of building it. The decision typically comes down to time, cost, and availability of a predesigned substitute. &lt;/p&gt;
&lt;p&gt;Before moving forward with the option to buy, the project team should develop a request for proposal (RFP) to solicit bids from vendors. Vendor responses should be closely examined to find the vendor that best meets the project team’s requirements. Some of the questions that should be asked include these:&lt;br /&gt;
- Does the vendor have a software product that will work as is?&lt;br /&gt;
- Will the vendor have to modify the software product to meet our needs?&lt;br /&gt;
- Will the vendor have to create a new, nonexistent software product for us?&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.securityprocedure.com/develop-buy-or-customize&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <comments>http://www.securityprocedure.com/develop-buy-or-customize#comments</comments>
 <category domain="http://www.securityprocedure.com/tag/implementation">Implementation</category>
 <category domain="http://www.securityprocedure.com/tag/procedures">Procedures</category>
 <category domain="http://www.securityprocedure.com/tag/project-management">Project Management</category>
 <pubDate>Tue, 13 May 2008 21:42:48 -0700</pubDate>
 <dc:creator>root</dc:creator>
 <guid isPermaLink="false">134 at http://www.securityprocedure.com</guid>
</item>
</channel>
</rss>
