IT Manager's Handbook: Getting Your New Job Done
Authors: Bill Holtsnider, Brian D. Jaffe
While these audits can take a toll on IT resources, they do serve to help ensure that defined procedures are followed. Also, if something has been overlooked, it's better to find it during an audit than as a result of an interruption of service or loss of data.
Disaster Recovery and Business Continuity
While disaster recovery and business continuity may also be the subject of some regulatory compliance, most organizations are concerned about them more for their own interests. Both of these subjects are covered in Chapter 9, Disaster Recovery, on page 247.
Definition of Policies and Procedures
The compliance legislation discussed previously is sufficient reason for establishing policies and procedures. However, even without being compelled by law, it's always wise to define and document policies and procedures for the IT department, as well as the user community.
For example, there may be an informal policy that has determined when personal printers (as opposed to shared network printers) are permitted. However, if this policy is documented and posted, it helps ensure that all employees (both IT and users) are aware of it and that it can be applied consistently. Other examples of policies that can be defined include:
• Password requirements (length, frequency of changes, etc.)
• Limits on the size of e-mail messages and mailboxes
• Retention period for files and messages
• Resources and rules in place for spam and virus defense (e.g., the blocking of certain attachment types)
• Rules and approvals needed for nonstandard equipment requests (laptops, over-sized monitors, equipment at home)
• Requirements for password-protected screen savers
• Process for dealing with nonstandard software requests
• Policies for disabling/deleting unused accounts
• Policies pertaining to IDs and access for nonemployees (temps, consultants, partners, suppliers, etc.)
• Provisions for requesting a restore of files
• Approval required for accessing the files of a former or unreachable employee
• Employee reimbursement for special services (cell phones, broadband connections at home)
• Proper use of IT resources (e.g., no personal use of computer equipment, handhelds)
• Guidelines for use of social networking sites during working hours and/or on company equipment
• Limitations of support for company equipment at home
Of course, many of these policies should include comment and approval beyond IT before being considered official. In some cases (e.g., file and message retention), Legal should be involved. In other cases (e.g., company equipment at home), it would be wise to involve HR and Finance. Involving other departments not only helps IT establish partnerships with these groups, but it ensures that IT isn't determining policies in a vacuum.
Outsourcing
Over the past few years, outsourcing and offshoring have become very attractive solutions. However, it's important to remember that when you outsource certain business activities, your organization is still responsible for ethical and compliance activities. While outsourcing is adding value to your organization's services, products, and bottom line, you want to make sure that you're not risking the company's reputation or compliance responsibilities as a result. Any agreement for the use of third parties should take compliance, security, privacy, etc. into consideration, and should detail the responsibilities and expectations of the outsourcer.
For a much more detailed discussion on outsourcing, see Chapter 6, Managing the Money, on page 161.
8.11 Further References
Websites
[email protected]. [Bugtraq mailing list].
www.accenture.com/SiteCollectionDocuments/PDF/global_millennial_generation_research.pdf. [report on Millennials' use of technology].
www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/PrivacyOutsourcing/DownloadableDocuments/9127383_Privacy4.pdf. [privacy and outsourcing].
www.cert.org. [federally funded Computer Emergency Response Team at Carnegie Mellon].
www.checkpoint.com. [security solutions vendor].
www.cisco.com. [security solutions vendor].
news.cnet.com/Tesco-to-track-milk-deliveries-by-RFID/2100-1033_3-6079022.html?tag=lia;rcol.
www.cnn.com/2011/TECH/web/06/26/tech.lulzsec.hackers.
www.credant.com. [mobile data encryption vendor].
www.discover6sigma.org. [information about Six Sigma].
www.elcomsoft.com/survey/survey2009.pdf. [survey about password security].
www.isaca.org. [trade association for IT governance professionals].
www.isc2.org. [industry organization leader in educating and certifying information security professionals].
www.isixsigma.com. [information about Six Sigma].
www.iso.org. [information about the International Organization for Standardization and ISO 9000].
www.itgi.org. [trade association for IT governance professionals].
www.itil-officialsite.com/home/home.asp. [information about ITIL].
www.juniper.net. [security solutions vendor].
www.mcafee.com/us. [security software vendor].
www.microsoft.com/technet/security/default.mspx. [Microsoft's security website].
technet.microsoft.com/en-us/library/dd206732.aspx. [Microsoft's IT Compliance Management Guide].
onguardonline.gov. [a U.S. government site about computer security].
csrc.nist.gov/index.html. [National Institute of Standards and Technology's website about computer security].
www.organicconsumers.org/clothes/nike041505.cfm. [article about Nike's offshore practices].
www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher. [report on the cost of data breaches].
www.privacyrights.org/ar/ChronDataBreaches.htm#CP. [list of data breach/loss incidents].
www.sec.gov/news/studies/2009/sox-404_study.pdf. [report on impact of Sarbanes–Oxley].
www.securityguidance.com. [Microsoft security assessment tool].
www.security-risk-analysis.com/introduction.htm. [introduction to risk analysis].
www.sei.cmu.edu/cmmi. [information about CMMI].
www.slashdot.org.
www.snpx.com. [security website for IT professionals].
www.symantec.com. [security software vendor].
www.trendmicro.com. [security software vendor].
pr.webroot.com/threat-research/cons/protect-your-computer-from-hackers-101210.html.
Books and Articles
Alexander P (2008). Information Security: A Manager's Guide to Thwarting Data Thieves and Hackers. Praeger.
Bacik S (2008). Building an Effective Information Security Policy Architecture. CRC.
Biegelman MT, Biegelman DR (2008). Building a World-Class Compliance Program: Best Practices and Strategies for Success. Wiley.
Chickowski E (2009). Is Your Information Really Safe? Baseline Magazine [April].
Chorafas DN (2008). IT Auditing and Sarbanes–Oxley Compliance: Key Strategies for Business Improvement. Auerbach Publications.
DeLuccia JJ IV (2008). IT Compliance and Controls: Best Practices for Implementation. Wiley.
Foresti S (2010). Preserving Privacy in Data Outsourcing. Springer.
Greengard S (2011). Managing a Multigenerational Workforce. CIO Insight Magazine [May/June].
Keefe M (2009). A Short History of Hacks, Worms, and Cyberterror. Computerworld [April 27].
Matwyshyn A (2009). Harboring Data: Information Security, Law, and the Corporation. Stanford Law Books.
McClure S, Scambray J, Kurtz G (2009). Hacking Exposed: Network Security Secrets and Solutions. McGraw-Hill Osborne.
Mitnick K (2011). Ghost in the Wires. Little, Brown and Company.
Perkins B (2011). Data Breaches' Costly Fallout. Computerworld [June 6].
Rashid F (2011). Cloud Security Services Can Reduce Malware. eWeek [July 18].
Rashid F (2011). Hackers Shift from Vandalism to Data Theft. eWeek [August 15].
Saporito B (2011). Hack Attack. Time [July 4].
Selig GJ, Wilkinson J (2008). Implementing IT Governance: A Practical Guide to Global Best Practices in IT Management. Van Haren Publishing.
Senft S, Gallegos F (2008). Information Technology Control and Audit, 3rd ed. Auerbach Publications.
Sengupta S (2011). Guardians of Internet Security Are Targets. New York Times [August 4].
Steele BK (2009). Due Diligence. Baseline Magazine [March].
Tipton HF, Krause M (2009). Information Security Management Handbook. Auerbach Publications.
Vijayan J (2009). Internet Warfare: Are We Focusing on the Wrong Things? Computerworld [April 27].
Wallace M, Weber L (2008). IT Governance 2009: Policies & Procedures. Aspen Publishing.
Whitman ME, Mattord HJ (2011). Principles of Information Security. Course Technology.
Wright CS (2008). The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments. Syngress.
SOX
www.aicpa.org/Advocacy/Issues/Pages/Section404bofSOX.aspx.
news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf.