
This is a sample of the final product. These pages are for your review only and are protected by Janco's copyright. PAGES HAVE BEEN EXCLUDED.

Information Technology Infrastructure, Strategy, & Charter

TEMPLATE -- Version 2.1

ISO 27000 Series Compliant

E-mail: support@e-janco.com
http://www.e-janco.com
February 2008

© Copyright 2008 M. Victor Janulaitis


© Copyright 2008 Janco Associates, Inc.
ALL RIGHTS RESERVED

All Rights Reserved. No part of this book may be reproduced by any means without the prior written
permission of the publisher. No reproduction or derivation of this book shall be re-sold or given away
without royalties being paid to the authors. All other publisher's rights under the copyright laws will be
strictly enforced.

Published by: Janco Associates Inc.


11 Eagle Landing Court
Park City, UT 84060

435 940-9300

e-mail - support@e-janco.com

Publisher cannot in any way guarantee the procedures and approaches presented in this book are being used
for the purposes intended and therefore assumes no responsibility for their proper and correct use.
Printed in the United States of America
ISBN13: 978-1-881218-01-2
HandiGuide is a registered trademark of Janco Associates, Inc.
*** IMPORTANT ************************************************************
In order to get support you MUST register your product by going to
http://www.e-janco.com/register.asp
If your product is not registered you will have to pay for support via
a credit card (MasterCard, Visa, or American Express). Please have
your credit card ready prior to calling.

**************************************************************************

Both of these documents contain the same content; we have provided both for your use. If you have any
questions on these documents, please send an e-mail to support@e-janco.com and reference your order
number.

Telephone support can be obtained if you have registered your product by going to http://www.e-janco.com/register.asp

If you register your product within thirty (30) days of purchase and follow the instructions provided Janco
will send you a coupon for 10% off on your next purchase from any of Janco's direct sites.
These include:

1. http://www.e-janco.com
2. http://www.itproductivity.org
3. http://www.ejobdescription.com
4. http://www.it-toolkits.com

© 2008 Copyright Janco Associates, Inc. - ALL RIGHTS RESERVED Page ii


READ ME - How to modify this template

This template was compiled in Word and we have used VISIO for the exhibits. You
need Microsoft WORD to modify the text and VISIO to modify the exhibits.

The steps that you should follow to use this template are:

1. Make the original version of the document a read-only file and restrict access to it.
2. Save a copy of the Word template with a new name in a place that you can access
   it without altering the original.
3. Using Microsoft WORD's Edit > Replace functionality, replace:
   Mandatory
   - [Enterprise] with your enterprise's name
   Optional
   - IT Management Council with the name of your priority and resource setting
     group, i.e. Steering Committee.
   - Chief Information Officer with Chief Technology Officer
   - CIO with CTO (make sure that you tag this as case sensitive)
   - IT with IS (make sure that you tag this as case sensitive)
4. Customize your headers and footers. Somewhere within the document, note that
   this charter was generated from one of our copyrighted templates.
5. Delete this page.
6. Go to the table of contents, right-click on any part of it and select the option
   to replace the Table of Contents; the new Table of Contents will be generated.
7. Save the document with a name (i.e. Strategy001.doc). Increment the number
   each time that you save the document and you will have back-ups of your
   Charter that you can refer to as you customize it to meet your needs.


Table of Contents

IT INFRASTRUCTURE, STRATEGY, AND CHARTER SUMMARY .......................................................1


Base Assumptions and Objectives ..........................................................................................................1
Scope and Applicability ..........................................................................................................................1
Operating Philosophy ..............................................................................................................................2
Compliance .............................................................................................................................................2
International Organization for Standardization .......................................................................................2
ISO 27000 ............................................................................................................................................2
STRATEGY AND CHARTER STATEMENT OF AUTHORITY ................................................................5
Chief Information Officer (CIO) .............................................................................................................5
Strategy and Charter .............................................................................................................................5
Authority ..............................................................................................................................................6
Functional IT Group Heads .....................................................................................................................7
Strategy and Charter .............................................................................................................................7
Authority ..............................................................................................................................................8
IT Management Council .........................................................................................................................9
Strategy and Charter .............................................................................................................................9
Authority ..............................................................................................................................................9
Users .....................................................................................................................................................10
Strategy and Charter ...........................................................................................................................10
IT MANAGEMENT STRUCTURE .............................................................................................................11
Organizational Approach ......................................................................................................................11
[Enterprise] IT Group............................................................................................................................12
Planning, Project Management and Control .......................................................................................12
Technology.........................................................................................................................................12
Systems Development ........................................................................................................................12
Organization, Staffing and Resource Development ...........................................................................12
[Enterprise] IT Resources .....................................................................................................................13
Functional IT Groups ............................................................................................................................14
COMPLIANCE .............................................................................................................................................15
Objective ...............................................................................................................................................15
Responsibilities .....................................................................................................................................15
CIO .....................................................................................................................................................15
IT Management Council.....................................................................................................................16
Functional IT Heads ...........................................................................................................................16
Users ..................................................................................................................................................16
Auditors ..............................................................................................................................................17
PERSONNEL PRACTICES.........................................................................................................................18
Formal Job Descriptions .......................................................................................................................18
Job Description Format ......................................................................................................................18
Job Title ................................................................................................................................................................. 18
Position Purpose ............................................................................................................................................... 18
Problems and Challenges ....................................................................................................................................... 19
Essential Position Functions ............................................................................................................................. 19
Principal Accountabilities ............................................................................................................................ 19
Authority ..................................................................................................................................................... 20
Job Contacts................................................................................................................................................. 20
Job Specifications ........................................................................................................................................ 20
Career Ladder ................................................................................................................................................... 21
Hiring ....................................................................................................................................................21



Termination ...........................................................................................................................................21
Voluntary Termination .......................................................................................................................21
Job Abandonment...............................................................................................................................22
Involuntary Termination ....................................................................................................................22
Termination Actions...........................................................................................................................22
Training .................................................................................................................................................23
Hardware Training .............................................................................................................................23
Operating System Training ................................................................................................................23
Applications Training.........................................................................................................................23
[Enterprise] Staff ...................................................................................................................................23
Contractor Personnel .............................................................................................................................24
CONTROLS ..................................................................................................................................................25
Types of Controls ..................................................................................................................................25
Risks......................................................................................................................................................26
Types of Risk .....................................................................................................................................26
Management Error ................................................................................................................................................. 26
Inadvertent Disclosure ........................................................................................................................................... 26
Competitive Disadvantage ..................................................................................................................................... 27
Legal Issues ........................................................................................................................................................... 27
Regulatory Problems ............................................................................................................................................. 27
Monetary Losses .................................................................................................................................................... 27
Controls Standards ................................................................................................................................27
Policies and Procedures ......................................................................................................................................... 27
Application Development and Testing .................................................................................................................. 27
Program Changes ................................................................................................................................................... 28
Documentation....................................................................................................................................................... 28
Data Editing ........................................................................................................................................................... 28
Input/Output Controls ............................................................................................................................................ 28
Physical Access Restrictions ................................................................................................................................. 28
Logical Access Restrictions ................................................................................................................................... 29
Back-up and Contingency Planning....................................................................................................................... 29
Audit ...................................................................................................................................................................... 29
Logging and Audit Trails ......................................................................................................................29
Accountability ....................................................................................................................................................... 29
Reconstruction of Events ....................................................................................................................................... 29
Information to Be Recorded .................................................................................................................................. 30
Tracing Transactions ............................................................................................................................................. 30
Support Information .............................................................................................................................................. 30
Retention Period of Documentation and Audit Trail Data ..................................................................................... 30
Need for Source Documents .................................................................................................................................. 30
Audit Logs ............................................................................................................................................................. 31
Job-related Data ................................................................................................................................................ 31
Program-related Data ........................................................................................................................................ 31
File-related Data ............................................................................................................................................... 31
Transaction-related Data ................................................................................................................................... 31
Message Data.................................................................................................................................................... 32
Database-related Data ....................................................................................................................................... 32

APPLICATION DEVELOPMENT STANDARDS .....................................................................................33


SAMMY ...............................................................................................................................................34
Quality Assurance Process ....................................................................................................................36
SERVICE REQUESTS ................................................................................................................................37
Policies ..................................................................................................................................................37
Process ..................................................................................................................................................38
Service Request Management ...............................................................................................................38
Equipment/Service Request ..................................................................................................................39
Problem Resolution Process ..................................................................................................................39
LOCAL AREA NETWORKS (LANS) ..........................................................................................................41
Features .................................................................................................................................................41
Directory Rights .................................................................................................................................................... 42
File Security........................................................................................................................................................... 43
LAN Standards......................................................................................................................................44
LAN Councils and Workgroups............................................................................................................44
BACK-UP & RECOVERY............................................................................................................................45
Data Storage and Media Protection .......................................................................................................45
Labeling .............................................................................................................................................46
Storage ...............................................................................................................................................46
Retention Schedule.............................................................................................................................46
Disposal of Sensitive Information ......................................................................................................46
Back-up Program and Schedule ............................................................................................................47
Creating a Back-up Program ..............................................................................................................47
Monitoring the Back-up Program ......................................................................................................48
Recovering From Back-up Media ......................................................................................................48
DISASTER RECOVERY PLAN ..................................................................................................................49
Description ............................................................................................................................................49
Critical Function Analysis ....................................................................................................................50
DRP Procedures for Critical Data .........................................................................................................50
Back-up Criteria ....................................................................................................................................51
Back-up Procedures ..............................................................................................................................51
Storage Criteria .....................................................................................................................................51
Business Recovery Procedures .............................................................................................................52
Requirements for Recovery...................................................................................................................52
Recovery Guidelines .............................................................................................................................52
Restoring Damaged Equipment ............................................................................................................52
Recovery Management .........................................................................................................................53
Contingency Planning ...........................................................................................................................54
Responsibilities ..................................................................................................................................54
Manager, Functional IT Group .............................................................................................................................. 54
Managers, IT Processing Areas ............................................................................................................................. 54
Managers, all departments ..................................................................................................................................... 55
User organizations ................................................................................................................................................. 55
IT Computer Operations ........................................................................................................................................ 55
Outside Organizations ........................................................................................................................................... 55
Planning Activities ................................................................................................................................55
Function of Planning Activities ..........................................................................................................55
Development Activities ......................................................................................................................56
Planning Manual ................................................................................................................................56
Maintenance Activities .......................................................................................................................56
SECURITY....................................................................................................................................................58
IT Processing Area Classification .........................................................................................................59
Criteria ...............................................................................................................................................59
Classification Categories.......................................................................................................................59
Category I - IT Processing Area ............................................................................................................................ 59
Category II - IT Processing Area ........................................................................................................................... 60
Category III - IT Processing Area .......................................................................................................................... 60
Category IV - IT Processing Area ......................................................................................................................... 60
Physical Security ................................................................................................................................60
Work Stations and Remote Terminals ..................................................................................................61
Attended terminals .............................................................................................................................61
Unattended terminals .........................................................................................................................62
Systems Security ...................................................................................................................................62



Management Control Tools ................................................................................................................63
Staff Member Security ..........................................................................................................................63
Review ...............................................................................................................................................63
Risky Practices ...................................................................................................................................63
Violations ...........................................................................................................................................63
Management Action ...........................................................................................................................64
Responsibilities .....................................................................................................................................64
[Enterprise] Information Security Officer.............................................................................................................. 64
Group Security Administrator ............................................................................................................................... 64
System Security Administrator .............................................................................................................................. 64
Users ...................................................................................................................................................................... 64
Manager, Audit Department .................................................................................................................................. 64
Managers, Personnel Organizations....................................................................................................................... 64
User Sensitive Positions ........................................................................................................................65
Network Security ..................................................................................................................................65
Vulnerabilities ....................................................................................................................................66
Responsibilities .....................................................................................................................................66
Application Owners ............................................................................................................................................... 66
Support Organizations ........................................................................................................................................... 66
[Enterprise] IT ....................................................................................................................................................... 67
Violation Reporting and Follow-Up .....................................................................................................67
Violation Logging ..............................................................................................................................67
ACCESS CONTROL - PHYSICAL SITE ....................................................................................................69
Separation of Duties ..............................................................................................................................69
Least Privilege ......................................................................................................................................70
Access Areas .........................................................................................................................................70
Individual Accountability ...................................................................................................................70
Category I - IT Processing Areas .......................................................................................................70
Category II - IT Processing Areas ......................................................................................................71
Category III - IT Processing Areas.....................................................................................................71
Category IV - IT Processing Areas .......................................................................................................71
Definitions of IT Access Control Zones ...............................................................................................71
Public Areas .......................................................................................................................................71
Controlled Areas ................................................................................................................................71
General Areas ........................................................................................................................................................ 71
Restricted Areas ..................................................................................................................................................... 71
Responsibilities .....................................................................................................................................72
Functional IT Group .............................................................................................................................................. 72
Security Management Group (SMG) ..................................................................................................................... 72
Requesting Manager Responsibilities .................................................................................................................... 73
Authorizing Managers ........................................................................................................................................... 74
Security Guards ..................................................................................................................................................... 74
Staff Members ....................................................................................................................................................... 74
Audit Department .................................................................................................................................................. 75
Badges ...................................................................................................................................................75
Permanent Badge/Permanent Staff Member ......................................................................................75
Permanent Badge/Temporary Staff Member ......................................................................................75
Temporary Badge/Permanent Staff ....................................................................................................76
Temporary Badge/Temporary Staff Member .....................................................................................76
Temporary Badge/Non-staff Members (Visitors and Vendors) .........................................................76
Access Control Methods .......................................................................................................................76
Levels of Access Authority ...................................................................................................................77
Permanent Access ..............................................................................................................................77
Temporary Access ..............................................................................................................................77
Protection of Supporting Utilities .........................................................................................................77
Resource Protection ..............................................................................................................................78
© 2008 Copyright Janco Associates, Inc. - ALL RIGHTS RESERVED Page vii
Network Control Centers ...................................................................................................................78
Network Components.........................................................................................................................78
Wire Closets .......................................................................................................................................78
Terminal and Remote Job Entry Devices ...........................................................................................78
Configuration Management ................................................................................................................79
Dial-Up Controls ................................................................................................................................79
Message Authentication .....................................................................................................................80
Exceptions ..........................................................................................................................................80
ACCESS CONTROL - SOFTWARE AND DATA ......................................................................................81
Resources to Be Protected.....................................................................................................................81
Basic Standards .....................................................................................................................................82
Classification Of Data, Software And Documentation .........................................................................83
Sensitive Information............................................................................................................................................. 83
Non-sensitive Information ..................................................................................................................................... 84
Control Types .....................................................................................................................................84
Access from Other Facilities .................................................................................................................84
Controllability ....................................................................................................................................84
Integrity ..............................................................................................................................................85
Identification ......................................................................................................................................85
Authentication ....................................................................................................................................85
Classification of Techniques ..............................................................................................................86
Standards for Passwords.....................................................................................................................86
Authorization Verification ....................................................................................................................87
FACILITY REQUIREMENTS ....................................................................................................................88
Physical Plan Considerations ................................................................................................................88
Building Location...............................................................................................................................88
External Characteristics......................................................................................................................89
Location of IT Processing Areas ........................................................................................................90
Construction Standards ......................................................................................................................90
Protection from Water Damage ..........................................................................................................91
Air Conditioning ................................................................................................................................91
Entrances and Exits ............................................................................................................................91
Interior Furnishings ............................................................................................................................92
Fire ........................................................................................................................................................92
Protection ...........................................................................................................................................92
Detection ............................................................................................................................................94
Suppression ........................................................................................................................................94
Sprinklers............................................................................................................................................................... 94
Halon ..................................................................................................................................................................... 95
Emergency Shut Down Control ............................................................................................................................. 95
Portable Fire Extinguishers .................................................................................................................................... 96
Power ....................................................................................................................................................96
Uninterruptible Power Supply ............................................................................................................96
Emergency Power ..............................................................................................................................96
Air Conditioning ...................................................................................................................................97
Category I Areas ................................................................................................................................97
OTHER TECHNICAL GUIDES .................................................................................................................98
APPENDIX ...................................................................................................................................................99
HIPAA Audit Program Guide .............................................................................................................100
Background ......................................................................................................................................100
Ensuring HIPAA Compliance ..........................................................................................................101
HIPAA requires: .................................................................................................................................................. 101
HIPAA implementation requires ......................................................................................................................... 101

Planning the Audit............................................................................................................................102
HIPAA Audit Scope .........................................................................................................................104
Audit Objectives .................................................................................................................................................. 104
Objective 1 ..................................................................................................................................................... 104
Objective 2 ..................................................................................................................................................... 104
Objective 3 ..................................................................................................................................................... 104
Audit Wrap Up .................................................................................................................................................... 105
ISO 27001 & 27002 Security Process Audit Checklist .......................................................................106
Security Policy Management Objectives..........................................................................................106
Corporate Security Management Objectives ....................................................................................107
Organizational Asset Management Objectives ................................................................................109
Human Resource Security Management Objectives ........................................................................110
Physical and Environmental Security Management Objectives .......................................................112
Communications and Operations Management Objectives ..............................................................113
Information Access Control Management Objectives ......................................................................116
Systems Development and Maintenance Objectives ........................................................................119
Information Security Incident Management Objectives ...................................................................121
DRP and Business Continuity Management Objectives ..................................................................122
Compliance Management Objectives ...............................................................................................124
Control and Security Objectives.......................................................................................................125
What's News .......................................................................................................................................126
Version 2.1 February 2008 ...............................................................................................................126
Version 2.0 February 2007 ...............................................................................................................126



IT Infrastructure, Strategy, and Charter Summary


[Enterprise] Information Technology (IT) is a large and diverse organization that manages the information, internet, communication, and computer resources of [Enterprise]. This document:
• Defines the IT responsibilities that are the building blocks of a well-performing organization
• Highlights the overall guidelines and policies of [Enterprise] IT
• Provides an understanding of how IT integrates with the enterprise
• References additional documentation that addresses the more tactical standards and guidelines found throughout the company

Base Assumptions and Objectives


The IT Strategy and Charter provides a framework for documenting the key operating guidelines necessary to support both the functional and process-oriented business requirements of [Enterprise]. This framework enables IT to:
• Serve an evolving client base that is both fluid and dynamic
• Promote teamwork with cross-company management and technical support
• Identify opportunities for leveraging cross-functional systems
• Integrate process re-engineering with ongoing planning and budgeting activities
• Institutionalize the delivery of timely, quality, and reliable [Enterprise]-wide systems

Scope and Applicability


This Strategy and Charter, together with other technical and reference documents, will assist management, clients, and professional staff in working together to deliver cost-effective technologies that provide [Enterprise] with industry-leading solutions. Its impact will cross divisional, regional, and operating unit boundaries in order to achieve a commonality of purpose and a consistency of results that can be leveraged to the greatest competitive advantage.



HIPAA Audit Program Guide

Background
All providers of medical services were required to comply with the Health Information Portability and Accountability Act (HIPAA). HIPAA was created to improve the efficiency and effectiveness of the health care system through the development of national standards for electronic health care transactions.

HIPAA mandates that organizations:

• Provide information to patients about their privacy rights and how their information can be used.
• Train employees so that they understand the privacy procedures.
• Designate an individual to be responsible for seeing that the privacy procedures are adopted and followed.
• Perform a privacy risk assessment.
• Adopt clear privacy procedures for the practice, hospital, or plan.
• Secure patient records containing individually identifiable health information, so that they are not readily available to those who do not need them.

The focus of the HIPAA audit is:

• Review of written policies and practices on security
• Review of written policies and practices on privacy
• Review of processes in practice vs. privacy policies and procedures
• Review of processes in practice vs. security policies and procedures
• Review of business associates to assure that each has a valid contract or agreement, especially new associates or partners

Appendix
ISO 27001 & 27002 Security Process Audit Checklist

Corporate Security Management Objectives


Establish an internal security organization.
• Establish a management framework to control how your enterprise implements information security.
• Validate that your enterprise's management approves your enterprise's information security policy.
• Validate that your enterprise's management assigns security roles.
• Validate that your enterprise's management coordinates the implementation of security across your enterprise.
• Validate that your enterprise's management reviews the implementation of security across your enterprise.
• Validate that your enterprise has access to information security experts and advisors within your own enterprise.
• Validate that your enterprise's internal experts are able to provide specialized information security advice.
• Validate that your enterprise has access to external security experts, advisors, and authorities.
• Use your external advisors to help your enterprise monitor changes in security standards.
• Use your external advisors to help your enterprise monitor changes in security assessment methods.
• Use your external advisors to help your enterprise keep up with industry security trends.
• Validate that your enterprise's external information security experts and advisors can help your enterprise deal with security incidents.
• Validate that your enterprise encourages the use of a multidisciplinary approach to information security.
Control external use of your enterprise's information.
• Maintain the security of your enterprise's information whenever it is being accessed by external parties.
• Maintain the security of your enterprise's information whenever it is being processed by external parties.
• Maintain the security of your enterprise's information whenever it is being managed by external parties.
• Maintain the security of your enterprise's information processing facilities whenever they are being managed by external parties.
• Maintain the security of your enterprise's information processing facilities whenever they are being accessed by external parties.
• Maintain the security of your enterprise's information processing facilities whenever information is processed by external parties.
• Maintain the security of your enterprise's information processing facilities whenever external parties are allowed to communicate with these facilities.
• Validate that the security of your enterprise's information processing facilities is not compromised by the influence of external party products or services.
• Validate that the security of your enterprise's information is not compromised by external party products or services.
• Control external party access to your enterprise's information.

What’s News

Version 2.1 February 2008


• Added a section defining ISO
• Added a section defining the ISO 27000 standard series
• Updated the template to comply with ISO 27001 and ISO 27002
• Updated the Security Process Audit Check List to comply with ISO 27001 and ISO 27002
• Corrected errata

Version 2.0 February 2007


• HIPAA Audit Program added
• ISO 17799 Security Process Audit Check List added
• Office 2007 version added
