Travel and Off-Site Meeting Policy
Protect your data from lost and theft
Travel and Off-Site Meeting Policy - Protection of data and software is often is complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other employees, contractors, suppliers and customers data and software can be compromised. This policy is seven (7) page in length and covers:
- Laptop and PDA Security
- Wireless and Virtual Private Networks (VPN)
- Data and Application Security
- Public Shared Resources
- Minimizing attention
- Off-Site Meetings
- Remote Computing Best Practices
This policy has been updated to reflect the requirements of PCI-DSS, Sarbanes-Oxley, HIPAA, and ISO. The policy comes as both a WORD file and a PDF file utilizing a standard CSS style sheet.
Laptops can and do get lost or stolen. In studies conducted by several security firms, it has been found that over 50% of all lost or stolen laptops disappear at airport security checkpoints an departure gates. Unfortunately almost 70% of these laptops are never recovered.
Mobile security options
Because mobile devices reside outside the company firewall and beyond the reach of corporate security policies, they are often where unauthorized activity can occur. Users can inadvertently pass viruses, spyware, and other malware to the company network through the VPN. It still matters that a network has a formidable configuration of layered security, but when a notebook or smartphone is lost or stolen, the data stored on the notebook’s is exposed. Enterprises have to have ways to protect that data regardless of its location or place of breach. Options available to the enterprise include:
- VPN - Many enterprises use Internet Protocol Security (IPSec) VPNs, but the fact that IPSec works at the network layer can add exposure of the entire network to malware found on remote machines. Secure Sockets Layer (SSL) VPN technology works at the transport layer of the Transport Control Protocol/Internet Protocol (TCP/IP) stack and is session-oriented, offering more precision in granting access - even down to a specific application, file or window of time. Some vendors are offering all-in-one appliances that package not only VPN working on both layers, but also firewall, intrusion prevention and network antivirus.
- Network Access Control (NAC) - NAC gives the network the ability to grant access to a device based on preset criteria, and then monitor it throughout its connection cycle. If the device behaves in a way that is out of line with policies, it is quarantined, given an opportunity to remediate and then disconnected if it remains noncompliant.
- Encryption - A data-level form of protection, encryption is centrally managed and updated. It works by jumbling data according to a complex algorithm that machines are able to unlock once they have been authenticated. Everything from a single file to the entire hard disk can be encrypted.
- Intrusion detection and prevention - Intrusion detection and prevention systems focus on identifying incidents, logging information about them, taking action to stop intrusions and reporting incidents to administrators for further review. These systems work well to stop unusual IPs and to block worms, botnets and other malware. They add an additional layer of security between the firewall and antivirus software.
- Remote Lock Down and Data Destrition - Credentials and devices that are tagged as inactive can have "self desruct" or "remote lock down" code downloaded and activated in such a way that all of the "sensitive data" on the remote device is "erased" and the device put in such a state that it is not usable with intervention by the enterprise.. Extreme care should be used if this option is used and the help desk should have procedures in place so that devices remotely locked down in such a manner can be re-activated.
- Data leakage protection - You can secure data, regardless of where it is in relation to the network, with data leakage prevention (DLP) technology. DLP solutions tag data based on a set of criteria such as location of data, application type, file type, keywords and common data strings. These tags alert IT when the data is being used in a certain manner. DLP can prevent the data from being copied, e-mailed, sent via IM, printed, saved to a different device, changed to a different file type or otherwise altered.
Individual Policies
All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who just need this particular policy. All policies are Sarbanes-Oxley, HIPAA, PCI-DSS, and ISO compliant.
Internet,
e-Mail, Social Networks,
Mobile Device,
Electronic Communications, and
Record Retention Policy
This policy is is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and Sensitive information), and
covers: 
- Appropriate Use of Equipment
- Mobile Devices
- Internet Access
- Social Networks
- Electronic Mail
- Retention of Email on Personal Systems
- E-mail and Business Records Retention
- Copyrighted Materials
- Banned Activities
- Ownership of Information
- Security
- Sarbanes-Oxley
- Abuse
Included with the policy are forms that can be used to facilitate the implementation of the policy. Included are these ready to use forms:
- Internet & Electronic Communication Employee Acknowledgement
- E-Mail - Employee Acknowledgement
- Internet Use Approval Form
- Internet Access Request Form
- Security Access Application Form
The WORD
template uses the latest CSS style sheet and can easily be modified
to conform to the style used in your enterprise policy manual.
Outsourcing Policy
Outsourcing Policy - This policy is eighteen page in length and defines everything that is need for function to be outsourced. The policy comes as a Microsoft Word document that can be modified as needed. The template has been updated to include a HIPAA audit program definition in length and covers:
- Outsourcing Management Standard
- Service Level Agreement
- Responsibility
- Outsourcing Policy
- Policy Statement
- Goal
- Approval Standard
- Base Case
- Responsibilities
Note: Look at the Practical Guide for Outsourcing over 110 page document for a more extensive process for outsourcing
Sensitive Information Policy
Includes HIPAA Audit Program Guide and a PCI Audit Program
This
policy is easily modified and defines how to treat Credit Card,
Social Security, Employee, and Customer Data. The template is 34
pages in length and complies with Sarbanes Oxley Section 404,
ISO 27000 (17799), and HIPAA. The PCI Audit Program that is
included is an additional 50 plus pages in length.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
The HIPAA Audit Program Guide provides you with a checklist of the must be implemented items which HIPAA mandates.
You can download the Table of Contents and some sample pages by clicking on the link below.
Backup and Backup Retention Policy
IT organizations of all sizes contend with a growing data footprint with more data to manage, protect and preserve for longer periods of time. Online primary storage, has focus a on fast lowlatency, reliable access to data while near-line secondary storage has a focus on low cost and high capacity. Long-term data retention requires a combination of ultra-low cost, good performance during storage and retrieval, and reduced footprint in terms of power, cooling, floor-space and economics (PCFE) - also known as a small green footprint - for inactive data.
Factors that CIOs and IT professionals need to consider for data retention include:
- Business and regulatory requirements – regulatory compliance and data preservation
- Economic and budgetary concerns – doing more with less
- Data loss prevention and information protection – protect, preserve and serve
- Environmental and business sustainment – green and economically efficient
- Maximize IT resource effectiveness and return on investment (ROI)
- Reduce total cost ownership (TCO) of IT resources and service delivery
The Backup and Backup Retention policy is an 11 page sample policy that is a complete policy which can be implemented immediately.
The document is provided in both Word 2003 and Word 2007 format and is easily modified. This policy is included in the Disaster Recovery / Business Continuity Template.
Below is a table from the policy:
Type of Data |
Minimal Backup Policy |
Backup Retention Policy |
System software |
Latest Version plus patches |
Annual (verified) Backup |
Application software |
Latest Version plus patches |
Annual (verified) Backup |
System data |
Daily |
Annual (verified) Backup |
Application Data |
Daily with real time transaction files |
Annual (verified) Backup |
Software licenses, encryption keys, & Protocol Data |
Weekly |
Annual (verified) Backup |
IT Policies and Procedures News
~~~BeginItemsRecord~~~~~~SortByPubDate~~~
~~~ItemTitle~~~
~~~ItemDescription~~~ - more info~~~EndItemsRecord~~~