Data Security - Top 10 Best Practices

Security Policies

CIOs and IT managers are challenged to meet compliance requirements for data security while, at the same time, meeting the data requirements of a full range of disparate users.

They are tasked with protecting an organization's data, but often without the business context needed to do this effectively. Given how valuable an organization's data is, a 'best guess' approach is not enough. There are certain best practices that CIOs and IT departments should follow to keep data secure and protected while still allowing authorized users timely access to the data and information they need.

A company's data is typically protected by access control lists containing security groups and particular organizational roles. Users are assigned to a security group depending on their role in the company and/or organizational need.


However, access control lists rarely reflect the true needs of the business. More often than not, users have access to far more information than they need to do their jobs effectively, greatly increasing the risk of theft, data loss or misuse. At the same time, IT is not able to reduce access without having a negative impact on organizational activity.

There are best practices that CIOs need to implement in order to protect a business's data:

  1. Understand who is accessing data via frequent auditing and real-time monitoring of data access - A comprehensive record of access is vital to the effective management of any data. A proper record of data use allows an organization to answer critical questions, such as who deleted particular files, what data specific individuals use and what is not being used. It will also allow a business to answer more complicated questions, such as who owns a particular data set, which data support a particular business unit and how data can be locked down without disrupting workflows.
  2. Keep current records on data access permissions - CIOs cannot effectively manage any data without understanding who can and can't access it. All too often IT cannot quickly and easily answer data protection questions such as: who has access to a particular data set? Or what data does a user or group have access to? IT must be able to answer these questions accurately and quickly for data protection and management projects to work.
  3. Classify data by sensitivity - While all of a company's information needs to be protected, some information needs that protection more urgently. Audit trails, data classification technology and access control information help businesses to identify active and stale data, as well as data that is sensitive, classified or internal, and data that is accessible to many people.
  4. Minimize and remove global access rights - Sometimes folders on file shares have access control permissions allowing 'everyone' or 'all domain users' to access the data they contain. This is a significant potential risk, as any information housed in that folder will inherit those permissions, and those who place information in these wide-open folders may be unaware of the unsecured settings. Sensitive data, such as PII, credit card information, intellectual property or HR information, placed in such a folder can lead to enormous security problems.
  5. Identify data owners and users - An organization's technical department should maintain a list of data business owners and the data they own. Through this list, CIOs and IT departments can expedite many of the previously identified tasks, such as verifying permissions revocation and review and identifying data for archival. Ultimately, being able to identify the data owners will lead to a marked increase in the accuracy of data entitlement permissions and, in turn, data protection.
  6. Include data access reviews when individuals are transferred, promoted, or terminated - When an individual within a company changes their role, that user should more than likely no longer have access to data resources that they no longer need. In order to do this successfully, the business must know, at the very minimum, what data and which security groups require review, which groups grant access to which data and who owns a particular data set. Performing these reviews will make sure that data can only be accessed by individuals who strictly need it.
  7. Align groups to data ownership and management - When data access is controlled by groups, it is vital that the groups are properly aligned with the data they are in place to protect. A group should have the ability to grant access to the data it controls and nothing else.
  8. Audit permissions and group changes - Access control lists play a vital role in protecting data from loss, tampering or exposure. Group membership should be authorized and reviewed by the owner of the data or resource to which the group provides access.
  9. Lock down, delete or archive stale, unused data - A significant amount of data housed on unstructured and semi-structured platforms is stale. By archiving stale or unused data to off-line storage or deleting it, IT makes the job of managing the remainder simpler and easier, while freeing up an expensive resource.
  10. Clean up security groupings - Unneeded complexity hampers performance and facilitates mistakes. Businesses create so many groups that they often have as many groups as they do users, and many of these groups are likely to be empty, unused or redundant. Access control lists often contain references to previously deleted users and groups, and these must be identified and remediated.

Security Manual - Comprehensive, Detailed, and Customizable

The Security Manual is over 240 pages in length. All versions of the Security Manual Template include both the Business IT Impact Questionnaire and the Threat Vulnerability Assessment Tool (they were redesigned to address Sarbanes Oxley compliance).


In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes Oxley, ISO security domains, ISO 27000 (ISO 27001 and ISO 27002), PCI-DSS, HIPAA, FIPS 199, and CobiT.

The Security Manual has recommended policies, procedures and written agreements with employees, vendors and other parties who have access to the company's technology assets. To make this process as easy as possible, Janco provides 18 formatted electronic forms for distribution and documentation. All forms are easy-to-edit Microsoft Word templates, so all you need to do is add your corporate logo and make your own additions and changes, and your task of policy and procedure documentation is nearly complete.

The forms included are:

    1. Application & File Server Inventory
    2. Blog Policy Compliance Agreement
    3. BYOD Access and Use Agreement
    4. Company Asset Employee Control Log
    5. Email Employee Agreement
    6. Employee Termination Procedures and Checklist
    7. FIPS 199 Assessment
    8. Internet Access Request Form
    9. Internet and Electronic Communication Employee Agreement
    10. Internet use Approval
    11. Mobile Device Access and Use Agreement
    12. Mobile Device Security and Compliance Checklist
    13. New Employee Security Acknowledgment and Release
    14. Outsourcing and Cloud Security Compliance Agreement
    15. Outsourcing Security Compliance Agreement
    16. Preliminary Security Audit Checklist
    17. Privacy Compliance Policy Acceptance Agreement
    18. Risk Assessment (pdf & docx)
    19. Security Access Application
    20. Security Audit Report
    21. Security Violation Procedures
    22. Sensitive Information Policy Compliance Agreement
    23. Server Registration
    24. Social networking Policy Compliance Agreement
    25. Telecommuting Work Agreement
    26. Text Messaging Sensitive Information Agreement
    27. Threat and Vulnerability Assessment Inventory
    28. Work From Home Work Agreement
    29. Plus more

Data security and protection are a priority, and this template is a must-have tool for every CIO and IT department. Over 3,000 enterprises worldwide have acquired this tool, and it is viewed by many as the industry standard for security management and security compliance.

Security Manual Template purchase options

Security Manual Template - Standard Edition

  • Business and IT Impact Questionnaire
  • Threat and Vulnerability Assessment Toolkit
  • Security Management Checklist
  • Full Detail Policies for
    • Blog and Personal Website Policy
    • Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy
    • Mobile Device Policy
    • Physical and Virtual File Server Policy
    • Sensitive Information Policy
    • Travel and Off-Site Meeting Policy
  • Job Descriptions for the Chief Compliance Officer, Chief Security Officer, Data Protection Officer, Manager Security and Workstations, Manager WFH Support, Security Architect, and Systems Administrator.
  • Work From Home (WFH) operational rules
  • HIPAA Audit Program
  • AI Security Management
  • GDPR Compliance Checklist to meet EU Requirements
  • CCPA - California Consumer Privacy Act requirements definition
  • Consumer Bill of Rights
  • Sarbanes Oxley Section 404 Checklist
  • Security Audit Program - fully editable - Comes in MS EXCEL and PDF formats - Meets GDPR, ISO 28000, 27001, 27002, Sarbanes-Oxley, PCI-DSS, HIPAA, FIPS 199, and NIST SP 800-53 requirements - Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings
  • Electronic forms that can be Emailed, completed via a computer or tablet, and stored electronically including: Blog Policy Compliance, BYOD Access and Use, Company Asset Employee Control Log, Email - Employee Acknowledgment, Employee Termination Checklist, FIPS 199 Assessment Electronic Form, Internet Access Request, Internet Use Approval, Internet & Electronic Communication - Employee Acknowledgment, Mobile Device Access and Use Agreement, Employee Security Acknowledgment Release, Preliminary Security Audit Checklist, Risk Assessment, Security Access Application, Security Audit Report, Security Violation Reporting, Sensitive Information Policy Compliance Agreement, Server Registration, and Threat and Vulnerability Assessment
  • eReader version of the Security Manual Template
  • BONUS - ISO 28000 Supply Chain Security Audit Program in MS EXCEL and PDF formats.

Security Manual Template - Premium Edition

  • Security Manual Template Standard Edition - Electronically Delivered

  • Security Team Job Descriptions MS Word Format
    • Chief AI Officer (CAIO); Chief Compliance Officer (CCO); Chief Security Officer (CSO); VP Strategy and Architecture; Data Protection Officer (DPO); Director e-Commerce; Database Administrator; Data Security Administrator; Manager Data Security; Manager Facilities and Equipment; Manager Network and Computing Services; Manager Network Services; Manager Training and Documentation; Manager Voice and Data Communication; Manager Wireless Systems; Identity Management Protection Analyst, Information Security Analyst, Network Security Analyst; System Administrator - Linux, System Administrator - Unix; and System Administrator - Windows

Security Manual Template - Gold Edition

  • Security Manual Template Premium Edition - Electronically Delivered

  • IT Job Descriptions MS Word Format - Updated to meet all mandated security requirements
    • 326 Job Descriptions from the Internet and IT Job Descriptions HandiGuide in MS Word Format including all of the job descriptions in the Premium Edition. Each job description is at least 2 pages long and some of the more senior positions are up to 8 pages in length.
