CIO IT Infrastructure Policy Bundle



License Conditions

This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE enterprise in a single county unless they have a multi-use license. Anyone who makes copies of or uses the template or any derivative of it is in violation of the United States and International copyright laws and subject to fines that are treble damages as determined by the courts. A REWARD of up to 1/3 of those fines will be paid to anyone reporting such a violation upon the successful prosecution of such violators. The purchaser agrees that any derivative of this template will contain the following words within the first five pages of that document. The words are:

2018 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED

All Rights Reserved. No part of this document may be reproduced by any means without the prior written permission of the publisher. No reproduction or derivation of this book shall be re-sold or given away without royalties being paid to the authors. All other publisher's rights under the copyright laws will be strictly enforced.

Published by: Janco Associates Inc., Park City, UT, support@e-janco.com

The publisher cannot in any way guarantee that the procedures and approaches presented in this book are being used for the purposes intended and therefore assumes no responsibility for their proper and correct use. In addition, we are not attorneys and are not providing a legal opinion as to the data that should be retained nor the time periods that the data should be retained. The user should check with their own legal counsel to determine the specific requirements for record retention and destruction.

Printed in the United States of America

Copyright Janco Associates, Inc. ALL RIGHTS RESERVED

CIO IT Infrastructure Policy Bundle - Table of Contents

This document contains the following policies:

- Backup and Backup Retention Policy (revised 02/2018)
- Blog and Personal Web Site Policy (revised 2017)
- BYOD Access and Use Policy (revised 02/2018)
- Google Glass Policy (revised 01/2018)
- Incident Communication Policy (revised 01/2018)
- Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy (revised 01/2018)
- Mobile Device Access and Use Policy (revised 02/2018)
- Outsourcing and Cloud-Based File Sharing Policy (revised 01/2018)
- Patch Management Version Control (revised 2017)
- Physical and Virtual Server Security (revised 2017)
- Record Management, Retention, and Disposition Policy (revised 02/2018)
- Sensitive Information Policy (revised 2018)
- Service Level Agreement Policy including sample metrics (revised 2017)
- Social Networking Policy (revised 02/2018)
- Technology Acquisition Policy (added 2017)
- Telecommuting Policy (revised 02/2018)
- Text Messaging Sensitive and Confidential Information (revised 2017)
- Travel, Laptop, PDA and Off-Site Meeting Policy (revised 02/2018)
- Wearable Devices (revised 02/2018)


Backup and Record Retention Policy - Table of Contents

- Backup and Backup Retention Policy
- Policy
- Applicability
- Backup Versus Archive
- Archiving Implications Sarbanes-Oxley
- SOX Section Record Retention Requirements
- Types of Backups
- Storage Management
- Minimal Backup Policy
- Requirements
- Backup Retention
- Documentation and Backup Media Labeling
- Storage
- Cloud Backup
- Responsibilities
- Testing and Training
- System Specific Backup Policy
- Backup Retention
- Documentation and Backup Media Labeling
- Storage
- Responsibilities
- Testing and Training
- Issues to Manage with SLAs for Backup
- Proposed Service Level Agreement Metrics
- Appendix
- EU Safe Harbor Act Compliance and Data Backup Conflicts
- Backup - Best Practices
- Cloud Backup Best Practices
- Mobile Device Backup - Best Practices
- Electronic Forms
- Outsourcing and Cloud Security Compliance Agreement
- Remote Location Contact Form
- Vendor Contact Information Form
- What's New

Backup and Record Retention Policy - What's New

Version 3.1
Version 3.0
- Updated all the electronic forms
- Update Backup for Mobile Device Data
- Updated to meet mandated compliance, ISO, and EU privacy requirements
- EU Safe Harbor Act Compliance and Data Backup Conflicts
- Add Electronic Forms
  o Outsourcing and Cloud Security Compliance Agreement
  o Remote Location Contact Information
  o Vendor Contact Information

Version 2.3
- Added section on issues to manage with SLAs for backup and restoration processes
- Added proposed metrics for backup and restoration processes SLAs

Version 2.2
- Updated tables and graphics to meet latest compliance requirements
- Updated tables to include specific references to mobile devices

Version 2.1
Version 2.0
Version 1.3
- Added section on best practices for mobile devices
- Added section on Cloud Backup
- Add Appendix Section Cloud Backup Best Practices
- Modified Best Practices Section
- Added Appendix Section Best Practices
- Update Style Sheet

Version 1.2
- Updated stylesheet
- Added section on backup versus archive
- Updated System Specific Backup Policy table

2018 Janco Associates, Inc. -- All Rights Reserved

Version 1.1
- Updated Template to use WORD CSS style sheet
- Expanded section of type of backups
- Storage management


Blog and Personal Web Site Policy - Table of Contents

- Blog and Personal Web Sites Policy
- Policy
- Rights to content
- Option for More Restrictive License Terms
- Attribution
- Guidelines
- Personal Website and Blog Guidelines Non ENTERPRISE domains
- Security Standards
- Best Practice Blog Guideline for Publishers
- Blog Best Practices to Improve the Value of Your Blog
- Issues to Manage with SLAs for Blog and Web Site Security
- Proposed Service Level Agreement Metrics
- Blog Policy Compliance Agreement
- What's New

Blog and Personal Web Site Policy - What's New

Version 2.6
- Updated to meet the latest compliance requirements
- Added best practices blog guideline for Publishers

Version 2.5
- Added section on issues to manage with SLAs for blogs and personal websites
- Added proposed metrics for blogs and personal websites SLAs

Version 2.4
- Added section on Blog Best Practices to Improve the Value of Your Blog
- Updated Electronic Blog Compliance Agreement Form

Version 2.3
- Updated Blog Compliance Agreement Form
- Provided Blog Compliance Agreement Form as an electronic document

Version 2.2
- Updated to CSS style sheet
- Updated to meet compliance guidelines

Version 2.1
- Update policy to reflect recent court ruling on anonymous blog posting

Version 2.0
- Updated to meet Sarbanes-Oxley requirements
- Update Blog and Personal Web Site Compliance Agreement
- Added section on Rights to Content

2017 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED


BYOD Policy - Table of Contents

- Bring Your Own Device (BYOD) Access and Use Policy
- Overview
- Components of the BYOD Strategy and Basics for BYOD Policy
- Policy
- Device Requirements
- Policy Definitions
- Access Control
- Security
- Help & Support
- Enterprise Mobile Device Infrastructure
- BYOD Infrastructure
- Disaster Recovery
- Backups
- Tablet Computer (iPads)
- Internal Network Access
- Repair Procedure
- Upgrade Procedure
- Patching Policy
- BYOD Security Best Practices
- Security Controls
- Remote BYOD Management
- Access Management Controls
- Tablet and Smartphone Applications
- BYOD Metrics and SLA Agreement
- Executive management
- Business unit executives
- IT organization
- Legal Considerations
- Privacy
- Record Retention
- Appendix
- Electronic Forms
- BYOD Access and Use Agreement Form
- Mobile Device Security Access and Use Agreement Form
- Mobile Device Security and Compliance Checklist
- IT Job Descriptions
- BYOD Support Specialist
- BYOD Support Supervisor
- Manager BYOD Support
- What's New

BYOD Policy - What's New

Version 2.0
- Electronic Forms have been updated to meet the latest compliance requirements
- Added additional text for biometric security preferences
- Added 3 job descriptions
  o BYOD Support Specialist
  o BYOD Support Supervisor
  o Manager BYOD Support
- Electronic Forms and Job Descriptions are provided as separate documents

Version 1.6
- Updated BYOD strategy and policy guidelines
- Updated all electronic forms
- Added Mobile Device and Compliance Checklist

Version 1.5
Version 1.4
Version 1.3
Version 1.2
- Added SLA and Balance Scorecard metrics for BYOD
- Updated to include strategy planning definition for BYOD policy
- Updated to include latest compliance requirements
- Updated BYOD best practices
- Updated BYOD Access and Use Agreement Form
- Updated BYOD Access and Use Agreement Form
- Added Electronic Form Mobile Device Security and Compliance Checklist
- Updated the BYOD Access and Use Agreement
- Added Device Access Security
- Added BYOD and Mobile Device Best of Breed Security Checklist
- Updated to meet all current compliance requirements

Version 1.1
Version 1.0
- Added materials on disaster recovery
- Added materials on back-up of company intellectual properties
- Policy Released


Google Glass Policy - Table of Contents

- Google Glass Policy
- Overview
- Policy
- Google Glass Policy Requirements
- Policy Definitions
- Access Control
- Security
- Help & Support
- Enterprise Mobile Device Infrastructure
- Google Glass Infrastructure
- Disaster Recovery
- Backups
- Intellectual Property
- Google Glass Physical Device
- Security
- Supported Problems
- Internal Network Access
- Repair Procedure
- Upgrade Procedure
- Patching Policy
- Google Glass Security Best Practices
- General Security Controls
- Remote Google Glass Management
- Access Management Controls
- Google Glass Applications
- Legal Considerations
- Privacy
- Record Retention
- Record Retention Federal and State Requirements
- Implications Sarbanes-Oxley and Gramm-Leach-Bliley
- Security Requirements
- Appendix
- Electronic Forms
- Google Glass Access and Use Agreement
- Equipment/Expenses
- Confidentiality/Security
- What's New

Google Glass Policy - What's New

Version 1.3
Version 1.2
Version 1.1
Version 1.0
- Google Glass Electronic form updated
- Updated to meet the latest compliance requirements
- Google Glass Electronic form updated
- Added Google Glass best practices
- Google Glass Electronic form updated
- Policy updated to meet the latest compliance requirements
- Policy Released


Incident Communication Plan Policy - Table of Contents

- Incident Communication Plan
- Overview
- Objective
- Policy
- Guidelines
- Request for Information
- Editorial or Letter to Editor Requests
- Requests for Interviews
- Emergency Response
- Unannounced Visit
- Press Releases
- Business Continuity Communication Lifecycle
- Pre-event
- Event Occurrence
- On-going event impact
- Resumption of business operation
- Post-event evaluation
- Best Practices
- News Conference
- Media Relations Best Practices
- Federal Computer Security Incident Handling Requirements
- Appendix
- Job Description Director Media Communications
- Social Networking Checklist
- Creating Twitter Accounts
- Creating LinkedIn account
- Creating and operating a blog
- Incident Communication Contact Form
- What's New

Incident Communication Plan Policy - What's New

Version 1.5
- Updated section on Twitter communication
- Added Best Practices for Press Releases
- Updated all of the other Best Practices

Version 1.4
- Added Federal Computer Security Incident Handling Requirements
- Updated Electronic Forms

Version 1.3
- Added more emphasis to social media and networking
- Updated electronic forms

Version 1.2
- Business Continuity Communication Lifecycle
- Incident Communication Contact Form

Version 1.1
- Updated policy to reflect social networks, automated news feeds and Internet sites
- Added Social Networking Checklist


Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy - Table of Contents

- Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy
- Risks and Costs Associated with Email, Social Networking, Electronic Communication, and Mobile Devices
- Appropriate use of Equipment
- BYOD Security
- Internet Access
- Internet Browsing Best Practices
- Tablets, PDAs, and SmartPhones
- Federal Rules of Civil Procedures
- Enterprise Acceptable Use Overview for Electronic Communications
- Electronic Mail
- Retention of Email on Personal Systems
- Forwarding Outside of ENTERPRISE
- User Best Practices
- Commercial Email Best Practices for Opt-In Email
- Social Networking
- Copyrighted Materials
- Ownership of Information
- Security
- Skype
- Text Messaging
- Forms
- Internet & Electronic Communication - Employee Acknowledgment Form
- Employee Acknowledgement Form
- Internet Use Approval Form
- Internet Access Request Form
- Security Access Application Form
- Social Networking Policy Compliance Agreement
- Telecommuting Work Agreement
- Text Messaging Sensitive Information Agreement
- Reference Section
- Canada's Anti-spam Law (CASL), Bill C-28
- Liability
- Best Practices to Meet Compliance Requirement
- Definitions
- What's New

Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy - What's New

Version 4.6
- Added section on text messaging
- Added section on SKYPE type calls
- Updated to meet the latest compliance requirement

Version 4.5
- Updated to meet the latest mandated and regulatory compliance requirements
- Added Social Networking Policy Compliance Form
- Added Telecommuting Work Agreement Form
- Added Text Messaging Sensitive Information Form

Version 4.4
- Added a section on the Federal Rules of Civil Procedures
- Added a section on BYOD Security
- Updated compliance materials for auditing and e-discovery
- Listed 10 action steps to be followed in the enterprise's acceptable use policy

Version 4.3
- Updated all of the forms
- Added section on Best Practices for Internet browsing

Version 4.2
- Updated Forms
- Added electronic version of forms
- Added reference section Canada's Anti-spam Law (CASL), Bill C-28
- Update styles

Version 4.1
- Added section on policies for tablets, PDAs, and SmartPhones

Version 4.0
- Added Section for commercial Email
- Added Best Practices for Opt-In Email
- Reviewed and revised policy to comply with all current security and privacy legislation

Version 3.3
- Added Social Networking Policy
- Update prior materials to include social networking policy

Version 3.2
- Updated retention and destruction with materials from the Records Retention and Destruction policy
- Expanded policy to include specifics on materials that are mandated to be archived

Version 3.1
- Updated policy to include user best practices
- Updated stylesheet to be CSS and WORD 2007 compliant
- Updated forms

Version 3.0
- Updated policy to cover mobile devices
- Added materials for Smartphones and USB Storage Devices
- Defined risks and costs associated with mobile devices
- Forms Added:
  o Internet & Electronic Communication Employee Acknowledgement Form
  o Employee Acknowledgement Form
  o Internet Use Approval Form
  o Internet Access Request Form
  o Security Access Application Form

Version 2.2
- Added table for Regulations and Industry Impact

Version 2.1
- Forwarding Added


Mobile Access and Use Policy - Table of Contents

- Mobile Access and Use Policy Overview
- Components of the BYOD Strategy and Basics for BYOD Policy
- Policy
- Policy and Appropriate Use
- Mobile Devices
- Policy Definitions
- Access Control
- Federal Trade Commission Mobile Policy Guidelines
- Security
- Help & Support
- Enterprise Mobile Device Infrastructure
- Equipment and Supplies
- Tablet Computer (iPads and Microsoft Surface)
- Mobile Device Security Best Practices
- Top 10 Mobile Device Security Best Practices
- Security controls
- Remote device management
- Access management controls
- Tablet and Smartphone applications
- Appendix
- Electronic Forms
- BYOD Access and Use Agreement Form
- Company Asset Employee Control Log
- Mobile Device Security Access and Use Agreement Form
- Mobile Device Security and Compliance Checklist
- What's New

Mobile Access and Use Policy - What's New

Version 2.1
- Restructured Policy
- Added top 10 Mobile Device Security Best Practices
- Updated all electronic forms

Version 2.0
- Updated all electronic forms
- Updated to meet all mandated, ISO, and EU compliance requirements

Version 1.5
- Updated to meet compliance requirements
- Updated electronic forms
  o Mobile Device Security and Compliance Checklist
  o BYOD Access and Use Agreement

Version 1.4
- Updated to meet latest compliance requirements
- Updated to include references to BYOD and wearable devices
- Added section in Appendix for establishing BYOD policy

Version 1.3
- Added FTC Mobile Device Policy Guidelines
- Updated security procedure to meet mandated compliance requirements

Version 1.2
- Added Mobile Device Security Best Practices
- Updated the electronic forms and corrected minor errata

Version 1.1
- Added section on iPad and tablet computers
- Added electronic forms
  o Mobile Device Use and Agreement
  o Company Asset Employee Control Log

Version 1.0
- Policy released

Outsourcing and Cloud-Based File Sharing Policy, Version 3.3

Outsourcing and Cloud-Based File Sharing Policy - Table of Contents

- Outsourcing and Cloud-Based File Sharing Policy
- Outsourcing Cloud-Based File Sharing Management Standard
- Overview
- Standard
- Service Level Agreements (SLA)
- Responsibility
- Security, Disaster Recovery, Business Continuity, Records Retention and Compliance
- Outsourcing Policy
- Policy Statement
- Goal
- Approval Standard
- Overview
- Standard
- Base Case
- Cloud-Based File Sharing
- Risk Assessment
- Categorization
- Planning
- Retained Costs
- Unit Cost
- Selecting an Outsourcer
- Contract and Confidentiality Agreements
- Contract Negotiation
- Responsibilities
- Appendix
- Outsourcing and Cloud Security Compliance Agreement
- Outsourcing Security Compliance Agreement
- Audit Program Guide
- Background
- ISO requirements
- Planning the Audit
- Audit Scope
- Audit Objectives
- Audit Wrap Up
- Top 10 Cloud and Outsourcing SLA Best Practices
- Job Description - Manager Outsourcing
- Job Description - Manager Vendor Management
- What's New

Outsourcing and Cloud-Based File Sharing Policy

Outsourcing Cloud-Based File Sharing Management Standard

Overview

Outsourcing and cloud-based file sharing do not remove the enterprise's requirement to manage the process or the data. Even a comprehensive outsourcing and cloud-based file sharing arrangement requires Service Level Agreement (SLA) monitoring and redefinition, as well as strategic management and other retained functions.

Standard

Service Level Agreements (SLA)

The SLA is the central instrument for managing an outsourced function. The Information Technology Contract Management Group (ITCMG) will track SLA fulfillment and enforce the contract terms if an SLA is not met. ITCMG must also take an active role in defining and redefining SLAs in order to take into account changes in the operating environment. [1]

Responsibility

The efficient assignment of End-User complaints to the appropriate entity is critical to maintaining high service levels. IT will ensure that the Help Desk staff is trained to identify whether a problem lies with IT or with a particular vendor. In a multi-vendor environment, this task becomes even more critical if one is to avoid constant reassignment of the problem. In the case of file sharing, the Help Desk staff should be able to manage and diagnose issues associated with this technology. At the same time, they should be versed in reviewing the logs and diagnostics of the vendors who provide the service.

[1] The web site has a tool kit and sample metrics that can be used for this.

Outsourcing and Cloud-Based File Sharing Policy - What's New

Version 3.3
- Add job descriptions for Manager Outsourcing and Manager Vendor Management
- Updated to meet the latest security and compliance

Version 3.2
- Updated electronic forms
- Added Outsourcing Security Compliance Agreement
- Updated to meet latest compliance requirements
- Added Top 10 Cloud and Outsourcing SLA Best Practices

Version 3.1
- Added cloud-based file sharing to the outsourcing policy
- Updated to meet latest compliance requirements
- Added references to Cloud-based file-sharing services

Version 3.0
- Added electronic form for Outsourcing Security Policy Compliance
- Updated to meet all mandated compliance requirements

Version 2.2
- Updated policy to comply with ISO Security Requirements
- Security Audit Program updated

Version 2.1
- Updated to Office 2007 CSS Style Sheet

Version 2.0
- Converted to Janco standard policy format
- Added Outsourcing Secure Information Policy Agreement Form
- Audit Program Added
- Office 2007 version Added


Patch Management Version Control Policy - Table of Contents

- Patch Management Version Control Policy
- The Patch Management Version Control Process
- Policy
- Vendor Updates
- Concepts
- Responsibility
- Organizational Roles
- Monitoring
- Review and evaluation
- Risk assessment and testing
- Notification and scheduling
- Implementation
- Emergency patches
- Critical Patches
- Auditing, assessment, and verification
- User responsibilities and practices
- Best Practices
- Security Patch Management Best Practices
- Appendix
- Change and Patch Management Control Log
- Job Descriptions
- Manager Change Control (under separate cover)
- Change Control Supervisor (under separate cover)
- Change Control Analyst (under separate cover)
- What's New

Patch Management Version Control Policy - What's New

Version 2.2
- Added ten (10) best practices for security compliance and patch management
- Added 3 job descriptions
  o Manager Change Control
  o Change Control Supervisor
  o Change Control Analyst
- Updated to meet the latest compliance requirements
- Updated Patch Management Electronic Form

Version 2.1
- Update to meet ISO compliance standards
- Updated electronic form

Version 2.0
- Updated version control process within the policy

Version 1.1
- Added Organizational Responsibility Matrix including BYOD
- Added Electronic Form Change and Patch Management Log (Excel .xlsx format)

Version 1.0
- Policy Released

Physical and Virtual File Server Security Policy

Physical and Virtual Server Security Policy: servers which are private and public, including cloud-based applications and data

Janco Associates, Inc.
Copyright 2017 Janco Associates, Inc. ALL RIGHTS RESERVED

Physical and Virtual File Server Security Policy - Table of Contents

- Physical and Virtual File Server Security Policy
- Policy Purpose
- Policy Statement
- Applicability
- Terms and Definitions
- Server Requirements
- Critical Server Requirements
- General Server Requirements
- Public Server Requirements
- Server Configuration Guidelines
- Forms
- Server Registration


Record Management, Retention, and Disposition Policy - Table of Contents

- Record Management, Retention and Disposition Policy Statement
- Overview
- Scope
- Regulatory Overview
- Record Retention Federal and State Requirements
- Record Retention Implications Sarbanes-Oxley Sections 302, 404, and
- SOX - Section
- SOX - Section
- SOX Section
- SOX Sections 103a and 801a
- SOX Section Record Retention Requirements and Time Periods
- Primary list of Records to Be Retained
- What ENTERPRISE Should Do
- Record Management, Retention and Disposition Standard
- Purpose
- Scope
- Responsibilities
- Record Management
- Record Creation
- Data Security Classification
- Record Retention Designation
- Vital Records
- Record Use
- Record Disposition
- Non-Archival Records
- Archival Records
- Record Destruction
- Compliance and Enforcement
- Legal Definitions
- Retention Compliance Policy
- Unclassified
- Temporary
- to Be Deleted
- to be maintained
- to be printed
- Regulations and Industry Impact
- Keys to Archiving Compliance
- Implementation Interview Checklist
- Interviewee Questions
- Records Accessed
- Records Created
- Record Management, Retention, and Disposition Annual Review Process
- Understand all the requirements for every type of record your organization has
- Develop and maintain clear and well-documented Record Management policies

- Get management concurrence on those policies
- Annually review your Record Management practices
- Review systems, technologies, and facilities, as well as your practices
- Document the results
- Record Management Best Practices
- Engage key managers and record stakeholders
- Define scope, needs, and Objectives
- Implement metrics and monitor processes
- Define meaningful retention periods
- Define search and retrieval core requirements
- Automate the record retention and destruction processes
- Start the process with current records; add old records over time
- Train staff
- Review and update the policy at least annually
- Appendix
- Job Descriptions
- Job Description Manager Record Administrator
- Job Description - Record Management Coordinator
- Electronic Forms
- Personnel Records (sections of this form have been pre-completed for areas that are mandated by US federal laws and are consistent across all industries)
- Administrative Records
- Facility Records
- Financial Records
- Sales Records
- Computer and Information Security Records
- Computer Operations and Technical Support
- Data Administration
- General Systems and Application Development
- Network and Communication Services
- User and Office Automation Support
- Safety Records
- Document Retention Time Periods
- Federal Law Record Retention
- Federal Acquisition Regulation Retention Periods
- Job Advertisements and Postings
- Resumes and Applications
- Employment Action Records
- Wage and Hour Records
- Tax Records
- Retirement and Pension Records
- Leave Records
- I-9 Forms
- Job-Related Illness and Injury Records
- Federal Legal Citations
- Pennsylvania Record Retention
- Guidelines for Retention of Records
- Massachusetts Record Retention

- The doctrine of spoliation
- When does the duty to preserve evidence arise?
- How does a party establish that spoliation has occurred?
- What are the consequences?
- Application to electronically stored information
- I-9 Retention
- Retaining Form I-9
- Paper Retention of Forms I-9
- Retention of Forms I-9 Using Microfilm and Microfiche
- Electronic Forms I-9
- Retaining Copies of Form I-9 Documentation
- Retaining Electronic Signature of Forms I-9
- System Documentation
- Security
- Remote Hires
- Guidelines for Using Third Party Service Providers
- Inspection
- Version History

Record Management, Retention, and Disposition Policy - Version History

Version 2.3
- Restructured the policy to meet best practices standard
- Updated all electronic forms
- Updated all job descriptions
- Updated to meet latest compliance mandates

Version 2.2
- Updated all of the electronic forms to meet the latest mandated, ISO, and EU requirements
- Reviewed record retention requirements - made adjustments as necessary
- Updated Job Descriptions

Version 2.1
- Added job description - Record Management Coordinator
- Added legal definitions
- Updated to meet latest compliance requirements

Version 2.0
- Restructured the entire procedure
- Added interviewee checklist for implementation of record management, retention and disposition policy
- Add annual review process of record management, retention and disposition policy
- Updated compliance requirements
- Updated all electronic forms

Version 1.7
- Updated Employer Record Retention Federal Requirements
- Updated for the Affordable Care Act
- Added Electronic Forms for Record Retention and Disposition Schedule
  o Personnel Records
  o Administrative Records
  o Facility Records
  o Financial Records
  o Sales Records
  o Computer and Information Security Records
  o Computer Operations and Technical Support
  o Data Administration
  o General Systems and Application Development
  o Network and Communication Services
  o User and Office Automation Support
  o Safety Records

Version 1.6
- Updated for latest I-9 record retention requirements
- Updated citations to include Lilly Ledbetter Fair Pay Act

Version 1.5
- Updated Citations for Federal Laws

Version 1.4
- Added Citations for Federal Laws

Version 1.3
- Updated Regulations and Impact Section
- Added citations for Pennsylvania in Appendix
- Added citations for Massachusetts in Appendix

Version 1.2
- Updated Job Description Manager Record Administration
- Added Record Management Best Practices
- Updated Regulations and Impact Section

Version 1.1
- Expanded Retention and Destruction Section
- Added Document Retention and Destruction Table in Appendix

Version 1.0
- Policy Released


Sensitive Information Policy - Credit Card, Social Security, Employee, and Customer Data - Table of Contents

- Sensitive Information Policy - Credit Card, Social Security, Employee, and Customer Data
- Overview
- Policy
- PCI
- HIPAA
- General Data Protection Regulation (GDPR)
- Gramm-Leach-Bliley (Financial Services Modernization Act)
- California SB 1386 Personal Information Privacy
- Massachusetts 201 CMR Data Protection Requirements
- User/Customer Sensitive Information and Privacy Bill of Rights
- Secure Network Standards
- Payment Card Industry Data Security Standard (PCI DSS)
- Install and Maintain a Network Configuration Which Protects Data
- Wireless & VPN
- Modify Vendor Defaults
- Protect Sensitive Data
- Protect Encryption Keys, User IDs, and Passwords
- Protect Development and Maintenance of Secure Systems and Applications
- Manage User IDs to Meet Security Requirements
- Restrict Physical Access to Secure Data Paper and Electronic Files
- Regularly Monitor and Test Networks
- Test Security Systems and Processes
- Retention Compliance Policy
- to be printed
- Regulations and Industry Impact
- Keys to Archiving Compliance
- Privacy Guidelines
- Best Practices
- Best Practices for Text Messaging of Sensitive Information
- US government classification system Executive Order
- Appendix
- Sensitive Information Policy Compliance Agreement
- HIPAA Audit Program Guide
- What's New

Sensitive Information Policy - Credit Card, Social Security, Employee, and Customer Data - What's New

Version 3.5
- Added General Data Protection Regulation (GDPR) requirements definition
- Updated electronic forms

Version 3.4
- Updated to reflect latest compliance requirements
- Updated to reflect lessons learned from recent business disruption events and known security breaches
- Included US government security classification system definition
- Added epub (ereader) format to the standard offering

Version 3.3
- Updated electronic forms
- Added section on best practices for sensitive information text messaging

Version 3.2
- Added user/customer sensitive information and privacy Bill of Rights

Version 3.1
- Added an overview section to the policy including a definition of what sensitive information is
- Updated electronic form
- Updated to meet latest mandated requirements

Version 3.0
- Added privacy guidelines section
- Added MS WORD electronic version of the Sensitive Information Policy Compliance Agreement
- Updated to comply with new mandated requirements
- Enhanced .docx and .pdf format support

Version 2.4
- Updated to comply with Gramm-Leach-Bliley
- Updated to comply with Massachusetts and California requirements

Version 2.3
- Updated General Policy Statement to Include references to PCI and HIPAA Requirements

Version 2.2
  Updated to CSS Stylesheet
  Modified to comply with Record Management, Retention, and Destruction Policy
  Updated record retention compliance requirements
Version 2.1
  Payment Card Industry Data Security Standard (PCI DSS) added
  Best Practices added
  Wireless and VPN added
  Added as a separate document: PCI DSS Audit Program (extracted from PCI standards documentation with modifications)
Version 2.0
  HIPAA Audit Program added
  Office 2007 version added


Service Level Agreement Policy

Table of Contents

Service Level Agreement ... 3
  Definition of What a Service Level Agreement is ... 3
  Sample Service Level Agreement ... 4
  Assumptions ... 4
  Service Stakeholders ... 5
  Service Scope ... 5
  IT Provider Responsibility ... 6
  Prioritization ... 6
  Typical Service Level Agreements ... 7
  Internal IT SLAs ... 7
  External SLA ... 9
Director IT Management and Control - Job Description
  Position Purpose
  Problems and Challenges
  Essential Position Functions
  Authority
  Contacts
  Position Requirements
  Career Ladder
Sample Metrics
  System Management Sample Metrics Report
What's New

Social Networking Policy - Managing and Controlling Employee Social Networks, Version 2.1

Social Network Policy - Managing and Controlling Employees' Social Network Access

Table of Contents

Social Network Policy ... 3
  Definitions ... 3
  Overview ... 3
Policy ... 4
  Overview ... 4
  Statement ... 5
  Rights to content ... 7
  Confidential Information ... 7
  Private versus Public Information ... 8
  Option for More Restrictive License Terms ... 9
  Attribution ... 9
Guidelines
Security Standards
  BYOD Security
  Protect Sensitive Data
  Disaster Recovery and Business Continuity
Best Practices in Managing Social Networks and Social Relationships
Steps to Prevent Being Scammed by Social Media
Appendix
  Job Descriptions
    Job Description - Social Media Specialist
  Electronic Forms
    Internet and Electronic Communication Agreement
    Social Network Policy Compliance Agreement
  Protection from Phishing and Whaling Attacks
  Social Networking Best Practices
    Twitter
    LinkedIn
    Blog
What's New

What's New

Version 2.1
  Added Internet and Electronic Communication Agreement electronic form
  Updated Social Networking Policy Compliance Agreement electronic form
  Updated Social Media Specialist job description
  Updated policy to meet EU compliance requirement
Version 2.0
  Updated Social Networking Compliance Agreement Form
  Added Social Networking Best Practices
  Updated to include latest security compliance requirements
Version 1.6
  Updated electronic form - Social Networking Compliance Agreement Form - added pdf fillable form
  Added job description for Social Media Specialist
Version 1.5
  Updated to meet the latest compliance requirements
  Added best practices for social networking
  Added tips on how to avoid being scammed in social networks
Version 1.4
  Added BYOD security standard
  Added section on what to include for Disaster Recovery and Business Continuity
  Updated electronic forms

Version 1.3
  Updated to comply with the Office of the General Counsel of the Division of Operations Management
Version 1.2
  Updated to include electronic form - Social Networking Policy Compliance Agreement
Version 1.1
  Added section on protection from phishing and whaling attacks

Technology Acquisition Policy

Any technology that accesses, adds, alters, or deletes any enterprise data is covered by this policy.

Janco Associates Inc

Technology Acquisition Policy

Table of Contents

Technology Acquisition Policy ... 3
  Policy Purpose ... 3
  Policy Statement ... 3
  Applicability ... 3
  Requirements ... 3
Roles ... 4
  IT's Role ... 4
  For Purchases within IT ... 4
  Standard Items ... 5
  Non-Standard Items ... 5
  Capital Expenditures ... 5
  Reimbursable Expenses ... 5
Vendor Evaluation ... 6
  Preferred Vendors ... 6
Purchase Approval ... 7
  Emergency Purchasing ... 8
Confidentiality ... 8
Conflict of Interest ... 8
Non-Compliance ... 8
Appendix ... 9
  Security and Compliance Requirements ... 9

Telecommuting Policy - Version 2.1

Telecommuting Policy

Table of Contents

Telecommuting Policy ... 2
  Overview ... 2
  Telecommuting resource misuse can have serious implications for an enterprise ... 2
  Policy ... 4
  Policy Definitions ... 4
  ENTERPRISE Responsibilities ... 5
  ENTERPRISE Policy Requirements ... 5
  Termination of Agreement ... 5
  Terms and Conditions ... 5
  Compensation and Benefits ... 5
  Hours of Work ... 5
  Attendance at Meetings ... 6
  Sick Leave and Time Off ... 6
  Workers Compensation and Safety Program Liability ... 6
  Equipment and Supplies ... 6
  Record Management Process and BCP ... 7
  BYOD Security ... 7
  Telecommuting costs ... 8
  Work Agreements ... 8
  BYOD, Tablets, PDAs, and SmartPhones
Appendix
  Employer Legal Workplace Responsibilities
  Position Requirements for Qualification for Telecommuting
    Determining positions that are appropriate for telecommuting
    Employee qualities that are appropriate for telecommuting
  Electronic Forms
    Enterprise Owned Equipment
    Internet and Electronic Communication Agreement
    Mobile Device Access and Use Agreement
    Mobile Device Security and Compliance Checklist
    Safety Checklist - Work at Alternative Location
    Security Access Application - Mobile
    Telecommuting IT Checklist
    Telecommuting Work Agreement
What's New

What's New

Version 2.1
  Added two electronic forms: Internet and Electronic Communication Agreement; Security Access Application - Mobile
  Updated all of the electronic forms
Version 2.0
  Updated all electronic forms to meet the latest compliance requirements
  Updated Telecommuting overview with productivity inhibitors
  Updated to meet the latest compliance requirements
  Included references to the DRP/BCP processes to meet compliance requirements
Version 1.4
  Telecommuting risks faced by business identified
  Updated to meet compliance requirements
  Updated all electronic forms
  Added Mobile Device Access and Use Agreement Form
  Added Mobile Device Security and Compliance Checklist Form
Version 1.3
  Updated electronic forms
  Added BYOD security
  Added specific references to BYOD
Version 1.2
  Added section on legal responsibilities of the employer in a workplace that apply to telecommuting worksites
  Added electronic forms: Telecommuting Work Agreement; Enterprise Owned Equipment Inventory; Safety Checklist - Telecommuting Worksite
Version 1.1
  Updated policy to include tablet, PDA, and SmartPhone requirement


Text Messaging Sensitive and Confidential Information Policy

Table of Contents

Text Messaging of Sensitive and Confidential Information Policy ... 2
  Policy ... 2
  Text Messaging Best Practices ... 3
  Policy Specific Requirements ... 4
  Secure Text Message Requirements ... 6
    Authentication methods ... 6
    Password management ... 6
    Administrator rights ... 7
    Login monitoring and auditing ... 7
    Automatic logoff ... 7
    Access control ... 7
    Account Management ... 8
    Protection of data on the mobile device ... 8
    Backup processes ... 8
    Secure photo and screen capture sharing ... 9
    Notifications & read receipts ... 9
    Remote wipe for lost or stolen devices ... 9
    Tracking & Monitoring
  Text Message Marketing Best Practices
Appendix
  Form - Text Messaging Sensitive Information Agreement
    Text Messaging Sensitive Information Agreement
    Confidentiality/Security
    Equipment/Expenses
What's New

What's New

Version 1.2
  Added section on text message marketing
  Added best practices for text message marketing
  Updated electronic form
  Updated to meet the latest compliance requirement
Version 1.1
  Added section on best practices for text messaging
  Updated to meet compliance requirements
  Updated electronic form
Version 1.0
  Policy Released

Travel Policy - Travel, Laptop, PDA, Electronic and Off-Site Meetings, Version 3.1

Travel Policy - Travel, Laptop, PDA, Electronic and Off-Site Meetings

Table of Contents

Travel, Laptop, PDA, and Off-Site Meetings ... 2
  Laptop and PDA Security ... 2
  BYOD Security ... 2
  Service Provider Selection ... 3
  Wi-Fi & VPN ... 3
  Data and Application Security ... 4
  Minimize Attention ... 4
  Public Shared Resources - Wireless and Shared Computers ... 5
  Off-Site Meeting Special Considerations ... 6
  International Travel Best Practices ... 7
  Remote Computing Best Practices ... 8
  Electronic Meetings
    Best Practices for Electronic Meetings
Appendix
  Electronic Forms
    Mobile Device Access and Use Agreement
    Mobile Device Security and Compliance Checklist
Revision History

Revision History

Version 3.1
  Updated International travel best practices
  Updated electronic forms
  Updated graphics and statistics
  Corrected minor errata
Version 3.0
  Updated to meet the latest mandated compliance, ISO, and EU requirements
  Updated Best Practices for Electronic Meetings
  Updated Remote Computing Best Practices
  Added electronic forms
Version 2.7
  Added best practices for international travel
Version 2.6
  Added section for electronic meetings
  Defined 10 best practices for electronic meetings
  Added section for service provider selection
Version 2.5
  Added section on BYOD security
Version 2.4
  Updated best practices
  Validated compliance with mandated security standards
  Corrected errata
Version 2.3
  Added section on wireless communications

Version 2.2
  Converted to standard CSS Style Sheet
  Updated to meet PCI-DSS requirements
  Added section on best practices for remote computing
Version 2.1
  Laptop and PDA Security added
  Wi-Fi and VPN added

Wearable Device Policy - Version 2.1

Wearable Device Policy

Table of Contents

Wearable Device Policy ... 3
  Overview ... 3
  Policy ... 3
Wearable Device Policy Requirements ... 4
  Policy Definitions ... 4
  Access Control ... 5
  Security ... 6
  Help & Support ... 7
Creating a Wear Your Own Device Strategy (WYOD) ... 7
  Enterprise Mobile Device Infrastructure ... 8
  Wearable Device Infrastructure ... 8
  Disaster Recovery ... 8
  Backups ... 9
  Intellectual Property ... 9
Wearable Device Physical Device ... 9
  Security ... 9
  Supported Problems ... 9
  Internal Network Access ... 9
  Repair Procedure
  Upgrade Procedure
  Patching Policy
Wearable Devices Security Best Practices
  Security Controls
  Remote Wearable Devices Management
  Access Management Controls
  Wearable Device Applications
Legal Considerations
  Privacy
  Record Retention
    Record Retention - Federal and State Requirements
    Implications - Sarbanes-Oxley and Gramm-Leach-Bliley
  Security Requirements
WYOD Management Security Options
Appendix
  Top 10 WYOD Best Practices
  Electronic Forms
    Wearable Device Access and Use Agreement
What's New

What's New

Version 2.1
Version 2.0
Version 1.1
Version 1.0
  Added WYOD Management Security Options
  Updated electronic form
  Updated electronic forms to comply with mandated requirements, ISO, and EU
  Updated WYOD strategy creation process
  Added 10 best practices for WYOD
  Added a process to create a Wear Your Own Device (WYOD) strategy
  Updated to meet compliance requirements
  Policy Released


More information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.

More information

Data Security: Public Contracts and the Cloud

Data Security: Public Contracts and the Cloud Data Security: Public Contracts and the Cloud July 27, 2012 ABA Public Contract Law Section, State and Local Division Ieuan Mahony Holland & Knight ieuan.mahony@hklaw.com Roadmap Why is security a concern?

More information

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets

More information

Table of Contents. Blog and Personal Web Site Policy

Table of Contents. Blog and Personal Web Site Policy Table of Contents Blog and Personal Web Sites Policy... 2 Policy... 2 Rights to content... 3 Option for More Restrictive License Terms... 3 Attribution... 4 Guidelines... 4 Personal Website and Blog Guidelines

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information

Just-Property Ltd GDPR Client Data Register

Just-Property Ltd GDPR Client Data Register GDPR Client Data Register Company Name Contact Justin Coughlan Role Managing Director Email jcoughlan@just-property.ie Contact number 01 631 52 51 1. Point of Contact with responsibility for Data Protection

More information

Administration and Data Retention. Best Practices for Systems Management

Administration and Data Retention. Best Practices for Systems Management Administration and Data Retention Best Practices for Systems Management Agenda Understanding the Context for IT Management Concepts for Managing Key IT Objectives Aptify and IT Management Best Practices

More information

WORKSHARE SECURITY OVERVIEW

WORKSHARE SECURITY OVERVIEW WORKSHARE SECURITY OVERVIEW April 2016 COMPANY INFORMATION Workshare Security Overview Workshare Ltd. (UK) 20 Fashion Street London E1 6PX UK Workshare Website: www.workshare.com Workshare Inc. (USA) 625

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

PRIVACY POLICY TABLE OF CONTENTS. Last updated October 05, 2018

PRIVACY POLICY TABLE OF CONTENTS. Last updated October 05, 2018 PRIVACY POLICY Last updated October 05, 2018 Thank you for choosing to be part of Vistalytics Inc., ( Company, we, us, or our ). We are committed to protecting your personal information and your right

More information

Version 1/2018. GDPR Processor Security Controls

Version 1/2018. GDPR Processor Security Controls Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in

More information

IBM Security Intelligence on Cloud

IBM Security Intelligence on Cloud Service Description IBM Security Intelligence on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means and includes the company, its authorized users or recipients

More information

Top Five Privacy and Data Security Issues for Nonprofit Organizations

Top Five Privacy and Data Security Issues for Nonprofit Organizations Top Five Privacy and Data Security Issues for Nonprofit Organizations Julia K. Tama, Esq. Jeffrey S. Tenenbaum, Esq. Association of Corporate Counsel Nonprofit Organizations Committee Legal Quick Hit MAY

More information

Updated December 12, Chapter 10 Service Description IBM Cloud for Government

Updated December 12, Chapter 10 Service Description IBM Cloud for Government Updated December 12, 2018 Chapter 10 Service Description IBM Cloud for Government IBM Cloud for Government This Service Description describes IBM s Cloud for Government available to Clients under the Federal

More information

HIPAA Compliance Checklist

HIPAA Compliance Checklist HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.

More information

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10 GDPR AMC SAAS AND HOSTED MODULES UK version AMC Consult A/S June 26, 2018 Version 1.10 INDEX 1 Signatures...3 2 General...4 3 Definitions...5 4 Scoping...6 4.1 In scope...6 5 Responsibilities of the data

More information

I. PURPOSE III. PROCEDURE

I. PURPOSE III. PROCEDURE A.R. Number: 2.11 Effective Date: 2/1/2009 Page: 1 of 5 I. PURPOSE This policy outlines the procedures that third party organizations must follow when connecting to the City of Richmond (COR) networks

More information

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Policies & Regulations

Policies & Regulations Policies & Regulations Email Policy Number Effective Revised Review Responsible Division/Department: Administration and Finance / Office of the CIO/ Information Technology Services (ITS) New Policy Major

More information

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program

More information

Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement

Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement Law Seminars International December 9, 2014 Peter J. Kinsella 303/291-2328 The information provided in this presentation

More information

Regulation P & GLBA Training

Regulation P & GLBA Training Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed

More information

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016 Cybersecurity Conference Presentation North Bay Business Journal September 27, 2016 1 PRESENTER Francis Tam, CPA, CISM, CISA, CITP, CRISC, PCI QSA Partner Information Security and Infrastructure Practice

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

Cell and PDAs Policy

Cell and PDAs Policy Cell and PDAs Policy CHAPTER: 13 Information Services Department SECTION: 13 SUBJECT: Cell Phones and PDAs POLICY #: 13.13.00 Revised OFFICE/DEPARTMENT: Information Services EFFECTIVE DATE: October 1,

More information

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: Can serve as annual HIPAA training for physician practice

More information

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Recommendations for Implementing an Information Security Framework for Life Science Organizations Recommendations for Implementing an Information Security Framework for Life Science Organizations Introduction Doug Shaw CISA, CRISC Director of CSV & IT Compliance Azzur Consulting Agenda Why is information

More information

COUNTY OF EL DORADO, CALIFORNIA BOARD OF SUPERVISORS POLICY

COUNTY OF EL DORADO, CALIFORNIA BOARD OF SUPERVISORS POLICY PURPOSE: Page 1 of 8 This policy is intended to provide uniform and consistent standards for the application of cellular telephones, including devices often referred to as Smartphones (PDA s), to County

More information

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice

More information

Lakeshore Technical College Official Policy

Lakeshore Technical College Official Policy Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director

More information

Department of Public Health O F S A N F R A N C I S C O

Department of Public Health O F S A N F R A N C I S C O PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:

More information

Information technology Security techniques Information security controls for the energy utility industry

Information technology Security techniques Information security controls for the energy utility industry INTERNATIONAL STANDARD ISO/IEC 27019 First edition 2017-10 Information technology Security techniques Information security controls for the energy utility industry Technologies de l'information Techniques

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product. Isaca EXAM - CISM Certified Information Security Manager Buy Full Product http://www.examskey.com/cism.html Examskey Isaca CISM exam demo product is here for you to test the quality of the product. This

More information

Data Processing Agreement

Data Processing Agreement In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal

More information