Top 10 Security Management rules are defined in Janco’s Security Manual Template.
Top 10 Reputation Management Rules are defined in detail in Janco’s Security Manual Template.
Without constant vigilance, your company is vulnerable to attack. The first step is to assess your current security posture; the second is to make a plan that raises it with proper best practices and technologies.
Top ten commandments of security management for CSOs, CIOs, and IT Managers
Limit access to information to those who need to have it. People can’t misuse information that they don’t have.
Conduct frequent and deep security audits. Identify who has access to what – and how their actions could weaken the protection of valuable data/information.
Set limits on information access rather than blanket exclusions. Excluding information from everyone simply locks it away; limits grant authorizations so that specific people can do specific things under specific circumstances.
Limit administrative rights to as few individuals as possible. Very few individuals need them to do their jobs.
Ignore organizational hierarchy when setting access capabilities. Access and authorization should be based upon responsibilities, not position.
Make Security Invisible. Minimize extra commands, screens, pop-ups for employees; if an action is allowed, just let it happen.
Analyze security logs and look for back doors. Compliance logs reveal threat patterns and show where security steps are hurting productivity.
Monitor information access and updates. User-initiated application information updates can invite vulnerabilities.
Educate everyone on security policies and procedures. The more people know about the rules, the better.
Make security best practices the watchword for everyone. IT and the general workforce must address the constantly changing nature of security breaches.
Security Manual Template
Security Policies and Procedures Manual for the Internet and Information Technology is over 230 pages in length. All versions of the Security Manual Template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address GDPR, CaCPA, ISO, Sarbanes-Oxley and CobiT compliance).
GDPR Compliance is at risk with 3rd Party providers
GDPR Compliance Management is more complex with the increased use of 3rd Party providers
Security and GDPR Compliance risks from third parties are on the rise. A security compliance study found that 56 percent of companies admitted to a security incident caused by a third party.
With GDPR now in place, security of third-party vendors and consultants is more important than ever. Their security failure will impact your company and could result in a breach of your data.
So how do you approach third-party security in a GDPR world? The first step is to know who your vendors are, along with any other outsiders with access to your network. Tier them by the level and volume of data they can access; that tiering determines which vendors are the most critical. Companies need to know who has any access to their data and get an accurate understanding of exactly what information they can access, why, and how often. With this information in hand, you can then develop an accurate response plan.
GDPR compliance plans should also take into consideration all of your third-party vendors. Thus, when establishing a dedicated Data Privacy Officer (DPO), that person will help the company meet GDPR requirements and should keep tabs on third-party practices and data systems as they affect your business. Lunetta added:
To support the DPO with additional expertise on making decisions such as, “We need X solution to address Y compliance/security requirement,” it’s imperative for IT security teams to conduct regular self-assessments for uncovering gaps and determining options for remediating them.
Some tips for ensuring that your third parties are staying in GDPR compliance:
Address cybersecurity governance because while it’s one thing to invest in security solutions that help address personal data protection, it’s another to use them in a manner that is also GDPR-compliant.
Access Policy Governance – Having robust access controls isn’t good enough to comply with GDPR. Instead, you also need a set of policies that can be defined, implemented and enforced around how your enterprise controls access to personal data.
Pay attention to privileged users. Users such as systems administrators can circumvent the standard controls inside an application or a database. Identify those users, establish governance controls, and implement enforcement mechanisms through technology solutions such as network access control.
Compliance Management is one of the top concerns of CIOs and other C-level executives.
Compliance Management Kit was just released. All of the components of the kit were just updated to meet the privacy and security mandates due to GDPR for the EU and CaCPA for the state of California.
The kit comes in 3 versions: Silver, Gold, and Platinum. Each can be acquired with either 1 year or 2 years of update service. Janco feels mandates will continue to be added due to this high volume of cyber-attacks and privacy issues that are of concern to individuals and corporations.
First, the Silver version of the kit comes with the Compliance Management White Paper, a self-scoring Security Audit, a PCI Audit Program, and 31 key Job Descriptions including Chief Security Officer (CSO). Second, the Gold version of the kit comes with all of that plus two full policies: the Record Classification and Management Policy and a Privacy Compliance Policy with a detailed implementation work plan. The detailed work plan can be used right out of the box to ensure that privacy and security are implemented fully within the enterprise. And third, the Platinum version of the kit comes with everything in the first two, plus Janco’s Security Manual Template.
CIO Infrastructure Policy Bundle Update 2019-02 now available
CIO IT Infrastructure Policy Bundle contains 20 full policies that are easily modified to meet an enterprise’s unique operating environment.
CIO Infrastructure Policy Bundle has just been updated. It includes both the updated Record Classification, Management, Retention and Disposition Policy and the BYOD Access and Use Policy. This is all part of the annual review process Janco goes through for its entire product line of CIO and IT Management tools to validate that they meet all of the compliance, security and privacy mandates.
The policies are all part of the overall IT Governance Model. That model addresses the issues associated with the overall processes of design, development, implementation, and ongoing operation of technology in the ever-changing Internet-based operational environment.
Currently, data classification is an area that CIOs need to address in light of GDPR and CaCPA.
Each of the polices in the CIO IT Infrastructure Policy Bundle can be acquired separately. See Policy offerings.
Blog and Personal Website Policy (revised 01/2019)
BYOD Access and Use Policy (revised 03/2019)
Mobile Device Access and Use Policy (revised 01/2019)
Physical and Virtual Server Security (revised 01/2019)
Record Classification, Management, Retention, and Disposition Policy (revised 03/2019)
Sensitive Information Policy (revised 01/2019)
Travel, Laptop, PDA and Off-Site Meeting Policy (revised 01/2019)
Updated in 2018 – Scheduled to be updated within the next three (3) months:
Backup and Backup Retention Policy
Google Glass Policy
Incident Communication Policy
Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy
Outsourcing and Cloud-Based File Sharing Policy
Patch Management Version Control
Privacy Compliance Policy
Service Level Agreement Policy including sample metrics
Social Networking Policy
Technology Acquisition Policy
Text Messaging Sensitive and Confidential Information
Record Classification, Management, Retention, and Disposition Policy Updated
Record Classification was just added to the Data Management Policy. The purpose of the addition is to reduce the sensitive data footprint to meet the most recent rigorous compliance standards.
Record Classification, Management, Retention, and Disposition Policy can be acquired separately or with the CIO IT Infrastructure Policy Bundle.
Most other data classification tools don’t go the extra mile. Their technology only looks for specific terms in your documents; it doesn’t provide the intelligence you need to secure the personal information of your customers or employees. Janco’s Record Classification, Management, Retention and Disposition Policy provides visibility into where sensitive files are, what content is inside, who can access the files and who actually uses them.
Included with the policy is a crisp definition of data classification.
The foundation of any good record management program is developing a consistent records classification system across the organization.
While there are many record classification systems, one recommended best practice is a three-tier classification based on business function, record class, and record type.
The first step toward developing a records classification system is taking an inventory or a comprehensive and accurate listing of locations and contents of all records within the organization.
The second step is grouping the records in the inventory according to business functions, record class, and record type:
Common business functions include operations, finance, legal, marketing, human resources, and others.
The top-level business functions are broken down into record classes. For instance, two record classes of record-function accounting are accounts payable and accounts receivable.
Record types are a further subdivision of record classes. For instance, the accounts payable record class can be further broken down into accounts payable aging reports, accounts payable distribution reports, cash disbursement reports, and other categories.
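The three-tier scheme above (business function, record class, record type) is easy to carry into code. The following is an added example, not Janco’s policy tooling: a small Python module that holds a constructed taxonomy, groups an inventory of record locations into the three tiers, reports anything the taxonomy does not cover (so nothing is silently defaulted), lists the locations holding confidential records, and lists records whose retention period has elapsed. The function, class and type names, the sensitivity and retention values, and the inventory rows are all assumptions made up for the illustration.

```python
"""Three-tier record classification: function > class > type (added example)."""
from collections import defaultdict

# Constructed taxonomy (assumption). Leaf value: (sensitivity, retention in years).
TAXONOMY = {
    "finance": {
        "accounts payable": {
            "ap aging report": ("internal", 7),
            "ap distribution report": ("internal", 7),
            "cash disbursement report": ("confidential", 7),
        },
        "accounts receivable": {
            "ar aging report": ("internal", 7),
        },
    },
    "human resources": {
        "personnel": {
            "employment application": ("confidential", 3),
        },
    },
}

# Constructed inventory (assumption): one row per stored record.
INVENTORY = [
    {"location": "fs01:/finance/ap/aging-2018.xlsx", "function": "Finance",
     "class": "Accounts Payable", "type": "AP Aging Report", "year": 2018},
    {"location": "fs01:/finance/ap/disbursements-2018.pdf", "function": "Finance",
     "class": "Accounts Payable", "type": "Cash Disbursement Report", "year": 2018},
    {"location": "hr-share:/applications/2019", "function": "Human Resources",
     "class": "Personnel", "type": "Employment Application", "year": 2019},
    {"location": "fs01:/marketing/campaign-q1.pptx", "function": "Marketing",
     "class": "Campaigns", "type": "Deck", "year": 2019},
]


def lookup(function, record_class, record_type):
    """Return (sensitivity, retention_years) for a tier path, or None if not in the taxonomy."""
    try:
        return TAXONOMY[function.lower()][record_class.lower()][record_type.lower()]
    except KeyError:
        return None


def classify_inventory(inventory):
    """Group rows by (function, class, type).

    Returns (grouped, unclassified). Rows the taxonomy does not cover are returned
    separately for a human decision instead of being dropped into a default class.
    """
    grouped = defaultdict(list)
    unclassified = []
    for row in inventory:
        if lookup(row["function"], row["class"], row["type"]) is None:
            unclassified.append(row)
            continue
        path = (row["function"].lower(), row["class"].lower(), row["type"].lower())
        grouped[path].append(row["location"])
    return dict(grouped), unclassified


def sensitive_footprint(inventory, level="confidential"):
    """Sorted locations holding records at the given sensitivity level."""
    grouped, _ = classify_inventory(inventory)
    return sorted(
        loc
        for path, locs in grouped.items()
        for loc in locs
        if TAXONOMY[path[0]][path[1]][path[2]][0] == level
    )


def due_for_disposition(inventory, current_year):
    """Classified records whose retention period has elapsed by current_year."""
    due = []
    for row in inventory:
        meta = lookup(row["function"], row["class"], row["type"])
        if meta is not None and row["year"] + meta[1] <= current_year:
            due.append(row["location"])
    return sorted(due)


if __name__ == "__main__":
    grouped, unclassified = classify_inventory(INVENTORY)
    for path, locs in grouped.items():
        print(" > ".join(path), "->", locs)
    print("needs manual classification:", [r["location"] for r in unclassified])
    print("confidential footprint:", sensitive_footprint(INVENTORY))
    print("due for disposition in 2024:", due_for_disposition(INVENTORY, 2024))
```

The unclassified list is the important output: the inventory step in the text only works if every record lands in a known class, so a row that matches no tier path should surface as a finding rather than be guessed.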
BYOD Best Practices to ensure the security of enterprise sensitive and confidential information
BYOD Best Practices – BYOD (Bring Your Own Device) is now standard practice for most people working for companies. Devices include everything from laptop computers to tablets and smartphones. 10 Best Practices to secure BYODs – More employees and enterprise associates are bringing their own iPhones and tablets to the office. How sure are you that they are secure? While these personal devices are great for employee productivity, they can introduce security risks to your organization.
Implement a formal written BYOD policy that clearly states which devices and applications are supported.
Require a lock passcode on each device. Pair it with an automatic wipe after a set number of invalid attempts, and at the same time have a way to restore the device from backup if it is wiped.
Implement a locator on all smartphones. On the iPhone use the “Find My iPhone” application.
Protect the access point of your network so that only devices that meet your stringent security requirements are allowed access to your network and data.
Implement anti-virus where possible. On the iPhone there is no anti-virus, so your email service provider needs to scan messages BEFORE they are sent to the device.
Manage authorized applications so that contacts and other sensitive data are not extracted from the device by the applications.
Utilize data encryption on e-mail and enterprise data.
Utilize the cloud as a backup source.
Be wary of applications like QR code readers. They can direct the user to sites that can take control of the device.
Monitor access and data usage by device and by user. Have processes in place that actively inform management of any potential areas where the network and data can be compromised.
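Most of the practices above reduce to attributes an MDM agent can report, which means the access-point rule (only devices meeting the requirements get on the network) can be a posture check evaluated before a device is admitted. The following is an added example, not Janco’s code and not any MDM or NAC vendor’s API: a Python posture check that applies the passcode, auto-wipe, backup, locator, encryption, anti-virus and approved-app rules and reports every failed rule at once. The attribute names, the policy thresholds, the approved-app list and the two sample devices are assumptions constructed for the illustration.

```python
"""BYOD posture check before network admission (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    """Attributes an MDM agent would report (assumed names)."""
    owner: str
    platform: str                       # "ios", "android", ...
    os_version: tuple                   # (major, minor)
    passcode_set: bool
    wipe_after_failures: Optional[int]  # None: no auto-wipe configured
    backup_enabled: bool                # needed to restore after a wipe
    locator_enabled: bool               # e.g. Find My iPhone
    storage_encrypted: bool
    antivirus_installed: bool
    installed_apps: set = field(default_factory=set)


# Assumed policy values; a real deployment would load these from the written BYOD policy.
POLICY = {
    "min_os": {"ios": (12, 0), "android": (9, 0)},  # supported platforms and minimum OS
    "max_failed_attempts": 10,                      # wipe after this many bad passcodes
    "approved_apps": {"com.example.mail", "com.example.vpn"},
    "av_required_on": {"android"},                  # iOS: mail is scanned server-side instead
}


def check_posture(device, policy=POLICY):
    """Return (allowed, reasons). Every failed rule is reported, not just the first."""
    reasons = []
    minimum = policy["min_os"].get(device.platform)
    if minimum is None:
        reasons.append(f"platform {device.platform!r} is not supported by the BYOD policy")
    elif device.os_version < minimum:
        reasons.append(f"OS {device.os_version} is below the minimum {minimum}")
    if not device.passcode_set:
        reasons.append("no lock passcode set")
    if (device.wipe_after_failures is None
            or device.wipe_after_failures > policy["max_failed_attempts"]):
        reasons.append("auto-wipe after failed unlock attempts not configured within policy")
    if not device.backup_enabled:
        reasons.append("no backup configured to restore from after a wipe")
    if not device.locator_enabled:
        reasons.append("device locator not enabled")
    if not device.storage_encrypted:
        reasons.append("device storage not encrypted")
    if device.platform in policy["av_required_on"] and not device.antivirus_installed:
        reasons.append("anti-virus required on this platform but not installed")
    unapproved = sorted(device.installed_apps - policy["approved_apps"])
    if unapproved:
        reasons.append("unapproved apps installed: " + ", ".join(unapproved))
    return (not reasons, reasons)


# Constructed sample devices (assumption).
COMPLIANT = Device("alice", "ios", (13, 3), True, 10, True, True, True, False,
                   {"com.example.mail", "com.example.vpn"})
NONCOMPLIANT = Device("bob", "android", (8, 1), False, None, False, True, False, False,
                      {"com.example.mail", "com.shady.qrscan"})


if __name__ == "__main__":
    for dev in (COMPLIANT, NONCOMPLIANT):
        allowed, reasons = check_posture(dev)
        print(dev.owner, "admitted" if allowed else "denied")
        for r in reasons:
            print("  -", r)
```

Reporting all failures at once matters in practice: a user who is told only about the missing passcode, fixes it, and is then denied again for encryption will work around the enrollment rather than complete it.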
Top 10 Net Neutrality advantages for the general public all center on the fact that without it the Internet will no longer be a universally accepted standard infrastructure.
Only way to keep the internet open for small to mid-sized companies.
If net neutrality is not made the basis for connectivity and access, the large companies like Google, Amazon and Twitter will have a complete monopoly in their markets. Also the large carriers like AT&T and Verizon will have no incentive to create better and faster access to the Internet.
Net Neutrality is a core requirement for IT Governance and Infrastructure definition.
Creates an open playing field.
With net neutrality in place, Internet Service Providers (ISPs) do not control what passes through the devices customers use to access the Internet. This means an ISP under net neutrality cannot block access, change services, or alter the flow of data simply because something is going on that it doesn’t like.
Remain as an international channel without governmental interference.
Recently, whenever there has been civil unrest, governments have taken over or eliminated access. Without small players in the space, there can be no alternative sources of access. The recent moves by the Russian government to close down all connectivity to the general Internet in “troubled political” situations would only be made easier without net neutrality.
Innovation is encouraged and protected when the internet remains neutral. Big companies still have the same access as SMBs or freelancers, and this allows everyone to come up with new and creative solutions. Just look at the companies that started with a video and audio attachment to door bells. Now an entire new segment of the security industry has been created with “self-service” security. No longer do companies like ADT have a monopoly on that sector of the industry.
Freedom of expression is fostered.
Blogs, services, businesses, and any website that can operate legally is able to do so and be available because of net neutrality. There isn’t any censorship available as long as the content being offered meets legal obligations. If illegal content is discovered, it can be immediately reported to law enforcement officials. Without this freedom of expression, it could become easier for illegal content, such as child pornography, to become more available. If a small ISP blocked access to all and approved of such a thing, it could hamper keeping our communities safe.
Illegal activities are monitored.
ISPs are like utilities: they provide everyone with the services they need. Illegal activity such as illegal file sharing can be monitored because each ISP is treated as a regulated common carrier.
Unlimited data is available to everyone equally.
In the 1990s, internet users had a good time being online in AOL chat rooms or waiting 20 minutes for a cool website to load. Today, there are real-time video calls. Companies like Netflix providing legal streaming. YouTube has grown into an educational and entertainment network.
Income from internet use has moved to a subscription basis.
There are certain businesses and high-use individuals who consume large amounts of bandwidth every month. Entire industries have been created that generate revenue based on service provided not access. It is like the Interstate Highway System, everyone benefits.
Competition thrives. There are numerous online streaming services that offer live TV today: Hulu, PlayStation Vue, and Sling by Dish Network are just three examples. If a customer must choose Comcast as their ISP, then these streaming services could be given a lower priority because they are rival organizations. Comcast could choose to offer the highest speeds to the networks and services it owns and slow down the signals provided by the competition. This would effectively limit consumer choice.
Free internet access stays free.
When the internet becomes a place where profitability is the primary concern, the idea of providing free internet access to those who cannot afford it goes away. Providers could charge whatever they wanted and restrict access to whomever they please. This could lead to demographic discrimination, socioeconomic discrimination, or prioritize content to the wealthiest who are willing to pay high prices for the fastest data streams.
This is an ever-evolving area, as net neutrality is now subject to political influence. Only time will tell what will happen.
Cryptocurrency is a hacker target as the population of blockchain applications expands. In the last year there was a boom in malicious cryptocurrency mining, where cyber attackers secretly hijack the processing power of computers, servers and even IoT devices and use it to mine cryptocurrency. While it is not very lucrative in the short term, it is stealthy and can be sustained over a long period of time. Because it typically takes very little from each PC, most users don’t even know their machine’s processor is being used to line someone else’s pockets.
Ransomware takes a much more aggressive approach: pay up, or risk having your files permanently locked.
While both cryptojacking and ransomware continue to be widespread threats, other attackers are quietly deploying a potentially much more damaging threat: trojan malware.
Trojan malware sneaks onto your PC by disguising itself as something else, often hidden in a malicious attachment distributed with a phishing email.
Trojan attacks range from those using commodity malware, with phishing emails spammed out in bulk in the hope of scooping up victims for the purpose of stealing their login credentials, banking information or other private information, to attacks that are far more precise, targeting organisations or even individuals to gain access to specific data. The goal may be creating a persistent presence on the network for espionage, stealing data and selling it, or loading other malware onto the system.
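The cryptojacking description above (a little CPU taken continuously, over a long period, from a machine whose owner does not notice) is exactly what makes it detectable from endpoint telemetry rather than from the user. The following is an added example, not Janco’s tooling or any vendor’s detection: a Python detector that runs over constructed process samples and flags a process when it shows sustained high CPU while not being something expected to be busy, or when its command line or outbound connection looks like mining-pool (stratum) traffic. The CPU threshold, the sample count, the “expected busy” allowlist, the pool port list, the telemetry format and the sample lines are all assumptions made up for the example.

```python
"""Flag cryptojacking-like processes from endpoint telemetry (added example)."""
from collections import defaultdict

# Assumed thresholds and lists.
CPU_THRESHOLD = 70.0                    # percent of one core
SUSTAINED_SAMPLES = 3                   # consecutive samples at or above the threshold
EXPECTED_BUSY = {"ffmpeg", "gcc", "backup-agent"}   # legitimately CPU-heavy processes
POOL_PORTS = {3333, 4444, 5555, 14444}  # ports commonly used by mining pools (assumption)

# Constructed telemetry (assumption): one sample per process per interval,
# fields separated by '|': ts|pid|name|cpu_pct|cmdline|remote (remote may be empty).
TELEMETRY = """\
1|4120|svchost.exe|85.0|svchost.exe -k netsvcs|198.51.100.7:3333
1|777|ffmpeg|96.0|ffmpeg -i in.mov out.mp4|
1|900|chrome.exe|12.0|chrome.exe|203.0.113.9:443
1|555|updater.exe|40.0|updater.exe -o stratum+tcp://pool.example:14444 -u wallet|
2|4120|svchost.exe|88.0|svchost.exe -k netsvcs|198.51.100.7:3333
2|777|ffmpeg|97.0|ffmpeg -i in.mov out.mp4|
2|900|chrome.exe|30.0|chrome.exe|203.0.113.9:443
2|555|updater.exe|45.0|updater.exe -o stratum+tcp://pool.example:14444 -u wallet|
3|4120|svchost.exe|90.0|svchost.exe -k netsvcs|198.51.100.7:3333
3|777|ffmpeg|95.0|ffmpeg -i in.mov out.mp4|
3|900|chrome.exe|9.0|chrome.exe|203.0.113.9:443
"""


def parse_telemetry(text):
    """Parse the '|'-separated sample lines into dicts; remote is IPv4 host:port or empty."""
    rows = []
    for line in text.strip().splitlines():
        ts, pid, name, cpu, cmd, remote = line.split("|")
        port = int(remote.rpartition(":")[2]) if remote else None
        rows.append({"ts": int(ts), "pid": int(pid), "name": name,
                     "cpu": float(cpu), "cmd": cmd, "port": port})
    return rows


def detect(rows):
    """Return one alert dict per suspicious pid, with the signals that fired."""
    by_pid = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_pid[r["pid"]].append(r)

    alerts = []
    for pid, samples in by_pid.items():
        name = samples[-1]["name"]
        # Longest run of consecutive samples at or above the CPU threshold.
        run = longest = 0
        for s in samples:
            run = run + 1 if s["cpu"] >= CPU_THRESHOLD else 0
            longest = max(longest, run)
        sustained = longest >= SUSTAINED_SAMPLES and name not in EXPECTED_BUSY
        pool_like = any("stratum+tcp" in s["cmd"] or s["port"] in POOL_PORTS
                        for s in samples)
        if sustained or pool_like:
            alerts.append({"pid": pid, "name": name,
                           "sustained_cpu": sustained, "pool_like": pool_like})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_telemetry(TELEMETRY)):
        print(a)
```

The two signals are deliberately independent: the allowlist keeps a long video transcode from paging anyone, while the stratum check catches a miner throttled below the CPU threshold, which is the “take very little from each PC” case the text describes.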
Median Compensation for IT Professionals based on Janco’s January 2019 IT Salary Survey
High Paying IT Jobs that are in high demand are associated with the new e-commerce roles and Internet based application areas. All of the job titles that we have listed here fall into positions where the starting salaries are above the median salary of $93,077 for all IT professionals.
The positions we define as high paying for this analysis are associated with IoT (Internet of Things), Salesforce Automation, Virtual Reality and Security. These are the hot job titles. The entry level for each of these positions is over $100,000 and some have pay ranges that exceed $200,000.
The positions most in demand and commanding the highest compensation are those associated with Salesforce Automation and that unique application, followed closely by IoT and Security.
If the current demand for these skills continues, two things will happen. First, there will continue to be an increase in the compensation levels for these positions. Second, more IT pros will migrate into these positions, increasing the supply. That in turn will be a dampening factor on compensation.
We have seen this before when new technologies required specialized skills. Typically we found that it took 24 to 36 months for the supply to catch up with the demand. At that time salaries leveled off.
In any case, we see the median salary for all IT professionals at around $97,000 by the end of 2019.
Top 10 Security Weakness Issues – In a review of over 100 enterprises we identified the security weakness issues that CIOs, CSOs, and IT pros need to address. They are:
Using only single level verification for access to sensitive data
Having “public” workstations or access points connected to a secure network
Sharing login credentials
Connecting to the network from an unsecured access point
Corporate web site is encrypted but the login process is not
Using weak encryption for back end management
Using unencrypted or weak encryption for Web site or Web server management
Top 10 Security Weakness Issues Identified
Janco’s Security Manual provides tools that IT professionals can use to address these issues. In addition, a number of articles have been published on Janco’s main web site. To see them, go to the site and use the search option under the main menu bar; with it you will be able to see all the web pages that contain the term security weakness or any subset of the search term.