ClioSport.net


IT compliance document



  Rav4
Hi,

Have any of you guys written one?

Our compliance guys are requiring a lot of information but don't quite know where to start, I could write endless amounts of stuff.

Have already looked on google before anyone asks!

G.
 

Cookie

ClioSport Club Member


"Compliance"
 
  DCi
I can probably read compliance docs for anything at my work, but I would imagine a lot of it is restricted, i.e. I shouldn't post it.

Might be able to speak generically about specific points though?
 
  Rav4
Here is some of the information;

The compliance guy just whacked over an email of the kinds of things he is looking for.

I want to be fixing things, not making documents, anyhow......



IT Security

Key IT Security Risks

Personal Data is largely held in:

A) Financial Services Division
B) Private Clients Division

Key Data is that which could permit the possibility of Identity Theft or that relating to banking information.

Data could be stolen by staff or third-parties.

The controls and procedures below demonstrate how we attempt to mitigate these risks

Management Controls

The lines of responsibility relating to IT Security are …….

We have an information security policy held and reviewed regularly by …………

We can detect loss of data by …..

We train staff concerning their data security obligations by …...

Access rights to IT

How we control access to IT (unique username and unique and changing passwords); strong passwords; who controls the username and password?

Controls over internet and e-mail use

Files and laptops off-site

Data Management

Housekeeping - backing up

Offsite data – laptops, memory sticks, CDs – encryption

Encryption of data held offsite

Encryption of information sent off-site either electronically or physically

Theft of data by means of memory sticks and CD

Disabling of USB Ports and CD writers where appropriate

Log of memory sticks and laptops

Random Checks of laptops and memory stick

Clear, consistent and secure IT back-up and housekeeping procedures

Encryption of backed-up data (particularly if held at a third party)

Due Diligence on third-parties or staff holding backed-up data

Assessment of risk of staff’s use of web-mail, social networking sites, instant messaging and file sharing software

Disposal of Data

Data should be disposed of in a secure fashion

The following should be considered:

Security of data disposal procedures – removal, destruction and wiping of hard drives before disposal

Training of staff



Third Party Suppliers

You should be satisfied that you know who any third-party suppliers are, the security surrounding any data they hold or have access to, and how they vet their staff.

Third-party suppliers who could have access to IT data are:

1 IT archive providers
2 Security personnel
3 Any other third-parties likely to visit the offices
4 IT suppliers



Compliance and Monitoring

We monitor the possible loss of data by …….
 

Cookie

ClioSport Club Member
Are they planning on selling up? That's the sort of stuff I had to go through in a due diligence exercise
 
  Rav4
Nope, not that I know of, and I am normally pretty up to speed with stuff.

Got a lot of work to do :(

I just want to play with toys and break things.



 
  Cayman S Edition 1
Seems a strange way of doing it. In most cases this would be dealt with by performing an internal audit of your IT systems and controls around those to maintain confidentiality, integrity and availability.

I'm an Information Security Manager for a large corporate company and have written my fair share of security policies and procedures over the years, including implementing ISO27001. To be honest, dumping all that on you if you haven't got the experience isn't beneficial to either party, and the compliance officer should really help give you some pointers.

There's some great stuff on the net relating to ISO27001 which will help you out on this one. Feel free to drop me a PM though and I'll help if I can.
 
  White clique
Jay, who do you work for? Didn't realise you were in IT?!?

OP - I work for Gartner and we have loads of toolkits and templates for this sort of stuff, but it is a huge list you have unless you are doing a high-level compliance / IT security strategy or user policy.

I can probs bung you some stuff but it will be generic if you are to do that whole list.
 
  Rav4
Not all SMEs have the budget for audits; we have compliance pros, who are outsourced.

It is a lot of info to be dumped on me, there is no one else who can do it and we all have to learn at some point, just as you did ;)

Do you have procedures/ISO27001 that I could have a look at?

I will have more of a search,

Many thanks for your message,

G.
 

