
This is a sample of the final product. These pages are for your review only and are protected by Janco's copyright. PAGES HAVE BEEN EXCLUDED.

Internet &
PC WorkStation
Policies &
Procedures
HandiGuide

Copyright 2007 M. Victor Janulaitis


Copyright 2007 Janco Associates, Inc.
ALL RIGHTS RESERVED

All rights reserved. No part of this book may be reproduced by any means without
the prior written permission of the publisher. No reproduction or derivation of this
book shall be re-sold or given away without royalties being paid to the authors. All
other publisher's rights under the copyright laws will be strictly enforced.
Published by:

Janco Associates, Inc.


Park City, UT 84060
435 940-9300
e-mail support@e-janco.com

Publisher cannot in any way guarantee the procedures and approaches presented in
this book are being used for the purposes intended and therefore assumes no
responsibility for their proper and correct use.
Printed in the United States of America
ISBN 13 978-1-881218-00-5
HandiGuide is a registered trademark of M. Victor Janulaitis.

License Conditions

This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has
acquired the rights to use it for a SINGLE Disaster Recovery Plan unless the user has purchased a multi-use license. Anyone who
makes an unlicensed copy of or uses the template or any derivative of it is in violation of United States and International copyright
laws and subject to fines that are treble damages as determined by the courts. A REWARD of up to 1/3 of those fines will be paid to
anyone reporting such a violation upon the successful prosecution of such violators.

The purchaser agrees that any derivative of this template will contain the following words within the first five pages of that document.
The words are:
2001 - 2007 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED

Easy use steps:

1. Read these License Conditions.
2. Print the first two pages of this template.
3. Delete the first two pages.
4. Save As your file name.
5. Edit/replace ENTERPRISE with your enterprise's name.
6. Edit/replace the company logo with your enterprise's logo.
7. Save As your filename.v001.
8. As you modify the plan, continue to save the DRP with a name that has an updated version
number.

The Template is saved in two formats. They are:

*.doc is in WORD 2003 format
*.docx is in WORD 2007 format

Both of these documents are the same, but we have provided them in both formats
for your use. If you have any questions on these documents, please send an email to
support@e-janco.com and reference your order number.


Telephone support can be obtained if you have registered your product by going to

http://www.e-janco.com/register.asp

If you register your product within thirty (30) days of purchase Janco will send you a coupon for 10% off on your
next purchase from any of Janco's direct sites. These include:

http://www.e-janco.com
http://www.itproductivity.org
http://www.ejobdescription.com
http://www.it-toolkits.com

iii


TABLE OF CONTENTS

TABLE OF CONTENTS ............................................................ I


INTRODUCTION ............................................................... 3
FOREWORD ......................................................................... 5
Scope And Applicability ............................................................................................ 9
Book Structure ........................................................................................................... 9
Administrative Management ................................................................................ 9
Technology Management ................................................................................... 10
Asset Protection .................................................................................................. 10
Appendix ............................................................................................................... 10

ADMINISTRATIVE MANAGEMENT ................................. 11


MANAGEMENT OVERVIEW .................................................. 13
Base Assumptions And Objectives ....................................................................... 13

MANAGEMENT PROCESS .................................................... 17


Executive Management .......................................................................................... 17
General Operations Management ......................................................................... 17
Individual Managers And Staff Members ............................................................. 18
Information Technology Resource Group ........................................................ 18
Technology Support Staff................................................................................... 19
Technology Resources and Information .......................................................... 19
Risk Analysis Program Components .................................................................... 21
Software Control and Security ........................................................................... 21
Hardware Control and Security ......................................................................... 21
Internet / Intranet Control and Security ............................................................ 21
Network Control and Security ............................................................................ 21
Logical Access Controls ..................................................................................... 22
Software Development Controls........................................................................ 22

RESPONSIBILITIES.............................................................. 23
Manager, IT Support Resource Group ................................................................. 24
Manager, Enterprise Operational Group .............................................................. 24
Steering Committee................................................................................................. 25
Manager Internet and PC Control and Security ................................................... 25
All Enterprise Managers (Enterprise Groups, Departments and Divisions) .... 26
Asset Owners ........................................................................................................... 26
PC Support Managers ........................................................................................ 28
Users ..................................................................................................................... 28
Help Desk ............................................................................................................. 28
Outside Information Technology Services ........................................................... 29
Applicability .......................................................................................................... 30
Responsibilities When Using Information Technology Services .................. 30
Outside Information Technology Services - Basic Policies ........................... 31

INTERNET AND PC WORK STATION


POLICIES AND PROCEDURES HANDIGUIDE


TECHNOLOGY MANAGEMENT ...................................... 35


JUSTIFICATION, ACQUISITION, AND SUPPORT ....................... 37
Guidelines ................................................................................................................. 37
Functional Needs ................................................................................................ 38
Software Needs ................................................................................................... 38
Hardware Configuration...................................................................................... 39
Back up/Recovery ............................................................................................... 42
LAN Back ups ...................................................................................................... 42
Documentation .................................................................................................... 42
Supported Configurations ....................................................................................... 44
Support Organization .......................................................................................... 44
Registration .......................................................................................................... 44
Hardware .............................................................................................................. 44
Software ............................................................................................................... 46
Connectivity.......................................................................................................... 46
Hardware and Software Inventory..................................................................... 47
Adoption of Non-Standard Hardware or Software .......................................... 47

APPLICATION DEVELOPMENT .............................................. 49


What is an Application? .......................................................................................... 52
Relation to Support Groups .................................................................................... 53
Project Conceptualization and Justification ......................................................... 53
Notifying the Information Technology Department ............................................. 54
Technical Assistance .............................................................................................. 54
Project Approval ...................................................................................................... 55
Selecting the Best Alternative ................................................................................ 55
Development Assistance ........................................................................................ 56
Development ............................................................................................................ 56
Monitoring............................................................................................................. 56
Testing .................................................................................................................. 56
Final Certification ................................................................................................ 57
Installation ............................................................................................................ 57
Implementation ........................................................................................................ 57
Conversion ........................................................................................................... 57
Training ................................................................................................................. 58
Documentation .................................................................................................... 58
Support ................................................................................................................. 58
Application Development - Small Development .................................................. 59
Reasons for Documentation .............................................................................. 59
Standards ............................................................................................................. 59
Special Items ....................................................................................................... 60
Application Development - Typical Development ............................................... 61
Documentation .................................................................................................... 63
Departmental Reports ........................................................................................ 63
Typical Work Plan - Two Month Effort .................................................................. 64

TRAINING........................................................................... 67
Hardware Training ................................................................................................... 67
Operating System Training .................................................................................... 68
Application Software Training ................................................................................ 68
Sources of Training ................................................................................................. 69
Supplier Training ................................................................................................. 69
Local Experts ....................................................................................................... 69
Third Party Training Organizations ................................................................... 69
User Support Center ........................................................................................... 70
Special Training ................................................................................................... 70
Enterprise Staff ........................................................................................................ 70
Contractor Personnel .............................................................................................. 71

LOCAL AREA NETWORKS (LANS) ........................................ 73


ii

Features .................................................................................................................... 73
Physical Components ............................................................................................. 74
Workstations ........................................................................................................ 75
Network Cables ................................................................................................... 75
Network Adapters .................................................................................................... 75
File Servers .......................................................................................................... 75
Network Peripherals ............................................................................................ 76
Network Operating System ................................................................................ 76
Configuration ............................................................................................................ 76
Users ......................................................................................................................... 76
Network Supervisors ........................................................................................... 77
Regular Network Users ...................................................................................... 77
Network Operators .............................................................................................. 77
Security ..................................................................................................................... 77
Directory Rights ................................................................................................... 78
Back up ..................................................................................................................... 80

BACK UP & RECOVERY ....................................................... 81


Data Storage And Media Protection...................................................................... 82
Labeling ................................................................................................................ 83
Storage ................................................................................................................. 83
Retention Schedule ............................................................................................. 83
Disposal Of Sensitive Information ..................................................................... 83
Back up Program and Schedule ............................................................................ 84
Creating a Back up Program ............................................................................. 85
Monitoring the Back up Program....................................................................... 86
LAN/Wide Area Local Area Networks (WANs) ............................................... 86
Recovering From Back up Media ...................................................................... 87
CD / DVD Back up .............................................................................................. 88
Hard Disk Back up .............................................................................................. 88
Application Software Back up ............................................................................ 89
PC File Back ups ................................................................................................. 89
Back up Software ................................................................................................ 89
Documentation..................................................................................................... 90
Storage of Back up ............................................................................................. 90
Naming Conventions ............................................................................................... 90

SERVICE REQUESTS .......................................................... 91


Policies ...................................................................................................................... 93
Process ..................................................................................................................... 94
Opening A Service Request .............................................................................. 95
Identify Need and Prepare Service Request ................................................... 95
Log and Assess SR ............................................................................................ 95
Prioritize and Approve SR .................................................................................. 96
Analyze SR and Design Solution ...................................................................... 96
Review and Approve Design Solution .............................................................. 96
Modify Programs and Test ................................................................................. 97
Conduct User Acceptance Testing ................................................................... 97
Move New/Modified Programs into Production ............................................... 98
Implement Changes in User Environment ....................................................... 98
Close Service Request ....................................................................................... 98
Priority Setting .......................................................................................................... 98
Service Request ....................................................................................................... 98
Status Reporting .................................................................................................. 99

ELECTRONIC COMMUNICATION ......................................... 100


Electronic Communication Usage Guidelines ................................................... 100
Electronic Mail ................................................................................................... 100
Blogs ................................................................................................................... 102

iii


INTERNET ........................................................................103
Internet Characteristics ......................................................................................... 104
Electronic Mail (e-mail) ..................................................................................... 105
File Transfer Protocol (FTP) ............................................................................ 105
Gopher ................................................................................................................ 105
Home Page ........................................................................................................ 105
TCP/IP Network Protocol ................................................................................. 106
Telenet ................................................................................................................ 106
USENET Newsgroups ...................................................................................... 106
Internet - World Wide Web (WWW) ............................................................... 106
Security Concerns ................................................................................................. 107
Firewalls ............................................................................................................. 108
Screening Router .............................................................................................. 108
Dual-Homed Gateway ...................................................................................... 109
Screening Router and Bastion Host ............................................................... 110
Encryption .......................................................................................................... 110
Policy and Procedures .......................................................................................... 111
Pitfalls ...................................................................................................................... 111
Service Installation ............................................................................................ 112
Hardware ................................................................................................................ 112
Software .................................................................................................................. 113

ASSET PROTECTION ...................................................115


CONTROLS ......................................................................117
Acceptable Uses for PCs and Controls .............................................................. 117
Risks Due to Lack of Controls ............................................................................. 119
Types of Controls .................................................................................................. 121
Logging And Audit Trails ...................................................................................... 125
Accountability..................................................................................................... 125
Reconstruction of Events ................................................................................. 125
Information to Be Recorded ............................................................................. 125
Tracing Transactions ........................................................................................ 126
Support Information .......................................................................................... 126
Retention Period of Documentation and Audit Trail Data ............................ 126
Need for Source Documents ........................................................................... 126
Audit Logs In The Mainframe Environment ................................................... 126
Satisfactory Compliance ....................................................................................... 129

BUSINESS RESUMPTION PROGRAM ...................................131


Critical Function Analysis ..................................................................................... 132
BRP Procedures for Critical Data ........................................................................ 133
Back up Criteria ..................................................................................................... 133
Back up Procedures .............................................................................................. 134
Storage Criteria ...................................................................................................... 134
Business Recovery Procedures .......................................................................... 135
Requirements for Recovery ................................................................................. 135
Recovery Guidelines ............................................................................................. 135
Restoring Damaged Equipment .......................................................................... 136
Recovery Management ......................................................................................... 136
Contingency Planning ........................................................................................... 137
Responsibilities.................................................................................................. 137
Planning Activities ................................................................................................. 139
Function Of Planning Activities ....................................................................... 139
Development Activities ..................................................................................... 139
Planning Manual ................................................................................................ 140
Maintenance Activities ...................................................................................... 140
Plan Activation And Recovery ............................................................................. 140

SECURITY ........................................................................143
iv

PC Processing Area Classification...................................................................... 144


Criteria ................................................................................................................ 144
Classification Categories .................................................................................. 145
Work Stations and Remote Terminals ................................................................ 146
Attended terminals ............................................................................................ 146
Unattended terminals ........................................................................................ 147
Management Control Tools .................................................................................. 147
Staff Member Security .......................................................................................... 148
Review ................................................................................................................ 148
Risky Practices .................................................................................................. 148
Violations ............................................................................................................ 148
Management Action .......................................................................................... 149
Responsibilities ...................................................................................................... 149
Sensitive Positions ................................................................................................ 150
Network Security .................................................................................................... 151
Vulnerabilities..................................................................................................... 151
Exploitation Techniques ................................................................................... 151
Reasons for Security ........................................................................................ 152
Responsibilities .................................................................................................. 152

FACILITY REQUIREMENTS ................................................. 155


Physical Plan Considerations .............................................................................. 155
Processing Location .............................................................................................. 156
Construction Standards .................................................................................... 157
Protection From Water Damage ..................................................................... 158
Air Conditioning ................................................................................................. 158
Entrances And Exits.......................................................................................... 159
Interior Furnishings ........................................................................................... 159
Fire Protection ........................................................................................................ 160

ACCESS CONTROL ........................................................... 163


Separation of Duties .............................................................................................. 163
Least Privilege ........................................................................................................ 164
Individual Accountability ....................................................................................... 164
Category I - Processing Areas ........................................................................ 165
Category II - Processing Areas ....................................................................... 165
Category III - Processing Areas ...................................................................... 165
Category IV - Processing Areas ...................................................................... 165
Definitions Of PC Access Control Zones ........................................................... 166
Public Areas ....................................................................................................... 166
Controlled Areas ................................................................................................ 166
Responsibilities ...................................................................................................... 166
Levels Of Access Authority .................................................................................. 167
Permanent Access ............................................................................................ 167
Temporary Access ............................................................................................ 167
Implementation Requirements ............................................................................. 167
Protection Of Supporting Utilities ........................................................................ 168
Resource Protection .............................................................................................. 169
Network Components ....................................................................................... 169
Wire Closets....................................................................................................... 169
Terminal And Remote Job Entry Devices ...................................................... 169
Dial-Up Controls ................................................................................................ 170
Message Authentication ................................................................................... 170
Encryption .......................................................................................................... 171
Exceptions .......................................................................................................... 172
Software and Data ................................................................................................. 172
Resources To Be Protected............................................................................. 173
Basic Standards ................................................................................................ 174
Controllability ..................................................................................................... 176
Integrity ............................................................................................................... 176

INTERNET AND PC WORK STATION


POLICIES AND PROCEDURES HANDIGUIDE

PASSWORDS ...................................................................177
Identification ....................................................................................................... 177
Authentication .................................................................................................... 177
Standards for Passwords ................................................................................. 178
Authorization Verification ................................................................................. 178

APPENDIX ........................................................................181
HARDWARE/SOFTWARE SUPPORTED FORMS .....................183
Supported Software ............................................................................................... 183
Supported PCs - Standalone ............................................................................... 183
Supported PCs - Networked ................................................................................ 185
Supported Add-In Boards ..................................................................................... 186
Unsupported Hardware ......................................................................................... 187
Unsupported Software .......................................................................................... 188


MANAGEMENT OVERVIEW

A common concern in many enterprises is that an enterprise-wide operational management approach is needed to maximize value while protecting technological resources and data assets. In addition, they need to assure the availability of support for these new tools.
The purpose of this HandiGuide is to provide an enterprise with the tools to effectively and efficiently manage all of the capital and information resources associated with PC and workstation operations. This includes both PC operations and the development of applications in the enterprise.

All elements of the enterprise's technology management, control and oversight should be structured to maximize its value. This includes:

- Cost effective utilization of the resources;
- Protection from damage which might result from accidental or intentional events; or
- Actions that might breach the confidentiality of enterprise records, result in fraud or abuse, or delay meeting of the enterprise's objectives.

BASE ASSUMPTIONS AND OBJECTIVES


There are a number of base assumptions associated with the operational management of the PC environment which were used in the creation of this HandiGuide:

- Integrated management of all components, including operational management, is necessary for all technology hardware, operating and application software, data, and network linkages. Each of these components must be considered from a total-system perspective (i.e., the cost effective use and protection of information must be considered from its origination to its final destruction, to include all processes affecting the information).


- Operational management of technology resources requires extensive policies, responsibility assignment and procedures to provide the necessary operational framework and infrastructure.
- Operational management complies with the intent of prevailing privacy legislation regarding safeguards and with the Foreign Corrupt Practices Act.
- Operational management requires documentation, justification, and administrative controls which are cost-effective, prudent and operationally efficient.
- Good operational management requires monitoring the implementation of selected metrics[4], controls and procedures. This includes the definition of the functions necessary to ensure compliance with stated guidelines within this book.

Operational management guidelines, as presented in this book, should be considered as the minimum standard for all technology based applications and supporting manual activities.

Given these assumptions we have tried to achieve several very specific objectives in this HandiGuide. The first and foremost is to provide a tool with which readers can create their own operational management manual for individual PC sites or applications, as well as a manual that covers all of Information Technology in the entire enterprise[5]. With that as a primary objective, the other objectives are:

- Provide a uniform set of rules and guidelines for dealing with all known and recognized aspects of the technology operations affecting the enterprise and its operations.
- Provide pragmatic rules to ensure that all sensitive information[6] handled by computer and manual systems is protected in relation to the risk of loss, inadvertent or deliberate disclosure, fraud, misappropriation, misuse, sabotage or espionage of enterprise assets. This includes:
  - Provide tools to minimize and prevent damage to the enterprise's business operations due to misuse, poor or inappropriate design of all technology-based applications.
  - Protect property and rights of contractors, vendors and other organizations.

[4] Information Systems, Information Technology, and Communications Metrics HandiGuide and Metrics HandiGuide for the Internet and Information Technology, published by Janco Associates, both provide a base level definition of necessary metrics.

[5] Readers of this book can submit a letter on their company letterhead to request the inclusion in part or in entirety of sections of this HandiGuide in company manuals. The primary requirements are the inclusion of Janco Associates, Inc.'s copyright and the use of the final document for internal use only (i.e. not for resale).

[6] For the purposes of this document, sensitive information includes, but is not restricted to, that information which must be safeguarded so enterprise assets are not misused or abused in any fashion.


ADMINISTRATIVE MANAGEMENT
MANAGEMENT OVERVIEW
- Provide a method to disseminate institutional learning[7] on the technological operating environment within an enterprise.

- Ensure the integrity and accuracy of all enterprise information.
- Protect the enterprise's technology hardware, applications and operations from incidents of hardware, software or network failure resulting from human carelessness, intentional abuse or accidental misuse of the system.
- Ensure the ability of all enterprise technology applications and Information Technology operations to survive business interruptions and to function adequately after recovery.

With the use of this material, based upon an active and continuous risk analysis program, an enterprise should be able to create a process where the following elements of technology operational management can be successfully integrated and implemented:

- Ability to audit all transactions and processes impacting enterprise information resources and operational outputs;
- Ability to have traditional physical security controls and accountability with manual as well as automated processes;
- Ability in the systems development review and testing procedures to ensure the enterprise's operational and senior management objectives are met in all technology designs, implementations and operations;
- Ability to deny access to technology resources based upon a defined access requirement plan; and
- A realistic and exercised business resumption program[8].


[7] This is the information that is learned by and known to members of an enterprise that is normal and necessary to conduct business within the enterprise on a day-to-day basis.

[8] A template for a Disaster Recovery Plan in Word or HTML format can be obtained from the site www.e-janco.com.
