Security Manual Template and Audit Program

ISO / COBIT / HIPAA / SOX Compliant


This Security Policy Manual (policies and procedures template) is over 240 pages in length. All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes-Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes-Oxley, ISO 27000 (ISO 27001 and ISO 27002), PCI DSS, and HIPAA. Data protection is a priority, and common security myths need to be addressed.

Our security audit program can be used to identify the gaps that exist between mandated security standards and your organization's security practices, so the audit tool doubles as a detailed gap analysis. Closing those gaps gives you a documented basis for showing that your controls meet the mandated requirements. If you use our Security Audit Program you will not only comply with the many mandated security requirements but also improve the overall performance of your information security program.

Comprehensive, Detailed and Customizable for Your Business

The Security Policy and Audit Program bundle provides all the essential sections of a complete security manual and walks you through the creation of each one. Detailed language addressing more than a dozen security topics is included in a 220-plus-page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements. The template includes sections on critical topics like:

  • Risk analysis
  • Staff member roles
  • Physical security
  • Electronic Communication (email / Smartphones)
  • Blogs and Personal Web Sites
  • Facility design, construction and operations
  • Media and documentation
  • Data and software security
  • Network security
  • Internet and IT contingency planning
  • Insurance
  • Outsourced services
  • Waiver procedures
  • Incident reporting procedures
  • Access control guidelines
  • PCI DSS Audit Program as a separate document

The Security Manual Template is available as a stand-alone item (Standard) or as part of the Premium or Gold sets.

Each of the job descriptions is between 3 and 6 pages in length. They have all been updated to reflect the responsibility requirements of Sarbanes-Oxley, HIPAA, PCI DSS, ISO, and ITIL. The job descriptions included in the Premium bundle are:

  • Chief Compliance Officer (CCO)
  • Chief Security Officer (CSO)
  • VP Strategy and Architecture
  • Director e-Commerce
  • Database Administrator
  • Data Security Administrator
  • Manager Data Security
  • Manager Facilities and Equipment
  • Manager Network and Computing Services
  • Manager Network Services
  • Manager Training and Documentation
  • Manager Voice and Data Communication
  • Manager Wireless Systems
  • Network Security Analyst
  • System Administrator - Unix
  • System Administrator - Windows

Security and Auditing News




Disaster Plan - Business Continuity Template Meets Sarbanes-Oxley Mandated Requirements

The Disaster Recovery / Business Continuity Template version 4.3 has just been released. Janco continues to update its templates to meet the ever-changing requirements of the business environment.

With this new version a fully indexed PDF copy of the template is now provided in addition to the two Word versions (2003 and 2007).

The updates in this version include:

1. Defined generic metrics for DR/BC success
2. Updated the Business & IT Impact Analysis Questionnaire
3. Updated references to the DRP card
4. Updated formatting to meet Word 2007 requirements

The version history for updates to template can be seen at http://www.e-janco.com/drpversion.htm and the full Table of Contents with sample pages can be downloaded at http://www.e-janco.com/Register_drp.asp .




Solid State Disk (SSD) is an opportunity for CIOs

While SSD carries a price premium per unit of storage capacity, it is well worth it if it improves storage response time for users and critical applications.

Data storage managers are making moves toward solid-state storage and solid-state drives (SSDs): 14% of 360 survey respondents plan to implement them this year and nearly 40% plan to evaluate them this year, in addition to the 7% who already have them in place. Those numbers mean that many CIOs could use help comparing SSD with HDD and determining what value they would get from implementing SSD to fix performance problems. This is a role that is tailor-made for an operations manager and represents an excellent value-add opportunity.




Security Threats Increase

In its recently released "2010 Midyear Security Report," Cisco Systems Inc. noted "an uptick in generalized SQL injection attacks, culminating with a June 2010 re-emergence of Asprox [a Trojan that wrought havoc on the United Kingdom government and computer systems two years ago]."

Analysis "revealed that attackers had begun reconnaissance sweeps looking for susceptible SQL servers starting in late March 2010," blogged a market intelligence manager for ScanSafe, a Web security solution provider Cisco acquired last December.

Reconnaissance sweeps, which can indicate network mapping, are normal when generated from inside a network (for example by an authorized vulnerability scanner). The same activity generated from outside a network is suspect, especially as about 51 percent of injected malware is installed by a remote attacker, the Verizon report said.

Attackers will use different methods to get into a system, with numerous gambits exploiting Web browsers. "In so-called man-in-the-browser attacks, cyber attackers can exploit the ability of browsers to access the network stack on the host machines and get to the data before it’s been encrypted - that’s the goal," said the Enterprise Management Associates managing research director.

Search engine results pages play a significant role in driving traffic to compromised Web sites. During the first quarter of 2010, the Cisco report said, "7.4 percent of all Web-based malware encounters resulted from search engine queries, and nearly 90 percent of all Asprox encounters in June 2010 were the result of links in search engine results pages."

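The reconnaissance sweeps described above leave traces in Web server logs, and the inside/outside distinction the article draws can be automated. The following Python script is an added example, not code from the Cisco or ScanSafe reports: it parses a handful of constructed access-log lines in combined log format, decodes percent-encoding, flags requests that match common SQL injection probe signatures, and reports per source address whether the probing came from inside (RFC 1918 space, where an authorized scanner is a plausible explanation) or from outside the network. The log lines, the signature list and the internal address ranges are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (assumption: not real traffic).
# 10.20.1.15 is an internal host; 203.0.113.44 and 198.51.100.9 are external (documentation ranges).
SAMPLE_LOG = """\
10.20.1.15 - - [28/Mar/2010:09:12:01 +0000] "GET /products.asp?id=12 HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.44 - - [28/Mar/2010:09:12:07 +0000] "GET /products.asp?id=12' HTTP/1.1" 500 512 "-" "Mozilla/4.0"
203.0.113.44 - - [28/Mar/2010:09:12:09 +0000] "GET /products.asp?id=12%20AND%201=1 HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.44 - - [28/Mar/2010:09:12:11 +0000] "GET /news.asp?id=5;DECLARE%20@S%20VARCHAR(4000) HTTP/1.1" 500 512 "-" "Mozilla/4.0"
10.20.1.15 - - [28/Mar/2010:09:13:40 +0000] "GET /search.asp?q=union+station HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2010:09:14:02 +0000] "GET /products.asp?id=7%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Signatures typical of automated SQL injection probing (assumption: illustrative, not exhaustive).
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),        # UNION SELECT column enumeration
    re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),          # boolean probes: AND 1=1 / OR 1=2
    re.compile(r"\bdeclare\b\s+@\w+", re.I),                    # T-SQL variable declaration (Asprox-style)
    re.compile(r"'\s*(or|and|--|;|$)", re.I),                   # stray quote to trigger a syntax error
    re.compile(r";\s*(exec|drop|insert|update|cast)\b", re.I),  # stacked query
]

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address is in private (RFC 1918) space, which we treat as 'inside the network'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one combined-log line into a dict, decoding the request path; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote_plus(rec["path"])  # reveal %20 / + obfuscated payloads
    return rec


def looks_like_sqli(path: str) -> bool:
    """True if the decoded request path matches any SQL injection probe signature."""
    return any(p.search(path) for p in SQLI_PATTERNS)


def analyze(log_text: str) -> dict:
    """Count SQLi-looking requests per source and classify each source by network origin.

    External sources probing for SQL injection are flagged 'suspect'; internal sources get 'review',
    since the same sweep from inside may be an authorized scanner.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and looks_like_sqli(rec["path"]):
            hits[rec["ip"]] += 1
    report = {}
    for ip, count in hits.items():
        internal = is_internal(ip)
        report[ip] = {
            "hits": count,
            "origin": "internal" if internal else "external",
            "verdict": "review" if internal else "suspect",
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{ip:15} {info['origin']:8} hits={info['hits']} -> {info['verdict']}")
```

Decoding before matching matters: the third and sixth sample requests only reveal `AND 1=1` and `UNION SELECT` once `%20` is turned back into spaces, and the benign `union+station` search shows why a signature should require the full `UNION ... SELECT` shape rather than a single keyword.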



Rules for avoiding man-made disasters

The best way to prepare for a disaster is to avoid the disaster. Look for any potential problems you can find and correct them. Address the issues that you can actually solve and that will provide a benefit.

  • Maintain good general housekeeping: keep areas clean and free of obstructions and fire hazards. Remove any stored paper from common areas and store it in restricted areas. Consider implementing a "clean desk policy". In the same way that a large city phone directory does not burn as easily as loose paper, moving loose paper from desk tops into files at the end of the work day can reduce losses due to fire. This will also help to protect those documents from sprinkler discharge and other incidents.
  • Look for, and eliminate, any obviously overloaded electrical circuits. Employees may have installed non-business electrical appliances such as coffeepots, radios, space heaters and fans. These appliances can cause electrical fires by shorting out or by overloading circuits not designed for them. Your facilities or building maintenance staff may be able to help you educate your staff about the problems these appliances can cause.
  • Observe physical security procedures in your facility, and encourage increased security when appropriate. Questions to ask include: Is your building open to the public? If you have restricted access, is "tailgating" allowed? If tailgating is not allowed, does it occur anyway?
  • Observe information security procedures for computers in your facility, and encourage increased security when appropriate. Questions to ask include: Does your staff have passwords taped to their monitors? Are your laptop computers secured at the end of the workday? Does your staff leave computers logged on to the network when they are away from their desks for extended periods such as lunch?



Availability of e-mail a business continuity issue

Availability of e-mail and its associated data can make or break an organization's profit objectives, and can determine whether it retains or loses customers. In today's economy, the importance of e-mail takes on new meaning. Recovery time and recovery point objectives (RTOs and RPOs) are no longer general rules of thumb. The Exchange administrator's ability to meet or exceed those lines in the sand, in terms of time to recover and the age of the data recovered, can mean the difference between gainful employment and prepping for a job interview.

Questions that you need to have answers to are:

  • What is the impact of e-mail downtime on today's business?
  • What are the types of potential failures, both common and not-so-common, along with the general probability of each occurring?
  • How do you plan to mitigate the impact of these challenges to ensure adequate levels of protection for your e-mail environment?



CIO Strategic Planning Guidelines

CIOs now are starting to develop new information technology strategies.  As they do that, they need to include understanding the fundamental business and operational trends that are driving businesses and enterprises of all types to redesign their operations.  The principles that CIOs need to keep in mind are:

  • Flexibility - CIOs must be able to respond to opportunities and challenges faster than ever before. These CIOs are usually battling well-resourced organizations that may be based where the opportunity originated, or another globalizing company that is reaching out for new opportunities. In order to compete, a CIO must create a strategy that helps the enterprise deliver a product or service faster, and as good as or better than, that of potentially any other company in the world.
  • Simplicity - The increase in technology has led to increased complexity. While per unit costs of technology are decreasing, in aggregate IT budgets continue to increase. With the pressure on IT to act less as a cost center and more as a way to increase the profitability of business units, adding more storage, more bandwidth, or additional technologies throughout the organization is no longer an acceptable approach to managing information technology. Instead, smart CIOs are investigating technologies like continuous data protection, virtualization, and wireless connectivity to help IT slim down its footprint while increasing their business's competitive advantages. Therefore, the IT team is typically in a difficult position, assessing where to cut costs while still moving forward with a plan to continually enhance IT services to the business.
  • Security and Mandated Requirements - With the growing importance of applications and data, the sources of threats to enterprise data have multiplied dramatically. Everything from natural disasters, to criminals, and corrupt sources within the company can steal or corrupt data. While CIOs do everything that they can to stop these threats in the first place, they still must be prepared to recover from these threats as quickly as possible.
  • Disaster Recovery Business Continuity - As businesses have expanded, the need for anytime, anywhere application access has become a requirement. At the same time, "follow the sun" (global 24/7) operations have shrinking maintenance windows and a need for applications to be running at all times. Delay or loss of data for any reason - system failure, natural disasters - has a domino-like effect across the entire organization, at any time of the day or night.



Artwork in Danger - Disaster Plans Need to Address That

Natural disasters, such as the hurricanes that strike southern Florida and Louisiana, make all of us acutely aware of our vulnerability to disaster. Fortunately, catastrophes of this magnitude are rare, but disaster can strike in many ways. For example, a broken water main inundated the Chicago Historical Society; fire severely damaged the Cabildo in New Orleans; the Loma Prieta earthquake damaged several San Francisco area museums and libraries; smoke from an electrical fire covered collections throughout the Huntington Gallery; mold damage threatened Mount Vernon's archival collections. Large or small, natural or man-made, emergencies put an institution's staff and collections in danger.



Backup and Retention a DRP issue

Traditional storage environments have many of the same problems as distributed server farms: applications are tied to physical devices, making any response to changing needs both disruptive and time-consuming; capacity utilization is low; and many maintenance activities require application downtime. The simple and straightforward solution is storage virtualization, which decouples applications and data from the underlying physical devices. Storage virtualization simplifies storage management, since only a single set of tools is required for a given virtualized set of similar devices, such as a set of disk systems.

For IT departments charged with delivering greater business value in the face of unprecedented data growth, storage virtualization is a very attractive way to control costs, improve performance and maximize resource utilization.




HIPAA is a major compliance issue for CIOs in Healthcare

Because of the high degree of mobility inherent in the work styles of most healthcare professionals, IT must remain aware of where critical data is being stored and what is at risk, on top of providing 24x7 productivity. One survey of healthcare and life sciences organizations found that 89% have some percentage of their employees working away from the office at least one day per week, 87% have some percentage of workers telecommuting from home at least one day per week, and more than 50% have some segment of workers telecommuting at least four days per week. To support this mobile work style, 95% of these enterprises have users relying on smartphones for work, usually in addition to laptop computers.

Regulatory compliance tops the list of concerns among healthcare and life sciences IT professionals, with 86% of healthcare IT decision-makers rating it a high or critical priority for the coming year. Immediately behind regulatory compliance is data security, with 31% of healthcare enterprises ranking it a critical priority and almost 60% ranking it a high priority.



Goals of Disaster Recovery Planning Defined

The ultimate goal of a Disaster Recovery Plan (DRP) is to get your business restarted in an acceptable timeframe. For some organizations that means within minutes, while for others it means hours or possibly days. The cost of operational downtime varies among businesses and industries. For example, financial firms often calculate that cost in millions of dollars per hour, while other industries calculate operational downtime in thousands per day. These costs include lost business transactions, employee productivity, and customers, not to mention regulatory penalties. The ability to tolerate these losses generally determines business continuity strategy.

There are two types of disasters:

  • Physical destruction of a location and data (or of access to the location and data). Examples: fire, flood, earthquake, significant power or network outage.
  • Data destruction without physical destruction. Examples: hardware failure, virus/hacker attack, software malfunction, human error.

Each of these has a different set of requirements, and your Disaster Recovery / Business Continuity Plan needs to take both into consideration.



Social networks - big worry for CIOs

Controlling communications on social networking Web sites is far more complex for corporations because they're attempting to control communications on Web sites that are outside their IT systems and that are almost continuously changing or adding to the number of applications that can be used to network.

This is one of the reasons why popular social networking sites, such as Facebook, Twitter, and LinkedIn, are causing a stir in the financial services community as well as other highly regulated industries as companies seek ways to control how the sites are used to communicate with potential clients and colleagues.

It is a bigger issue than e-mail and IM. For IM and e-mail you pretty much use standard ports and protocols, so you just have to be in the right spot in the network to capture and monitor the traffic. That is not the case for these social networks, which run on external Web sites outside the organization's control. Security is an issue.



Hackers focus on iPad

(Computerworld) Hackers are targeting iPad users with bogus update messages that dupe them into downloading malicious code onto their Windows PCs, a security researcher said today.

The messages claim that a recent update to iTunes has been released for the iPad, according to Romanian security company BitDefender. "It is very important to keep the software on your iPad updated for best performance, newer features and security," the message reads. "To get the latest version of iTunes software, please go to ... and install the application."

The link in the message leads to a copycat of the legitimate iTunes download site, where users are asked to approve the download of a file dubbed "itunessetup.exe."

The file masquerading as the iTunes update is actually a Trojan horse that injects code into Windows' "explorer.exe" process and opens a backdoor for hackers, who then use that entrance to add more malware to the PC. The "Backdoor.Bifrose.AADY" Trojan also tries to snatch activation keys from various programs on the hacked




States Attack Internet Tax Free Zone

Amazon.com filed a lawsuit on Monday to fight a demand from North Carolina's tax collectors for detailed records including names and addresses of customers and information on what was purchased.

The lawsuit says the demand violates the privacy and First Amendment rights of Amazon's customers. North Carolina's Department of Revenue had ordered the online retailer to provide full details on nearly 50 million purchases made by state residents between 2003 and 2010.

Amazon is asking a federal judge in Seattle to rule that the demand is illegal, and left open the possibility of requesting a preliminary injunction against North Carolina's tax collectors.

Because Amazon has no offices or warehouses in North Carolina, it is not required to collect the customary 5.75 percent sales tax on shipments, although tax collectors have reminded residents that what's known as a use tax applies on anything "purchased or received" through the mail.




Vendor management is a key to cost control

Vendor management is an area where costs and productivity can be improved.  What IT organizations must do is:

  • Have a consistent and uniform message
  • Know what your requirements are and what your vendor's abilities are
  • Do not get locked in on price
  • Have multiple suppliers
  • Use both small and large vendors
  • Review the relationship on an ongoing basis



Backup service providers an expanding DRP resource

Online backup and recovery service providers have emerged from different market spaces and have different product focuses and business drivers. These providers can be grouped into three categories:

  • Service providers leveraging existing core business resources to expand into adjacent markets to look for new revenue opportunities
  • Service providers concentrating on server backup in niche markets: backup and recovery only, single verticals, regional boundaries
  • Service providers whose backup and recovery service forms an integral part of a broader spectrum of information management and data protection services

The scope, strengths, and weaknesses of each type of online backup and recovery service provider are characterized with respect to the current and forward-looking requirements of companies looking to protect their server data. Such requirements range from full system (versus data only) backup and restore to comprehensive business continuity best practices and support. Understanding these strengths and weaknesses can help businesses clarify their server protection requirements and better align their selection criteria and focus with their business goals.




Security threats are on the rise and they are costly

Companies as well as individuals need well-defined security policies and procedures to combat security threats.

A recently published report estimated that breaches cost companies between $90 and $305 per lost record. This includes notifying customers, hiring contractors to fix computer systems, fines and lost business. In addition, over 95 percent of network attacks are financially motivated. This is different from two or three years ago, when the attacker may have been a college student who wanted to crash your computer. Today's threats burrow deep into computers and hide; they are a lot less visible.

Indeed, the new threats are much more sophisticated than those security experts foiled in the past. The easy things - commodity viruses, Trojans and worms - are generally stoppable by most gateway security appliances or inline intrusion prevention. But now, hackers and the organizations that fund them have upped the ante for gateway and network security.



CIOs Major Responsibilities Are Focused

CIOs have three major responsibilities in helping enterprises succeed.

  • CIOs must keep all IT systems and networks managed, optimized, and available to contribute maximum business value at minimal cost.
  • CIOs need to protect critical infrastructure against an increasingly hostile threat environment: spyware, viruses, attacks, intrusions and human-engineered security lapses.
  • CIOs must prevent exposure to penalties under legal and regulatory compliance mandates and breach disclosure laws. If IT fails in any one of these areas, the organization can go out of business or face criminal sanctions.

In meeting these responsibilities, CIOs can no longer incrementally buy a new tool to meet each new requirement that makes headlines in the technical or business media. Business drivers, security and compliance mandates converging on the enterprise require a converged response. CIOs now demand solutions that enable them to eliminate redundant technologies and processes and integrate disparate elements into a common workflow. While established enterprise software vendors have adopted the language of convergence and consolidation, their product lines remain constrained by legacy architectures and designs. Proposing radical change to their customers carries the risk of disrupting established revenue flows, not to mention the technical risks inherent in overhauling or replacing obsolete products.

Business runs at a velocity unimagined a few short years ago. Complex and highly distributed environments have grown to support an intricate web of partners, suppliers, distributors, and customers. Service oriented architectures and web-based applications have progressed from vision to real-world instantiation as enterprises look to leverage technology to innovate and deliver new services. In this new world, IT-delivered services must be available 24x7 to customers, suppliers, employees, regulators, investors and other constituencies.

The highly exposed nature of today's IT infrastructures fundamentally changes how organizations manage IT assets, processes and data. IT organizations can no longer treat resource management and maintenance as back-end functions that can be performed at times and conditions of their choosing. Neither is their work protected from outside scrutiny. Processes whose success or failures were largely internal now make the difference between business success or failure, legal compliance or litigation, prudent stewardship or ineffective execution.




Passwords that hackers can attack

Hackers attack the most commonly used passwords. Security Policies should specifically exclude these as options for users.

  • 123456
  • 12345
  • 123456789
  • Password
  • iloveyou
  • princess
  • rockyou
  • 1234567
  • 12345678
  • abc123

Everyone needs to understand what the combination of poor passwords means in today's world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second - or 1000 accounts every 17 minutes according to Imperva. 

  • The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as "brute force attacks."
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is "123456".
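A policy that excludes these passwords needs an enforcement point. The following Python checker is an added example, not code from Imperva or from the Security Manual template: it rejects the ten passwords listed above, dictionary-based passwords, runs of consecutive characters, adjacent-key keyboard walks and passwords drawn from too few character classes, and estimates how many bits a brute-force attacker must search. The 12-character minimum, the tiny word list and the US keyboard rows are assumptions for illustration; a real deployment would load a full breach-derived deny list.

```python
import math
import re

# The ten most common passwords from the list above; in practice load a full breach-derived list.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Tiny stand-in for a dictionary word list (assumption for illustration).
DICTIONARY_WORDS = {"password", "princess", "love", "monkey", "dragon", "welcome", "admin", "letmein"}

# Physical key rows used to detect walks such as qwerty or asdfgh (US layout assumed).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_sequence(pw: str, min_len: int = 4) -> bool:
    """True if pw contains min_len or more consecutive ascending or descending characters (1234, abcd, dcba)."""
    s = pw.lower()
    for i in range(len(s) - min_len + 1):
        chunk = s[i:i + min_len]
        if not chunk.isalnum():
            continue
        deltas = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def has_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if pw contains min_len adjacent keys from one keyboard row, in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            frag = row[i:i + min_len]
            if frag in s or frag[::-1] in s:
                return True
    return False


def is_dictionary_based(pw: str) -> bool:
    """True if the letters of pw, ignoring digits and symbols, form or contain a dictionary word."""
    core = re.sub(r"[^a-z]", "", pw.lower())
    if not core:
        return False
    return core in DICTIONARY_WORDS or any(w in core for w in DICTIONARY_WORDS if len(w) >= 5)


def brute_force_bits(pw: str) -> float:
    """Approximate search space in bits for a brute-force attacker who knows which character classes are used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw: str, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny list")
    if is_dictionary_based(pw):
        problems.append("based on a dictionary word")
    if has_sequence(pw):
        problems.append("contains a run of consecutive characters")
    if has_keyboard_walk(pw):
        problems.append("contains an adjacent-key keyboard walk")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password", "qwerty2010!", "Welcome2010!", "v7#Lm2!pQx9Rz$"):
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits, {check_password(candidate) or 'OK'}")
```

The deny-list lookup is the cheapest and most effective check of the five, because an attacker trying the list above gets one guess per account and needs no brute force at all; the entropy estimate only becomes meaningful once a password has survived the list and the pattern checks.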



Today's cost savings increase the cost of doing business

In these economic times, CIOs and CFOs are tempted to have their company's employees hang on to their desktop and notebook computers for a couple of years beyond the usual three-year life cycle, hoping to avoid the capital expense of replacing them. However, knowledgeable professionals have data showing that this is a false saving.

Four to five years after a laptop has been put in service it is often more trouble than it is worth. The reasons are simple: the longer a laptop or desktop is in service, the greater the chance that it will need a repair, an upgrade of an internal card, a memory upgrade, or a new OS.

After three years, hard drive failures go up dramatically, as do problems with keyboards, screens, and batteries. In addition, outdated notebooks cost an organization in lost end-user productivity, since a machine that is two generations behind current models takes longer to boot and runs sluggishly. A machine stuck on an OS the vendor no longer patches is also a security exposure, not just a productivity issue.

When CIOs and CEOs look to trim costs, care needs to be taken so that long-term productivity is not impacted. In addition, if employees feel they are not productive because of "technology", once the economy improves they will find better jobs where the technology is more current.



Security Predictions

2009 began with the biggest data breach in history. Wonder what could possibly be in store this year? The experts have spoken and have issued their security predictions for the New Year:

  • Increased funding for security budgets
  • New compliance regulations created and enforced by Congress
  • New problems with mobile security: new mobile phone worms and Trojans
  • A new key area of competition: cloud computing
  • Growth in desktop virtualization

Security Manual Template Policies and Procedures

ISO 27000 (27001 & 27002) - Sarbanes-Oxley - PCI - Patriot Act - HIPAA Compliant

This Security Manual for the Internet and Information Technology is over 240 pages in length. The template is compliant with ISO 27000 (ISO 27002 was formerly ISO 17799), Sarbanes-Oxley, the Patriot Act and HIPAA, and includes a PCI DSS audit program. All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes-Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes-Oxley.



PCI-DSS is a global requirement

Although the Payment Card Industry Data Security Standard (PCI DSS) has become a global requirement, many organizations are lagging in compliance. For many companies, regulatory compliance can already be an overwhelming and confusing area to navigate, and the need to comply with PCI DSS might feel like yet another burden. The PCI DSS compliance kit fully meets enterprise compliance requirements.

The PCI DSS security requirements apply to all "system components." A system component is defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. In practice this means that any system with a network path into the cardholder data environment is in scope until segmentation is verified, so network segmentation that isolates cardholder data is the main lever for reducing the reach of the audit.



Data deduplication impacts IT budgets

Data deduplication is not just altering what media companies use as backup targets; it dramatically affects operating efficiencies, simplifies remote office data protection, and makes disaster recovery significantly more affordable and realistic for a much greater percentage of the overall market. Its advent is not unlike other storage innovations where market leadership was not necessarily determined by a technology capability, but rather by the true achievable business benefits of the entire solution.

Storage is more than a mainframe peripheral, and as such has a profound impact on the entire IT industry and on IT budgets in particular. Vendors are now poised to make a major impact by illuminating a series of expensive problems within storage environments caused by an endless array of duplicate data sprawl. CIOs and IT professionals now realize they do not have to keep buying more and more storage capacity, as there are more efficient ways to store and manage information, especially in secondary storage environments.



ITSM is part of the necessary infrastructure cost of IT

IT Service Management and technical support of customers is still seen by many organizations as a necessary evil, one of the many costs of doing business. And while providing support does add a line to your expenses, it also creates a multitude of opportunities to cultivate relationships that maintain your customer base and even grow it.

The crux of the matter is this: technical support should no longer be perceived as a pricey "fix-it shop around back"; technical support has grown into a revenue-generating, company-strengthening powerhouse right in the heart of the organization. With the right tactics and technology, your support center can realize its full potential by becoming an essential, strategic component of your organization's success. Just as a surgeon needs the proper tools to perform operations, so too must support center representatives have the proper tools to get their jobs done efficiently and cost-effectively.



IBM Will Leave 500 Call Center Jobs in the US

IBM is taking advantage of tax rebates in Colorado and hiring 500 customer service call center workers over the next five years. The workers will be based in Boulder, outside Denver.

The 500 jobs will come between now and 2014. IBM qualified for the rebates after passing environmental and community standards. The company retrofitted 22,000 square feet of space in a 62,000 square-foot building.

Call center job salaries in the area range from $23,000 to $38,000 a year.

The executive director of the Boulder Economic Council said the expansion shows IBM's stake in staying in Boulder. "What it really indicates to us is that IBM corporate is feeling like Boulder is a key site for their operation," she said. "That says that IBM supports this site in the long run." She said the 500 jobs being created "probably aren't going to be the highest-paying jobs in the county by any means," but they will still be good jobs that come with training and stability.

IBM has taken a lot of heat in 2009 from its union and former employees after shedding an estimated 10,000 jobs. The exact number of layoffs this year is not known, as IBM does not publicly announce its restructuring or job cuts, but former employees have documented the layoffs in detail. Many workers have been forced to train employees in Asia and other countries who then replaced employees in North America.



Holiday on-line spending up due to reduced prices and sales

U.S. online holiday spending has risen 3 percent this holiday season, but shopping online slowed over the weekend after the special deals and discounts offered by retailers on Cyber Monday ended.

Cyber Monday refers to the Monday after the U.S. Thanksgiving holiday when retailers, ranging from Wal-Mart Stores Inc to Amazon.com Inc offer deep discounts or limited-time only deals on their websites to lure holiday shoppers.

Overall, Americans plan to spend an average of $1,096 on holiday gifts this season, up $207 from last year -- the largest year-on-year increase since the boom shopping season in 1999, the last time this annual survey hit the $1,000 mark.

Spending plans don't guarantee a strong shopping season; actual consumer spending can depend on the prices and products people see in the stores, the effect of marketing campaigns and economic conditions as they develop. But robust spending plans are surely a good sign.

The National Retail Federation raised its holiday shopping forecast, projecting 6 percent growth in sales over last year, up from its September forecast of a 5 percent increase. NRF said this was its first-ever mid-season adjustment in a holiday sales forecast; it cited strong retail sales in October and falling gasoline prices.

For the first 36 days of the November-December holiday season, online holiday spending reached nearly $16 billion,  up 3 percent from a year ago. For the week ending December 6,  online holiday spending rose 3 percent to $4.6 billion.
