Disaster Planning Knowledge Base

Disaster Recovery Planning and Business Continuity Planning

It is essential to have a proper backup strategy in place in case something goes wrong. Below are articles and links to tools that can help you in the Disaster Recovery and Business Continuity Planning and execution process. This knowledge base has been developed by Janco Associates, Inc.


Disaster Recovery Plan Template

April 29th, 2012

Disaster Planning

An information technology (IT) disaster recovery (DR) plan provides a structured approach for responding to unplanned incidents that threaten an IT infrastructure, which includes hardware, software, networks, processes and people.


Protecting your firm's investment in its technology infrastructure, and protecting your firm's ability to conduct business, are the key reasons for implementing an IT disaster recovery plan. Janco Associates' IT disaster recovery template will help facilitate the initiation and completion of an IT DR plan.


EU adds mandated security requirements

April 7th, 2012

Expanding Your Business Overseas: The Privacy Challenge

The Internet gives even the smallest of online businesses the opportunity to acquire customers around the world. However, European Union (EU) regulations could pose a problem if you have a US-based business with customers in the EU, because EU and US data protection and privacy regulations differ widely.

The security audit program is defined so an enterprise can identify deficiencies in existing policies, procedures and practices: the gaps between mandated security standards and what the organization is actually doing.


Should CIOs be innovators?

April 2nd, 2012

Remaining technologically creative over time isn't only a matter of smarts, talent or intuition. Successful CIOs say that they rely on structured approaches and strategies to stay on top of technology and market trends. They reason their way through the hype and come up with effective solutions to the most pressing problems currently facing both industry and government.

Being innovative for innovation’s sake is just as potentially adverse as deploying technology for technology's sake.

CIOs should not be in the business of sending people into labs to invent things just in case somebody needs them. The innovation that we do is in the context of a customer problem, so CIOs should focus on getting invited by their customers to help solve their hardest problems.

At the same time, the role of the CIO and CTO is changing as more enterprises move towards a "Value Added" role for the Information Technology function. Those changes are depicted in the detailed job descriptions that have been created for all of the functions within IT, especially for the CIO and CTO. The table below depicts several of those changes.

CIO CTO Role

The job descriptions created by Janco's executive consultants took these changes in role into consideration when the job descriptions for the CIO and CTO were updated. The Chief Information Officer and Chief Technology Officer job descriptions are both over 4 pages in length.


Disaster Recovery Business Continuity for Remote Offices

March 11th, 2012

Data residing outside the data center at remote and branch offices (ROBOs) accounts for a significant portion of an enterprise's information store, yet it is often either protected with inefficient backup processes or not protected at all, leaving companies at risk on many fronts.

In a recent research report, high-priority projects for ROBOs included improving information security measures; ensuring compliance with government, industry or corporate governance mandates; and improving Disaster Recovery Business Continuity processes.


Having a records management policy is a mandate that all organizations need to comply with

March 1st, 2012

Backing up, retaining, and safeguarding business records and all electronic data, including email, financial records, medical information, and other electronic documents, are essential steps and mandated requirements for organizations. However, many organizations still need to implement an electronic data retention policy or refine an existing one.

Janco's Record Management, Retention, and Destruction Policy helps organizations of all sizes to implement a policy and set of practices which ensure business records and all electronic data are properly safeguarded in compliance with federal, state, local, and industry laws, rules, and regulations.



Mobile Data is on the rise

February 24th, 2012

The number of connected mobile devices is expected to exceed the number of people on Earth by 2016 (10 billion devices to 7.3 billion people). Additionally, mobile cloud traffic, which currently accounts for 45 percent of mobile data traffic, is expected to grow 28-fold by 2016, accounting for a 71 percent share of traffic.

With increases in streaming content, growing connections from mobile devices and machine-to-machine (M2M) modules, and powerful mobile devices leading the way, Cisco Systems reports that worldwide mobile data traffic is expected to increase eighteenfold over the next five years, reaching an annual run rate of 130 exabytes by 2016.

Records Management, Retention, and Destruction Policy: a detailed policy and standard for record management which includes a full job description for a Manager of Records Administration and 12 forms that can be used immediately to create a record retention and destruction schedule. Includes Best Practices for Record Management.


Core questions that a backup strategy for sensitive data must address

February 15th, 2012

Core issues that a backup and recovery strategy has to address are:

  • Is our sensitive data safe when it is in transit and at rest?
  • What prevents hackers from gaining access to our sensitive data?
  • Is our sensitive data properly stored and deleted?
  • Who can access our sensitive data?
  • What are our SLAs and benchmark measurements for our sensitive data?
  • Is our data backup strategy compliant with all mandated requirements?


Backups of data are a key element of business continuity

February 11th, 2012

Backup and recovery issues that CIOs need to address include:

  • Required backups cannot be completed (full or incremental) during their allotted backup windows
  • Streaming backup for key applications requires more network and processor power, and more time, than is typically available
  • Server virtualization projects and cloud initiatives cannot be fully implemented or started with legacy protection models
  • Non-critical data is not systematically protected
  • Managing backup activities is overly difficult because of a myriad of point products that have been cobbled together over time
  • Recovery is slow and is not a sure thing
  • The full vision of tiered storage has not been realized


FBI wants to be 1984's big brother

January 28th, 2012

The FBI is in the early stages of designing a complex system for monitoring tweets, Facebook status updates, Google+ posts, and the like in real time, all in the name of identifying and heading off potential security threats. The FBI is in the process of soliciting information from companies as to the feasibility and cost of building an open source geospatial social media alert, mapping, and analysis Web application portal built on mash-up technology.

The application would have the ability to rapidly assemble critical open source information and intelligence that would allow the FBI to quickly vet, identify, and geolocate breaking events, incidents, and emerging threats, according to the FBI's RFI (request for information).

The FBI is looking to harvest feeds from Twitter, Facebook, and the like because "social media has become a primary source of intelligence because it has become the premier first response to key events and the primal alert to possible developing situations," according to the RFI. "It has emerged to be the first instance of communication about a crisis, trumping traditional first responders that included police, firefighters, EMT, and journalists."



Security breaches that can be easily prevented

January 11th, 2012

Many IT security departments invest countless hours and dollars into defending their company's data from infiltration by malicious outsiders, only to hand over a laptop containing highly sensitive information to a third-party data recovery outfit that ends up selling the laptop drive's contents for cash.

In a recent study, of the 87 percent who said their organization suffered a data breach in the past two years, 21 percent said the breach occurred when a drive was in the possession of a third-party data recovery service provider.

The IT Security Manual Template provides all the essential sections of a complete security manual and walks you through the creation of each step. Detailed language addressing more than a dozen security topics is included in a 230 plus page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements.



2012 Salary Survey shows pay is flat

January 7th, 2012

Overall IT compensation has remained flat for the last 12 months. The total mean compensation for all IT professionals has increased modestly by 0.81% to $78,229 from $77,604 at the beginning of 2011. This puts overall compensation back at the level it was at in January 2008.

IT Salary Survey 2012



Unlimited Internet Access With Social Networks Puts Companies at Risk

November 11th, 2011

Twitter, Facebook, and YouTube cause many CIOs concern. Look at Domino's Pizza, where two employees in North Carolina faced felony charges after a video showed them passing gas on salami and stuffing cheese up their nostrils, then using the foul fixins' in the fast food.

When enterprises allow their employees uncontrolled free access to the web, they run a serious risk that there will be misuse of the web. Web misuse has serious implications for your enterprise and its employees. The implications are:

  • Reputation risk - Social networking can create opportunities for employees to leak confidential information or spread damaging rumors online. Bad behavior by a single employee can reflect on the reputation of the whole organization.
  • Reduced productivity - If employees spend their time on social networking sites such as Twitter, they are not spending it doing their job.
  • Data leakage - Confidential and sensitive information could be transmitted to unauthorized individuals and competitors. In addition, data that is covered by mandated privacy and security requirements (HIPAA and PCI-DSS) could be exposed.
  • Security problems - Malware hides on websites and can install itself as users browse infected pages. One company reports that the number of new, malicious websites it blocked each day nearly doubled (91 percent) in just one month.
  • Legal risks - When users download inappropriate material to their computers, other employees may take serious
  • Wasted bandwidth - Internet connections cost money. If half of an enterprise's bandwidth is taken up with non-work-related traffic, the enterprise could be paying more than it needs to, and enterprise-critical communications could be running at half their speed capacity.
  • Unlicensed software - When users download and install software from the internet, they create a legal risk. If an organization uses unlicensed copies of software, it may face a civil suit and company directors risk criminal penalties.



Mobile device strategy and policy

November 5th, 2011

Nearly 60% of all corporate employees share, access and manage content outside the office, with their iPhone, iPad, Blackberry, Android and more. Indications are that number's only going to increase.

This makes sense: mobile content management increases user productivity, ramps up customer engagement, enhances customer service, maximizes collaboration and drives more effective business decision-making. What does all this user mobility mean for IT? Simply this: a modern mobile strategy is no longer a "nice-to-have"; it's an absolute business necessity.


Social media poses risks for most businesses

October 27th, 2011

Social media poses significant risks to businesses of all sizes, according to a survey by the Federation of European Risk Management Associations (FERMA) in cooperation with the Institute of Risk Management (IRM).

Risk professionals from both organizations were asked which three cyber risks they thought were the greatest threats to business in general and to their own organizations. A total of 186 replied to the online survey.

For business in general, reputation risk from social media was cited as a material risk by nearly 50 percent of respondents and loss of confidential information through social media by 20 percent. These concerns ranked social media along with non-malicious operational IT risks, theft of customer information and malicious interference with IT systems as the greatest cyber threats to business in the eyes of the risk professionals.

The emphasis shifted somewhat when it came to respondents' own organizations. More than half put operational, non-malicious IT risks among the top three, followed by 43 percent who mentioned theft of customer information. However, social media risks were next, with 42 percent including them among the biggest exposures to their own organization and 21 percent concerned about loss of confidential information through social media.

In response to additional questions to FERMA members, one-third of 36 responses said they had already been concerned by a denigration attack. One-quarter of the 98 responses said their company had suffered an attack on confidential information.



Disaster Plan & Business Continuity Infrastructure

October 16th, 2011

The key technology elements of a Disaster Recovery Plan and Business Continuity Plan (DRP/BCP) infrastructure are the primary data center, a remote site that duplicates the resources in that primary location, and the method used to get files (master and transaction) between the two sites, such as high-bandwidth network connections. The best DRP/BCP strategies follow a "redundant everything" philosophy throughout the data center. Multiple mainframes and servers should run in the production and backup data facilities. Then, if a component in the production system encounters problems, it immediately fails over to the local backup as a first line of defense.

Power supplies and communication links are among the most critical components in a DRP/BCP strategy.


Being prepared for e-discovery

October 10th, 2011

Being prepared to respond responsibly and efficiently to an e-discovery request goes beyond just preserving evidence; it begins with good information management. To borrow a mantra from a popular Wall Street investor: "Know what you own." Just as investors should know their portfolios in detail, organizations need to know what information they own, including all electronic data. They need to know where data is stored, who has access to and control of it, its value, and, if there is no value, why it is being kept. They also need to determine its retention schedule. A data map and management policy that clearly defines all of these attributes and establishes a foundation for ongoing governance is paramount to being prepared for an e-discovery request.

Companies with no information management programs, or programs that do not sufficiently address the full life cycle of electronic data, end up creating mountains of legacy data and media. Most of this data has no real business value, is free from any statutory or regulatory retention requirements, and is not subject to any legal preservation obligations.


Data loss is an everyday occurrence

October 1st, 2011

A recent survey has found that almost 90 percent of businesses experienced data loss in the last year.

As a result of this threat, investment in data protection and recovery continues to rise, with 94 percent of businesses maintaining expenditure on it and 35 percent increasing budgets for it from 2010 to 2011.

The independent survey 'Insights: Data Protection and the Cloud 2011' also reveals that 41 percent of organizations expect cloud computing to play an increasingly important role in their business continuity plans over the next year.

Of the businesses surveyed, 39 percent have data that resides in the private cloud and 21 percent in the public cloud. Encouragingly, these companies displayed high levels of confidence in the safety of this data. A significant 68 percent of those using private cloud trust that their data and applications are properly protected in the event of a disaster whilst 78 percent of those using public cloud are confident in the data protection SLAs agreed with their provider.


88 percent of respondents suffered application and data loss incidents in the last year. These were due to a wide variety of causes. Nearly two thirds (63 percent) of companies had experienced an IT systems failure (e.g. network, storage, software failure), the most common cause of data loss. Other recurrent causes included employee or human error (40 percent of companies) and external attacks on IT (36 percent).

Although there was a high frequency of data loss across the UK, few businesses have adequate disaster recovery systems in place. Just over a third (34 percent) reported having full and comprehensive disaster recovery plans to protect their data in the event of such an incident. The primary reason given for this lack of DR planning was inadequate training of IT personnel in risk and DR planning (42 percent). Lack of budget was also a significant factor (40 percent).



Recovering from disaster

September 16th, 2011

Much of the discussion of business continuity has been focused on "silver bullets" in an effort to prevent disasters from occurring in the first place. Truth be told, this is only one of the two goals of continuity planning: to prevent avoidable interruptions. To be successful, planners must also confront the second, and much greater, challenge of what to do about the interruption events that cannot be prevented: the familiar realm of traditional disaster recovery planning.

In disaster recovery, three jobs need to be accomplished quickly:

  • The data associated with critical applications needs to be recovered and placed into a usable form: no small feat given the massive amounts of data involved (though much of it is non-essential to recovery).
  • The applications serving critical business functions must be re-hosted on platforms that are adequate to support a comparable (though not always identical) workload to what is experienced in normal production environments.
  • Users, suppliers and customers need to be reconnected to the newly instantiated application platform so that work can continue.


Sharing data with partners, vendors and customers is risky

September 12th, 2011

Just how risky is it to share data with your partners? One hospital recently found out. They discovered last month that a contractor had posted a database containing medical records of 20,000 patients to a public homework assistance website in search of help on how to create bar graphs.

HIPAA Data Breach

Unfortunately, this kind of breach is becoming all too common as information is shared between partners, customers and contractors to reduce costs and improve services. The idea of protected information staying within the network perimeter is effectively dead.

A data privacy breach at the hospital resulted in medical records for 20,000 emergency room patients being posted on a public website for nearly a year. The records included names, diagnosis codes, account numbers, dates of admission and discharge, and billing charges. Social Security numbers, birth dates, credit card accounts and other information that could potentially result in identity theft were not exposed. Even so, the hospital is offering free identity-protection services to all affected patients.

The spreadsheet originated at one of the hospital's vendors, a billing contractor called Multi-Specialty Collection Services. The spreadsheet appeared on a website called Student of Fortune, where students pay for assistance with schoolwork. The spreadsheet was part of a question on how to convert the data into a bar graph. Student of Fortune removed the post with the spreadsheet immediately after being contacted by the hospital last month.


Simple Disaster Planning Activities

September 5th, 2011

Creating a disaster recovery plan is a complex task; however, there are a number of basic steps that you can follow to start the process:

  • Prepare your systems, processes, and people for an organized response to disaster when it strikes.
  • Identify critical IT systems and develop a long-range strategy.
  • Select and train your disaster recovery team.
  • Conduct a Business Impact Analysis.
  • Determine risks to your business from natural or human-made causes.
  • Get management support.
  • Create appropriate plan documents.
  • Test your plan.


Denial of Service Attacks Defined

August 30th, 2011

A denial-of-service (DoS) attack occurs when traffic is sent from one host to another computer with the intent of disrupting an online application or service. A distributed denial-of-service (DDoS) attack occurs when multiple hosts (such as compromised PCs) are leveraged to carry out and amplify an attack. Attackers usually create the denial-of-service condition either by consuming server bandwidth or by impairing the server itself. Typical targets include Web servers, DNS servers, application servers, routers, firewalls, and Internet bandwidth.


How Reliable is Your Disaster Recovery Plan?

August 8th, 2011

Minimize downtime, lower costs and reduce risk: those are the three goals your disaster recovery plan must meet. But, as the need for "always on" capability and business continuity has increased, so have the complexity and labor intensity of maintaining a reliable disaster recovery plan. The Disaster Recovery Business Continuity Template provides the roadmap you need to address these challenges and help your enterprise meet the key goals of a viable disaster recovery plan.

Disaster Types

Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events, whether those events are a hurricane or simply a power outage caused by a backhoe in the parking lot.


Future IT staffing requirements

July 28th, 2011

Technology, economic and cultural issues are coming together and are forcing IT organizational change. Rather than simply letting that happen to the IT department, CIOs and IT managers would be well advised to be the ones seen as driving those changes.

Jason Hiner, a writer at TechRepublic, states that because most workers have used technology for at least a decade and often want to select and set up their own technology, most companies don't need that much in the way of IT staff. His forecast is that three jobs will be in high demand in the future:

  • Consultants: Companies increasingly are farming out traditional IT administration and support functions to outsourcers and third-party consultants. Predictions are that more IT staff will be working instead for the service providers.
  • Project managers: IT staff will be working in the business units rather than in a centralized IT department.
  • Developers: Someone has to program.


Roles in Developing a Disaster Recovery Plan

July 12th, 2011

The disaster recovery policy must be reviewed at least annually to assure its relevance. Just as in the development of such a policy, a planning team that consists of upper management and personnel from information security, information technology, human resources, or other operations should be assembled to review the disaster policy. Roles and responsibilities of the planning team should be as follows:

  • Perform an initial risk assessment to determine current information systems vulnerabilities.
  • Perform an initial business impact analysis to document and understand the interdependencies among business processes and determine how the business would be affected by an information systems outage.
  • Take an inventory of information systems assets such as computer hardware, software, applications, and data.
  • Identify single points of failure within the information systems infrastructure.
  • Identify critical applications, systems, and data.
  • Prioritize key business functions.

The Disaster Recovery Plan Template has tools that can be used immediately, defines in detail all of these responsibilities, and provides a work plan that can be used as is.


Many users use common unlock codes for iPhones

July 9th, 2011

The 10 most common passcodes used by iPhone users accounted for 15 percent of all the passwords analyzed. The most common values were: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998.

"1234" was the most commonly used and the second most common code was "0000". People choosing "1234," "0000" and "1111" as their passcode are doing the equivalent of locking up their cars with a piece of thin string. "0852" and "2580" aren't much better, as the code is just going up and down the keypad.


Malware attacks on the rise

June 30th, 2011

Recent headlines concerning attacks on Sony, Citibank and Amazon highlight the growth of criminal malware worldwide. No longer the work of individual hackers out to make mischief, these botnet malware attacks are launched by crime syndicates intent on financial gain. And while studies from numerous experts paint a bleak picture (most say you will be infected), there are critical steps you can take to protect your organization.

Security policies and procedures are a must to help set up the first line of defense.


Disaster Recovery Planning International Standard Set by Janco

June 18th, 2011

Disaster Recovery Business Continuity Template Now Accepted as the International Standard

An update to the Disaster Recovery Business Continuity Template has just been released by Janco Associates.

Park City, UT - The Disaster Recovery Business Continuity Planning template has been sold to enterprises in over 65 countries around the globe. With the release of the latest version of the template, it is in complete compliance with Sarbanes-Oxley, HIPAA, ITIL (Ver 3), ISO 27031, and PCI DSS.

M V Janulaitis, the CEO of Janco, said, "Our DRP/BCP Template has been accepted by enterprises around the globe as the standard for disaster recovery plan and business continuity plan creation." In response to that need, Janco has updated its "Disaster Recovery / Business Continuity Template" by increasing the content of the template as well as updating the entire document to be compliant with Sarbanes-Oxley, HIPAA, ITIL (Ver. 3), ISO 17799, and PCI DSS.

The Disaster Recovery Business Continuity Plan has been purchased for use in over 65 countries around the globe including:

  • Angola
  • Australia
  • Austria
  • Bahamas
  • Barbados
  • Belgium
  • Belize
  • Bermuda
  • Brazil
  • Bulgaria
  • Canada
  • Cayman Islands
  • Colombia
  • Croatia
  • Czech Republic
  • Denmark
  • Egypt
  • Finland
  • France
  • Germany
  • Greece
  • Honduras
  • Hungary
  • Iceland
  • India
  • Indonesia
  • Israel
  • Italy
  • Jamaica
  • Japan
  • Jordan
  • Kenya
  • Lebanon
  • Lithuania
  • Macao
  • Malta
  • Mexico
  • Mozambique
  • Namibia
  • Netherlands
  • New Zealand
  • Nigeria
  • Norway
  • Panama
  • Philippines
  • Poland
  • Portugal
  • Puerto Rico
  • Qatar
  • Republic of Ireland
  • Romania
  • Russia
  • Saudi Arabia
  • Singapore
  • South Africa
  • South Korea
  • Spain
  • Sri Lanka
  • Swaziland
  • Switzerland
  • Taiwan
  • Thailand
  • Trinidad & Tobago
  • Uganda
  • United Kingdom
  • United States
  • Venezuela
  • Zambia

The Disaster Recovery Business Continuity Plan has been purchased for use in government, public, and private enterprises in almost all industries including:

  • Federal Government
  • State Governments
  • Local Governments
  • Law Firms
  • Think Tanks
  • Chemical
  • Telecommunication
  • Real Estate
  • Manufacturing
  • Universities
  • School Districts
  • Consulting Firms
  • Banks
  • Financial Service
  • Investment Banks
  • Credit Unions
  • Outsourcers
  • Property Mgt
  • Heavy Industry
  • Light Industry
  • Distribution
  • Retail
  • Hospitality
  • Energy
  • Insurance
  • Medical
  • ISPs
  • Application Development
  • Construction
  • Graphics
  • Entertainment
  • Paper Products
  • Defense
  • Aerospace
  • Media


Security best practices

June 4th, 2011

Best security practices that IT professionals should implement include:

  • Have a plan in place for what data to save - Define "personal information" as it applies to your organization, taking into account all the types of personal information that fall under your applicable legal requirements for information protection. Establish an inventory, and make sure to maintain it.
  • Have policies and procedures in place for your employees' data retention and access - Especially for mobile technology, social media and emerging technologies, identify who collects, processes, stores or accesses personal information. Determine who is, or should be, responsible for these activities.
  • Document where valuable data is kept - Identify storage locations, including mobile endpoints. Also include third parties you trust to store information.
  • Know what to collect, and what to keep and not to keep - Create policies to limit what you and your marketing teams collect. Are you really using what you have? If not, do not collect it. Follow data retention requirements. Incorporate this into your inventory information, or use a completely separate system to manage it. Be sure to dispose of data securely and irreversibly.
  • Limit access - Restrict access to only those who have a business need to access the information for business purposes. Don't give access beyond the purposes for which you collected the information.
  • Put in place appropriate safeguards - Do a risk assessment, and then implement effective safeguards to appropriately mitigate the risks, following your policies and procedures. Be sure you communicate information about how to do this through regular training and ongoing awareness communications.


Can SmartPhones cause cancer

May 31st, 2011

For years, consumer advocates and scientists have questioned the safety of cell phones. Scientists know that humans absorb radiation from cell phones, but whether that radiation causes health risks, such as cancer, is unclear.

Why is it still unclear? There's plenty of research, but it is often contradictory: sometimes based on outdated data, sometimes driven by industry groups soft-pedaling concerns, sometimes driven by health advocates who appear too alarmist and unreasonable. About the only thing researchers agree on is that they need to do more research.

What's more, a close look at the research used to set federal safety standards indicates that the standards themselves may be outdated at best and could be meaningless at worst. Some countries, like Finland and France, are concerned enough to issue public warnings, especially when it comes to allowing children to use cell phones. And some local and state governments in the U.S., such as San Francisco and the state of Maine, have tried to create their own warning labels for cell phone use despite the lack of consensus.

- more info


Tablets and mobile devices take hold

May 29th, 2011

CIOs who figured (or hoped) that this whole tablet "fad" wouldn't gain traction in the corporate world are in for a surprise: 41 percent of today's mobile workforce is equipped with a tablet, and by year's end, that figure could reach 75 percent, according to survey results released today by iPass. And no, employees aren't just using their slick portable machines to play Angry Birds; 87 percent of workers with tablets said they use the machines for actual job purposes.

This leaves IT departments with two choices: They can stick their heads in the sand and ignore tablets, thus risking security breaches, employee ire, and lost opportunities, or they can accept this next wave of mobile computing and adapt policies and practices accordingly.

- more info


Internet is a risky place to put your trust

May 19th, 2011

Any organization, regardless of its size or the industry that it serves, is vulnerable to a growing variety of sophisticated Web exploits. While many of these can enter an organization through the growing number of Web 2.0 applications that are in use, exploits can be introduced into a corporate network by doing nothing more than surfing the Web. Consider the following:

  • One source estimates that a large organization of 40,000 computer users will view 48 million Web pages on a typical day and 0.17%, or 83,000, of those pages will be infected with malware, an average of more than two infected Web pages per user each day.
  • An Osterman Research survey conducted in 2009 found that 55% of mid-sized and large organizations had been infiltrated by a Web exploit during the previous 12 months; a year earlier, that figure was only 39%.
  • Smaller organizations are particularly vulnerable to Web exploits because they often lack the IT staff and technical expertise necessary to detect and remediate these threats before they can do real damage. Examples of organizations that have been impacted include an auto parts supplier in Georgia that lost $75,000 to a banking Trojan and a county government in Kentucky that lost more than $400,000 to a similar exploit.
  • Webroot has found that 85% of malware is distributed through the Web; Blue Coat has pegged the figure at 65%.
  • The Anti-Phishing Working Group (APWG) received a record 40,621 phishing reports and detected 56,362 unique phishing sites in August 2009. The third quarter of 2009 saw more than 340 brands attacked; the previous high was 310 brands.
- more info


Cloud security an issue for CIOs

May 14th, 2011

Cloud-hosted application delivery models have many compelling advantages when compared with hosting applications in house. These include faster time to value, lower total cost of ownership and the ability to efficiently and cost-effectively address fluctuating levels of application demand. Still, the pace of enterprise adoption for both software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) solutions has been slowed by the challenges of having to create, use and manage yet another set of identities for each new service-based offering.

Cloud Outsourcing, Disaster Recovery, and Security Bundle

The bundle includes in editable Microsoft WORD and PDF formats:

  • Practical Guide for Cloud Outsourcing includes job descriptions for Manager Cloud Applications and Cloud Computing Architect, a sample contract, a service level agreement, an ISO 27001 - 27002 - 27031 security audit checklist, a Business and IT Impact Questionnaire and much more.

  • Disaster Recovery Plan (DRP) can be used in whole or in part to establish defined responsibilities, actions and procedures to recover the computer, communication and network environment in the event of an unexpected and unscheduled interruption. The template is ISO 27000 (27031) Series, COBIT, Sarbanes-Oxley, PCI-DSS, and HIPAA compliant.

  • Security Manual Template (ISO, COBIT, SOX, HIPAA compliant) includes the Business Impact Questionnaire and a Threat and Vulnerability Assessment Form (PDF and Excel). It is a complete Security Manual and can be used in whole or in part to comply with Sarbanes-Oxley, and to define responsibilities, actions and procedures to manage the security of your computer, communication, Internet and network environment.


Implementing a cost-effective cloud infrastructure that aligns with your organization's business strategy is essential to ensuring the success of the Information Technology function. For many IT professionals, the amount of time it takes to develop and implement such an infrastructure, and the unknown process required to complete it, make infrastructure design and implementation a daunting task. The Cloud Outsourcing Template draws on the experiences of some of the best IT and business operations executives in the industry to provide you with the right shortcuts.

- more info


Discrimination in IT

May 4th, 2011

In order to avoid age discrimination, older IT workers have confessed to dyeing their gray hair (it's not just women who do this) and leaving the dates they graduated from college off of their resumes, along with work experiences that date back to the 80s. When they speak about the effect of their age on their IT careers, an air of powerlessness overcomes these otherwise assertive IT professionals. They don't think there's any way to fight age discrimination.


In fact, IT workers who believe they're being or have been discriminated against - whether on the basis of their age, sex, race, national origin, religion or disability - can file a discrimination charge with the U.S. Equal Employment Opportunity Commission (EEOC), the federal agency responsible for enforcing anti-discrimination laws. 

In 2010, the EEOC processed nearly 100,000 discrimination and retaliation charges, filed 271 lawsuits on behalf of victims, resolved 315 suits from previous years in federal district courts, and won $85.1 million in benefits for victims of discrimination, according to EEOC data.

- more info


Cloud skill set for IT Pros

April 28th, 2011

As companies move more of their software to the cloud, there are some indispensable skills IT pros need to hone or acquire, and they're not technical skills.

They'll need to be better business problem solvers, like Salesforce.com specialists who sit with marketing teams and cook up new ways to use that software to help them. They'll need to be big picture thinkers, like someone who anticipates how executives might make better use of an iPhone, rather than someone who just knows how to get corporate email onto the device. And they'll need to be first-rate program managers, people who can drive projects to the finish, not just take orders and knock out the technical piece of it.

- more info


Security threats abound

April 6th, 2011

A network engineer fired by fashion house Gucci has been charged with going on an IT rampage against his former employer in which he deleted data, shut down servers and left the company nursing an estimated $200,000 cleanup bill.

Data breaches are a fact of life with the advance of Wi-Fi, 3G, and remote computing as it is done in today's flexible business environment.

Data breaches and network intrusions occur because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches do not expose such sensitive information; however, they still expose individuals to identity theft and businesses to a compromise of their electronic assets, which must be disclosed under Sarbanes-Oxley and various state laws.

- more info


Infrastructure lacking in many SMBs

March 25th, 2011

Small and mid-sized businesses (SMBs), often defined as businesses with up to a thousand employees, are now seeking to achieve the same disaster recovery and business continuity planning advantages of server virtualization as large enterprises. But there are significant challenges in planning, implementing, and managing a virtualized IT infrastructure with a smaller and less specialized IT staff.


SMB IT staff members tend to be generalists who are able to perform multiple roles in the IT structure. This is driven by the small numbers of IT staff members at the SMB; it is simply not possible for smaller organizations to employ the same number of IT staff as large enterprises. Even in organizations with a few hundred employees, there are only a handful of IT staff members who must handle everything from the help desk to network and server implementation and operations.

Therefore, SMBs tend to have a reactive approach to IT operations, which leads to challenges when implementing and maintaining virtualized servers:

  • Lack of planning - IT staff at SMBs tend to be highly competent at identifying and resolving technical issues, but lack the resources to plan extensively for them; they often implement new technologies without extensive planning or consideration of worst-case scenarios.
  • Inability to implement specialized solutions - In addition, they may lack the specialized training and expertise needed to implement sophisticated solutions in any particular area of virtualization. For example, backup and recovery are significantly different in a virtualized application environment. Most generalist IT staff members would have to spend a significant amount of time to learn the best practices and available technologies - time they simply do not have.
  • Lack of standardized, documented processes - IT staff at SMBs also frequently lack the resources and expertise to define and document their IT processes; instead, they often have a "just keep the lights on" philosophy that precludes taking the time to employ standardized IT processes, collect data on the effectiveness of those processes, and so on.
  • Focus on Windows environments - Many SMBs employ primarily a Windows environment, especially for their internal applications and virtual machines. Experience with Windows Server and other Windows-oriented technologies is valuable and easily transferable, but is based on a specific type of systems management approach that does not apply to all virtual operations.

- more info


Cybersecurity Spending Up

February 15th, 2011

The White House is proposing a big increase in cybersecurity research and development in next year's budget to improve, in part, its ability to reduce the risk of insider threats, and to ensure the safety of control systems such as those used at power plants.

Overall, the budget seeks $66.1 billion for basic and applied research across all areas, an 11.6% increase. "The aim of that is to develop the solutions - the innovative solutions to the many challenges we face," John Holdren, Obama's top science advisor, said at the budget briefing.


Other cybersecurity initiatives that are funded in this spending plan include new research programs at the National Science Foundation (NSF), as well as research on a trusted identity system. Day-to-day spending on cybersecurity by federal agencies is not part of this research budget.

The cybersecurity research spending is part of an overall research and development budget proposal for next year that includes across-the-board increases for a range of research efforts, including robotics, climate change, and funding to expand the supply and capabilities of science, technology, engineering, and math teachers.

- more info


Cloud Is Not The End All Solution For Backup

February 12th, 2011

An enterprise cloud storage provider has published the results of a cloud storage and data protection survey of more than 230 IT professionals. The survey covered various industries, with the top five being government, education, software and technology, financial services, and manufacturing.

The most cited benefits of the cloud were lower costs and dynamic growth, at 49 percent each. Applications most often planned for the cloud included backup (44 percent of respondents) and online archive (38 percent).

As expected, security and privacy were mentioned as a barrier to cloud storage adoption by 60 percent of the IT pros, up from the 47 percent reported previously. The most cited data protection issue was recovery time, with 58 percent of the respondents citing this problem. 65 percent of the respondents were not able to consistently achieve their own recovery time objective.

- more info


EU to define CIO best practices

January 29th, 2011

Questionnaires will be sent out to CIOs around Europe as research funded by the European Commission seeks to set out guidelines for IT best practice.


The Innovation Value Institute (IVI) at Maynooth University in Ireland was awarded €300,000 last month to conduct the project, which aims to strengthen and professionalize the role of CIOs (chief information officers) and IT professionals in European business, public sector and academic organizations.

The European Union is expected to spend more than €600 billion on IT in 2011, but according to some reports, there will be a 13% shortage of people with the appropriate skills in the workforce by 2015. As part of its research, IVI will seek to establish a European training program for IT managers.

- more info


CAN-SPAM goes international

January 24th, 2011

Laws in many jurisdictions regulate unsubscribe behavior, including the U.S. CAN-SPAM Act and the brand-new Canadian Fighting Internet and Wireless Spam Act (C-28). Huge fines are possible, so it's important for IT people to keep a close eye on what their marketing friends are up to, and to ensure that any systems they're providing them work correctly.

- more info