Chief Information Officer and IT Managers Areas of Interest
Disaster Recovery Planning, Job Descriptions, Salary Survey, Business Continuity, ITSM, SOA, Compliance, SOX, and HIPAA
The Positive Support Review, Inc (PSRinc.com) News feed is an XML news feed that you can subscribe to and re-publish on your web site or blog. The only requirement that you need to meet is that the feed is included with no modifications and that the links within the feed are retained as is.
If you wish to subscribe to this news feed the options that you have are:
- Chief Information Officer News Feed - 25 items
- Chief Information Officer Historical News Feed - 40 items
Disaster Recovery Plan First Steps
April 29th, 2012
Companies of all sizes have realized how critical it is to have a DR plan in place, and many have given top priority to developing one. But organizations need to know that developing a DR plan is not an overnight process but rather something that takes thorough consideration and numerous steps.
Janco's Disaster Recovery - Business Continuity Template can help get you on the right track with creating a disaster recovery plan, as it already has for over 3,000 enterprises of all sizes around the globe.
- more info
Lay offs continue to plague IT
April 9th, 2012
Information Technology continues to take major layoff hits. Last week it was JC Penney; this week it is Yahoo. Yahoo revealed that it is laying off about 2,000 people, amounting to 14 percent of its 13,100-person employee base, who are no longer considered relevant in Yahoo's long-term plan.
Sources close to Yahoo believe this won't be the full extent of the staffing cuts the company will announce this year. That, of course, remains to be seen.
Yahoo estimated that the April 4 layoffs will result in $125 million to $145 million in charges and will save the company in the neighborhood of $375 million annually.
- more info
BYOD and mobile workforce are here to stay
April 4th, 2012
A modern BYOD and mobile strategy includes:
- Supportability: IT departments are rolling out an ever-expanding variety of company-specific mobile applications
- Security: Remote device management coupled with auto logout and locking
- Visibility: Insight into how content is managed and accessed in the organization, featuring centralized security, password/permission management and comprehensive auditing and reporting
BYOD and mobile workers are a reality: nearly 50% of all firms say they're focused on supporting more mobile applications for employees whose office is, increasingly, wherever they are.
- more info
BYODs will be drivers in the move towards private clouds
April 2nd, 2012
Mobile devices, especially BYODs, will soon be driving the shift towards cloud computing.
It's smart for CIOs to push the use of private clouds for security, management and other aspects of mobile applications. But getting there will require planning and investment by IT.
Some have already moved in this direction. In a survey of 3,645 IT decision-makers in eight countries, a third of the respondents said that providing information access to multiple devices was their top reason for implementing cloud computing. The survey said that cutting costs was the third most popular reason for implementing cloud, with only 17% of respondents choosing that option.
- more info
iPad3 will drive need for BYOD policy implementation
March 15th, 2012
As Apple prepares to further redefine personal and business computing with the introduction of the next iPad, a recently released survey of 120 CIOs found that many of them expect the iPad and other mobile devices to directly impact their LANs. Regardless of whether companies have official BYOD policies, mobile device proliferation signifies the potential for a dramatic rise in LAN traffic.
- 40 percent say that employees use mobile devices to access their LANs regardless of an official Bring-Your-Own-Device (BYOD) policy
- 30 percent expect traffic on their networks to increase as a direct result of the iPad 3
- 65 percent have invested in campus LANs since 2009 to address tablet and smartphone usage
- 62 percent are replacing all or part of their network to handle an increase in traffic through mobile devices
- 60 percent of the organizations utilize multiple vendors to meet their networking goals
- more info
Key trends in outsourcing
March 1st, 2012
The U.S. outsourcing market is recovering, with the financial services segment leading the pack. For all industry sectors, however, 2011 activity was essentially at or above the five-year average, which we take as an indication of a broad-based increase in overall economic strength -- and a rising tide that is lifting all boats according to a major outsourcing provider.
Why did outsourcing slow during the worst of the recession? Companies balked at the high upfront costs of outsourcing (you pay the outsourcer a big chunk of change to learn your processes and technology, hire people, train them, and then transfer the work), and they weren't willing to wait the years it would take to recover that initial outlay through subsequent savings.
- more info
Internet browsing best practices
February 29th, 2012
To protect your privacy while browsing the web follow these three best practices:
- Delete cookies. Cookies store site-related information that may be stolen for cybercriminal use. Deleting cookies can have a downside though, as doing so will require you to reenter your user name and password every time you access a site.
- Use the private browsing option. Browsers offer this special mode as a means to keep your online activities a secret from prying eyes. Opting for private browsing opens a new browser session that deletes its history and cookies as soon as you close the window. Note though that this doesn't guarantee anonymity while your browser window remains open, so advertisers can still track you during the session.
- Use the Network Advertising Initiative's (NAI) opt-out tool. This tool allows you to opt out of being "targeted" by customized ads (http://www.networkadvertising.org/managing/opt_out.asp). As an organization that promotes online advertising self-regulation, the NAI allows users to opt out of advertising promotions its member companies run.
- more info
Traditional approaches to data backup put companies at risk
February 24th, 2012
IT organizations of all sizes contend with a growing data footprint, with more data to manage, protect, and preserve for longer periods of time. Online primary storage focuses on fast, low-latency, reliable access to data, while near-line secondary storage focuses on low cost and high capacity.
Traditional approaches to data backup and storage have fallen behind in the areas of protection and recovery of these massive volumes, or addressed them in a piecemeal fashion. With enterprises in jeopardy of losing irreplaceable business data, and personnel and budgets stretched to the breaking point, traditional backup and recovery is broken.
- Many organizations today cannot complete full or even incremental backups during their allotted backup windows
- Streaming backup for key applications requires more network and processor power, and more time, than is typically available
- Server virtualization projects and cloud initiatives cannot be fully implemented or started with legacy protection models
- Edge data is not systematically protected
- Managing backup activities is overly difficult because of a myriad of point products that have been cobbled together over time
- Recovery is slow, far from granular, and not a sure thing
- Tiered storage has not been realized by very many enterprises
- more info
Federal employees depend on mobile devices
February 15th, 2012
Nearly half of federal IT workers recently surveyed use their mobile devices daily for work-related functions.
The survey of 200 federal IT workers, released by communications firm Bluetext, found that 45 percent of federal IT employees are using mobile devices for work on an everyday basis.
The top three most commonly used applications are email (93 percent), project management tools (36 percent) and social media (20 percent), with Facebook being the overwhelming favorite. Thirteen percent said they use VoIP apps.
Most (68 percent) of those who use social media apps for work purposes turn to Facebook, while 21 percent use Twitter, 16 percent choose Google+ and 11 percent pick LinkedIn. Only 3 percent indicated they use YouTube, and the same number opt for MySpace.
2012 could become the year when mobile devices become the norm and not the exception for federal employees who use them for work purposes.
- more info
CIO expanding role
February 6th, 2012
The chief information officer's (CIO) influence is growing in today's boardroom. And the role of the IT organizations that they lead is expanding as well.
Every function, from sales, marketing and manufacturing to service and even human resources, affects not only the bottom line but also a company's systems and information integrity. Prudent companies are drawing their IT organizations into greater collaboration with the operational aspects of the enterprise. Moreover, they are asking their CIOs to take a more prominent position in defining strategy.
- more info
Big brother compliance requirement killed in Hawaii
January 28th, 2012
Lawmakers in Hawaii on Thursday killed a bill that would have required Internet service providers to collect the detailed browsing histories of Internet users in the state and store the data for at least two years. The bill would have required anyone providing access to the Internet in Hawaii to maintain "consumer records" of every Internet user's subscriber information and data such as the IP addresses, domain names and host names of the sites they visit. It would have covered not only ISPs but also libraries, coffee shops and employers.
One of those opposing the bill was the U.S. Internet Service Provider Association, which earlier this week sent a letter to the committee's chairman. The bill was overbroad, raised a "myriad privacy concerns," and would be hugely expensive to comply with, wrote the ISP association's Executive.
- more info
Disaster Recovery Planning is Required for Business Continuity Planning
January 8th, 2012
Disaster Recovery Plans are part of a larger, more extensive planning process known as Business Continuity Planning. Disaster Recovery plans should be tested frequently so that as many individuals as possible are familiar with the specific actions they will need to take when a disaster occurs. Disaster Recovery plans must also be adaptable and updated frequently; e.g. if new people, a new branch office, or new hardware or software are added to an organization, they should promptly be incorporated into the organization's disaster recovery plan. Enterprises must consider all these facets of their organization, and update and practice their plan, if they want to maximize their recovery after a disaster.
Disaster Recovery and Business Continuity Planning are the process an organization uses to recover access to the enterprise operations (software, data, and/or hardware) needed to resume normal, critical business functions after either a natural disaster or a disaster caused by humans. While Disaster Recovery and Business Continuity plans, or DRPs & BCPs, often focus on bridging the gap where data, software, or hardware have been damaged or lost, one cannot forget the vital element of the workforce that composes much of any organization. A building fire might predominantly affect vital data storage, whereas a pandemic or epidemic illness is more likely to affect staffing. Both types of disaster need to be considered when creating a Disaster Recovery and Business Continuity Plan. Thus, enterprises should include in their DRPs & BCPs contingencies for how they will cope with the sudden and/or unexpected loss of key personnel as well as how to recover their data.
- more info
Public cloud poses a major security risk for CIOs
November 10th, 2011
Using some clouds like Amazon's EC2 (Elastic Compute Cloud) can pose a security threat to organizations and individuals alike, according to researchers. Some third parties evidently are not following best security practices when using preconfigured virtual machine images available in public catalogs, leaving users and providers open to such risks as unauthorized access, malware infections, and data loss.
The underlying message is that for all the power and opportunity of public clouds, providers and users alike need to approach with caution and embrace best security practices. Cloud infrastructure providers can't be expected to assess the security of every image, bit, and transaction that occurs on their machines any more than an apartment landlord can be responsible for everything that happens within his or her complex -- that is, what tenants do behind closed doors in the spaces they rent.
These vulnerabilities leave users exposed to malware, as well as to unsolicited connections, which malicious hackers could use to gather information about usage and to collect IP target addresses for future attacks through a backdoor.
A malicious hacker could use tools such as extundelete and Winundelete to recover previously deleted data.
Researchers stressed the importance of users being properly trained in using public cloud server images. Although public cloud server images are highly useful for organizations, if users are not properly trained, the risk associated with using these images can be quite high. The fact that these machines come pre-installed and pre-configured may communicate the wrong message, i.e., that they provide an easy-to-use 'shortcut' for users who do not have the skills to configure and set up a complex server. The reality is quite different. Many different security considerations must be taken into account to make sure that a virtual image can be operated securely.
- more info
How to maximize data protection
November 5th, 2011
The top must-do tasks for maximizing data protection.
- Audit Data Access - Keep an audit trail of who actually accesses which data. Several of the tasks below depend on it: an audit trail is what lets IT tell active data from stale data and identify permissions that are unused and can be revoked.
- Inventory Permissions and Directory Services Group Objects - Effective management of any data set is also impossible without understanding who has access to it. Access control lists and groups (in Active Directory, LDAP, etc.) are the fundamental protective control mechanism for all unstructured and semi-structured data platforms, yet too often IT cannot easily answer fundamental data protection questions like "Who has access to a data set?" and "What data sets does a user or group have access to?" Answers to these questions must be accurate and accessible for data protection and management projects to succeed.
- Prioritize Which Data Should Be Addressed - While all data should be protected, some data needs to be protected much more urgently than other data. Some data sets have well known owners and well defined processes and controls for their protection, but many others are less understood. With an audit trail, data classification technology, and access control information, organizations can identify active and stale data, data that is considered sensitive, confidential, or internal, and data that is accessible to many people. These data sets should be reviewed and addressed quickly to reduce risk.
- Remove Global Access Groups from ACLs (like "Everyone"), especially where sensitive data is located - It is not uncommon for folders on file shares to have access control permissions allowing "Everyone", or all "Domain Users" (nearly Everyone), to access the data contained therein. SharePoint has the same problem (with Authenticated Users). Exchange has these as well as "Anonymous User" access. This creates a significant security risk, for any data placed in that folder will inherit those exposed permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. When sensitive data, like credit card information, intellectual property, or HR information, is in these folders, the risks can become very significant. Global access to folders, SharePoint sites, and mailboxes should be removed and replaced with rules that give access to the explicit groups that need it.
- Identify Data Owners - IT should keep a current list of data business owners and the folders and SharePoint sites under their responsibility. By having this list "at the ready," IT can expedite a number of the previously identified tasks, including verifying permissions revocation and review, and identifying data for archival. The net effect is a marked increase in the accuracy of data entitlement permissions and, therefore, data protection.
- Perform Regular Data Entitlement (ACL) Reviews and Revoke Unused and Unwarranted Permissions - Every file and folder on a Windows or UNIX file system, every SharePoint site, and every mailbox and public folder has access controls assigned to it which determine which users can access the data and how (i.e. read, write, execute, list). These controls need to be reviewed on a regular basis and the settings documented so that they can be verified as accurate by data business owners and security policy auditors.
Users with access to data that is not material to their jobs constitute a security risk for organizations. Most users only need access to a small fraction of the data that resides on file servers. It is important to review and then remove or revoke permissions that are unused.
- Align Security Groups to Data - Whenever someone is placed in a group, they get file system access to all folders that list the group on their ACL. Unfortunately, organizations have completely lost track of which data folders contain which Active Directory, LDAP, SharePoint or NIS groups. This uncertainty undermines any access control review project and any Role Based Access Control (RBAC) initiative. In Role Based Access Control methodology, each role has a list of associated groups into which the user is placed when they are assigned that role. It is impossible to align the role with the right data if the organization cannot verify to what data a group provides access.
- Audit Permissions and Group Membership Changes - Access Control Lists are the fundamental preventive control mechanism in place to protect data from loss, tampering, and exposure. IT requires the ability to capture and report on access control changes to data, especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without good business reason, IT and the data business owner must be quickly alerted, and be able to execute remediation.
Directory groups are the primary entities on Access Control Lists (Active Directory, LDAP, NIS, etc.); membership grants access to unstructured data (as well as many applications, VPN gateways, etc.). Servers also have their own local groups that should be audited. Users are added to existing and newly created groups on a daily basis. Without an audit trail of who is being added to and removed from these groups, enforcing access control processes is impossible. Ideally, group membership should be authorized and reviewed by the owner of the data or resource to which the group provides access.
- Lock Down, Delete, or Archive Stale, Unused Data - Much of the data contained on unstructured and semi-structured platforms is stale. By archiving stale or unused data to offline storage or deleting it, IT reduces the risk that stale data will be accessed by inappropriate parties, and makes the job of managing the remainder simpler and easier while freeing up expensive resources.
- Clean Up Legacy Groups and Access Control Artifacts - Unneeded complexity slows down performance and makes mistakes more likely. Organizations create so many groups that they often have as many as they do users; many are empty, unused or redundant. Some groups contain other groups, which contain other groups, with so many levels of nesting that they sometimes create a circular reference when they contain a group that contains itself. Access control lists often contain references to previously deleted users and groups (also known as "orphans"). These legacy groups and misconfigured access control objects should be identified and remediated.
- more info
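The checklist above (inventory permissions, remove global access groups, answer "who has access to a data set?", clean up orphans, empty groups and circular nesting) can be applied mechanically once ACLs and group memberships have been exported. The following is an added example, not code from the original page or from Janco; the share paths, group names, user names and SID are constructed sample data, and the export format is an assumption.

```python
# Added example (not from the original page): an access-control audit over a
# constructed inventory. All share paths, groups, users and SIDs are made up.

# Constructed directory export: group -> direct members (user or group names).
GROUPS = {
    "Domain Users": ["alice", "bob", "carol"],
    "Finance-RW": ["alice", "Finance-Leads"],
    "Finance-Leads": ["carol", "Finance-RW"],  # nests back into Finance-RW: circular
    "Legacy-App-Admins": [],                    # empty legacy group
    "HR-RO": ["bob"],
}
USERS = {"alice", "bob", "carol"}

# Constructed ACL export as (path, principal, rights). The raw SID stands for a
# deleted account that is still referenced on the ACL (an "orphan").
ACLS = [
    (r"\\fs01\Finance\Payroll", "Everyone", "Full"),
    (r"\\fs01\Finance\Payroll", "Finance-RW", "Modify"),
    (r"\\fs01\HR\Reviews", "Domain Users", "Read"),
    (r"\\fs01\HR\Reviews", "HR-RO", "Read"),
    (r"\\fs01\Projects\Archive", "S-1-5-21-1111-2222-3333-1105", "Modify"),
    (r"\\fs01\Projects\Archive", "Authenticated Users", "Read"),
]

# Global access groups that should not appear on ACLs protecting sensitive data.
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users", "Anonymous User"}


def find_global_access(acls):
    """ACL entries that grant access to a global group (nearly everyone)."""
    return [entry for entry in acls if entry[1] in GLOBAL_GROUPS]


def find_orphans(acls, users, groups):
    """ACL entries whose principal is not a known user, group or global group."""
    known = users | set(groups) | GLOBAL_GROUPS
    return [entry for entry in acls if entry[1] not in known]


def find_empty_groups(groups):
    """Groups with no members: candidates for clean-up."""
    return sorted(name for name, members in groups.items() if not members)


def find_circular_groups(groups):
    """Groups that contain themselves, directly or through nested groups."""
    def reaches(start, current, seen):
        for member in groups.get(current, []):
            if member == start:
                return True
            if member in groups and member not in seen:
                seen.add(member)
                if reaches(start, member, seen):
                    return True
        return False
    return sorted(name for name in groups if reaches(name, name, set()))


def effective_users(group, groups, users):
    """Flatten nested membership to a set of users; the visited set makes cycles safe."""
    result, stack, visited = set(), [group], set()
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for member in groups.get(current, []):
            if member in users:
                result.add(member)
            elif member in groups:
                stack.append(member)
    return result


def who_can_access(path, acls, groups, users):
    """Answer 'who has access to a data set?' from explicit users and nested groups.
    Global groups are left out here because find_global_access() reports them."""
    allowed = set()
    for entry_path, principal, _rights in acls:
        if entry_path == path and principal in users:
            allowed.add(principal)
        elif entry_path == path and principal in groups:
            allowed |= effective_users(principal, groups, users)
    return allowed


def datasets_for_user(user, acls, groups, users):
    """Answer 'what data sets does a user have access to?' for one user."""
    paths = {entry[0] for entry in acls}
    return {p for p in paths if user in who_can_access(p, acls, groups, users)}
```

Running the functions over the constructed inventory flags the Everyone, Domain Users and Authenticated Users entries, the orphaned SID on the Archive share, the empty legacy group and the Finance-RW/Finance-Leads nesting loop, while still resolving Payroll access to alice and carol.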
Ten commandments of security management
October 27th, 2011
The ten commandments of security management are:
- Limit access to information to those who need to have it -- People can't misuse information that they don't have.
- Conduct frequent and deep security audits -- Identify who has access to what and how their actions could weaken the protection of valuable data/information.
- Set limits to information access -- Do not exclude all information from access; data exclusion locks down access, while limits set authorizations so specific people can do specific things under specific circumstances.
- Limit admin privileges to as few individuals as possible -- Very few individuals need them to do their jobs.
- Ignore organizational hierarchy when setting access capabilities -- Access and authorization should be based upon responsibilities, not position.
- Make security invisible -- Minimize extra commands, screens, and pop-ups for employees; if an action is allowed, just let it happen.
- Analyze security and end back doors -- Compliance logs reveal threat patterns and show how security steps are hurting productivity.
- Monitor information access and updates -- User-initiated app updates can invite vulnerabilities.
- Educate everyone on security policies and procedures -- The more that people know about the rules, the better.
- Make security best practices the watchword for everyone -- IT and the general workforce must address the constantly changing nature of security breaches.
- more info
Disaster Recovery Must Do Steps
October 16th, 2011
The things that your company must do to make sure the disaster recovery and business continuity plan will work when it is needed are:
- Distribute the disaster recovery and business continuity plan or a HandiGuide® to all decision makers and key operating employees who will need access to it when the event occurs.
- Define the chain of command with a single leader, but do not limit the people who would have to implement the disaster recovery business continuity plan when the event occurs if that leader is unavailable.
- Conduct frequent tests and address all areas where shortcomings are found.
- Conduct the tests in an unannounced mode.
- Validate that mission critical data is at sites other than the primary data center.
- Establish a communication plan that can be implemented after the disaster.
HandiGuide is a Janco Associates registered trademark
- more info
Records Management Policy is Key to e-discovery
October 10th, 2011
This explosion of electronic communications has opened new and creative ways of conducting business, but it has also created new challenges in the way litigation and investigations are conducted. Since communications and other records relevant to any legal matter are often found in electronic format, the methods for collecting, processing and reviewing potentially relevant evidence have changed. The process of finding, identifying, holding, searching, reviewing, producing and presenting electronic data to be used as evidence in a legal or investigative matter is called electronic discovery, or simply e-discovery.
The scope of an e-discovery effort can include any form of ESI, but the overwhelming majority of e-discovery is performed against email systems and data. In fact, email data has quickly become the de facto standard for prima facie evidence and affirmative defense in litigation or investigative matters. Unfortunately, searching against email systems often results in enormous amounts of data, which must then be processed and reviewed for relevance, typically by paralegals and attorneys who charge by the hour. Therefore, email processing and review is typically the most costly part of an e-discovery project.
- more info
Endpoint data is security and compliance risk
October 1st, 2011
CIOs all agree that endpoint information is a potential liability. The big question is, where do CIOs find a non-intrusive way to protect and classify endpoint data to minimize risk, all while making sense economically?
With compliance requirements and external threats on the rise, no business can afford to leave its data unprotected, especially at the endpoint. Fortunately, IT leaders understand the risk: fifty-nine percent of respondents to a recent survey rate backup and protection of desktop and laptop data as crucial or high priority. Unfortunately, even though the majority of survey respondents have something in place, many fall short in terms of meeting needs for identification, classification and discovery. As a result, these firms leave themselves in a position of vulnerability, especially those in highly regulated industries.
- Sixty-one percent currently using or planning to use a desktop and laptop backup solution consider improving the accessibility and availability of user data a critical or very important objective.
- Fifty percent rate the ability to quickly find endpoint data for discovery and compliance purposes a critical or high priority.
- Forty-seven percent expect an improvement in the ability to comply with industry and government regulations as a result of the efforts their companies are making to effectively back up, protect and manage endpoint data.
- more info
FEMA emergency response first steps
September 8th, 2011
For companies just starting to develop emergency-response plans, or reviewing the plans they have, FEMA and the Small Business Administration recommend focusing on the following questions:
- Who is responsible for backing up critical records, including tax, accounting, payroll, and production? Store these records, including a copy of the business-continuity plan, site maps, insurance policies, and bank-account information, both on-site and at a second site at least 100 miles away.
- How will the company protect its computer hardware, software, and databases?
- How will the company communicate with employees during an emergency?
- Has the CFO or risk-management chief met with the company's insurance providers to review coverage? Most policies do not cover flood damage, for instance.
- Does the company have a shelter-in-place plan to protect employees in the event they need to remain inside the building during an emergency? Do employees know the plan?
- more info
Working at home works in Singapore
September 5th, 2011
Singapore companies offering flexible and home-based work arrangements are reporting a 10 per cent increase in productivity, on top of savings in rental and transportation costs.
Such arrangements also allow them to tap into the more than one million economically-inactive residents in Singapore.
And according to a Manpower Ministry survey last year, 35 per cent of employers offer at least one form of flexible work arrangement, up from 25 per cent in 2007.
- more info
Policies that you could use include:
- CIO IT Infrastructure Policy PDF (All of the policies below which come as individual MS Word files)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
- Incident Communication Plan Policy (Updated to include social networks as a communication path)
- Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (Includes 5 electronic forms to aid in the quick deployment of this policy)
- Mobile Device Access and Use Policy
- Outsourcing Policy
- Record Management, Retention, and Destruction Policy
- Sensitive Information Policy (HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
- Service Level Agreement (SLA) Policy Template with Metrics
- Social Networking Policy
- Telecommuting Policy
- Travel and Off-Site Meeting Policy