Sensitive Information Policy
HIPAA Audit Program Guide and a PCI Audit Program

Includes Electronic Sensitive Information Policy Compliance Agreement Form for Easy Deployment of Policy
With identity theft and cyber attacks on the rise, you're facing new pressures to protect sensitive information. In fact, 46 states have now passed data security laws that apply to companies that do business with residents of those states. These laws are designed to protect residents against identity theft by mandating security practices such as:
- Implementing an information security program
- Encrypting data
- Notifying customers in the event of a security breach that compromises unencrypted personal information
To protect sensitive information, companies in many states are now required to implement security programs that include capabilities for incident monitoring and alerting, trend reporting, logging, security information management (SIM), and other prudent security controls and practices.
This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 34 pages in length and complies with Sarbanes Oxley Section 404, ISO 27000 (17799), and HIPAA. The electronic Word form that is provided can be delivered electronically, completed via computer, and filed electronically. The PCI Audit Program that is included is an additional 50-plus pages in length.
The Massachusetts and California mandated requirements were specifically included as part of the policy.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), co-location providers, and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
The HIPAA Audit Program Guide provides you with a checklist of the items that HIPAA mandates must be implemented. (See also Nationalized ID.)
The policy contains text that can be used immediately. For example:
General Policy Statement
The Chief Security Officer or delegate must approve all processing activities at ENTERPRISE associated with sensitive information. This information includes but is not limited to social security numbers, credit card numbers, credit card expiration dates, security codes, passwords, customer names, customer numbers, ENTERPRISE proprietary data, and any other data (i.e. California Personal ID number) that is deemed to be confidential by ENTERPRISE, its external auditors, any governmental agency, or other body that has jurisdiction over ENTERPRISE or its industry.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
All processing, storage and retrieval activities for sensitive information must maintain strict access control standards, and the Chief Security Officer mandates that these specific policies be followed.
Other Policies
The policies have just been updated to comply with all mandated requirements and include electronic forms that can be emailed, filled out completely on the computer, routed and stored electronically -- a total solution.
- CIO IT Infrastructure Policy Bundle (All of the policies below are included as individual MS Word files and a single PDF file. Electronic forms are all individual documents that are easily modifiable)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
- BYOD Policy Template (Includes electronic BYOD Access and Use Agreement Form)
- Incident Communication Plan Policy (Updated to include social networks as a communication path)
- Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (Includes 5 electronic forms to aid in the quick deployment of this policy)
- Mobile Device Access and Use Policy
- Patch Management Policy
- Outsourcing Policy
- Record Management, Retention, and Destruction Policy
- Sensitive Information Policy (HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
- Service Level Agreement (SLA) Policy Template with Metrics
- Social Networking Policy (includes electronic form)
- Telecommuting Policy (includes 3 electronic forms to help to effectively manage work at home staff)
- Travel and Off-Site Meeting Policy
- IT Infrastructure Electronic Forms

Note: See the Practical Guide for Outsourcing, a document of over 110 pages, for a more extensive outsourcing process.
Current Information Technology News
Security is a concern of CIOs with the increase in use of mobile devices
May 12th, 2012
By definition, mobile devices extend beyond corporate physical security controls, and data on devices or transmitted over public Wi-Fi networks is at risk. Security is a key concern for CIOs as they begin to implement mobile device solutions. Over two thirds of all CIOs, according to Janco Associates, Inc., feel that security of mobile devices is the largest risk to deal with when building a mobility strategy.
Lost or stolen devices are the most common type of mobile security incident today. How many times have we heard in the media that an employee of a hardware vendor lost a device in a bar or cab before it was released? Add to this unauthorized applications or malware targeted at mobile devices that put corporate systems at risk.
CIOs are drivers of BYOD
April 28th, 2012
Organizations that choose to support their employees' personal devices within a secure environment will measurably increase their business productivity as well as extend their employees' flexibility. Additionally, the results underline a need for businesses to develop a platform agnostic device strategy that ensures corporate data remains secure.
- Organizations provide comprehensive support to BYOD: Employees will work around corporate IT infrastructure in order to be productive and find ways to leverage their personal devices, regardless of whether they're supported by the business or not. Supporting as many computing platforms as possible will ensure employees are accessing and sharing business data within a secure environment approved by the organization.
- CIOs should focus on data when implementing BYOD: Over three quarters of all CIOs identify their role as a data custodian or someone responsible for locating content and establishing context that is aligned with associated business rules. An organization's mobile strategy therefore needs to not only enable IT professionals to effectively manage the volume of data, but also provide the solutions that allow employees to securely access and leverage data as a business asset.
- BYOD implementation should enable productivity: Identify the business applications employees rely on (such as the organization's email or social collaboration tools) and provide mobile and tablet support for these applications to ensure employees can remain productive.
HIPAA does not address all security issues
April 13th, 2012
HIPAA places a requirement on health care and insurance organizations to go further than simply complying with regulations to protect health information. Although those organizations deal with many types of government and professional regulations, as adoption of electronic health records (EHRs) progresses, they also need to form policies of their own to secure patient data.
Health care organizations have turned to government guidelines on security, but they need their own security measures as well. These government security guidelines include the 1996 Health Insurance Portability and Accountability Act (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which made penalties for data breaches more severe.
Evolving threats will always outpace even the most thorough regulatory requirements. For that reason, organizations need to constantly assess their security risk levels and evolve their policies and procedures to ensure that they are in the best possible position to protect their patients and their bottom lines.
A large number of health care breaches reported to the U.S. Department of Health and Human Services were also due to portable devices. The expanded use of mobile devices offers new operational efficiencies and increased vulnerabilities. Security steps for mobile devices should be included in the action plans so that guidelines are set.
Safety incidents need to be tracked
April 4th, 2012
Health, Safety, and Environmental Professionals can spend significant time trying to manage behavior-based safety programs. They know that employees and supervisors should conduct behavior-based observations on an on-going basis, but the volume of observations and the data analytics required to determine trends make this process difficult and time consuming. By tracking, documenting, and analyzing safety observations, you can determine behavior-based safety metrics and trends.
IT Jobs Will Grow 22% Through 2020
March 31st, 2012
The Bureau of Labor Statistics (BLS) has released its biennial employment forecasts, and this year's report has some good news for IT workers. The agency predicts that employment in all computer-related fields will grow 22 percent through 2020. Some job titles will do even better, for example software developers (28-32 percent growth), database administrators (31 percent growth), and network and systems administrators (28 percent growth).
While the forecast looks good, some experts say the U.S. IT job growth isn't as high as it needs to be. Victor Janulaitis, CEO of research firm Janco Associates, characterized the IT job growth as "anemic," saying, "When you consider the overall demand for systems and applications in high-growth markets like China and India, the BLS projections mean the U.S. will be doing a diminishing portion of the development and implementation work. If that's the case, the U.S. will no longer be the leader in IT."
He added, "The BLS projections are a bad sign for the U.S. IT graduates from universities. Those numbers do not cover the net growth necessary to give all of the graduates jobs."
Backup lacking in many small businesses
March 16th, 2012
In a recent survey it was found that an increasing number of professionals (80%) work remotely and rely on personal devices (many BYODs) such as smartphones (63%), iPads (30%), and laptops (80%) to access company data. Despite the expectation that professionals with sensitive client data would understand the associated risks and responsibilities, the numbers reflect that many professionals working remotely, and their companies, are either unaware or too casual about how to keep this information safe and secure. Interestingly, legal professionals trailed the field, with 78% of lawyers reporting they were either not at all concerned, not that concerned or only somewhat concerned about the security of their company data for employees using personal devices for work.
Other findings for small-to-midsize businesses with fewer than 1,000 employees include:
- 66% of all have a formal procedure for backing up company data
- 87% have no formal policy in place regarding employees' use of personal devices for work purposes
- 32% let employees make their own decisions about how to back up company and client data on their devices
- Over 50% do not have backup or data recovery plans that meet current standards for data protection
- 41% store and back up company data on portable USB devices, which may be used by family members, get lost, or even be stolen
- Over 30% had a hard drive crash in the last 12 months where data was not fully recovered
- 67% have a formal backup process; most are using external hard drives located locally
Electronic Medical Record requirement drives IT opportunities
March 1st, 2012
Electronic Health Records and Electronic Medical Records are all over the news, with recent focus on Health Care Information Technology. Over the next few years, health care is getting a major information technology overhaul as the world moves towards a digital age in health care.
Personal mobile devices are becoming a fixture in health care as 85 percent of hospital IT departments allow doctors and staff to use personal devices at work, according to a new survey of health care IT professionals by a manufacturer of mobile networking infrastructure.
The survey showed that 83 percent of health care IT professionals allow iPads on their enterprise networks and 65 percent support iPhones and iPod Touch devices.
Meanwhile, 52 percent of hospitals support personal BlackBerry devices while other industries are not enabling access to personal BlackBerry devices as much as the health care industry is.
Mobile phone has hidden features
February 24th, 2012
A mobile phone can actually be a life saver or an emergency tool for survival. Here are some tips to add to your disaster recovery plans for cell phone use:
- Emergency Number - The Emergency Number worldwide for Mobile is 112. If you find yourself out of the coverage area of your mobile network and there is an Emergency, dial 112 and the mobile will search any existing network to establish the emergency number for you, and interestingly, this number 112 can be dialed even if the keypad is locked.
- Hidden Battery Power - Imagine your cell battery is very low. To activate the reserve, press the keys *3370#. Your cell phone will restart with this reserve and the instrument will show a 50% increase in battery. This reserve will get charged when you charge your cell phone next time.
- Disable a STOLEN or lost mobile phone - To check your mobile phone's serial number, key in the following digits on your phone: *#06#. A 15-digit code will appear on the screen. This number is unique to your handset. Write it down and keep it somewhere safe. If the phone is lost or stolen, you can phone your service provider and give them this code. They will then be able to block your handset so even if the thief changes the SIM card, your phone will be totally useless. You probably won't get the phone back, but at least you know that whoever stole or has it can't use/sell it either. If everybody does this, there would be no point in people stealing mobile phones.
- Free Directory Service for Mobile Phones - Telephone companies are charging us $1.00 to $1.75 or more for 411 information calls made from mobile phones. Most people do not carry a telephone directory, which makes this situation a problem. When a number is needed, instead of 411 simply dial (800) FREE411 or (800) 373-3411 without incurring any charge at all. Program this into your cell phone now.
Cybersecurity is not just an IT issue
February 16th, 2012
Putting the onus for all data security on the IT department to address security attacks is not a successful strategy. The attackers are exploiting the end-users more and more, thus circumventing security controls altogether.
With that in mind, the two most urgent actions are for organizations to create awareness of the problem and build commitment among leadership to tackle it. A strong cybersecurity program warrants a comprehensive strategy to address any risks within the environment. These include everything from developing the strategy and a human capital plan to awareness and training.
Cybersecurity is not just an IT issue; that's not how your adversaries are looking at it. Using IT happens to be the way they get into networks. Technology is only one aspect. Organizations need to look at it as a foreign intelligence collection effort. Bottom line, cybersecurity needs to be top-down driven, from the head of the agency or a CEO on down. Only then will the enterprise be adequately protected.
Mobile workforce and multiple devices concern CIOs
February 11th, 2012
CIOs have to address two fundamental end user computing challenges. CIOs need to provide secure, anytime access to an increasingly remote and mobile workforce, and manage the ever increasing diversity of devices, applications, platforms and operating systems needed to run their organization.
Traditionally, CIOs and the IT departments determined the technology issued to employees and the policies strictly governing their use. However, that approach may have worked for an office-bound workforce but is no longer practical in today's highly connected, mobile environment. In addition, with the increase in IT complexity, security challenges have become more complex and insidious. Security threats are growing in volume and sophistication at an alarming rate.
A policy is needed to deal with the mobile workforce that most organizations have.
Hiring and keeping younger workers
January 28th, 2012
Today's young workers are extremely tech-savvy, and the technology they'll have access to is a major consideration for many as they join the workforce. Many are used to having 24/7 access to email and the Internet on their smartphones or tablets. And with extensive knowledge of the Internet and its many services, more are using Web-based applications for many of the solutions they use on a daily basis. As an employer, making sure you have the right technology on hand to both appeal to and keep your younger workers happy is an important consideration when plotting out your technology roadmap.
Keeping workers helps reduce training costs over time, and it could also help you sell your CEO on some product purchases. You know that cloud solution you're dying to implement? Well, tell the CEO about your young workforce being able to take advantage of it to work extra hours, and it might just happen. Want to bring iPads to the office? Tell the top executive that it might just improve productivity. As your company tries to find an edge in a job market filled with educated Millennials, technology could very well be the differentiating factor that helps you attract and retain a young workforce.
Cloud as an alternative to outsourcing
January 20th, 2012
CEOs at three of India's top ten outsourcing providers recently told the Times of India that they plan to "reduce on-site work by up to five percent over the next year and handle traditional onsite projects such as managing takeover of an existing outsourcing contract, through videoconferencing." (The Times did not name the CEOs or their companies.)
As the whistleblower case against Infosys, alleging that the Indian IT services provider misused B-1 visas to bring offshore staff to the U.S., heads to court later this year, it's unlikely that scrutiny of the temporary worker visa system will subside. And, as of Monday, talks between the U.S. and India intended to address these visa complaints among other issues, were called off indefinitely.
Prepare now for the inevitable effects of reductions in onshore and on-site headcount:
- Conduct a Process Design Review - Make sure that essential on-site roles required for seamless operation of global delivery will be filled. Consider contract resources to handle short-term gaps, advises Amneet Singh, vice president of global sourcing for outsourcing consultancy Everest Group. Longer term, developing such skills in-house may be a better bet. "Buyers are picking and choosing certain roles to bring back in-house," says Esteban Herrera, chief operating officer of outsourcing analyst firm HfS Research.
- Invest in Change Management Efforts - Prepare users for potential tweaks in the delivery model and changes in their day-to-day working experience, says Singh, and execute an effective communication strategy to address any uncertainty in the business.
- Consider Nearshore Alternatives - Providers with alternate delivery locations, like Mexico, do not have the same temporary visa restrictions as a result of the North American Free Trade Agreement (NAFTA), Herrera points out. They can more easily transfer workers across borders to manage projects and knowledge transfer.
- Beef Up Your Technology Backbone - Your offshore provider is likely to require more high-end videoconferencing or digitization capabilities to manage future projects. Ensure you have the right infrastructure and software to handle the proposed technology enablers of diminished on-site staff, says Singh. Also, make sure to design and execute effective internal training programs for the new tools.
- Revisit Contract Pricing - If your IT service provider is planning to move on-site roles overseas, it's probably a good time to renegotiate price, but don't play hardball. Sharing the upside of sending more work to less costly locales will result in a happier and healthier relationship long-term.
Half of European companies have no Disaster Plan
January 12th, 2012
Over half of small organisations across the UK, France and Germany are operating without a formal disaster recovery plan in place, according to research.
The survey of 160 IT decision-makers found that 58% of small organisations (50-250 employees) do not have a formal disaster recovery plan, and nearly one fifth of mid-sized enterprises (250- 1,000 employees) are in the same position.
Industry differences became apparent when comparing how prepared organisations are for a potential disaster. Companies within the Financial Services sector (90%), as well as those in Communications and Media (81%), have formal disaster recovery plans in place. However, a much smaller percentage of businesses in Retail & Distribution, and Manufacturing, have done the same, with less than 40% having drawn up formal disaster recovery plans.
Security Template now has electronic forms
January 7th, 2012
The Security Manual for the Internet and Information Technology is over 230 pages in length. All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes Oxley, ISO 27000, PCI DSS, and HIPAA.
The policies and procedures template now has electronic forms including:
- Blog Policy Compliance
- Company Asset Employee Control Log
- Email - Employee Acknowledgment
- Employee Termination Checklist
- Internet Access Request
- Internet Use Approval
- Internet & Electronic Communication - Employee Acknowledgment
- Mobile Device Access and Use Agreement
- Employee Security Acknowledgement Release
- Preliminary Security Audit Checklist
- Security Access Application
- Security Audit Report
- Security Violation Reporting
- Sensitive Information Policy Compliance Agreement
Federal agencies are not spending as much as private businesses on security
November 22nd, 2011
Federal agencies have budgeted $6.5 billion for security in 2012, much less on a percentage basis than other businesses and industries.
The federal government lags behind most industries when it comes to how much of its IT budgets are spent on security, pointing to a need for agencies to rethink their investments as they adopt new technologies.
Many agencies report they don't feel they have enough money to spend on security and, in general, security investments by the federal government are less than that spent by other business sectors.
In total, federal agencies have budgeted $6.5 billion for all security investments in fiscal 2012. However, the entire IT budget for the feds for that year is expected to top $81.3 billion.
Not surprisingly, the Department of Defense spends more than any other agency on security, according to the report. Its 2012 budget for security, covering both legacy systems and development, modernization, and enhancement, is $4.1 billion, according to the report, which does not provide data on total IT budgets for agencies. The Department of Homeland Security also is one of the leading security investors among agencies, having budgeted $525.7 million for security in 2012.
US Senate looking to tax Internet Sales
November 9th, 2011
The US Senate has a new bill on its agenda, The Marketplace Fairness Act, that would allow states to collect taxes on Internet sales, even when the seller does not have a physical presence in the taxing state.
In essence the bill would allow states that sign on to collect sales taxes from Web-based sellers, reversing a widespread practice of no Internet sales taxes since the beginning of the commercial Web.
The new bill would allow states to collect sales taxes from remote sellers if they sign on to the Streamlined Sales and Use Tax Agreement (SSUTA), a 12-year-old effort to meet the Supreme Court's requirements to simplify sales tax collection, or if they adopt a so-called alternative tax simplification plan.
Sponsors of the bill, similar to past efforts to allow Internet sales taxes, said the current system is unfair to small bricks-and-mortar businesses that have to charge sales tax to local customers.
Correcting Social Media Errors
November 8th, 2011
What matters first with a social media mistake is responding quickly, being transparent and demonstrating sincerity -- all of which should follow a social gaffe committed in person and in public. Social media, though, introduces complications all its own: How you've been using it all along will also affect your ability to clean up after it.
This is why what comes after the mistake is just as important, if not more so: The chance to learn why it happened in the first place and do something about it. You may find better ways to use social media because of this. If you've been spammy or thoughtless, you need to own up to that. If your audience makes good points about your shortcomings (however badly they phrase them), you need to respond to those too.
Smartphones impact how CIOs implement a secured DR infrastructure
November 5th, 2011
The world of smartphones, tablets and mobile devices is evolving rapidly and is changing the way CIOs think about topics ranging from telework to disaster recovery to information security.
- Mobile Device Security: Before you can make your users more productive with mobile devices, you need to make certain that those devices are highly secure and remotely managed.
- Custom Applications: The rapid advances in COTS smartphone technology have changed the game for creating custom, multi-platform applications that can dramatically boost your mobile users' productivity.
- Disaster Recovery and Emergency Response: New commercial wireless technologies can be a key part of your disaster response/Continuity of Operations (COOP) plans.
- Mandated Mobile Security: While modern cellular networks provide security good enough for everyday usage, there are some situations, such as when you're dealing with sensitive or classified information, where you need a higher grade of information assurance for your wireless voice communications.
- Mobile Resource Management: Whether you're tracking vehicles or other transportable assets, wireless asset management systems enable CIOs to increase asset protection and tracking capabilities and save money at the same time.
- Field Force Automation: Virtually any job process that is done with paper-based forms or on unconnected terminals can be adapted to mobile handheld or tablet devices.
Small businesses have a false sense of security about Internet access
October 27th, 2011
Most small business owners believe that Internet security is critical to their success and that their companies are safe from cyber security threats, but most fail to take fundamental precautions. This is the major finding from a survey of US small businesses.
The survey found that two-thirds (67 percent) of US small businesses have become more dependent on the Internet in the last year and 66 percent are dependent on the network for their day-to-day operations. What's more, 57 percent of firms say that a loss of Internet access for 48 hours would be disruptive to their business, 38 percent said it would be 'extremely disruptive' and 76 percent say that most of their employees use the Internet daily.
The vast majority of small business owners think their company is cyber-secure: 85 percent of respondents said their company is safe from hackers, viruses, malware or a cyber-security breach, and seven in ten (69 percent) believe that Internet security is critical to their business's success. Additionally, a majority (57 percent) of small businesses believe that having a strong cyber security and online safety posture is good for their company's brand.
Despite this, a closer look reveals that most small businesses lack sufficient cyber security policies and training. 77 percent said they do not have a formal written Internet security policy for employees and of those, 49 percent reported that they do not even have an informal policy. More small business owners also said they do not provide Internet safety training to their employees than said they do - to a tune of 45 versus 37 percent. And a majority of businesses (56 percent) do not have Internet usage policies that clarify what websites and web services employees can use and only 52 percent have a plan in place for keeping their business cyber-secure.
At the same time, small businesses may not understand how to respond to online threats or the danger they pose. For example, 40 percent of small businesses say that if their business suffered a data breach or loss of customer or employee information, credit card information or intellectual property, their business does not have a contingency plan outlining procedures for responding and reporting it. Two-fifths (43 percent) also say they do not let their customers and partners/suppliers know what they do to protect their information.
The survey also found that 69 percent of the businesses handle customer data, while about half (49 percent) handle financial records, one-third (34 percent) handle credit card information, one quarter (23 percent) have their own intellectual property, and one in five (18 percent) handle intellectual property belonging to others outside their company. When asked to rank their top concern while their employees are on the Internet, 32 percent of small business owners reported viruses, 17 percent spyware/malware and 10 percent reported loss of data. Yet only 8 percent are concerned about loss of customer information, 4 percent about loss of intellectual property and only 1 percent worry about loss of employee data, even though cyber security experts believe the loss of any of this kind of information would be devastating to a business.
Data Center Consolidation Impacts DRP and BCP
October 16th, 2011
Disaster Recovery and Business Continuity planning are impacted by Data Center consolidation that centralizes productivity applications. As enterprises reduce the overall number of data centers, consolidating remote and branch office assets in the process, Disaster Recovery and Business Continuity become more critical. According to an international research firm, 41% of large organizations have consolidated most IT assets in corporate data centers, while another 34% have consolidated some assets in corporate data centers.
While this has given IT greater operational control and lower costs, it also can lead to increased risk. Each remote site that accesses the centralized data center creates a potential point of failure. If the new centralized location were to fail, all the applications and services housed therein would be unavailable and its impact - as measured in lost productivity and revenue - could be far greater.
- more info
Security threats to increase according to a Georgia Tech report
October 12th, 2011
In 2012 there will be new and increasingly sophisticated ways used to capture and exploit user data, as well as escalated battles over the control of online information which will threaten to compromise content and erode public trust and privacy. The Georgia Tech Emerging Cyber Threats Report for 2012 identifies these specific issues as the ones expected to cause the most problems for organizations:
The mobile threat vector - managing tensions between usability, security and scale
- Mobile applications rely increasingly on the browser, presenting unique challenges to security in terms of usability and
- Expect compound threats targeting mobile devices to use SMS, e-mail and the mobile Web browser to launch an attack, then silently record and steal data.
- While USB flash drives have long been recognized for their ability to spread malware, mobile phones are becoming a new vector that could introduce attacks on otherwise-protected systems.
- Encapsulation and encryption for sensitive portions of a mobile device can strengthen security.
Botnets - the evolving nature of adversaries, tactics, techniques and procedures
- Botnet controllers build massive information profiles on their compromised users and sell the data to the highest bidder.
- Advanced persistent adversaries query botnet operators in search of already compromised machines belonging to their attack targets.
- Bad guys will borrow techniques from Black Hat SEO to deceive current botnet defenses like dynamic reputation systems.
Controlling information online - a new frontier in information security
- Security researchers are currently debating whether personalization online could become a form of censorship.
- Attackers are performing search engine optimization to help their malicious sites rank highly in search results.
- The trend in compromised certificate authorities exposes numerous weaknesses in the overall trust model for the Internet.
Advanced persistent threats and the intersection of cyber threats with physical and critical infrastructure
- Advanced persistent threats will adapt to security measures until malicious objectives are achieved.
- Human error, lack of user education and weak passwords are still major vulnerabilities.
- Cloud computing and computer hardware may present new avenues of attack, with malware moving further down the stack.
- Large, flat networks with perimeter defenses only at the Internet ingress/egress point break down quickly in the face of advanced persistent threats.
- more info
Data loss in a cloud environment is a major issue for CIOs
October 10th, 2011
Of the IT professionals surveyed, 65 percent reported that their organizations frequently experienced data loss from a virtual environment. This represents a 140 percent increase in reported virtual data loss compared to a similar survey last year.
Other key findings indicate that 53 percent of those surveyed experienced five virtual data loss incidents in the past year and 12 percent of respondents experienced data loss more than five times in the past twelve months.
Common causes of data loss from virtualized environments include file system corruption, deleted virtual machines, internal virtual disk corruption, RAID and other storage/server hardware failures and deleted or corrupt files contained within virtualized storage systems.
A virtualization data loss can be catastrophic for an organization. Determining the financial impact of a business disruption is difficult because there are both tangible factors, including productivity loss, missed sales opportunities and staff's hourly time, but also less tangible factors such as potential non-compliance penalties, damage to corporate image and weakened customer confidence.
"Successful organizations realize that any disruption within the virtual infrastructure, regardless of how small, will have an amplified impact on the business as a whole," said a manager of data recovery operations. "Virtualization contracts often claim no liability for data corruption, deletion, destruction or loss. As a result, it is critical for IT leaders and business continuity planners to proactively include a data recovery service provider in their contingency plans."
In addition to implementing virtual data centers onsite, organizations are increasingly turning to third-party cloud providers as a means of data storage. When asked about their cloud provider's ability to properly handle data loss incidents, 55 percent revealed a lack of confidence. In fact, only 39 percent of respondents said their cloud provider had educated their organization on how it would approach a data disaster/data recovery situation from the cloud.
- more info
Data in the cloud puts many enterprises at risk
October 1st, 2011
Between data analytic requirements and consolidation initiatives, there is a rapid increase in the use of structured data storage, and the amount of data stored in this way. The information stored in enterprise databases is increasingly sensitive and subject to legal, regulatory and other compliance requirements. In addition, many enterprises continue to rely on inadequate network and application-layer controls, and perform only minimal monitoring on database storage infrastructure.
Steps that CIOs must take
- Evaluate your enterprise's current database controls to identify gaps, and the compensating or mitigating controls for those gaps.
- Conduct a database risk assessment, applying a balanced approach to risk management and mitigation based on risk, criticality, and regulatory and other compliance requirements.
- Identify the monitoring use cases that apply to your enterprise's database infrastructure, and deploy tools to support those use cases effectively and efficiently.
- Develop and communicate a clear policy specifying what database-related behaviors should be audited and why.
- more info
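The monitoring and audit-policy steps above are easier to reason about with a concrete rule set. The following is an added example, not code from the page or from the research firm it cites: it turns four common database audit use cases (bulk reads of regulated tables, privilege changes, tampering with the audit table, and off-hours access to sensitive data) into rules and runs them over a handful of constructed audit-log lines. The log line format, table names, row threshold and business hours are all assumptions chosen for the example; a real DBMS audit log would need its own parser.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample audit lines (not real data). Assumed format:
#   "<ISO timestamp> <db user> <database> <statement> rows=<n>"
SAMPLE_AUDIT_LOG = """\
2011-10-01T09:12:03Z app_svc crm SELECT name,email FROM customers WHERE id=42 rows=1
2011-10-01T02:14:55Z jdoe crm SELECT * FROM customers rows=184233
2011-10-01T10:03:10Z dba_admin crm GRANT ALL PRIVILEGES ON customers TO jdoe rows=0
2011-10-01T11:20:41Z app_svc billing UPDATE cards SET status='closed' WHERE id=9 rows=1
2011-10-01T11:21:00Z jdoe billing SELECT pan,cvv FROM cards rows=5021
2011-10-01T23:59:59Z app_svc crm DELETE FROM audit_trail rows=99000
"""

# Policy inputs; the values are assumptions for this example and come from the
# risk assessment and audit policy, not from the tooling.
SENSITIVE_TABLES = {"customers", "cards"}   # tables holding regulated data
AUDIT_TABLES = {"audit_trail"}              # tables the audit trail itself lives in
BULK_ROW_THRESHOLD = 1000                   # rows returned that count as a bulk read
BUSINESS_HOURS_UTC = range(8, 19)           # 08:00-18:59 UTC counts as working hours

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<db>\S+) (?P<sql>.+?) rows=(?P<rows>\d+)$")
# Crude table extraction: the identifier after FROM/INTO/UPDATE/ON/TABLE.
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|ON|TABLE)\s+([A-Za-z_]\w*)", re.I)
PRIV_RE = re.compile(r"^(?:GRANT|REVOKE|CREATE USER|ALTER USER|DROP USER)\b", re.I)


@dataclass
class Event:
    ts: datetime
    user: str
    db: str
    sql: str
    rows: int

    @property
    def verb(self) -> str:
        return self.sql.split(None, 1)[0].upper()

    @property
    def tables(self) -> set:
        return {t.lower() for t in TABLE_RE.findall(self.sql)}


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one audit line; returns None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return Event(ts, m["user"], m["db"], m["sql"], int(m["rows"]))


def evaluate(ev: Event) -> List[Finding]:
    """Apply the four audit use cases to a single event; an event may trip several."""
    out: List[Finding] = []
    sensitive = ev.tables & SENSITIVE_TABLES
    if ev.verb == "SELECT" and sensitive and ev.rows >= BULK_ROW_THRESHOLD:
        out.append(Finding("bulk_sensitive_read", ev.user, f"{ev.rows} rows from {sorted(sensitive)}"))
    if PRIV_RE.match(ev.sql):
        out.append(Finding("privilege_change", ev.user, ev.sql))
    if ev.verb in {"DELETE", "TRUNCATE", "DROP", "UPDATE"} and ev.tables & AUDIT_TABLES:
        out.append(Finding("audit_table_modified", ev.user, ev.sql))
    if sensitive and ev.ts.hour not in BUSINESS_HOURS_UTC:
        out.append(Finding("off_hours_sensitive_access", ev.user, ev.ts.isoformat()))
    return out


def run_rules(log_text: str) -> List[Finding]:
    """Run every rule over every parseable line and return the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            findings.extend(evaluate(ev))
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_AUDIT_LOG):
        print(f"[{f.rule}] user={f.user}: {f.detail}")
```

On the sample log this flags the 184,233-row off-hours dump of `customers`, the GRANT to `jdoe`, the 5,021-row read of card data and the deletion from `audit_trail`, while the single-row application queries pass. The point for the policy step is that each rule maps to one sentence in the audit policy ("bulk reads of regulated tables are audited because ..."), so reviewers can see why a behavior is logged and what a hit means.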
CIOs who are paid more than $1MM are not that rare
September 23rd, 2011
The federal securities laws require clear, concise and understandable disclosure about compensation paid to CEOs, CFOs and certain other high-ranking executive officers of public companies. Several types of documents that a company files with the Commission include information about the company's executive compensation policies and practices. You can locate information about executive pay in: (1) the company's annual proxy statement; (2) the company's annual report on Form 10-K; and (3) registration statements filed by the company to register securities for sale to the public.
As part of the documents that public corporations must file, the total compensation of their top paid executives must be published each year. From those records we have identified the information technology executives who fall into that category. This is not an all-inclusive list of the highest paid IT executives but a snapshot of their compensation; other CIOs are paid more.
- more info
What defines cloud computing
September 16th, 2011
Cloud computing is very different from traditional networks and applications. In general, a service or offering is considered cloud computing if it has at least four of these seven traits:
- Internet (or intranet) accessible
- A massively scalable, user-configurable pool of elastic computing resources (such as network bandwidth, compute power, memory, etc.)
- Multitenancy (one large software instance shared by many customer accounts)
- A broad authentication scheme
- Subscription or usage-based payment
- Self-service
- Location independent
All of these traits offer new challenges to the computer security professional, but accessibility, multitenancy, broad authentication, and lack of location specificity are the four items responsible for the biggest technology shift and demand for new security solutions.
- more info