
Policy Template

The Record Management, Retention, and Destruction Policy is a detailed policy template that can be used on day one to create a records management process. More...

Business Continuity

The Disaster Recovery Planning (DRP) template can be used by an enterprise of any size. The template and supporting material have been updated to be Sarbanes-Oxley compliant. The Disaster Recovery Planning documentation comes as a Word document. More...

Security Procedures

The Security Manual for the Internet and Information Technology is over 240 pages in length. The template is compliant with ISO 27000 (formerly ISO 17799), Sarbanes-Oxley, the Patriot Act and HIPAA, and includes a PCI DSS audit program. More...

Job Descriptions

The IT job descriptions contained within the Internet and Information Technology Position Descriptions HandiGuide® were completed in 2010. The HandiGuide contains over 650 pages, which include sample organization charts, a job progression matrix, and over 230 job descriptions. More...

Salaries for IT

Are you paying too much or too little to your information technology staff? Are you earning what you're worth? Whether employer or employee, it is important to know what other companies are paying in total compensation for a similar position in your area. Learn how your company compares in the area of compensation. More...

Strategy Charter for IT

IT Infrastructure, Strategy, and Charter Template


Best Practices ISO 27000

ISO 27001 and ISO 27002 Compliant
HIPAA PCI-DSS Compliant
Enterprise License Available



Order Now   Table of Contents 

With the explosion of technology into every facet of the day-to-day business environment, there is a need to define an effective infrastructure to support the operating environment; to have a strategy for the deployment of technology; and to clearly define responsibilities and accountabilities for the use and application of technology.

Included with the template are a HIPAA Audit Program Guide and a 19-page ISO 27001 & 27002 Security Process Audit Checklist. The template is 135 pages in length (the full table of contents can be downloaded by clicking on the link above) and the topics covered include:

  • IT Infrastructure, Strategy, and Charter Summary
  • Strategy and Charter Statement of Authority
  • IT Management Structure
  • Compliance
  • Personnel Practices
  • Controls
  • Application Development Standards
  • Service Requests
  • Local Area Network
  • Back-up and Recovery
  • Disaster Recovery Plan
  • Security
  • Access Control - Physical Site
  • Access Control - Software and Data
  • Facility Requirements
  • Security Audit Checklist
  • HIPAA Audit Program

Special Offer - Premium and Gold Editions

                                                                           Standard   Premium   Gold
                                                                           Edition    Edition   Edition
IT Infrastructure, Strategy, and Charter Template (Word)                   X          X         X
IT Service Management (SOA) Template (Word) - see below                               X         X
220 Internet and IT Job Descriptions (each as an individual Word document)                      X
Security Audit Program (Excel Format)                                                           X
Update Service Available                                                   X          X         X

Order Now   Table of Contents

The IT Service Management Policy Template is a 130-page document that contains policies, standards, procedures and metrics that comply with the ITIL standard. Chapters of the template include:

  • Service Requests Policy
  • Service Request Standard
  • Help Desk Policy
  • Help Desk Standards
  • Help Desk Procedures
  • Help Desk Service Level Agreement
  • Change Control Standard
  • Change Control Quality Assurance Standard
  • Change Control Management Workbook
  • Documentation Standard
  • Application Version Control Standard
  • Version Control Standard
  • Internet Policy
  • e-Mail Policy
  • Electronic Communication Policy
  • Blog & Personal Web Site Policy
  • Travel and Off-Site Meeting
  • Sensitive Information Policy

Order Now  

Manage Critical Steps in Infrastructure Definition

Defining your optimal IT infrastructure is a critical task that can no longer wait, given all of the changes mandated by Sarbanes-Oxley and the changes to your operating environment. The template helps you:

  • Understand and explain what infrastructure is, enabling you, your constituents, and the executive team to manage the organization's technology environment more effectively.
  • Analyze the current state of your infrastructure so you know where it works well and where to focus improvement efforts.
  • Justify infrastructure spending, using the template's comprehensive definitions and ready-to-use examples to link IT infrastructure to your company's bottom line.
  • Prioritize your resources with a prescriptive toolset that lets you focus your efforts.

An Essential Strategic Advantage for Your IT Team

Implementing a cost-effective IT infrastructure that aligns with your organization's business strategy is essential to ensuring the success of the Information Technology function. For many IT professionals, the amount of time it takes to develop and implement such an infrastructure, and the unknown process required to complete it, make infrastructure design and implementation a daunting task. The IT Infrastructure, Strategy, and Charter Template draws on the experiences of some of the best IT and business operations executives in the industry to provide you with the right shortcuts.

Order Now   Table of Contents


Strategy and Charter News


How companies protect laptops is an issue

More than 50% of organizations surveyed indicated that they protect sensitive information with encryption software. A further 43% reported the use of asset tracking software. Simply knowing where all mobile computers are located is a powerful security measure; however, traditional IT asset management solutions are designed to track only those laptops that connect over a local area network (LAN) or virtual private network (VPN) connection. For a large proportion of laptop users, returning to head office is an intermittent event, allowing many laptop computers to remain below the radar of IT.

Encryption software is commonly referred to as the computer security fallback. In the event that a computer protected by organizational policy and physical deterrents is stolen, sensitive information on the laptop is made unreadable by encryption. For encryption software to be effective, however, laptop users must consistently and accurately follow company encryption policy. Even more worrisome is the fact that more than 30% of companies believe employees are actively involved in the theft of company computers. Armed with the necessary passwords and encryption keys to access data, disgruntled or dishonest employees represent a threat that cannot be addressed by encryption alone.

The common failing of these laptop security measures is that they rely heavily on the diligent action of laptop-using employees to remain effective. If a cable lock is not used, an authentication password is taped to the keyboard for convenience, or a regular encryption process is not completed, organizations remain unnecessarily vulnerable to a public data breach. By the same token, complex, expensive and ultimately productivity-dampening security measures may be effective but greatly reduce the benefits of laptop computers. Endpoint security solutions complement other security measures by providing a final, user-independent layer of protection.

- more info


Data breaches continue to be a CIO concern

The FBI received a record number of complaints in 2008, and the associated direct cost of the frauds carried out with stolen data was $265 million versus $235 million in 2007. Adding to this is the challenge of securing personal information and intellectual property data. Companies are granting access to more systems and information: bank customers access account balances; workers maintain their own 401k and investment accounts; web shoppers place orders and make purchases with a single click; and business partners work on projects in a collaborative manner online.

To reduce the risk of a data breach or theft, organizations must adopt new tactics. In addition, companies must address e-mail and Web security along with employing a functional data loss prevention strategy. The application of multiple security techniques is required to reduce risk. For example, there must be a way to control spam and block the downloading of malicious software from poisoned Web sites. In today's open Web 2.0 and social networking environments, companies need a way to defend against attacks and protect secret or sensitive data. At the same time, they must maintain a flexible and responsive infrastructure to support today's business working habits.

The Janco Security Manual Template has helped over 2,000 enterprises world-wide to meet these requirements.

- more info


Pandemic Disaster Recovery Plans At Risk

Pandemic disaster recovery planning should consider the impact the H1N1 flu virus could have on the Internet if workers and students are forced to stay home because of the pandemic. Officials at the U.S. Government Accountability Office weighed in on the potential for clogged networks in a 71-page report.

Although the issue has been raised before by various ISPs and network carriers, recent worries have focused on securities firms that depend on third parties to clear trades and process payments over the Internet, according to the GAO.

"Internet congestion during a severe pandemic that hampers teleworkers is anticipated, but responsible government agencies have not developed plans to address such congestion and may lack clear authority to act," the GAO warned.

Internet backbone congestion from a pandemic is not a major concern. The larger problem may be with the network "edge" or "last mile" in the residential portion of the Internet. Janco says that work-at-home strategies for organizations may not work as advertised, as residential Internet access may not be sufficient. This is true of both the capacity and the bandwidth available at work-at-home sites.

Often many residential DSL users share a single DSLAM connection at the carrier's switching office to reach the backbone, contributing to congestion problems. Last-mile DSL and cable modem networks are where remote access falls apart.

While the network edge impact would vary by neighborhood, the Centers for Disease Control planning guideline assumes that 40 percent of the workforce might not be in the workplace for an extended period of time during a pandemic.

- more info


Best Practices for CIOs and IT Departments

Business continuity is not just a good business practice - it can mean success or failure if data and applications on a production server are lost. Disaster recovery planning ensures organizations have the capability to continue essential functions across a wide range of situations that could disrupt normal operations. High availability is the cornerstone for most business continuity plans and is one of the reasons for evaluating and deploying data protection solutions. However, traditional data protection strategies focus on just the data and not the application.

CIOs and IT departments design the organization's infrastructure with continuity of business operations in mind. However, most organizations are not doing enough to protect mission-critical data, applications and systems from unexpected disruption and potential loss; volatilities such as viruses, power outages, natural disasters, corruption, human error and media failures can't always be prevented. Environments today are characterized by rapid data growth, complexity, stringent business requirements and increasing government regulation, making it difficult for organizations to get their arms around their data protection strategies. In many cases, the focus is on just protecting data, not necessarily on recovering it. And when there is a focus on recovery, it usually involves just making data available to an application.

- more info


Audit Fatigue is Setting In for Some

(Internet Research Group) - Regulation is a part of business, regardless of company size, industry, or geography. In addition, for the most part, the larger the enterprise, the larger the potential for non-compliance risk. Non-compliance can mean a number of things: sanctions, fines, legal action, market value impact, and remediation costs that may exceed the perceived cost of prevention. An audit program is required.

The results support the term "audit fatigue": unmanaged IT audit efforts within regulated organizations have a negative business impact on IT resources and reduce IT efficiency. However, respondents are largely aware of and interested in tools to automate audit processes and controls as a means of overcoming audit fatigue and freeing up IT budget and resources for innovation rather than compliance. The findings are as follows:

  • Compliance impact is increasing, resulting in higher audit frequency and number: As can be expected, larger organizations must satisfy a number of IT audits. Small to mid-sized enterprises (SMBs) are also subject to an increased level of compliance requirements, resulting in more IT audit engagements than expected. Given the lack of consistent IT standards across industries and geographies for audit criteria and reporting, compliance efforts (i.e., IT audit and remediation) are largely manual.
  • Audit costs are unmanaged, resulting in increased cost: Many respondents conduct audits on an ad-hoc basis rather than as a scheduled effort of an enterprise risk-management program. Given the inability to forecast audit and remediation spending, budgetary control is lost, exacerbating the perceived impact of compliance efforts.
  • Lack of controls automation, limited process maturity: Audit fatigue can be attributed to a lack of controls automation and unmanaged IT audit processes. Limited controls maturity (i.e., repeatable and sustainable controls enforcement and audit processes) constrains IT innovation due to the uncontrolled costs associated with IT audit and issue remediation.
- more info


CIOs controlling costs in the new year

As CIOs move into the new year they are faced with reduced budgets and rising costs. One of the first things they are doing is establishing standardized metrics to identify and control costs. Metrics are the key.

As that process proceeds, Janco suggests that CIOs then do the following to control costs in the new year:

  • Justify hardware and applications - Underutilized or old systems should be taken out, and workloads should be shifted to more efficient hardware. Rationalization and consolidation programs can reduce the number of servers deployed.
  • Consolidate data center sites and server farms - Financial savings often follow consolidation of multiple sites into a small number of larger sites.
  • Manage energy and facilities cost - Tools and techniques include raising the temperature of the data center to 75 degrees Fahrenheit, using outside air when possible as an alternative to air conditioning, setting up hot aisle/cold aisle configurations, and deploying server-based energy management software tools to run workloads in the most energy-efficient way.
  • Manage employee and contractor costs - Workers remain the single largest cost element for most IT organizations, accounting for as much as 50% of overall costs.
  • Eliminate or defer procurement of new assets - Servers' useful life often exceeds their amortized life, so monitor the condition of hardware carefully.
  • Monitor energy consumption - Advanced monitoring, modeling, and measuring techniques and processes are essential to the adoption of many new technologies and to going green.
- more info


Security Manual Template

As enterprises move more of their business transactions online, they face the challenge of defending a perimeter that grows increasingly porous. The network firewalls that once locked down the enterprise perimeter are ineffective against Web-based threats such as SQL injection, cross-site scripting, and DDoS attacks. By exploiting common Web application security flaws, these attacks are able to cause tremendous business disruption, particularly through the theft of sensitive enterprise information as well as customer and employee personal data.

Security Manual Template

ISO 27000 / HIPAA / SOX / CobiT Compliant
Includes PCI DSS Audit Program
Table of Contents   Order

The IT Security Manual Template provides all the essential sections of a complete security manual and walks you through the creation of each one. Detailed language addressing more than a dozen security topics is included in a 230-plus-page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements. The template includes sections on critical topics such as:

  • Risk analysis
  • Staff member roles
  • Physical security
  • Electronic Communication (email / Smartphones)
  • Blogs and Personal Web Sites
  • Facility design, construction and operations
  • Media and documentation
  • Data and software security
  • Network security
  • Internet and IT contingency planning
  • Insurance
  • Outsourced services
  • Waiver procedures
  • Employee Termination Procedures and Forms
  • Incident reporting procedures
  • Access control guidelines
  • PCI DSS Audit Program as a separate document
  • Security Compliance Checklists
  • Massachusetts 201 CMR 17 Compliance Checklist

- more info


Safety Program Updated by Janco

Effective management of worker safety and health protection is a decisive factor in reducing the extent and the severity of work-related injuries and illnesses. Effective management addresses all work-related hazards, including the potential hazards that could result from a change in worksite conditions or practices. Additionally, it addresses hazards whether or not they are regulated by government standards.

The electronic document includes proven written text and examples for the following major sections of a disaster recovery plan:

  • Policy Statement
  • Safety Rules - including a check list of standard proven rules
  • Accident Investigation Process
  • Hazard Recognition and Control
  • Safety Committee including membership and procedures
  • Training including guidelines for orientation, job instruction, Supervisor training as well as specialized training
  • Communication including for management and employees
  • Record Keeping including inspection; accident investigation; training and coordination with Safety Committee.
  • Job Description for Safety Director (ADA compliant)
  • Technical Appendix including definition of necessary phone numbers and contact points; and sample forms:
    • First Report of Injury
    • Safety Audit Checklist
    • Alternate Work site Safety Checklist (i.e. work at home)

Order Safety Program Download Safety Program

There is an extensive description that shows how a full test of the Safety Program can be conducted.

- more info


Security Manual Template gives CIOs one more tool

A business-driven approach to security is different from a technology-centric approach in that the business goals drive the requirements for securing the enterprise. Many enterprises take a bottom-up approach to security because security solution vendors, more often than not, promote this approach to their clients. To close identified security gaps, enterprises broaden and bolster their defenses by continually building on top of or adding to their existing security investments. This technology-centric methodology often creates an excessively complex and disjointed security infrastructure. It becomes difficult to manage and prone to unseen vulnerability gaps, needlessly escalates IT costs, and eventually fosters unnecessary operational inefficiencies that inhibit business growth rather than enhance it.

Instead of trying to protect against every conceivable threat, organizations should understand and prioritize the security risk management activities that make the most sense for their organization. By understanding the level of risk tolerance within the organization, the IT team can more easily focus on mitigating the risks that the organization can't afford to neglect. Overemphasizing certain risks leads to wasted resources and effort, while underemphasizing others can have disastrous consequences.

The Janco Security Manual Template addresses these issues and is a quick way for CIOs to overcome them.

- more info


How to establish a telecommuting policy - Infrastructure

Organizations that have or want to establish a companywide telecommuting program should establish a formal, written telecommuting policy document that is regularly reviewed and updated by IT, human resources, legal, and finance. This will ensure that managers and the corporate services and technical support groups within the organization are aware of their respective roles and responsibilities for enabling and supporting telecommuting. It also will help ensure that telecommuting employees know their responsibilities too, along with the new company and approved third-party applications and support services available outside company facilities. - more info


Feds peg unemployment at beyond 10%

The federal government's recent jobs report pegs unemployment at 10 percent (arguable, maybe). So, what's the outlook in IT? Two recent studies tell us that it's still the winter of our recession.

Janco Associates' most recent report shows IT hiring and spending to be as frigid as the weather fronts sweeping across the U.S., and salaries are just as icy. A study from Computer Economics mirrors Janco's report on IT hiring. But then it offers a ray of sunshine, predicting that the share of those who plan to spend more has jumped from 11 percent in 2009 to 52 percent in 2010.

- more info


IT Salaries Stay Flat According to Janco 2010 Salary Survey


Janco has just released its January 2010 IT Salary Survey. The major findings are:

Order Salary Survey     Free Salary Survey

  • Many companies have instituted hiring and spending freezes in addition to laying off staff. This has been augmented by extensive outsourcing, bonus reductions, and the elimination of IT contractors, which has decreased the demand for IT professionals and in some cases lowered wages, with higher-priced positions being eliminated.
    • Layoffs have focused on middle management and IT support staff.
    • Many mid-sized enterprises have stopped hiring altogether.
    • There are over 200 IT professionals in the Metro New York area who earned well into six figures and are looking for work due to mergers, bankruptcies, and layoffs.
  • Layers of middle management have been eliminated and the number of direct reports has increased for many IT Directors, Managers, and Supervisors.
  • Enterprises that have cut costs in lieu of laying staff off are now planning to institute a round of layoffs in order to meet "their numbers" for 2010.
  • Companies are continuing to reduce the benefits provided to IT professionals.
    • Personal and company bonuses have been reduced if not eliminated altogether.
    • Raises have been eliminated by many. For example, in a survey conducted by Redmondmag.com it was reported that 36.5% of Microsoft employees saw no raise in 2009.
  • Hiring is limited to a few selected positions as enterprises continue to cut costs.
  • There is now a surplus of seasoned IT professionals available. For the second time in less than ten years, retirements are being put off because of the downturn in the stock market and the resultant reduction in the savings available to support IT professionals as they retire. Added to this is an influx of retirees who are looking to get back into the job market due to the massive reduction in their investment portfolios.
- more info


Retirements put on hold for IT professionals

The IT career sector has been ravaged by the recession; however, experts say that it has weathered the storm better than most. (For example, data from the U.S. Bureau of Labor Statistics for the third quarter of fiscal year 2009 indicated that unemployment rates for several key IT positions averaged 5.8%, which is substantially lower than the overall Q3 U.S. average unemployment rate of 8.9% for all fields.)

But budget cuts and layoffs have forced many IT departments to make do with less, leaving older IT workers vulnerable to younger employees whose skills may be more up to date and who are often willing to take less pay, work more hours and take on less desirable assignments.

Benefits

Order Salary Survey     Free Salary Survey

Overall, the recession has had far more of an economic impact on late-middle-aged adults. In an April Pew Research Center study of 2,969 adults aged 50 to 64, nearly 75% said the nation's economic problems are making it difficult to afford retirement.

Nearly two-thirds of those surveyed in that age bracket said their 401(k) accounts or individual stocks have been clobbered, with two in 10 claiming that their investments have lost 40% of their value and another four in 10 saying nearly 20% to 40% of their retirement funds have been erased.

- more info


Copying music is not "fair use"

A federal judge approved a $675,000 fine that a jury assessed against Boston University doctoral student Joel Tenenbaum for illegally sharing 30 copyrighted songs.

But in an unusual decision, the U.S. District Court judge expressed "very, very" deep concerns at the "astronomical penalties" available to music companies under copyright laws. The court would have been willing to consider a fair use defense in the case but concluded that the manner in which the arguments were presented by the defense counsel made it all but impossible for her to do so.

In this case, the damages were assessed after the defendant admitted to illegally downloading the contested songs during a brief jury trial in July. Before the trial had even begun, the judge had forbidden the defendant from asserting a "fair use" defense in the case.

The fair use doctrine allows for the use of copyrighted material without permission from the rights holders in certain circumstances, including nonprofit academic purposes, or if the copyrighted work is used in a different way for a limited purpose such as to comment or criticize something.

- more info


Users demand support for iPhone and Droid

CIOs indicate that 80% of their users are demanding, not requesting, support for the iPhone and Droids. This is not too surprising given that, even in the face of an overall recession and cutbacks on discretionary spending, consumers are still purchasing iPhones and Droids at their own expense at unprecedented rates. Simply put, the iPhone and Droid are the most compelling mobile devices ever made, and users from the executive suite down are all demanding that their enterprises support them.

At the same time, nearly 30% of all CIOs say that they have already experienced a security breach due to employees' use of unauthorized mobile devices. This puts CIOs in a difficult position. How can they respond to this overwhelming user demand for the iPhone and Droid while still meeting their strict requirements for security, management, and control on a device that they know users are already using, and will continue to use, extensively for personal purposes?

These new device platforms create opportunities for corporate IT to:

  • Simultaneously increase enterprise productivity and reduce the overall mobility spending
  • Embrace the "consumerization" of enterprise mobility in a controlled way

The key to taking advantage of these opportunities is bridging the gap between the "personal" and "protected" with a solution that enables IT to control and secure the devices in its organization.

- more info


Survey shows trade secrets are at risk from terminated employees

A recent survey by the Ponemon Institute of almost 1,000 individuals who were laid off, fired or quit their jobs shows that 59% admitted to stealing company data and 67% used their former company's confidential information to leverage a new job. Security policies help to mitigate the risk if they are implemented correctly.

The firm found that 61% of respondents who felt negatively about the company took data, while only 26% of those with a favorable view did. Only 31% of those surveyed said they had "trust" in their former employer to "act with integrity and fairness," 25% were "unsure" and 44% did not have trust. Of the individuals surveyed, 37% said they were asked to leave, 38% said they had found a new job and 21% moved on because they anticipated lay-offs.

The respondents described their work roles as 20% corporate information technology, 10% financial and accounting, 24% sales, 8% marketing and communications, and the remainder spread across fields that include general management, logistics and transportation, research and development, and human resources. They came from close to two dozen vertical industries, such as manufacturing or healthcare, as well as education and government.

Trade secrets are increasingly becoming a company's most valuable assets, and not surprisingly, threats to those assets have increased concomitantly. The greatest threat to company data is, of course, not outsiders but a company's own employees. A company's ability to protect against rogue employees (as well as against unintentional harm) is governed by both federal and state laws, which vary by jurisdiction and, worse, are in a state of flux in many of those jurisdictions.

- more info


Mobile workforce security and business continuity CIO issue

Providing IT support to employees is always a challenge, but now organizations have to contend with a multitude of factors that are complicating the support picture. Remote employees (those who travel, telecommute, or work in branch offices without dedicated IT staff) are growing in number. As the ranks of these employees increase, organizations need to contend with providing support and managing far-flung devices. Not only is end-user productivity at stake, but organizations also have to deal with IT governance, regulatory compliance, and security issues. As the workforce becomes increasingly mobile, security concerns move beyond traditional risks such as malware to include the considerably more significant threat posed by lost or stolen laptops.

Security policies and procedures, along with disaster recovery / business continuity plans, are necessary to ensure compliance with IT policies and are now key to providing support and mitigating the security risks posed by the remote workforce.

- more info


Security, for many IT organizations, is an afterthought

Security defects in the Web application layer can allow attackers to steal data, plant malicious code or break into other internal systems. Some of the most common vulnerabilities include SQL injection and cross-site scripting flaws, and authorization and authentication errors. The massive data thefts at Heartland Payment Systems and several retailers recently resulted from SQL injection errors that allowed intruders to insert malicious code into their enterprise networks.

The number of security flaws in Web applications continues to grow and will likely dominate the security agenda for years to come, according to a report by security specialist Cenzic.

Almost 80 percent of the more than 3,000 software security flaws publicly reported so far this year have been in Web technologies such as Web servers, applications, plugins, and Web browsers. That number is about 10 percent higher than the number of flaws reported in the same period last year, and nine out of 10 of the flaws were found in commercial code.

Similar numbers have been reported by others. A mid-year trend and risk report released by IBM showed that Web application threats have become the No. 1 source of security pain for enterprises. Attacks targeting these flaws have also risen sharply, in some cases doubling in less than a year.

The numbers suggest that vendors and Web application owners need to address Web application security issues, said Cenzic's CTO. The kind of "significant muscle" the industry put into dealing with network and perimeter-based software vulnerabilities has been missing when it comes to application security, he said. "This is going to be a long-winded process."

Though the security risks posed by such vulnerabilities have been well understood for years, a large and growing number of companies continue to be exposed to them. Part of the growth in vulnerabilities is tied to the rising number of Web applications and new Web sites. But buggy Web software products and sloppy in-house development processes continue to be huge issues, too.

Roughly 90 percent of the vulnerabilities analyzed by Cenzic for its report existed in commercial, off-the-shelf software from both big and small vendors. Much of it appears to be the result of a continued emphasis on time-to-market at the expense of secure coding practices. IT organizations are being measured on how fast they can respond to market pressures as opposed to how secure a system they can build.

- more info


What are security policies and procedures

Security policies and procedures may appear primarily defensive in nature, but they also enable more reliable business operations. When line managers and executives are confident their operation procedures can and will function under a range of circumstances, these processes will be more adaptive to the changing demands of the market:

  • Would an executive be willing to sign off on a new project to launch a Web-based customer service portal if she was not sure the customer database was secure?
  • Would a CIO allow employees to use their personal mobile devices to access corporate email and databases if those devices were not properly secured?
  • Could an IT administrator support remote networks without proper monitoring and management tools?

Security Information Management and other security measures reduce the likelihood that concerns about security will curtail innovation. As the demands for compliance grow, businesses need tools to monitor and respond to security incidents and to document and report on their ability to respond. Security policies and procedures can help reduce the time and staff resources required to meet immediate compliance requirements as well as facilitate compliance over the long term.

- more info


Cloud storage for DRP and SOA is the wave of the future

The advent of cloud computing and service-oriented data protection is mutating the role of backup administrator. The backup process is becoming a service offering by the IT department as part of the internal cloud's application service level agreement.

The backup administrator's role is transforming from the traditional "tape jockey" into a "data protection policy manager". An example of this is the push by many to make network backup more of a policy engine for backup and disaster recovery – business continuity.

Three recent advancements in technology are beginning to transform data center operations and the role of the IT Administrator:

  • Virtualization (Server and Storage)
  • Disk-based continuous and snapshot data protection
  • Data Deduplication

Virtualization (Server and Storage): The role of server virtualization is to provide an abstraction layer between the server hardware and applications, so they can be moved between servers at will, and the role of storage virtualization is to provide the same abstraction between the servers and the storage.

The ability to abstract applications and storage from the actual hardware makes the hardware a commodity, enables applications to be moved from one server to another at any time without downtime, and allows storage to be purchased based on price and reliability rather than on functionality in the firmware.

Storage virtualization also facilitates the movement of data. Application data can be moved anywhere, anytime, based on performance or other requirements via a policy created by the IT admin.

Disk-based continuous and snapshot data protection: Adding continuous data protection (CDP) and snapshots to the mix eliminates the need to do bulk transfers of data over the network to make actual backup copies. The definition of a backup is a copy of the data, and it has to be a full copy to actually be a backup.

The backup copy must be separate from the production copy, and must be stored on physically separate hardware or storage media. Once the base copy is available, that copy can be used as the source for snapshots so that the primary copy is unaffected.

In order to accomplish real-time non-disruptive snapshots, the copy must be continually updated via CDP technology to capture any new information between snapshots. Instead of the traditional method of backing the data up with a bulk copy operation, data is simply always protected, continually through CDP, and periodically via the snapshots.

Data Deduplication (DD): So far, we have virtualized everything, implemented continuous protection for our critical data, and are making periodic snapshots of everything else. Backup is the killer application for DD, but DD also helps make DRP/BCP much more efficient. The reason backup is the killer application is that a full backup copies the same files over and over again. As an example, let's take a law firm with 500 desktops running Excel that are backed up using weekly full copies with a 30 day retention.

How many copies of excel.exe do you need to store? Without DD, the first week there are 500 copies of it on tape, the next week there are 1000, the week after that there are 1500 copies, and the last week there are 2000 copies of that one file before the tapes are overwritten.

Now extrapolate that out to every file in the organization. You can see how quickly it adds up. If you do the math, using typical backup operations and retention requirements, 20TB worth of data with a 2% change rate and 3% growth rate will require over 101TB of media storage if retained over 5 weeks.

With DD, the same 20TB with the same growth and change rate at a 7:1 DD ratio could be stored in about 24TB. (101TB - 24TB = a savings of 77TB worth of space!) You can begin to see how much money you can save over time here. But that's not the main benefit of DD.

The main financial benefit of DD (besides less media and storage) is how it saves WAN bandwidth for data replication. WAN bandwidth is typically a recurring monthly cost, and although the cost has been going down, it's still a major part of most IT budgets, which is the reason many companies are still shipping backup tapes offsite for disaster recovery. Imagine being able to get data replicated offsite electronically more efficiently and at a lower cost than shipping and storing tapes!
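As an added illustration of the excel.exe arithmetic above (not code from the original article), the following Python simulates weekly full backups of 500 desktops with a four-full retention window and compares media use with and without hash-based deduplication; the file names, contents and sizes are constructed stand-ins.

```python
import hashlib
from collections import deque

HOSTS = 500           # desktops in the page's example
RETAINED_FULLS = 4    # weekly fulls kept under a 30-day retention before tapes are reused
SHARED_EXE = b"EXCEL-BINARY-IMAGE " * 128   # constructed stand-in for the identical excel.exe


def host_backup_set(host_id: int, week: int) -> dict:
    """Constructed backup set for one desktop in one week (not real file data).
    excel.exe is byte-identical on every host; the user's workbook changes every week."""
    workbook = f"host{host_id}-week{week}-ledger".encode() * 16
    return {"excel.exe": SHARED_EXE, f"ledger{host_id}.xlsx": workbook}


def content_id(data: bytes) -> str:
    """Content hash used as the dedup key: identical bytes map to one stored chunk."""
    return hashlib.sha256(data).hexdigest()


def simulate_weekly_fulls(weeks: int, hosts: int = HOSTS, retained: int = RETAINED_FULLS) -> dict:
    """Run `weeks` weekly full backups of `hosts` desktops and compare media use
    with and without deduplication over the retention window."""
    exe_id = content_id(SHARED_EXE)
    window = deque()              # retained weekly fulls, each a list of (content_id, size)
    exe_copies_by_week = []       # copies of excel.exe on media without DD, per week
    for week in range(1, weeks + 1):
        full = [(content_id(data), len(data))
                for h in range(hosts)
                for data in host_backup_set(h, week).values()]
        window.append(full)
        if len(window) > retained:
            window.popleft()      # oldest tape set is overwritten
        exe_copies_by_week.append(sum(1 for f in window for cid, _ in f if cid == exe_id))
    # without DD every file of every retained full occupies its own space on media
    raw_bytes = sum(size for f in window for _, size in f)
    # with DD there is one physical copy per distinct content hash across the window
    unique = {cid: size for f in window for cid, size in f}
    dd_bytes = sum(unique.values())
    return {
        "exe_copies_by_week": exe_copies_by_week,
        "exe_copies_with_dd": 1 if exe_id in unique else 0,
        "raw_bytes": raw_bytes,
        "dd_bytes": dd_bytes,
        "dd_ratio": round(raw_bytes / dd_bytes, 1),
    }


if __name__ == "__main__":
    for key, value in simulate_weekly_fulls(weeks=6).items():
        print(f"{key}: {value}")
```

Only the shared binary deduplicates here because every constructed workbook is unique; in a real estate the ratio depends on how much content repeats across hosts and weeks.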

In summary, the steps to create an internal corporate cloud are:

1. Virtualize everything so application and data location are irrelevant.
2. Continually protect, rather than use a bulk copy backup for data protection, which will change the physics of backup by removing the need to move large amounts of data at the same time.
3. DD everything so it can be stored and moved efficiently.
4. Create policies for storage tiers and data life-cycle, and apply those policies on the objects being stored (files, blocks, and tapes) so that the entire data life-cycle is automated, and everything moves to where it belongs based on that policy.

 

- more info


Pandemic Disaster Recovery and Business Continuity Planning First Steps

It is not possible to estimate the number of cases of swine flu (H1N1); England alone has over 100,000 infections and over 100 deaths. A worldwide pandemic is occurring. Young, obese, and pregnant individuals are primarily affected. The virus is easily destroyed; most cleansers will work, and it appears to remain viable about 7 hours on a hard surface and one hour on porous fabric. Patients are most infectious when first coming down with the flu, but remain infectious throughout the illness.

Disaster Planning documentation needs to be updated. In addition, businesses should take common-sense precautions before the pandemic, such as having disinfecting wipes available, having employees and visitors wash their hands with soap, using disposable towels in toilet areas, and having employees stay at home if they are feeling ill.

Organizations should start preparing now to operate in a quarantine scenario. A key word is cluster: when there are a number of related infections in a department or facility, you can expect to see it close for ten to twenty days, with people either voluntarily not going there or being directed not to go to that location.

Two of the most important issues are how to keep Information Technology and Computer Operations running. CIOs and IT managers need to start asking hard questions right now about how operations will continue if a significant number of people get sick. Technical people do not tend to look at all of the parts of the system, and you do not want to wait until you are in a flu situation before you start asking questions, only to find out that everything except backups and fund transfers can be done remotely.

Janco has just issued a pandemic press release on how to update your disaster recovery plan.

- more info


Poor access controls encourage internal data breaches

Poor access controls cause most security and data breaches. A solution is to implement access controls that restrict each administrator to the specific tasks they are permitted to perform, without disclosing the root password. This would help prevent the majority of data breaches that have occurred. Insider attacks depend upon access, and the following common practices are inherently insecure and expose the enterprise to significant risk:

  • Full access to the network and user accounts. Even junior-level administrators have access to the network and to user accounts, so they can reset passwords, restart servers, and perform other administrative tasks. Of course, this may mean they can use the passwords of other users, if so inclined. This practice is even riskier in the Unix/Linux environment where it is a common occurrence for an entire IT department to share the root password for convenience at the expense of security.
  • Full access to the operating system of servers through a senior administrative account. Senior network and system administrators must have superuser (root) access to do their jobs. These privileged accounts are usually required for system functionality and are created when the system is installed. They can bypass system controls to access or destroy sensitive information. Superuser accounts make a variety of attack techniques possible, including the planting of logic bombs during system upgrades.
  • Unauthorized access to a privileged account. An example of this is seen when an unauthorized user may retrieve privileged account information for a database from an application server's configuration file, and subsequently use the credentials in a Structured Query Language (SQL) session over the network to retrieve or modify sensitive data.
  • Compromised encryption keys. This is commonly seen from any employees that have access to the operating system. System administrators know where to find these encryption keys, and they are frequently stored without security or encryption of any kind. Once encryption keys are stolen, all the vulnerable encrypted data is compromised.
  • Unauthorized uses of administrative access. Administrative accounts have been called the "keys to the kingdom" because they have unrestrained access. In native environments, someone with administrative access can destroy audit data to cover their tracks while committing fraud by changing databases whose data is used to create financial records and statements. Worse yet, entire applications or databases are at risk of being destroyed.
- more info


Air Force activates new cyberspace defense unit

The Air Force has activated a new communications organization that will support the Air Force's Space Command, a command that combines space and cyberspace operations under one organization. The new 689th Combat Communications Wing, headquartered at Robins Air Force Base in Georgia, specializes in deployed communications.

The wing will play a support role in combat theaters where resources are sparse, such as Afghanistan, and in humanitarian aid operations, according to the Air Force. The dedicated cyber command, the 24th Air Force, reports to the Air Force Space Command. The Air Force created the cyber command this year, and it became operational Aug. 18.

As the Air Force activates the Combat Communications Wing, it fills a critical security niche. The 24th Air Force's integration under Space Command represents a landmark in Air Force operations, combining space and cyberspace under a single organization. Like traditional Air Force units, the 24th is set to provide forces for combat -- but unlike traditional units, these forces can also conduct cyber warfare.

The CCW is the newest of three sub-organizations supporting the 24th Air Force; the other two are the 688th Information Operations Wing and the 67th Network Warfare Wing.

The CCW nationwide will comprise roughly 6,000 active duty, reserve and National Guard airmen, as well as civilian and contractor support from the 3rd and 5th Combat Communications Groups, ten Air National Guard Combat Communications units and four Air Force Reserve Combat Communications squadrons.

- more info


Harm threshold a concern to Congress

The so-called "harm threshold" provision was included in an interim final rule published late last month by the U.S. Department of Health and Human Services (HHS) implementing a bill requiring breach notification for unsecured health information. Under the provision, health-care entities would have to publicly disclose data compromises only if they think the breach would cause financial harm to those whose data was compromised or hurt their reputation.

In a letter dated Oct. 1, members of the House committee asked HHS Secretary Kathleen Sebelius to revise or repeal the new provision at the "soonest appropriate opportunity."

The letter noted that the new harm threshold provision runs counter to Congress' intent in passing the breach notification bill. The bill's statutory language does not imply a harm standard, Waxman wrote. In fact, in drafting the bill, Congress had explicitly rejected the idea of including such a provision because of the "breadth of discretion" it would have given a breached entity, the letter said.

The health-care breach notification law is part of the $20 billion Health Information Technology for Economic and Clinical Health Act (HITECH) that was passed by Congress earlier this year as part of President Obama's economic stimulus plan. The law, which went into effect last week, requires any organization covered under the Health Insurance Portability and Accountability Act (HIPAA) to notify patients of a data breach involving their personal health information. Companies that use encryption and data destruction methodologies to render sensitive health information unusable and unreadable to unauthorized individuals are exempt.

- more info


Mobile Device Security Options

Because mobile devices reside outside the company firewall and beyond the reach of corporate security policies, they are often where unauthorized activity can occur. Users can inadvertently pass viruses, spyware, and other malware to the company network through the VPN. It still matters that a network has a formidable configuration of layered security, but when a notebook or smartphone is lost or stolen, the data stored on the device is exposed. Enterprises have to have ways to protect that data regardless of its location or the place of the breach. Options available to the enterprise include:

  • VPN - Many enterprises use Internet Protocol Security (IPSec) VPNs, but the fact that IPSec works at the network layer can expose the entire network to malware found on remote machines. Secure Sockets Layer (SSL) VPN technology works at the transport layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack and is session-oriented, offering more precision in granting access - even down to a specific application, file or window of time. Some vendors are offering all-in-one appliances that package not only VPN working on both layers, but also firewall, intrusion prevention and network antivirus.
  • Network Access Control (NAC) - NAC gives the network the ability to grant access to a device based on preset criteria, and then monitor it throughout its connection cycle. If the device behaves in a way that is out of line with policies, it is quarantined, given an opportunity to remediate and then disconnected if it remains noncompliant.
  • Encryption - A data-level form of protection, encryption is centrally managed and updated. It works by jumbling data according to a complex algorithm that machines are able to unlock once they have been authenticated. Everything from a single file to the entire hard disk can be encrypted.
  • Intrusion detection and prevention - Intrusion detection and prevention systems focus on identifying incidents, logging information about them, taking action to stop intrusions and reporting incidents to administrators for further review. These systems work well to stop unusual IPs and to block worms, botnets and other malware. They add an additional layer of security between the firewall and antivirus software.
  • Remote Lock Down and Data Destruction - Credentials and devices that are tagged as inactive can have "self destruct" or "remote lock down" code downloaded and activated in such a way that all of the "sensitive data" on the remote device is "erased" and the device is put in a state in which it is not usable without intervention by the enterprise. Extreme care should be used if this option is chosen, and the help desk should have procedures in place so that devices remotely locked down in such a manner can be re-activated.
  • Data leakage protection - You can secure data, regardless of where it is in relation to the network, with data leakage prevention (DLP) technology. DLP solutions tag data based on a set of criteria such as location of data, application type, file type, keywords and common data strings. These tags alert IT when the data is being used in a certain manner. DLP can prevent the data from being copied, e-mailed, sent via IM, printed, saved to a different device, changed to a different file type or otherwise altered.

- more info