News
How companies protect laptops is an issue
More than 50% of organizations surveyed indicated that they protect sensitive information with encryption software. A further 43% reported the use of asset tracking software. Simply knowing where all mobile computers are located is a powerful security measure; however, traditional IT asset management solutions are designed to track only those laptops that connect over a local area network (LAN) or virtual private network (VPN) connection. For a large proportion of laptop users, returning to head office is an intermittent event, allowing many laptop computers to remain below the radar of IT.
Encryption software is commonly referred to as the computer security fallback. In the event that a computer protected by organizational policy and physical deterrents is stolen, sensitive information on the laptop is rendered unreadable by encryption. For encryption software to be effective, however, laptop users must consistently and accurately follow company encryption policy. Even more worrisome is the fact that more than 30% of companies believe employees are actively involved in the theft of company computers. Armed with the passwords and encryption keys needed to access data, disgruntled or dishonest employees represent a threat that cannot be addressed by encryption alone.
The common failing of these laptop security measures is that they rely heavily on the diligent action of laptop-using employees to remain effective. If a cable lock is not used, an authentication password is taped to the keyboard for convenience, or a regular encryption process is not completed, organizations remain unnecessarily vulnerable to a public data breach. By the same token, complex, expensive and ultimately productivity-dampening security measures may be effective but greatly reduce the benefits of laptop computers. Endpoint security solutions complement other security measures by providing a final, user-independent layer of protection.
Data breaches continue to be CIOs' concern
The FBI received a record number of complaints in 2008, and the associated direct cost of the frauds carried out with stolen data was $265 million versus $235 million in 2007. Adding to this is the challenge of securing personal information and intellectual property data. Companies are granting access to more systems and information: bank customers access account balances; workers maintain their own 401k and investment accounts; web shoppers place orders and make purchases with a single click; and business partners work on projects in a collaborative manner online.
To reduce the risk of a data breach or theft, organizations must adopt new tactics. In addition, companies must address e-mail and Web security along with employing a functional data loss prevention strategy. The application of multiple security techniques is required to reduce risk. For example, there must be a way to control spam and block the downloading of malicious software from poisoned Web sites. In today's open Web 2.0 and social networking environments, companies need a way to defend against attacks and protect secret or sensitive data. At the same time, they must maintain a flexible and responsive infrastructure to support today's business working habits.
The Janco Security Manual Template has helped over 2,000 enterprises world-wide to meet these requirements.
Pandemic Disaster Recovery Plans At Risk
Pandemic disaster recovery planning should consider the impact the H1N1 flu virus could have on the Internet if workers and students are forced to stay home because of the pandemic. Officials at the U.S. Government Accountability Office weighed in on the potential for clogged networks in a 71-page report.
Although the issue has been raised before by various ISPs and network carriers, recent worries have focused on securities firms that depend on third parties to clear trades and process payments over the Internet, according to the GAO.
"Internet congestion during a severe pandemic that hampers teleworkers is anticipated, but responsible government agencies have not developed plans to address such congestion and may lack clear authority to act," the GAO warned.
Internet backbone congestion from a pandemic is not a major concern. The larger problem may be with the network "edge" or "last mile" in the residential portion of the Internet. Janco says that work-at-home strategies for organizations may not work as advertised, because residential Internet access may not be sufficient. This applies to both the capacity and the bandwidth available at work-at-home sites.
Often many residential DSL users share a single DSLAM connection at the carrier's switching office to reach the backbone, contributing to congestion problems. Last-mile DSL and cable modem networks are where remote access falls apart.
While the network-edge impact would vary by neighborhood, the Centers for Disease Control planning guideline assumes that 40 percent of the workforce might not be in the workplace for an extended period of time during a pandemic.
Best Practices for CIOs and IT Departments
Business continuity is not just a good business practice; it can mean success or failure if data and applications on a production server are lost. Disaster recovery planning ensures organizations have the capability to continue essential functions across a wide range of situations that could disrupt normal operations. High availability is the cornerstone of most business continuity plans and is one of the reasons for evaluating and deploying data protection solutions. However, traditional data protection strategies focus on just the data and not the application.
CIOs and IT departments design the organization's infrastructure
with continuity of business operations in mind. However, most organizations are
not doing enough to protect mission-critical data, applications and systems
from unexpected disruption and potential loss -- volatilities, such as viruses,
power outages, natural disasters, corruption, human error and media failures
can't always be prevented. Environments today are characterized by rapid data
growth, complexity, stringent business requirements and the increasing
government regulations, making it difficult for organizations to get their arms
around their data protection strategies. In many cases, the focus is on just
protecting data - not necessarily on recovering it. And when there is a focus on
recovery, it usually involves just making data available to an
application.
Audit Fatigue is Setting In for Some
(Internet Research Group) - Regulation is a part of business, regardless of company size, industry, or geography. In addition, for the most part, the larger the enterprise, the larger the potential for non-compliance risk. Non-compliance can mean a number of things - sanctions, fines, legal action, market value impact - and the cost of remediation may exceed the perceived cost of prevention.
Audit program is required
The results support the term audit fatigue: unmanaged IT audit efforts within regulated organizations have a negative business impact on IT resources and reduce IT efficiency. However, respondents are largely aware of and interested in tools to automate audit processes and controls as a means of overcoming audit fatigue and freeing up IT budget and resources for innovation rather than compliance. The findings are as follows:
- Compliance impact is increasing, resulting in high audit frequency and number: As can be expected, larger organizations must satisfy a number of IT audits. Small to mid-sized enterprises (SMBs) are also subject to an increased level of compliance requirements, resulting in more IT audit engagements than expected. Given the lack of consistent IT standards across industries and geographies for audit criteria and reporting, compliance efforts - i.e., IT audit and remediation - are largely manual.
- Audit costs are unmanaged, resulting in increased cost: Many respondents conduct audits on an ad-hoc basis rather than as a scheduled effort of an enterprise risk-management program. Given the inability to forecast audit and remediation spending, budgetary control is lost, exacerbating the perceived impact of compliance efforts.
- Lack of controls automation, limited process maturity: Audit fatigue can be attributed to lack of controls automation and unmanaged IT audit processes. Limited controls maturity - i.e., repeatable and sustainable controls enforcement and audit processes - constrains IT innovation due to uncontrolled costs associated with IT audit and issue remediation.
CIOs controlling costs in the new year
As CIOs move into the New Year they are faced with reduced budgets and rising costs. One of the first things they are doing is establishing standardized metrics to identify and control costs. Metrics are the key. As that process proceeds, Janco suggests that CIOs then do the following to control costs in the new year:
- Justify hardware and applications - Underutilized or old systems should be taken out, and workloads should be shifted to more-efficient hardware. Rationalization and consolidation programs can reduce the number of servers deployed.
- Consolidate data center sites and server farms - Financial savings often follow consolidation of multiple sites into a small number of larger sites.
- Manage energy and facilities cost - Tools and techniques include raising the temperature of the data center to 75 degrees Fahrenheit, using outside air when possible as an alternative to air conditioning, setting up hot aisle/cold aisle configurations and deploying server-based energy management software tools to run workloads in the most energy-efficient way.
- Manage the employee and contractor costs - Workers remain the single largest cost element for most IT organizations, accounting for as much as 50% of overall costs.
- Eliminate or defer procurement of new assets - Servers' useful life often exceeds their amortized life, so monitor the condition of hardware carefully.
- Monitor energy consumption - Advanced monitoring, modeling, and measuring techniques and processes are essential to the adoption of many new technologies and going green.
As enterprises move more of their business transactions online, they face the challenge of defending a perimeter that grows increasingly porous. The network firewalls that once locked down the enterprise perimeter are ineffective against Web-based threats such as SQL injection, cross-site scripting, and DDoS attacks. By exploiting common Web application security flaws, these attacks are able to cause tremendous business disruption, particularly through the theft of sensitive enterprise information as well as customer and employee personal data.
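The point above is that a network firewall cannot fix a flaw that lives in the application's own SQL handling. The following is an added illustration (not code from the original page or from Janco) showing the same lookup written two ways against a constructed in-memory SQLite table: one that splices user input into the query text, and one that passes it as a bound parameter so the database never interprets it as SQL. The table, column names and sample rows are assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, ssn_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The user-supplied value becomes part of the SQL text, so quote
    # characters in it change the query's structure. This is the flaw
    # a perimeter firewall cannot see.
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # The query text is fixed; the value is bound separately and is only
    # ever compared as data, whatever characters it contains.
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(conn, email):
    # Returns how many rows each variant exposes for the same input, so the
    # difference between the two implementations can be checked directly.
    return {
        "vulnerable": len(lookup_vulnerable(conn, email)),
        "parameterized": len(lookup_parameterized(conn, email)),
    }


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice@example.com"))
    print(compare(db, "' OR '1'='1"))
```

For a well-formed address both functions return the single matching row. For an input containing quote characters the vulnerable version's WHERE clause no longer restricts the result set, while the parameterized version simply finds no customer with that literal address. The fix is in the application code, which is why the text above treats application security flaws rather than the network perimeter as the real exposure.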
Security Manual Template
Includes PCI DSS Audit Program

The IT Security Manual Template provides all the essential sections of a
complete security manual and walks you through the creation of each step.
Detailed language addressing more than a dozen security topics is included in a
230 plus page Microsoft Word document, which you can modify as much or as little
as you need to fit your business requirements. The template includes sections on
critical topics like:
- Risk analysis
- Staff member roles
- Physical security
- Electronic Communication (email / Smartphones)
- Blogs and Personal Web Sites
- Facility design, construction and operations
- Media and documentation
- Data and software security
- Network security
- Internet and IT contingency planning
- Insurance
- Outsourced services
- Waiver procedures
- Employee Termination Procedures and Forms
- Incident reporting procedures
- Access control guidelines
- PCI DSS Audit Program as a separate document
- Security Compliance Checklists
- Massachusetts 201 CMR 17 Compliance Checklist
Safety Program Updated by Janco
Effective management of worker safety and health
protection is a decisive factor in reducing the extent and the severity of
work-related injuries and illnesses. Effective management addresses all
work-related hazards, including the potential hazards that could result from a
change in worksite conditions or practices. Additionally, it addresses hazards
whether or not they are regulated by government standards.
The electronic document includes proven written text and examples for the
following major sections of a disaster recovery plan:
- Policy Statement
- Safety Rules - including a check list of standard proven rules
- Accident Investigation Process
- Hazard Recognition and Control
- Safety Committee including membership and procedures
- Training including guidelines for orientation, job instruction, Supervisor
training as well as specialized training
- Communication including for management and employees
- Record Keeping including inspection; accident investigation; training and
coordination with Safety Committee.
- Job Description for Safety Director (ADA compliant)
- Technical Appendix including definition of necessary phone numbers and
contact points; and sample forms:
- First Report of Injury
- Safety Audit Checklist
- Alternate Work site Safety Checklist (i.e. work at home)

There is an extensive description that shows how a full test of the Safety
Program can be conducted.
Security Manual Template Gives CIOs one more tool
A business-driven approach to security is different from a technology-centric approach in that the business goals drive the requirements for securing the enterprise. Many enterprises take a bottom-up approach to security since security solution vendors, more often than not, promote this approach to their clients. To close identified security gaps, enterprises broaden and bolster their defenses by continually building on top of or adding to their existing security investments. This technology-centric methodology often creates an excessively complex and disjointed security infrastructure. It becomes difficult to manage and prone to unseen vulnerability gaps, needlessly escalates IT costs and eventually fosters unnecessary operational inefficiencies that inhibit business growth rather than enhance it. Instead of trying to protect against every conceivable threat, organizations should understand and prioritize the security risk management activities that make the most sense for their organization. By understanding the level of risk tolerance within an organization, the IT team can more easily focus on mitigating risks that the organization can't afford to neglect. Overemphasizing certain risks leads to wasted resources and efforts, while underemphasizing others can have disastrous consequences.
The Janco Security Manual Template addresses these issues and is a quick way for CIOs to overcome them.
How to establish a telecommuting policy - Infrastructure
Organizations that have or want to establish a companywide telecommuting program should establish a formal, written telecommuting policy document that is regularly reviewed and updated by IT, human resources, legal, and finance. This will ensure that managers and the corporate services and technical support groups within the organization are aware of their respective roles and responsibilities for enabling and supporting telecommuting. It also will help ensure that telecommuting employees know their responsibilities, along with the new company and approved third-party applications and support services available outside company facilities.