Gartner Group Sarbanes-Oxley News

Availability of e-mail is a business continuity issue
Availability of e-mail and its associated data can make or break an organization's
profit objectives, as well as determine whether it retains or loses customers. In
today's economy, the importance of e-mail takes on new meaning. Recovery time and
recovery point objectives (RTOs and RPOs) are no longer general rules. The
Exchange administrator's ability to meet or exceed the proverbial lines in the
sand, in terms of time to recover and the age of the data recovered, can mean
the difference between gainful employment and prepping for a job interview.
Questions that you need to have answers to are:
- What is the impact of e-mail downtime on today's business?
- What are the types of potential failures, both the common and the
not-so-common, along with their general probability of occurrence?
- How do you plan to mitigate the impact of these challenges to ensure
adequate levels of protection for your e-mail environment?
CIO Strategic Planning Guidelines
CIOs are now starting to develop new information technology strategies. As they
do so, they need to understand the fundamental business and operational trends
that are driving businesses and enterprises of all types to redesign their
operations. The principles that CIOs need to keep in mind are:
- Flexibility - CIOs must be able to respond to opportunities and challenges
faster than ever before. These CIOs are usually battling well-resourced
organizations that may be based where the opportunity originated, or another
globalizing company that is reaching out for new opportunities. In order to
compete, a CIO must create a strategy that helps the enterprise deliver a
product or service faster, and as good as or better than, that of potentially
any other company in the world.
- Simplicity - The increase in technology has led to increased complexity.
While per-unit costs of technology are decreasing, in aggregate IT budgets
continue to increase. With the pressure on IT to act less as a cost center and
more as a way to increase the profitability of business units, adding more
storage, more bandwidth, or additional technologies throughout the organization
is no longer an acceptable approach to managing information technology.
Instead, smart CIOs are investigating technologies like continuous data
protection, virtualization, and wireless connectivity to help IT slim down its
footprint while increasing their business's competitive advantages. The IT team
is therefore typically in a difficult position, assessing where to cut costs
while still moving forward with a plan to continually enhance IT services to
the business.
- Security and Mandated Requirements - With the growing importance of
applications and data, the sources of threats to enterprise data have
multiplied dramatically. Everything from natural disasters to criminals and
corrupt sources within the company can steal or corrupt data. While CIOs do
everything they can to stop these threats in the first place, they must still
be prepared to recover from them as quickly as possible.
- Disaster Recovery / Business Continuity - As businesses have expanded, the
need for anytime, anywhere application access has become a requirement. At the
same time, "follow the sun" (global 24/7) operations have shrinking maintenance
windows and a need for applications to be running at all times. Delay or loss
of data for any reason - system failure, natural disasters - has a domino-like
effect across the entire organization, at any time of the day or night.
Art Work in Danger - Disaster Plans Need to Address That
Natural disasters, such as the hurricanes that assault southern Florida and
Louisiana, make all of us acutely aware of our vulnerability to disaster.
Fortunately, catastrophes of this magnitude are rare, but disaster can strike
in many ways. For example, a broken water main inundated the Chicago Historical
Society; fire severely damaged the Cabildo in New Orleans; the Loma Prieta
earthquake damaged several San Francisco area museums and libraries; smoke from
an electrical fire covered collections throughout the Huntington Gallery; mold
damage threatened Mount Vernon's archival collections. Large or small, natural
or man-made, emergencies put an institution's staff and collections in danger.
Backup and Retention are a DRP issue
Traditional storage environments have many of the same problems as
distributed server farms: applications are tied to physical devices, making any
response to changing needs both disruptive and time-consuming; capacity
utilization is low; and many maintenance activities require application
downtime. The simple and straightforward solution is storage virtualization,
which decouples applications and data from the underlying physical devices.
Storage virtualization simplifies storage management, as only a single set of
tools is required for a given virtualized set of similar devices, such as a set
of disk systems.
For IT departments charged with delivering greater business value in the
face of unprecedented data growth, storage virtualization is a very attractive
way to control costs, improve
performance and maximize resource utilization.
HIPAA is a major compliance issue for CIOs in Healthcare
Because there is a high degree of mobility inherent in the work styles of most
healthcare professionals, IT must remain cognizant of where critical data is
being stored and what's at risk, on top of providing 24x7 productivity. In its
healthcare and life sciences respondent base alone, it has been said that
89% of healthcare organizations have some percentage of their employees working
away from the office at least one day per week, while 87% of healthcare
organizations have some percentage of workers telecommuting from home at least
one day per week, and more than 50% have some segment of workers telecommuting
at least four days per week. To support this mobile work style, 95% of these
enterprises have users relying on smartphones for work, usually in addition to
laptop computers.
Regulatory compliance tops the list of concerns among healthcare and life
sciences IT professionals, with 86% of healthcare IT decision-makers rating it
as a high or critical priority over the course of the coming year. Immediately
following regulatory compliance is data security, with 31% of healthcare
enterprises ranking it a critical priority and almost 60% ranking it a high
priority.
Goals of Disaster Recovery Planning Defined
The ultimate goal of a Disaster Recovery Plan (DRP) is to get your business
restarted in an acceptable timeframe. For some organizations that means within
minutes, while for others it means hours or possibly days. The cost of
operational downtime varies among businesses and industries. For example,
financial firms often calculate that cost in millions of dollars per hour,
while other industries calculate operational downtime in thousands per day.
These costs include lost business transactions, employee productivity, and
customers - not to mention regulatory penalties. The ability to tolerate these
losses generally determines business continuity strategy.
There are two types of disasters:
- Physical destruction of a location and data (or of access to the location
and data). Examples: fire, flood, earthquake, significant power or network
outage.
- Data destruction without physical destruction. Examples: hardware failure,
virus/hacker attack, software malfunction, human error.
Each of these has a different set of requirements, and your Disaster Recovery /
Business Continuity Plan needs to take them into consideration.
Social networks - big worry for CIOs
Controlling communications
on social networking Web sites is far more complex for corporations because
they're attempting to control communications on Web sites that are outside their
IT systems and that are almost continuously changing or adding to the number of
applications that can be used to network.
This is one of the reasons why popular social networking sites, such as
Facebook, Twitter, and LinkedIn, are causing a stir in the financial services
community as well as other highly regulated industries as companies seek ways to
control how the sites are used to communicate with potential clients and
colleagues.
It is a bigger issue than email and IM. For IM and email, you pretty
much use standard ports and protocols; you just have to be in the right spot in
the network to capture and monitor the traffic. That is not the case for these
social networks. Security is an issue.
Hackers focus on iPad
(Computerworld) Hackers are targeting iPad users with
bogus update messages that dupe them into downloading malicious code onto their
Windows PCs, a security researcher
said today.
The messages claim that a recent update to iTunes has been released for the
iPad, according to Romanian security company BitDefender. "It is very important
to keep the software on your iPad updated for best performance, newer features
and security," the message reads. "To get the latest version of iTunes software,
please go to ... and install the application."
The link in the message leads to a copycat of the legitimate iTunes download
site, where users are asked to approve the download of a file dubbed
"itunessetup.exe."
The file masquerading as the iTunes update is actually a Trojan horse that
injects code into Windows' "explorer.exe" process and opens a backdoor for
hackers, who then use that entrance to add more malware to the PC. The
"Backdoor.Bifrose.AADY" Trojan also tries to snatch activation keys from various
programs on the hacked
States Attack Internet Tax Free Zone
Amazon.com filed a lawsuit on Monday to fight a demand from North Carolina's
tax collectors for detailed records
including names and addresses of customers and information on what was
purchased.
The lawsuit says the demand violates the privacy and First Amendment rights
of Amazon's customers. North Carolina's Department of Revenue had ordered the
online retailer to provide full details on nearly 50 million purchases made by
state residents between 2003 and 2010.
Amazon is asking a federal judge in Seattle to rule that the demand is
illegal, and left open the possibility of requesting a preliminary injunction
against North Carolina's tax collectors.
Because Amazon has no offices or warehouses in North Carolina, it is not
required to collect the customary 5.75 percent sales tax on shipments, although
tax collectors have reminded residents that what's known as a use tax applies on
anything "purchased or received" through the mail.
Vendor management is a key to cost control
Vendor management is an area where costs and
productivity can be improved. What IT organizations must do is:
- Have a consistent and uniform message
- Know what your requirements are and what your vendor's abilities are
- Do not get locked in on price
- Have multiple suppliers
- Use both small and large vendors
- Review the relationship on an ongoing basis
Backup service providers an expanding DRP resource
Online backup
and recovery service providers have emerged from different market spaces and
have different product focuses and business drivers. These providers can be
grouped into three categories:
- Service providers leveraging existing core business resources
to expand into adjacent markets to look for new revenue
opportunities
- Service providers concentrating on server backup in niche
markets: backup and recovery only, single verticals, regional
boundaries
- Service providers whose backup and recovery service forms an
integral part of a broader spectrum of information management and data
protection services
The scope, strengths, and weaknesses of each type of online
backup and recovery service provider are characterized with respect to the
current and forward-looking requirements of companies looking to protect their
server data. Such requirements range from full system (versus data only) backup
and restore to comprehensive business continuity best practices and support.
Understanding these strengths and weaknesses can help businesses clarify their
server protection requirements and better align their selection criteria and
focus with their business goals.
Security threats are on the rise and they are costly
Companies as well as individuals need well-defined security policies and
procedures to combat security threats.
In a recently published report it was estimated that breaches cost companies
between $90 and $305 per lost record. This includes notifying customers, hiring
contractors to fix computer systems, fines and lost business. In addition, over
95 percent of network attacks are entirely financially motivated. This is
different from two or three years ago, when the attacker may have been a
college student who wanted to crash your computer. Threats today burrow deep
into computers and hide; they are a lot less visible.
Indeed, the new threats are much more sophisticated than those security
experts had foiled in the past. The easy things - viruses, Trojans and worms -
are generally stoppable by most firewalls, or certainly by inline intrusion
prevention. But now, hackers and the organizations that fund them have upped
the ante for gateway and network security.
CIOs' Major Responsibilities Are Focused
CIOs have three major responsibilities in helping enterprises succeed.
- CIOs must keep all IT systems and networks managed, optimized, and available
to contribute maximum business value at minimal cost.
- CIOs need to protect critical infrastructure against an increasingly hostile
threat environment: spyware, viruses, attacks, intrusions and human-engineered
security lapses.
- CIOs must prevent exposure to legal and regulatory compliance penalties or
breach disclosure laws. If IT fails in any one of these areas, their
organizations can go out of business, or face criminal sanctions.
In meeting these responsibilities, CIOs can no longer incrementally buy new
tools to meet any new requirement that makes headlines in the technical or
business media. Business drivers, security and compliance mandates converging
on the enterprise require a converged response. CIOs now demand solutions that
enable them to eliminate redundant technologies and processes and integrate
disparate elements into a common workflow. While established enterprise
software vendors have adopted the language of convergence and consolidation,
their product lines remain constrained by legacy architectures and designs.
Proposing radical change to their customers carries the risk of disrupting
established revenue flows, not to mention the technical risks inherent in
overhauling or replacing obsolete products.
Business
runs at a velocity unimagined a few short years ago. Complex and highly
distributed environments have grown to support an intricate web of partners,
suppliers, distributors, and customers. Service oriented architectures and
web-based applications have progressed from vision to real-world instantiation
as enterprises look to leverage technology to innovate and deliver new services.
In this new world, IT-delivered services must be available 24x7 to customers,
suppliers, employees, regulators, investors and other constituencies.
The
highly exposed nature of today's IT infrastructures
fundamentally changes how organizations manage IT assets, processes and
data. IT organizations can no longer treat resource management and maintenance
as back-end functions that can be performed at times and conditions of their
choosing. Neither is their work protected from outside scrutiny. Processes whose
success or failures were largely internal now make the difference between
business success or failure, legal compliance or litigation, prudent stewardship
or ineffective execution.
Passwords that hackers can attack
Hackers attack the most commonly used passwords. Security policies should
specifically exclude these as options for users:
- 123456
- 12345
- 123456789
- Password
- iloveyou
- princess
- rockyou
- 1234567
- 12345678
- abc123
Everyone needs to understand what the combination of poor passwords
means in today's world of automated cyber attacks: with only minimal effort, a
hacker can gain access to one new account every second - or 1000 accounts every
17 minutes, according to Imperva.
- The shortness and simplicity of passwords means many users select credentials
that will make them susceptible to basic forms of cyber attack known as
"brute force attacks."
- Nearly 50% of users used names, slang words, dictionary words or trivial
passwords (consecutive digits, adjacent keyboard keys, and so on). The most
common password is "123456".
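As an added example (not code from the original page or from Imperva), a password-policy check in Python that rejects the ten passwords listed above and the trivial patterns the text names: consecutive digits, adjacent keyboard keys, and dictionary or slang words. The minimum length, the run length, the QWERTY row layout and the tiny word list are assumptions standing in for a real policy and dictionary.

```python
import re
import string

# The ten passwords listed on the page; a policy should reject these outright.
BLOCKLIST = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Constructed stand-in for a real dictionary / slang word list (assumption).
DICTIONARY = {"love", "dragon", "monkey", "football", "welcome", "qwerty"}

# Letter rows of a US QWERTY keyboard (assumption), used to spot adjacent keys.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _has_run(s, alphabet, length):
    """True if any `length` consecutive chars of s appear, forwards or
    backwards, as a contiguous slice of `alphabet` (e.g. '3456' or 'rewq')."""
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if chunk in alphabet or chunk[::-1] in alphabet:
            return True
    return False


def check_password(pw, min_len=10, run_len=4):
    """Return the list of policy violations for pw; an empty list means it passes.
    min_len and run_len are assumed policy parameters, not values from the page."""
    low = pw.lower()
    problems = []
    if low in BLOCKLIST:
        problems.append("in common-password blocklist")
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if _has_run(low, string.digits, run_len):
        problems.append("contains consecutive digits")
    if any(_has_run(low, row, run_len) for row in KEYBOARD_ROWS):
        problems.append("contains adjacent keyboard keys")
    # Drop digits and symbols so 'Dragon123' is still caught as the word 'dragon'.
    core = re.sub(r"[^a-z]", "", low)
    if core in DICTIONARY:
        problems.append("dictionary or slang word")
    return problems


def audit(candidates):
    """Map each candidate password to its violations; useful for reviewing a
    proposed blocklist or exercising a policy before rollout."""
    return {pw: check_password(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample inputs, including the page's top entry "123456".
    for pw, issues in audit(["123456", "Dragon123", "qwerty2024!",
                             "correct horse battery"]).items():
        print("%-22s %s" % (pw, ", ".join(issues) or "OK"))
```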
Solid State Disk (SSD) is an opportunity for CIOs
While SSD carries a price premium per unit of storage capacity, it is well
worth it if it improves storage response time for users and critical
applications.
Data storage managers are making moves toward solid-state storage and
solid-state drives (SSDs), with 14% of 360 survey respondents planning to
implement them this year and nearly 40% planning to evaluate them this year (in
addition to the 7% who already have them in place). Those numbers mean that
right now many CIOs could use help in comparing SSD vs. HDD and determining
what value they'd get from implementing SSD to fix performance problems. This
is a role that's tailor-made for an operations manager and represents an
excellent value-add opportunity.
Today's cost savings increase cost of doing business

In these economic times, CIOs and CFOs are tempted to have their company's
employees hang on to their desktop and notebook computers for a couple of
years beyond the usual three-year life cycle. This way they hope to avoid the
capital expense of replacing them. However, knowledgeable professionals have
data showing this to be a false saving.
Four to five years after a laptop has been put in service it is often more
trouble than it is worth. The reasons are simple: the longer a laptop or a
desktop is in service, the greater the chance that it will need a repair, an
upgrade of an internal card, a memory upgrade, or a new OS.
After three years, hard drive failures go up dramatically, as do problems with
keyboards, screens, and batteries. In addition, outdated notebooks will cost an
organization in lost end-user productivity, since a machine that is two
generations behind current models takes longer to boot up and runs sluggishly.
When CIOs and CEOs look to trim costs, care needs to be taken so that long-term
productivity is not impacted. In addition, if employees feel they are not
productive because of "technology", once the economy improves they will find
better jobs where the technology is more current.
Security Predictions
2009 began with the biggest data breach in history. Wonder what could possibly
be in store this year? The experts have spoken and have issued their astute
security predictions for the New Year:
- Increased funding for security budgets
- New compliance regulations created and enforced by Congress
- New problems with mobile security: new mobile phone worms and Trojans
- A new key area of competition: cloud computing
- Growth in desktop virtualization
Security Manual Template Policies and Procedures
ISO 27000 (27001 & 27002) - Sarbanes-Oxley - PCI - Patriot Act - HIPAA Compliant

This Security Manual for the Internet and Information Technology is over 240
pages in length. The template is compliant with ISO 27000 (formerly ISO 17799),
Sarbanes-Oxley, Patriot Act and HIPAA and includes a PCI DSS audit program. All
versions of the Security Manual template include both the Business & IT Impact
Questionnaire and the Threat & Vulnerability Assessment Tool (both were
redesigned to address Sarbanes-Oxley compliance). In addition, the Security
Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply
specifically to security and Sarbanes-Oxley.
PCI-DSS is a global requirement
Although the Payment Card Industry Data Security Standard (PCI DSS) has become
a global requirement, many organizations are lagging in compliance. For many
companies, regulatory compliance can already be an overwhelming and confusing
area to navigate, and the need to comply with the PCI DSS might feel like yet
another burden. The PCI-DSS compliance kit fully meets enterprise compliance
requirements.
The PCI DSS security requirements apply to all “system
components.” A system component is defined as any network component, server, or
application that is included in or connected to the cardholder data environment.
The cardholder data environment is that part of the network that possesses
cardholder data or sensitive authentication data. Network components include but
are not limited to firewalls, switches, routers, wireless access points, network
appliances, and other security appliances.
Data deduplication impacts IT budgets
Data deduplication is not just altering what media companies use as backup
targets; it dramatically affects operating efficiencies, simplifies remote
office data protection, and makes disaster recovery significantly more
affordable and realistic for a much greater percentage of the overall market.
Its advent is not unlike other storage innovations where market leadership was
not necessarily determined by a technology capability, but rather the true
achievable business benefits brought about by the entire solution.

Storage is more than a mainframe peripheral and as such has a profound impact
on the entire IT industry and IT budgets in particular. Vendors are now poised
to make a major impact by illuminating a series of expensive problems within
storage environments caused by an endless array of duplicate data sprawl. CIOs
and IT professionals now realize they do not have to keep buying more and more
storage capacity as there are more efficient ways to store and manage
information - especially in secondary storage environments.
ITSM is part of the necessary infrastructure cost of IT
IT Service Management and technical support of customers is still seen by many
organizations as a necessary evil, one of the many costs of doing business. And
while providing support does add a line to your balance sheet, it also creates
a multitude of opportunities to cultivate relationships that maintain your
customer base and even grow it.

The crux of the matter is this: technical support should no longer be
perceived as a pricey "fix-it shop around back"; technical support has grown
into a revenue-generating, company-strengthening powerhouse right in the heart
of the organization. With the right tactics and technology, your support center
can realize its full potential by becoming an essential, strategic component of
your organization's success. Just as a surgeon needs the proper tools to
perform operations, so too must support center representatives have the proper
tools to get their jobs done efficiently and cost-effectively.