Messaging News ---


Big brother compliance requirement killed in Hawaii
- 01/28/2012 Lawmakers in Hawaii on Thursday killed a bill that would have
required Internet service providers to collect the detailed browsing histories
of Internet users in the state and store the data for at least two years. The
bill would have required anyone providing access to the Internet in Hawaii to
maintain "consumer records" of every Internet user's subscriber information and
data such as the IP addresses, domain names and host names of the sites they
visit. It would have covered not only ISPs but also libraries, coffee shops and
employers.

One of those opposing the bill was the U.S. Internet Service Provider
Association, which earlier in the week sent a letter to the committee's chairman.
The bill was overbroad, raised a "myriad privacy concerns," and would be hugely
expensive to comply with, the association's executive wrote.
Disaster Recovery Planning is Required for Business Continuity Planning
- 01/08/2012 Disaster Recovery Plans are part of a larger, more extensive
planning process known as Business Continuity Planning. Disaster Recovery plans
should be tested frequently so that as many individuals as possible are familiar
with the specific actions they will need to take when a disaster occurs. The
plans must also be adaptable and updated frequently: if new people, a new branch
office, or new hardware or software are added to an organization, they should
promptly be incorporated into the organization's disaster recovery plan.
Enterprises must consider all these facets of their organization, and update and
practice their plan, if they want to maximize their recovery after a disaster.

Disaster Recovery and Business Continuity Planning are the process an
organization uses to recover access to its enterprise operations (the software,
data, and/or hardware needed to resume normal, critical business functions)
after either a natural disaster or a disaster caused by humans. While Disaster
Recovery and Business Continuity plans (DRPs and BCPs) often focus on bridging
the gap where data, software, or hardware have been damaged or lost, one cannot
forget the workforce that makes up much of any organization. A building fire
might predominantly affect vital data storage, whereas a pandemic or epidemic
illness is more likely to affect staffing. Both types of disaster need to be
considered when creating Disaster Recovery and Business Continuity Plans. Thus,
enterprises should include in their DRPs and BCPs contingencies for how they
will cope with the sudden or unexpected loss of key personnel as well as how to
recover their data.
Disaster Recovery Plan First Steps
- 12/21/2011 Companies of all sizes have realized how critical it is to have a
DR plan in place, and many have given top priority to developing one. But
organizations need to know that developing a DR plan is not an overnight process
but rather something that takes thorough consideration and numerous steps.
Janco's Disaster Recovery - Business Continuity Template can help get you on the
right track with creating a disaster recovery plan, as it has for over 3,000
enterprises of all sizes around the globe.
Public cloud poses a major security risk for CIOs
- 11/10/2011 Using some clouds like Amazon's EC2 (Elastic Compute
Cloud) can pose a security threat to organizations and individuals alike,
according to researchers. Some third parties evidently are not following best
security practices when using preconfigured virtual machine images available in
public catalogs, leaving users and providers open to such risks as unauthorized
access, malware infections, and data loss.
The underlying message is that for all the power and opportunity of public
clouds, providers and users alike need to approach with caution and embrace best
security practices. Cloud infrastructure providers can't be expected to assess
the security of every image, bit, and transaction that occurs on their machines
any more than an apartment landlord can be responsible for everything that
happens within his or her complex -- that is, what tenants do behind closed
doors in the spaces they rent.
These vulnerabilities leave users exposed to malware, as well as to unsolicited
connections, which malicious hackers could use to gather information about usage
and to collect target IP addresses for future attacks through a backdoor. Because
deleting a file does not erase its contents, an attacker who obtains an image
could use tools such as extundelete and Winundelete to recover data the image's
author thought had been removed.
Researchers stressed the importance of users being properly trained in using
public cloud server images. Although public cloud server images are highly
useful for organizations, if users are not properly trained, the risk associated
with using these images can be quite high. The fact that these machines come
pre-installed and pre-configured may communicate the wrong message, i.e., that
they provide an easy-to-use shortcut for users who lack the skills to configure
and set up a complex server. The reality is quite different. Many different
security considerations must be taken into account to make sure that a virtual
image can be operated securely.
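The script below is an added example, not code from the original article or from the researchers it cites. It audits the filesystem of a VM image for the leftovers described above (the image author's SSH keys, which act as a standing backdoor, shell and database histories, cloud credentials, private keys, and accounts that still have a usable password hash) before the image is published to a public catalog. The sample tree it builds in a temporary directory, the file contents, and the detection rules are all assumptions; a real run would point audit_image_root() at a mounted image.

```python
# Added example (not from the original page or any cloud provider's tooling):
# pre-publication audit of a VM image root for secrets and backdoors.
import os
import re
import tempfile

HISTORY_FILES = {".bash_history", ".zsh_history", ".mysql_history", ".python_history"}
CREDENTIAL_FILES = {"credentials", ".boto", ".netrc", ".pgpass"}  # e.g. ~/.aws/credentials
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
LOCKED_HASHES = {"", "*", "!", "!!", "*LK*"}   # /etc/shadow values that disable password login


def read_text(path):
    with open(path, "r", errors="replace") as fh:
        return fh.read()


def audit_image_root(root):
    """Walk a mounted image root and return (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            text = read_text(full)
            if name == "authorized_keys" and text.strip():
                findings.append((rel, "authorized_keys left in image: author keeps SSH access"))
            if PRIVATE_KEY_RE.search(text):
                findings.append((rel, "private key material"))
            if name in HISTORY_FILES:
                findings.append((rel, "shell or database history"))
            if name in CREDENTIAL_FILES or AWS_ACCESS_KEY_RE.search(text):
                findings.append((rel, "cloud or service credentials"))
            if rel == os.path.join("etc", "shadow"):
                # Any account whose second field is a real hash can still log in.
                for line in text.splitlines():
                    fields = line.split(":")
                    if len(fields) > 1 and fields[1] not in LOCKED_HASHES:
                        findings.append((rel, f"account '{fields[0]}' has a usable password hash"))
    return findings


def build_sample_image():
    """Constructed image tree with typical leftovers; every value is fake."""
    root = tempfile.mkdtemp(prefix="image-root-")
    sample = {
        "home/ubuntu/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY builder@example\n",
        "home/ubuntu/.bash_history": "mysql -u root -pS3cretPass\nexit\n",
        "root/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
        "root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfake\n-----END RSA PRIVATE KEY-----\n",
        "etc/shadow": "root:$6$salt$fakehash:19000:0:99999:7:::\ndaemon:*:19000:0:99999:7:::\n",
        "etc/hostname": "web01\n",
    }
    for rel, content in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in audit_image_root(build_sample_image()):
        print(f"{rel}: {reason}")
```

Deleting the flagged files before publishing is not enough on its own: as the article notes, tools such as extundelete bring unlinked data back from the image's filesystem, so the clean image should be rebuilt from a base that never held the secrets rather than scrubbed after the fact.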
How to maximize data protection
- 11/05/2011 The top must-do tasks for maximizing data protection.
- Inventory Permissions and Directory Services Group Objects - Effective
management of any data set is also impossible without understanding who has
access to it. Access control lists and groups (in Active Directory, LDAP,
etc.) are the fundamental protective control mechanism for all unstructured
and semi-structured data platforms, yet too often IT cannot easily answer
fundamental data protection questions like "Who has access to a data set?"
and "What data sets does a user or group have access to?" Answers to these
questions must be accurate and accessible for data protection and management
projects to succeed.
- Prioritize Which Data Should Be Addressed - While all data should be
protected, some data needs to be protected much more urgently than other data.
Some data sets have well known owners and well defined processes and controls
for their protection, but many others are less understood. With an audit
trail, data classification technology, and access control information,
organizations can identify active and stale data, data that is considered
sensitive, confidential, or internal, and data that is accessible to many
people. These data sets should be reviewed and addressed quickly to reduce
risk.
- Remove Global Access Groups from ACLs (like "Everyone") - especially
where sensitive data is located - It is not uncommon for folders on file
shares to have access control permissions allowing "Everyone" or all "Domain
Users" (nearly everyone) to access the data contained therein. SharePoint has
the same problem (with "Authenticated Users"); Exchange has these, as well as
"Anonymous User" access. This creates a significant security risk, for any
data placed in such a folder inherits those exposed permissions, and those who
place data in these wide-open folders may not be aware of the lax access
settings. When sensitive data, like credit card information, intellectual
property, or HR information, sits in these folders, the risks can become very
significant. Global access to folders, SharePoint sites, and mailboxes should
be removed and replaced with rules that give access to the explicit groups that
need it.
- Identify Data Owners - IT should keep a current list of data business
owners and the folders and SharePoint sites under their responsibility. By
having this list at the ready, IT can expedite a number of the previously
identified tasks, including verifying permissions revocation and review, and
identifying data for archival. The net effect is a marked increase in the
accuracy of data entitlement permissions and, therefore, data protection.
- Perform Regular Data Entitlement (ACL) Reviews and Revoke Unused and
Unwarranted Permissions - Every file and folder on a Windows or UNIX
file system, every SharePoint site, and every mailbox and public folder has
access controls assigned to it which determine which users can access the data
and how (i.e. read, write, execute, list). These controls need to be reviewed
on a regular basis and the settings documented so that they can be verified as
accurate by data business owners and security policy auditors.
Users with
access to data that is not material to their jobs constitute a security risk
for organizations. Most users only need access to a small fraction of the data
that resides on file servers. It is important to review and then remove or
revoke permissions that are unused.
- Align Security Groups to Data - Whenever someone is placed in a group,
they get file system access to all folders that list the group on their ACLs.
Unfortunately, many organizations have lost track of which data folders are
protected by which Active Directory, LDAP, SharePoint or NIS groups. This
uncertainty undermines any access control review project and any Role Based
Access Control (RBAC) initiative. In the RBAC methodology, each role has a
list of associated groups into which the user is placed when they are assigned
that role. It is impossible to align the role with the right data if the
organization cannot verify what data a group provides access to.
- Audit Permissions and Group Membership Changes - Access Control Lists are
the fundamental preventive control mechanism in place to protect data from
loss, tampering, and exposure. IT requires the ability to capture and report
on access control changes to data - especially for highly sensitive
folders. If access is incorrectly assigned or changed to a more permissive
state without good business reason, IT and the data business owner must be
quickly alerted, and be able to execute remediation.
Directory groups are the primary entities on Access Control Lists (Active
Directory, LDAP, NIS, etc.); membership grants access to unstructured data (as
well as many applications, VPN gateways, etc.). Servers also have their own
local groups that should be audited. Users are added to existing and newly
created groups on a daily basis. Without an audit trail of who is being added
to and removed from these groups, enforcing access control processes is
impossible. Ideally, group membership should be authorized and reviewed by the
owner of the data or resource to which the group provides access.
- Lock Down, Delete, or Archive Stale, Unused Data - Much of the data
contained on unstructured and semi-structured platforms is stale. By archiving
stale or unused data to offline storage or deleting it, IT reduces risk that
stale data will be accessed by inappropriate parties, and makes the job of
managing the remainder simpler and easier while freeing up expensive
resources.
- Clean Up Legacy Groups and Access Control Artifacts - Unneeded complexity
slows down performance and makes mistakes more likely. Organizations create so
many groups that they often have as many groups as users; many are empty,
unused or redundant. Some groups contain other groups, which contain other
groups, with so many levels of nesting that they sometimes create a circular
reference (a group that, through its nested members, contains itself). Access
control lists often contain references to previously deleted users and groups
(also known as "orphans"). These legacy groups and misconfigured access control
objects should be identified and remediated.
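The script below is an added example, not code from the original article or from any product it describes. It runs an offline entitlement review over a constructed snapshot of directory group membership and share ACLs and answers the two questions the "Inventory Permissions" item says IT usually cannot ("Who has access to a data set?", "What data sets does a user have access to?"), resolving nested groups along the way. Its audit() pass then reports the artifacts the "Remove Global Access Groups", "Align Security Groups to Data" and "Clean Up Legacy Groups" items warn about: global groups on an ACL, orphaned principals, circular nesting, and empty groups. Every group, user, SID and share path is made up.

```python
# Added example (not code from the original page): offline ACL and group
# entitlement review over a constructed snapshot.

# Constructed group membership: group -> direct members (users or groups).
GROUPS = {
    "Domain Users": {"alice", "bob", "carol"},
    "Finance": {"alice", "Finance-Leads"},
    "Finance-Leads": {"carol", "Finance"},   # nests back into Finance: a cycle
    "HR": {"bob"},
    "Legacy-Project": set(),                 # empty, candidate for cleanup
}
KNOWN_USERS = {"alice", "bob", "carol"}

# Groups that amount to "everyone"; any ACL entry naming one is a finding.
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users", "Anonymous Logon"}

# Constructed ACL snapshot: share path -> [(principal, rights)]. The raw SID
# stands for a deleted user that was never removed from the ACL (an orphan).
ACLS = {
    r"\\fs01\finance": [("Finance", "modify"), ("Everyone", "read")],
    r"\\fs01\hr": [("HR", "modify"), ("S-1-5-21-1111-2222-3333-1055", "read")],
    r"\\fs01\public": [("Domain Users", "read")],
}


def expand_group(name, groups=GROUPS):
    """Resolve a group to its user members through any depth of nesting.
    Returns (users, groups that close a cycle); the `path` set stops the walk
    from looping when a group ends up containing itself."""
    users, cycles = set(), set()

    def walk(group, path):
        for member in groups.get(group, ()):
            if member not in groups:
                users.add(member)
            elif member in path:
                cycles.add(member)
            else:
                walk(member, path | {member})

    walk(name, {name})
    return users, cycles


def principal_users(principal):
    """Users granted by one ACL entry. A global group resolves to every known
    user; an unresolvable principal grants nobody but is reported by audit()."""
    if principal in GLOBAL_GROUPS:
        return set(KNOWN_USERS)
    if principal in GROUPS:
        return expand_group(principal)[0]
    if principal in KNOWN_USERS:
        return {principal}
    return set()


def who_has_access(path):
    """Question 1: user -> set of rights on the given share."""
    access = {}
    for principal, rights in ACLS[path]:
        for user in principal_users(principal):
            access.setdefault(user, set()).add(rights)
    return access


def what_can_user_access(user):
    """Question 2: sorted list of shares the user can reach by any right."""
    return sorted(path for path in ACLS if user in who_has_access(path))


def audit():
    """Findings an entitlement review would hand to the data owners."""
    findings = []
    for path, entries in ACLS.items():
        for principal, rights in entries:
            if principal in GLOBAL_GROUPS:
                findings.append(f"{path}: global group '{principal}' grants {rights}")
            elif principal not in GROUPS and principal not in KNOWN_USERS:
                findings.append(f"{path}: orphaned principal '{principal}' on the ACL")
    for group, members in GROUPS.items():
        _users, cycles = expand_group(group)
        if cycles:
            findings.append(f"group '{group}': circular nesting via {sorted(cycles)}")
        if not members:
            findings.append(f"group '{group}': empty, candidate for cleanup")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
    print("bob can reach:", what_can_user_access("bob"))
```

On a real estate the two inputs would be exports of directory group membership and of share ACLs; keeping them as a snapshot makes the review repeatable and lets the same report be re-run after each cleanup to confirm the global groups, orphans and cycles are gone.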
 
Ten commandments of security management
- 10/27/2011 The ten commandments of
security management are:
- Limit access to information to those who need to have it -- People can't
misuse information that they don't have.
- Conduct frequent and deep security audits – Identify who has access to
what – and how their actions could weaken the protection of valuable
data/information.
- Set limits on information access rather than excluding information outright
-- exclusion simply locks data away, whereas limits set authorizations so that
specific people can do specific things under specific circumstances.
- Limit administrative privileges to as few individuals as possible -- very few
people need them to do their jobs.
- Ignore organizational hierarchy when setting access capabilities -- access
and authorization should be based upon responsibilities, not position.
- Make security invisible -- Minimize extra commands, screens and pop-ups for
employees; if an action is allowed, just let it happen.
- Analyze security and close back doors -- Compliance logs reveal threat
patterns, and show where security steps are hurting productivity.
- Monitor information access and updates -- User-initiated application updates
can invite vulnerabilities.
- Educate everyone on security policies and procedures -- The more people know
about the rules, the better.
- Make security best practices the watchword for everyone -- IT and the
general workforce must address the constantly changing nature of security
breaches.
Disaster Recovery Must Do Steps
- 10/16/2011 The things your company must do to make sure the disaster recovery
and business continuity plan will work when it is needed are:
- Distribute the disaster recovery and business continuity plan or a
HandiGuide® to all decision makers and key operating employees who will need
access to it when the event occurs.
- Define the chain of command with a single leader, but do not limit the people
who would have to implement the disaster recovery and business continuity plan
when the event occurs if that leader is unavailable.
- Conduct frequent tests and address all areas where shortcomings are found.
- Conduct the tests unannounced.
- Validate that mission critical data is at sites other than the primary data
center.
- Establish a communication plan that can be implemented after the disaster.
 
HandiGuide is a Janco Associates registered trademark
Records Management Policy is Key to e-discovery
- 10/10/2011 The explosion of electronic communications has opened new and
creative ways of conducting business, but it has also created new challenges in
the way litigation and investigations are conducted. Since communications and
other records relevant to any legal matter are often found in electronic
format, the methods for collecting, processing and reviewing potentially
relevant evidence have changed. The process of finding, identifying, holding,
searching, reviewing, producing and presenting electronic data to be used as
evidence in a legal or investigative matter is called electronic discovery, or
simply e-discovery.
The scope of an e-discovery effort can include any form of ESI, but the
overwhelming majority of e-discovery is performed against email systems and
data. In fact, email data has quickly become the de facto standard for prima
facie evidence and affirmative defense in litigation or investigative matters.
Unfortunately, searching against email systems often results in enormous amounts
of data, which must then be processed and reviewed for relevance, typically by
paralegals and attorneys who charge by the hour. Therefore, email processing and
review is typically the most costly part of an e-discovery
project.
Endpoint data is security and compliance risk
- 10/01/2011 CIOs all agree that endpoint information is a potential liability.
The big question is where CIOs find a non-intrusive way to protect and classify
endpoint data to minimize risk, all while making sense economically.
With compliance requirements and external threats on the rise, no business can
afford to leave its data unprotected, especially at the endpoint. Fortunately,
IT leaders understand the risk: fifty-nine percent of respondents to a recent
survey rate backup and protection of desktop and laptop data as a crucial or
high priority. Unfortunately, even though the majority of survey respondents
have something in place, many fall short in terms of meeting needs for
identification, classification and discovery. As a result, these firms leave
themselves in a position of vulnerability, especially those in highly regulated
industries.
 
- Sixty-one percent currently using or planning to use a desktop and laptop
backup solution consider improving the accessibility and availability of user
data a critical or very important objective.
- Fifty percent rate the ability to quickly find endpoint data for discovery
and compliance purposes a critical or high priority.
- Forty-seven percent expect an improvement in the ability to improve
compliance with industry and government regulations as a result of the efforts
their companies are making to effectively backup, protect and manage endpoint
data.
FEMA emergency response first steps
- 09/08/2011 For companies just starting to develop emergency-response plans, or reviewing
the plans they have, FEMA and the Small Business Administration recommend
focusing on the following questions:

- Who is responsible for backing up critical records, including tax,
accounting, payroll, and production? Store these records, including a copy of
the business-continuity plan, site maps, insurance policies, and bank-account
information, both on-site and at a second site at least 100 miles away.
- How will the company protect its computer hardware, software, and
databases?
- How will the company communicate with employees during an emergency?
- Has the CFO or risk-management chief met with the company's insurance
providers to review coverage? Most policies do not cover flood damage, for
instance.
- Does the company have a shelter-in-place plan to protect employees in the
event they need to remain inside the building during an emergency? Do
employees know the plan?
Working at home works in Singapore
- 09/05/2011 Singapore companies offering flexible and home-based work arrangements are
reporting a 10 per cent increase in productivity, on top of savings in rental
and transportation costs.
Such arrangements also allow them to tap into the more than one
million economically-inactive residents in Singapore.
And according to a
Manpower Ministry survey last year, 35 per cent of employers offer at least one
form of flexible work arrangement, up from 25 per cent in 2007.
Policies that you could use include:
Disaster Recovery is Area of Cost Cutting Focus
- 08/14/2011 Disaster Recovery (DR) is a tough game. It's a
critical component of IT and risk mitigation strategies, and compounded in
difficulty by ever growing data volumes, distributed computing, and new
technologies. Unfortunately, DR is often one of the first line items hit by
budget cuts. How can you get creative in protecting more data, recovering more
swiftly, but also saving some money at the same time?
According to an AT&T Survey of 100 Chicago
firms (revenues <$10M), 81 have DR plans, but only 43% have fully tested
their plans within the last 12 months and 12% admitted they have never tested
their business continuity plans.
Next to personnel, data is your most irreplaceable
asset. Networks, application hosting platforms, and end user computing
environments can be replaced quickly. However, without your customer
lists, product catalogs, inventory, financial records, and other operational
data your business cannot recover.
A disaster recovery is the response to a declared disaster or a regional
disaster: the restoration or recovery of an entire system. A disaster recovery
plan describes how an organization is to deal with potential disasters. Just as
a disaster is an event that makes the continuation of normal functions
impossible, a disaster recovery plan consists of the precautions taken so that
the effects of a disaster will be minimized, and the organization will be able
to either maintain or quickly resume mission-critical functions. Typically,
disaster recovery planning involves an analysis of business processes and
continuity needs; it may also include a significant focus on disaster
prevention.
Elements of Mobility Security
- 08/11/2011 As the traditional
enterprise boundaries begin to fade, it is paramount that mobile devices and the
sensitive information they contain be managed and protected. As a result,
security perimeters must also expand beyond the internal network to these
numerous critical endpoints.
Mobile Device Management
Mobile Device Management within organizations becomes more complex and
important as both the number of devices and the amount of sensitive data stored
on the devices increases. A lost or stolen device may compromise the critical
data stored on it, unless there are processes and tools in place to protect
it.
Mobile Device Asset Discovery and Inventory
The first step in securing your mobile organization network is the
identification of the current inventory of mobile devices and OS clients that
exist within your infrastructure. Next, you must integrate the mobile devices
that have been identified in this process into your existing asset inventory
database. Consider the following as you develop or update your mobile device
asset inventory:
- How will you identify the mobile assets?
- What are the related assets to this mobile device, for example, additional
memory cards?
- How do you identify the asset owner and the business purpose of each
device?
 
Backup and Storage Medium
- 08/05/2011 Data is valuable, so it is no wonder that the evolution of storage
media has been slow. No one wants his or her business-critical data stored on a
new, untried medium. In the end, however, technological development has allowed
IT professionals to adopt the media that best meet their needs.


Initially, tapes were the media of choice. Even today, many businesses rely
on this old workhorse of storage. Tapes, however, are unwieldy in a recovery
scenario and ultimately unreliable. With a failure rate exceeding 70 percent for
data restorations from delicate tape systems, the standard media gradually
became disk arrays.
More recently, however, flexible cloud storage and responsive virtual servers
have emerged as the new, high-speed contenders in the storage medium space. This
option brings significant advantages such as scalability and restoration speed
to a disaster recovery - business
continuity plan.
Retirement to be put off by many
- 07/21/2011 The retirement-savings forecast remains bleak, even as the economy recovers.
Many workers say they aren't at all confident about their retirement prospects,
according to a survey from the Employee Benefit Research Institute. Worse, many
are dipping into their retirement savings to pay for day-to-day needs. And the
amount of savings socked away by workers remains extremely low.


One positive sign: participants in the research recognize the need to do
better, often the first step to building a reasonable nest-egg. “People are
recognizing the level of savings realistically needed for a comfortable
retirement,” says the research director for the institute and co-author of the
report. “We know that far too many people had false confidence in the past.
People's expectations still need to come closer to reality, so they will save
more and delay retirement until it is financially feasible."
Disaster Planning Takes Good Staff
- 07/12/2011 Good business continuity planning needs to take a broad view,
embracing people, human behavior, customers and other factors that lie outside
the data center. It is also important to secure the vision and endorsement of
executive management. A properly funded, well-prioritized business continuity
plan, combined with a regular program of testing and recovery drills, will help
to safeguard the organization. Read this white paper to understand the key
elements of a successful business continuity plan, see how to develop a plan
that clarifies what is critical, and set specific recovery
requirements.
Failure does not have to impact IT Professional's career
- 07/07/2011 For IT professionals, including CIOs, who experience some kind of
enterprise IT failure in the course of their careers - whether a high-profile
security breach, massive network outage, or multi-million dollar ERP boondoggle
- the incident can feel like a career killer. But unless the individual
repeatedly makes the same mistake, or the failure stemmed from some illegal or
"just plain stupid" action, it won't end an IT professional's career.


IT professionals who wish to recover from failure just need to know how to
address suboptimal work experiences in their job searches and during job
interviews.
- Admit and acknowledge the failure - Don't ever try
to hide failure; you won't get away with it. If an employer doesn't already
know about, say, the ERP catastrophe at your previous employer, they will find
out about it eventually. Better you be the source of that information than
someone else.
- Anticipate prospective employers' concerns - When framing
how you discuss your failure, put yourself in your prospective employer's
shoes and think about the concerns they'd have with your candidacy.
- Focus on the positive and lessons learned - One failed project among 10
successful ones is no big deal; what was learned is more important.
- Offer references who make you shine - Make sure your references will
corroborate your explanation of events when employers and recruiters call
them.
Weak passwords continue to abound
- 06/23/2011 While users can select strong passwords and control their reuse,
the only gatekeeper that can force the requirement of password strength is the
provider. Users have some control over their own fates, but the online service
provider has more, says Per Thorsheim, a researcher who has organized two
conferences on the subject of passwords. After all, it's the service provider
that sets the policy of what is an acceptable password.
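The code below is an added example, not code from the original article or from any provider it mentions. It shows the provider-side gatekeeping the passage describes: the acceptance rule lives in the service's password-change path, where it can refuse short passwords, common ones (with or without the usual trailing digits), passwords containing the username, and reuse of the last few passwords, which are compared against salted PBKDF2 hashes rather than kept in clear. The length limit, history depth, blocklist and user names are assumptions.

```python
# Added example (not from the original page): server-side password policy.
import hashlib
import hmac
import os

MIN_LENGTH = 12          # assumption
HISTORY_DEPTH = 5        # assumption: how many old passwords may not be reused
ITERATIONS = 100_000
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def password_matches(password, salt, digest):
    """Constant-time comparison against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def policy_violations(username, password, history):
    """Reasons the provider rejects the candidate; an empty list means accepted.
    `history` holds the user's previous (salt, digest) pairs, newest last."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered.rstrip("0123456789!@#$") in COMMON_PASSWORDS:
        reasons.append("common password (with or without trailing digits/symbols)")
    if username.lower() in lowered:
        reasons.append("contains the username")
    if any(password_matches(password, s, d) for s, d in history[-HISTORY_DEPTH:]):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return reasons


class UserStore:
    """Minimal credential store that enforces the policy on every change."""

    def __init__(self):
        self._history = {}   # username -> [(salt, digest), ...]

    def set_password(self, username, password):
        history = self._history.setdefault(username, [])
        reasons = policy_violations(username, password, history)
        if not reasons:
            history.append(hash_password(password))
        return reasons

    def verify(self, username, password):
        history = self._history.get(username)
        if not history:
            return False
        salt, digest = history[-1]
        return password_matches(password, salt, digest)


if __name__ == "__main__":
    store = UserStore()
    print(store.set_password("alice", "correct-horse-battery-9"))   # accepted
    print(store.set_password("alice", "correct-horse-battery-9"))   # reuse
    print(store.set_password("bob", "Password123!"))                # common
```

Because the reuse check hashes the candidate against each stored entry, the history never needs the old passwords in clear, and the same PBKDF2 work factor that protects the stored hashes also bounds how fast an attacker could test guesses against a stolen copy.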
Facebook links in email present a high security risk
- 06/18/2011 A user at a corporate desktop receives an email from Facebook that a friend
has a new photo, so the user clicks the link and takes a look. There are many
actions that happen during that one simple check:
- The link within the email can be a fake (phishing or spear phishing)
- The email can contain a worm disguised as a Facebook link
- The specific Facebook server could be subject to a DNS redirection attack,
sending the user to a false server
- The Facebook page could be compromised and hosting a browser-based attack
- The advertisements on Facebook could be compromised and hosting Flash-based
attacks
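The checker below is an added example, not code from the original article. It is the kind of test a mail gateway or awareness tool could run over the HTML of such a "new photo" notification before the user clicks, aimed at the first item in the list above: it flags links whose real host is not one of the sender's domains, plain-http links, internationalized (punycode) hosts that can impersonate a familiar name, and visible link text that names a different site than the href actually goes to. The trusted-domain set, the constructed message, and the two-label domain rule (no public-suffix list) are assumptions.

```python
# Added example (not from the original page): link checks on a notification email.
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"facebook.com", "facebookmail.com"}   # assumption


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host. Assumption: fine for .com-style names,
    wrong for multi-label suffixes such as co.uk (a public-suffix list fixes that)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def displayed_host(text):
    """Host named by link text that itself looks like a URL or bare domain."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "//" + text).hostname


def check_link(href, text):
    """Return the list of problems with one link (empty list means clean)."""
    problems = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        problems.append(f"non-web scheme '{parts.scheme}'")
    elif parts.scheme != "https":
        problems.append("plain http")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        problems.append("internationalized (punycode) host, possible lookalike")
    if registered_domain(host) not in TRUSTED_DOMAINS:
        problems.append(f"host '{host}' is not a trusted sender domain")
    shown = displayed_host(text)
    if shown and registered_domain(shown) != registered_domain(host):
        problems.append(f"link text shows '{shown}' but href goes to '{host}'")
    return problems


def suspicious_links(html):
    """(href, text, problems) for every link in the message that has problems."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text))
            for href, text in collector.links if check_link(href, text)]


# Constructed notification: one genuine link, then three hostile ones
# (a subdomain trick over plain http, a punycode host, and a lookalike whose
# visible text is the real URL). None of these are real addresses.
SAMPLE_EMAIL_HTML = """
<p>Your friend added a new photo.</p>
<a href="https://www.facebook.com/photo.php?fbid=1">See the photo</a>
<a href="http://facebook.com.login-check.example/photo">www.facebook.com</a>
<a href="https://www.xn--facebok-kya.com/photo">See the photo</a>
<a href="https://faceb00k.com/photo">https://www.facebook.com/photo</a>
"""

if __name__ == "__main__":
    for href, text, problems in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href, "->", "; ".join(problems))
```

The host check deliberately works on the registered domain rather than a prefix match, which is what defeats the second link: "facebook.com" appears at the front of the host, but the name that resolves is login-check.example.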
Security threats
- 06/04/2011 Today's cyber
attacks can hit a website, a laptop, or a server. The increasing popularity of
smart phones, iPads, and social networking sites only increases the security
risks for businesses. A single security approach is no longer sufficient. This
multilayered threat environment demands a multilayered approach to security.
Network security is a primary line of defense. The task at hand for CIOs today
is to provide world-class firewall, virtual private network (VPN), intrusion
prevention, anti-spam, anti-virus and Web filtering technologies to secure the
network perimeter. But this doesn't mean a piecemeal approach. Rather, network
security should be integrated so no threats are missed or overlooked. At the
same time, network security must also be flexible enough to allow a business to
run seamlessly.
Data Security and Protection are a priority, and Janco's Security template is a
must-have tool for every CIO and IT department. Over 3,000 enterprises worldwide
have acquired this tool, and it is viewed by many as the industry standard for
Security Management and Compliance.
 