News
Only 33% of All Enterprises Have Disaster Recovery / Business Continuity Plans
Symantec Corp. announced the global results of its fourth annual IT Disaster Recovery survey, which showed a significant decline in executive involvement in disaster recovery planning and a significant increase in the number of organizations reevaluating their disaster recovery plans (DRPs) because of virtualization. As more applications and data are managed in virtual environments, organizations are evaluating the most efficient ways to manage applications and data in both physical and virtual environments.
Nearly one-third of organizations reported they have had to implement part of their DR plan. However, in the past year there was a significant decrease in executive involvement on DR committees. And, while there appears to be improvement in successful disaster recovery testing, one-third of respondents indicate testing will impact their customers, and one-fifth admit such testing could negatively affect their organization's sales and revenue.
With the rapid increase in mission-critical applications and the continued growth of stored data, both physical and virtual, it is crucial that enterprises incorporate a comprehensive disaster recovery and business continuity plan into the overall business strategy. This helps to ensure the successful recovery of data and applications with the least impact on business operations should a disaster (natural disaster, human error or system failure) occur.
Sharp increase in applications considered
mission-critical
On average, respondents indicated that 56 percent of applications were deemed mission-critical, significantly up from 36 percent in 2007. With the increase in the number of mission-critical applications, it becomes difficult for organizations with flat IT budgets to maintain the availability of a greater number of mission-critical applications. As a result, companies should look at more cost-effective ways to protect applications, including reducing spare servers, increasing server capacity, looking at physical-to-virtual configurations, and more.
More than one-third of organizations have
executed DR plans
The data from the Symantec survey concurs with the data from the Janco Associates survey of its clients.

According to Symantec, in the past year one-third of organizations surveyed had to execute their disaster recovery plans due to a variety of factors, including: hardware and software failure (36 percent of organizations); external security threats (28 percent); power outage/failure/issues (26 percent); natural disasters (23 percent); IT problem management (23 percent); data leakage or loss (22 percent); and accidental or malicious employee behavior (21 percent). Given the regularity of events that cause downtime, IT organizations should expect that their DR plans will be tested at some point in the future.
- more information
Service Management is Critical for CIO Success

Service is now the life-blood of most IT organizations. Enterprise operations are now run with the aid of IT applications, hardware, and infrastructure. Productivity and revenue now depend on the level and quality of service that the IT function provides.
As businesses have become more dependent on technology, traditional service level management has proven to be woefully inadequate. Many executives are dissatisfied, IT organizations feel pressured and overworked, and the CEO wonders why IT is not delivering better value for the money being spent. Turnover is over 20% within IT, and the CIO's job is at risk.


Add to all this the need for IT to satisfy corporate governance objectives, leverage technology to provide a competitive advantage and meet ever-increasing user demands, and it's easy to see why most corporate IT organizations are in trouble.
- more information
Security Breaches Caused by Employees and Trusted Service Providers
Security is a top priority for most enterprises, as it is mandated by the government and various reporting agencies. At the same time, when breaches do occur they are costly, both financially and in the damage done to the reputation of the enterprise.
Most security incidents and data breaches are caused by employees, contractors, and companies that provide critical services to the enterprise. Many believe that non-employees with access to sensitive information committed the most incidents of data breach in their organization. Non-employees such as temporary contractors pose a significant challenge for IT managers, because they often are not required to comply with company policy and they often are authorized to access and digitally store sensitive information.
Contractors are also much more likely to work on computers that are not protected by corporate data security solutions such as encryption software. It is no surprise, then, that IT professionals are seeking endpoint security solutions that protect sensitive information regardless of employee action. Many IT professionals are interested in an endpoint security solution that would help recover their PDA or smartphone in the event that it was lost or stolen.
- more information
Email, Internet, Data Retention Policy Updated by Janco
Janco has just released an
updated Internet, Email, Mobile Device, and Electronic Communication
Policy. The updated policy
includes:
- Risks and Costs Associated with Email, Electronic Communication, and Mobile Devices
- Appropriate Use of Equipment
- Internet Access
- Electronic Mail
- Retention of Email on Personal Systems
- Email Forwarding Outside of ENTERPRISE
- Email User Best Practices
- Email and Business Records Retention
- Copyrighted Materials
- Ownership of Information
- Security
- Forms
  - Internet & Electronic Communication - Employee Acknowledgment Form
  - Email - Employee Acknowledgement Form
  - Internet Use Approval Form
  - Internet Access Request Form
- more information
You Can Trust No One On The Web
A recent
phishing scam targeting users of Apple Inc.'s .Mac and MobileMe online services
has successfully duped hundreds into divulging credit card and other personal
information. The phishing campaign scammed several hundred people who had
absolute trust in the Apple brand.


The scam was found by scanning chat rooms, sites and message forums frequented by cybercriminals, which uncovered a stash of records on a server that hackers use to house stolen information. Twenty different files were found parked on servers, each holding up to 20 profiles. The profiles included full names, mailing addresses, credit card numbers, card security numbers, birth dates, mother's maiden names, and e-mail addresses and passwords. About 300 profiles were collected in one day.
The attackers took advantage of the recent migration Apple conducted for subscribers from its older .Mac online service to MobileMe. The message was convincing. Some of the users we talked to were very sophisticated users, but they still fell for this attack.
- more information
Facebook Is A Security Issue That Must Be Addressed
The main security issue associated with social networks like Facebook is the high level of trust people have in them and in the applications that reside on them. It is easy to get users to run untrusted applications and put all data at risk, not just personal data.
Security policies need to be in place, with a clear understanding as to whether the enterprise wants to allow its users to access Web sites like Facebook and MySpace from computers and PDAs that are linked to corporate data. If workers are given access to these sites, then it is vital that they do not put their personal and corporate data at risk.
All personal data on social networking sites can be manipulated by attackers, and data linked through applications is also at risk.
A common attack posts messages on Facebook users' "walls" that urge them to view a video that purports to be hosted on a Google Web site. Clicking on the link leads users to a site that tries to entice them into downloading an executable to watch the movie. The executable is a Trojan horse.
- more information
Microsoft Loses Market Share
Janco and the IT Productivity Center have just released their Browser and Operating System Market Share White Paper. The major findings are that Microsoft's IE browser market share has continued to erode and has fallen to 58.50%, versus 65.48% (a loss of 6.96%) in August 2007 and 82.99% (a loss of 24.49%) in August 2005; Firefox has maintained its number 2 browser position and is now used by almost 19% (18.94%) of all users; Google Desktop has over 4% (4.01%) of the market; and Time-Warner made a strategic error in abandoning Netscape, as users continue to use Netscape even though AOL no longer supports it.
On the operating system front, Microsoft's Vista has just under 15% (14.94%) of the market after almost 20 months since Vista's first release (RC1). Victor Janulaitis, the CEO of Janco, said, "Both Vista and Netscape show that large companies make huge blunders in technology. In the case of Microsoft, they no longer can count on moving users to new products as quickly as they want. Time-Warner's short-sighted decision to abandon Netscape shows technology decisions are long term ones and companies that want to create value in that market need to look beyond quarter to quarter earnings. But the real story is the continued erosion of Microsoft's market share."

A summary of Janco's white paper can be found on Janco's web site (http://www.e-janco.com/browser.php) and the IT Productivity Center's web site (http://www.itproductivity.org/browser.php).
- more information
Travelers Advisory Issued by US State Department
Travelers should be aware of the risks they take when they travel with their cell phones, laptops, and USB storage devices. The US State Department has issued an advisory that says:

- Personal electronic equipment carried abroad is vulnerable to installations of malicious software that can steal or manipulate data well after the traveler returns.
- The use of cell phones, laptops, and PDAs in foreign countries exposes these devices to unauthorized access and theft of data by criminal or foreign government elements.
- Travelers should assume they cannot protect electronically stored data and should not transmit sensitive government, personal, or proprietary information on the Internet or through telecommunications equipment.
- Globe-trotters should be aware that foreign governments often place visitors under surveillance, and that hotel rooms, telephones, computers and other possessions may be searched without the consent or knowledge of the traveler.

Janco's recommended security strategy if you must travel with a laptop is:
- If a WiFi connection is open, do not use it to access or transmit any data unless the data is encrypted.
- Assume that all communications are being monitored and take precautions against snooping.
- Use a strong passphrase to encrypt and secure data. The passphrase should NOT be written down anywhere; memorize it.
- Use this passphrase to protect any other passwords/passphrases you might need in a Password Safe file. Do not save your passwords in your browser.
- Assume your cellphone will be compromised or lost.
On your laptop install:
- Software to allow you to encrypt/decrypt data
- The Password Safe application, but NOT the file containing the data
- A secure wipe tool to eliminate any files that you have erased
- Firefox as a browser that can clean up after itself (IE is not recommended)
- A strong antivirus package
For email, do not use your regular email account. Rather, create two disposable GMail accounts. One would be a receive account; store the login data for this email account with Firefox. The second GMail account would be accessed only via HTTPS and would serve as a secure drop-off for any data you want to take into and out of the country. Apart from the email address, no other information relating to this account would be taken with you. Provide an associate you trust with encrypted files and have him email them to you when you need them. Any data that is worked on should be encrypted, and anything that you want to save would be sent encrypted to the drop-off GMail account. Regularly purge the working GMail account.
Once back home, wipe everything and recover from a backup. Also retrieve any data from the drop-off GMail account and then close both GMail accounts.
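As an added example that is not part of Janco's advisory or any Janco or Password Safe code, the following standard-library Python sketch shows two of the steps above working together: a small password safe sealed under the traveler's memorized passphrase, and a best-effort secure wipe of the safe file once it is no longer needed. To stay free of third-party packages the cipher is HMAC-SHA256 run in counter mode with encrypt-then-MAC; an established tool such as Password Safe uses a vetted block cipher, and in production you would reach for an AEAD such as AES-GCM from a maintained library. The entries, passphrases, file name and iteration count are constructed for the example.

```python
"""Passphrase-sealed password safe plus secure wipe (example, stdlib only)."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import secrets
import tempfile

# Constructed parameters: raise PBKDF2_ITERATIONS on faster hardware.
PBKDF2_ITERATIONS = 100_000
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the memorized passphrase into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a block cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: salt || nonce || ciphertext || tag."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_sealed(passphrase: str, blob: bytes) -> bytes | None:
    """Check the tag before decrypting; None means wrong passphrase or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def save_safe(passphrase: str, entries: dict, path: str) -> None:
    with open(path, "wb") as f:
        f.write(seal(passphrase, json.dumps(entries).encode("utf-8")))


def load_safe(passphrase: str, path: str) -> dict | None:
    with open(path, "rb") as f:
        data = open_sealed(passphrase, f.read())
    return None if data is None else json.loads(data)


def wipe_file(path: str, passes: int = 3) -> bool:
    """Overwrite with random bytes, sync, then unlink. Caveat: on SSDs and
    journaling filesystems old blocks may survive; full-disk encryption is the real fix."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)


def demo() -> dict:
    """Round-trip a constructed safe, reject a wrong passphrase and a tampered file, then wipe."""
    entries = {"dropoff-mail": "example-only-password", "vpn": "example-only-2"}  # constructed
    master = "a long memorized passphrase for this example only"
    path = os.path.join(tempfile.mkdtemp(), "safe.bin")
    save_safe(master, entries, path)
    ok = load_safe(master, path)
    wrong = load_safe("not the passphrase", path)
    with open(path, "rb") as f:
        blob = bytearray(f.read())
    blob[SALT_LEN + NONCE_LEN] ^= 0x01          # flip one ciphertext bit
    tampered = open_sealed(master, bytes(blob))  # tag check must fail
    wiped = wipe_file(path)
    return {"ok": ok, "wrong": wrong, "tampered": tampered, "wiped": wiped}


if __name__ == "__main__":
    print(demo())
```

The point of the tag check is that a wrong passphrase or a modified file yields a clean refusal rather than silently decrypted garbage, which is what the advisory's "assume the device will be compromised" stance requires of any file you carry across a border.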
- more information
Disaster Recovery and Business Continuity Back-up Requirements Defined by Janco
Disaster recovery and business continuity require data consistency, with synchronous replication of data over long distances and/or journal replication to protect against local and wide-area disasters. This technology provides other benefits, including:
- Maintaining more efficient data currency. Using synchronous replication over a short distance in a campus or metropolitan area cluster provides the highest level of data currency without undue impact to application performance.
- Permitting swift recovery. A campus/metropolitan cluster implementation allows for fast automated failovers after a local area disaster with minimal to no transaction loss.
- Permitting recovery even when a disaster exceeds traditional regional boundaries. A wide-area disaster could disable both data centers 1 and 2, but with some manual interaction, operations can be shifted to data center 3 and continue after the disaster.
- Shifting to staffing outside the disaster area. A wide-area disaster also affects people located within the disaster area, both professionally and personally. By moving operations out of the region to a remotely located recovery data center, operational responsibilities shift to people not directly affected by the disaster.
Janco has defined a template with a Backup and Backup Retention policy, a complete policy that can be implemented immediately.
The document is provided in both Word 2003 and Word 2007 format and is easily modified. This policy is included in the Disaster Recovery / Business Continuity Template.
Below is a table from the policy.

- more information
As part of business risk management, companies invest substantial time
and effort in achieving and validating compliance with the standards. In doing
so, they may believe that they have sufficiently protected account data; but
validation of security with PCI and ITIL standards does not guarantee
security.

The following myths about compliance and validation with security standards can expose companies to significant risk:
- Compliance Equals Security - Complying with a standard is not the same as having well-rounded security. A compliant company can still experience a security breach.
- Compliance Today Equals Compliance Tomorrow - Being compliant at a point in time (e.g., at the time of assessment) does not guarantee ongoing compliance. Companies, or independent business units within them, continually introduce, update, or change network components in order to support business growth. Change control is a complex process, and it is not always executed consistently. Lapses in security and compliance often occur because change management processes fail.
- Compliance Validation Equals Compliance - Being validated compliant is not necessarily the same as being compliant. In one of the most serious credit card breaches this year, the merchant had been validated compliant; yet a recent statement by the PCI Security Standards Council (SSC) reinforces its stance that the standard is a preventative against the type of breach that occurred. Up to 4.3 million unique accounts were stolen.
- more information