CTO and CIO Toolkits

BYOD impacts mobile device policy

webmaster — Sat, 12 May 2012 18:31:05 -0600

CIOs are looking into a wide range of devices. Most published data shows that the most capital expenditures are related to mobile devices - tablets (rising), laptops (declining), and smartphones (rising). A "post-laptop" era many not necessarily mean that laptops will disappear from the workplace. Rather smartphones and tablets can perform certain functions more efficiently than a laptop. Asides from communication, smartphones are mostly used for very light work, such as checking email or quick web browsing. Tablet users find a broader variety of applications, including note-taking and presentations.

One implication is that CIOs will need to manage a suite of three devices for those workers who require flexibility in their computing options. Many CIOs are exploring mobile device management (MDM) tools, while others are adopting Bring Your Own Device (BYOD) policies by giving workers device stipends and transferring the liability and support away from the IT department.

Infrastructure focus of IT Budgets

webmaster — Sun, 29 Apr 2012 01:37:26 -0600

Mobility and wireless network infrastructures are the big takers when it comes to IT budget planning for 2012, according to a research study. Organizations are moving to the next stage of the IT infrastructure build-out across multiple budget areas, and the 2012 IT Investment Patterns Study shows how the strategy trends of innovation, integration and reversion are having a significant impact on 2012 spending patterns.

The IT environment is too complex to rely on outmoded ways to keep the business functioning and thriving flawlessly. To balance the many crucial and changing enterprise demands to move the organization forward, an IT governance process is required. This increases risks in expectations of IT --- the growth of the Internet, compliance concerns, mobile computing and advanced security risks as reasons for the critical need for IT governance. Instituting a governance process can serve as a catalyst that can effectively bring together the dynamics of cross-enterprise communication and summarize key, relevant data to provide critical metrics to make informed decisions.

Cloud becomes more robust

webmaster — Fri, 13 Apr 2012 06:45:08 -0600

CloudOn does several things right. First, it uses your Dropbox or Box cloud storage to save and access the files you are working on, and you can use both services, such as to separate personal and work projects. That means no messy file transfers before you go or when on the road, as OnLive requires. Your files are accessible from a variety of devices, including your iPad for access by other apps. If you use Box's enterprise service offering, you can even take on files in a workgroup setting and under IT management policies.

Second, CloudOn uses native iOS capabilities where it makes sense. For example, when working with text, you get the iPad's own onscreen keyboard or you can use a Bluetooth keyboard, if you have one -- not the funky, too-small Windows 7 floating keyboard. CloudOn even adds to the standard oscreen ipad keyboard Windows-specific keys: the Ctrl, Alt, Del, and Esc keys, the F1 through F12 function keys, and the four cursor keys. You also get file sharing via email using the standard iOS Share facility.

[New Topic]

webmaster — Thu, 05 Apr 2012 09:04:56 -0600

With the advent of user owned device and the ever increasing mandated requirements for record retention and security CIO are challenged to manage in an ever more complex and changing environment.

Before you start the process of implementing BYOD policies the CIO needs to ensure that what is created meets the an enterprises compliance, culture and operational requirements. This requires defining the scope and objectives of the policy:

Cost - Who will pay for the data plan? Will rewards will you provide to get people to buy in?
Agree to Acceptable Use - What terms will you include in your Acceptable Usage Policy, and how will you ensure your employees understand and agree to it?
Mandated requirements : You will have to account for factors such as open source variables for Android implementations for different devices and any security or regulatory requirements that relate to your industry (i.e. Healthcare HIPAA compliance)
Security: Will the policy state how you enforce passwords? Encryption? Do you want to blacklist any applications?
Management: How will you manage the devices connected to your network?

Major data breach

webmaster — Mon, 02 Apr 2012 14:07:06 -0600

Global Payments: Data breach is contained but is removed as a credit card processor by Visa and MasterCard.

Security incidents are rising at an alarming rate every year. As the complexity of the threats increases, so do the security measures required to protect networks and enterprise critical data. CIOs, Data center operators, network administrators, and other IT professionals need to comprehend the basics of security in order to safely deploy and manage data and networks today.

It was first reported that Global Payments suffered a security breach, where as many 50,000 cardholders may have had their information exposed. Then after some investigation that number escalated to over 1,500,000.

Global Payments processes card payments between merchants and banks, sitting in the middle-ground directing where payment data should go.

Global Payments, a third-party payments processor to Visa and MasterCard credit and debit cards, said that while customer data may be at risk, the data breach has been "contained to the best of our ability."

Apple uses bogus number to mis-direct media attention

webmaster — Thu, 08 Mar 2012 14:10:18 -0600

Apple says that it has created or supported more than 500,000 jobs. Phishing attacks cost the economy $234 billion a year. And giving social and mobile CRM tools to salespeople makes them 26.4 percent more productive. This is all PR hype

Apple's attempt at statistical flimflammery is offensive because it is a transparent attempt to change the public conversation about Apple from the question of poor labor practices in the Chinese factories that make iPhones and iPads to job creation.

Older workers are not retiring

webmaster — Thu, 01 Mar 2012 07:26:07 -0600

Few mature professionals are planning to retire soon, according to CareerBuilder. Fifty seven percent of workers age 60 plus surveyed said they would look for a new job after retiring from their current company. Some continue working to compensate for the hit personal and retirement savings took during the recession. But it's not all about money.

Many still feel they have too much to contribute to even consider retirement. And many employers agree; several said they plan to hire older employees this year. Whether mature workers are motivated by financial concerns or simply enjoy going to work every day, we're seeing more people move away from the traditional definition of retirement to seek employment in new jobs. At the same time, employers are seeing the value these mature workers can bring to an organization, from their intellectual capital to their mentoring and training capabilities.

Cloud management for DOD won by a small business

webmaster — Fri, 24 Feb 2012 18:51:50 -0600

Data Computer Corporation of America has won two Defense Department task orders worth roughly $4.3 million for cloud computing services.

Under the terms of the task orders, which will be completed over a two-year time period, the company will provide the DOD with cloud computing design and development, as well as operations and maintenance support services.

The company, a small business, will provide expertise in cloud computing architecture design and development, as well as software analysis, design, integration and testing.

In addition theywill perform cloud architecture integration, including map-reduce processing, application management, and data visualization.

Cybersecurity Act of 2012 gives DHS control of Internet

webmaster — Wed, 15 Feb 2012 15:07:17 -0600

The Cybersecurity Act of 2012 calls for the Department of Homeland Security (DHS) to assess risks and vulnerabilities of computer systems running at critical infrastructure sites such as power companies and electricity and water utilities and to work with the operators to develop security standards that they would be required to meet.

Senators are taking another crack at pushing a broad cybersecurity bill three years in the making, once again stripping a controversial Internet "kill switch" and making other concessions in a bid to find an elusive bipartisan majority in an election year.

The DHS would determine which companies fit the definition of critical infrastructure as defined by systems "whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life." Companies would have the right to appeal the designation, under the measure introduced by Sens. John D. (Jay) Rockefeller IV, (D-West Virginia), Joe Lieberman (I-Connecticut), Susan Collins (R-Maine) and Dianne Feinstein (D-California).

Owners or operators of critical infrastructure systems would need to determine how to best meet performance requirements and to verify that that they were doing so, with owners having the ability to either "self-certify" compliance or use a third-party assessor.

Hiring trend up for IT Pros

webmaster — Wed, 08 Feb 2012 07:58:49 -0600

Demand for IT professionals is steadily increasing, confidence is rising once again. The latest IT Employee Confidence Index reveals that optimism levels have climbed.

CIO and HR executives are seeing great demand for project managers, analytics professionals and .NET application developers, demonstrating that companies are opening their budgets and embracing technology implementation. And one-quarter of all employers are actively looking for new staff, meaning CIOs and other tech managers must focus on the needs of IT teams to avoid unnecessary hiring and re-training costs.

iPhone5 to make remote computing easier

webmaster — Sat, 28 Jan 2012 09:54:14 -0600

According to the Jan. 25 reports "reliable source at Foxconn in China," the various prototypes circulating around that production facility share some common features, including a 4-plus-inch display and a casing that no longer follows the design aesthetics of the iPhone 4 and iPhone 4S. "No teardrop-shaped devices, as rumored in the lead up to the iPhone 4S," related 9to5Mac. "Samples so far have been symmetrical in thickness (also longer/wider)."

Scuttlebutt concerning a larger iPhone 5 screen has circulating for some time, as the blog points out. That being said, variations between the prototypes suggest that Apple has yet to settle on a release version. If Apple follows the release cadence it established with previous iPhone iterations, this newest smartphone could make its debut in either the summer or early fall timeframes.

IT Hiring Trends

webmaster — Mon, 16 Jan 2012 07:56:49 -0600

If you've been promising your loyal IT staffers that you'll take care of them with raises when the economy turns around, 2012 is unlikely to be the year you get to make good on those promises. While employees in some roles will see increases this year, raises will be held in check, according to the most recent annual salary survey and forecast from Janco Associates. And CIOs and other executive-level IT managers will be in the same boat, likely to see level compensation from last year.

Find out what it's all about. See the IT 2012 IT Salary Survey

Factors to Consider in a Disaster Recovery & Business Continuity Plan

webmaster — Sun, 08 Jan 2012 16:40:55 -0600

The Janco Disaster Recovery Plan & Business Continuity Template takes into consideration all of the items related to various layers of operations that most enterprises need to consider if they want to continue after a disaster occurs. These include:

Strategy - Items related to the strategies used by the business to complete day-to-day activities while enabling continuous operations. Examples include financial, manufacturing and disaster recovery strategies.
Organization - Items related to the structure, skills, communications and responsibilities of your employees. Examples include human resources, training, and internal and external communications.
Applications and data - Items related to the software necessary which enable business operations, as well as the method used to develop that software. Examples include customer relationship management (CRM) applications, enterprise resource planning (ERP) applications, databases and transaction processors.
Processes - Items related to the critical business processes necessary to run the business, as well as the IT processes used to ensure smooth operations. Examples include accounts receivable, accounts payable, change management and problem management.
Technology - Items related to the systems, network and industry-specific technology necessary to enable your applications and data. Examples include host systems, workstations and Internet Protocol (IP) networks.
Facilities- Items related to the buildings, factories and offices necessary to house your organization and your production or service technologies. Examples include data centers, office buildings and physical security operations.

Patch Management Policy Released

webmaster — Tue, 13 Dec 2011 03:37:35 -0600

With the ever rising availability of enterprise data to mobile users there has been a significant increase in security exposure for information and network assets. The CEO of Janco Associates said, "As many as 90 percent of successful attacks are against vulnerabilities in which a patch already exists. Despite this statistic, many computers do not have the latest security patches installed, putting organizations at serious risk from a variety of malware threats. Patches are time-consuming to track and administer, and it is often difficult to see which computers actually have critical patches installed correctly. Without this visibility, IT managers have no simple method of identifying computers most at risk." He added, "To meet this requirement Janco has added a Patch Management Policy to its popular CIO Infrastructure Policy Bundle."

Microsoft's IE follows FireFox spell check to be added

webmaster — Wed, 09 Nov 2011 17:26:39 -0600

Firefox has had spell check implemented for several versions. Microsoft is now trying to catch up.

Microsoft is adding a commonly requested feature - spell-checking - to Internet Explorer (IE) 10. The feature is part of the already-released IE 10 developer previews, but Microsoft called it out and explained it in detail on the IEBlog.

IE 9 doesn't include spell-checking. That lacking feature is cited by more than a few users as one reason they aren't using IE 9. But because IE 10 will be the version of IE bundled with Windows 8, which will be optimized for touch input, spell checking is no longer taking a back seat.

Healthcare IT jobs are plentiful

webmaster — Tue, 08 Nov 2011 17:12:12 -0600

Many IT expertise pros have lost jobs, however healthcare is hiring to fill an expected shortage of 50,000 workers to support implementation of electronic health records and health information exchange. HIMSS and ASHHRA want to let technology professionals know and they want to have access to each other's knowledge.

Health Care vs. Financial Services Job Growth

Employment is on the rise in Healthcare IT and spending will reach $40 billion by the end of this year. Much of that growth will come from spending on electronic health record (EHR) systems, mobile health applications and efforts to comply with new government standards. Boosted by increased spending on healthcare software -- which is needed for the rollout of EHR systems -- the U.S. healthcare IT market is expected to grow at a rate of about 24% per year from 2012 to 2014, the study said. Spending on healthcare software rose 20.5% in the past year, from $6.8 billion in 2010 to a projected $8.2 billion this year. Recent mergers and acquisitions in the healthcare IT market also point to growing private-sector interest in software, which will see sales grow at rate of more than 30% annually from 2012 to 2014.

The federal government is devoting $116 million to health IT workforce training in the form of grants to community colleges and graduate medical informatics programs, as well as curriculum development, but that alone won't be enough to make up the entire labor shortage.

Malware attacks increase

webmaster — Sat, 05 Nov 2011 07:53:03 -0600

Malware is complex and seemingly everywhere and is often difficult to stop. It knows how to find your data - even on your mobile device and Mac. You can't ignore your "safe" devices any longer: you need to recognize and stop the threats before they do harm.

Malicious software can take the form of a computer virus or worm and disrupt or deny computer operations, steal private or sensitive information or gain unauthorized access to system resources. Since January 2011, serious malware attacks have hit many high-profile organizations who suffered damaging data loss. Some attacks were for kicks, some for money, some for political hacktivist reasons and some for reasons unknown.

One of the best ways to communicate and understand a company and its operating culture is through its policies. Designing and writing policy and communicating it effectively is an essential skill for professionals to have. By having policy carefully developed and communicated, employees will clearly know what the organization expects from them, the degree of control and independence they will have, and what the benefits and consequences are in regard to adhering to policy.

The policies that Janco has created are a must have that every enterprise needs. They can all be accessed by going to the Policy Master Page or the individual policies can accessed directly by clicking on the links below.

The policies have just been updated to comply with all mandated requirements and include electronic forms that can be Emailed, filled out completely on the computer, routed and stored electronically. A totally solution that uses technology at its best.

CIO IT Infrastructure Policy PDF (All of the policies below which come as individual MS Word files)
Backup and Backup Retention Policy
Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
Incident Communication Plan Policy (Updated to include social networks as a communication path)
Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (Includes 5 electronic forms to aid in the quick deployment of this policy)
Mobile Device Access and Use Policy
Outsourcing Policy
Record Management, Retention, and Destruction Policy
Sensitive Information Policy (HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
Service Level Agreement (SLA) Policy Template with Metrics
Social Networking Policy
Telecommuting Policy
Travel and Off-Site Meeting Policy

Tax liability impacted by disaster recovery plan

webmaster — Thu, 27 Oct 2011 07:14:13 -0600

Keeping track of a tax liability among multiple states can get complicated. If you have three servers in three states, software could be running in any one at any time, so youd have to consider presence in all three states. For example, if you have disaster recovery site in Pennsylvania, and that establishes presence in that state. A third party runs it; you many never have people going there and no one touches it, but you have a tax liability in that state. For customers who buy services, even though they're buying from a provider in California, they have to pay sales tax in Pennsylvania because they have a presence there.

Sales and use tax boils down to where a business has a physical presence that opens it up to tax liability within that jurisdiction. But when it comes to the cloud - where services are sold to customers who may access them anywhere from servers located who-knows-where by companies that may be headquartered anyplace - determining presence, and the liabilities that go with it, is anything but straightforward.

The state of New York has ruled that presence is determined by where an application is used, not where it is hosted. The location of the software code, according to the 2009 opinion of the New York Commissioner of Taxation and Finance, was deemed irrelevant. . .because the software could be used just as effectively by the customer even though the customer never received the code on a tangible medium or by download. (Meaning, the customer accessed the software through a browser, as is the case with cloud services.) The fact that the cloud contract provided no grant of license to use software was not found controlling. In other words, the cloud provider should be collecting sales and use tax just as if it were mailing disks to the customer, and the customer should be paying whether or not it receives a perpetual license.

Many states are moving toward an economic presence standard whereby out-of-state businesses establish presence when making sales through an agreement with a person located in that state and the in-state person refers customers to the out-of-state business through a website link.

Record Retention for the long-term

webmaster — Sun, 16 Oct 2011 15:24:53 -0600

A whopping 80 percent of the organizations studied have reported a need to retain electronic records for more than 50 years. Can your enterprise store 50 years of electronic records given current technology? Without data loss? Do you think that you can do more than three migrations of archival data from one storage media to the next without data loss?

How many consumers using Internet photo services sites think that your digitized images will still be there 50 years from now?

To address those questions the 100 Year Archive Task Force (100YrATF), operated by the SNIA's Data Management Forum, is as a global, multi-agency group working to define best practices and storage standards for long-term digital information retention.

The 100 Yr ATF was created by SNIA because of the pending crisis in long-term preservation of digital information in the IT datacenter. The crisis has two principle challenges:

Losing information that is stored digitally due to corruption, loss of access, loss of discoverability, or loss of readability
Losing control of the ability to keep up with migrating the overwhelming volume of information to new media and into new logical formats.

What role does the CEO have in the CIOs success

webmaster — Sun, 09 Oct 2011 16:21:28 -0600

Why should senior management care about their CIOs' problems? Knowing what concerns the CIO could be a first step toward building what could be a more effective IT organization.

CIOs are hired to be strategic, but spend most of their time in the weeds
Infrastructure uses up 80% of the IT budget, it's no wonder they have difficulty getting to the value-added projects. There is no easy solution to the tension between strategic expectations and operational exigencies, but outsourcing much of what is a commodity, and focusing on competitive differentiators, is a good place to start.
CIOs are stewards of risk mitigation and cost containment, yet they need to drive innovation
How do you build a culture in which you both tightly control costs yet allow for the failures that everyone knows come with innovation? How do you maintain a locked-down, high-security armored tank of an infrastructure while allowing for the openness that experimentation requires? The problem of securing an organization's data while supporting the innovation that springs from creative employees demanding to use their own devices, build their own applications, and choose their own platforms grows more intense by the day.
Technology is a long-term investment, but many companies think in quarters
Ten years ago, CIOs had to convince the purchasing group that automating reverse auctions was better than paper RFPs, and that took time. Today, CIOs do not have to convince the business of anything. They assume it will work and they want the payout within a quarter. While CIOs face constrained budgets, the demands on technology only increase. This paradox has plagued the IT organization for 30 years and is heating up now that software-as-a-service (SaaS) vendors increasingly are selling directly to business leaders, promising quick ROI. Then it falls to the CIO to make sure these apps integrate smoothly and securely with the organization's core systems.
IT pervades and serves every part of the business, yet the IT organization is often removed from it
You would think the word and would function as a connector, a word that implies togetherness. Yet the phrase "IT and the business" does not work that way. Rather, it connotes separateness and difference, creating an us-versus-them culture that belies the actual isolation of IT. The language people use to describe a group has a powerful impact on how it's perceived. If you can manage it, CEOs and senior management should stop using that phrase themselves and encourage others to drop it from their lexicon. But changing language is only one step. Today, CIOs are hiring business relationship executives in the hope of eliminating a useless distinction and a distracting divide.
CIOs are accountable for project success, but the business has to own the project
Most CIOs proudly proclaim that in their organization, "There are no IT projects, only business projects." This is a wonderful sentiment, but it often becomes a problem during the last mile when the business has to pony up resources to complete an IT implementation. CIO often say, "How do you drive something you cannot really own? If you drive it yourself, people will say, 'Why is this guy doing things to us?'" So, yes, all IT projects should be business projects, but the business needs to be a good faith partner with IT.

The best CIOs have figured out how to manage up, around, and through these contradictions, but it is harder without the awareness and support of an enlightened CEO and executive committee.

Security holes continue to be identified

webmaster — Mon, 03 Oct 2011 17:32:32 -0600

Security researchers say they've uncovered a flaw in several smartphone models produced by HTC that gives any application that has Internet access the keys to a trove of information on the phone, including e-mail addresses, GPS locations, phone numbers, and text message data.

Phone models claimed to be affected by the vulnerability are the EVO 3D, EVO 4G, Thunderbolt, and possibly HTC's Sensation line.

The researcherssay they informed HTC of the vulnerability, but after HTC failed to respond to their warning for five days, they went public with their knowledge.

The security gap in the HTC phones stems from modifications the company made in versions of the Android operating system in EVO and Thunderbolt models. Those changes add a suite of logging tools to the system. If a company plants those information collectors on a device, they need to be sure the information they collect is secured and only available to privileged services or the user, after opting in.

CIO IT Infrastructure Policy PDF (All of the policies below which come as individual MS Word files)
Backup and Backup Retention Policy
Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
Incident Communication Plan Policy (Updated to include social networks as a communication path)
Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (Includes 5 electronic forms to aid in the quick deployment of this policy)
Mobile Device Access and Use Policy
Outsourcing Policy
Record Management, Retention, and Destruction Policy
Sensitive Information Policy (HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
Service Level Agreement (SLA) Policy Template with Metrics
Social Networking Policy
Telecommuting Policy
Travel and Off-Site Meeting Policy

Social networking adds new security concerns

webmaster — Sat, 01 Oct 2011 14:19:30 -0600

CIOs all agree that social networking and endpoint information are a potential liability. The big question is, where does a CIO find a non-intrusive way to protect and classify social network data to minimize risk, all while making sense economically?

Almost half of all enterprises have been victims of social networking attacks, experiencing 25 or more such attacks in the past few years at an average cost of over $27,000 per incident.

The most common sources of threats are phishing emails (47%) and social networking sites (39%). New employees (52%) and contractors (44%) were cited as the most susceptible to social engineering techniques, emphasizing that hackers target staff that they suspect are the weakest security links in organizations, using social networking applications to gather personal and professional information on employees to mount spear phishing attacks.

According to the global survey of over 850 CIOs, IT managers, and security professionals, 86% of all businesses recognize social engineering as a growing security concern. A majority of respondents (51%) cited financial gain as the primary motivation of attacks, followed by competitive advantage and revenge. The highest rate of attacks was reported by energy and utility organizations (61%) with non-profit organizations reported the lowest rate (24%), reinforcing gain as the key reason for attacks.

With compliance requirements and external threats on the rise, no business can afford to leave its data unprotected, especially at the endpoint. Fortunately, IT leaders understand the risk: Fifty-nine percent of recent survey rate backup and protection of desktop and laptop data as crucial or high priority. Unfortunately, even though the majority of survey respondents have something in place, many fall short in terms of meeting needs for identification, classification and discovery. As a result, these firms leave themselves in a position of vulnerability - especially those in highly regulated industries.

61% currently using or planning to use a desktop and laptop backup solution consider improving the accessibility and availability of user data a critical or very important objective.
50% rate the ability to quickly find endpoint data for discovery and compliance purposes a critical or high priority.
47% expect an improvement in the ability to improve compliance with industry and government regulations as a result of the efforts their companies are making to effectively backup, protect and manage endpoint data.

CIOs Become Pessimistic

webmaster — Wed, 14 Sep 2011 07:13:47 -0600

CIOs say they expect to continue hiring, although they plan to increase their IT head counts by meager amounts.

Three quarters of the CIOs interviewed by Janco say they have not pushed back existing hiring plans amid the market volatility of the past three months. But almost one third of these same CIOs have delayed hiring plans, citing economic uncertainty, insufficient demand, and pressure from executive management to keep costs down.

Indeed, comments from IT executives about their companies' different staffing situations reveal some of the factors depressing employment. Some companies are making some layoffs plans despite thier strong performance as they continue to outsource and cut back on applications that no longer are cost effective.

However, attracting and retaining qualified employees still ranks as one many CIOs' top concerns. One CIO said that he has 4 open positions that he has been trying to fill for eight months. The CIO says the company is "doing fairly well" and hiring, but he can't find enough of the digital and social-media experts he needs. "We have to mint these people," he says. "We want to bring new people in but the good ones do not want to move." He adds, "We're kind of moving sideways."

Data breach notification processes are costly

webmaster — Mon, 12 Sep 2011 06:00:12 -0600

Businesses, government agencies, and educational institutions reported 50 percent more data breaches in this year than last, exposing the personal records of at least 35.7 million Americans.

The financial consequences of such breaches can be severe. Many organizations lose customers and revenue because of the violation of trust incurred from a breach. Due to the growing number of state privacy laws, most breaches require that thosewhose information is compromised must be notified.Most organizations now pay for credit monitoringservices for several years for all those impacted by a breach these services typically cost about $100 per person per year. And in some cases, organizationsare subject to fines for revealing personal information.

A new bill in California's (SB-24) updates current data breach notification laws by requiring organizations to include in the breach notification letters the specifics of the security incident and advice on steps customers should take. The bill also includes provisions mandating that if the security breach affected 500 or more people, the organization must submit a copy of the letter to the state attorney general's office. The bill was signed into law Aug. 31 by Gov. Jerry Brown and will take effect on Jan. 1, 2012.

The breach notification letters must include information such as the type of personal information exposed, a description of what happened, time of the breach, and toll-free telephone numbers and addresses of major credit reporting agencies in California, according to the new law. The original law did not specify what information had to be included in the letters. The new law also requires the letters to be sent "in the most expedient time possible and without unreasonable delay."

CIO and IT departments are blamed for user shortfalls

webmaster — Mon, 05 Sep 2011 13:32:08 -0600

Now the CIO not only must be politically correct, but he must also be clairvoyant and understand what can go wrong, be misused, or be abused. The IT Infrastructure must be robust to address this.

When systems are abused the easiest scapegoat is the IT Department. In the recent school webcam case at the Pennsylvania school district the IT department was blamed because they not only failed to inform school officials and administrators of the tracking capabilities of the software, but argued that telling students about the software's ability to remotely trigger notebook Webcams would "defeat its purpose" as a way to recover lost or stolen computers.

Salaries fall according to one suvey

webmaster — Thu, 18 Aug 2011 16:15:04 -0600

According to Foote Partners, the average market value for 265 noncertified skills dipped slightly (-0.2 percent) from April to June following consistent gains in the previous five calendar quarters, while pay premiums for 237 IT certifications continued their abysmal performance" for the 18th time in the last 19 quarters, posting an overall loss in market value of nearly 2 percent for the quarter.

Only one category of certifications - database - grew in overall market value (+2.6 percent) in the latest quarterly benchmark update from Foote, bolstered by gains in three Oracle certifications. For noncertified IT skills, four of eight skills categories showed improvement: management, methodology and process skills (+2.4 percent in pay premiums), messaging and communications skills (+1.7 percent), database skills (+0.6 percent) and SAP & enterprise business applications skills (+0.3 percent).

Declines were more widespread, with IT certifications taking the biggest hit, such as entry-level and training certs (-5.9 percent in pay premiums), Web development (-4.0 percent), IT security (-2.9 percent), systems administration and engineering (-2.5 percent), applications development and programming languages (-2.3 percent), and networking certifications (-0.2 percent). Only four of eight categories of noncertified skills recorded losses in market value, though these losses were not as steep as those recorded in the certifications groups.

Security Policies Required to Stop SPAM

webmaster — Sun, 14 Aug 2011 16:20:31 -0600

Security policies and audit procedures are required if enterprises look towards stopping spam. Courts and lawsuits do not help.

For example, spammers allegedly obtained the login credentials for Facebook accounts. The accounts were then used to send spam to those users' friends. The spam either linked to other phishing sites that sought to collect more Facebook account credentials or linked to other commercial Web sites that paid spammers for referrals.

The same spammer was found guilty of violating the CAN-SPAM act and was ordered to pay $230 million for spamming and phishing on MySpace. The spam led to gambling, ringtone and pornography sites.

Facebook may choose to close the file once the default judgment is entered against the spammer, the court filing said.

Why Disaster Recovery Plans Fail

webmaster — Mon, 08 Aug 2011 04:15:18 -0600

Because of their complexity and lack of standardization, traditional disaster recovery infrastructures often fail to meet enterprise requirements for recovery speed and integrity at a reasonable cost.

Downtime, whether planned or unplanned, often translates into lost opportunities and increased costsand for many enterprises today, any amount of downtime is unacceptable. Having an effective recovery strategy and a set of coherent disaster recovery plans is essential to helping avoid downtime during a crisis.

The need for enhanced quality, efficiency, and predictability for disaster recovery and business continuity has increased significantly, highlighting the necessity of a well-defined set of recovery plans and regular testing. However, as the required scope of critical processes, production applications, and enterprise demands increases, sustaining the timeliness and effectiveness of a recovery plan can become increasingly difficult. For most organizations, disaster recovery is extremely labor intensive, often requiring the manual coordination of hundreds of recovery tasks. So although the importance of having an effective disaster recovery plan is clear, organizations often find it difficult to achieve the level of protection they need.

Disaster recovery plans suffer in recession

webmaster — Fri, 29 Jul 2011 09:07:17 -0600

According to a HP survey of IT managers at small businesses across the United States, 93 percent of companies have placed cost concerns over the best IT solutions, leading 89 percent of those companies to experience IT-related problems.

The study found that the top three IT problems reported by cost-conscious companies are low-performing hardware (46 percent), out-of-date hardware (37 percent) and unreliable hardware (23 percent), leading to suboptimal computing efficiency and an overall loss of productivity.

The survey also revealed that 54 percent of small businesses cite summer as the peak season for working remotely. With 58 percent of IT managers stating that they have not invested in network security this year, companies will find they are adding pressure and potentially greater security risks to their already stressed IT networks.

The survey was conducted among 500 IT managers at small businesses, between May 31 and June 6, 2011, using an email invitation and an online survey.

Hackers attack "secure" servers

webmaster — Wed, 13 Jul 2011 08:13:36 -0600

The Anti Security hacking campaign announced July 11 that it has broken into an unsecured server at government contractor Booz Allen Hamilton, copied about 90,000 military e-mails and password hashes, and made them available for downloading.

The announcement gave no details of the exploit used to enter the system, but saidt, "we infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty."

The incident is the latest in a list of embarrassing and possibly connected breaches of government and contractor IT systems and Web sites, including the Senate, CIA, the Atlanta chapter of InfraGard and others.

Using its pirate-themed language, it described other "booty" as "maps and keys for various other treasure chests buried on the islands of government agencies, federal contractors and shady whitehat companies. This material surely will keep our blackhat friends busy for a while."

Who are the Million Dollar CIOs

webmaster — Wed, 13 Jul 2011 07:31:41 -0600

The numbers are in! Janco Associates has released its mid-year 2011 IT Salary Survey. The company uses information from submitted survey forms and public sources (SEC filings and the like), and while the overall mean for IT jobs is up a mere 1.13 percent over 2010, the survey reveals a baker's dozen CIOs who are doing just fine, thank you.

Million-Dollar CIOs

Name	Company	Salary	Total Compensation
Timothy Shack	PNC Financial Services	$510,000	$5,942,093
Gregor Bailar	Capital One Financial	$466,667	$4,522,681
Steven Sadoff	Knight Capital Group	$250,000	$1,993,434
Mahvash Yazdi	Edison International	$364,247	$1,878,848
Kenneth Tye	Total Systems Services	$375,000	$1,849,341
Byron C. Vielehr	Dun & Bradstreet	$325,000	$1,633,033
Karen Austin	Sears Holding Corp.	$454,744	$1,557,136
John J. Sullivan	Liz Claiborne	$491,666	$1,499,176
Gregory Tranter	Hanover Insurance Group	$330,385	$1,294,731
Richard Connell	Selective Insurance Group	$375,385	$1,268,134
Larry Thomas	Landstar System Inc.	$200,000	$1,251,925
Bruce Marcus	McGraw-Hill	$350,000	$1,239,883
Bobby Spaid	Beckman Coulter	$304,881	$1,100,079

Source: Janco Associates' Mid-Year 2011 IT Salary Survey

Cloud computing deploment

webmaster — Thu, 07 Jul 2011 14:18:30 -0600

Cloud computing is a flexible, cost-effective, and proven delivery platform for providing business or consumer IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with all processes, applications, and services provisioned "on demand", regardless of user location or device. As a result, cloud computing gives organizations the opportunity to increase their service delivery efficiencies, streamline IT management, and better align IT services with dynamic business requirements. In many ways, cloud computing offers the "best of both worlds", providing solid support for core business functions along with the capacity to develop new and innovative services.

In addition to the usual challenges of developing secure IT systems, cloud computing presents an added level of risk, because essential services are often outsourced to a third party. The "externalized" aspect of outsourcing makes it harder to maintain data integrity and privacy, support data and service availability, and demonstrate compliance.

Who gets paid what?

webmaster — Wed, 06 Jul 2011 14:21:20 -0600

Different groups get paid differently and have different experiences at work. A survey from CareerBuilder shows wide disparities in pay, although it does not fully address the reasons for such disparities. Workers with disabilities, for example, make considerably less than their colleagues, while lesbian/gay/bisexual/transgender (LGBT) professionals are earning more than any other group.

The survey reveals other disparities with respect to career advancement and perceived discrimination, among other topics. "The U.S. workplace has experienced fundamental shifts over the last two decades," said a senior director of talent intelligence and consulting at CareerBuilder. "While companies have made strides in creating an inclusive workplace for all workers, there is still work to be done." Six diverse segments served as the prime focus of the research: African Americans, Hispanics, Asians, women, workers with disabilities and LGBT. More than 1,300 employees representing these groups took part.

Infrastructure impacted by globalization

webmaster — Sat, 18 Jun 2011 08:13:47 -0600

Implementing a cost effective IT Infrastructure that aligns with your organization's business strategy is essential to ensuring the success of the Information Technology function. For many IT professionals, the amount of time it takes to develop and implement such a infrastructure, and the unknown process required to complete it, makes infrastructure design and implementation a daunting task. Globalization makes it even more difficult.

Globalisation has stretched companies' supply chains and made them much more vulnerable to problems created by crumbling infrastructure around the world.
The cost worldwide of developing and maintaining infrastructure to meet growing demand over the next 20 years has been put at more than US$41 trillion. But to meet this target would require an enormous jump in spending on transport to 2030, which at the moment amounts to only $1 trillion globally each year.
It isn't only land links that are under increasing strain. In Brazil, ports are struggling to cope with the countrys increase in exports. Bottlenecks have caused goods to pile up on the quayside, while ships have to wait to be unloaded.
It is important for companies that export globally or rely on key raw materials and parts from overseas that they include infrastructure risk in their strategic planning.
The simplest way to assess your vulnerability is to ask how much would it cost in lost sales if one of your key suppliers fails to deliver or if your goods were held up in transit. You might be surprised by the results.

Sony Hacked Again - 1 Million Passwords Exposed

webmaster — Sat, 04 Jun 2011 10:27:00 -0600

A group of hackers behind the recent PBS website breach said they've now hacked into a Sony website. The hackers, who call themselves LulzSec or the Lulz Boat, said they exploited the Sony Pictures website via a SQL injection attack.

The group released 150,000 records gleaned during its attack, saying it didn't have time to copy more. Those records also include material taken from exploited databases for Sony BMG in the Netherlands and Belgium, which contained further information about website users as well as employees.

The takeaway for the average Internet users is clear. Don't trust that your password is being securely stored and be sure to use a unique password for every website to limit your exposure if hacks like these occur.

Businesses should likewise be prepared, by ensuring that they can't be breached via the types of vulnerabilities that have scuttled Sony websites. Sony seems to have been compromised in such a negative and severe way, I'm concerned that other organizations won't use this as a warning sign to analyze their defenses, and will instead adopt an 'it won't happen here' mentality. Many CIOs offer excuses that explain-away why Sony's issues don't affect their customers or employees--which is very alarming.

PCI 2 not a big change

webmaster — Tue, 31 May 2011 17:15:07 -0600

The Payment Card Industry Data Security Standard (PCI DSS) has developed into a workable approach for protecting the handling and processing of payment card transactions. Yet, there are also shortcomings in the PCI DSS, and like all standards, the PCI DSS periodically goes through updates. The latest version - PCI 2.0 released at the end of October 2010 - provides updates on virtualization, monitoring and other areas. Other than the explicit inclusion of virtualization (which had been sorely missing in the 1.2 version of the standard), there are no dramatic changes in PCI 2.0. The remainder of this new version should really be called an adjustment or refinement to policies and processes already in place.

However, the adjustments in PCI 2.0 do show that the PCI DSS can keep up with modern technologies. By explicitly allowing the use of virtualization, this resource-saving technology will no longer be called "out of compliance" simply because it is used in payment card applications. Another area in which the standards council is catching up is with payment application networks, which are now required to plug into a centralized logging solution under the simultaneously released Payment Application Data Security Standard (PA DSS).

Google lets 35 million profiles out with no security check

webmaster — Sun, 29 May 2011 16:52:41 -0600

A security researcher has assembled a single database containing 35 million people's Google Profiles information, including Twitter feeds, real names, and email addresses, among other data points.

Google builds profiles as a way to "decide what the world sees when it searches for you.

The resulting database contains whatever people have added to their own Google Profile, which potentially includes their real name, aliases, Twitter conversations, work experience and educational background, and links to Picasa photos. In addition, about 15 million profiles also have a username, which is the same as a person's Gmail address. Interestingly, he was able to assemble the data "without Google throttling, blocking, CAPTCHAing" or encountering any other form of security protection.

You can download the Table of Contents and some sample pages by clicking on the link below.

This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 34 pages in length and complies with Sarbanes Oxley Section 404, ISO 27000 (17799), and HIPAA. The PCI Audit Program that is

In the most recent update to this template, the Massachusetts and California mandated requirements were specifically included as part of the policy.

IT Jobs on the upswing

webmaster — Wed, 25 May 2011 08:11:53 -0600

eWeek - There are more technology job openings in a single day on Dice's career site than there are computer science grads ready to join American businesses, according to a report from Dice Holdings, which runs a career site for technology and engineering professionals. In California, that ratio is 3-to-1, the company noted, and the number of computer-related bachelor's degrees conferred has plummeted in nearly every state, creating a pipeline problem that leads from corporate America through college campuses to primary schools nationwide.

As outlined in their recent report "America's Tech Talent Crunch," 18 states and Washington, D.C., have shortages of local graduates when comparing job openings to associate's and bachelor's degrees conferred. Those states overlap critical tech markets, including Silicon Valley, Seattle, Dallas, Boston, New York, Washington, D.C., Los Angeles and Chicago.

These gaps have created a competition for talent, Dice said. Ann Hunter of the Massachusetts Institute of Technology explained there are easily two or three jobs for every computer science grad. Likewise, Dr. Tim Lindquist, a professor of computer science and engineering at Arizona State, said, "I can't tell you the last time I had a student, even some of our poorer students, tell me they had trouble finding a job."

Among the "shortage states," only Delaware, Virginia and Washington, D.C., awarded more computer-related bachelor's and associate's degrees in 2009 than they did in 2005. In the other "shortage states," degrees conferred have dropped anywhere from 14 to 68 percent, according to the report.

Now, an opportunity is upon the IT jobs market with technology recovering faster than the broader economy. An up cycle typically encourages more students to enter the field, similar to what was seen in the dot-com era, the report noted. The question is, can corporations, universities and K12 educators fulfill the long-term ambitions of America's budding technology professionals? the report questioned. 'America's Tech Talent Crunch' is a snapshot of how businesses, educational institutions and employees are dealing with palpable shortages in real time, the report stated.

An earlier report from Dice found technology professionals endured a second straight year of nearly flat salaries: Tech workers, on average, garnered salary increases of about 1 percent (0.7 percent) to $79,384 from $78,845 in 2009, after receiving a similar increase the previous year.

Tech professionals expressed slightly more satisfaction over pay than last year, with 50 percent "somewhat" or "very satisfied," an increase from 46 percent of respondents who felt that way last year. Still, nearly four out of 10 technology professionals anticipate they could make more money if they change employers in 2011. Those professionals (24 percent) who felt switching employers would not increase their pay earned, on average, nearly $13,000 more than those who anticipate finding higher salaries elsewhere.

"Companies can no longer get away with paltry salary increases for their technology staffs based on the demand we are seeing for talent," said Tom Silver, senior vice president of North America at Dice. "The moderate increases in satisfaction levels indicate that tech professionals concerns are being heard by some companies, but certainly not all. Retention is the key to driving additional contributions to the business from technology staffs. Employers that are reluctant to increase compensation or step up retention efforts will likely pay for their unsatisfactory ways."

Requirements for a fast recovery

webmaster — Thu, 19 May 2011 17:14:02 -0600

The best way to ensure a fast recovery is to have replacement equipment standing by at an off-site location with the necessary software and configuration to quickly transfer users and data. The best practice includes a remote data center with servers, storage, networking equipment, and Internet access. Restoring to this remote data center from backup tapes will likely take too long, assumes that the tapes were not affected by the original problem, and still leaves the risk of recovering only old data. Instead, replication software can be used to keep the backup systems constantly updated.

A four-hour RTO and RPO requires:

Off-site hardware and infrastructure to run servers and applications
Data updates to the DR site more often than every four hours, preferably real-time
Continual updates of the application and OS configuration (without this, recovery may fail after a patch or an upgrade)
A method to deal with any hardware differences between production and recovery environments

Protect IP Act - Goverment death sentence for web sites

webmaster — Fri, 13 May 2011 04:49:39 -0600

The U.S. Department of Justice would receive the power to seek a court order against an allegedly infringing Web site, and then serve that order on search engines, certain Domain Name System providers, and Internet advertising firms--which would in turn be required to "expeditiously" make the target Web site invisible. If that is done in error, the question is how does a company get its web site back into the search engines. And we all know that the goverment never is wrong is.

In the final version (PDF) refers instead to "information location tool." That's defined as a "directory, index, reference, pointer, or hypertext link," which would certainly sweep in Google, Yahoo, and search engines, and may also cover many other Web sites.

The Protect IP Act says that an "information location tool shall take technically feasible and reasonable measures, as expeditiously as possible, to remove or disable access to the Internet site associated with the domain name set forth in the order." In addition, it must delete all hyperlinks to the offending "Internet site."

In other words, the targeted Web site would start to vanish from the Internet in the United States.

Any copyright holder also could file a lawsuit and seek to levy a less dramatic form of Internet punishment, blocking only "financial transactions" and "Internet advertising services" from doing business with the suspected infringer.

This proposal permits law enforcement to "crack down on rogue Web sites dedicated to the sale of infringing or counterfeit goods." The actual bill text, however, doesn't require that the piratical Web site sell anything--meaning, for example, if WikiLeaks were accused of primarily distributing copyrighted internal bank documents, access from the United States could be curbed.

The Protect IP Act is a successor to last fall's bill known as COICA, for Combating Online Infringement and Counterfeits Act. That bill used different procedures, but also allowed the government to pull the plug on Web sites accused of aiding piracy.

Another bill introduced would make the illegal streaming of copyrighted works a federal felony, a proposal that follows a earlier White House recommendation.