Chief Technology Officer Tools (CTO)

Latest News

Business ontinuity planning becomes more critical

10/27/2009 -

The more your business relies on its IT systems, the more you need to consider how unexpected disruptions might affect your business. These disruptions could come in many forms, from fire and floods to theft or malicious attacks on your systems, such as viruses or hacking.

Business continuity planning improves your business' ability to react to such disruptions. It describes how you will restart your operations in order to meet your business-critical requirements.

The business continuity template can be used for any sized enterprise. The Disaster Recovery template and supporting material have been updated to be ISO 27000, Sarbanes-Oxley, PCI-DSS, and HIPAA compliant. The Template explains the importance of business continuity plans to the success of your business, and how best to develop them.

- more information

Access Control Lists - ACL - continue to evolve

10/17/2009 -

As computers and network access to data evolve, the meaning and application of of access control has changed. Access Control Lists (ACLs) came into the market and created a new security model that has proven to be very useful. In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether to proceed with the operation. A key issue in the definition of any ACL-based security model is the question of how access control lists are edited.

For each object; who can modify the object's ACL and what changes are allowed. ACL models are assigned to individual objects, or to a collection of objects, and correspond to what may or may not be permitted to "access" the object to which they have been assigned. Taking things even further, the access control model progressed into providing authentication, authorization, and audit solutions to oversee any given user during a session. For authentication, digital certificates, security tokens, smart cards, biometrics, and ID/Password functionality are all examples of the tools available.

For authorization, several access control methods can be implemented across a network. However, role-based access control (RBAC) has proven to be the best approach to ensure effective security policies are in place. RBAC enforces access control policies that are determined by the system and not the application or information owner.

- more information

DuPont has another security breach according to lawsuit

10/11/2009 -

In recent lawsuit, DuPont pointed it finger at a telecommuting worker and Peking University in Beijing in a data theft case. This is the second time in recent years that DuPont has been involved in an incident involving an alleged compromise of its trade secrets. In February 2007 a former research scientist at DuPont, admitted to stealing proprietary company information valued at $400 million.

DuPont in September filed a lawsuit in Delaware Chancery Court accusing and employee of stealing data on a new, thin-computer display technology called "organic light emitting diode" or OLED. DuPont claimed that the employee planned to use the stolen information to commercialize OLED products in conjunction with Peking University in Beijing, which is developing similar technology.

The employee had extensive access to cutting-edge OLED research information that DuPont considered a trade secret. The OLED research data was stored by DuPont in three separate Lotus Notes databases and could only be accessed by a limited number of employees using two-factor authentication. In June, the employee informed DuPont officials that he was resigning from the company and planned to join DuPont in China.

During a meeting with his supervisor, the employee asked for permission to transfer files from his company laptop to systems in DuPont China. Though he was denied permission to do so, the employee allegedly went ahead and copied over 500 files from his company-issued computer onto an external storage device.

Over 550 of those files were later found on his home computer, which DuPont investigators inspected with the employeeÂ’s permission. A forensic analysis of the home computer also showed that more than 175 of the DuPont files had been opened using the Internet Explorer browser, suggesting that the employee had accessed or sent the documents using a personal e-mail account, according to court documents.

The employee is also alleged to have downloaded a Microsoft Word document with information on a specific procedure invented by DuPont to improve the stability and performance of organic electronic materials, court documents said. According to court papers, DuPont has spent millions of dollars and put more than 17 years of research into developing OLED technology.

DuPont investigators also found evidence on the employeeÂ’s computers that he had accepted a position at the department of advanced materials and nanotechnology at Peking University's College of Engineering.

- more information

Google and Microsoft in seach engine war

10/05/2009 -

Google is as entrenched in the search engine market as Microsoft is in the browser market. It is hard to underestimate just how entrenched Google is as the default Internet search engine. It is not just top of mind for the vast majority of users; it is also built into many of the automated searches that are embedded into other Web sites. After gaining market share every month since its June unveiling, Microsoft's Bing search engine slipped a bit last month for the first time.

While Bing did not show a dramatic fall by any means, this latest report is its first shift in momentum. Web metrics firm Net Applications this week reported that Bing's share of the global search engine market slipped from 3.52% in August to 3.39% in September. The market share of the dominant search engine, Google, also dipped slightly between August and September, going from 83.33% to 83.13%, according to the latest Net Applications report. comScore Inc. said its research found that Bing increased its share of the competitive market by 4.5% between July and August to 9.3%. In addition, The Nielsen Co. last month said its survey found that Bing's share of the search market grew between July and August.

- more information

Outsourcing issues CIOs need to address

09/30/2009 -

CIOs need to avoid issues associated with their businesses as they operate in a crisis mode. Outsourcing decisions will be made in haste and be too simplistic and sudden to deliver real business advantage.

CIO should start their sourcing endeavor by building a solid sourcing strategy that focuses on creating short and long term value. This strategy should be aligned with the organization's sourcing management maturity and include business value scenarios, open options and a road map of value creation with a timeline of expected results.
CIOs must take a long-term view of the developing global presence of countries that can provide high-quality resources at the right price point. If your geographic presence is diverse, seek providers that are not exclusively focused on single country, so that you can mitigate risks (such as geopolitical instability) and also take advantage of the benefits of alternative countries, which may offer opportunities close to your own growth markets.
CIOs should actively monitor the market to determine the best combination of software and IT services and service provider options to meet their requirements and specify their appetite for risk.

- more information

Data Encryption a CIO and IT Manager Issue

09/27/2009 -

Encryption continues to be the topic on every CIO and IT person's lips nowadays. No one wants to end up in the news as the next victim of a privacy breach or the next company that didnÂ’t protect its customersÂ’ information. If you conduct a news search using the words personal data breach, you wll be alarmed at the number of instances where personal information such as social security and credit-card numbers have been exposed to possible theft. In a recent breach, a state government site allowed access to hundreds of thousands of records, including names, addresses, social security numbers and documents with signatures.

Security Manual - Sarbanes-Oxley

Whether it is government agencies, research facilities, banking institutions, credit card processing companies, hospitalsÂ–or your company's computers - the risk of compromising private information is very high. Since business relies so heavily on technology today, business risk becomes technology dependent. The possibility of litigation is part of business. It has always been a risk of doing business, but because technology and today's business are so intertwined, business risk has a higher threat level. This has prompted many to encrypt workstations and mobile computers in order to protect critical business data.

If you have rolled out encryption, how do you maintain your IT service quality when the hard disk drive fails? How do you plan and prepare for a data loss when the user's computer is encrypted? These are all issues that should be considered when putting together a data disaster plan. In addition, data recovery, one of the more common missing elements of a disaster recovery plan, should also be factored in because it can serve as the last ditch solution when all other options have been exhausted.

Data Recovery and Encryption

Business continuity and disaster planning are critical for businesses regardless of their size. Most archive and backup software have key features to restore user files, database stores and point in time snap-shots of usersÂ’ files. Software is becoming more automated so users donÂ’t have to manually backup their files. Some computer manufacturers have built-in backup systems that include dedicated hard disk drives for archive storage. Most external USB hard disk drives have some sort of third party software that provides data archiving during a trial time period. Such solutions, while solving the data backup need, create questions regarding how effective the systems are with respect to user data. What are your options when a userÂ’s computer has a data disaster and the hard disk drive is fully encrypted?

Most IT security policies require a multi-pronged approach to data security. For example, when setting up a new computer for a user, the IT department will require a BIOS (Basic Input/Output System) password for the system before the computer will start. BIOS password security varies in functionality. Some are computer system specific, meaning that the computer will not start without the proper password. Other BIOS passwords are hard disk drive specific, meaning that the hard drive will not be accessible without the proper password. Some computer BIOS employ one password for access control to the system and the hard disk drive. To add a second level of protection, new IT security policies require full hard disk drive encryption. The most common of full hard disk encryption software operates as a memory resident program. When the computer starts up, the encryption software is loaded before the operating system starts and a pass-phrase or password prompt is required. After a successful login from the user, the software decrypts the hard disk drive sectors in memory, as they are needed. The process is reversed when writing to the hard disk drive. This leaves the hard disk drive in a constant state of encryption. The operating system and program applications function normally, without having to be aware of any encryption software.

- more information

Small Businesses expose consumers to virsuses

09/26/2009 -

Payment card companies mandate compliance, and most merchants are supposed to be compliant by now, according to information on the PCI Security Standards Council's Web site.

PCI DSS is in the process of being updated, and the survey will be used as input. The PCI Security Standards Council, which was set up by major credit card companies in 2006, is collecting feedback through Oct. 31 on changes to a new version of the standard, due for release in September 2010.

Around 10% of the respondents who said they were PCI DSS compliant said they weren't using basic security software such as antivirus, firewalls and SSL (Secure Sockets Layers), Shulman said.

PCI doesn't prescribe the use of specific software products but instead promotes practices and general advice, such as using a firewall and antivirus. In recent years, vendors have developed products to make the implementation of PCI DSS easier. Still, the result was surprising and indicative of perhaps continuing confusion or difficulty some businesses are having with PCI DSS.

Consumers face a greater risk of losing control of their data when doing business with smaller retailers, as many haven't made investments to comply with the Payment Card Industry's Data Security Standard (PCI DSS), according to a new survey.

The survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It's an industry standard created by major credit card companies that's designed to protect customer payment data.

- more information

Positive economic news on the hardware sector

09/18/2009 -

Enterprises and individual purchasers are snapping up new desktop and laptop PCs long before the launch of Windows 7, a sign of strong demand in the market.

Demand for PCs improved in July and August, which is good economic sign as the expectation was many enterprises and individuals would delay purchases until after Windows 7 came out in October. Consumers often wait until after the launch of a major new operating system to buy a new PC for fear of having to pay for the upgrade and to avoid the hassle of loading the new software themselves. This time, strong marketing free or discounted Windows 7 upgrades for new PC buyers ahead of the official launch of the OS appears to be working.

- more information

USB ports are a major security breach

09/11/2009 -

USB ports provide an overly convenient bridge for malware to creep from a portable media device onto an unsuspecting user's system. In many enterprises, computers have USB-infecting malware -- even trusted clients with otherwise stellar security histories.

The primary culprit are Microsoft Windows' autorun and autoplay features for portable media devices (USB keys, USB hard drives, camera memory flash cards, and so on). To make users' lives easier, Microsoft coded Windows to seek and deploy autorun and autoplay files on removal media. A user connects his or her device, and the program it contains launches automatically, if so designed by the software developer. It is what allows a CD or DVD to start playing the moment it is inserted or new software programÂ’s install routine to automatically commence.

- more information

Wi-Fi on Planes Coming - Slowly

09/01/2009 -

U.S. airlines are adding Wi-Fi to more of their planes, but it could still be years before the biggest carriers have their fleets fully equipped with the wireless technology and passengers can expect to have access to e-mail and the Internet when they board any flight.

Only one major airline, AirTran Airways, has equipped its entire fleet with Wi-Fi using a service called Gogo, which relies on ground-to-air gear over the 3 MHz spectrum from Aircell. AirTran has a fleet of 136 aircraft, and Aircell said Gogo is available on more than 500 aircraft on six U.S. airlines, including all 28 planes flown by Virgin America.

But AirTran's fleet is smaller than those of the biggest carriers, such as American Airlines, Delta Air Lines and United Air Lines. This week, American said it had nearly 115 planes equipped with Gogo. It also expects to have 300 more planes in its 500-plane fleet equipped with Gogo within two years.

In late July, Delta said it had 219 aircraft with Gogo and expected 330 of its planes to be have the technology installed this year. United has said it will only have Wi-Fi on 13 long-distance flights in the second half of 2009. US Airways has yet to roll out Gogo on its planes, saying it plans to do so early next year.

Some airlines, including Southwest Airlines and Alaska Airlines, are relying on Wi-Fi technology that connects planes to satellites from a vendor known as Row 44 Inc. Westlake Village, Calif.-based Row 44 is also working with two other unnamed airlines.

Both Southwest, which has more than 500 planes, and Alaska Airlines will move forward quickly to roll out service to their entire fleets. The two airlines recently concluded successful tests on several planes. Row 44 received authorization from the Federal Communications Commission for the Wi-Fi service in early August.

- more information

Cybercrime not being prosecuted

08/28/2009 -

Professional organized cybercrime started with the "king of spam" corporate giants in the late 1990s. These organizations often made millions under the guise of legitimate Internet marketing while sending billions of illegal e-mails. Many of the owners became and remained rich. They bought large houses and outrageous cars, got new beautiful wives, and sent their kids to expensive private schools. Heck, spammers aren't even considered in the top 200 spammers unless they are sending out hundreds of millions of illegal e-mails per day.

Crimeware gangs that steal tens (if not hundreds) of millions of dollars from unsuspecting Internet victims each year. We have not prosecuted a single person from any of these big online cybercrime syndicates, and have no reason to believe that will change over the next few years. We are getting better at prosecuting cybercriminals in countries such as the United States, but these large organizations are based in other countries, protected by those nations' political leaders.

- more information

Microsoft earnings at risk

08/24/2009 -

Microsoft Corp.warned lthat an injunction preventing it from selling Word in the U.S. after Oct. 10 would cause "massive disruptions" to sales of its Office software, as well as to key partners like Best Buy Co., Dell Inc. and Hewlett-Packard Co.

A U.S. District Court Judge has issued an injunction and ordered that Microsoft pay $290 million in damages and interest to Toronto-based i4i Inc. for infringing on that company's patent for a document system that uses XML custom formatting.

The i4i technology allows users of Word 2003, Word 2007 and Word for Mac 2008 to create custom XML documents.

In its emergency motion filed Aug. 18 with the U.S. Court of Appeals, Microsoft warned of the business disruption and asked that the injunction be stayed during the appeal.

"Even if Microsoft ultimately succeeds on appeal, it will never be able to recoup the funds expended in redesigning and redistributing Word, the sales lost during the period when Word and Office are barred from the market, and the diminished goodwill from Microsoft's many retail and industrial customers," Microsoft argued.

- more information

Microsoft to continue to support IE 6

08/14/2009 -

Microsoft responded to critics who have called for the death of Internet Explorer 6 (IE6), saying "dropping support is not an option" for the eight-year-old browser.

While acknowledging that Microsoft is eager for users to upgrade to a new version of IE, General Manager of the browser group, said the decision is out of its hands. "The choice to upgrade software on a PC belongs to the person responsible for the PC," said the General Manager.

And Microsoft has no intention of putting IE6 to sleep before its already-scheduled 2014 termination. "Dropping support for IE6 is not an option because we committed to supporting the IE included with Windows for the lifespan of the product," Hachamovitch said, referring to Windows XP, the operating system that included IE6 when the former shipped in October 2001.

- more information

Salaries continue to be cut

08/06/2009 -

Computerworld - Hewlett-Packard Co., the parent company of IT services firm EDS, has cut salaries for some EDS workers by more than 30%, media reports say.

The Dallas Morning News and the local NBC affiliate, near where EDS is headquartered in Plano, Texas, are reporting the news of pay cuts based on interviews with unidentified employees.

IT Salaries Decline

The cuts, which could be as high as 50% once previous wage cuts by HP are tallied, may affect longtime workers in particular.

HP isn't releasing any details of the size of the cuts or numbers of employees affected.

An HP representative issued a statement saying that the action is aimed at bringing EDS salaries in line with those at HP.

A project "was undertaken to ensure that employees in both EDS and HP, holding the same roles, receive comparable compensation based on market rates," HP said in the statement. "While pay will not be impacted for the majority of employees as a result of this process, some employees will receive pay reductions while others will benefit from salary increases. We understand that these changes personally impact our employees and we are working closely with them during this transition."

HP acquired EDS last fall for $13.9 billion. EDS employed 140,000 people at the time of the acquisition.

Many U.S. firms have cut wages over the last year, but there could be other factors influencing any decision to cut wages at EDS, in particular, competition from offshore vendors.

- more information

Pandemic Planning a Must for CIOs

08/03/2009 -

As at August 1, 2009, the number of confirmed cases was over 100,000 in the UK alone rising rapidly, with the virus present in over 120 countries. Since that date, the WHO has stopped producing global figures for the spread.

However, what must be acknowledged is that the virus itself, although extremely contagious, is at this stage only a Â“moderateÂ” one, with infection in most cases resulting in relatively mild flu-like symptoms. According to a number of market commentators and viral specialists, expectations are that we are facing potentially the mildest pandemic in living history. While it cannot be ignored that H1N1 has the potential to mutate into a more virulent strain, at present there is no evidence that this evolution has yet taken place.

With infection levels predicted to peak in the northern hemisphere between October and November, all organizations should be taking full advantage of what is essentially the calm before the storm. Each company should be putting their pandemic plans through their paces, stress testing each component, from communication strategies, to containment procedures, to HR policies. Organizations should be particularly aware of the fact that as well as having to tackle the spread of the disease itself, they will also have to tackle the spread of fear among healthy workers, as absentee levels will undoubtedly rise as people seek to limit the risk of infection.

- more information

CIOs and CSOs versus Social Networks

07/21/2009 -

There continue to be persistent reports of hacker attacks, compromised privacy and phishing scams, social networks can be scary places. But that does not mean the corporate world should avoid social networks. CIOs and CSOs can establish policies that protect corporate network and data security without shutting out social networks altogether. Here are some of the issues IT managers should keep in mind when dealing with social networks.

Social networking sites are an important part of the lives of many Web surfers. After people get home from work, they go to their computers, see what their friends are up to on Facebook, MySpace and Twitter and go about their lives.

However, social networks are hit hard with some serious attacks. There are a variety of privacy issues impacting most social networks. Some have been the targets of phishing scams, hijacking and other security issues.

All the while, those users who enjoy social networks are bringing that love to work. They're now accessing their profiles from their enterprise laptops and desktops.

Many enterprises companies are not pleased that that is happening. Over 63 percent of the companies have said that they fear social networks can put the company's security at risk.

What can the CIO and CSO do?

Do not get emotional - Most social networks do not pose the kind of security threats browsing the Internet does. Is there are a danger? But it is not the biggest danger CIOs and CSOs face.
Understand the value social networks have - Companies that give employees access to them can use employee profiles to promote their business. Happy employees will talk about their employers in a good light. It makes the company look good. And it might eventually bring in better talent.
Social networks are promotional tools - Think of social networks more as a public relations arm, rather than a security hole.
Blocking only makes it worse - Blocking social networks only makes employees want to find ways to access their profiles through other means that have a higher likelihood of causing security issues in the enterprise. They will look for holes in security.
Education users on your security protocols - security software and hardware mean nothing without education.
Create and use functional policies - CIOs and CSOs need to develop a corporate policy governing access to social networks. The policy should also remind employees not to divulge sensitive information and keep corporate data safe.
Block limited networks - CIOs and CSOs should block "fringe" social networks that have a limited community.
Listen to employee requests - CIOs and CSOs should be willing to have an open door policy with employees who want advice or answers to social networking questions.
Stay current - CIOs and CSOs need to be know what and how social networks can are being used for. If CIOs and CSOs have an understanding of the features they can make more easily address issues.
Use social networks - CIOs and CSOs who embrace social networking become part of the community and can understand and communicate the difference between safety and danger.

- more information

Insider Data Security Issues Identified

07/18/2009 -

Insider data theft, and information leaks caused by carelessness and human error, are a growing problem in businesses of every size and in every industry. Whether through e-mail or IM, unauthorized copying or Web use, sensitive data and intellectual property are escaping from corporate networks and causing millions of dollars in losses.

Data is the lifeblood of every company, and often, it IS the only thing that differentiates one organization from another. Who has the most loyal customers, the best service, and the most innovative strategies all boils down to information residing on the company's IT systems.

For companies that deal with product designs and prototypes, it is easy to understand how closely their information must be guarded. Strategic plans, corporate roadmaps, and notes from a brainstorming session could also be valuable to competitors. Personal information - of employees and customers - can be used for identity theft and other types of fraud, if it falls into the wrong hands.

The problem is, many companies devote resources to IT security assuming that the thieves and threats are on the outside, attempting to gain access to the network via malware and hack attempts. They ensure anti-malware and intrusion detection/prevention systems are in place, and restrict network access.

What happens, however, when the internal worker becomes the threat?

Every employee that uses e-mail and the Internet may become a leak, either purposely or - more commonly - inadvertently. A worker who was passed up for a raise or laid off may, in a fit of anger, share some embarrassing information with the press or forward sensitive plans to a competitor.

Even instant messaging exchanges can be used to sneak files or secrets to outsiders. Employees often retain their "buddy lists" as they move from one department to another, or from one employer to the next. Colleagues who IM one another every day could be working for competing firms, and a careless response to "what are you working on?" can be disastrous.

In addition, many hack attempts use social engineering to infiltrate corporate networks. An e-mail that seems to be from your IT admin and requests your login info seems harmless enough, until the hacker at the other end gains entry. The issue is one of education and awareness, and unsuspecting employees become, in essence, potential threats.

- more information

Web Forums a Source of Data Leakage

07/14/2009 -

Monitoring postings to forums from the enterprise network can help to identify potential data leakage. Web-based forums are a popular means of trading stolen information. Some reasons for this are that posted advertisements are visible to anyone visiting the website until they are removed, most forums are organized chronologically and can be easily searched, and joining is usually open to anyone, often entailing registration with only a username.

Various forums have differing levels of membership. Some allow members to immediately post advertisements and interact with other members, while other forums restrict member privileges until certain criteria are met. Many forums conduct a peer-review process for potential sellers before they are endorsed. To establish a reputation and prove themselves, potential sellers are often required to provide samples of their goods for validation and verification. Many of the sites often provide a range of active forums, including tutorials, how-to guides, credit card frauds, or even specialized venues for goods from specific countries or regions.

- more information

Will Wireless Networks Change -- DOJ Holds the Key

07/09/2009 -

When a closed architecture company (Apple - iPhone) signs a an exclusive deal with a closed wireless network (AT&T) to lock its customers into a long-term contract you would think that the government trust busters would take notice. It has been well over two years maybe they have finally woken up.

According to the Wall Street Journal, the Department of Justice is contemplating the launch of an investigation into the exclusivity agreements that device manufacturers often sign with big incumbent telecom carriers. The issue they are addressing is whether having exclusive rights to certain high-profile wireless devices such as the Apple iPhone and the Palm Pre gives larger carriers an unfair competitive advantage over smaller wireless carriers that cannot afford to pay what is necessary to get top devices on their networks.

When you look at Europe, every device works on every network. There is doubt as to whether the Justice Department has a firm legal standing to try to bar companies from signing exclusivity agreements.

If carriers like AT&T, Verizon, and Sprint cannot secure big-name devices for their networks, how would that change the ways they compete for customers?

The company most immediately affected by ending exclusivity agreements is AT&T, as its recent success has been helped largely by the fact that it is the only mobile network in the U.S. to offer the Apple iPhone.

There have been rumblings from iPhone users recently that suggest AT&T could lose a good number of its smartphone customers if the iPhone were available on other networks. Complaints over the company's pricing policies and its data speeds mean that some iPhone users would gladly shift over to companies such as Sprint Nextel Inc. or Verizon Wireless if given the chance.

- more information

What Should CIOs do Today to Meet Future Needs

06/29/2009 -

CIOs face some of its greatest challenges they have ever had. All IT Managers are under intense pressure to cut costs, and that pressure is significantly increased by the current grim economic outlook. Everywhere CIOs look there is study after study indicating that IT organizations are looking at reducing headcount, as well as their overall spending in 2009. In addition, many business areas are relying on IT more than ever before to help them deal with the increased competition and reduced funding. This budget crunch creates a greater need for improved efficiency and higher productivity.

IT Median Salaries January 2008 vs. June 2009

It seems counterintuitive in a time of budget tightening; companies must continue to make strategic investments in IT. It is contrarian to think of investing in IT when normal reflexes would cause a CIO to consider hunkering down and focusing on survival until business conditions improve. Survival is clearly important, but by making survival your primary focus, you risk missing opportunities.

CIOs and IT organizations that position themselves for the eventual upturn will look at IT as an enabler of business efficiency and growth. In fact, in this turbulent economy, it becomes more critical to invest differently in IT. The key is to invest in areas that really improve IT efficiency and discipline. This focus will enable IT not only to survive this difficult financial period, but also to quickly shift its profile toward enabling true business growth.

- more information