Security

National ID - Security Nightmare Could be a Reality - March 21st, 2010 10:04 PM

Two U.S. senators met with President Obama on Thursday to push for a national ID card with biometric information such as a fingerprint, hand scan, or iris scan that all employers would be required to verify.

In an opinion article published in Friday's edition of the Washington Post, Schumer (D-N.Y.) and Graham (R-S.C.) say the new identification cards will "ensure that illegal workers cannot get jobs" and "dramatically decrease illegal immigration."

This push for a national ID is part of what the senators say is a necessary overhaul of immigration law, including additional border security, more temporary workers, and a form of amnesty for illegal immigrants already in the United States. It comes just two days before a rally in Washington, D.C. sponsored by groups including the AFL-CIO, Farmworker Justice, and the National Council of La Raza that also calls for amnesty.

Linking national ID cards to immigration reform is a popular idea in Washington political circles. After all, if every U.S. citizen has a biometric-equipped cards, the thinking goes, it's easy to order employers not to give a job to someone without one.

But concerns about privacy, security, and federalism have torpedoed each one of these proposals so far. A similar national ID plan--which also required that employers do verifications--sunk President Bush's broader proposal for immigration reform in 2007. A proposal three years earlier by Rep. David Drier (R-Calif.) to create federal ID cards with Americans' photograph, Social Security number, and an "encrypted electronic strip" with additional information was even less successful.

Then there was the controversial Real ID Act, which tried unsuccessfully to compel states to standardize their drivers' licenses. But a libertarian grassroots revolt, including an anti-Real ID vote a few weeks ago in the Utah legislature, has halted Homeland Security's plans. (Rep. Ron Paul, the former Republican presidential candidate, argued it would do little to curb legal immigration.)

Under the Schumer-Graham proposal, extracting biometric information from hundreds of millions of Americans is no trivial task. It could mean extraordinary lines at regional Social Security offices--and an inconvenience for Americans switching jobs who haven't had their retina or DNA scanned in and stored on the ID card.

"We would require all U.S. citizens and legal immigrants who want jobs to obtain a high-tech, fraud-proof Social Security card," the senators' opinion article says. "Each card's unique biometric identifier would be stored only on the card; no government database would house everyone's information. The cards would not contain any private information, medical information or tracking devices."

Securtiy basics - March 21st, 2010 04:05 AM

As the complexity of the threats increases, so do the security measures required to protect networks. Review the basics of security in order to safely deploy and manage networks today, including firewalls, network topology, and secure protocols, and network security best practices. - more information

Disaster Recovery and Business Contunity Back-up Requirements Defined by Janco - March 19th, 2010 03:08 AM

Disaster Recovery and Business Continuity require data consistency with the synchronous replication of data over long-distances and / or journal replication to protect against local and wide-area disasters. This technology provides other benefits, including:

Maintaining more efficient data currency. Using synchronous replication over a short distance in a campus or metropolitan area cluster provides the highest level of data currency without undue impact to application performance.

Permitting swift recovery. A campus/metropolitan cluster implementation allows for fast automated failovers after a local area disaster with minimal to no transaction loss.

Permitting recovery even when a disaster exceeds traditional regional boundaries. A wide-area disaster could disable both data centers 1 and 2, but with some manual interaction, operations can be shifted to data center 3 and continue after the disaster.

Shifting to staffing outside the disaster area. A wide-area disaster also affects people located within the disaster area, both professionally and personally. By moving operations out of the region to a remotely located recovery data center, operational responsibilities shift to people not directly affected by the disaster.

Janco has defined a Template with a Backup and Backup Retention policy that is a complete policy which can be implemented immediately. 

The document is provided in both Word 2003 and Word 2007 format and is easily modified.  This policy is included in the Disaster Recovery / Business Continuity Template.

Below is a table from the policy.

Sensitive Information Policy Template released by Janco - March 6th, 2010 01:45 PM

The Sensitive Information Policy Template (Version 2.4) has just been released by Janco. This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), co-location providers, and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals). 

New with this version are updates that specifically define the mandates of most recent federal (Gramm-Leach-Bliley) and state (Massachusetts and California).

Which skills are in high demand and low demand - March 4th, 2010 10:10 PM

IT salaries are determined by the skills that are required.  Janco has determined the following are the skills in high demand and low demand.

Skills with a high demand

• Project Management - especially large projects with short time frame for delivery
• Security -  focus on mandated compliance issues
• Network Administration - wireless and cloud administration
• Virtualization (Cloud) - new applications and management of the IT infrastructure
• Business and Operational Analysis - focus on business change
• Productivity Improvement Analysis - metrics and operational analysis
• Web 2 - interactive applications that add value
• Database Management - applications that leverage enterprise assets
• System Administration - Windows and UNIX management
• Desktop Support - standardization and change management

Skills with a declining demand

• COBOL
• HTML
• System Network Architecture - SNA
• Siebel
• Rapid Application Development - RAD
• ColdFusion
• Wireless Application Protocol - WAP
• Visual J++
• Novell NetWare
• Asynchronous Transfer Mode - ATM
  

IBM outsourcing cost 2,000 US jobs - March 2nd, 2010 03:42 PM

After shrinking its U.S. workforce by as many as 10,000 employees last year, IBM may be on its way to cutting another 2,000 workers.

As of last October, IBM employed 105,000 workers in the U.S., compared to 115,000 in 2008. In 2007, IBM had 121,000 U.S. employees. It employs about 400,000 globally.

IBM isn't commenting on its latest round of cuts and information about it comes from the Alliance union which gathers its data directly from IBM employees.

"IBM is clearly offshoring things where they can," said one IBM employee who received his notice and spoke on the condition of anonymity because he didn't want to jeopardize his severance. A 10-year veteran and UNIX administrator, this employee said his customer support team once had 15 U.S.-based workers. That staff was reduced over time to just three workers in the U.S., with other members of the customer support team now in Brazil, Argentina and India.

The employee said he was not given a good reason for his layoff. "Higher ups made a decision that a certain percentage had to be cut - it was not performance-based at all," he said. Although the employee said he's uncertain about the job market, "my sense is that it is not horrendous but I'll have to assume that I'll have to take a cut in pay."

Practical Guide for IT Outsourcing Released by Janco - February 27th, 2010 11:55 AM

Practical Guide for IT Outsourcing Released - Version 3.0 of the Practical Guide for IT Outsourcing has just been released. It includes a sample Outsourcing contract, Service Level Agreement with metrics, Risk Assessment - Business and IT Impact Questionnaire, and much more.

The guide is delivered electronically and is available in MS - Word and industry standard PDF.

CIOs are looking for more cost savings - February 25th, 2010 03:08 PM

The recession is impacting how IT is performing. Budgets for many IT organizations has been frozen for about two years, and CIO have been on this efficiency kick for about the same amount of time. IT organizations have virtualized, consolidated data centers, have cut hiring and outsourced.  There is no low-hanging fruit left.

Service level agreements are set however costs need to be reduced.

The only areas where cost savings can be made are in hardware and software maintenance.

CIO must protect critical data - February 23rd, 2010 05:10 PM

CIOs need to focus on at least four areas in order to protect critical data:

• Implement a  Business Continuity and Disaster Recovery Plan. This is the traditional solution for mitigating exposure to information loss. However it has grown more complicated as 24/7, global economy, and open source have become standard business mantras. Of paramount importance is overcoming the hurdles associated with backup window requirements, application performance, reliability and consistency, and recovery time.
• Streamline IT Infrastructure and Increase Productivity. As staff and resources become overburdened, companies are refocusing on infrastructure management. Easing critical pressure points is often the catalyst to surviving a difficult fiscal climate.
• Manage Storage and Server Costs  Closely. Controlling cost of operations has become a top priority for many organizations. With data growing at exponential rates, these costs can easily mushroom.
• Support IT Infrastructure Consolidation. Today's data protection architecture seems to be intrinsically broken - as characterized by slow backups, complex recoveries, compromised application performance, and difficult resource administration. IT infrastructure consolidation including server virtualization magnifies the problems and elevates the rearchitecture of storage and data protection as a priority. Finding high performing, easy-to-use, scalable data protection remains a key imperative. Further, system migration of production servers and critical applications to a virtual environment are likely to be costly and painful unless an easy and minimum-impact solution to migration is built into the rearchitecture.

CIO and CTO Changing Role - February 20th, 2010 04:12 PM

In a recent study of over 2,000 CIOs a major firm defined high-growth and low-growth CIOs  who work in organizations with high Profit Before TaxProfit Before Tax growth as "High-growth CIOs" and to those working in organizations with low Profit Before Tax as "Low-growth CIOs."   The characteristics of the role played in each type of firm are different.

IT Infrasturcture Policy Bundle Released - February 15th, 2010 03:50 PM

Janco has combined the policies that it has developedin concert with some of the best IT organizations around the globe into a single package. With this bundle you get a PDF file that has all of the procedures in a single document that is over 210 pages long. It would take your staff months to develop these procedures from scratch. In addition you get a separate MS-Word document for each procedure which can easily be modified.

This bundle contains the following policies:

• Backup and Backup Retention Policy
• Blog and Personal Web Site Policy
• Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy
• Outsourcing Policy
• Record Management, Retention, and Disposition Policy
• Sensitive Information Policy
• Service Level Agreement Policy
• Telecommuting Policy
• Travel, Laptop, PDA and Off-Site Meeting Policy

Blackberrys with car chargers a key component of business continuity - February 11th, 2010 05:04 PM

Business interuptions caused by the East Coast blizzard of 2010 show that BlackBerry are a must have solution.  A blizzard with whiteout conditions, warnings to stay off the roads in the Washington metropolitan area and power interruptions have proven to be no match for teleworkers with access to a BlackBerry smart phone and a car charger.

Many federal employees were 100 percent on BlackBerrys during the outage.  With power losses to homes car chargers were the only way to keep the devices charged.

This is a strategy that gained attention during the one-two punch of blizzard conditions and multiple power outages in the Washington area. For three days in a row, the federal government and many local governments are closed while a second major snowstorm blew through on the heels of a historic snowfall Feb. 8. Utility companies in Washington and Baltimore reporting about 17,000 homes without power in the afternoon.

Many federal employees are relying on their BlackBerrys haven't slowed down one bit.

Feds to increase goverment IT budgets - February 10th, 2010 03:28 PM

President Barack Obama today requested $79.4 billion in spending on information technology projects for fiscal 2011, a 1.2 percent increase from what he proposed in fiscal 2010 and a slight decrease from the $80.6 billion the 2010 budget actually allocated.

The Obama administration has proposed increasing the number of major IT projects. Last fiscal year, the administration proposed handling 781 major IT projects with $40.3 billion. In fiscal 2011, it's proposing 809 major IT projects at $40.4 billion, according to the budget proposal.

Despite modest increases in the budget request, Obama wants IT efforts related to open government and technology modernization to continue in 2011.

For example, work on the General Service Administration’s Citizen Engagement Platform would continue under the 2011 request. Designed to be a resource for all federal agencies, that platform is a collaboration between GSA and the Office of Management and Budget. It is intended to increase the government’s ability to interact and collaborate with the public and provide a cost-effective way for agencies to access tools and guidance related to engagement.

IT Metrics HandiGuide Released by Janco - February 9th, 2010 07:32 AM

Janco Associates, Inc. has just released Version 4.0 of its Metrics for the Internet, Information Technology, and Service Management HandiGuide. New with this version is an indepth presentation of  Service Level Agreements for outsourcing and best paractices.  Janco has developed metrics for enterprises worldwide and is a leader in the field.  The CEO of Janco, Victor Janulaitis said, "With these difficult times many CIOs and CEOs are asking hard questions about the value that IT is contributing to the bottom line.  Metrics are once of the tools necessary to answer those questions.

The Metirics HandiGuide is delivered electronically as a PDF document that is fully bookmarked.  It is over 300 pages in lenght and has detail definitions of metrics as well as example reprorts for over 240 metrics.  A full table of  contents and selected pages can be download at http://e-janco.com/metrics.htm.

How companies protect laptops is an issue - February 3rd, 2010 06:17 PM

More than 50% of organizations surveyed have indicated that they protected sensitive information with encryption software. A further 43% reported the use of asset tracking software. Simply knowing where all mobile computers are located is a powerful security measure, however, traditional IT asset management solutions are designed to track only those laptops that connect to a local area network (LAN) or virtual private network (VPN) connection. For a large proportion of laptop users, returning to head office is an intermittent event - allowing many laptop computers to remain below the radar of IT.

Encryption software is commonly referred to as the computer security fall back. In the event that a computer protected by organizational policy and physical deterrents is stolen, sensitive information on the laptop is made unreadable by encryption. For encryption software to be effective however, laptop users must consistently and accurately follow company encryption policy. Even more worrisome is the fact that more than 30% of companies believe employees are actively involved in the theft of company computers. Armed with the necessary passwords and encryption keys to access data, disgruntled or dishonest employees represent a threat that cannot be addressed by encryption alone.

The common failing of these laptop security measures is the fact that they are heavily reliant on the diligent action of laptop-using employees to remain effective. If a cable lock is not used, an authentication password is taped to the keyboard for convenience or a regular encryption process not completed, organizations remain unnecessarily vulnerable to public data breach. By the same token, complex, expensive and ultimately productivity-dampening security measures may be effective but greatly reduce the benefits of laptop computers. Endpoint security solutions complement other security measures by providing a final, user-independent layer of protection.

Data breaches continine to be CIO's concern - February 1st, 2010 07:41 AM

The FBI received a record number of complaints in 2008, and the associated direct cost of the frauds carried out with stolen data was $265 million versus $235million in 2007.  Adding to this is the challenge of securing personal information and intellectual property data.  Companies are granting access to more systems and information - bank customers access to account balances; workers maintain their own 401k and investment accounts; web shoppers place orders and make purchases with a single click; and business partners work on projects in a collaborative manner online.

To reduce the risk of a data breach or theft, organizations must adopt new tactics.  In addition, companies must address e-mail and Web security along with employing a functional data loss and prevention strategy.  The application of multiple security techniques is required to reduce risk. For example, there must be a way to control spam and block the downloading of malicious software from poisoned Web sites.  In today's open Web 2.0 and social networking environments, companies need a way to defend against attacks and protect secret or sensitive data.  At the same time, they must maintain a flexible and responsive infrastructure to support today's business working habits.

The Janco Security Manual Template has helped over 2,000 enterprises world-wide to  meet these requirements.

Pandemic Disaster Recovery Plans At Risk - February 1st, 2010 07:40 AM

Pandemic disaster recovery planning should consider the impact the H1N1 flu virus could have on the Internet if workers and students are forced to stay home because of the pandemic. Officials at the U.S. Government Accountability Office weighed in on the potential for clogged networks  in a 71 page preport.

Although the issue has been raised before by various ISPs and network carriers, recent worries have focused on securities firms that depend on third parties to clear trades and process payments over the Internet, according to the GAO.

"Internet congestion during a severe pandemic that hampers teleworkers is anticipated, but responsible government agencies have not developed plans to to address such congestion and may lack clear authority to act," the GAO warned.

Internet backbone congestion from a pandemic is not a major concern. The larger problem may be with the network "edge" or "last mile" in the residential portion of the Internet. Janco says that work-at-home strategies for organization may not work as advertized as residential Internet access may not be sufficient.  This is true both from a capacity and bandwidth at work at home sites.

Often many residential DSL users could share a single DSLAM connection at the carrier's switching office to reach the backbone, contributing to congestion problems. Last-mile DSL and cable modem networks are where remote access falls apart.

While the network edge impact would vary by neighborhood, the Centers for Disease Control planning guideline that assumes 40 percent of the workforce might not be in the workplace for an extended period of time during a pandemic.

Best Practices for CIOs and IT Departments - February 1st, 2010 07:40 AM

Business continuity is not just a good business practice - it can mean success or failure if data and applications on a production server are lost. Disaster recovery planning ensures organizations have the capability to continue essential functions across a wide range of situations that could disrupt normal operations. High availability is the cornerstone for most business continuity plans and is one of the reasons for evaluating and deploying data protection solutions. However, traditional data protection strategies focus on just the data and not the application.

CIOs and IT departments design the organization's infrastructure with continuity of business operations in mind. However, most organizations are not doing enough to protect mission-critical data, applications and systems from unexpected disruption and potential loss -- volatilities, such as viruses, power outages, natural disasters, corruption, human error and media failures can't always be prevented. Environments today are characterized by rapid data growth, complexity, stringent business requirements and the increasing government regulations, making it difficult for organizations to get their arms around their data protection strategies. In many cases, the focus is on just protecting data - not necessarily on recovering it. And when there is a focus on recovery, it usually involves just making data available to an application.

Audit Fatigue is Setting In for Some - February 1st, 2010 07:39 AM

(Internet Research Group) - Regulation is a part of business, regardless of company size, industry, or geography. In addition, for the most part, the larger the enterprise, the larger the potential for non-compliance risk. Non-compliance can mean a number of things - sanctions, fines, legal action, market value impact, and the cost of remediation may exceed the perceived cost of prevention. Audit program is required

The results are supportive of the term audit fatigue, that unmanaged IT Audit efforts within regulated organizations have a negative business impact on IT resources and reduce IT efficiency. However, respondents are largely aware of and interested in tools to automate audit processes and controls as a means of overcoming audit fatigue and freeing up IT budget and resources for innovation rather than compliance. This results in the following:

• Compliance impact is increasing, resulting in high audit frequency and number: As can be expected, larger organizations must satisfy a number of IT audits. Small to mid-sized enterprises (SMB’s) are also subject to an increased level of compliance requirements - resulting in higher than expected IT audit engagements. Given the lack of consistent IT standards across industries and geographies for audit criteria and reporting, compliance efforts - i.e., IT audit and remediation - are largely manual.
• Audit costs are unmanaged, resulting in increased cost: Many respondents conduct audits on an ad-hoc basis rather than as a scheduled effort of an enterprise risk-management program. Given the inability to forecast audit and remediation, spending, budgetary control is lost - exacerbating the perceived impact of compliance efforts.
• Lack of controls automation, limited process maturity: Audit fatigue can be attributed to lack of controls automation and unmanaged IT Audit processes. Limited controls maturity - i.e., repeatable and sustainable controls enforcement and audit processes -  constrains IT innovation due to uncontrolled costs associated with IT Audit and issue remediation.
• Security Policies and Procedures missing

CIOs controlling costs in the new year - February 1st, 2010 07:31 AM

As CIOs move into the New Year they are faced with reduced budgets and rising cost.  One of the first things that are doing is establishing standardized metrics to identify and control costs. Metrics are the key

As that process proceeds Janco suggests that CIO then do the following to control costs in the new year:

• Justify hardware and applications - Underutilized or old systems should be taken out, and workloads should be shifted to more-efficient hardware. Rationalization and consolidation programs can reduce the number of servers deployed.
• Consolidate data center sites and server farms - Financial savings often follow consolidation of multiple sites into a small number of larger sites.
  Manage energy and facilities cost. Tools and techniques include raising the temperature of the data center to 75 degrees Fahrenheit, using outside air when possible as an alternative to air conditioning, setting up hot aisle/cold aisle configurations and deploying server-based energy management software tools to run workloads the most energy-efficient way
• Manage the employee and contractor costs - Workers remain the single largest cost element for most IT organizations, accounting for as much as 50% of overall costs.
•  Eliminate or defer procurement of new assets - Servers' useful life often exceeds their amortized life, so monitor the condition of hardware carefully.
• Monitor energy consumption - Advanced monitoring, modeling, and measuring techniques and processes are essential to the adoption of many new technologies and going green.

Security Manual Template - January 31st, 2010 03:59 PM

As enterprises move more of their business transactions online, they face the challenge of defending a perimeter that grows increasingly porous. The network firewalls that once locked down the enterprise perimeter are ineffective against Web-based threats such as SQL, Cross Site Scripting, and DDoS attacks. By exploiting common Web application security flaws, the attacks are able to cause tremendous business disruption, particularly through the theft of sensitive enterprise information as well as customer and employee personal data.

Safety Program Updated by Janco - January 27th, 2010 05:39 PM

Effective management of worker safety and health protection is a decisive factor in reducing the extent and the severity of work-related injuries and illnesses. Effective management addresses all work-related hazards, including the potential hazards that could result from a change in worksite conditions or practices. Additionally, it addresses hazards whether or not they are regulated by government standards.

The electronic document includes proven written text and examples for the following major sections of a disaster recovery plan:

• Policy Statement
• Safety Rules - including a check list of standard proven rules
• Accident Investigation Process
• Hazard Recognition and Control
• Safety Committee including membership and procedures
• Training including guidelines for orientation, job instruction, Supervisor training as well as specialized training
• Communication including for management and employees
• Record Keeping including inspection; accident investigation; training and coordination with Safety Committee.
• Job Description for Safety Director (ADA compliant)
• Technical Appendix including definition of necessary phone numbers and contact points; and sample forms:
  • First Report of Injury
  • Safety Audit Checklist
  • Alternate Work site Safety Checklist (i.e. work at home)

There is an extensive description that shows how a full test of the Safety Program can be conducted. 

Security Manual TemplategGives CIOs one more tool - January 23rd, 2010 07:02 AM

A business-driven approach to security is differant than a technology-centric approach in that the business goals drive the requirements in securing the enterprise. Many enterprises take a bottoms-up approach to security since security solution vendors, more often than not, promote this approach to their clients. To close identified security gaps, enterprises broaden and bolster their defenses by continually building on top of or adding to their existing security investments. This technology-centric methodology often creates an excessively complex and disjointed security infrastructure. It becomes difficult to manage and prone to unseen vulnerability gaps, needlessly escalates IT costs and eventually fosters unnecessary operational inefficiencies that inhibit business growth rather than enhance it.Instead of trying to protect against every conceivable threat, organizations should understand and prioritize the security risk management activities that make the most sense for their organization. By understanding the level of risk tolerance within an organization, the IT team can more easily focus on mitigating risks that the organization can’t afford to neglect. Overemphasizing certain risks leads to wasted resources and efforts, while underemphasizing others can have disastrous consequences.

The Janco Security Manual template addresses these issues and is a quick way for CIOs to overcome these issues.

How to establish a telecommunting policy - Infrastructure - January 17th, 2010 11:16 PM

Organizations that have or want to establish a companywide telecommuting program should establish a formal, written telecommuting policy document that is regularly reviewed and updated by IT, human resources, legal, and finance. This will ensure that managers and the corporate services and technical support groups within the organization are aware of their respective role and responsibilities for enabling and supporting telecommuting. It also will help ensure that telecommuting employees know about their responsibilities too, along with new company and approved third-party applications and support services available outside company facilities. - more information

Feds peg unemployment at beyond 10% - January 9th, 2010 08:54 AM

The federal government's recent jobs report pegs unemployment at 10 percent (arguable, maybe). So, what's the outlook in IT? Two recent studies tell us that it's still the winter of our recession.

Janco Associates' most recent report shows IT hiring and spending to be as frigid as the weather fronts sweeping across the U.S. -- and salaries are just as icy. A study from Computer Economics mirrors Janco's report in IT hiring. But then it offers a ray of sunshine, predicting that those who plan to spend more has jumped from 11 percent in 2009 to 52 percent in 2010.