Security lacking at SEC

Security lacking at SEC according to GAO

Security is not as good as it should be at the Securities and Exchange Commission (SEC). The SEC needs to strengthen its information security and better control access to one of its key financial systems, according to a report by the Government Accountability Office (GAO).

The GAO said financial data became vulnerable during a migration to a new production environment because the SEC did not appropriately monitor the company handling the transfer.

“Specifically, SEC did not consistently provide adequate contractor oversight and implement an effective risk management process during the migration to the new production environment at its data center in June 2013,” the report states. “SEC relied on a contractor to migrate the key financial system to a new production environment, which included the completion of critical security-related tasks.”

However, “SEC officials did not review the system’s security and project migration plans to verify that security-related roles, resources and responsibilities were identified,” the GAO report states.


The GAO also said the system has weaknesses in access controls, configuration and patch management, separation of duties, and disaster recovery planning. Although GAO proposed two recommendations in its public report, a separate report with limited distribution outlined 49 actions SEC officials need to take to address the weaknesses.

“At the time of the migration, our new automated system compliance oversight tools were not yet fully deployed to that particular environment,” SEC officials wrote in response. “The appropriate level of attention was not applied to contractor oversight during the migration of the financial system identified in your report. As a result, that particular system was deployed without meeting our configuration requirements.”

They went on to say the new system was immediately shut down and access reverted to the properly configured environment as soon as GAO alerted them to the issues.

SEC officials agreed that their risk management process needs to be strengthened but said the missteps during the migration were not a true indicator of their approach to security.

“While we regret the lack of contractor oversight of the system migration, we remain confident that our layered defense architecture would have allowed us to detect and respond to attempted intrusions in a timely fashion, and our forensic investigation yielded no evidence of compromise to that system,” they wrote.


Password Requirements and Management Issues

Password Requirements

  1. Passwords should not be reused across accounts; each account should have its own. (Single-sign-on services and password managers make this practical, but they concentrate risk: the SSO account or the manager's master credential becomes a single point of failure and has to be protected accordingly.)
  2. A password that is written down must be kept in a secure place. (That is workable in an office or at home, but not when travelling, where there is no such place and a memo carried with the mobile device it unlocks will be found together with the device.)
  3. Whether the system uses multi-factor authentication, biometrics or identity federation, a reliable password, the factor that confirms the user's own volition, remains a fundamental prerequisite.

Two limitations work against frequent password resets:

  • Humans can firmly remember only about 5 textual passwords on average.
  • Existing password authentication systems are still all text-based, even though that limit could be eased by expanding them to accept pictures drawn from episodic or autobiographical memory alongside conventional textual passwords.

Examples of invalid or poorly chosen passwords:

  • Your login ID.
  • Names of co-workers, pets, family, etc.
  • Phone numbers, license numbers, or birthdays.
  • Simple passwords like “asdf” (adjacent keys on a keyboard).
  • Words that can be found in a dictionary.

Examples of passwords that satisfy the rules above (for illustration only; do not use any of these as an actual password):

  • A name, modified slightly, like “b0b$mith” or “M@ryL0ng”.
  • A phrase you can remember, like “hello world” modified to “hel10@World”.
  • “tL*5i?wu” (a mix of letters, special characters and numbers).

Two caveats. Substituting “0” for “o” or “$” for “s” in a name or dictionary word adds very little: password-cracking tools try exactly these substitutions as standard rules, so the first two patterns should be regarded as a floor, not a target. And length counts for more than character variety; an eight-character password of any composition falls to offline guessing far sooner than a longer one. Even though it is not a rule, it is strongly recommended that you use a combination of both upper and lower case letters.
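The rejection rules above can be enforced mechanically at password-change time. The Python below is an added example written for this page, not code from the original post: it screens a candidate password against the user's login ID and personal names, personal number strings (phone, birthday, licence), keyboard runs such as “asdf” and a word list, undoing the common digit-for-letter substitutions first so that “b0b$mith” is recognised as “bobsmith”. The sample user record, the seven-word list, the 12-character minimum and the three-character-class rule are constructed assumptions for the example, not figures stated on the page.

```python
import re

# Constructed sample data for this example (not from the page): the user's
# login ID, the names the rules say to avoid (self, family, pets, co-workers)
# and personal number strings (phone, birthday, licence plate).
SAMPLE_USER = {
    "login": "bsmith",
    "names": ["Bob", "Smith", "Mary", "Rex", "Alice"],
    "numbers": ["5551234567", "19800214", "ABC1234"],
}
# A toy word list; a real deployment would load a full dictionary or a
# breached-password list here.
SAMPLE_DICTIONARY = ("hello", "world", "smith", "long", "mary", "password", "welcome")

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Common digit/symbol-for-letter substitutions. Cracking tools apply these
# same rules, so the check must undo them before looking for words.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})


def normalize(password):
    """Lowercase and undo leet substitutions: 'M@ryL0ng' -> 'marylong'."""
    return password.lower().translate(LEET)


def has_keyboard_walk(password, run=4):
    """True if the password contains `run` adjacent keys from one row, in either direction."""
    s = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            fragment = row[i:i + run]
            if fragment in s or fragment[::-1] in s:
                return True
    return False


def check_password(password, user=SAMPLE_USER, dictionary=SAMPLE_DICTIONARY, min_len=12):
    """Return the list of reasons a password is rejected; an empty list means it passes.

    The 12-character minimum and the three-character-class rule are assumptions
    made for this example; the page states neither as a number.
    """
    reasons = []
    plain = normalize(password)

    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if user["login"].lower() in plain:
        reasons.append("contains the login ID")
    for name in user["names"]:
        if len(name) >= 3 and name.lower() in plain:
            reasons.append(f"contains the name '{name}'")
    # Any run of four or more digits that occurs inside a phone number,
    # birthday or licence number is treated as personal data.
    for digits in re.findall(r"\d{4,}", password):
        if any(digits in number for number in user["numbers"]):
            reasons.append(f"contains personal number fragment '{digits}'")
    if has_keyboard_walk(password):
        reasons.append("contains a keyboard sequence")
    for word in dictionary:
        if len(word) >= 4 and word in plain:
            reasons.append(f"contains dictionary word '{word}' once substitutions are undone")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ("b0b$mith", "M@ryL0ng", "hel10@World", "tL*5i?wu", "Vq7#kLm2$pXw9!"):
        verdict = check_password(candidate)
        print(f"{candidate:16} {'OK' if not verdict else '; '.join(verdict)}")
```

Run against the page's own examples, every one is rejected: the first three because undoing the substitutions exposes names and dictionary words, and “tL*5i?wu” only because it is shorter than the assumed minimum. The normalisation step is the part worth keeping whatever word list you substitute, because it is the same rule set a cracking tool applies.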


H-1B extension stuck due to Senate Democrat’s Immigration Reform Plans


In a letter to the CEOs of Accenture, Amazon, Cisco, Deloitte, Facebook, Google, IBM, Intel, Microsoft and Oracle, Sen. Richard Durbin (D-Ill.) said an H-1B cap increase can only come as part of a comprehensive immigration reform bill.

Durbin’s letter is a response to concerns from comprehensive immigration reform proponents that House Republicans, at the urging of the tech lobby, may try to push a standalone H-1B hike.

In June last year, the Senate approved a comprehensive immigration bill that raises the base 65,000 H-1B cap to 115,000. The bill also includes an escalator that can raise it to 180,000. The visa limit for advanced degree graduates of U.S. universities would rise from 20,000 to 25,000 and be restricted to STEM grads.

On the same day the Senate took its final vote on immigration reform, the House Judiciary Committee approved a standalone H-1B bill, the Skills Visa Act, which would raise the base H-1B cap to 155,000 and the advanced degree cap to 40,000.

The Skills bill was approved without Democratic support, and the ability of the Republicans to get standalone legislation approved in the full House is in doubt. But even if Republicans succeed in getting something passed, Durbin is telling them that such a bill would go nowhere in the Senate.

Compete America, a major industry lobby group on immigration, earlier this month sent out a statement urging the House to approve the Skills bill. That statement seems to have angered Durbin.

The Senator thought that high tech was committed to supporting comprehensive immigration reform because the industry’s top priorities are addressed in that legislation.

Comprehensive immigration reform proponents have long believed that their path to success means linking an H-1B increase to the legalization of millions of undocumented people.

Offshore firms have been adding employees by the thousands as their revenues increase. India-based Infosys led the list in 2013 with 6,298 visas approved, just edging out Tata (also India-based), which had 6,258 visas approved last year. Cognizant, a New Jersey-based IT services provider with major operations overseas, led the list in 2012 but dropped to third: 5,186 visas in 2013, versus 9,281 approved in 2012 and 5,095 in 2011.


H-1B Visas taken up by outsourcers

H-1B visas are used by outsourcers who move US jobs overseas

Offshore outsourcing companies continued to make up the majority of the top H-1B visa users in 2013, according to the latest government data.

These offshore firms have been adding employees by the thousands as their revenues increase. India-based Infosys led the list in 2013 with 6,298 visas approved, just edging out Tata (also India-based), which had 6,258 visas approved last year. Cognizant, a New Jersey-based IT services provider with major operations overseas, led the list in 2012 but dropped to third: 5,186 visas in 2013, versus 9,281 approved in 2012 and 5,095 in 2011.


Employee Recognition as a Motivator

Employee recognition should be a critical component of a company's culture and a key motivator. On average, 1-2% of payroll is spent on awards and programs for employee recognition and reward.

It is much more cost effective to keep a good employee than to hire a new one, train them, and hope they perform as well.


Studies show that companies with traditional employee recognition programs have 31% lower voluntary turnover than companies without any program. Even so, only 17% of HR professionals in this survey believed their company strongly supported and recognized outstanding employee performance.

On the negative side, many employees view traditional employee recognition programs as just another “top-down” management scheme. They see it as a public judgment, by management, of a small handful of employees, without peer input or opinion. Unrewarded employees often feel the system is biased or unfair. Some rewarded employees feel manipulated or singled out by management, and the whole process creates an “us versus them” environment. Very counterproductive!

By contrast, organizations giving regular or routine “employee thanks” (Microsoft, Google and Facebook among them) have been found to outperform their traditional counterparts, giving those employers a better ROI and improving retention of high-performing employees. These “new generation” approaches include:

  • Easy and frequent recognition, such as recognizing outstanding achievements during regularly scheduled conference calls within departments or business units.
  • Awards for specific, results-driven successes. This is not a typical “employee of the month” award, but an award for a specific action or service during a specific time or event.
  • Rewards for all employees based on company performance.
  • Letting peers nominate for, or drive, the rewards program.
  • Story-telling about great employees by highlighting their achievements in an internal newsletter or the company blog (so that customers see the value your employees bring them).
  • Tying recognition to the company's mission, vision, purpose or goals, which gives a better boost to engagement with the recognition program.


Working long hours is not healthy for employees

A recent Forbes.com article discussed the health concerns of employees working in excess of 8 hours per day and 60+ hours per week. Medical experts are seeing the signs of stress in employees who “binge work.” Heart disease and psychological stress are the leading causes of employees’ medical problems.  Further, binge-working can also have a disastrous effect on your family and social life away from work.


Employees logging excessive hours also fall into unhealthy traps: over-eating, binge drinking (caffeinated and alcoholic beverages) and not following any type of exercise routine. Often these habits lead to symptoms of exhaustion and depression, which in turn increase requests for sick leave. In some cases binge working produces poorer performance than if the employee had simply worked a regular 40-hour week.

You might believe technology is to blame, with employees accessing email and instant messages at all hours of the day and night and responding to colleagues 24/7. But is it really the root cause?

Younger employees, determined to make certain their future is secure with their current employer, often take to social media to document (brag about) their long hours. We have already seen news reports of deaths from working excessive hours among young banking and marketing professionals in Indonesia, China and the UK.


Study Shows Demand for IT Jobs is Down

Demand for IT jobs down for key positions in the IT Infrastructure

A recent Computerworld article listed the 11 most in-demand positions in IT organizations. That data (source: BLS) also showed that, in year-over-year comparisons, demand was down for only 4 of the 11 positions. The chart below is extracted from the data presented in the article.

Granted, the data only runs through 2012, but it agrees completely with what Janco Associates has been reporting for the last several quarters.

See these historical press releases and clipping for 2013 and 2014:


Foreign students getting around H-1B visa requirements

In 2008, the U.S. government changed the rules on student visas and allowed foreign science, technology, engineering and math (STEM) students to work in the U.S. for up to 29 months without an H-1B visa. Students could previously only work for 12 months before they had to get an H-1B visa.

President George W. Bush approved the Optional Practical Training (OPT) program extension for STEM students, and that year the U.S. approved 28,500 OPT applications.

The following year, the number of approved OPT applications more than tripled to 90,900, and has increased every year since.  President Obama also backed the program and expanded the number of fields included.

In 2013 the U.S. approved 123,000 Optional Practical Training (OPT) applications, according to a report titled “Student and Exchange Visitor Program” issued in February by the U.S. Government Accountability Office (GAO). The report states that in the last six years, a total of 560,000 students have received OPT approvals.

The GAO said it found officials who said the program “is at risk for fraud and noncompliance, in part, because it enables eligible foreign students to work in the United States for extended periods of time without obtaining a temporary work visa.” The report raises further concerns, and its title says “DHS needs to assess risks and strengthen oversight of foreign students with employment authorization.”

Without the OPT program, students would need to seek a temporary work visa, an H-1B visa. Interestingly, when the OPT extension was first approved, critics attacked it as nothing more than a backdoor expansion of the H-1B program. At the time the OPT was expanded in 2008, the H-1B cap was being exhausted rapidly.

The GAO report recommends that U.S. immigration officials do more to ensure that colleges and employers are complying with OPT rules.

To Read the full report go to http://gao.gov/assets/670/661192.pdf


Disaster Recovery and Business Continuity Template Update Released

Janco released Version 8 of its Disaster Recovery Business Continuity Template. It now includes 17 electronic forms and a new Business Impact Analysis tool

Janco Associates has just released version 8.0 of its industry standard Disaster Recovery Business Continuity Template.

Over 3,000 companies from 150 countries have selected the Janco Disaster Recovery Business Continuity Template as their product of choice.

Included with this version are 9 specific electronic forms to help create and keep the plan up to date and 8 electronic forms that can be used during the execution of the plan which will aid in compliance with a company’s safety program during a recovery process.

Many of the best features of the template are newly created electronic forms and best practices that are clearly defined within the product. Also included is a Business Impact Analysis updated for mobile devices and BYOD.

The Disaster Recovery and Business Continuity template is delivered electronically as an easily modifiable Microsoft Word document. The template is over 250 pages long and includes everything needed to customize the Disaster Recovery Plan to fit an organization's specific requirements, with proven written text and examples. Included are:

  • Business Impact Analysis, including a sample impact matrix
  • Organization responsibilities pre- and post-disaster, with a DRP checklist
  • Backup strategy for data centers, departmental file servers, wireless network servers, data at outsourced sites, desktops (in office and at home), laptops, PDAs and BYOD
  • Recovery strategy, including approach, escalation plan process and decision points
  • Disaster recovery procedures in a checklist format
  • Incident/media communication plan
  • Plan administration process
  • Technical appendix, including definition of contact points
  • Job description for the Disaster Recovery Manager (3 pages long); job descriptions for the entire disaster recovery team are also available in the premium version of the offering
  • A work plan to modify and implement the template


CIOs are looking for security professionals

Security professionals are in high demand

According to recent data, 25% of enterprise (more than 1,000 employees) and mid-market (250 to 999 employees) organizations say they have a “problematic shortage” of IT security skills. In addition, of those organizations planning to add IT headcount in 2014, 42% say they will hire IT security professionals, the highest percentage for any role. In other words, more organizations plan to hire IT security professionals than any other role within IT.

Clearly, organizations are under-staffed when it comes to cybersecurity, but that’s not their only problem. Many firms employ security professionals who lack the right skills to get the job done. When surveyors asked enterprise security professionals to identify their biggest challenges around incident detection/response, 39% said that they lacked an adequate staff while 28% claimed that they lacked the adequate analytic skills. Alarmingly, many organizations are under-staffed AND under-skilled.


Top 10 Data Security Risks for Cloud Storage

There is tremendous anxiety about security risks in the cloud. CIOs and CSOs worry whether they can trust their users (both internal and external to the enterprise) or need to implement additional internal controls in the private cloud, and whether third-party providers can provide adequate protection in multi-tenant environments that may also store competitor data.

There are ten data security challenges in the cloud:

  1. Protection of confidential business, government, or regulatory data
  2. Detection of data breaches
  3. Coordination with the enterprise record management for document retention and destruction
  4. Cloud service models with multiple tenants sharing the same infrastructure
  5. Viability of the service provider in case of a business disruption or financial failure
  6. Data mobility and legal issues relative to such government rules as the EU Data Protection Directive
  7. Lack of standards about how cloud service providers securely recycle disk space and erase existing data
  8. Auditing, reporting, and compliance concerns
  9. Loss of visibility to key security and operational intelligence that no longer is available to feed enterprise IT security intelligence and risk management
  10. An insider who does not even work for your company, but may have control and visibility into your data


Google kill switch could kill your disaster recovery

When you are trying to restore operations after a disaster, you do not want anything in the way that could make the recovery fail. Google's Chrome extension policy is one such thing.


Google's latest Chrome update did just that. Only extensions that originate from the Chrome Web Store, Google's official distribution channel, can now be installed. The new policy currently affects only users of the Windows version of Chrome.

Chrome also throws a “kill switch” on extensions that had previously been installed from sources other than the Chrome Web Store. Google calls this a “hard-disable”: the user cannot re-enable the add-on.

So if a mission-critical application depends on a browser extension that was side-loaded rather than distributed through the Web Store, Google can kill it, and you no longer have complete control of your recovery environment. The caveat is that extensions deployed through Chrome's enterprise policy settings, and unpacked extensions loaded in developer mode, were exempt from the change, so a managed deployment is the way to keep such an extension under your own control; verify that the exemption still applies to the Chrome version named in your recovery plan before relying on it.


10 hot new jobs in IT


As technology changes new jobs titles are appearing in IT.  The 10 hot new jobs that have high demand are:

  1. Chief Digital Officer – The Chief Digital Officer (CDO) helps a company drive growth by converting traditional “analog” businesses to digital ones, and oversees operations in rapidly changing digital sectors such as mobile applications, social media and related applications, virtual goods, and web-based information management and marketing.
  2. Chief Mobility Officer – The Chief Mobility Officer (CMO) is responsible for the overall direction of all mobility issues associated with Information Technology applications, communications (voice and data) and computing services within the enterprise.
  3. Manager Vendor Management – The Manager Vendor Management is a key player in an IT department's interactions with its suppliers of hardware, software and services, and provides product and service purchasing guidance for the department.
  4. Manager Video and Web Content – The Manager Video and Website Content is responsible for developing the voice for all aspects of the organization's online presence. In addition to writing, editing and proofreading site content, this person works closely with the technical team to maintain site standards for new development, and crafts site promotions, email newsletters and online outreach campaigns.
  5. Project Manager ERP – The Project Manager Enterprise Resource Planning (ERP) oversees the ERP project team, which is responsible for the enterprise database systems and transaction processing, including transaction processing security, resource monitoring and reporting, and the development of specialized programs. The Project Manager ERP coordinates transaction processing software issues with other IT organizations, including applications and operations.
  6. Supervisor BYOD Support – The Supervisor BYOD Support is responsible for the overall coordination, control and maintenance of personal mobile devices within the enterprise, to ensure compatibility and integration with enterprise strategies.
  7. BYOD Support Specialist – The BYOD Support Specialist is responsible for the overall coordination, control and maintenance of all BYOD devices within the enterprise, to ensure compatibility and integration with enterprise strategies.
  8. Cloud Computing Architect – The Cloud Computing Architect provides the technical leadership and direction for virtualization-related architectural projects and issues, working through the prioritization process with the appropriate groups.
  9. ERP Architect – The Enterprise Resource Planning (ERP) Architect provides the technical leadership and direction for ERP-related architectural projects and issues, working through the prioritization process with the appropriate groups.
  10. Audio Visual Technician – The Audio Visual Technician operates, schedules and maintains audiovisual services for the enterprise, and is responsible for the audio and visual aspects of the company's external presence, including company websites and blogs.

Top 10 interview best practices

Top 10 interview best practices for recruiting

Top 10 best practices that every interviewer should follow. Even in a bad employment market, candidates still need to say yes when they are offered a position. It is up to the company and its recruiters to create a situation that ensures that when they make an offer it is accepted. Here are the top 10 things recruiters need to do when they are hiring.


  1. Make the right first impression — Job candidates know to put their best foot forward, but companies in hiring mode can forget to do the same. That includes everything from seeing that the office receptionist greets the candidate and treats them with respect, to company employees smiling and saying hello as the candidate walks to and from the interview.  Creating a recruitment-friendly atmosphere is the job of the whole company. You should never underestimate how important a compelling company culture is to the overall hiring process.
  2. Have a complete and accurate job description – If the position is not clear to the hiring manager, they will not be able to explain it to the candidate. The description should have a good summary that is posted or placed in the ad, in addition to the full version, which should be understood before the interview starts.
  3. Have the candidate review the job description before the interview – If the candidate knows the roles and responsibilities of the position, they will be much more likely to give a good picture of how they could fill the role.
  4. Communicate to the candidate what the interview will entail – Let the candidate know how much time the interview will take. If there is testing of any sort they should be aware of it, especially if there is a personality or psychological testing process.
  5. Be prompt – If the interview is scheduled for 3:00, start it at that time. Have a replacement interviewer ready in case the scheduled recruiter is called away for any reason.
  6. Allow no interruptions – Focus on the candidate. Turn off your cell phone and email notifications. Put your office line on Do Not Disturb. Do not have anything between you and the candidate, such as a computer display.
  7. Prepare for the interview – Know who the candidate is and have a set of questions ready.
  8. Have materials for the candidate on hand – If the recruiter is going to provide any materials, see that they are ready, with a post-it note carrying the candidate's name. That shows the candidate they were important enough for the company to prepare materials in advance.
  9. Be enthusiastic – The recruiter should be positive and enthusiastic not only about the job being filled but also about the company.
  10. Provide a set of next steps at the end of the interview – Tell the candidate what will happen next and when. Do not take too long to make a decision and/or schedule a follow-up interview.

Mobile data traffic is poised to explode

Janco Associates predicts an explosion of mobile data traffic. There will be more mobile users, nearly 5 billion by 2018 (up from 4.1 billion in 2013), and more than 10 billion mobile-ready devices, including machine-to-machine connections, by then (up from 7 billion in 2013). Mobile video will account for 69% of all mobile data by 2018, up from about 53% in 2013.


Mobile data is expected to grow by 11 times in the next four years, reaching 18 exabytes per month by 2018. An exabyte is 1 billion gigabytes.

Mobile data traffic is expected to grow by 61% annually into 2018, with the extra traffic from just one year — 2017 — expected to be triple the entire mobile Internet in 2013.

Cisco forecasts that average global network speeds will almost double from 1.4Mbps in 2013 to 2.5Mbps by 2018. Speeds will be higher in the U.S. where LTE often gives users more than 1Mbps for downloads. Cisco added wearables to its annual study of mobile traffic for the first time this year. In all, there were 21.7 million wearable devices in use globally in 2013, a number expected to reach 176.9 million by 2018, Cisco said.

Most of this wearable device traffic will continue to be channeled through smartphones, using the smartphone as a hub. The share going through smartphones is now about 99% and will drop to 87% by 2018.

Cisco conducted a test using Google Glass to look at the traffic it generated. Over 16 days, the total data moved wirelessly via cellular or Wi-Fi was 263MB, with 101MB from Google Play, about 29MB from Google Play Music and 28MB from YouTube. MyGlass took 24MB, while Maps took 17MB.

The demands of a device like Google Glass might not be all that dramatic in terms of total data traffic imposed on a wireless network, but each app or service places its own demands on connections, and the question is how well a network can handle those demands at once, even for a single user.
