Security is a pipe-dream

Security Pipe Dream for many

Security is a pipe-dream,  few enterprises are fully protected from events that have occurred in the past several months.  All one has to do is to look at the recent cyber attacks at Uber and Experian. In both of those cases, the CIO and/or  CSO were blamed and left the organization.

Not many CIOs and CSOs feel they have 100% of their security risks covered. In a recent survey that was published in NetworkWorld:

  • 55% said that was the case
  • 40% said they hope the had all of their security bases covered
  • 6% said that they did

With only 6% saying they had all of their bases covered there are many opportunities for security hackers and data breachers to attack the systems in place.

Now that we know that a security breach may occur, how sure are these same CIOs and CSOs that they will be able to react in time? The first step is detection that a hack or breach has occurred. In another survey by Janco Associates, we found that in midsized and large enterprises:

  • 35% had a detection solution in place and they automatically quarantined the server(s)
  • 43% had a detection solution in place but had to “manually” quarantine the server(s)
  • 23% had to “manually” put the server(s) offline when they found out they had a problem

When you put these two sets of data together, you conclude that less than 2% of enterprises are protected adequately enough to prevent a major security hack or breach occurs.

Disaster Recovery / Business Continuity &
Security Template Bundle

ISO 27000, Sarbanes-Oxley, and HIPAA Compliant
PCI-DSS Compliant

Order DRP BCP SecuritySample DRP Security Manual

Experts Agree You Should Update Your Plan Annually

Security is a critical concern during the recovery process

It goes without saying that every company, regardless of size, needs a concise business continuity plan in case of an emergency. If you don’t have a disaster recovery plan or haven’t updated yours recently, now is the time to take this critical step to protect your business.

Security Vulnerability Analysis Tool

Security Vulnerability Analysis Tool and BIA in Template

Security Manual Template
Security Manual Template contains all of the procedures need to support a world class security infrastructure. Contain BIA and Threat assessment tools.

Security Vulnerability Analysis Tool is not included as part of Janco’s Security Manual Template.  Firewalls have become ubiquitous across enterprises over the past decade, but the combination of new and varied access methods combined with increasingly sophisticated attacks has forced network operators and security professionals to constantly evaluate their defenses. When deploying a next-generation firewall there are many  factors to consider.

The Security Manual template now includes the latest Threat Vulnerability Analysis Tools.  They are proven and ready to use.

One of the really great features are all of the electronic forms that come with the Security Manual Template.

Read on SecurityOrder Security ManualDownload Selected Security Manual Pages

Threat and Vulnerability Tool – Best in Class according to IT Productivity Center

Threat and Vulnerability Tool – Best in Class according to IT Productivity Center

Threat Vulnerability Assessment Tool Best in class
The purpose of a Threat Risk Assessment (TRA) is to categorize enterprise assets, examine the different “threats” that may jeopardize them, and identify and correct the most immediate and obvious security concerns.

Threat and Vulnerability Tool – Best in Class award concurrent with the release of Version 4.o.  Janco is proud to announce it has recieved a Best in Class by the IT Productivity Center.  This is the third time the IT Productivity Center has issued an award to Janco for this tool.

One of the added features of version 4.0 is that it now comes not only in MS Word and PDF formats, but it also comes as an ePub (eReader) document that can easily be distributed to smartphones, tablets, and desktops.

The Tool comes with a work plan that can be used to conduct the Threat and Vulnerability Assessment as well as a definition of the components of the process including:

  • Administrative Safeguards
  • Logical Safeguards
  • Physical Safeguards

One of the additional features of this template is that it can be used as the core of an enterprises compliance program.

This tool is also included with the Disaster Recovery / Business Continuity Template and the Security Manual Template.

DR/BC Plans and Security Procedures have errors

DR/BC Plans and Security Procedures errors

DR/BC Plans and Security Procedures errors – Janco has reviewed the recovery processes of 148 enterprises that were impacted by the recent hurricanes, fires, miscellaneous business disruption events and found that 53% had some significant error(s) or omission(s) in their DR/BC Plans and/or security procedures. Many were attributed to the length of the business interruption event and the lack of supporting infrastructure such as cell communication (Puerto Rico) or shortage of fuel for back up generators.

Only 17% of enterprises that had major business disruption events in the summer and fall of 2017 had no major issues with their DR/BC plan activation process and security procedures

Janco is currently in the process of determining what were the causes for these defect.  Preliminary  findings are that as a result of the slow economy enterprise cut back on the maintenance of core infrastructure.  This included updating existing DR/BC plans Security procedures with changes, training in those areas, and people being reassigned or leaving the enterprise that were critical for these processes.

Janco’s Solution

Janco has added 17 electronic forms to alleviate this problem in DR/BC plan and its Security Manual Template. Included as a bonus is an eReader format of both templates.  The forms can be completed via tablets and smartphones and stored in a remote cloud location.  With the included security and DR/BC audit programs, it now is easier to highlight those areas of existing plans and procedures which need work to guarantee compliance with security mandates and success in the recovery process.

Security and DR - BC Read onOrder DRP BCP SecurityDownload Table of Contents Security and DRP templates

10 Reasons why Chip Readers

10 Reasons why Chip Readers used by merchants

10 Reason why Chip Readers10 Reasons why Chip Readers usage will expand.

  1. Credit card chip usage improves the security landscape
  2. Required for compliance
  3. Merchants pay a lower fee
  4. Physical card is required for in-store transactions
  5. Credit card chips reduce counterfeit card fraud: Countries that have been using chip cards for many years have seen significant reductions in counterfeit card fraud. In the UK, for example, counterfeit card losses have been reduced by 70%.
  6. An increased number of chip cards in consumers’ possession: over 600 million chip cards have been issued in the U.S. as of the end of 2016.
  7. Majority of all retail outlets now accept chip cards: almost 90% of all travel, entertainment, and high-cost retail operations accept chip cards
  8. Swipe and insert versus manually keying in card information is more accuracte
  9. Daily settlement of transactions for merchants
  10. Get accurate customer information: For online transactions validate customers’ billing and address information is entered correctly.

Read on…

Order Omni Commerce Planning ToolkitDownload Selected Pages of omni commerce strategy

China Hidden Competitive Advantage

China Hidden Competitive Advantage – China Owns Key Technology Media  Firms

China Hidden Competitive Advantage
China may control reporting on Best Practices for IT Infrastructure

China Hidden Competitive Advantage – Should the US be concerned that key technology firms and publications are now owned by China?  In March of 2017, China Oceanwide completed its acquisition of IDG.  China Oceanwide is an international conglomerate founded by Chairman Zhiqiang Lu. Headquartered in Beijing, China and include operations in financial services, real estate, media, technology and strategic investment. Following the acquisition, China Oceanwide has nearly 20,000 employees worldwide.

Within two months of the acquisition, there were extensive layoffs in the IDG’s US staffs of both writers and editors.  It has been estimated that between 90 t0 100 seasoned professionals were laid off.

IDG was founded in 1964 and the publications that were included in this acquisition were CIO, Computerworld, PCWorld, and Macworld.  IDG also has its own international news agency, IDG News Service. It is headquartered in Boston and has bureaus in cities such as New York, Beijing, Amsterdam, and Brussels. It provides news, images, video and other editorial content to IDG’s web sites and print publications worldwide.

The insight that IDG has in the technology market is very high. With this level of access to the technology market, should US based corporations be concerned? Will China based enterprises get a competitive advantage over US based enterprises?

Order IT Infrastructure PoliciesDownload Selected Pages

10 step disaster recovery clean up

10 step disaster recovery clean up

Walking into an office after an event has occurred, the facility looks to be a shamble.  There are dirt, mud, and debris all over the entire facility.  Where do you start?

Here is Janco’s 10 step disaster clean up process extracted from the Disaster Recovery Business Continuity Template. In addition to this, consult a professional conservator for further treatment.

10 step program

dr/BC template
Disaster Recovery Business Continuity Template is the industry standard. Over 3,500 enterprises world wide use this as the base fore their DR/BC plan
  1. Wet objects (electronic) – Disconnect from the power source and do not turn it on. In the case of disk drives or other electronic storage devices – inventory all of them and label them.
  2. Mobile Devices – cell phones – Small items like cell phones and mobile devices can be put in rice. The rice absorbs the moisture and after a day or two, they can be turned on. In most cases, this works.
  3. Wet objects (non-electronic) – Rinse with clear water or a fine hose spray. Clean off dry silt and debris with soft brushes or dab with damp cloths. Try not to grind debris into objects; overly energetic cleaning will cause scratching.
  4. Drying Objects – Air dry objects indoors if possible and use portable fans to move the air. Sunlight and heat may dry certain materials too quickly, causing splits, warping, and buckling. If possible, remove contents from wet objects and furniture prior to drying. Storing damp items in sealed plastic bags will cause mold to develop.
  5. Mold Prevention and Cleanup – Exposure to molds can have serious health consequences such as respiratory problems, skin and eye irritation, and infections. The use of protective gear, including a respirator with a particulate filter, disposable plastic gloves, goggles or protective eye wear, and coveralls or a lab coat, is therefore essential. In order to inhibit the growth of mold and mildew, you must reduce humidity. Increase air flow with fans, open windows, air conditioners, and dehumidifiers. Moderate light exposure (open shades, leave lights on in enclosed areas) can also reduce mold and mildew. Remove heavy deposits of mold growth from walls, baseboards, floors, and other household surfaces with commercially available disinfectants. Avoid the use of disinfectants on historic wallpapers. Follow manufacturers’ instructions, but avoid splattering or contact with objects and wallpapers as disinfectants may damage objects.
  6. Broken Objects – If objects are broken or begin to fall apart, place all broken pieces and detached parts in clearly labeled, open containers. Do not attempt to repair objects until completely dry or, in the case of important materials, until you have consulted with a professional conservator.
  7. Paper Materials – Documents, books, photographs, and works of art on paper are extremely fragile when wet; use caution when handling. Free the edges of prints and paper objects in mats and frames, if possible. These should be allowed to air dry. Rinse mud off wet photographs with clear water, but do not touch surfaces. Wet books and papers should also be air dried or kept in a refrigerator or freezer until they can be treated by a professional conservator.
  8. Office Furniture – Furniture finishes and painting surfaces may develop a white haze or bloom from contact with water and humidity. These problems do not require immediate attention; consult a professional conservator for treatment. Textiles, leather, and other “organic materials will also be severely affected by exposure to water and should be allowed to air dry. Shaped objects, such as garments or baskets, should be supported by gently padding with toweling or unlinked, uncoated paper. Renew padding when it becomes saturated with water. Dry clean or launder textiles and carpets as you normally would.
  9. Art Work – Remove wet paintings from the frame, but not the stretcher. Air dry, face up, and away from direct sunlight.
  10. Metal Objects – Rinse metal objects exposed to flood waters, mud, or silt with clear water and dry immediately with a clean, soft cloth. Allow heavy mud deposits on large metal objects, such as sculpture, to dry. Caked mud can be removed later.
Read on DRP BCP TemplateOrder Disaster Plan TemplateDownload Selected Pages Disaster Plan Template

Minimize breach response cost

Minimize breach response cost with operational strategy

Minimize breach response cost
Policies and procedures need to defined and be in place in order to minimize breach response cost

While the costs of a data breach can vary widely on a case-by-case basis, CIOs who understand the drivers behind the expense will be better positioned to take steps needed to protect their organization.

Here are 6 way to minimize breach response cost:

  1. Eliminate data you do not need.
    You can potentially dramatically reduce your exposure by destroying records of past customers.  You cannot lose data if you do not save it. In 2015 one company served 69 million customers, yet when they were breached that year, they exposed 78 million records. The extra nine million records most likely come from former customers. Each of these individuals had to be notified and offered credit monitoring, driving up costs.
  • Do not store street address if there is no real business requirement.
    When a breach occurs, companies are typically required to notify affected individual via old-fashioned, handwritten “snail mail.” But they can use alternative methods of notification, such as email or public announcement if they do not have a valid mailing address. Physical, written notifications can cost up to $2 per person, and the cost quickly adds up. It may be worth asking twice what the business need for those customer addresses is and considering not capturing these addresses to reduce the exposure to notification requirements.
  • Utilize logs to prove proof a breach or data loss did not occur.
    One industry study shows that in 44% of incidents, public notification is not required. To avoid notification, companies must prove that, even if they were attacked, no records were improperly accessed. To do so, they use systems logs. Without logs, a company may be forced to assume a breach occurred because it cannot prove otherwise.
  • Follow PCI rules and protect credit card data.
    For breaches that involve credit card data, reimbursing card companies for fraudulent transactions can amount to a staggering cost, from $3-$30 or more per card. New chip cards are designed to reduce fraud, and early data show they are having the intended effect – MasterCard reported a 54% reduction in counterfeit card fraud costs at retailers who have switched to chip cards.
  • Use experts who know the breach response landscape.
    Your breach response effort is not a good time to reinvent the wheel. Missteps happen fast and have serious consequences. Credit monitoring alone can cost $5 to $30 per person. Data breach specialists, such as PR consultants or data privacy lawyers, often have seen as many as hundreds of data breaches and are highly practiced at helping you craft a genuine story that keeps confusion – and costs – down.
  • Be prepared for additional audits and compliance reviews.
    In the wake of a breach, a company may be audited and investigated by a number of regulatory agencies. While it’s not guaranteed to occur, it is likely, and there are simple steps you can take to prevent sensational fines if it does. To start, CIOs and  CFOs should be strong advocates for the implementation of the security controls recommended by external auditors or by regulators themselves.

eCommerce obsoleting traditional retail

eCommerce obsoleting traditional retail – Infrastructure needs to change

eCommerce obsoleting traditional retail
One of the best ways to communicate and understand a company and its operating culture is through its policies. Designing and writing policy and communicating it effectively is an essential skill for professionals to have. By having policy carefully developed and communicated, employees will clearly know what the organization expects from them, the degree of control and independence they will have, and what the benefits and consequences are in regard to adhering to policy.

eCommerce obsoleting traditional retail with brick and mortar businesses impacted the most.

eCommerce is changing the way both business and consumers shop. Retailing is changing at lightning speed coupled with an ever-tightening decision horizon, changing consumer expectations and an unrelenting flood of data. eCommearace is disrupting classic retail models.

Traditional infrastructure models for merchandising, supply chain, and store operations are now triggered autonomously by novel and unexpected sources that are facilitated by artificial intelligence, machine learning, and voice and IoT sensors connected to a digital core.

Consumer wearables, smart appliances and homes, driverless vehicles, drones, virtual reality headsets, and online games are becoming points of brand interactions – from demand to execution. What has served retailing well in the past now is a serious liability with it being unable to drive business success.

  • By 2020, 83% of mobile users globally will use their device to access the Internet
  • By 2020, there will be 75 billion connected devices
  • By 2025, the Internet of Things (IoT) will have potential economic impact of $4 trillion – $11 trillion a year, with impact in retail up to $1.2 trillion
  • By 2025, augmented reality (AR) and virtual reality (VR) will represent up to $182 billion market opportunity

Order IT Infrastructure PoliciesDownload Selected Pages

Employment Picture

Employment Picture not looking good

IT Employment Picture is spotty at best.  Many CIOs were optimistic at the beginning of this year, but they have pulled back on hiring.  After 5 months, there has a net loss of 7,200 jobs in the IT job market.  In addition this year is trailing IT job creation of last last year by over 18,100 jobs.IT Employment PictureIn interviews with over 100 CIOs, we found that CIOs are no longer as confident about the economic outlook as they were earlier in the year.

CIO Hiring PlansWhit this as a preamble, Janco has reduced its forecast for the number of new IT jobs to be added to be about 77,200 for the whole of 2017.  Earlier we had forecast that well over 140,000 new jobs would be created.

Number of new IT jobs to be created in 2017

 

 

10 Best Practices for managing cyber-attack

10 Best Practices for managing cyber-attack

10 Best Practices for managing cyber-attack
10 Best Practices for IT Infrastructure are contained in this bundle of policies and procedures

10 Best Practices for managing cyber-attack have never been more important than today. They are:

  1. Stay calm, prioritize and don’t point fingers
  2. Assign response responsibility to a single point of contact
  3. Have both an incident response plan and a disaster recovery plan in place
  4. Take detail backups regularly – store backups on non-connected sites
  5. Have a business continuity plan in place with solutions that do not depend on the existing networks and data
  6. Have a PR/media and legal operational plan in place before the event
  7. Immediately notify customers
  8. Manage user/customer expectations
  9. Conduct a postmortem
  10. Implement policies and procedures that focus on infrastructure security
Order IT Infrastructure PoliciesDownload Selected Pages

 

Common Security Concerns

Common Security Concerns that CSOs and CIOs have

Security Manual Template - Common Security Concersn
CIOs and CSOs often are tasked to address user and C-Level management’s common security concerns. The Security Manual Template and its associated items address each of these in detail.

When the CIOs and CSOs discuss common security concerns these five topics always seem to appear:

  1. Surfing the web anonymously is a thing of the past – As online tracking systems become more sophisticated and harder to shake, the likelihood of private, anonymous browsing is becoming a long-ago memory. Take into account the latest ISP changes, where the U.S. government allows providers to not only track, but sell your browsing history without your consent. These changes in “net neutrality rules” require users to be more vigilant about their own browsing patterns. You can guard your activity by logging out of search engines before browsing, clearing your cache and search history, and switching to a private browser to minimize the various ways your browsing history is catalogued.Order Security Policies and ProceduresDownload TOC security policies
  2. Anyone gain access your webcam – Hackers can and do target cameras by disabling the light that notifies of access, and keeping tabs in order to commit some sort of crime. Many users have responded by putting dark tape or coverings over their computer’s webcam. But as more smart devices are created and purchased, the surface area for webcam hacking only expands. Think, for example, of all the places you take your smartphone, with its built-in camera almost always pointing in your direction. The malware used to hack webcams, known as RAT (remote access Trojan), is often spread through spam email. Once clicked, the software is capable of disabling your light so you’re never made aware of anyone watching.
  3. How to protect against identity theft – Be wary of sites asking for personal information to complete a basic task, such as subscribing to a newsletter. When submitting personal information, such as your address or payment method, check for https versus http and never submit this information to a party you’re not familiar with or for a request you don’t remember making.Protecting your identity, at its core, always comes back around to common sense behavior online. Understand risks, practice careful consuming, and taking precaution to diversify passwords and watch out for phishing schemes.
  4. Free antivirus software is not free – You get what you pay for in the area of antivirus and malware protection. If it is free a lot of people use it and when there is a security hole – hackers will attack.  That is opposed to paid programs were vendors constantly update the software to address new issues as the occur.
  5. Are tablets, Smartphones and Macs safe without antivirus software? – Though the Android and Mac OS X boast of operating systems that claims they are tough to breach, they still contains weak access points. Just like any tool that surfs the web or connects to wireless routers, security is needed to scan all those items you click. (Recent research suggests Macs are now more vulnerable than PCs.)While these devices have often carried around the title of most-secure operating system, it doesn’t hurt to back up your devices with the latest antivirus security protection.

Top 10 tips to minimize wild fires

Top 10 tips

Fire season is just around the corner. With the wet winter, when the ground days out this summer the danger to life and property will be great. These are must follow tips.

Top 10 tips that business can follow to minimize the risk of wild fires around their sites and remote offices.

  1. Have a clear area of at least 100 yards around the business park.
  2. Keep lawns hydrated and maintained. Dry grass and shrubs are fuel for wildfire.
  3. Landscape with native and less-flammable plants. When landscaping, choose slow-growing, carefully placed shrubs and trees so the area can be more easily maintained.
  4. Create a ‘fire-free’ area within ten feet of the property, using non-flammable landscaping materials such as rocks, pavers and/or high-moisture content annuals and perennials.
  5. Have no tall vegetation immediately adjacent to structures.
  6. Clear leaves and other debris from gutters, eaves, porches and decks. This helps prevent embers from igniting the property.
  7. Remove dead vegetation from around the property, especially within 50 feet of the premises.
  8. Remove flammable materials from within 50 feet of the property’s foundation and outbuildings.
  9. If you have trees on your property, prune so the lowest branches are 6 to 10 feet from the ground and none overhang the structure.
  10. Don’t let debris and lawn cuttings linger. Dispose of these items quickly to reduce fuel for fire.

Order Disaster Recovery Business Continuity Template Download Selected Pages Disaster Recovery Business Continuity Template

eReader Security Template

eReader Security Template released with version 12

eReader Security Template
eReader Security Template now address SIEM with both best practices and KPI metrics in addition to identity protection

eReader Security Template has just been released by Janco with its latest update of the security manual.  This is a major update as it the template now also includes KPI metrics and best practices for Security Information and Event Management (SEIM) as well as a chapter in Identity Protection.

This security template was first release in 1999 and has been updates between 3 to 4 times each year.  Currently the template is over 250 pages and includes chapters on the following topics.

  • Security policies – scope and objectives
  • Minimum and Mandated Security Standard Requirements
  • Vulnerability Analysis and Threat Assessment
  • Risk Analysis – IT Applications and Functions
  • Physical Security
  • Facility Design, Construction and Operational Considerations
  • Media and Documentation
  • Physical and Virtual File Server Security Policy
  • Network Security
  • Sensitive Information Policy
  • Internet and Information Technology Contingency Planning
  • Insurance Requirements
  • Security Information and Event Management (SIEM)
  • Identity Protection
  • Ransomware – HIPAA Guidance
  • Outsourced Services
  • Waiver Procedures
  • Incident Reporting Procedure
  • Access Control Guidelines
  • Electronic Communication
  • Mobile Access and Use Policy

Read on SecurityOrder Security ManualDownload Selected Security Manual Pages

 

 

New IT Jobs 2017

New IT Jobs 2017 as the economy improves

New IT jobs 2017 will be driven by an improved manufacturing job market.  As of March 2017, Janco forecast that there will be a total of over 125,000 new IT jobs created.

New IT Jobs 2017
IT Job Market growth forecast from Janco Associates

Janco’s forecast is based on interviews with over 100 CIO, CFO, and HR professionals in the IT sector of the economy.

Close to 12,000 new jobs were created in the first two months of 2017.  With the model dreated by Janco, the firm believes that and additional 113K new jobs will be created in the balance of the year.

On a monthly basis Janco updates it model, forecast, an projections on its main web site at the page titled IT Job Market.

Factors driving the IT job  market in 2017 will be:

  1. The job market will be in favor of the IT professional job seaker
  2. IT will pay IT professionals to swith companies this year
  3. IT professionals will and should ask for pay raises this year
  4. There will be a labor shortage of IT professionals who are social media , programmers, security, and networking experts.
  5. More IT pros will become freelancers and contractors who prefer to telecommute and set their own hours.
Download Selected Pages
%d bloggers like this: