Security Policy and Audit Program

ISO / COBIT / HIPAA / SOX Compliant


This Security Policy Manual (policies and procedures template) is over 240 pages in length. All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes-Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and to Sarbanes-Oxley, ISO 27000 (ISO 27001 and ISO 27002), PCI-DSS, and HIPAA. Data protection is a priority, and security myths need to be addressed.

The security audit program is defined so that an enterprise can identify the gaps between mandated security standards and what the organization is actually doing in its existing policies, procedures, and practices.

Our template is a framework which can be used to structure and perform a detailed analysis and reporting of security deficiencies. Once this audit has been completed an enterprise can be reasonably assured that everything that can be done with existing technology, policies, procedures, and practices to secure data assets has been implemented and is being followed. When an enterprise uses our Security Audit Program they not only comply with state, federal, and industry mandated security requirements but they will also minimize risks associated with data and security breaches.

Comprehensive, Detailed and Customizable for Your Business

The Security Policy and Audit Program bundle provides all the essential sections of a complete security manual and walks you through the creation of each one. Detailed language addressing more than a dozen security topics is included in a 220-plus-page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements. The template includes sections on critical topics such as:

  • Risk analysis
  • Staff member roles
  • Physical security
  • Electronic Communication (email / Smartphones)
  • Blogs and Personal Web Sites
  • Facility design, construction and operations
  • Media and documentation
  • Data and software security
  • Network security
  • Internet and IT contingency planning
  • Insurance
  • Outsourced services
  • Waiver procedures
  • Incident reporting procedures
  • Access control guidelines
  • PCI DSS Audit Program as a separate document


The Security Manual Template is available as a stand-alone item (Standard) or as part of the Premium or Gold sets:

 

Standard Edition Security Manual Template

  • Security Manual Template in MS Word Format
  • Business and IT Impact Questionnaire MS Word Format
  • Threat and Vulnerability Assessment Form PDF and MS Excel Format
  • HIPAA Audit Program MS Word Format
  • Sarbanes Oxley Section 404 Checklist MS Word Format
  • Security Audit Program - fully editable
    • Comes in MS EXCEL and PDF formats
    • Meets ISO 27001, 27002, Sarbanes-Oxley, PCI-DSS and HIPAA requirements
    • Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings
  • Electronic forms that can be Emailed, completed via a computer or tablet, and stored electronically including:
    • Blog Policy Compliance
    • Company Asset Employee Control Log
    • Email - Employee Acknowledgment
    • Employee Termination Checklist
    • Internet Access Request
    • Internet Use Approval
    • Internet & Electronic Communication - Employee Acknowledgment
    • Mobile Device Access and Use Agreement
    • Employee Security Acknowledgement Release
    • Preliminary Security Audit Checklist
    • Security Access Application
    • Security Audit Report
    • Security Violation Reporting
    • Sensitive Information Policy Compliance Agreement

Premium Edition Security Manual Template

  • Security Manual Template in MS Word Format
  • Business and IT Impact Questionnaire MS Word Format
  • Threat and Vulnerability Assessment Form PDF and MS Excel Format
  • HIPAA Audit Program MS Word Format
  • Sarbanes Oxley Section 404 Checklist MS Word Format
  • Security Audit Program - fully editable
    • Comes in MS EXCEL and PDF formats
    • Meets ISO 27001, 27002, Sarbanes-Oxley, PCI-DSS and HIPAA requirements
    • Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings
  • Electronic forms that can be emailed, completed via a computer or tablet, and stored electronically, including:
    • Blog Policy Compliance
    • Company Asset Employee Control Log
    • Email - Employee Acknowledgment
    • Employee Termination Checklist
    • Internet Access Request
    • Internet Use Approval
    • Internet & Electronic Communication - Employee Acknowledgment
    • Mobile Device Access and Use Agreement
    • Employee Security Acknowledgement Release
    • Preliminary Security Audit Checklist
    • Security Access Application
    • Security Audit Report
    • Security Violation Reporting
    • Sensitive Information Policy Compliance Agreement
  • Security Job Descriptions MS Word Format
    • Chief Security Officer (CSO)
    • Chief Compliance Officer (CCO)
    • VP Strategy and Architecture
    • Director e-Commerce
    • Database Administrator
    • Data Security Administrator
    • Manager Data Security
    • Manager Facilities and Equipment
    • Manager Network and Computing Services
    • Manager Network Services
    • Manager Training and Documentation
    • Manager Voice and Data Communication
    • Manager Wireless Systems
    • Network Security Analyst
    • System Administrator - Unix
    • System Administrator - Windows

Gold Edition Security Manual Template

  • Security Manual Template in MS Word Format
  • Business and IT Impact Questionnaire MS Word Format
  • Threat and Vulnerability Assessment Form PDF and MS Excel Format
  • HIPAA Audit Program MS Word Format
  • Sarbanes Oxley Section 404 Checklist MS Word Format
  • Security Audit Program - fully editable
    • Comes in MS EXCEL and PDF formats
    • Meets ISO 27001, 27002, Sarbanes-Oxley, PCI-DSS and HIPAA requirements
    • Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings
  • Electronic forms that can be emailed, completed via a computer or tablet, and stored electronically, including:
    • Blog Policy Compliance
    • Company Asset Employee Control Log
    • Email - Employee Acknowledgment
    • Employee Termination Checklist
    • Internet Access Request
    • Internet Use Approval
    • Internet & Electronic Communication - Employee Acknowledgment
    • Mobile Device Access and Use Agreement
    • Employee Security Acknowledgement Release
    • Preliminary Security Audit Checklist
    • Security Access Application
    • Security Audit Report
    • Security Violation Reporting
    • Sensitive Information Policy Compliance Agreement
  • 243 Job Descriptions from the Internet and IT Job Descriptions HandiGuide in MS Word Format including all of the job descriptions in the Premium Edition.

Disaster Recovery Business Continuity & Security Manual Templates Standard

  • Disaster Recovery Business Continuity Template (WORD)
    • Disaster Recovery Business Continuity Audit Program - Compliant with ISO 27031 and ISO 22301
    • Disaster Recovery Manager Job Description
    • Manager Disaster Recovery & Business Continuity Job Description
    • Application Inventory and Business Impact Analysis Questionnaire
    • Incident Communication Plan and Policy with BEST PRACTICES for
      • News Conferences
      • Media Relations
    • Social Network Checklist
    • Included with the template are electronic forms designed to lower the cost of maintaining the plan. These electronic forms can be emailed, completed via a computer or tablet, and stored electronically, and include:
      • LAN Inventory
      • Location Contact Numbers
      • Off-Site Inventory
      • Personnel Locations
      • Plan Distribution
      • Remote Location Contact Information
      • Team Call List
      • Vendor Contact Information

  • Security Manual Template (Word)
    • HIPAA Audit Program
    • ISO 27000 Security Audit - Compliant with ISO 22301 & 27031
    • Business and IT Impact Questionnaire
    • Threat and Vulnerability Assessment Tool
    • Sarbanes-Oxley Section 404 Checklist
    • Electronic forms that can be Emailed, completed via a computer or tablet, and stored electronically including:
      • Blog Policy Compliance
      • Company Asset Employee Control Log
      • Email - Employee Acknowledgment
      • Employee Termination Checklist
      • Internet Access Request
      • Internet Use Approval
      • Internet & Electronic Communication - Employee Acknowledgment
      • Mobile Device Access and Use Agreement
      • Employee Security Acknowledgement Release
      • Preliminary Security Audit Checklist
      • Security Access Application
      • Security Audit Report
      • Security Violation Reporting
      • Sensitive Information Policy Compliance Agreement

Disaster Recovery Business Continuity & Security Manual Templates Premium

  • Disaster Recovery Business Continuity Template (WORD)

  • Security Manual Template (Word)

  • 25 Full Job Descriptions
    • Chief Information Officer (CIO)
    • Chief Compliance Officer (CCO)
    • Chief Security Officer (CSO)
    • VP Strategy and Architecture
    • Director e-Commerce
    • Database Administrator
    • Data Security Administrator
    • Manager Data Security
    • Manager Database
    • Manager Disaster Recovery
    • Manager Disaster Recovery and Business Continuity
    • Pandemic Coordinator
    • Manager Facilities and Equipment
    • Manager Media Library Support
    • Manager Network and Computing Services
    • Manager Network Services
    • Manager Site Management
    • Manager Training and Documentation
    • Manager Voice and Data Communication
    • Manager Wireless Systems
    • Capacity Planning Supervisor
    • Disaster Recovery Coordinator
    • Disaster Recovery - Special Projects Supervisor
    • Network Security Analyst
    • System Administrator - Unix
    • System Administrator - Windows

Disaster Recovery Business Continuity & Security Manual Templates Gold

  • Disaster Recovery Business Continuity Template (WORD)

  • Security Manual Template (Word)

  • 243 Full Job Descriptions, which include all of the job descriptions in the Premium Edition

Security and Auditing News


Improving eMail Security

February 2nd, 2012

Several companies, including Google, Facebook, Microsoft, Yahoo, and PayPal, are working jointly on a standard for blocking phishing e-mails by verifying that they come from legitimate companies.

DMARC.org (Domain-based Message Authentication, Reporting, and Conformance) is a new white-list system that will be available for use across the Internet.


The other companies in the DMARC working group are AOL, Bank of America, Fidelity Investments, American Greetings, LinkedIn, and e-mail security providers Agari, Cloudmark, eCert, Return Path, and Trusted Domain Project.



Will IT spending go up?

January 20th, 2012

IT spending is expected to increase in 2012. After years of budgets crimped by a bum economy, there is significant pent-up demand at companies around the globe to drop some extra cash for the products and services they have been waiting for to drive business forward. But we have heard this song before.


Gartner was bullish on IT spending last year, saying that it could rise significantly in 2012, yet in its latest report the research firm acknowledges that its estimates might have been too optimistic. Global IT spending will still be up, the company says, but do not expect it to rise too quickly.



CIO success is driven by relationships

January 8th, 2012

Relationships are critical for a CIO's success. A poor relationship with superiors and staff is the number one reason a CIO fails. Relationships are critical to communication, and without them common goals cannot be achieved.


CIOs and employees who understand each other's preferred styles better understand how to communicate and work together effectively. Factors that strongly predict the compatibility between a CIO and their teams are self-assurance, self-reliance, conformity, optimism, decisiveness, objectivity, and approach to learning. Assessing a CIO's relationships with team members gives the CIO objective information about themselves and their teams so that they can work more effectively toward a common goal.

A poor relationship with one's boss is the number one reason for failure at work. Two common flashpoints adversely affect performance:

  • The employee is unclear about the CIO's expectations - Goals should cascade down from the CIO to team members so that everyone understands how they contribute to the objectives of both the team and the organization. If an employee does not understand the goals given, or has not been given goals at all, the onus is on the employee to seek clarity. Asking a simple question such as, "What are the top three priorities in my role that you would like me to focus on?" can help everyone on the team gain clarity. Employees should also ask, "Why is this so important?" as the answer will give them a lot of good clues for developing the relationship with their CIO.
  • CIOs fail to adapt their styles to the employees' preferred styles - Every employee/CIO relationship is unique and requires a different management approach. For example, the approach taken by a highly decisive boss working with a highly decisive employee should be significantly different from the approach taken by this same boss when working with a less-decisive employee. The decisive employee thrives on quick decisions, while the other employee will be more methodical in their decision-making approach. The less-decisive employee will potentially enter into conflict with the faster-paced CIO.


Burnout of key employees

December 17th, 2011

In these troubled times employee burnout is a reality. Burnout has a number of effects on employees that in turn harm the organization they work for. They are:


  • Withdrawal - Employees want to avoid what discomforts them, and the organizational conditions that cause burnout are certainly discomforting. Signs to watch for are that employees leave work early, arrive at work late, take long breaks, and stay away from the workplace as much as possible.
  • Interpersonal friction - Employees strike back at what they do not like. Signs are that employees become cynical and callous toward others, small differences lead to monumental arguments, work assignments begin to seem like insurmountable challenges, and friends begin to look like foes.
  • Performance declines - When employees are not happy they do not perform well. The quantity of the employee's work may not be reduced, but the quality will be. Signs are that clients say service quality is poor and that relationships between the burned-out employee, their peers, and their customers are at a low point. There are few smiles and jokes - it is all work and no play.
  • Negative impact on family life and personal space - Just as burnout leads to behaviors that have a negative impact on the quality of one's work life, it can also lead to behaviors that cause a deterioration in the quality of home life and personal space. Burned-out individuals are often described by their spouses as coming home tense, anxious, upset, angry, and complaining about the problems they faced at work. These individuals are also more withdrawn at home, preferring to be left alone instead of sharing time with their families.
  • Declining health and gaining weight - Burnout often leads to health-related problems. Burnout victims are more likely to suffer from insomnia, to drink or smoke excessively, and to use medications of various kinds.


Top priorities for 2012

November 7th, 2011

Five projects to tackle in the short term will make you a hero to upper management while enabling the organization to move forward:

  • Streamline company data storage and access
  • Master mobile devices to meet
  • Become an efficient development organization
  • Implement crisis management response processes
  • Gain control of social media




Facebook most popular social network

October 27th, 2011

Facebook is leading all social networks in U.S. mobile traffic. While access through the browser still trumps application access, apps are gaining.

More than 72.2 million Americans, or nearly one-third of the country, accessed Facebook, LinkedIn, Twitter, or some other social network or blog from a mobile device in August, up 37 percent from the same time last year.

Nearly 40 million of those U.S. mobile users access these sites almost every day, according to new research from comScore. Smartphone users proved to be the heaviest social media users, with 3 in 5 of those users using social media software every month.

Facebook, which claims it has over 200 million mobile users, enjoyed more than 57 million mobile users in August, up 50 percent from the previous year. Twitter and LinkedIn have far fewer mobile users. Twitter's mobile audience rose 75 percent to 13.4 million people, while LinkedIn's audience grew 69 percent to 5.5 million users.



Backup service providers are an expanding DRP resource

October 16th, 2011

Online backup and recovery service providers have emerged from different market spaces and have different product focuses and business drivers. These providers can be grouped into three categories:

  • Service providers leveraging existing core business resources to expand into adjacent markets to look for new revenue opportunities
  • Service providers concentrating on server backup in niche markets: backup and recovery only, single verticals, regional boundaries
  • Service providers whose backup and recovery service forms an integral part of a broader spectrum of information management and data protection services

The scope, strengths, and weaknesses of each type of online backup and recovery service provider are characterized with respect to the current and forward-looking requirements of companies looking to protect their server data. Such requirements range from full system (versus data only) backup and restore to comprehensive business continuity best practices and support. Understanding these strengths and weaknesses can help businesses clarify their server protection requirements and better align their selection criteria and focus with their business goals.



New technique offers enhanced security for sensitive data in cloud computing

October 10th, 2011

Researchers from North Carolina State University and IBM have developed a new, experimental technique to better protect sensitive information in cloud computing without significantly affecting the system's overall performance.

Under the cloud-computing paradigm, hypervisors are programs that create the virtual workspace that allows different operating systems to run in isolation from one another - even though each of these systems is using computing power and storage capability on the same computer. A longstanding concern in cloud computing is that attackers could take advantage of vulnerabilities in a hypervisor to steal or corrupt confidential data from other users in the cloud.

The NC State research team has developed a new approach to cloud security, which builds upon existing hardware and firmware functionality to isolate sensitive information and workload from the rest of the functions performed by a hypervisor. The new technique, called strongly isolated computing environment (SICE), demonstrates the introduction of a different layer of protection.

"We have significantly reduced the 'surface' that can be attacked by malicious software," says a professor of computer science at NC State. "For example, our approach relies on a software foundation called the Trusted Computing Base, or TCB, that has approximately 300 lines of code, meaning that only these 300 lines of code need to be trusted in order to ensure the isolation offered by our approach. Previous techniques have exposed thousands of lines of code to potential attacks. We have a smaller attack surface to protect."

SICE also lets programmers dedicate specific cores on widely-available multi-core processors to the sensitive workload - allowing the other cores to perform all other functions normally. A core is the 'brain' of a computer chip, and many computers now use chips that have between two and eight cores. By confining the sensitive workload to one or a few cores with strong isolation, and allowing other functions to operate separately, SICE is able to provide both high assurance for the sensitive workload and efficient resource sharing in a cloud.

In testing, the SICE framework generally took up approximately three percent of the system's performance overhead on multi-core processors for workloads that do not require direct network access. "That is a fairly modest price to pay for the enhanced security," the professor says. "However, more research is needed to further speed up the workloads that require interactions with the network."



Mobile devices change the way companies infrastructure

October 1st, 2011

Mobile devices and new user interfaces change everything. Leading-edge enterprise managers have been using mobile devices for phone, e-mail, and Web communications since the inception of these products. Further, laptop devices have enabled employees to travel and to manage employees or sell to customers.

However, consumers' rapid adoption of the Apple iPhone, iPad, and Android-based personal digital assistants (PDAs) and tablet PCs is causing leading IT innovators to quickly create new capabilities that will transform most enterprises' interactions with their customers. An excellent example is an iPhone application for consumer automobile lending where a customer can compare car prices, apply for a car loan, and receive on-site loan approval at a car dealer.


A tablet device is never going to fit into a jeans pocket like a smartphone, but it is still mobile, and its screen size adds usability and utility to its apps beyond what a mobile phone offers. For example, many retail operations will eventually use a tablet PC to replace the clipboard, pencil, and paper forms for one-time electronic information capture.



Disaster Plan - Business Continuity Template Meets Sarbanes-Oxley Mandated Requirements

September 12th, 2011

The Disaster Recovery / Business Continuity Template version 4.3 has just been released. Janco continues to update its templates to meet the ever-changing requirements of the business environment.

With this new version a fully indexed PDF copy of the template is now provided in addition to the two versions of WORD (2003 and 2007). 

The updates to the template included:

1. Defined generic metrics for DR/BC success
2. Business & IT Impact Analysis Questionnaire updated
3. Updated references to DRP card
4. Updated formatting to meet WORD 2007 requirements

The version history for updates to the template can be seen at http://www.e-janco.com/drpversion.htm and the full Table of Contents with sample pages can be downloaded at http://www.e-janco.com/Register_drp.asp.



Mobile devices put confidential data at risk

September 8th, 2011

The average cost to an organization every time a corporate secret is revealed to unauthorized parties, especially agents and their competitors, is $1.3 million. Forty-three percent of CIOs believe this occurs about once every month and 29 percent believe it happens annually. Eighty percent believe that the organization would not discover the wrongful interception of a smartphone conversation that revealed valuable corporate secrets.

Other vulnerabilities these devices face include attacks by viruses, spyware, malicious downloads, phishing and spam. It also has been found that Androids and iPhones have emerged as popular platforms for attack. There also has been a consistent degree of evolution in the sophistication and execution of these threats.



Compliance Management

September 5th, 2011

Regulatory requirements have made log management and analysis one of the two fastest growing areas of security. In fact, nearly every major regulation affecting cyber security (HIPAA, SOX, ISO 27001, COBIT) now demands or implies the need for continuous logging and effective log management. Even the Payment Card Industry (PCI) standard appears to demand it. And regulations governing information security technology are evolving as fast as the technology itself.


Internet may be a source of future tax revenue

August 30th, 2011

As local municipalities and states seek to find additional revenue in this down economy, they now have their sights on the emerging market of cloud computing. As more companies use cloud services, the traditional rules of taxation based on physical presence no longer fit.

For example, a New York-based company may purchase server space and cloud-based software from a Texas-based company. That's relatively straightforward, except that the Texas company may have servers in North Carolina and California, while the New York company may have satellite offices in Illinois, Florida, and Kentucky that use the server space. Who gets the tax bill, and who gets the revenue? Good luck with that one.
 
States recognize the shift in buying patterns from boxed software and hardware to computing services delivered over the Internet. Thus, they want to position or reposition tax laws to make sure they get their traditional share as purchases shift venues.

Amazon and others are supporting a bill that would impose a streamlined national sales tax for e-commerce, avoiding the complexity of figuring out a hodgepodge of state and local tax rates. As online sales have grown dramatically, states have challenged the catalog-sales-based exemption, with some imposing sales taxes.

Many established interests want to shape this movement. Accountants, lawyers, state tax officials, and companies such as Google, Apple, and NetSuite are looking to develop new guidelines for taxing the use of cloud computing. Amazon.com has exited more than a dozen states that changed their laws to consider such affiliates as equivalent to taxable physical presence for distributors. Instead, Amazon is pulling affiliate arrangements to avoid collecting taxes and trying to get a ballot initiative in front of voters to exempt it from a recent decision to tax online retailers' in-state sales.
 
Now the federal government is chiming in with federal legislation that would limit the states' ability to tax "digital goods and services." As you may recall, this was the same type of law that limited the taxation of the then-emerging Internet-based e-commerce industry in the 1990s, and it's based on an old Supreme Court decision that exempts catalog sales from having to collect sales taxes when the customers are in a different state than the retailer.



Backup and Retention a DRP issue

August 14th, 2011

Traditional storage environments have many of the same problems as distributed server farms: applications are tied to physical devices, making any response to changing needs both disruptive and time-consuming; capacity utilization is low; and many maintenance activities require application downtime. The simple and straightforward solution is storage virtualization, which decouples applications and data from the underlying physical devices. Storage virtualization simplifies storage management, as only a single set of tools is required for a given virtualized set of similar devices, such as a set of disk systems.

For IT departments charged with delivering greater business value in the face of unprecedented data growth, storage virtualization is a very attractive way to control costs, improve performance and maximize resource utilization.



Advanced Persistent Threats (APT) change security landscape

August 8th, 2011

The Security for Business Innovation Council, a group of 16 security leaders from companies that include eBay, Coca-Cola Company, SAP, FedEx Corp., Johnson & Johnson, and Northrop Grumman, summed up their thoughts on "advanced persistent threats" (APT) in a report, saying this type of attack is forcing IT to rethink network security. "Tackling advanced persistent threats means giving up the idea it's possible to protect everything. This is no longer realistic."

Focusing on fortifying the perimeter is a losing battle. Today's organizations are inherently porous. Change the perspective to protecting data throughout its lifecycle across the enterprise and the entire supply chain. CSOs and CIOs now have to work with business managers to identify the crown jewels of the organization and protect these core assets, while also moving away from a perimeter-centric view.

The definition of a successful defense has to change from 'keeping attacks out' to 'sometimes attackers are going to get in; detect them as early as possible and minimize the damage.' Assume your organization might already be compromised and go from there.



Outsourcing is becoming a commodity service

July 29th, 2011

Outsourcing is becoming a commodity as more enterprises adopt standardized infrastructure policies and procedures. This in turn will accelerate the move toward outsourcing for the following reasons:

  • There is a large backlog of IT projects, and IT organizations may not have enough human resources to effectively deploy cloud-driven systems. IT managers, analysts, and architects will need to become business analysts and spend a good deal of their time working with business units. They will turn to third-party firms either for assistance with cloud providers or to take on IT-centric tasks, freeing IT to better pursue cloud service provisioning.
  • Infrastructures based on cloud principles will lower the barrier of entry for outsourcing providers, which will in turn multiply their numbers, heightening competition and lowering prices. This will energize the outsourcing market.
  • Growing standardization and "hot-swappability" of cloud services such as business continuity management and components makes it easier to outsource pieces of the IT infrastructure. This may make outsourcing less of the onerous either/or business decision it has been, as chunks of applications or services can be outsourced or brought in house as the situation fits, with minimal disruption to IT operations and priorities. As a result, we’ll see more "micro-outsourcing" and less big-ticket-turn-the-whole-operation-over types of deals.


Job market improves for some IT Pros

July 19th, 2011

The market for IT audit and governance, risk-management and compliance (GRC) professionals continues to show strong signs of recovery. We have finally crossed back over into at least the low end of a normal market. Accordingly, we see several very encouraging trends. Overall, the number of open positions for IT audit and GRC professionals continues to increase. Hiring freezes are virtually nonexistent, the number of open positions has increased substantially, and we see more positions being put out to search, which is a signal of shifting supply and demand.

Public accounting and consulting firms are in a hiring mode -- some aggressively so. I have also spoken with many chief audit executives who are anticipating openings in their departments caused by auditors moving out into the business. This is a trend that abated the past several years as there was a dearth of open positions to move into.


It has become common again for high-caliber senior IT auditors or consultants to receive multiple offers. Similarly, we are seeing more openings for manager-, director- and vice-president-level positions.

In other IT career areas, according to the Bureau of Labor Statistics, employment of computer network, systems and database administrators is expected to increase by 30 percent from 2008 to 2018, much faster than the average for all occupations.



Business Continuity and Disaster Recovery Defined

July 12th, 2011


Business Continuity and Disaster Recovery Planning are the way an organization prepares for and aids in disaster recovery. It is an arrangement, agreed upon in advance by management and key personnel, of the steps that will be taken to help the organization recover should any type of disaster occur. These programs prepare for multiple problems. Detailed plans are created that clearly outline the actions that an organization, or particular members of an organization, will take to recover or restore any of its critical operations that have been completely or partially interrupted during or after (within a specified period of time) a disaster or other extended disruption in access to operational functions. To be fully effective at disaster recovery, these plans are fully defined and are tested regularly.

A Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are how an organization guards against future disasters that could endanger its long-term health or the accomplishment of its primary mission. BCPs and DRPs take into account disasters that can occur on multiple geographic levels (local, regional, and national), such as fires, earthquakes, or pandemic illness. BCPs and DRPs should be live and evolving strategies that are adjusted for any potential disaster that would require recovery; they should cover everything from computer viruses to terrorist attacks. The ultimate goal is to expedite the recovery of an organization's critical functions and manpower following these types of disasters. This sort of advance planning can help an organization minimize the loss and downtime it will sustain while simultaneously creating its best and fastest chance to recover after a disaster.



Patriot Act allows feds access to data stored overseas

June 30th, 2011

The U.S. is home to the world's largest technology companies, offering cloud services from simple storage to complex web applications to users across the world. But data held even in European datacenters, protected by strict European data laws, may still be vulnerable to inspection by U.S. authorities.


Topics covered: how user and corporate data can be accessed without the need for a warrant, the implications for user privacy and for businesses, and how to ensure a secure European cloud.



IT Policy Templates - 2011 Version

June 7th, 2011

Documenting a clear set of IT policies is a resource-intensive process for IT managers because of the research and writing time involved. And once policies are created, the next step is to communicate them and gain acceptance for them throughout the organization. Wouldn't it be nice to start with boilerplate templates that require only minor customization?



Tape backup for disaster plans is very costly

June 2nd, 2011

Enterprises around the globe have made significant investments in their tape-based backup and recovery infrastructure: tape drives, removable media, automation, software licenses, and support. In addition, they have invested in people and processes. These investments have made it difficult for firms to change their approach to backup and recovery. However, unabated data growth and the inability to cost-effectively manage backup and recovery functions are now forcing many firms to reevaluate or abandon their tape investments altogether.

According to a study by a major research firm, large enterprises saved on average nearly $230,000 annually by eliminating upgrades to tape libraries and drives. Organizations that abandoned tape also realized annual savings of more than $71,000 in transportation costs and more than $77,000 in costs associated with a decreased reliance on contractors.

Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events, whether those events are a hurricane or simply a power outage caused by a backhoe in the parking lot. The CIO's involvement in this process can range from overseeing the plan, to providing input and support, to putting the plan into action during an emergency.



PROTECT IP Act put on hold

May 29th, 2011


A U.S. senator has blocked a controversial bill that would enlist ISPs, search engines and other businesses in blocking access to websites accused of infringing copyright.

Critics of the bill have said it would lead to hundreds of court cases brought by copyright owners against online businesses. The legislation would lead to a blacklist of Internet sites and compromise the Internet's Domain Name System, critics have said.

But backers of the bill have said new methods are needed to combat copyright infringement by foreign websites. The bill would target the worst foreign websites trafficking in digital piracy and counterfeit goods and would dry up their business by focusing on user traffic, advertising and payments, proponents said.

On Thursday, just two weeks after the bill was introduced, the Senate Judiciary Committee unanimously voted to move the PROTECT IP Act to the Senate floor. Under Senate rules, a single senator can place a hold on a bill, although the block can be overridden by a 60-vote majority.

The PROTECT IP Act would allow the U.S. Department of Justice to seek court orders requiring search engines and ISPs to stop sending traffic to websites accused of infringing copyright. The bill would also allow copyright holders to seek court orders requiring payment processors and online ad networks to stop doing business with allegedly infringing websites.



Android - a force in the SmartPhone arena

May 19th, 2011


Google's Android was the top smartphone operating system in the United States in the first quarter of 2011, overtaking the market share of Research in Motion's BlackBerry and keeping Apple's iPhone in the third position.
 
Android runs 34.7 percent of the 72.5 million smartphones in the United States in the first quarter, a market research company said. Android-based smartphones accounted for 28.7 percent of the market at the end of the fourth quarter in 2010, when fewer smartphones -- 63.2 million -- were in use.


BlackBerry's share of the smartphone market dropped from a 31.6 percent share at the end of 2010 to 27.1 percent at the end of March.
 
Apple's iPhone share increased slightly from 25 percent to 25.5 percent over the first three months of 2011.
 
Meanwhile, the market share for Microsoft's new Windows Phone 7 and older Windows Mobile products dropped 0.9 percentage points, from 8.4 percent in December to 7.5 percent in March. Palm and the WebOS under Hewlett Packard dropped from 3.7 percent to 2.8 percent over the period.



Data security missing with many SMBs

May 19th, 2011

Data security can be somewhat of a "blind item" for SMBs, meaning it is outside their area of expertise. But most won't be hiring consultants to guide them through the process of assessing security issues and finding answers. That will be up to their vendors, their VARs and themselves. In many situations, file-level encryption is the right solution for these companies.

In an article on SearchSMBStorage.com, "Secure data storage strategies and budget-friendly security tools for SMBs," Kevin Beaver lays out the security issues facing SMBs. He says that storage security for most SMBs can be a challenge for a number of reasons. There are typically too few people in IT to begin with, but often there are too many parties getting involved with the security decision, leading to an accountability problem. And, mobile devices are exacerbating the situation, enabling users to carry company data around in an easily lost and easily stolen package called a smartphone, PDA or tablet.



Apple rules the SmartPhone market

May 4th, 2011

Apple is poised to own three-quarters of the $3.8 billion mobile application market this year, according to the research company IHS Screen Digest, and will continue to own as much as 60 percent of that sumptuous pie through 2014.

Google, meanwhile, has gained ground on Apple and is poised to knock beleaguered RIM into the third-place slot. Bringing up the rear in the ranking of the top four purveyors of mobile apps is Nokia. Perhaps Microsoft will place next year, now that it has a handle on cut and paste in Windows Phone Mobile.

Steve Ballmer is likely kicking himself for Microsoft falling so far behind in the extraordinarily lucrative mobile space. Revenue from mobile app sales has skyrocketed since 2008, according to IHS. Back then, the Apple App Store was the only game in town, and the market was worth a mere $206 million and change. That figure leaped to $830.6 million in 2009, then to $2.1 billion in 2010, as more competitors entered the fray. Looking ahead, the market is expected to continue rising in billion-dollar increments, up to $8.3 billion in 2014.
