ITIL - Implementation

Using the
IT Service Management for
Service-Oriented Architecture
Template to implement ITIL

The IT Service Management for SOA architecture is compliant with the latest defined ITIL and ISO 20000 standards. 

Information Technology Infrastructure Library (ITIL) is a consistent and comprehensive documentation of best practice for IT Service Management. Used by hundreds of organizations internationally, a whole ITIL philosophy has grown up around the guidance contained within the ITIL books and the supporting professional qualification scheme.

ITIL Version 3 was released in the spring of 2007 and ITIL 3.0 is structured around a core of Service.  Service Strategy Service Design Service Transition Service Operation Continual Service Improvement

The processes that are addressed in that standard are:

• Access Management
• Availability Management
• Capacity Management
• Evaluation
• Event Management
• Financial Management (aka Service Economics)
• Information Security Management
• Knowledge Management
• Problem Management
• Release and Deployment Management
• Request Fulfillment
• Service Asset and Configuration Management
• Service Catalog Management
• Service Continuity Management
• Service Level Management
• Service Portfolio Management
• Service Validation and Testing
• Supplier Management
• Transition Planning and Support

These process in turn are supported by six (6) functional areas.  Each of these areas have policies and procedures that are contained in the IT Service Management Template.

      

ITIL Standards

Service Desk - (Help Desk Policy, Help Desk Standards, Help Desk Procedures, and Help Desk Service Level Agreement)

An effective "service desk" (Help Desk) can be a great asset to any enterprise. Getting accurate feedback on issues your users are having can only benefit your development efforts and ultimately, the users themselves. The key here is to make sure that the help desk is well-prepared to accept responsibility for support calls on your applications.

Janco recommends that you start working with the help desk at least six weeks before your first application release. If the help desk is mature, they will have aids for capturing application support requests. These will provide the initial information needed for the knowledge base. The help desk personnel will augment that knowledge base over time with solutions and user work-around(s) as they come up with. Be sure to weed out the "false solutions."

There should be a complete distribution list for ticket reports from the help desk to all of the key managers and users in the enterprise. These will disclose what issues users are encountering. Commonly recurring or high-impact issues should become the focus of everyone involved. This then feeds the priority setting process in the Problem Management process.

Incident Management (Help Desk Procedures, Service Request Policy and Service Request Standard)

ITIL defines an "incident" as any disruption to the normal operation of a system or application.  This includes bugs, outages, and even user interface problems.  The Incident Management process begins with notification of an incident.  This can be logged by the  help desk in response to a user call.  It can even be automatically created by a monitoring system.  It marked as completed when normal functioning of the system is restored.

Note that this does not include root cause analysis or correction!  Incident Management is all about restoring service.

Ideally, the  help desk handles the entire Incident Management process.  In less ideal cases, development may be called on to help resolve "novel" incidents--ones that do not have a solution in the  help desk's knowledge base.

When incidents come into the development room, you have some negatives that need to be dealt with. The incident needs to be resolved expeditiously, making it both interrupt driven and urgent. Therefore, every incident will automatically take somebody off their current assignment. This is damaging to flow.

In worse cases, the entire team may get derailed and start huddling around the incident. Fire-fighting is exciting and many help desk professionals like to work them. If the entire team is chasing the incident, nobody is making forward progress on scheduled tasks. If you have a large user community or a lot of incidents, you can lose an entire day or weeks before you realize it.

This can be exacerbated if your help desk never resolves application support incidents. In such cases, Janco recommends the "Center-Post" position. Assign one member of the team to be the primary point of contact for incident resolution.

Problem Management (Help Desk Procedures, Service Request Policy and Service Request Standard)

Recurring incidents can be identified as Problems that require correction. This is the job of the Problem Management process.

Identifying a problem is often done by the  help desk, but it can also come from others. The decision about which problems require correction and which ones have top priority often becomes very slow and bureaucratic. Janco has seen teams get chewed out for fixing problems that weren't scheduled to be addressed for a couple of iterations!

Problem managers should be encouraged to communicate via status reports. There also is a need to communicate back to the user community when the status of a problem changes. Good Problem Management classifies problem states such as "known problem", "known workaround", and "known solution". A help desk team will typically move through these states pretty quickly.

Bear in mind that the ITIL definition of Problem Management is all about oversight, not the actual changes needed to fix the problem.  The actual changes are deployed as part of Release Management.

Change Management (Change Control Standard, Change Control Quality Assurance Standard, Change Control Management Workbook, Version Control Policy, and Version Control Policy)

Change Management is the most complex part of the ITIL standard.  This is the process that so easily slips into heavyweight bureaucracy or, worse, meaningless meetings.

Change Management as defined simply means tracking changes, their impact to configuration items, and ensuring that changes are applied in an orderly way.  It doesn't have to hurt.

In reality, however, help desk will spend a lot of time preparing for change management committee (CMC) meetings.

Janco recommends standardizing your change and deployment process (per the standards defined in the template). Get into a regular rhythm of releases and deployments so the CMC comes to expect that every third Tuesday (or whenever), your team will have a new release. Standardize the release mechanics and system impact statement so you can standardize and re-use your change requests. Familiarity will create confidence with the CMC.

Configuration Management (Documentation Standard, Version Control Policy, and Version Control Policy)

Configuration Management (CM) is not the act of changing configuration items. It's the process for tracking planned, executed, and retired configurations. As you plan each release, you should identify the places that will be affected by the release.

In a well-executed ITIL rollout, CM is vital for change management, incident management, the help desk, and release management. In a poorly-executed ITIL rollout, configuration management does not exist, or it only addresses servers or network devices.

CM should cover servers, network topology, applications, business processes, documentation, and the dependencies among all of them. That way, proposed changes to one area (e.g., upgrade to front-end firewalls) can be analyzed for its impact.

Release Management (Documentation Standard, Version Control Policy, and Version Control Policy)

Release Management dove tails with Information Technology's release planning cycle. Engage early.

      

ITIL News

Internet Misuse Concerns CIOs

When employees and enterprise associates misuse the Internet there are ramifications for and to your enterprise:

• Higher operating expenses and reduced productivity
• Exposure to security problems such as malware
• Exposure to legal risks due to inappropriate material  
• Wasted bandwidth to support the misuse
• Unlicensed software when users download and install software from the internet
• Reputation risk from social networking which can create opportunities for employees to leak confidential information or spread damaging rumors online

Expenditures Closely Watched by CIOs and CFOs

In today's economy, all purchases are carefully scrutinized to ensure that each new piece of hardware and software can produce a rapid return on investment (ROI). However, even attractive and accelerated paybacks are not enough to justify additional expenditures as cautious CIOs and CFOs must continue to slow their technology spending in order to ensure weathering the current economic conditions.

According to an annual survey of top CIOs from multinational Fortune 1000 companies conducted by Goldman Sachs & Co., networking equipment emerged as one of the greatest potential areas for cost reductions in 2009. The CIOs surveyed also indicated an intensified focus on projects involving total cost of ownership (TCO) reductions, such as server virtualization and server consolidation. Faced with severe budget constraints, many CIOs also are delaying product upgrades and technology refreshes, despite the fact that OEMs continue to release next-generation products in increasingly rapid-fire succession.

As a result, increasing numbers of corporations are embracing asset recovery strategies as part of their recession survival tactics. Corporate network budgets, in particular, can be willing recipients of a welcome boost from asset recovery since high-end routers and switches retain more value than many other types of hardware. The keys to maximizing the value of surplus technology in a down economy are determined by how, when and where to offload unwanted gear as well as identifying the partner that can offer top dollar for extraneous equipment along with unparalleled responsiveness and superior customer attention.

Metrics Key to CIO Success

CIOs frequently ask what IT should measure and report to business executives. The key to success is choosing a small number of metrics that are relevant to the business and have the most impact on business outcomes.  The basis for  metrics that work are that they meet the criteria for relevance and impact are investment alignment to business strategy, business value of IT investments, IT budget balance, service level excellence, and operational excellence.

Metrics should form the core of an IT performance scorecard and should center around:

• Alignment of IT initiatives, investments, and operational support to the strategy of the enterprise
• Value added that IT brings to the enterprise
• Cost of new initiatives versus the cost of maintenance of existing processes
• System availability and ease of use
• Health of systems and IT function

Easier to Cut Salaries than Lay-off Staff

Here's the good news: While companies certainly have laid off huge numbers of employees since the economy first started to implode, it appears many of them are doing everything they can to minimize the number. From the Challenger, Gray & Christmas, Inc. press release:

... employers announcing job cuts have initiated more cost-cutting measures than employers that have not cut payrolls. Companies that made permanent job cuts averaged an additional six cost-cutting measures. Meanwhile, companies that have avoided layoffs averaged less than three cost-cutting measures.

"There is a perception out there that some companies have not made sufficient efforts to avoid layoffs by making cutbacks in other areas. This perception is fueled, in part, by a handful of examples of companies announcing job cuts while, at the same time, rewarding top executives with large salaries, bonuses and extravagant perks. However, these examples represent the exception," said Challenger chief executive officer.

"It would also be a mistake to assume that companies avoiding layoffs are doing so out of kindness. While forging good will is certainly part of the decision for some companies, many have simply cut to the bone already or never fully ramped up after the last downturn. Other companies may have more workers than they need for current business levels but are reluctant to enact widespread layoffs, knowing that a recovery will mean recruiting and training all new workers.

"This may be why we have seen an increase in the number of companies cutting salaries and other perks. It is a lot easier to restore compensation and benefits than it is to re-hire and re-train workers when the economy improves."

PCI Compliance Has Benefits Beyond Mandated Requirements

PCI compliance is used as a basis for guidance on fulfilling management responsibility in relation to audits, and information on ensuring continual improvement of IT security efforts.  There is merchant confusion about all of the PCI DSS’s six main themes: Building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, monitoring and testing networks, and maintaining an information security policy.

PCI as a robust security standard has potential benefits beyond its immediate requirements. A generic application of its principles can fulfill other regulatory requirements for information security and privacy.  PCI compliance is mostly information security best practices. However, there is quite a bit of devil in the details of the PCI requirements. There are over 250 detailed testing procedures.

Penalties for noncompliance include higher transaction processing fees, fines, and, in extreme cases, denial of credit card processing capabilities. Violators also face legal fees, civil lawsuits, customer rejection and related revenue loss, and other costs and losses.  Understanding the PCI authority structure is important in maintaining control over PCI strategy and audits.

The PCI DSS security requirements apply to all "system components." A system component is defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (internet) applications.

Virus Targets Federal Law Enforcement

Federal law enforcement systems have been targeted by a virus. The FBI and the U.S. Marshals Service were forced to shut down parts of their computer networks after a mystery virus struck the law-enforcement. The virus' type and origin are unknown, but spokespeople for both agencies said agencies' access to the Internet and e-mail was shut down while the issue was evaluated.

The U.S. Marshals confirmed it disconnected from the Justice Department's computers as a protective measure after being hit by the virus; an FBI official said only that that agency was experiencing similar issues and was working on the problem.

In addition to their external networks, most federal law enforcement agencies have an internal-only network to prevent cyber-snoopers from sensitive data. Government regulations require agencies to report any security issues to US-Computer Emergency Readiness Team (US-CERT).

To protect networks and information against increasingly sophisticated threats, many organizations are deploying security in layers. Some are finding that an efficient way to do this is by using unified threat management (UTM) appliances. 

Office 2000 is at End of Life

Microsoft told Office 2000 users that it will discontinue security updates for the aged suite in July as it drops all support for the software.

At the same time, the company also reminded users that it's dumping the Office Update site at the end of July, part of an effort to streamline update options.

Office 2000 falls off the support list on July 14 -- which is also Microsoft's "Patch Tuesday" for that month -- as it leaves what the company calls "extended" support. From that point on, Microsoft will no issue fixes, not even ones for critical vulnerabilities; instead, it expects users to move on to a newer suite.

By policy, Microsoft supports business software such as Office for a total of 10 years, half in "mainstream" support and the second half in the more limited support. Security updates are delivered for the entire 10-year stretch.

Microsoft launched Office 2000 in June 1999.

Security Risk Faced by Business Due to Lost of Laptops

Anytime and anywhere employees, temporary employees and contractors can access and store enormous amounts of confidential data about customers, employees and their organizations’ operations on laptops. When these laptops are lost due to negligence or theft, the data is at risk if the organization has failed to use such safeguards as encryption or anti-theft technologies. Janco recommends implementing and monitoring strong Security Policies and Procedures.

Most executive managements and IT professionals believe the risk of having lost or stolen laptops will most likely increase or stay the same (i.e., not improve) over the next 12 to 24 months.

Business Record Management is Difficult at Best for Many CIOs

However, search engines are optimized to search web pages and documents and they still fall short inside the enterprise when you consider the additional IT assets stored in applications and other real-time sources of information like databases and ERP Systems. These systems remain "unsearchable" by many current search solutions and largely remain the domain of operational reporting and business intelligence software.

IT Metrics

The average company that spends about 1.5% (varies by industry) of its revenue on IT and you are spending a significant amount of money on IT personnel.  Personnel expenses account for the largest segment of your IT operational budget.  Considering both employees (43%) and outside contractors (7%), the average cost of personnel in the IT operational budget is about 50% according to Computer Economics.  The majority of the IT staff spends approximately 80% of their time on:

• Application maintenance and support
• QA and testing
• Application development and migration
• Technical and database support
• Helpdesk support

The remaining time is spent primarily on desktop, network and security support.
Moreover, the average IT operational budget for application software is about 14.5%. 70% of the average application software budget is spent on application maintenance and support, while about 30% of the application budget is spent on new development.

What you should do when you get a new job as CIO

The first few weeks on the job set the tone for your long term success or failure in your new job.  Her are some things that you may consider as "must do's" in you first 100 days.

• Develop relationships - Learn the culture - On the first few days on the job you should spend over 50 percent of your time outside of your office listening to the people who are there.  Go to lunch with your peers, direct reports, superiors, and key players in your user community.
• Get away from the IT Department  - You have replaced someone who either was a star or a "loser" understand why your predecessor succeeded or failed and why.  Your user community will tell you and at the same time you will an insight in their mind set are as well as how easy or difficult it will be to deal with them.
• Get an independent assessment of the IT function  - Everyone has their own opinion of how good (or bad) the function is, your job is to quickly gain an understanding of it.  By using a third party you can insulate yourself from calls that there are disagreements.  You in essence become a tie breaker and can show that you are in charge.
• Learn the infrastructure  - Understand how things are done, review job description, review the chage control process, and understand the prioritization process.
• Develop a plan which will let you create some wins quickly  - This will be one of the only times that you can set the agenda and at the same time you can get yourself some breathing room.  Be careful to not over commit.

Tweeter and Other Applications Put Enterprise at Risk

E-mail and instant messaging (IM) afford easy to use communication and collaboration by taking advantage of the Internet's abilities, but they require networks to allow a certain amount of un-controlled internet access in order for these applications to function. IT administrators must keep their enterprises connected, yet safe, by enacting measures that allow them to monitor what comes in and goes out via Internet protocol (IP) traffic. With good management CIO have the right tools in place so IT administrators can detect threats before malicious code can take root in the network. Securing the network does not mean removing all contact with the outside world.

Because e-mail and IM applications are operated by individual users who can make bad calls on which files are safe to open, network defenses can be circumvented. Viruses sent via e-mail spread very quickly, overcoming workers’ computers and creating unplanned Disaster Recovery activity for IT departments.

As quickly as e-mail viruses spread, IM worms spread even faster. Although an e-mail virus can send itself to entire address books, they require some action by the user before the malware is activated. IM applications, however, are open channels, and a link or file pops right into someone’s desktop from a friend or colleague.

The business world is dependent on e-mail. More businesses are starting to rely on IM in their internal and external communication strategies. These platforms are not going away anytime soon. So, to take advantage of them and stay connected, spam filters and antiviral measures that scan incoming and outgoing e-mails address part of the security risk. Add IM management software and integration with firewall, secure remote connectivity, intrusion detection and prevention, and you’re well on your way to a productive, safe network for your business.

Metrics are the key to a CIO's Success

Metrics and the other ways to measure performance are very popular among CIOs and IT Managers. Almost every aspect of a computer's performance can be and is measured, however when it comes to service metrics for IT personnel and organizations this is one area that companies pay close attention to.

Computers or machines are easier to measure since there are little to no subjective factors. But with organizations, and especially with people, the subjective factor becomes more and more important and frequently, even if the best methodology is used, the results obtained from metrics are, to put in mildly, questionable.

Who Needs IT Service Management Metrics

Metrics are used in management because they are useful. Metrics are not applied just out of curiosity but because investors, managers and clients need the data.

There is no doubt that metrics are useful only when they are true. I guess you have heard Mark Twain's quote about "lies, damned lies, and statistics" (or in this case - metrics). True metrics are achieved via using reliable methodologies. It is useless just to accumulate data and show it in a pretty graph or in animated slideshow. This might be visually attractive but the practical value of such data is null.

However, even when the best IT Service Management metrics methodology is used, deviations are inevitable. Therefore, one should know how to read the data obtained from metrics. It is also true that metrics, including IT Service Management metrics, can be used in a manipulative way, so one should be really cautious when he or she reads metrics and above all - when making decisions based on these metrics.

CIO face compliance issues with older unsecured PCs

Enterprises of all sizes are hesitant to replace f existing notebook PCs due to the reluctance to spend money, and the cost of migration.

There is substantial pressure and scrutiny on all IT expenditures. However, despite this increased attention, organizations must still comply with ever more strict privacy and audit demands. One of the areas that need the most attention is the unsecure notebook PCs population that is at high risk of theft or loss. The amount of data and the ability to access corporate systems places old notebook computers among the greatest risks that an organization faces.

With the cost of hardware plummeting, and the cost of compliance issues and breaches skyrocketing, "saving money" by running a risky end-user computing environment may not make sense. CIOs can and should make the  case for the twin benefits of meeting compliance and audit demands, while reducing operating costs by deploying new laptops for your mobile workforce.

Search Engines Part of Enterprise Infrastructure

Drivers of Strong Security Policies and Procedures

There are strong security implications and relationship between mandated compliance (Sarbanes-Oxley, HIPAA, ITIL, and PCI-DSS), sensitive information protection, and theft recovery. Organizations must consider all of these factors when defining security policies. It is no longer enough to attempt to address compliance issues without addressing data protection. Protection of sensitive information on mobile and remote computers requires an understanding of the issues surrounding computer theft and transmission interception. Having a broader understanding of how these areas inter-relate allows organizations to build a more robust security policy that addresses the issues of regulatory compliance, sensitive information protection and theft recovery.

Today, accepting the loss or theft of one laptop, PDA, SmartPhone, USB storage device, or tablet computer is simply not an option. A missing device can result in compliance and sensitive data protection issues that may be very costly to an enterprise's reputation and bottom line. Enterprises need to be able to accurately track their computers, know who is using them, what is installed on them, and be able to prove the actions taken to secure computers remain deployed and intact until the computer can be located.

Government Sites Source of Many Massive Data Breaches

The Federal Aviation Administration (FAA) was doing such a good job at protecting data in its computer systems that the Office of Management and Budget chose it in January to be one of four agencies to guide other federal agencies in their cyber security efforts.

The FAA announced the theft of personal information on employees and retirees. Two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA’s rolls as of the first week of February 2006.

The server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the FAA has no indication those systems have been compromised in any way.

Challenges for CIOs

As the economic recession continues to deepen, double-digit budget cuts, hiring freezes and layoffs are becoming a fact in many IT departments. However, some CIOs are managing to keep both their staffs and their rosters of ongoing IT projects largely intact - due partly to a desire on the part of business executives to use technology to reduce corporate costs and boost revenues.

CIOs are now challenged more than any time in the past with the economic earthquake around the globe CIOs have to be smarter, creative and innovative. The only way for CIOs to survive the world economic reset in a knowledge age is to capitalize on our human capital, put their staff’s creativity to work, stoke our innovative furnace. There are many ways to fuel the creative fires - from management techniques, to team building, and effectively leveraging existing and emerging technological investments.  However, the key is infrastructure.  CIOs that have a one that address metrics, change management, version control, system development methodology, service management, and human resources have a better chance to make it through these tough times.

Secrutiy Policies to Protect Against Data Breaches

In a world driven by PDAs, laptops, and Internet connectivity, data breaches are common and costly. The cost per record of a data breach has gone from $138 in 2005 to $202 in 2009 according to the Ponemon Institute in its fourth annual U.S. Cost of a Data Breach Study. 

Privacy violation statistics indicate that the number of incidences and costs associated with data breaches are increasing steadily, proving that organizations across industries need to take a more pragmatic approach for protecting information, especially in highly vulnerable non-production (development, testing and training) environments. Data in non-production can be more susceptible to a breach when it is used in development and testing activities, accessed by mobile employees or outsourced.

There are a number of best practices action steps that should be followed:

• Define responsibilities as to who is the “center post” in security for data.
• Define privacy and security requirements for your enterprise
• Inventory data, both electronic and physical
• Implement policies, procedures, and process to secure data
• Test robustness of policies, procedures, and processes
• Review at least annually

Productivity Metrics Defined

Disengaged employees produce an average of 50% less revenue than an engaged employee. By knowing who is on board, who is not and why, you can invest in areas that have the greatest impact in the shortest period of time. Increased productivity provides a greater return on your payroll investment. 

At the heart of an improved productivity is an effective Service Level Agreement (SLA) and performance metrics process that:

• Measures the right performance characteristics to ensure that the client is receiving its required level of service and the service provider is achieving an acceptable level of profitability
• Can be easily collected with an appropriate level of detail but without costly overhead
• Ties all commitments to reasonable, attainable performance levels so that "good" service can be easily differentiated from "bad" service, and giving the service provider a fair opportunity to satisfy its client.

The Metrics for the Internet, Information Technology and Service Management HandiGuide® is over 300 pages, defines 540 objective metrics, and contains 83 metric reports that show over 240 objective metrics.  Order Now

Billions for Security in Stimulus Package

The economic stimulus package includes hundreds of millions of dollars for various IT and physical security projects.  Scattered throughout the 1,500 page Senate bill are various spending items targeting physical and IT security needs. Among them are the following:

• $400 million for a proposed headquarters complex for the DHS
• $250 million will be available to planning, design, IT infrastructure, fixtures and other costs related to the consolidation of the DHS headquarters.
• $99 million will be available to bolster the ability of the federal government to detect, respond and mitigate cyber threats.
• $120 million for designing and building new backup and disaster recovery capabilities for unspecified mission-critical operations.
• $200 million for a border security fence, infrastructure and technology for securing the nation's southwest border.
• $28 million for the purchase of tactical communication equipment and radios for border security functions.
• $100 million available to buy and deploy "non-intrusive" inspection systems at U.S. ports.
• $200 million for explosives detection systems.

Insiders are responsible for 70 percent of security incidents

Experts estimate that insiders are responsible for 70 percent of security incidents that incur losses. With the average cost of a single internal data breach estimated at $14 million, companies are looking beyond protecting network perimeters from external threats. Many enterprises are implementing solutions that guard against the insider threat by delivering unified protection of data wherever it is stored or used.

One of the first steps is to have formal policies and procedures in place on what is sensitive information and how it is to be protected.  Janco Associates has a sensitive information policy in WORD.

This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data.  The template is 29 pages in length and complies with Sarbanes Oxley Section 404, PCI-DSS, ISO 27000, and HIPAA.  The PCI Audit Program that is included is an additional 50 plus pages in length.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals). 

The HIPAA Audit Program Guide provides you with a checklist of the must be implemented items which HIPAA mandates. 

Disaster and Business Continuity Planning Pit Fall

In these turbulent economic times, it is easy for many of us to forget the basics and fall into the trap that disaster and business continuity planning are an optional activity.  Here are some common pit falls to avoid.

• Not having an adequately documented Disaster Recovery / Business Continuity Plan - Not having a plan is fatal - having a plan that does not cover all the bases in a step-by-step manner can be worse because of a false sense of security that it would provide.
• Having your plan only in an electronic version - Be sure to store the documentation at multiple locations and verify that all key personnel have easy access to the manuals.
• Not foreseeing all of the disasters that can occur  - Focus on location and geography. Do you live on an earthquake fault, tornado belt, or in a flood zone? How stable is the power source – are there frequent interruptions from thunderstorms or rolling blackouts?
• Having a plan that only a few people are trained or know about - What if those individuals who are trained are not available? Train as many employees as possible and see that they are geographically dispersed in case of a large environmental disaster that affects all local employees.
• Depending on one communication channel to notify staff a disaster has occurred - Relying on single telephone tree to notify staff during a disaster. If the power goes out in your facility and no one is there to report it, will your disaster recovery/business continuity staff be informed?
• Not having enough backup up power to cover an outage of several days - My disasters last several days if not weeks.  Not having enough power may limit your ability to move key resources out of the disaster region.
• Not knowing what is critical to operations - What is needed to keep the enterprise running? Are there some functions and systems that you can operate without for several days?
• Not testing the adequacy of your backups - It does not matter how good your plan is if your backup data is not adequate to meet the task. Testing the media and processes regularly cannot be stressed enough.
• Not testing your plan - Regularly conduct data fire drills to test every possible scenario, from basic power failures to catastrophic events that could result in multiple months of devastation.
• Not have necessary passwords and software keys - Password protection is a key goal for data security, you need to store your system passwords and software keys in several geographically separate, secure locations. Make sure that more than one IT staff person has to these and that these passwords are promptly changed / tested when key personnel leave the company.
• Not having an up-to-date plan up to date – Have at least one individual responsible for updating your plan. Revisit the plan at least on a quarterly basis.

Lay-offs Increase Risk of Data Breaches

According to the IT Productivity Center cyber-crime rates traditionally spike during in economic recessions. Layoffs fray employee and contractor loyalty, and there certainly is money to be made selling all kinds of corporate data.  As thousands of workers and contractors being laid off or terminated each week lately, there is an incentive for laid-off employees to take intellectual property with them to bolster their chances of getting hired with a competitor, to use with a start-up company of their own, or maybe even to sell.

Laid-off employees and terminated contractors are a serious security threat in an economic downturn. In a McAfee Inc. worldwide survey of 1,000 IT decision-makers, the company found that 42% of respondents felt that laid-off employees represented the biggest IT security threat caused by the recession. That is more than were worried about outside intruders. And 36% said that they were worried about security problems caused by employees in financial stress.

Sources for data breaches include:

• USB drives - small portable and are one of the most underestimated sources of data leaks
• Printed reports - traditional file dumps of sensitive information are large but easily used by non-IT types.
• Web pages - customer and order history accessible by someone with a password and userid that provides access to anyone anywhere.
• Back-up Media - this is the pot of gold, it has everything and all person needs is a way to access it.

Mandate Goverment Data Security Regulations

Over the past decade a raft of government, regulations have introduced requirements, some more specific than others have, for protecting and retaining corporate information over time. Many address specific areas of business.

• Healthcare HIPAA (Health Insurance Portability and Accountancy Act standards) established national standards in the US in 1996 for electronic healthcare transactions.
• Government CoCo (Code of Connection) is a UK government standard to be used when connecting to government networks.
• Financial Sarbanes-Oxley Act (SOX) (passed in 2002 in the wake of the Enron and WorldCom financial scandals) introduced major changes to the regulation of financial practice and corporate governance. All US public company boards, management and accounting firms must comply.
• Banking Gramm-Leach-Bliley Act allowed commercial and investment banks to consolidate in 1999 and includes provisions to protect consumers’ personal financial information held by financial institutions.
• Information EU Data Protection Directive protects the privacy of all personal data collected for or about EU citizens, especially as it relates to processing, using, or exchanging the data.