February 5th, 2008 - Poor IT Infrastructure Led to French Bank Trading Losses
(IDG News Service) The huge losses reported by
French bank Société Générale, apparently caused by a rogue trader with inside
knowledge of the bank's procedures, don't necessarily point to an IT systems
failure but rather to poor management of those systems, analysts say.
The bank has accused 31-year-old employee Jerome
Kerviel of creating a fraudulent trading position in the bank's computers that
ultimately caused it to lose around $7.3 billion.

Kerviel achieved this by, among other
things, misappropriating computer passwords, the bank said. It has revealed few
other technical details of what caused the losses.
Management of passwords, including rescinding the old
passwords of employees who move to different positions within the bank, or
modifying the level of access those passwords allow, is often a task given to
the lowest-level IT worker.
It is a dull and routine task 99 percent of the time,
but a vital backstop, said a senior analyst at TowerGroup. Senior IT managers should
conduct more frequent reviews of password policies, he said.
In some cases, it may not have been the security of
the passwords themselves that posed a problem, but rather the access those
passwords allowed, said Ian Walden, professor of information and communications
law at Queen Mary, University of London.
Organizations tend to think of access as being binary
in nature: you get access to it all, or you don't, Walden said. In reality,
there are many more levels of access. In modern, complicated systems, the
granularity has to be much more sophisticated.
To make the best use of systems with advanced access
controls, the IT department must have a thorough understanding of how the
business works and where there is risk.
IT departments and business managers have yet to find
a way to wrap security into business processes so it is not an impediment,
Walden said.
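As an added illustration of the access-granularity and password-rescinding points above (example code written for this digest, not anything from the bank or the analysts quoted): a small entitlement model in which permissions are derived from the user's current role, so a transfer drops the previous role's access automatically, plus an entitlement review that flags two things the article alludes to: access that a previous role held and was later re-added by hand, and a user who can both enter and confirm trades. All roles, actions and user names are invented.

```python
"""Added example (not from the article): role-derived entitlements, revocation
on transfer, and a review that finds stale or toxic access combinations.
Roles, actions and user names are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed permission catalogue: role -> set of (system, action) pairs.
# Access is granted per action, not as one all-or-nothing switch.
ROLE_PERMISSIONS = {
    "back_office": {("trading", "view_positions"), ("trading", "confirm_trade")},
    "trader": {("trading", "view_positions"), ("trading", "enter_trade")},
    "it_support": {("trading", "view_positions")},
}


@dataclass
class Account:
    user: str
    role: str
    extra_grants: set = field(default_factory=set)  # ad hoc grants outside the role
    previous_roles: list = field(default_factory=list)


class Directory:
    def __init__(self):
        self.accounts = {}

    def hire(self, user, role):
        self.accounts[user] = Account(user, role)

    def transfer(self, user, new_role):
        """Move a user to a new role. Because entitlements are computed from the
        current role, the old role's permissions disappear with the transfer
        instead of depending on someone remembering to rescind them."""
        acct = self.accounts[user]
        acct.previous_roles.append(acct.role)
        acct.role = new_role

    def grant_extra(self, user, system, action):
        """An exception granted by hand; every such grant is review material."""
        self.accounts[user].extra_grants.add((system, action))

    def effective(self, user):
        acct = self.accounts[user]
        return ROLE_PERMISSIONS[acct.role] | acct.extra_grants

    def can(self, user, system, action):
        return (system, action) in self.effective(user)

    def separation_violations(self):
        """Users who can both enter and confirm a trade: a combination no single
        role in the catalogue is meant to hold."""
        return sorted(u for u in self.accounts
                      if self.can(u, "trading", "enter_trade")
                      and self.can(u, "trading", "confirm_trade"))

    def residual_grants(self):
        """Extra grants that reproduce a permission of a role the user used to
        hold but the current role lacks: the classic leftover of a transfer done
        by adding access instead of replacing it."""
        found = {}
        for user, acct in self.accounts.items():
            old = set()
            for r in acct.previous_roles:
                old |= ROLE_PERMISSIONS[r]
            stale = acct.extra_grants & (old - ROLE_PERMISSIONS[acct.role])
            if stale:
                found[user] = sorted(stale)
        return found


def demo():
    d = Directory()
    d.hire("alice", "back_office")
    d.hire("bob", "it_support")
    d.transfer("alice", "trader")
    after_transfer = d.can("alice", "trading", "confirm_trade")  # False: revoked
    # Someone re-adds the old permission by hand; the review should surface it.
    d.grant_extra("alice", "trading", "confirm_trade")
    return after_transfer, d.separation_violations(), d.residual_grants()


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `transfer` never touches a permission list: access follows the role, so the "rescind old passwords" step the article describes as a low-level chore cannot be forgotten, and anything granted outside a role is visible to the review by construction.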
January 30th, 2008 - Power Cost for Cooling Data Centers Doubles
The issue of power and cooling in the datacenter has
become a top priority for IT executives. Working with customers and applying IDC
data sets against industry standards of datacenter thermal metrics, it is
apparent that the evolution of the
datacenter
has been outpaced by the rate of server technology advancement. Driven by
demands for higher levels of compute performance, yet constrained by tight
budgets, datacenters have increased in density, with smaller servers running
faster processors. The resulting rise in power consumption has become a
significant cost factor for the business' operating expense, while cooling
capacity has become a limiting factor in terms of IT expansion. In 2005, $26.1
billion was spent to power and cool the worldwide installed base of servers.
This is more than double the cost from 10 years ago of $10.3 billion. Additional
findings include:
- Over the next five years, the expense to power and cool the worldwide
installed base of servers is projected to grow four times compared with the
growth rate for new server spending. IDC expects server power and cooling
costs to increase at an 11.2% CAGR to $44.5 billion over the forecast period.
This expense is equal to 70% of the overall new server spending in 2010.
- IDC has learned that there is an organizational disconnect within most
companies between IT purchasers and the facilities personnel who are
responsible for utilities within the datacenter. Proactive companies are
merging facilities with IT to better measure and manage datacenter operation
costs.
- It is critical that IT vendors position themselves as part of the solution
rather than part of the problem. There is significant opportunity for vendors
that develop a product message that resonates with the multiple customer
stakeholders, including facilities, IT purchasers, datacenter managers, and
finance.
- Customers are shifting their purchasing criteria, taking into
consideration not only system performance but also the power and thermal
characteristics. The industry is responding with energy-efficient systems,
power management tools, and advanced cooling
technology.
January 27th, 2008 - In a pandemic telecommuting may be wishful thinking
(Computerworld) The financial services industry is
confident that it would be able to continue delivering essential services to
customers during an influenza pandemic, even if 50% of the employees at firms
didn't show up at their offices.
That is one
of the key conclusions in a report released Thursday that assesses the results
of what may have been the largest pandemic planning test done in the U.S. thus
far.
But the report, which
was prepared by the U.S. Department of the
Treasury and two financial services panels, one
an industry group and the other made up of government regulators, does caution
that even well-prepared telecommuting plans could face problems in the event of
a pandemic. Specifically, it warns that increased use of the Internet by at-home
workers, recreational users and other Web surfers likely would reduce
residential-service throughput to just 50% of the normal rates because of
bandwidth limitations in the so-called last mile — the cables that connect
houses to the Net.
The report distills the main findings gleaned from
the pandemic test, which was conducted over a three-week period in September and
October. The test forced planners at financial services firms to consider how
their operations would fare if the avian flu began spreading rapidly among
humans. Questionnaires distributed as part of the test generated a total of
about 400,000 responses from banks, trading firms, insurance companies and
businesses that offer clearance and settlement services.
In addition
to raising concerns about performance problems for remote workers, the report
challenges some notions about the importance of telecommuting's role during a
pandemic. For instance, many small and midsize organizations said in the
questionnaires that telecommuting isn't feasible for employees because their
jobs can't be done remotely. Some also said that they don't have the necessary
IT equipment to support telecommuting or that they're concerned about security
issues.
One of the things that could help firms deal with a
pandemic is cross-training of employees, which the report noted is a
"long-standing" practice in the financial services industry.
"During the height of the [simulated] pandemic, a
substantial majority of organizations across the sector reported that they had a
sufficient number of cross-trained employees to conduct essential operations and
to meet increased online customer demand," the report said.
Another issue raised in the report, though, is the
fact that most of the companies that participated in the test — 88% — either
didn't have stockpiles of antiviral medications such as Tamiflu and Relenza, or
else had decided not to distribute them to workers. Instead, they relied on
so-called personal protection equipment, which could include gloves and face
masks.
The report said that companies "may wish to consider
stockpiling and distributing antiviral medications, because they may reduce
morbidity and mortality, and because they may diminish the overwhelming demands
that will be placed on the health care system by a pandemic." But it also warned
that there could be liability issues related to the distribution of the
medications.
Pandemic planners consider a range of external
issues, such as rolling blackouts and brownouts in urban areas. Ground mail and
overnight delivery services also likely would suffer during a pandemic. Travel
would be affected, with airline flights likely being reduced and fuel prices
increasing significantly. Within the financial services industry itself, large
numbers of bank branches might close, and trading hours could be
shortened.
There are plenty of other unknowns — for instance,
how many workers would actually go to their offices? The report indicates that
employers can't be certain of that. The test, it said, "didn't investigate the
willingness of employees to come to work in the context of the dangers — both
real and perceived — [that would be] posed by a
pandemic."
January 14th, 2008 - Metrics and Security
Just
like any other facet in a company, even IT security has to be measured. Without
such measurement, the company cannot know for sure if the system incorporated by
IT security is indeed as efficient as it should be. This is precisely why there
is a need for IT security metrics to be implemented. Janco has a
HandiGuide, Metrics for the Internet, Information
Technology, and Service Management, which has
specific metrics defined for every facet of IT technology.
In its
simplest form, there are a number of levels at which IT security metrics can be
obtained in a company or an organization. But what usually happens here is that
metrics are collected right down at the system level. Depending on the need and
the size of the company or organization, these metrics are then moved upwards
onto higher levels. Regardless of how these detailed metrics are moved upwards,
what remains here is the fact that IT security metrics should be founded on the
objectives and performance goals implemented by IT security.
If you are
wondering just how IT security metrics can monitor the progress of such
objectives and goals being accomplished, it is actually quite simple. It
is through the quantifying of certain aspects entailed in the process. These
aspects include the security controls implemented, as well as the efficiency of
such controls, the analysis on just how adequate certain implemented activities
concerning security have been, and the identification of proper courses of action geared towards improvement. All
of these aspects should be quantified so that the accomplishment of said
objectives and goals would be achieved in the long run. Aside from these, the
objectives and goals of other facets in the organization have to be determined
and added to the list of priorities as well. This should be done so that all
measurable factors of security performance will be guided accordingly, with the
company's operational priorities in mind. These measurable factors include the
objectives and goals of legislation, federal regulations, and both external and
internal guidance.
It is very
difficult to compare collected data if they are not quantifiable because it is
through the use of quantifiable data that unbiased comparisons would be made.
What's more, without quantifiable data, it would be very hard to utilize the
appropriate formulas needed for further data analysis. Aside from the data being
quantifiable, the process used in the analysis of such data should be measurable
as well.
Beyond being quantifiable, IT security metrics have to be
accurate in monitoring the overall performance of the company, as well as
directing its funds and resources accordingly. For IT security metrics to be
very beneficial, these should have the ability to determine and predict future
trends in terms of performance. This way, the company can come up with the much
needed solutions to address future needs that would come about.
There is
no question about it that the utilization of IT security metrics is indeed very
beneficial. There are many organizational benefits to this endeavor. Firstly,
the data collected actually enables the members of the management to determine
the specific controls that are not enforced correctly. These controls may be
operational, technical, or even managerial in nature. With the implementation of
IT security metrics, these are determined more easily.
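As an added example, not part of the Janco article or its HandiGuide, the script below takes the kind of system-level check results the text describes, rolls them up to control level and then to the operational/technical/managerial category level that management sees, lists the controls that fall below a target (the "not enforced correctly" set), and fits a straight line to past period values to project the next one. Every system name, control and number is constructed sample data, and the 75% target is an arbitrary assumption.

```python
"""Added example (not from the article): rolling system-level control results
up to company-level security metrics, flagging weak controls, and projecting
a trend. All systems, controls and values below are constructed sample data."""
from collections import defaultdict

# Constructed sample: one record per control checked on one system.
# The category column is the article's operational / technical / managerial split.
RESULTS = [
    # (system,  control,                 category,      passed)
    ("web-01", "patch-age<30d",          "technical",   True),
    ("web-02", "patch-age<30d",          "technical",   False),
    ("db-01",  "patch-age<30d",          "technical",   True),
    ("web-01", "mfa-for-admins",         "technical",   True),
    ("web-02", "mfa-for-admins",         "technical",   True),
    ("db-01",  "mfa-for-admins",         "technical",   False),
    ("web-01", "backup-restore-tested",  "operational", False),
    ("web-02", "backup-restore-tested",  "operational", False),
    ("db-01",  "backup-restore-tested",  "operational", True),
    ("web-01", "access-review-signed",   "managerial",  True),
    ("web-02", "access-review-signed",   "managerial",  True),
    ("db-01",  "access-review-signed",   "managerial",  True),
]


def _pass_rates(results, key_index):
    """Pass rate (percent, one decimal) grouped by the chosen record field."""
    hits, total = defaultdict(int), defaultdict(int)
    for rec in results:
        key, passed = rec[key_index], rec[3]
        total[key] += 1
        hits[key] += int(passed)
    return {k: round(100 * hits[k] / total[k], 1) for k in total}


def control_coverage(results):
    """System level rolled up to control level."""
    return _pass_rates(results, 1)


def category_coverage(results):
    """Control level rolled up to the category level management reports on."""
    return _pass_rates(results, 2)


def weak_controls(results, threshold=75.0):
    """Controls below the target pass rate: the ones not enforced correctly.
    The 75% default is an assumed target, not a figure from the article."""
    return sorted(c for c, pct in control_coverage(results).items() if pct < threshold)


def project_next(series):
    """Least-squares line through past period values, extrapolated one period
    ahead: the simplest form of the trend prediction the article calls for."""
    n = len(series)
    xs = range(n)
    mx, my = sum(xs) / n, sum(series) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, series)) / sxx
    return round(my + slope * (n - mx), 1)


if __name__ == "__main__":
    print(control_coverage(RESULTS))
    print(category_coverage(RESULTS))
    print(weak_controls(RESULTS))
    print(project_next([60.0, 65.0, 70.0]))
```

Because every record carries the same raw pass/fail value at the bottom, the control-level and category-level numbers are guaranteed to be consistent with each other, which is the property that makes the upward roll-up the article describes comparable across periods.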
January 14th, 2008 - Multiple Data Centers Ease Disaster Recovery Process
(NetworkWorld) Data center consolidation is all the rage: enterprises are taking geographically distributed data centers and
collapsing them into one or two centrally managed
locations that are less expensive and easier to
operate.
But data center consolidation isn't
for everyone. Analysts say there are numerous reasons to maintain a distributed model. Bucking the trend to combine locations, some companies are
building new data centers or adding to their
existing footprint by renting more space in
co-location facilities.
Disaster recovery is one of the most common reasons that enterprises stick with
multiple data centers, says an analyst of the
Taneja Group. When
you have multiple data centers they can act as
disaster recovery sites for each other, and
therein lies the value. Having one data center is never going to be enough. I am going to have to have a disaster-recovery site whether it is my own, or I borrow from somebody.
Real estate prices sometimes make
building another data center the right
option. Say a company in a large metropolitan area such as Manhattan has run out of data center space and
capacity for power and cooling. Expanding into
another floor in a Manhattan high-rise is
prohibitively expensive, so it
is considerably less expensive to build an
extra data center in New Jersey, says a
systems group marketing manager for Sun Microsystems.
December 30th, 2007 - Google Misses on a Key Patent
(IDG News Service) -- Google
Inc.'s browser tool bar is back in court on
patent infringement charges, after a U.S. court of appeals overturned part of a
lower court decision. Google's AdSense contextual advertising service,
though, is in the clear.
Hyperphrase Technologies LLC filed suit against
Google in April 2006, alleging that Google's AdSense and the AutoLink function
of its tool bar infringed on four Hyperphrase patents relating to the contextual
linking and presentation of information. The U.S. District Court for the Western
District of Wisconsin rejected the allegations in a summary judgment in Google's
favor; Hyperphrase appealed.
On Wednesday, the U.S. Court of Appeals for
the Federal Circuit upheld the parts of the summary judgment relating to
AdSense, and some of the claims against AutoLink, but it overturned the part of
the ruling dealing with AutoLink's alleged infringement on two of the patents.
It remanded the case to the district court to be re-examined.
AutoLink
parses Web pages for text fragments in certain formats and then transforms them
into links to Web pages it deems appropriate. For instance, it will link
publication International Standard Book Numbers (ISBN) to a corresponding
listing on Amazon.com Inc.'s bookstore, or it will link package tracking numbers
to pages showing delivery status. It will similarly process U.S. street
addresses and U.S. vehicle identification numbers.
In its ruling, the
appeals court found that the district court had considered an inappropriate
interpretation for "data reference," one of the terms used in the patent claims
to describe the way a link is made between a fragment of text and an element in
a database. The court of appeals remanded the case to the district court to
determine whether AutoLink infringed on the patents under the new interpretation
it suggested.
Some have likened AutoLink, introduced in early 2005, to
an earlier initiative from Microsoft
Corp. called Smart Tags, which sought to add
links determined by Microsoft to certain keywords appearing on Web pages viewed
through its Internet Explorer browser.
December 15th, 2007 - Microsoft Fails to Get Users to Accept Vista After One Year Effort
(Janco) Even though Microsoft owns the OS market in the commercial marketplace,
the market share of Vista is still only a little over 9% after one year.
Currently almost 95% of all systems that browse the internet are some form of
the Windows OS.
In its Browser and OS Market Share study,
which is to be released on January 3rd, Janco found that most users are not really
interested in the OS. Rather they are interested in the way that they can
use the systems to meet their needs.
Janco found there are basically two
types of Vista users:
- Early adopters - individuals and enterprises who
must have the latest technology.
- Developers - individuals and enterprises that
develop products either for internal distribution or external
sale.
Many users are waiting for Vista Service Pack 1
to be delivered before they will install it on more
workstations.

December 5th, 2007 - Google to send business addresses to TomTom devices
(Computerworld) -- TomTom
International BV has teamed with Google
Inc. to make it easier for users to search for and send
business addresses from Google Maps to
their TomTom portable navigation devices.
"The ability to search, find and send information from the Web to
a TomTom is something we have been investing in for some time now," said Eric
Pité, vice president for product management at TomTom, in a statement. "This cooperation represents a major step for
TomTom in meeting the growing demands of our customers for personalized content
for their TomTom devices."
Google has expanded the local search pages of Google Maps by
adding "Send to GPS" to its "Send to" feature, according to the statement. That
means TomTom users can add business addresses to their devices without having to
download .zip files. After a user searches for a business address on Google
Maps, all he has to do is click on the "Send to GPS" button to transfer the
information to his TomTom device.
The information is transferred to the device when it is
connected to the Internet via TomTom Home, the company's free software
application. Once this is completed, motorists can view the location of the
business on the map on the TomTom device as well as navigate to the destination.
The address can also be saved on the device as a "favorite" for later use,
TomTom International said.
"We are constantly working to make our maps more useful so they
become a one-stop shop for finding all the local information and directions that
people need," said Giorgio Scherl, a Google product manager, in the
statement.
November 27th, 2007 - IT Professionals are busy over the holidays
IT
stands among the ranks of vital professionals (healthcare, public safety workers
and government) for whom evenings, weekends and holidays are par for the
workplace course.
However, without the glamour associated with
saving lives, restoring heat to freezing homes or guiding people through the sky
so they can be reunited with their loved ones for the holiday, few even realize
that IT is keeping the lights on.
For IT professionals, the biggest holidays of the
year are rarely a cause for celebration. Systems need to be upgraded when the
office is shut down and all too often, servers partake in a Murphy's Law, going
haywire when there are the fewest people around to restore them.
November 10th, 2007 - Mobility adds to the security challenge
Businesses today face new security threats such as zero-day exploits, drive-by
downloading and phishing. Additionally, hackers are using new conduits such as instant
messaging, peer-to-peer and wireless connections to deliver their attacks.
At the same time, the aim of today's attacks has also changed. There is
a shift towards more financial damage due to the theft of sensitive company
data.
To
protect against these threats requires security products that guard against
malware and intrusions. Additionally, mobile workers need a secure way to share
information, retrieve e‑mail
and access company applications and
resources.
Increasingly, businesses are looking to integrated solutions that combine
multiple forms of protection. [Unified Threat Management (UTM) appliances]
enable managers to protect their networks through a single administrative
interface without the burden of running multiple servers. As a result, UTM
appliances offer a lower cost of ownership than traditional
solutions.
With mobile workers, the challenge becomes how to ensure they:
- Keep their security software up to date
- Install new patches as they become available
- Do not tamper with their security settings and firewalls
- Keep their portable equipment safe from physical theft
Businesses need to educate their mobile workers to employ best practices
and monitor their users' security solutions constantly.
November 9th, 2007 - Smartphones are a Back Door to Security Breaches
Have you secured your data from Smartphones?

Professionals are increasingly realizing the
productivity benefits of mobile devices such as Smartphones, personal digital
assistants (PDAs) and converged PDA/phones. While this mobile revolution is an
advantage to professionals, it is creating a tremendous security management
challenge for CIOs and other IT professionals. Proprietary and confidential data
is now moving outside of the secure perimeter of the enterprise and onto mobile
devices that can be located anywhere in the world. What's more, these devices
have a variety of data communication and storage technologies, such as
e-mail/PIM synchronization software, infrared data transmission, Bluetooth and
removable data storage. As a result, it is easy for mobile devices to become
strongholds of enterprise information.
Unless actions are taken to secure
this information, the mobile device represents a potentially severe security
risk to the enterprise.
November 5th, 2007 - Spammer Gets Two Years in Jail
Man
gets two years jail for AOL spam scam
(Reuters)
- A New Jersey man was sentenced to more than two years in prison on Friday for
helping send spam e-mails to more than 1.2 million America Online
subscribers.
Todd Moeller, 28, was sentenced to 27 months in prison
in a federal court in New York after he was caught making a deal with a
government informant to send junk e-mails advertising a computer security
program in return for 50 percent of the profits, the U.S. Attorneys Office in
Manhattan said.
Moeller and Adam Vitale of New York pleaded guilty earlier this
year to breaking anti-spam laws and defeating AOL's filter system by using a
variety of computer servers and changing the header information on e-mails to
ensure they could not be traced, court papers said.
Moeller told the informant via instant messaging he
could conceal the source of the e-mails through his access to 40 different
servers and had profited $40,000 a month from other spam e-mail scams that
promoted stocks, prosecutors said.
November 2nd, 2007 - Audit Programs Expanded
Just released Disaster Recovery Audit
Program Meets Sarbanes-Oxley Requirements
Disaster Recovery / Business
Continuity Audit program identifies control objectives that are met by the
audit program. There are 36 specific items that the audit covers.
The program is available as a stand-alone product as well as being included in
the Disaster Recovery / Business Continuity
Template.
The template was created to meet the requirements of
Sarbanes-Oxley, HIPAA, ISO 17799, and PCI-DSS.
October 31st, 2007 - Internet Service Monitor Program Launched
Internet Server
Monitor
Automated server and network monitoring
Internet Server Monitor is a network monitoring tool
that enables systems administrators to automatically monitor the network for
failures and recoveries. With Internet Network Server Monitor, you can identify
issues and fix unexpected conditions before your users or managers report them
to you.
Maximize uptime
Internet Server Monitor maximizes network
availability by monitoring network servers, services and applications
(resources) running on your Windows and Linux servers, workstations, and devices
such as routers. When a failure or recovery is detected, Internet Server Monitor
can alert you remotely by email, pager or SMS, as well as on your desktop via
system tray icon status and popup, sound, or message box. Failures and
recoveries can optionally be logged to any Windows Event Log or your syslog
server.
Performs real tests, rather than deducing status
from port scans
Internet Server Monitor actually handshakes with
network resources. In some cases specific functions are called, enabling Internet
Server Monitor to determine not only whether a network resource is available, but
also whether the resource is functioning adequately.
Affordable monitoring made easy
Internet Server Monitor uses the latest user
interface components, is easy to set up and use, and is priced well below our
leading competition. Unlike much of our large corporate world competition, being
a smaller software company enables us to quickly respond to feature requests
with a typical turn around time of 2 weeks for simple requests and 1 month for
significant requests. We also offer one year of software updates and free
toll-free phone and email technical support.
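To show the distinction the vendor draws between deducing status from a port scan and performing a real test, together with the failure/recovery alerting it describes, here is an added example that is not the vendor's code: a throwaway local HTTP service that keeps its port open while answering with an error, a plain TCP-connect check beside an HTTP-level check, and an edge detector that reports FAILURE or RECOVERY only when the observed state changes, so an operator is paged once per incident rather than on every poll. The service, its fault flag and the poll sequence are all constructed so the example runs offline.

```python
"""Added example (not the vendor's code): port-open check versus application-
level check, and edge detection so that only failures and recoveries alert.
The local HTTP service and the poll sequence are constructed for the demo."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class Health:
    ok = True  # toggled by the demo to simulate an application fault


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The listener stays up either way; only the application answer changes.
        code = 200 if Health.ok else 500
        self.send_response(code)
        self.end_headers()
        self.wfile.write(b"OK" if Health.ok else b"backend down")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def port_open(host, port, timeout=1.0):
    """What a port scan sees: can a TCP connection be established at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_healthy(host, port, path="/", timeout=1.0):
    """A real test: complete an HTTP exchange and require a 2xx status."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return 200 <= status < 300
    except OSError:
        return False


class EdgeDetector:
    """Turns a stream of up/down samples into FAILURE / RECOVERY events."""

    def __init__(self):
        self.last = None

    def observe(self, up):
        event = None
        if self.last is not None and up != self.last:
            event = "RECOVERY" if up else "FAILURE"
        self.last = up
        return event


def demo():
    """Poll five times while the fault flag flips; return (scan, real, event)."""
    srv = start_server()
    host, port = srv.server_address
    det = EdgeDetector()
    trace = []
    for healthy in (True, True, False, False, True):
        Health.ok = healthy
        scan, real = port_open(host, port), http_healthy(host, port)
        trace.append((scan, real, det.observe(real)))
    srv.shutdown()
    srv.server_close()
    return trace


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the middle two polls the port-scan view reports the service as up while the HTTP check sees a 500, which is exactly the gap the vendor's "performs real tests" claim is about; the detector raises one FAILURE and one RECOVERY for the whole sequence.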
October 27th, 2007 - 2007 IT Salary Survey Released by Janco
The 2007 IT Salary Survey has just been released by
Janco. Some of the summary results are:
| Position | Benchmark 4th Quartile: Prior Mean | Benchmark 4th Quartile: Current Mean | Benchmark 4th Quartile: Percent Change | Prior Base | Prior Total | Current Base | Current Total | Percent Change |
|---|---|---|---|---|---|---|---|---|
| Large Enterprise Executives | $195,667 | $197,766 | 1.09% | $125,662 | $140,550 | $128,010 | $143,243 | 1.92% |
| Large Enterprise Middle Managers | $100,182 | $101,969 | 1.78% | $74,976 | $78,858 | $76,441 | $80,527 | 2.14% |
| Large Enterprise Staff | $94,216 | $94,958 | 0.79% | $63,009 | $66,174 | $63,570 | $66,939 | 1.16% |
| Large Enterprise (all) | $109,415 | $110,803 | 1.27% | $76,143 | $81,078 | $77,333 | $82,498 | 1.75% |
| Mid-Size Enterprise Executives | $189,745 | $195,144 | 2.85% | $114,006 | $128,464 | $113,251 | $127,439 | -0.80% |
| Mid-Size Enterprise Middle Managers | $103,005 | $104,764 | 1.71% | $70,271 | $74,978 | $70,177 | $74,076 | -1.20% |
| Mid-Size Enterprise Staff | $87,545 | $89,639 | 2.39% | $57,330 | $59,727 | $58,120 | $60,303 | 0.96% |
| Mid-Size Enterprises (all) | $107,134 | $109,484 | 2.19% | $70,168 | $75,096 | $70,367 | $74,806 | -0.39% |
| IT Averages All | $108,274 | $110,143 | 1.73% | $73,155 | $78,087 | $73,850 | $78,652 | 0.72% |
A free copy of the summary results is available at
http://www.it-toolkits.com/Salary.htm
October 27th, 2007 - CSOs Know The Next Security Breach is Around the Corner
More than Security Policies and Procedures Are Needed to Stop a Security
If you are the Chief Security
Officer (CSO), you probably do not question whether your enterprise will
experience a serious data loss, but rather when the loss will occur. It is
pretty clear that the loss of trade secrets, personal employee data or
confidential customer information can cause serious harm to an enterprise. It
could even lead to civil litigation if the data loss breaches nondisclosure
obligations.
Recent case law has
proven just how much of a legal duty companies have to properly safeguard data.
And states have started to pass laws requiring companies to warn those who may
be affected by data security breaches.
Despite increasing
security efforts, the Internet today remains the Wild West of data security,
where employees and their friends often freely discuss information that may be
highly confidential. An even more elusive threat may be people outside the
companies who overhear or inadvertently learn confidential information. In the
wrong hands, this information can circulate the globe on the Internet in a
matter of hours. For the CSO, the importance of a sound data security program
has never been greater.
October 23rd, 2007 - Ban on Internet Transaction Taxes Extended by Congress

Ban on Net Tax Extended but Not Made
Permanent
A U.S. House of Representatives committee has voted
to extend an Internet tax moratorium for four years, but declined to make the
tax ban permanent, as some lawmakers had advocated. The House Judiciary
Committee voted unanimously to approve an amendment to the Internet Tax Freedom
Act.
The current ban on access and other taxes unique to
the Internet expires this November. Congress first passed the Internet tax
moratorium in 1998.
October 23rd, 2007 - Mistakes Made by CIOs and CTOs
CIOs and CTOs that fail typically commit 3 out of the 5 fatal
errors. These errors are:
- Cutting staff without thinking about the impact on the staff that remain
- Choosing a vendor based on price without taking into consideration the quality and
knowledge loss
- Eliminating contractors and 3rd party service providers who have unique experience
and knowledge of the enterprise's IT functions and operations
- Waiting too long before upgrading software, network and hardware
- Consolidating space for equipment and people without considering the ramifications
of the complexity of the consolidation