Management Briefings

Security: manage or muddle?: David Booth (March 2010)    
A good information security management service (ISMS) is essential to protect your business information. It provides a practical framework for any organisation seeking to manage or improve the security of its information. There are standards and other guidance in putting an ISMS together, but it must also be part of the business in which it is to operate. For while the information security standards tell you what you should do, they don’t tell you much about how to integrate security management into your organisation. Standards can be dry and prescriptive. And having had the privilege of designing an ISMS for a major UK government department, I know only too well how hard it is to turn standards into something that really has a benefit to the organisation. Unless you are able to demonstrate benefit to the business in a tangible way, frankly nobody will want an ISMS; and if you can’t deliver the benefit after it’s been built, it will collapse into an expensive white elephant.
Controlling the super-powers: Richard Hunt, Turnkey Consulting (January 2010)    
In a post-Enron and Barings world, the way we work has changed significantly – and nowhere is this more apparent than in the audit and control arena. The primary concern for IT project managers used to be implementing a secure solution and working to ensure business continuity. Now organisations have woken up to a world where things can and will go wrong – either inadvertently or by deliberate design. However, whilst the security landscape may have altered, necessity dictates that it is still essential to have system ‘super-users’. These people have almost unlimited access to company data in order to successfully implement and launch an IT software project, as well as ensure it runs smoothly in the critical early days. But super-users are not CEOs and CFOs, responsible for the overall success of the company. These are typically people with no vested interest other than a monthly salary and the motivation to do a good job – and yet their level of system access makes them supremely powerful. So how can organisations maintain and develop super-user access in a controlled and auditable manner?
Safety in numbers: Fran Howarth, Quocirca (October 2009)    
Computer usage today is pervasive in many parts of the world, with the number of computers in use said to have exceeded 1 billion by 2002, according to the World Bank. Computers have come a long way since the launch of the first commercial PCs in the 1980s, which were large and clunky, with limited capabilities. Today, laptops and notebooks sell in greater numbers than desktop computers, allowing their users to connect to networks from wherever they happen to be. But there is a downside: a portable PC means portable data, which means insecure data. Recent headlines such as ‘Home Office prisoner data breach: blunder bigger than first thought’ or ‘Lost data total nears 30 million records’ are just the tip of the iceberg. According to the Privacy Rights Clearinghouse, more than 262 million data records containing personally identifiable information have been compromised through security breaches in the US alone since 2005.
Making knowledge work: Colin Ashurst, Durham Business School (July 2009)    
The European Union has a goal to become the most competitive and dynamic knowledge-based economy in the world by 2010. In many UK regions, such as the North East of England where I’m based, there is also a strong emphasis on the knowledge economy. Management guru Peter Drucker describes knowledge workers as: people with a high degree of formal education who apply knowledge to work, rather than manual skill or brawn. In his 1999 article in California Management Review, he also writes: ‘The unique contribution of management in the 20th century was the 50-fold improvement in the productivity of manual workers. The most important contribution management needs to make in the 21st century is to similarly increase the productivity of knowledge work and knowledge workers.’ So who are these knowledge workers? The definition encompasses many roles – from financial experts, to doctors to a very wide range of manufacturing, creative and administrative roles where workers have discretion as to how they go about the job and their success depends on the application of knowledge and experience.
Future of the desktop: Nick Martin & Rhys Sharp, SCC (May 2009)    
The desktop is a major area of investment and change for corporate technology users. Decisions around which direction to go are influenced by many factors. A year to 18 months ago, an overriding driver was the need to simplify desktop technology and provide a better level of support to the end user. More recently, cost of ownership has come strongly to the fore, along with the need to improve flexibility and remote connectivity. Today’s challenges fall broadly into three categories. They relate to the operating system (OS), the device and/or the applications. By focusing on these areas, companies can put in place a more optimised and dynamic desktop. However, with the trend towards virtualisation and increased mobility, the impact on the data centre, back-end services and connectivity must also be taken into account.
So what's different this time around?: P Boggis & V Merlyn, nGenera (March 2009)    
Anyone old and unlucky enough to remember the last major economic recession of the late 1980s will immediately recognise that this one is deeper and dangerously different. In the world of IT – especially in large global companies – the challenges faced right now are an order of magnitude different from a couple of decades ago. For example: cost leadership and alignment. Today there is nowhere near the same level of opportunity for cost containment and reduction that there was two decades ago. Most IT houses have long ago cleaned up their operations and so the existence of ‘low-hanging fruit’ is very rare. Increasing cost efficiency beyond current levels is therefore going to be a lot harder; business and IT operating models. In both these areas, businesses are going to have to look somewhere different for achievable and sustainable improvements in efficiency and cost-effectiveness.
Software and security: a burning issue: Prof Howard Schmidt, (ISC)2 (January 09)    
Chances are that when companies are scoping a software development project, one of their key concerns will be to optimise the sourcing strategy – to determine how much can be bought off-the-shelf and how much has to be custom built. With the custom-built element, the project managers will also need to determine whether internal resources are the most appropriate or if there are advantages to be gained by outsourcing/offshoring. They will then make their recommendations based on striking the balance between cost and quality assurance. But rarely will security considerations be included in this process. In fact, according to Gartner Group, over 70% of security vulnerabilities exist at the application layer – presenting a significant immediate threat to users worldwide. So while businesses and consumers push for more and more connectivity from products and programs, the criminals who target them are more focused on the users and the software that they directly access.
Perils of under-performance: Michael Talalay, IT Risk Manager (September 2008)    
Under-performing IT systems pose a substantial risk to any business – to its productivity, to its profitability, and eventually even to its survival. However, unlike failure or non-performance, under-performance is not necessarily easy to recognise. It can be subtle; it can be hidden; it can be disguised. This article addresses four questions. What is under-performance? Why does it matter? How can you recognise it? And what should you do about it? IT systems need to support the business. They need to be fast, they need to be effective and they need to be appropriate. If they under-perform in any one of these areas, the business will suffer. If they under-perform in all three, the business may be in serious difficulty. Let’s start with the importance of speed of processing – the most obvious of the three areas of potential under-performance.
Reining in the mainframe: John Regan, BluePhoenix Solutions (June 2008)    
Virtually every large company in the UK has an IBM or equivalent mainframe to run its enterprise-wide applications. Mainframes make a lot of sense. Having one central store of corporate business data on a very fast machine which is accessible from anywhere on the company’s network is an effective approach. The problem is that, like anything big, without active management, a mainframe can soon become inefficient and its running costs can quickly rocket. The costs associated with operating a mainframe increase in line with its capacity as periodic upgrades are applied. However, most companies find that the speed of this increase is far in excess of what’s needed to meet the growth in business volumes. So why is this – and what action can companies take to remedy the situation? Any mainframe is a finite size. The two ways this is normally defined are how much disk storage space it has (known in mainframe speak as DASD) and how powerful it is.
Dissing discontinuity: Brian Davey, Teed Business Continuity (April 2008)    
There are five common mistakes or false assumptions organisations can make when implementing their business continuity management programme. These are the problems and how to avoid them. When you implement a business continuity management (BCM) system according to the lifecycle advocated by BS25999, the incident management team is not appointed until after the ‘Understanding the organisation’ and ‘Developing BCM strategy’ stages are complete. This assumes you won’t have an incident in the meantime – which is a very brave assumption and could have serious consequences should an adverse situation arise. Instead, form your incident management team upfront, with a senior manager/director as team leader to provide the team with authority. Include a senior representative from each of operations, IT, finance, legal, public relations and facilities management/safety (or their equivalents in your organisation). Appoint a deputy for each role to allow cover for the absence of the primary role holder.
Why enterprise architecture comes first: Martin Sharp, MEGA Int (February 2008)    
Hands up how many ‘C’ level executives really know what their organisation looks like or how it all works, enough to consistently make the right, fully informed decisions? Many technologies are available to provide data and information such as enterprise resource planning (ERP) and business intelligence (BI), but these systems won’t help anyone understand the structure of the organisation, how departments and people interact, the key processes, and the IT systems employees use. Organisations are sophisticated structures, so besides seeing the big picture, management also want to focus down on details. Many factors are interdependent and to make improvements these dependencies and interactions must be understood. In general, without a suitable means, it is hard to see the entire structure and its components from one viewpoint, especially in large organisations.
Creeping under the security blanket: Ian McGurk, Plan-Net Services (November 07)    
Information security has always traditionally been deemed to be an IT issue. However, in today’s business climate of more and more legal and sector regulation, attitudes are changing. The acceptance that information is a key business asset which is fundamental to the survival and growth of a business has brought with it the recognition that security of information must be a business problem. The quality of information and the way it is processed and presented are often key differentiators between competitors – representing intellectual property in the form of research, design, development or formulae. So there is an obligation on a business and its executives to take efforts to protect this valuable information. The methods companies use to control access to their information are typically a combination of process, procedure, training and technology. However, there is one overwhelming weak point that is often overlooked. Once it has been deemed necessary to grant a person access to information, their primary work tool – the PC – can be used as a gateway for siphoning information that will generally not be audited and not be detected.
WAN to watch: Luke Hetreed, Bitech Systems (September 2007)    
All sizes of enterprise are now running applications over a WAN that they would not have dreamt of running five years ago. Some work well, others do not make the transition – and where there are problems, everyone’s favourite culprit is the WAN. Where companies can afford to, the usual response is to throw bandwidth at the problem – but all too often they are perplexed when no improvement is forthcoming. A 2Mbps leased line is an obvious bottleneck when your LAN runs at 100Mbps, but closer inspection will often reveal that the 2Mbps line is running significantly below 100% utilisation. The reality is that WAN performance is not a simple issue and it is hardly surprising that a number of vendors have entered the market offering various approaches to the problem. But before you can start to fix the issue, you have to know if you’ve got one in the first place. For companies with in-house networking skills and SNMP management platforms, this is relatively easy, but it can be very confusing for those without such resources.
Security's top 10: David Lacey (June 2007)    
‘You can’t manage what you can’t measure’ is a frequently cited quote, usually attributed to W Edwards Deming. It’s not precisely what he said and it’s not completely true – because there are many things in life which simply cannot be known or measured. The important point, however, is that you can’t manage a business process effectively and efficiently without reliable intelligence of costs and events. What Deming was actually saying is that it is fatal to rely on the visible figures alone. You have to probe below the water level of the iceberg to understand what is really happening. Nowhere is this more important than in security risk management, because of the invisible nature of many of the most dangerous threats, exposures and events. Sometimes this is by deliberate design: espionage and fraud, for example, are intended to be covert, untraceable activities. But it is also because of the silent and unseen nature of electronic transactions, which cannot be observed without the aid of a suitable software monitoring device.
Back from the brink II: Martin Mellor, PPT Consulting (March 2007)    
Operational staff and technical support staff are generally the main employee groups affected by a decision to implement a disaster recovery project. Affected third parties include customers and technical suppliers – in particular those suppliers to whom the implementation and support of a disaster recovery capability is outsourced. Operations staff are the front-line of any business and, as such, face the customer. The customer’s perception of the business is based on their experiences in interfacing with the operational staff, so it is essential that any interruptions during the project do not compromise the customer experience. Surprisingly, many customers are not asked to contribute to the disaster recovery project. Many companies forget the impact of a disaster on their customers’ businesses. But if you only consider the impact on your own business, you’re neglecting the fact that what might be a relatively minor application for you may well be critical to their organisation. Staff therefore worry about the impact on their customers.
Back from the brink: Martin Mellor, PPT Consulting (February 2007)    
Most advice about disaster recovery projects tends to focus on the process – especially the financial, technical and delivery issues – rather than the key people problems. This article explores some of the impacts on managers during the lifetime of a disaster recovery project. The impact on staff is discussed in a later article. In any business, it’s the managers who are responsible for the delivery of products and services and for ensuring that the day-to-day work within the business is managed and controlled. In a disaster recovery project, it’s vital to define which business processes are critical – and therefore within its scope – and those which are not. This is because the impact of DR on those managers whose processes are selected will differ from those whose processes are not.
Embracing BPM: David Longworth, Loosely Coupled (November 2006)    
If SOA, as some would have it, stands for ‘same old architecture’, then it begs the question: what is different this time around? Indeed, the IT community has sought to build re-usable IT architectures in the past, with only limited success. And the fact that today’s service oriented architectures are built around a whole raft of commonly agreed standards with significant momentum behind them in most parts of the vendor community is only part of the difference. The key to today’s SOA projects is that they are being built in line with changing business requirements. The IT community is waking up to the fact that architecture is not something that can be hard-coded to meet a particular pain point, or built once in isolation from the business problem and deployed many times over – the traditional packaged software model.
Virtual reality: Alan McSweeney (September 2006)    
In IT, server virtualisation involves using software to allow physical servers to be encapsulated into a virtual machine. This virtual machine is unaware that it is not running directly on physical hardware. Virtualisation has been in existence for some time, with the likes of the IBM VM mainframe operating system and the LPAR feature on the iSeries (AS/400), pSeries (AIX) and zSeries (mainframe) systems. It contrasts with the traditional server deployment model (Figure 1), which involves a single application per server – thereby avoiding the effort associated with resolving the conflict between running multiple applications on the same server. There is typically a one-to-one correspondence between applications and servers. But this leads to low server utilisation and a proliferation of physical servers. In turn this makes testing and development cumbersome and disaster recovery difficult to implement.
How more can be less: Graham Perry, Profis (July 2006)    
Look around any IT department and you will see a smattering of legacy applications, internal developments, applications acquired through mergers, and any number of third-party packages. Offshore development is also becoming more popular as it offers the promise of significant cost reductions and access to a limitless pool of development talent. The applications developed by the different channels in this complex picture are usually tested by the same channels. This approach throws up a conflict of interest between delivering on time and quality – rather like an aircraft manufacturer issuing its own certificate of airworthiness. Given this background there are two increasingly important issues that have to be addressed if high costs and failures are to be avoided.
Building your IT assets: Stuart Brown, 3net (May 2006)    
Today’s business climate demands that operational efficiencies are increased and operational costs reduced. This is only possible if you understand where your assets are located, what they are contributing towards the business and the support costs associated with them. Increasingly, senior IT managers and business leaders understand the need to provide IT systems that effectively manage their assets. Most understand that they have a duty to provide the board with accurate and up-to-date asset information, in a form that can be relayed to shareholders. Corporate governance initiatives, like Sarbanes-Oxley, have increased the importance of maintaining accurate asset information.
Running down the risks: Paul Jacob, Atos Origin (March 2006)    
The ability to provide highly available services has become a business-as-usual requirement for many organisations. This has come about partly as a result of the consolidation of business processes by implementing shared service centres to reduce operating costs, as well as the requirement to deliver 24x7 services through the internet and call centres. Senior management are also increasingly aware of the need to plan for the unexpected, as a result of: high-profile in-extremis events such as terrorist acts; increases in adverse weather conditions as a result of climate change; and the potential disruption that would result from pandemics such as bird flu. Many organisations, particularly those operating in the financial services sector, are also subject to regulatory requirements which demand that they regularly assess operational risk and put in place plans to mitigate these risks.
Don't damage the evidence: Andrew Sheldon, Evidence Talks (January 2006)    
As a professional organisation, you should already have a clear understanding of the basic requirements to protect your data from loss or corruption and have procedures in place to deal with e-disclosure and e-discovery requests. Likewise, data backup and disaster recovery procedures should be top of the list for ensuring your business does not suffer when a computer fails. However, as a digital forensics specialist, I speak to companies almost daily who have relied on these security, disaster recovery or backup procedures when responding to issues of computer abuse and have found that their actions have caused more problems than they solve. When investigating computer abuse – even a seemingly trivial event – it is essential that the procedures and methods used are suitable for the task. In more than 90% of the cases we are asked to investigate, the client has already damaged or tainted the evidence that they are seeking.