Disaster Recovery Planning News

H-1B discriminates against US IT workers
H-1B workers are better educated than U.S.-born workers and earn more. The
report, by two economists at the non-partisan Public Policy Institute of
California, found that, on average, H-1B workers are about 10 years younger than
U.S.-born workers.

The report's findings concerning pay indirectly challenge beliefs about the
H-1B program held by its backers. A recent column in the Financial Times argued
that restrictions on the H-1B program protect "many high earners from skilled
migrant competitors." The columnist called the H-1B program "a subsidy for the
wealthy," meaning well-paid IT workers.
But according to this study, the conclusion that U.S. IT workers are a
"privileged elite" is wrong. The study found that the average annual earnings of
H-1B workers are about 10% higher than the average annual earnings of U.S.
workers, after adjustments for age, occupation and education.
The study is drawing reaction from those who see current H-1B policies as a
detriment to U.S. workers.
-
more information
Anonymous implements social media hacks

Anonymous distributed links to specially crafted Web pages via its Twitter
feed, which was re-tweeted widely, and links also popped up in Internet Relay
Chat rooms and on Facebook, Tumblr and other social networking sites. Some of the
links led to PasteHTML.com, a site that looks a little like the popular
text-sharing site Pastebin, which Anonymous frequently uses to issue statements.
A variation of this method allowed users to type in the IP address of target Web
servers before the JavaScript code began executing.

Most of the links were obscured using URL shortening services such as bit.ly.
Several Anonymous Twitter accounts have thousands of followers, and some gained
"hundreds of thousands of new fans overnight" during the course of the campaign,
according to Cluley.
The new method appears to have helped knock Universal Music and other sites
offline during last week's Megaupload-revenge attacks.
-
more information
FedRAMP to drive cloud solution providers
The Federal CIO Council released the security control requirements for the
Federal Risk and Authorization Management Program (FedRAMP), the new, innovative
IT risk management program created to foster the adoption of cloud computing by
the Federal government. FedRAMP provides a standardized approach to the security
authorization process for cloud products and services, adopting requirements
agreed upon by all Federal agencies and approved by the FedRAMP Joint
Authorization Board (JAB). The security controls baseline is the basis for
FedRAMP's standardized approach to the security authorization process for cloud
products and services. The release of the FedRAMP controls is the critical first
step toward successfully launching FedRAMP.

FedRAMP's unified risk management process will evaluate IT services offered
by vendors on behalf of Federal agencies, saving agencies from conducting their
own risk management programs. By reducing duplicative risk management efforts,
FedRAMP will enable Federal agencies to focus their evaluations of IT services
on their agency's specific needs, as well as their privacy and security
requirements. In the coming month, GSA will release the FedRAMP Concept of
Operations, further detailing the processes for Federal agencies and CSPs to
meet FedRAMP requirements.
-
more information
IT job descriptions updated to meet all compliance requirements

Internet and Information Technology Position Descriptions HandiGuide®: 243 Job
Descriptions and Organization Charts; Sensitive Information Policy Compliance
Agreement
The IT job descriptions contained within the Internet and Information
Technology Position Descriptions HandiGuide® were completed in 2012. The guide
contains over 700 pages in a new, easy-to-read format and includes sample
organization charts, a job progression matrix, and 243 Internet and Information
Technology (IT) job descriptions. The book also addresses the Fair Labor
Standards Act, the ADA, and sexual harassment. Each job description meets ADA
standards, and the position descriptions are delivered in electronic format:
Word, which is editable, and PDF, which is printable.
-
more information
Security ignored by younger employees

Employees aged 18-30 tend to have lax attitudes about computer security and
are more likely than their older counterparts to ignore IT policies, according to
a recent Cisco report.
About 61 percent of young employees surveyed by Cisco researchers feel
corporate IT security isn't their responsibility and should be handled by their
employer or the device manufacturer, the researchers wrote in the third
installment of Cisco's "Connected World Technology" report. "Young employees"
in this report included 1,400 college students polled between the ages of 18 and
23 and 1,400 professionals polled under the age of 30.
Seven out of 10 young employees polled also frequently ignore IT policies and
67 percent feel the IT policies on social media and device usage are outdated
and need to be modified to "address real-life demands for more work
flexibility," according to Cisco. The younger workforce has "different"
expectations of what should be allowed at work, and over time these policies and
restrictions may become a deciding factor in where they choose to work.

The Security Manual for the Internet and Information Technology is over 240
pages in length. The template is compliant with ISO 27000 (formerly ISO
17799), Sarbanes-Oxley, Patriot Act and HIPAA and includes a PCI DSS Audit
program. All versions of the Security Manual template include both the Business
& IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool
(both were redesigned to address Sarbanes Oxley compliance). In
addition, the Security Manual Template PREMIUM Edition contains 16 detailed job
descriptions that apply specifically to security and Sarbanes
Oxley.
-
more information
Meeting productivity improvement
Ideas to improve meeting productivity:
- Have agendas with goals and objectives. It's considered bad business manners
to send a meeting request without providing an agenda. When calling a meeting,
focus the agenda on expressly stating the goal(s) of the meeting.
- Replace the default 60-minute meeting time slot with a 20-minute meeting
unit. For some inexplicable reason, people seem to naturally default to 60
minutes as the amount of time needed for a meeting. And while that may be the
case in certain circumstances, it should not be the default position. In place
of a 60-minute default time slot, adopt the 20-minute meeting unit. If a
particular topic needs more time than that, it is up to the meeting organizer
to convince the participants that two (or three, or four) meeting units of 20
minutes are necessary.
- Have people stand during the meeting. It is too easy to "waste time"
when everyone is sitting.
- Orient the meeting toward follow-ups and actions. Meetings produce lots of
ideas and discussion. That's wonderful. But the real purpose of most meetings
is to agree on next steps and actions. Keep a focus on targeted actions and
your meetings will be productive. Allow them to become discussion forums for
"important issues," and they will feel long and painful.
-
more information
Security risk from easy access to user logon information

Users have dozens of logins and passwords spread out across an equal number
of sites and applications and it's no wonder the average user tends to forget
their secret info. Even with a tried and true system for generating memorable
but complex passwords, the formula could easily fall apart if you just can't
remember it.
So rather than continually clicking the "Forgot Your Password?" help link,
folks readily hide login information around their computer station.
And given that there's little variety in those secret locations, "hiding"
might be a stretch. Typically a user's password was somewhere on their desk in
one of these easy-to-find locations.

The most common locations where folks hide their login information are:
- Under the keyboard
- Under the phone
- Under the mouse pad
- On the monitor
- In the top drawer
- Under the desk
In other words, you're not doing yourself any favors if your entire system is
compromised by a casual, passing glance from someone outside your office
window.
Instead of the highly visible Post-It note on the monitor, Janco Associates
recommends secure password aggregators to keep your login information
secure.
-
more information
Is the death knell for Adobe Flash sounding?
Adobe Systems is ending development of its Flash plug-ins for mobile
browsers, the company confirmed today. Instead, Adobe will focus on HTML5 and,
to a lesser extent, its AIR runtime environment. Adobe says it will work on
tools that convert Flash content and apps to HTML5 and AIR versions for use on
mobile, rather than continue to develop its mobile Flash Player.
 
At the same time, there continue to be reported problems with Adobe Flash under
IE in the 64-bit environment, along with user frustration with the Adobe Update
process.
Adobe has been working on mobile Flash for years, but shipped an Android
version only a year ago and on both HP WebOS and the RIM BlackBerry PlayBook
tablet this summer. Apple has adamantly refused to allow Flash on iOS over
performance concerns (though it does allow AIR), and Flash has also not appeared
in the BlackBerry smartphone OS or in Microsoft's Windows Phone 7 despite
Adobe's promises to do so.
-
more information
How to terminate an employee
When you are going to terminate an employee and have prepared properly, you
should follow these best practices. Terminations are one of the most
difficult personnel issues managers have to deal with; it's easy to bungle them.
Avoiding the following pitfalls will reduce your risk of a wrongful termination
lawsuit.
Plan for the termination meeting - Winging a meeting with an employee you are
firing is a bad idea. If you don't prepare what you're going to say to the
employee, you could speak out of turn, and your comments could be the basis for
a lawsuit. Managers should decide in advance:
- What they're going to say during the meeting
- What's going to happen after the meeting
- Whether the employee will be allowed to collect his belongings from his
desk, or whether the company will pack them up and send them to him
- If the employee has company files at home, the manager needs to figure out
how to get those files
- Have in hand the employee's final paycheck and include pay for any unused
vacation
- Provide the employee with a COBRA notice so he knows how much it will cost
to continue his health insurance.
Planning the details of the termination helps demonstrate respect for the
employee. It shows you care enough about the employee to think about the
questions and issues the employee will face.
Have two people present in the meeting other than the individual
being fired. That way if you end up in litigation, it's not
one person's word against the other. It's better to have a second person from
the company who can indicate exactly what was said.
Be serious and do not joke about what is going to happen and do
not treat it like a cattle call. Some employers who have to do
large layoffs round up employees like cattle in a conference room and tell them
all at once that they're getting pink slips. This disrespectful tactic breeds
ill will among the affected employees toward their former employer.
Get to the point quickly - Managers should never open a meeting in which an
employee is going to be terminated with pleasantries. It's cruel to mislead the
person about the conversation. Instead, managers should cut to the chase: "We're
meeting today because your position has been eliminated" or "because we need to
let you go."
- If the termination is due to the employee's poor performance, managers
should have a line and stick to it, such as, 'We've discussed your performance
several times. This job is no longer a good fit.'
- If the employee is part of a layoff motivated by economic or financial
circumstances, it's best to say something simple such as, 'Your employment is
being terminated due to a necessary reduction in force. The reason we have to
do a reduction in force is because of the tough economic climate,' and leave
it at that.
Be truthful about the reason for the termination - Managers who feel badly
about having to lay off staff will sometimes try to soften the blow to the
employee during the termination meeting. The manager might say, "We have to cut
you, but it has nothing to do with your performance. You were a great employee,
but I need to let you go, and it's completely and solely related to cost
reasons." Such non-truths become problematic when the decision to lay off the
employee was in fact performance related. If that individual decides to file a
lawsuit alleging he was fired because of his age, the company will respond to
the claim by saying, "You weren't fired for your age. You were fired because
your performance was the lowest among the people we chose." The plaintiff will
in turn respond, "During my termination meeting, you told me my performance was
great and that it had nothing to do with the reason for my termination." That
alone can make an employer liable.
Do not broadcast the termination news over social
media. Today there are lawsuits and legal claims related to updates
managers have posted to Facebook, Twitter or LinkedIn, in which they disclose
details of employee terminations.
Offer employees a severance agreement in return for a release of all legal
claims - It helps the employee because it aids in their transition and doesn't
preclude them from seeking unemployment insurance. From the employer's
perspective, severance agreements are important because the employee will
release the employer from all claims related to or arising out of the
employment -- if they accept the severance package. That will take care of tort
claims, contract claims, discrimination claims and wrongful termination claims.
-
more information
Core network security protection best practices

Network security basic protection rules:

- Don't grant your users local administrator rights. This is cumbersome, but
it ensures that the local hash database resists compromise, keeping other
users' hashes away from prying eyes.
- Use domain administrator credentials only on machines with domain
controller roles installed. Use delegated administrator accounts with fewer
rights to perform privileged actions on other machines like client computers
and member servers.
- Don't grant junior administrators local administrator rights on servers.
Avoid granting anyone local administrator access on servers.
- Consider setting up a whitelist of known-good applications. For some
organizations this is a trivial task, but it will prevent the operation of the
utilities used in attacks and of any other utilities that may come out to make
such attacks easier to execute.
- Never use the domain administrator account to grant privileges to service
accounts.
-
more information
Service-Oriented Architecture and IT Service Management Are Keys To Success in the Recovery
SOA and ITSM drive success and productivity
One bad customer experience can cost you that customer for life. Hospitality,
travel, retail, healthcare, and financial services are especially prone to
losing customers who have a negative experience. It does not take much for a
customer to decide that you and your company are not worth his time, effort, or
money.

Customers like to feel loved, and they are turned off very quickly when they
sense that you do not care about the pain they are feeling. Even if you cannot
help them because the situation is beyond your control, acknowledge that you
understand both the situation and their frustration.
No customer wants the person serving her to be distracted or preoccupied. Ever
go to the local mall and try to get help from a teenager focused more on texting
her friends than helping you find what you're looking for? On the other hand,
being too focused can be a bad thing. Have you ever asked an innocent question
out of curiosity and then found yourself stuck for an eternity while a customer
support person hunts endlessly for an answer? This person is likely so focused
on getting the answer that he does not realize that you really do not care that
much about it and would rather not wait for an answer to an inessential
question. Be sure your people understand the degree of focus required for the
job.
Even if the employee has the right skill set and experience, his odds of being
successful and remaining on the job are low if his core behaviors and tendencies
do not line up with those needed for success in that particular role. This is
especially true for customer-facing roles in which your frontline employees act
as extensions of your brand and heavily influence the customer experience.
-
more information
Security for mobile devices is a major issue for CIOs
With the proliferation of smartphones and tablets, workers can now process
business emails, produce work content, and conduct meetings straight from these
devices. They can also perform personal financial transactions, shop online, and
even file their taxes with the IRS from the same device and at the same time.
Mobile devices are the future credit cards and identity carriers, as well as our
portals into the digital world.
This trend is driving more organizations to support personally owned devices
in the work environment, allowing employees anytime, anywhere access to business
resources. In North America and Europe, more than 50% of firms support
employee-owned mobile devices and smartphones. This empowered workforce uses
groundswell technologies such as mobile devices to drive increased productivity,
innovation, and improved customer service.
The business tasks both IT operations and security professionals with making
sense of the complexities of supporting personal devices in the corporate
environment. Depending on the industry that you are in, consumerization can
present challenges to your security, compliance, and legal requirements.
Determining what these challenges are is the first step when crafting a strategy
to manage these new endpoints in your corporate network.
-
more information
Data governance and records management objectives
The objectives for records management and data governance fall into three
major areas:
- Finding out what's in place. Organizations have historically had a rather
laid-back approach to data governance, in large part because the (relatively
primitive) native security controls haven't offered any other option. Moving
forward, a critical first step is to find out exactly what's in place to begin
with.
- Minimizing IT's role as gatekeeper. Because the IT team has historically been
the only group of people who could modify resource access permissions, they've
been thrust into the role of deciding who permissions are given to. That's
inappropriate, since IT rarely has the information needed to properly govern
access to resources. While IT may continue to be responsible for implementing
access controls, moving forward we need to remove them from the role of actually
governing, and instead put that burden on the people within the organization
who actually own the data.
- Improving consistency. Inconsistent application of permissions and
inconsistent configuration of file servers are leading contributors to downtime,
lost productivity, security breaches and more. Organizations seek to create a
single, consistently configured and consistently governed environment that
provides users with access to exactly the resources they need - no more and no
less. An example would be during a merger, when bringing in another directory
and permission system very similar to the existing one.
-
more information
Some good news on the job front
From March 2010 to March 2011, employment increased in 256 of
the 322 largest U.S. counties, according to the U.S. Bureau of Labor
Statistics. Elkhart, Ind., posted the largest percentage increase, with a
gain of 6.2 percent over the year, compared with national job growth of
1.3 percent. Within Elkhart, the largest employment increase occurred in
manufacturing, which gained 5,125 jobs over the year (12.4 percent).
Sacramento, Calif., experienced the largest over-the-year percentage decrease
in employment among the largest counties in the U.S. with a loss of 1.6
percent. The U.S. average weekly wage increased over the
year by 5.2 percent to $935 in the first quarter of 2011. Among the large
counties in the U.S., Peoria, Ill., had the largest over-the-year increase
in average weekly wages in the first quarter of 2011 with a gain of
18.9 percent. Within Peoria, professional and business services had
the largest impact on the county's over-the-year increase in average
weekly wages. Williamson, Texas, experienced the largest decline in
average weekly wages with a loss of 3.8 percent over the year. County
employment and wage data are compiled under the Quarterly Census of
Employment and Wages (QCEW) program.
-
more information
Businesses are failing to maintain PCI compliance

It is no longer the case that PCI DSS is too hard for companies to comply with.
However, companies that reach compliance drift out of it as the year progresses,
and then remain out of compliance for the rest of the year.
Many firms continue to have problems with protecting cardholder data,
tracking and monitoring access to sensitive data, and regularly testing system
security and processes. These are PCI DSS requirements 3, 10, and 11,
respectively.
The problem is that companies are treating PCI compliance as a goal to reach
and not a state to maintain.
The relationship of PCI compliance to actual security has been debated.
However, many security experts argue that the regime is a good starting point
for implementing a data protection process within businesses. According to the
annual Data Breach Investigations Report, 89 percent of companies that suffered
a breach in 2011 were out of compliance with the standard.
-
more information
IT is targeted in government budget cuts
IT cuts are among the recommendations on a list of proposals sent to the
deficit super committee from the GOP side of the Senate Subcommittee on
Oversight of Government Management.
Updating IT infrastructure and closing some federal government computer data
centers could save $0.2 billion. The government could realize major cost savings
in the management of its IT workforce. Better technology enables computers to
run at far higher levels of efficiency and utilization than in previous years,
doing more tasks with fewer employees, fewer computers, and fewer data centers.

In support of the Select Committee's work, the minority staff of the
Subcommittee on Oversight of Government Management, the Federal Workforce, and
the District of Columbia found more than $1.4 trillion in savings over 10 years
in areas under the subcommittee's jurisdiction. More than half of these
recommendations had been identified previously elsewhere, and the subcommittee
is pleased to commend these good ideas of others to the attention of the Select
Committee.
-
more information
User security weaknesses
As much as CIOs and CSOs would like to, they know it is impossible to monitor
and control every single thing their company's workers are doing with the
corporate devices and technology available to them. Chances are, CIOs and CSOs
have too many people to look after, and when it comes to monitoring the
organization's network, these IT executives have to focus on the truly alarming
activities at the expense of some of the more mundane, but at times equally
dangerous, behaviors that are going on. That is unfortunate, since many
cyber-attacks come in by way of common human error.
Janco has found several places where users can compromise a secure network
and organizational data. The security holes are:
- Users let others use their corporate devices
- Users access personal email accounts from their corporate devices
- Users find ways around filters for sites they visit or email they get
- Users leave their corporate device unattended in a hotel room, restaurant
or a bar when they are away from the office
- Users access corporate data on an open or unprotected network
- Users install unapproved software on their corporate device
- Users access a link on their personal social network site
- Users copy files off of a corporate device
 
-
more information
True Total Cost of Ownership (TCO) of Cloud Based Applications Not Clearly Defined
Today's Cloud feeding frenzy has been fuelled by heady promises of low costs,
almost instant functionality and, ultimately, IT Nirvana.
The arrival of Cloud as a technologically viable alternative to
on-premise or traditionally-hosted enterprise applications can make for some
interesting discussions, but if you are unable to compare costs between
applications - typically a per-user per-month per-application
calculation - how can you assess whether a particular Cloud offering is low
cost compared to its equivalent on-premise system? It's
those putative lower costs, of course, that make most CFOs sit up and pay
attention. But if the primary driver behind your Cloud initiatives is to reduce
IT costs, then you need to take a second and third look at your financial
assumptions. The Cloud vs. traditional on-premise computing cost
argument can be clouded by the way organizations structure and report their IT
spend. Those organizations that report IT expenses in the form of the standard
chart of accounts, typically broken down into staff costs, depreciation,
utility, maintenance, and so on, may not be able to state accurately the actual
total cost of a specific application. So if you are looking to replace one
of your on-premise applications with a Cloud equivalent because you think it
will be cheaper, then you better be sure that that is indeed the case.
The TCO exercise for Cloud applications needs to factor in all costs. For
example, there are outgoing system exit costs such as write-offs associated
with the depreciated value of associated IT assets on the balance sheet and
early contract termination penalties for existing services. Also, if you need
the Cloud application to talk to any other systems, you may also need to
subscribe to yet another Cloud application (or hire consultants) to manage data
integration, authentication, and so on.
Once you have developed a full cost profile for the Cloud system, due
diligence requires you assess the TCO over the expected life of the system.
Large enterprise systems typically are in use for at least three years -
many for much longer. By subscribing to Cloud, however, there may be an undue
emphasis (at the expense of the full life-cycle TCO) on short-term costs
associated with the monthly or annual subscription renewal periods.
At the very least, doing the cost due diligence with some rigor will let you
know with a greater degree of confidence whether the Cloud's promised benefits
are realizable. The key message here is not to assume that Cloud-based
applications are always going to be cheaper than an in-house equivalent. If you
own IT applications and infrastructure that still have some life in them, your
switching costs may be far from trivial. If, however, your existing IT is at the
end of its life, the Cloud may indeed be a viable, cost-efficient way to go.
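The comparison the piece describes, as an added example that is not part of the original article: the headline per-user per-month subscription figure set beside a full TCO that also counts the exit write-off, contract penalties, migration and yearly integration costs over the system's remaining life, for an asset with life left and for one at end of life. Every cost figure and profile field is a constructed assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OnPremProfile:
    """Cost profile of the existing on-premise application (constructed fields)."""
    annual_run_cost: float        # staff, maintenance, utilities, support
    annual_depreciation: float    # of the existing asset, per the chart of accounts
    remaining_book_value: float   # written off if the asset is retired early
    refresh_capex: float = 0.0    # one-time spend needed if the asset is end of life


@dataclass(frozen=True)
class CloudProfile:
    """Cost profile of the Cloud replacement (constructed fields)."""
    per_user_per_month: float
    users: int
    integration_per_year: float       # extra subscription or consultants for integration
    migration_one_time: float
    early_termination_penalty: float  # for contracts tied to the system being exited


def subscription_only(cloud: CloudProfile, years: int) -> float:
    """The headline figure: per user, per month, per application, nothing else."""
    return cloud.per_user_per_month * cloud.users * 12 * years


def cloud_tco(cloud: CloudProfile, onprem: OnPremProfile, years: int) -> float:
    """Full cost of moving to the Cloud over `years`: system exit costs (write-off
    of the retired asset's book value, contract penalties), migration, then the
    subscription plus integration every year."""
    exit_costs = onprem.remaining_book_value + cloud.early_termination_penalty
    recurring = subscription_only(cloud, 1) + cloud.integration_per_year
    return exit_costs + cloud.migration_one_time + recurring * years


def onprem_tco(onprem: OnPremProfile, years: int) -> float:
    """Full cost of staying put: any refresh capital needed now, then running
    cost and depreciation every year."""
    return onprem.refresh_capex + (onprem.annual_run_cost + onprem.annual_depreciation) * years


def cheaper_option(cloud: CloudProfile, onprem: OnPremProfile, years: int) -> str:
    return "cloud" if cloud_tco(cloud, onprem, years) < onprem_tco(onprem, years) else "on-premise"


# Constructed sample figures. MID_LIFE still has three years of book value to
# write off; END_OF_LIFE is fully depreciated but needs a hardware refresh.
CLOUD = CloudProfile(per_user_per_month=40.0, users=200, integration_per_year=15_000.0,
                     migration_one_time=60_000.0, early_termination_penalty=25_000.0)
MID_LIFE = OnPremProfile(annual_run_cost=90_000.0, annual_depreciation=40_000.0,
                         remaining_book_value=120_000.0)
END_OF_LIFE = OnPremProfile(annual_run_cost=90_000.0, annual_depreciation=0.0,
                            remaining_book_value=0.0, refresh_capex=250_000.0)


if __name__ == "__main__":
    for label, onprem in (("mid-life asset", MID_LIFE), ("end-of-life asset", END_OF_LIFE)):
        print(f"{label}: subscription-only year 1 = {subscription_only(CLOUD, 1):,.0f} "
              f"vs on-premise year 1 = {onprem_tco(onprem, 1):,.0f}")
        for years in (1, 3, 5):
            print(f"  {years}-year TCO: cloud {cloud_tco(CLOUD, onprem, years):,.0f} "
                  f"vs on-premise {onprem_tco(onprem, years):,.0f} "
                  f"-> {cheaper_option(CLOUD, onprem, years)}")
```

With the mid-life asset the subscription-only figure (96,000) undercuts the on-premise annual cost (130,000), yet the full three-year TCO goes the other way; only the end-of-life asset makes the Cloud the cheaper path.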
-
more information
Mobile Computing a plus or a minus?
The rapid emergence of a mobile culture is leaving businesses around the
globe vulnerable to security breaches.
More than half of all business users use their own personal mobile
devices such as Android phones and iPads for work, with most of them connecting
them to their employerÂ’s IT systems. There is widespread failure to comply with
organizational security policies, leaving work systems vulnerable to
cyber-attacks and security breaches. Despite this, most workers still expect to
have full unfettered access to all their personal online accounts and social
networking sites throughout their working day.
  
There is a widespread mobile culture building up in the workplace as people's
personal and work lives merge through technology. Workers expect their employer
to foot the bandwidth costs for their personal devices, enabling them to do
online banking or access Facebook, for example, but flatly refuse to conform to
their work security measures. This behavior is exasperating business owners and
senior management.
Research reveals that equipping workers with the latest smart devices makes
employees feel valued and increases company loyalty. As businesses are
increasingly reliant on platforms such as Twitter and LinkedIn to improve
business efficiencies and strengthen communication, business owners welcome the
news that most current workers use their own devices to keep in touch with work
outside of office hours, meaning they are more likely to maintain focus on their
jobs from one day to the next.
During the last few years there has been a rapid increase in the number of
people using social media, and it is now a fixture of our everyday work and
personal lives. Today, social networks connect people to the world around them,
and employees expect to be able to access their personal online accounts in the
workplace. What is alarming is that, despite this, few companies have
established formal processes for handling social networking tools in the
workplace. Even fewer have expanded this to mobile workers or personal devices,
compromising any previous investment that they may have made to secure their
network or corporate image.
Banning the use of social media or access to personal online accounts in the
workplace seems like an archaic approach and one that could compromise
productivity. The good news is that as a result of ever developing technologies
there are a range of solutions available to help businesses safeguard themselves
against security threats.
-
more information
Recovery Point and Recovery Time Metrics
Recovery point objective (RPO) refers to
the amount of data loss a customer can tolerate, specifically the point in time
to which your enterprise must be able to recover the data. Some enterprises
require an RPO of ZERO. That means the enterprise cannot lose a single
committed transaction in the event of a site failure; they must be able
to recover the data back to the zero minute of the time of the disaster. There
are implications to setting up an RPO of zero. The replication solution will
require synchronous replication (explained in detail later in this section) and
may impact performance of the application being replicated.
An RPO of greater than zero, for example 30 minutes, can be handled differently.
An RPO of 30 minutes means the customer can tolerate losing the last 30 minutes
of transactions in the event of a site failure. If the disaster occurs at 12:00,
the customer must be able to recover the data to at least 11:30 (30 minutes
prior to the disaster). This can most likely be accomplished with asynchronous
replication with minimal performance impact to the application. In this
situation, careful planning and monitoring of the write-history log is essential
to support the expected RPO.
An RPO can only be determined by the customer's business rules and the other
governance of their environment. The customer must weigh the risk of data loss
in a higher RPO against the cost and performance impact of a zero RPO.
Recovery time objective (RTO) refers to the amount of time it takes a customer
to get their backup site up and running after a complete failure at the primary
site. Most customers have an RTO of anywhere from 15 minutes to 8 hours, though
the average is about 2 hours. This includes the time to fail over the replicated
LUNs (Logical Unit Numbers) to the backup EVA (Enterprise Virtual Array),
recover the backup database and bring it online, and redirect any applications
to the backup database server. A faster RTO can usually be accomplished by
prestaging the backup site to the greatest extent possible.
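To make the RPO and RTO arithmetic above concrete, here is an added example that is not part of the original article: it models a replication link with a fixed lag (zero for synchronous, positive for asynchronous), works out which committed transactions are lost at a 12:00 disaster, checks the result against a zero and a 30-minute RPO, and sums the three failover steps named in the text against a 2-hour RTO. The commit times, lags and step durations are constructed sample values, and the helper names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Transaction:
    """One committed write: when it committed at the primary site and when
    its copy landed at the backup site (the difference is replication lag)."""
    committed_at: datetime
    replicated_at: datetime


def replicate(commits: Iterable[datetime], lag: timedelta) -> List[Transaction]:
    """Model a replication link with a fixed lag. A zero lag stands for
    synchronous replication (the commit is not complete until the backup has
    it); a positive lag stands for asynchronous replication with a backlog in
    the write-history log."""
    return [Transaction(c, c + lag) for c in commits]


def lost_transactions(txns: List[Transaction], disaster_at: datetime) -> List[Transaction]:
    """Committed at the primary before the disaster but not yet at the backup."""
    return [t for t in txns
            if t.committed_at <= disaster_at and t.replicated_at > disaster_at]


def recovery_point(txns: List[Transaction], disaster_at: datetime) -> Optional[datetime]:
    """Latest commit the backup site can actually be recovered to."""
    safe = [t.committed_at for t in txns if t.replicated_at <= disaster_at]
    return max(safe) if safe else None


def meets_rpo(txns: List[Transaction], disaster_at: datetime, rpo: timedelta) -> bool:
    """The RPO is met when every lost transaction was committed inside the
    tolerated window (disaster_at - rpo, disaster_at]. With an RPO of zero the
    window is empty, so nothing at all may be lost."""
    window_start = disaster_at - rpo
    return all(t.committed_at > window_start
               for t in lost_transactions(txns, disaster_at))


def rto_minutes(steps: Dict[str, int]) -> int:
    """Recovery time is the sum of the failover steps, which run serially."""
    return sum(steps.values())


def meets_rto(steps: Dict[str, int], rto_limit_minutes: int) -> bool:
    return rto_minutes(steps) <= rto_limit_minutes


# Constructed sample data: five commits in the hour before a 12:00 disaster.
DISASTER_AT = datetime(2012, 1, 30, 12, 0)
SAMPLE_COMMITS = [DISASTER_AT.replace(hour=11, minute=m) for m in (0, 20, 35, 50, 58)]

# Constructed sample durations (minutes) for the three RTO components named in
# the text, once for a cold backup site and once with the site prestaged.
COLD_SITE_STEPS = {
    "fail over replicated LUNs to the backup EVA": 20,
    "recover the backup database and bring it online": 75,
    "redirect applications to the backup database server": 30,
}
PRESTAGED_STEPS = {
    "fail over replicated LUNs to the backup EVA": 20,
    "recover the backup database and bring it online": 15,
    "redirect applications to the backup database server": 10,
}


def scenario_lost_count(lag_minutes: int) -> int:
    txns = replicate(SAMPLE_COMMITS, timedelta(minutes=lag_minutes))
    return len(lost_transactions(txns, DISASTER_AT))


def scenario_recovery_point(lag_minutes: int) -> str:
    txns = replicate(SAMPLE_COMMITS, timedelta(minutes=lag_minutes))
    rp = recovery_point(txns, DISASTER_AT)
    return rp.strftime("%H:%M") if rp else "none"


def scenario_meets_rpo(lag_minutes: int, rpo_minutes: int) -> bool:
    txns = replicate(SAMPLE_COMMITS, timedelta(minutes=lag_minutes))
    return meets_rpo(txns, DISASTER_AT, timedelta(minutes=rpo_minutes))


if __name__ == "__main__":
    for lag in (0, 15, 45):
        print(f"lag {lag:2d} min: lost {scenario_lost_count(lag)} txns, "
              f"recovery point {scenario_recovery_point(lag)}, "
              f"RPO 0 {'met' if scenario_meets_rpo(lag, 0) else 'MISSED'}, "
              f"RPO 30 {'met' if scenario_meets_rpo(lag, 30) else 'MISSED'}")
    for name, steps in (("cold site", COLD_SITE_STEPS), ("prestaged", PRESTAGED_STEPS)):
        print(f"{name}: RTO {rto_minutes(steps)} min, "
              f"2-hour target {'met' if meets_rto(steps, 120) else 'MISSED'}")
```

A 15-minute lag loses the 11:50 and 11:58 commits but still recovers to 11:35, inside the 30-minute window; a 45-minute lag can only recover to 11:00 and misses it, and only synchronous replication satisfies an RPO of zero.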
-
more information