
Security Software, IT Infrastructure & Business Continuity

 
 
Security: manage or muddle?: David Booth    
A good information security management service (ISMS) is essential to protect your business information. It provides a practical framework for any organisation seeking to manage or improve the security of its information. There are standards and other guidance in putting an ISMS together, but it must also be part of the business in which it is to operate. For while the information security standards tell you what you should do, they don’t tell you much about how to integrate security management into your organisation. Standards can be dry and prescriptive. And having had the privilege of designing an ISMS for a major UK government department, I know only too well how hard it is to turn standards into something that really has a benefit to the organisation. Unless you are able to demonstrate benefit to the business in a tangible way, frankly nobody will want an ISMS; and if you can’t deliver the benefit after it’s been built, it will collapse into an expensive white elephant.
Strength through unity: Robin Hollington, Peapod Consulting    
A few years ago, I wrote an article for Evaluation Centre on reducing the cost of regulatory compliance. In it I said: “The cost and impact of regulatory compliance is rising. Even conservative estimates predict that compliance expenditure will rise by 22% year-on-year for the next five years.” Well, the cost has indeed continued to rise – whether by 22% or not is difficult to tell as few organisations can extract this data from the overall IT budget, and the credit crunch has skewed budgets. But IT projects have been cut and vendor pricing squeezed, whilst security and compliance costs have remained pretty static, thereby increasing the proportional expenditure from a single IT budget. Until recently, corporate governance oversight was largely a matter for public companies, with the focus primarily on broad topics such as leadership, financial reporting, ethics and operational risk management.
Controlling the super-powers: Richard Hunt, Turnkey Consulting    
In a post-Enron and Barings world, the way we work has changed significantly – and nowhere is this more apparent than in the audit and control arena. The primary concern for IT project managers used to be implementing a secure solution and working to ensure business continuity. Now organisations have woken up to a world where things can and will go wrong – either inadvertently or by deliberate design. However, whilst the security landscape may have altered, necessity dictates that it is still essential to have system ‘super-users’. These people have almost unlimited access to company data in order to successfully implement and launch an IT software project, as well as ensure it runs smoothly in the critical early days. But super-users are not CEOs and CFOs, responsible for the overall success of the company. These are typically people with no vested interest other than a monthly salary and the motivation to do a good job – and yet their level of system access makes them supremely powerful. So how can organisations maintain and develop super-user access in a controlled and auditable manner?
Cutting your coat and tightening your belt: Cliff Mills, NCC Research    
Technology marches on, the economy continues to provide a challenging environment and IT departments need to become leaner and more efficient. It’s not an easy time in most business sectors, and many companies are looking to the IT function to cut costs and play a more strategic role in the business. The available options have never been greater – and IT management need to clearly understand the range of possibilities to provide a fully optimised technology infrastructure. It’s reassuring, then, that our latest user survey finds 95% of organisations have an IT infrastructure management strategy in place, providing a framework for planning their future development. What’s more, infrastructure issues are obviously being taken seriously, with 68% of companies reviewing the decisions at board level. However, this still leaves 27% where this is not the case.
Safety in numbers: Fran Howarth, Quocirca    
Computer usage today is pervasive in many parts of the world, with the number of computers in use said to have exceeded 1 billion by 2002, according to the World Bank. Computers have come a long way since the launch of the first commercial PCs in the 1980s, which were large and clunky, with limited capabilities. Today, laptops and notebooks sell in greater numbers than desktop computers, allowing their users to connect to networks from wherever they happen to be. But there is a downside: a portable PC means portable data, which means insecure data. Recent headlines such as ‘Home Office prisoner data breach: blunder bigger than first thought’ or ‘Lost data total nears 30 million records’ are just the tip of the iceberg. According to the Privacy Rights Clearinghouse, more than 262 million data records containing personally identifiable information have been compromised through security breaches in the US alone since 2005.
Looking to the long term: Farhan Mirza, A.T. Kearney    
To cope with the financial pressures put on them by the current economic downturn, businesses are increasingly looking at their IT operations for cost savings. In fact, according to a recent survey of 50 organisations by management consultancy A.T. Kearney, a massive 78% of IT executives are under ‘severe pressure’ to cut costs, with a third seeking double-digit cost savings. The report examines whether the cost-cutting measures corporate IT are taking are likely to be effective or even sustainable, when faced with the possibility of a prolonged recession. It finds that 75% of organisations are relying on short-term tactical measures to deal with the downturn – such as deferring spend or cutting back on discretionary expenses – to contain expenditure rather than cut costs that stem from inefficient ways of working. But A.T. Kearney warns that, as business revenue, number of users and transaction volumes continue to fall during the downturn, IT costs will need to reduce even further to track efficiency benchmarks. And while the economic outlook is still unclear, the downturn could, many forecasters predict, be slow and prolonged and last until 2011.
Making knowledge work: Colin Ashurst, Durham Business School    
The European Union has a goal to become the most competitive and dynamic knowledge-based economy in the world by 2010. In many UK regions, such as the North East of England where I’m based, there is also a strong emphasis on the knowledge economy. Management guru Peter Drucker describes knowledge workers as: people with a high degree of formal education who apply knowledge to work, rather than manual skill or brawn. In his 1999 article in California Management Review, he also writes: ‘The unique contribution of management in the 20th century was the 50-fold improvement in the productivity of manual workers. The most important contribution management needs to make in the 21st century is to similarly increase the productivity of knowledge work and knowledge workers.’ So who are these knowledge workers? The definition encompasses many roles – from financial experts, to doctors to a very wide range of manufacturing, creative and administrative roles where workers have discretion as to how they go about the job and their success depends on the application of knowledge and experience.
Room for a (new) view: Richard Williams & Gordon Miller, Procertis    
Managing IT service delivery doesn’t look like it should be all that hard. After all, this is one of the best codified and constrained areas of activity in contemporary business. The goals, standards and penalties of service delivery are enshrined in service level agreements (SLAs) which spell out the obligations of each party in the relationship, while quantifying the costs and benefits accruing to each. Sadly, despite this structure, service delivery as viewed by the business is notoriously difficult to achieve, while SLAs prove to be a focus for conflict rather than partnership. Why is this so? And what can business leaders do about it? Experience suggests that the underlying problems with IT service delivery can be traced to an incomplete appreciation of what exactly service delivery is, and what it is for. By building a more complete vision, leaders can create service relationships that are more valuable and harmonious. More importantly, they can align themselves with the evolution of the enterprises they serve, ensuring that the business can grasp new opportunities without being held back by IT. This article examines how this can be achieved, while also showing how SLAs might be re-invented to serve the real needs of the people they are meant to benefit.
Future of the desktop: Nick Martin & Rhys Sharp, SCC    
The desktop is a major area of investment and change for corporate technology users. Decisions around which direction to go are influenced by many factors. A year to 18 months ago, an overriding driver was the need to simplify desktop technology and provide a better level of support to the end user. More recently, cost of ownership has come strongly to the fore, along with the need to improve flexibility and remote connectivity. Today’s challenges fall broadly into three categories. They relate to the operating system (OS), the device and/or the applications. By focusing on these areas, companies can put in place a more optimised and dynamic desktop. However, with the trend towards virtualisation and increased mobility, the impact on the data centre, back-end services and connectivity must also be taken into account.
Doing more for less: Jon Leary, CSA Waverley    
Given the economic recession, an inevitable focus for many organisations at the moment is working out how to do more with less. This imperative, combined with growing demands to tackle disaster recovery and security more effectively – not least in light of the seemingly endless stream of data breach stories hitting the headlines lately – means that the pressure is now on to sort out these key IT infrastructure issues despite progressively limited budgets. But for once, there is a straightforward way to kill all of these birds with a single stone. Rising numbers of organisations are recognising that backing up their valuable corporate data on tape is no longer adequate and are instead turning to disk-to-disk backup as the answer. As a result, uptake of this tried and tested digital technology has already jumped to an estimated 21% of the total market this year from a mere 8% last year – and the pace of adoption is expected to increase.
So what's different this time around?: P Boggis & V Merlyn, nGenera    
Anyone old and unlucky enough to remember the last major economic recession of the late 1980s will immediately recognise that this one is deeper and dangerously different. In the world of IT – especially in large global companies – the challenges faced right now are an order of magnitude different from a couple of decades ago. For example: cost leadership and alignment. Today there is nowhere near the same level of opportunity for cost containment and reduction that there was two decades ago. Most IT houses have long ago cleaned up their operations and so the existence of ‘low-hanging fruit’ is very rare. Increasing cost efficiency beyond current levels is therefore going to be a lot harder; business and IT operating models. In both these areas, businesses are going to have to look somewhere different for achievable and sustainable improvements in efficiency and cost-effectiveness.
Virtual's a reality: Martin Banks, Bloor Research    
Virtualisation technologies – coupled with what Bloor Research is now calling the ‘information exostructure’ – are seriously changing the rules for managing disaster recovery. This is still one of those areas where a large percentage of users seem to believe that it simply cannot happen to them, so there is no need to either plan for it or make any specific provision for it. Now, though, the information exostructure is making planning and implementing disaster recovery strategies a far easier prospect. The key questions that business managers must ask themselves, if they do care to consider the potential for disaster for their businesses and how they might recover from it, are – what would be the impact on the business if something serious did go wrong with our information management environment, and how long could we survive without it? Such obvious questions have little to do with the specifics of the IT infrastructure being used, but they are the bedrock on which a disaster recovery management strategy is built.
Software and security: a burning issue: Prof Howard Schmidt, (ISC)2    
Chances are that when companies are scoping a software development project, one of their key concerns will be to optimise the sourcing strategy – to determine how much can be bought off-the-shelf and how much has to be custom built. With the custom-built element, the project managers will also need to determine whether internal resources are the most appropriate or if there are advantages to be gained by outsourcing/offshoring. They will then make their recommendations based on striking the balance between cost and quality assurance. But rarely will security considerations be included in this process. In fact, according to Gartner Group, over 70% of security vulnerabilities exist at the application layer – presenting a significant immediate threat to users worldwide. So while businesses and consumers push for more and more connectivity from products and programs, the criminals who target them are more focused on the users and the software that they directly access.
Are you a vulnerability?: Daniel Dresner, NCC    
The biggest threat to information confidentiality, integrity and availability is its unacceptable use by staff, contractors, partners and former employees. That’s the conclusion of a recent National Computing Centre (NCC) ‘survey of surveys’ – reviewed by members and scrutinised by experts. In other words, information security or assurance is, as so many like to announce, a people problem. But it’s not just people! There seems to be a tendency in security to grab at ‘silver bullets’ and focus on the kind of single, limited-vector threats that silver bullet solutions are needed for. But there’s a danger that this attenuates risks to information security into a model that’s too simple to be helpful. Confident slogans that look good in headlines and on T-shirts help us to model complex challenges – but they do not abrogate our responsibilities to maintain a comprehensive view of a problem. This means dealing with people, processes, and technology. Keep models in their place; be tough on both risk and the causes of risk.
Perils of under-performance: Michael Talalay, IT Risk Manager    
Under-performing IT systems pose a substantial risk to any business – to its productivity, to its profitability, and eventually even to its survival. However, unlike failure or non-performance, under-performance is not necessarily easy to recognise. It can be subtle; it can be hidden; it can be disguised. This article addresses four questions. What is under-performance? Why does it matter? How can you recognise it? And what should you do about it? IT systems need to support the business. They need to be fast, they need to be effective and they need to be appropriate. If they under-perform in any one of these areas, the business will suffer. If they under-perform in all three, the business may be in serious difficulty. Let’s start with the importance of speed of processing – the most obvious of the three areas of potential under-performance.
When disaster strikes: Chris Potter, PwC    
Disasters have shaped history since the birth of mankind. As Homer once put it, the man who runs from disaster does better than he who is caught by it. Saint Anselm observed that disasters teach us humility, while Germaine Greer has speculated that catastrophe is the natural human environment and that we are all programmed for survival amidst it. But within the business and technology context, two things are clear. Firstly, catastrophe is not the natural environment for delicate computer systems. Secondly, computers are not very good at running. So contingency planning is vital to ensure that IT systems can be recovered if they are knocked out by a disaster. You only have to look at world events over the last year to see how fragile our way of life can be. Whether it is the cyclone in Burma, the earthquake in China or last summer’s flooding in Tewkesbury, the news is often dominated by disaster stories. Most scientists believe that the climate is changing and this will make natural calamities more frequent and more severe. So, disaster recovery has never been more important.
Reining in the mainframe: John Regan, BluePhoenix Solutions    
Virtually every large company in the UK has an IBM or equivalent mainframe to run its enterprise-wide applications. Mainframes make a lot of sense. Having one central store of corporate business data on a very fast machine which is accessible from anywhere on the company’s network is an effective approach. The problem is that, like anything big, without active management, a mainframe can soon become inefficient and its running costs can quickly rocket. The costs associated with operating a mainframe increase in line with its capacity as periodic upgrades are applied. However, most companies find that the speed of this increase is far in excess of what’s needed to meet the growth in business volumes. So why is this – and what action can companies take to remedy the situation? Any mainframe is a finite size. The two ways this is normally defined are how much disk storage space it has (known in mainframe speak as DASD) and how powerful it is.
Unseen enemy: Steve Nimmons, Atos Origin    
I recall (approximately eight years ago) reading an interesting poster on social engineering at a well-known electronics company in California. This wall-chart communicated sensible advice for dealing with unsolicited phone calls, ‘chance’ conversations and the importance of discretion when discussing corporate matters on planes, trains and automobiles. Topics such as tail gating, the ‘risk of gallantry’, the social and psychological tricks used by experienced practitioners to project ‘belonging’, the need for discretion and vigilance in public spaces and of course ‘clear desk policies’ were explained in concise, relevant and accessible language. In this way, workforces across this and other enterprises were equipped to deal with the primary aspects of corporate social manipulation. Using inhouse and industry standards, they shared the wisdom of primary threats, expected behaviours and above all encouraged staff training and awareness.
Dissing discontinuity: Brian Davey, Teed Business Continuity    
There are five common mistakes or false assumptions organisations can make when implementing their business continuity management programme. These are the problems and how to avoid them. When you implement a business continuity management (BCM) system according to the lifecycle advocated by BS25999, the incident management team is not appointed until after the ‘Understanding the organisation’ and ‘Developing BCM strategy’ stages are complete. This assumes you won’t have an incident in the meantime – which is a very brave assumption and could have serious consequences should an adverse situation arise. Instead, form your incident management team upfront, with a senior manager/director as team leader to provide the team with authority. Include a senior representative from each of operations, IT, finance, legal, public relations and facilities management/safety (or their equivalents in your organisation). Appoint a deputy for each role to allow cover for the absence of the primary role holder.
Working the web: Cliff Mills, PMP Research    
Web analytics is the process of analysing the behaviour of visitors to a website. The aim is to help organisations maximise the value of their internet marketing and improve the design of their website. By understanding visitor behaviour, organisations can tailor their marketing initiatives to attract, retain and grow the value of customers. To see how companies are progressing in using this relatively new marketing tool, PMP Research surveyed a cross-section of leading organisations for their opinions on the use of web analytics software. For the majority of organisations (80%), the analysis and activity monitoring of their websites is undertaken by inhouse staff, with only 6% selecting an external company and 14% using a mixture of internal and external resources.
Why enterprise architecture comes first: Martin Sharp, MEGA Int    
Hands up how many ‘C’ level executives really know what their organisation looks like or how it all works, enough to consistently make the right, fully informed decisions? Many technologies are available to provide data and information such as enterprise resource planning (ERP) and business intelligence (BI), but these systems won’t help anyone understand the structure of the organisation, how departments and people interact, the key processes, and the IT systems employees use. Organisations are sophisticated structures, so besides seeing the big picture, management also want to focus down on details. Many factors are interdependent and to make improvements these dependencies and interactions must be understood. In general, without a suitable means, it is hard to see the entire structure and its components from one viewpoint, especially in large organisations.
Sword of insecurity: John Walker, Secure-Bastion    
Within a small timeframe, business has evolved to embrace the delivery channels of the internet. Companies increasingly have a globalised footprint, generating vast profits from online e-trade and adding much to the gross national product (GNP) of their respective countries and continents. We also see a wide utilisation of offshore service providers, supporting remote systems and applications and the development of code. The lower running costs offered by the internet are also attractive to business. Many corporate and mid-sized companies are deploying lower-cost IP communications, ranging from pure VoIP to the more popular technology of choice within the mid-sized community, Skype. Overall, in many respects business is doing very well indeed, notwithstanding a downturn in some areas of the global economy.
Creeping under the security blanket: Ian McGurk, Plan-Net Services    
Information security has always traditionally been deemed to be an IT issue. However, in today’s business climate of more and more legal and sector regulation, attitudes are changing. The acceptance that information is a key business asset which is fundamental to the survival and growth of a business has brought with it the recognition that security of information must be a business problem. The quality of information and the way it is processed and presented are often key differentiators between competitors – representing intellectual property in the form of research, design, development or formulae. So there is an obligation on a business and its executives to take efforts to protect this valuable information. The methods companies use to control access to their information are typically a combination of process, procedure, training and technology. However, there is one overwhelming weak point that is often overlooked. Once it has been deemed necessary to grant a person access to information, their primary work tool – the PC – can be used as a gateway for siphoning information that will generally not be audited and not be detected.
Putting in storage: Peter Williams, Bloor Research    
The near-exponential rise in data storage requirements is an escalating problem, and it manifests itself in soaring costs, degraded performance for backup and retrieval, slower access, and more complex storage management. Storage equipment producers are delighted to sell more systems but even they are beginning to see the spectre of systems becoming unmanageable or unusable, so crippling their customers. This has concentrated minds, and a number of technologies have emerged which counter the effects of the storage explosion (although not its causes). A few companies have patented some aspect of their software but mostly they have adapted existing techniques.
WAN to watch: Luke Hetreed, Bitech Systems    
All sizes of enterprise are now running applications over a WAN that they would not have dreamt of running five years ago. Some work well, others do not make the transition – and where there are problems, everyone’s favourite culprit is the WAN. Where companies can afford to, the usual response is to throw bandwidth at the problem – but all too often they are perplexed when no improvement is forthcoming. A 2Mbps leased line is an obvious bottleneck when your LAN runs at 100Mbps, but closer inspection will often reveal that the 2Mbps line is running significantly below 100% utilisation. The reality is that WAN performance is not a simple issue and it is hardly surprising that a number of vendors have entered the market offering various approaches to the problem. But before you can start to fix the issue, you have to know if you’ve got one in the first place. For companies with inhouse networking skills and SNMP management platforms, this is relatively easy, but it can be very confusing for those without such resources.
Phishing, pharming and other cyberspace scams: John Hookham, Adrelia    
Throughout history, confidence tricksters and their scams have always existed. In the age of the internet the old classics are alive and well and new ones have been invented. And despite warnings that con men and fraudsters out there are after your money, millions of normal computer users and many businesses still fall victim to cyber crimes. Some scams are easy to avoid and some are fairly obvious, but others are more subtle, some are downright fiendish and a few are quite simply despicable – preying on the most vulnerable and often desperate members of society.
Security's top 10: David Lacey    
‘You can’t manage what you can’t measure’ is a frequently cited quote, usually attributed to W Edwards Deming. It’s not precisely what he said and it’s not completely true – because there are many things in life which simply cannot be known or measured. The important point, however, is that you can’t manage a business process effectively and efficiently without reliable intelligence of costs and events. What Deming was actually saying is that it is fatal to rely on the visible figures alone. You have to probe below the water level of the iceberg to understand what is really happening. Nowhere is this more important than in security risk management, because of the invisible nature of many of the most dangerous threats, exposures and events. Sometimes this is by deliberate design: espionage and fraud, for example, are intended to be covert, untraceable activities. But it is also because of the silent and unseen nature of electronic transactions, which cannot be observed without the aid of a suitable software monitoring device.
Business risk: the bigger picture: Martin Atherton, Freeform Dynamics    
Many organisations spend a lot of time and money chasing regulation and compliance. But taking a step back and revisiting information management strategies in the context of the broader landscape of business risk could help them address multiple, critical challenges. In fact, many businesses are beginning to adopt a more formal approach to risk management. The more forward-thinking among them are taking a co-ordinated, executive-led approach and appointing a chief risk officer (CRO) – particularly in financial services, where 48% of firms have a CRO in place compared to the overall average of 36%. Organisations are also striving for more co-ordination at a practical level – between physical and IT security, and across security and information management.
As safe as houses: Allan Cooke, Akubra    
Most of us are familiar with the concept of domestic security. We understand the value of our possessions, the threats to our home and family, and take appropriate measures. But in the business world, with an intangible asset such as information, how do you achieve similar confidence in your security measures? Do you know what the threats to your information are, and how to protect against them? Security product vendors have a vested interest in casting fear, uncertainty and doubt over the levels of protection organisations have implemented, and would prefer you to solve problems through the deployment of costly solutions. Without the ability to assess the value of information, organisations risk having an expensive and possibly ineffective information security policy. Whether or not their security expenditure is appropriate depends on the specific nature of each business. Organisations therefore need a mechanism for establishing which information assets need protection, and a way of assessing the cost-effectiveness of security measures.
Back from the brink II: Martin Mellor, PPT Consulting    
Operational staff and technical support staff are generally the main employee groups affected by a decision to implement a disaster recovery project. Affected third parties include customers and technical suppliers – in particular those suppliers to whom the implementation and support of a disaster recovery capability is outsourced. Operations staff are the front-line of any business and, as such, face the customer. The customer’s perception of the business is based on their experiences in interfacing with the operational staff, so it is essential that any interruptions during the project do not compromise the customer experience. Surprisingly, many customers are not asked to contribute to the disaster recovery project. Many companies forget the impact of a disaster on their customers’ businesses. But if you only consider the impact on your own business, you’re neglecting the fact that what might be a relatively minor application for you may well be critical to their organisation. Staff therefore worry about the impact on their customers.
Back from the brink: Martin Mellor, PPT Consulting    
Most advice about disaster recovery projects tends to focus on the process – especially the financial, technical and delivery issues – rather than the key people problems. This article explores some of the impacts on managers during the lifetime of a disaster recovery project. The impact on staff is discussed in a later article. In any business, it’s the managers who are responsible for the delivery of products and services and for ensuring that the day-to-day work within the business is managed and controlled. In a disaster recovery project, it’s vital to define which business processes are critical – and therefore within its scope – and those which are not. This is because the impact of DR on those managers whose processes are selected will differ from those whose processes are not.
Mind the gap: Colin Butcher, XDelta    
We have a support ‘time bomb’ waiting to explode. It has been created by the widespread loss of experienced business continuity staff, the lack of new people coming through to take their place, and across-the-board cost cutting initiatives such as outsourcing and offshoring to the cheapest supplier. Getting good value is important, but cutting costs to the point that quality of service is impacted at the front line will cause long-term damage. In practice, an ‘expertise gap’ is growing between the necessary level of skill required to support companies’ technical infrastructure, the immediately available level of skill with end-user organisations and, crucially, the immediately available level of support from manufacturers and suppliers. This is creating a major risk to the survival of businesses when they have problems with their technology infrastructure or with their external communication mechanisms.
Embracing BPM: David Longworth, Loosely Coupled    
If SOA, as some would have it, stands for ‘same old architecture’, then it begs the question: what is different this time around? Indeed, the IT community has sought to build re-usable IT architectures in the past, with only limited success. And the fact that today’s service oriented architectures are built around a whole raft of commonly agreed standards with significant momentum behind them in most parts of the vendor community is only part of the difference. The key to today’s SOA projects is that they are being built in line with changing business requirements. The IT community is waking up to the fact that architecture is not something that can be hard-coded to meet a particular pain point, or built once in isolation from the business problem and deployed many times over – the traditional packaged software model.
21st century IT: B Challinor/I Barnes, Intelligent Network/ProsolveIT    
In today’s challenging environment, businesses are being asked to respond faster to competitive and customer challenges; and they are looking to IT to be a differentiator, providing flexibility and speed as they address complex business issues. IT managers are seeking solutions that provide both agility and reduced cost – and service oriented architecture (SOA) is being characterised as the next big thing in IT infrastructure development by both industry analysts and the IT press. Gartner is predicting that by 2007, most companies will adopt SOA frameworks for new applications and will have the infrastructure required for wrapping legacy applications and integration across processes.
Virtual reality: Alan McSweeney    
In IT, server virtualisation involves using software to allow physical servers to be encapsulated into a virtual machine. This virtual machine is unaware that it is not running directly on physical hardware. Virtualisation has been in existence for some time, with the likes of the IBM VM mainframe operating system and the LPAR feature on the iSeries (AS/400), pSeries (AIX) and zSeries (mainframe) systems. It contrasts with the traditional server deployment model (Figure 1), which involves a single application per server – thereby avoiding the effort associated with resolving the conflict between running multiple applications on the same server. There is typically a one-to-one correspondence between applications and servers. But this leads to low server utilisation and a proliferation of physical servers. In turn this makes testing and development cumbersome and disaster recovery difficult to implement.
Horses for courses: Paul Mellings, Xantus    
The term virtual private network (VPN) is well-established in IT parlance, though it can mean different things to different people. For some, it is intimately linked with the internet, whilst confusingly for others it is a way of avoiding all that is bad about the internet. Muddying the waters further, the term also has connotations in the voice networking arena. This article seeks to clarify the differences between various VPNs and discuss the features, benefits and applications of each. So what is a VPN? What is true of all VPNs is that they provide connectivity between two or more places using a previously established shared network infrastructure – rather than having to deploy new, dedicated hardware specifically for this purpose. By ‘overlaying’ new secure logical links or channels on top of an existing physical network infrastructure, it is possible to emulate a dedicated private network without the expense, time and trouble of building one. Hence the term ‘virtual private network’ – it looks and acts like a private network but by being built on shared infrastructure, fundamentally is not.
How more can be less: Graham Perry, Profis    
Look around any IT department and you will see a smattering of legacy applications, internal developments, applications acquired through mergers, and any number of third-party packages. Offshore development is also becoming more popular as it offers the promise of significant cost reductions and access to a limitless pool of development talent. The applications developed by the different channels in this complex picture are usually tested by the same channels. This approach throws up a conflict of interest between delivering on time and quality – rather like an aircraft manufacturer issuing its own certificate of airworthiness. Given this background there are two increasingly important issues that have to be addressed if high costs and failures are to be avoided.
In the frame: Alan Calder, IT Governance    
If information is the lifeblood of the modern enterprise, information technology provides its circulatory and nervous systems. In a ruthlessly competitive business environment, IT makes possible the move from a tangible asset-based business model to an intangible intellectual capital based one. Information and IT provide competitive advantage, improve productivity, reduce costs, support communication and operational capability, and are essential for financial reporting. This should put information and IT near the top of the board agenda: IT should be a governance issue.
Building your IT assets: Stuart Brown, 3net    
Today’s business climate demands that operational efficiencies are increased and operational costs reduced. This is only possible if you understand where your assets are located, what they are contributing towards the business and the support costs associated with them. Increasingly, senior IT managers and business leaders understand the need to provide IT systems that effectively manage their assets. Most understand that they have a duty to provide the board with accurate and up-to-date asset information, in a form that can be relayed to shareholders. Corporate governance initiatives, like Sarbanes-Oxley, have increased the importance of maintaining accurate asset information.
IT yesterday and today: Terry Critchley, TAC Associates    
The IT world today is far more complex than it was 15-20 years ago when the internet, data warehousing and knowledge engineering were relatively rare. As a result of this complexity, systems migration and consolidation have become key management issues. Back in the 80s the mainframe, under centralised control, still ruled the roost but Unix was being considered for new applications which may have been on a backlog in the mainframe environment. In addition, there was a surge in the availability of application packages, a thing unknown on the mainframe – where nearly all applications were bespoke and very organisation-specific. Many of these programs still exist today as core business applications, often because they do the required job and there is a massive investment in the software.
Running down the risks: Paul Jacob, Atos Origin    
The ability to provide highly available services has become a business-as-usual requirement for many organisations. This has come about partly as a result of the consolidation of business processes by implementing shared service centres to reduce operating costs, as well as the requirement to deliver 24x7 services through the internet and call centres. Senior management are also increasingly aware of the need to plan for the unexpected, as a result of: high-profile in-extremis events such as terrorist acts; increases in adverse weather conditions as a result of climate change; and the potential disruption that would result from pandemics such as bird flu. Many organisations, particularly those operating in the financial services sector, are also subject to regulatory requirements which demand that they regularly assess operational risk and put in place plans to mitigate these risks.
Building a security awareness 'matrix': John Walker, Experian    
It would seem the penny has finally dropped about the threats faced by internet users that could impact both the business and end users alike. The problem for most security professionals is that their non-security colleagues tend to view them as semi, if not totally, paranoid, with a tendency to read far too much John le Carre. In other words, they appreciate the necessity for much of what the specialists have introduced, or wish to introduce, but feel that it simply gets in the way of the real world of business. However, this attitude appears to be changing. In mid-2004, I attended a meeting with an external specialist group to consider the threats posed by online vulnerabilities. At the meeting, we discussed the dangers posed by ‘phishing’ attacks and I suggested this would be a significant risk as we moved into 2005/6. In my opinion then, phishing should not have been considered a passive threat, but one with very real potential to damage online confidence.
Don't damage the evidence: Andrew Sheldon, Evidence Talks    
As a professional organisation, you should already have a clear understanding of the basic requirements to protect your data from loss or corruption and have procedures in place to deal with e-disclosure and e-discovery requests. Likewise, data backup and disaster recovery procedures should be top of the list for ensuring your business does not suffer when a computer fails. However, as a digital forensics specialist, I speak to companies almost daily who have relied on these security, disaster recovery or backup procedures when responding to issues of computer abuse and have found that their actions have caused more problems than they solve. When investigating computer abuse – even a seemingly trivial event – it is essential that the procedures and methods used are suitable for the task. In more than 90% of the cases we are asked to investigate, the client has already damaged or tainted the evidence that they are seeking.