Disaster Recovery Is More Than Just Backup

Are you prepared for an office disaster? If a fire, flood, or robbery irrecoverably damages your computer equipment, will you be able to get up and running again? The first requirement, of course, is that you have all essential data backed up, but that’s not necessarily enough by itself. One business in four that closes because of a disaster never opens again; some estimates are even more pessimistic. Those that do reopen may suffer a significant loss of business, with some customers never returning if restoration of service takes too long. A good recovery plan needs to include concrete steps for recovering all data and resuming operation, with a realistic estimate of how long it will take.

To be useful in case of a disaster, at least one backup copy has to be offsite. A backup drive in your office is useful for recovering corrupted files, but if your computers burn or are stolen, it’s very likely the backup will be too. Use a reliable backup service and make sure you know how to get files back from it. Choose a service that has a good reputation and encrypts all data in transit and in storage.

You should also keep a disk image backup of your primary drive. Simply restoring files to a new drive won’t necessarily replicate your original operating environment. Keep the image backup stored offsite in a secure place, and encrypt it too, as with anything important that you store offsite.

Make sure that the passwords and keys you’ll need to perform the recovery are kept in a safe place. If you keep them on the premises, put them in a locked, fireproof box that can’t easily be stolen. If they’re off the premises, make sure they’re stored securely.

Plan for how you’ll inform your employees, customers, and business partners of the situation. If their contact information was all on the lost computers, this could be difficult, so keep a copy of it in another place.

Make a realistic estimate of how long it will take to restore your data and resume operation. First you have to set up a new computer and copy your saved disk image to it. After that, you need to restore all your data from the backup; this might take days, depending on how much you have and how fast your connection is. If you have to restore multiple computers through the same Internet connection, it could take a long time. Finally, you’ll need to verify that everything is working properly before going live.

You’ll also need to consider what it takes to catch up on lost time. If you send out reports on the first of the month and a disaster brings your systems down on that day, you need to get those reports out as soon as you recover, not on the first of the next month. Make sure it’s possible to do this.

Estimate what the process will cost. You’ll have to buy new computers, replace furniture and supplies, and weather an interruption in revenue. Hopefully insurance will cover most of the loss, but you need enough money in the meantime to get through.

However good your plan sounds, you need to test it to make sure it works. A full test, including failover and restoration of data, may not be feasible, but you […]

The role of a Chief Information Officer (CIO)

As technology takes an increasingly important role in many businesses, the role of a Chief Information Officer (CIO) becomes more central to the core operation of the business. The CIO answers directly to the board of a corporation, the CEO, or the CFO and, as such, has a wide influence over internal issues that go beyond IT management. Governance of information goes beyond governing information technology alone. Most companies that have a heavy investment in information technology create a Chief Technology Officer (CTO) to play the role of visionary leader in the area of technology and product architecture.

CIOs are not always technology managers by background. They can be technology-aware business managers able to bridge the cultural and process differences between technology delivery and business users. According to recent surveys, a majority of IT leaders report a shortage of high-level personal skills among their management. CIOs are often the people who reduce the gap between IT professionals and non-IT professionals in order to make these relationships productive. The organizational and personal development skills of the CIO are increasingly valued in organizations that meld technology with other business functions. The CIO must balance roles in order to integrate technology into the organization and work toward competitive advantages for the company.

The CIO has responsibilities in the areas of finance, professional recruitment, policy, and strategy development. Many CIOs have especially strong management skills; in many cases, business acumen and strategic perspective take precedence over technical background. Many CIOs are appointed from the business side of the organization, and many have MBA- or MS-in-Management-level training. As information gains greater importance in organizations, the prominence of the CIO as a key person in formulating strategic goals has grown. Many CIOs are taking on additional executive titles. This trend is often referred to as “CIO Plus.”

As the role of the CIO broadens and responsibility increases, the risk in the job also increases. The CIO takes responsibility for many of the errors and breakdowns that cause company losses. In 2014, when 40 million credit card details and 70 million customer details were stolen by hackers at Target, it was the CIO who took responsibility and had to resign. Much of the burden on CIOs is risk management. The CIO must be knowledgeable about their industry so they can adapt and reduce the chance of error.

Many companies are changing from product development and sales to an emphasis on services. The business models of a growing number of former software and technical companies are shifting to Software as a Service, Infrastructure as a Service, and Business Process Outsourcing. In those companies, the role of the CIO has been changing toward that of a manager of third-party providers for the organization. The CIO has to possess the business skills to relate to the organization as a whole, not just a limited set of technical skills. The CIO role is changing to include anticipating trends in the marketplace and ensuring that the business navigates them.

The evolution of the CIO followed the evolution of IT. When the mainframe was king, the CIO (or whatever they called them then) was strictly back office. CIOs worked to automate office functions to reduce head counts. They tightly supervised programmers who were busy writing home-grown software. This generation of CIOs had technical backgrounds. They were most often recruited from outside […]

Why does your business need an IT road-map?

Where is your company headed, and what kind of IT system does it need to reach its goals quarter by quarter, year after year? Many businesses don’t know how to address this question with the appropriate depth and strategic thinking. CEOs, executives, managers, and small business owners may know where they want to take their company, but may not have a clear idea of the IT decisions they’ll need to make along the way. Companies are also facing a plethora of technological changes that affect everything from marketing to cyber security, and they need to decide which tech solutions to adopt and how to prioritize them within their budget.

Without strategic IT planning, companies face various disadvantages:

- Wasted money on unneeded hardware and software.
- IT decisions that don’t align with business needs and objectives.
- A lack of focus and organization, and an emphasis on short-term thinking.
- A failure to anticipate technological developments and their effects on the company.
- An inability to prioritize the projects and expenditures that are most necessary at any given point.
- Poor communication between IT personnel and the rest of the company.

How can an IT road-map help?

Your company’s IT road-map is a master plan for how you’ll use technology to support your business operations and goals over the coming three to five years. The document clearly spells out your strategic IT planning, providing a detailed overview of the projects you wish to undertake and the decisions you’re prioritizing. Employees holding leadership positions in your company can use this document as a basis for discussing, planning, and guiding decisions. It’s an excellent collaborative tool, ensuring that everyone is on the same page. It helps your IT personnel work closely with employees in other departments to make the decisions best suited for your company.

How can you create an IT road-map?

Creating the road-map will involve input from company leadership and from your IT team (which includes your managed services provider and any in-house personnel). As for the content of the road-map, start by answering the following questions:

What are your company’s top priorities? Make a list of the important goals and milestones you want to reach, and the ways in which you envision your company developing. Even though this list isn’t specific to IT but applies to your company more generally, it will give your IT road-map coherence and remind you of the purposes underlying various IT decisions.

What IT projects or major tasks do you wish to undertake in the coming months and years? Organize these into a timeline that includes estimated start and end points and other information about the resources required (e.g. budget and personnel, including the employees overseeing each project). You can also categorize the projects by IT area. For instance, one category can be anything pertaining to your network architecture and the modifications you want to make to it; another can involve your e-commerce platform and how you want to develop it and keep it secure.

What are your justifications for each project? Spelling out the specific reasons for each project will help you prioritize them, position them appropriately in the timeline, and identify projects that you may want to delay, modify, or scrap. Especially for projects scheduled in the coming year, the justifications should be well-developed and detailed. For example, if you’re planning to adopt a new kind […]

NIST Draft Security Guidelines

The National Institute of Standards and Technology has issued a draft document on “Digital Identity Guidelines,” and it contains some surprises if you follow traditional password practices. Section 5.1 is the relevant section on “memorized secret authenticators,” more commonly known as passwords or PINs. The advice is based on the latest research, so it’s worth paying attention to even if it’s a change from current practice.

- The minimum length for user-selected passwords should be 8 characters, and ones with 64 characters or more should be allowed. The number of possible passwords goes up exponentially with their length, so a long one is a strong one.
- Letting the user store a hint about the password is a really bad idea. It makes the password easy to remember, but also easy for someone who sees the hint to guess.
- A service should check the user’s chosen password against a list of easily guessed ones. If there’s a match, the user should be required to pick another one. Too many people will pick obvious ones like “123456” (which is also too short) or “password.”
- Passwords should never be stored directly on the server. Instead, the server should store a hash of the password that meets certain minimum requirements. A hash is a value which is algorithmically derived from the password but doesn’t allow the password to be regenerated from it. This way, even if someone gets the password data from the server, the actual passwords aren’t compromised.
- The number of login attempts in a session should be limited.
- Password entry should use a secure connection.

Those requirements shouldn’t surprise many people, but now it gets interesting:

- The service shouldn’t “impose other composition rules.” That means it shouldn’t require, for instance, digits and special characters. NIST says that “users respond in very predictable ways to the requirements imposed by composition rules.” Adding a digit to the end of a password or replacing “o” with “0” doesn’t do much good.
- The service shouldn’t require periodic password changes for their own sake. It just makes people choose easier passwords or write them down next to the computer.
- Users should have the option of seeing their password as they’re entering it. Hiding it is good if others might see the screen, but it makes it hard to enter complex passwords, especially on a mobile phone keyboard where typing errors are easy.

Information theory says that a strong password is one with high entropy. Entropy, roughly speaking, is a measure of randomness. When applied to passwords, it’s measured in bits. The idea is that the number of possible passwords someone would have to guess from is the number of alternatives you can express in that many bits. Each additional bit doubles the amount of work needed to guess the password. The NIST document, though, finds this concept too vague to be useful and says that methods of calculating entropy aren’t very accurate. A known password has just one […]
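The verifier-side rules described above (length-only policy with a blocklist, no composition rules, salted slow hashing instead of storing passwords, and a cap on login attempts), as an added Python example that is not from the NIST document or the original post. The blocklist, the PBKDF2 work factor, the 128-character upper cap and the five-attempt limit are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for the list of easily guessed passwords the draft says
# a verifier must check against; a real deployment loads a large breach list.
BLOCKLIST = {"123456", "password", "qwerty", "letmein", "iloveyou", "welcome1"}
MIN_LEN = 8            # minimum the draft allows for user-chosen passwords
MAX_LEN = 128          # assumed cap; the draft requires accepting at least 64
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware
MAX_ATTEMPTS = 5       # assumed per-session limit on failed logins


def check_policy(password: str, blocklist=BLOCKLIST):
    """Apply only length and blocklist checks: deliberately no composition rules."""
    pw = unicodedata.normalize("NFKC", password)   # count code points consistently
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    if pw.lower() in blocklist:
        return False, "commonly used password"
    return True, "ok"


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a salted, slow hash so a stolen database does not yield passwords."""
    salt = salt or os.urandom(16)
    pw = unicodedata.normalize("NFKC", password).encode()
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    pw = unicodedata.normalize("NFKC", password).encode()
    candidate = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class LoginSession:
    """Counts failed attempts and refuses further guesses after MAX_ATTEMPTS."""
    def __init__(self, stored_hash: str):
        self.stored, self.failures, self.locked = stored_hash, 0, False

    def attempt(self, password: str) -> bool:
        if self.locked:
            return False
        if verify_password(password, self.stored):
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_ATTEMPTS
        return False
```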