PSRINC.com is the resource site for Information Technology management. This site contains the tools that the CIO, CSO, and CFO can use for Sarbanes Oxley, Disaster Recovery, Security, Job Descriptions, IT Service Management, Change Control, Help Desk, Service Requests, SLAs - Service Level Agreements, and Metrics.
PSRINC.com supports a wide range of industries and enterprises of all sizes. Our clients include over 2,500 premier corporations from around the world, including over 250 of the Fortune 500.
CIO - CTO - CSO News
Anonymous implements social media hacks
Anonymous distributed links to specially crafted Web pages via its Twitter feed which was re-tweeted widely, and links also popped up on Internet Relay Chat rooms, Facebook, Tumblr and other social networking sites. Some of the links led to PasteHTML.com, a site that looks a little like the popular text-sharing site Pastebin frequently used by Anonymous to issue statements. A variation of this method allowed users to type in the IP address of target Web servers before the JavaScript code began executing.
Most of the links were obscured using URL shortening services such as bit.ly. Several Anonymous Twitter accounts have thousands of followers, and some gained "hundreds of thousands of new fans overnight" during the course of the campaign, according to Cluley.
The new method appears to have helped knock Universal Music and other sites offline during last week's Megaupload-revenge attacks.
FedRAMP to drive cloud solution providers
The Federal CIO Council released the security control requirements for the Federal Risk and Authorization Management Program (FedRAMP), the new IT risk management program created to foster the adoption of cloud computing by the Federal government. FedRAMP provides a standardized approach to the security authorization process for cloud products and services, adopting requirements agreed upon by all Federal agencies and approved by the FedRAMP Joint Authorization Board (JAB). The security controls baseline is the basis for FedRAMP's standardized approach to the security authorization process for cloud products and services. The release of the FedRAMP controls is the critical first step toward successfully launching FedRAMP.
FedRAMP's unified risk management process will evaluate IT services offered by vendors on behalf of Federal agencies, saving agencies from conducting their own risk management programs. By reducing duplicative risk management efforts, FedRAMP will enable Federal agencies to focus their evaluations of IT services on their agency's specific needs, as well as their privacy and security requirements. In the coming month, GSA will release the FedRAMP Concept of Operations, further detailing the processes for Federal agencies and CSPs to meet FedRAMP requirements.
IT job descriptions updated to meet all compliance requirements
Internet and Information Technology Position Descriptions HandiGuide
243 Job Descriptions and Organization Charts; Sensitive Information Policy Compliance Agreement
The IT job descriptions contained within the Internet and Information Technology Position Descriptions HandiGuide® were completed in 2012. The guide contains over 700 pages in a new, easy-to-read format and includes sample organization charts, a job progression matrix, and 243 Internet and Information Technology (IT) job descriptions. The book also addresses Fair Labor Standards, the ADA, and sexual harassment. Each job description meets ADA standards, and the position descriptions are delivered in electronic format: Word (editable) and PDF (printable).
Security ignored by younger employees
Employees aged 18-30 tend to have lax attitudes about computer security and are more likely than their older counterparts to ignore IT policies, according to a recent Cisco report.
About 61 percent of young employees surveyed by Cisco researchers feel corporate IT security isn't their responsibility and should be handled by their employer or the device manufacturer, the researchers wrote in the third installment of Cisco's "Connected World Technology" report. "Young employees" in this report included 1,400 college students polled between the ages of 18 and 23 and 1,400 professionals polled under the age of 30.
Seven out of 10 young employees polled also frequently ignore IT policies and 67 percent feel the IT policies on social media and device usage are outdated and need to be modified to "address real-life demands for more work flexibility," according to Cisco. The younger workforce has "different" expectations of what should be allowed at work, and over time these policies and restrictions may become a deciding factor in where they choose to work.
The Security Manual for the Internet and Information Technology is over 240 pages in length. The template is compliant with ISO 27000 (formerly ISO 17799), Sarbanes-Oxley, the Patriot Act and HIPAA, and includes a PCI DSS audit program. All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address Sarbanes-Oxley compliance). In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes-Oxley.
Meeting productivity improvement
Ideas to improve meeting productivity:
- Have agendas with goals and objectives. It's considered bad business manners to send a meeting request without providing an agenda. When calling a meeting, focus the agenda on expressly stating the goal(s) of the meeting.
- Replace the default 60-minute meeting time slot with a 20-minute meeting unit. For some inexplicable reason, people seem to naturally default to 60 minutes as the amount of time needed for a meeting. And while that may be the case in certain circumstances, it should not be the default position. In place of a 60-minute default time slot, adopt the 20-minute meeting unit. If a particular topic needs more time than that, it is up to the meeting organizer to convince the participants that two (or three, or four) meeting units of 20 minutes are necessary.
- Have people stand during the meeting. It is too easy to "waste time" when everyone is sitting.
- Orient the meeting toward follow-ups and actions. Meetings produce lots of ideas and discussion. That's wonderful. But the real purpose of most meetings is to agree on next steps and actions. Keep a focus on targeted actions and your meetings will be productive. Allow them to become discussion forums for "important issues," and they will feel long and painful.
Security risk from easy access to user logon information
Users have dozens of logins and passwords spread out across an equal number of sites and applications and it's no wonder the average user tends to forget their secret info. Even with a tried and true system for generating memorable but complex passwords, the formula could easily fall apart if you just can't remember it.
So rather than continually clicking the "Forgot Your Password?" help link, folks are readily hiding login information around their computer station.
And given that there's little variety in those secret locations, "hiding" might be a stretch. Typically a user's password was somewhere on their desk in one of these easy-to-find locations.
The most common locations where folks hide their login information are:
- Under the keyboard
- Under the phone
- Under the mouse pad
- On the monitor
- In the top drawer
- Under the desk
In other words, you're not doing yourself any favors if your entire system is compromised by a casual, passing glance from someone outside your office window.
Instead of the highly visible Post-It note on the monitor, Janco Associates recommends secure password aggregators to keep your login information secure.
Is the death knell for Adobe Flash sounding?
Adobe Systems is ending development of its Flash plug-ins for mobile browsers, the company confirmed today. Instead, Adobe will focus on HTML5 and, to a lesser extent, its AIR runtime environment. Adobe says it will work on tools that convert Flash content and apps to HTML5 and AIR versions for use on mobile, rather than continue to develop its mobile Flash Player.
At the same time there continue to be reported problems with Adobe Flash with IE in the 64 bit environment along with the frustration of users with the Adobe Update process.
Adobe has been working on mobile Flash for years, but shipped an Android version only a year ago and on both HP WebOS and the RIM BlackBerry PlayBook tablet this summer. Apple has adamantly refused to allow Flash on iOS over performance concerns (though it does allow AIR), and Flash has also not appeared in the BlackBerry smartphone OS or in Microsoft's Windows Phone 7 despite Adobe's promises to do so.
How to terminate an employee
When you are going to terminate an employee and have prepared properly, you should follow these best practices. Terminations are one of the most difficult personnel issues managers have to deal with; it's easy to bungle them. Avoiding the following pitfalls will reduce your risk of a wrongful termination lawsuit.
Plan for the termination meeting - Winging a meeting with an employee you are firing is a bad idea. If you don't prepare what you're going to say to the employee, you could speak out of turn, and your comments could be the basis for a lawsuit. Before the meeting, managers should decide:
- What they're going to say during the meeting
- What's going to happen after the meeting
- Whether the employee will be allowed to collect his belongings from his desk, or whether the company will pack them up and send them to him
- If the employee has company files at home, the manager needs to figure out how to get those files
- Have in hand the employee's final paycheck and include pay for any unused vacation
- Provide the employee with a COBRA notice so he knows how much it will cost to continue his health insurance.
Planning the details of the termination helps demonstrate respect for the employee. It shows you care enough about the employee to think about the questions and issues the employee will face.
Have two people present in the meeting other than the individual being fired. That way, if you end up in litigation, it's not one person's word against the other. It's better to have a second person from the company who can indicate exactly what was said.
Be serious and do not joke about what is going to happen, and do not treat it like a cattle call. Some employers who have to do large layoffs round up employees like cattle in a conference room and tell them all at once that they're getting pink slips. This disrespectful tactic breeds ill will among the affected employees toward their former employer.
Get to the point quickly - Managers should never start a meeting in which an employee is going to be terminated with pleasantries. "It's cruel to mislead the person about the conversation," she says. Instead, managers should cut to the chase: "We're meeting today because your position has been eliminated" or "because we need to let you go."
- If the termination is due to the employee's poor performance, managers should have a line and stick to it, such as, 'We've discussed your performance several times. This job is no longer a good fit.'
- If the employee is part of a layoff motivated by economic or financial circumstances, it's best to say something simple such as, 'Your employment is being terminated due to a necessary reduction in force. The reason we have to do a reduction in force is because of the tough economic climate,' and leave it at that.
Be truthful about the reason for the termination - Managers who feel bad about having to lay off staff will sometimes try to soften the blow to the employee during the termination meeting. The manager might say, "We have to cut you, but it has nothing to do with your performance. You were a great employee, but I need to let you go, and it's completely and solely related to cost reasons."
Such non-truths become problematic when the decision to lay off the employee was in fact performance related. If that individual decides to file a lawsuit alleging he was fired because of his age, the company will respond to the claim by saying, "You weren't fired for your age. You were fired because your performance was the lowest among the people we chose." The plaintiff will in turn respond, "During my termination meeting, you told me my performance was great and that it had nothing to do with the reason for my termination." That alone can make an employer liable.
Do not broadcast the termination news over social media. Today there are lawsuits and legal claims related to updates managers have posted to Facebook, Twitter or LinkedIn in which they disclose details of employee terminations.
Offer employees a severance agreement in return for a release of all legal claims - It helps the employee because it aids in their transition and doesn't preclude them from seeking unemployment insurance. From the employer's perspective, severance agreements are important because the employee will release the employer of all claims related to or arising out of the employment, if they accept the severance package. That will take care of tort claims, contract claims, discrimination claims and wrongful termination claims.
Core network security protection best practices
Network security basic protection rules:
- Don't grant your users local administrator rights. This is cumbersome, but it ensures that the local hash database resists compromise, keeping other users' hashes away from prying eyes.
- Use domain administrator credentials only on machines with domain controller roles installed. Use delegated administrator accounts with fewer rights to perform privileged actions on other machines like client computers and member servers.
- Don't grant junior administrators local administrator rights on servers. Avoid granting anyone local administrator access on servers.
- Consider setting up a whitelist of known-good applications. For some organizations, this is a trivial task, but it will prevent the operation of the utilities used in attacks and any other utilities that may come out to make this attack easier to execute.
- Never use the domain administrator account to grant privileges to service accounts.
Service-Oriented Architecture and IT Service Management Are Keys To Success in the Recovery
SOA and ITSM drive success and productivity
Customers like to feel loved, and they are turned off very quickly when they sense that you do not care about the pain they are feeling. Even if you cannot help them because the situation is beyond your control, acknowledge that you understand both the situation and their frustration.
No customer wants the person serving her to be distracted or preoccupied. Ever go to the local mall and try to get help from a teenager focused more on texting her friends than helping you find what you're looking for? On the other hand, being too focused can be a bad thing. Have you ever asked an innocent question out of curiosity and then found yourself stuck for an eternity while a customer support person hunts endlessly for an answer? This person is likely so focused on getting the answer that he does not realize that you really do not care that much about it and would rather not wait for an answer to an inessential question. Be sure your people understand the degree of focus required for the job.
Even if the employee has the right skill set and experience, his odds of being successful and remaining on the job are low if his core behaviors and tendencies do not line up with those needed for success in that particular role. This is especially true for customer-facing roles in which your frontline employees act as extensions of your brand and heavily influence the customer experience.
Security for mobile devices is a major issue for CIOs
With the proliferation of smartphones and tablets, workers can now process business emails, produce work content, and conduct meetings straight from these devices. They can also perform personal financial transactions, shop online, and even file their taxes with the IRS from the same device and at the same time. Mobile devices are the future credit cards and identity carriers, as well as our portals into the digital world.
This trend is driving more organizations to support personally owned devices in the work environment, allowing employees anytime, anywhere access to business resources. In North America and Europe more than 50% of firms support employee-owned mobile devices and smartphones. This empowered workforce uses groundswell technologies such as mobile devices to drive increased productivity, innovation, and improved customer service.
The business tasks both IT operations and security professionals with making sense of the complexities of supporting personal devices in the corporate environment. Depending on the industry that you are in, consumerization can present challenges to your security, compliance, and legal requirements. Determining what these challenges are is the first step when crafting a strategy to manage these new endpoints in your corporate network.
Data governance and records management objectives
The objectives for records management and data governance fall into three major areas:
- Finding out what's in place. Organizations have historically had a rather laid-back approach to data governance, in large part because the (relatively primitive) native security controls haven't offered any other option. Moving forward, a critical first step is to find out exactly what's in place to begin with.
- Minimizing IT's role as gatekeeper. Because the IT team has historically been the only group of people who could modify resource access permissions, they've been thrust into the role of deciding who permissions are given to. That's inappropriate, since IT rarely has the information needed to properly govern access to resources. While IT may continue to be responsible for implementing access controls, moving forward we need to remove them from the role of actually governing, and instead put that burden on the people within the organization who actually own the data.
- Improving consistency. Inconsistent application of permissions and inconsistent configuration of file servers are leading contributors to downtime, lost productivity, security breaches and more. Organizations seek to create a single, consistently configured and consistently governed environment that provides users with access to exactly the resources they need - no more and no less. An example would be a merger that brings in another directory and permission system very similar to the existing one.
Some good news on the job front
From March 2010 to March 2011, employment increased in 256 of the 322 largest U.S. counties, according to the U.S. Bureau of Labor Statistics. Elkhart, Ind., posted the largest percentage increase, with a gain of 6.2 percent over the year, compared with national job growth of 1.3 percent. Within Elkhart, the largest employment increase occurred in manufacturing, which gained 5,125 jobs over the year (12.4 percent). Sacramento, Calif., experienced the largest over-the-year percentage decrease in employment among the largest counties in the U.S., with a loss of 1.6 percent. The U.S. average weekly wage increased over the year by 5.2 percent to $935 in the first quarter of 2011. Among the large counties in the U.S., Peoria, Ill., had the largest over-the-year increase in average weekly wages in the first quarter of 2011, with a gain of 18.9 percent. Within Peoria, professional and business services had the largest impact on the county's over-the-year increase in average weekly wages. Williamson, Texas, experienced the largest decline in average weekly wages, with a loss of 3.8 percent over the year. County employment and wage data are compiled under the Quarterly Census of Employment and Wages (QCEW) program.
Businesses are failing to maintain PCI compliance
It is no longer the case that PCI DSS is too hard for companies to comply with. However, companies reach compliance and then, as the year progresses, fall out of compliance for the rest of the year.
Many firms continue to have problems with protecting card holder data, tracking and monitoring access to sensitive data, and regularly testing system security and processes. These are PCI DSS requirements 3, 10, and 11, respectively.
The problem is that companies are treating PCI compliance as a goal to reach and not a state to maintain.
The relationship of PCI compliance to actual security has been debated. However, many security experts argue that the regime is a good starting point for implementing a data protection process within businesses. According to the annual Data Breach Investigations Report, 89 percent of companies that suffered a breach in 2011 were out of compliance with the standard.
IT is targeted in government budget cuts
IT cuts are among the recommendations on a list of proposals sent to the deficit super committee from the GOP side of the Senate Subcommittee on Oversight of Government Management.
Updating IT infrastructure and closing some federal government computer data centers could save $.2 billion. The government could realize major cost savings in the management of its IT workforce. Better technology enables computers to run at far higher levels of efficiency and utilization than in previous years, doing more tasks with fewer employees, fewer computers, and fewer data centers.
In support of the Select Committee's work, the minority staff of the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia found more than $1.4 trillion in savings over 10 years in areas under the subcommittee's jurisdiction. More than half of these recommendations had been identified previously elsewhere, and the subcommittee is pleased to commend these good ideas of others to the attention of the Select Committee.
User security weaknesses
As much as CIOs and CSOs would like to, they know it is impossible to monitor and control every single thing their company's workers are doing with the corporate devices and technology available to them. Chances are, CIOs and CSOs have too many people to look after, and when it comes to monitoring the organization's network, these IT executives have to focus on the truly alarming activities at the expense of some of the more mundane, but at times equally dangerous, behaviors that are going on. It's unfortunate, since many cyber-attacks come in by way of common human error.
Janco has found several places where users can compromise a secure network and organizational data. The security holes are:
- Users let others use their corporate devices
- Users access personal email accounts from their corporate devices
- Users find ways around filters for sites they visit or email they get
- Users leave their corporate device unattended in a hotel room, restaurant or a bar when they are away from the office
- Users access corporate data on an open or unprotected network
- Users install unapproved software on their corporate device
- Users access a link on their personal social network site
- Users copy files off of a corporate device
True Total Cost of Ownership (TCO) of Cloud Based Applications Not Clearly Defined
Today's Cloud feeding frenzy has been fuelled by heady promises of low costs, almost instant functionality and, ultimately, IT Nirvana.
The arrival of Cloud as a technologically viable alternative to on-premise or traditionally-hosted enterprise applications can make for some interesting discussions, but if you are unable to compare costs between applications - typically a per-user per-month per-application calculation - how can you assess whether a particular Cloud offering is low cost compared to its equivalent on-premise system?
It's those putative lower costs, of course, that make most CFOs sit up and pay attention. But if the primary driver behind your Cloud initiatives is to reduce IT costs, then you need to take a second and third look at your financial assumptions.
The Cloud vs. traditional on-premise computing cost argument can be clouded by the way organizations structure and report their IT spend. Those organizations that report IT expenses in the form of the standard chart of accounts, typically broken down into staff costs, depreciation, utility, maintenance, and so on, may not be able to state accurately the actual total cost of a specific application. So if you are looking to replace one of your on-premise applications with a Cloud equivalent because you think it will be cheaper, then you had better be sure that that is indeed the case.
The TCO exercise for Cloud applications needs to factor in all costs. For example, there are outgoing system exit costs such as write-off's associated with the depreciated value of associated IT assets on the balance sheet and early contract termination penalties for existing services. Also, if you need the Cloud application to talk to any other systems, you may also need to subscribe to yet another Cloud application (or hire consultants) to manage data integration, authentication, and so on.
Once you have developed a full cost profile for the Cloud system, due diligence requires you assess the TCO over the expected life of the system. Large enterprise systems typically are in use for at least three years - many for much longer. By subscribing to Cloud, however, there may be an undue emphasis (at the expense of the full life-cycle TCO) on short-term costs associated with the monthly or annual subscription renewal periods.
At the very least, doing the cost due diligence with some rigor will let you know with a greater degree of confidence that the Cloud's promised benefits are realizable. The key message here is not to assume that Cloud-based applications are always going to be cheaper than an in-house equivalent. If you own IT applications and infrastructure that still have some life in them, your switching costs may be far from trivial. If, however, your existing IT is at the end of its life, the Cloud may indeed be a viable, cost-efficient way to go.
Mobile Computing a plus or a minus?
The rapid emergence of a mobile culture is leaving businesses around the globe vulnerable to security breaches.
More than half of all business users use their own personal mobile devices such as Android phones and iPads for work, with most of them connecting them to their employers IT systems. There is widespread failure to comply with organizational security policies, leaving work systems vulnerable to cyber-attacks and security breaches. Despite this, most workers still expect to have full unfettered access to all their personal online accounts and social networking sites throughout their working day.
There is a widespread mob culture that's building up in the workplace as people's personal and work lives merge through technology. Workers expect their employer to foot the bandwidth costs for their personal devices, enabling them to do online banking, or access Facebook, for example, but flatly refuse to conform to their work security measures. This behavior is exasperating business owners and senior management.
Research reveals that equipping workers with the latest smart devices makes employees feel valued and increases company loyalty. As businesses are increasingly reliant on platforms such as Twitter and LinkedIn to improve business efficiencies and strengthen communication, business owners welcome the news that most current workers use their own devices to keep in touch with work outside of office hours, meaning they are more likely to maintain focus on their jobs from one day to the next.
During the last few years there has been a rapid increase in the number of people using social media, and it is now a fixture of our everyday work and personal lives. Today, social networks connect people to the world around them, and employees expect to be able to access their personal online accounts in the workplace. What is alarming is that, despite this, few companies have established formal processes for handling social networking tools in the workplace. Even fewer have expanded this to mobile workers or personal devices, compromising any previous investment that they may have made to secure their network or corporate image.
Banning the use of social media or access to personal online accounts in the workplace seems like an archaic approach and one that could compromise productivity. The good news is that, as a result of ever-developing technologies, there are a range of solutions available to help businesses safeguard themselves against security threats.
Recovery Point and Recovery Time Metrics
Recovery point objective (RPO) refers to the amount of data loss a customer can tolerate, specifically the point in time to which your enterprise must be able to recover the data. Some enterprises require an RPO of ZERO. That means the enterprise cannot lose a single committed transaction in the event of a site failure; they must be able to recover the data back to the zero minute of the time of the disaster. There are implications to setting up an RPO of zero. The replication solution will require synchronous replication (explained in detail later in this section) and may impact performance of the application being replicated.
An RPO of greater than zero, for example 30 minutes, can be handled differently. An RPO of 30 minutes means the customer can tolerate losing the last 30 minutes of transactions in the event of a site failure. If the disaster occurs at 12:00, the customer must be able to recover the data to at least 11:30 (30 minutes prior to the disaster). This can most likely be accomplished with asynchronous replication with minimal performance impact to the application. In this situation, careful planning and monitoring of the write-history log is essential to support the expected RPO.
An RPO can only be determined by the customer's business rules and the other governance requirements of their environment. The customer must weigh the risk of data loss in a higher RPO against the cost and performance impact of a zero RPO.
Recovery time objective (RTO) refers to the amount of time it takes a customer to get their backup site up and running after a complete failure at the primary site. Most customers have an RTO of anywhere from 15 minutes to 8 hours, though the average is about 2 hours. This includes the time to fail over the replicated LUNs (Logical Unit Numbers) to the backup EVA (Enterprise Virtual Array), recover the backup database and bring it online, and redirect any applications to the backup database server. A faster RTO can usually be accomplished by prestaging the backup site to the greatest extent possible.
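The RPO and RTO checks described above, worked through in code. This is an added example, not part of the original article: the write-history log, the failover step durations and the disaster time are all constructed sample values, and the 12:00 disaster with a 30-minute RPO mirrors the scenario in the text.

```python
from datetime import datetime, timedelta

# Constructed write-history log for an asynchronously replicated database.
# Each entry is (commit time at the primary, time the write landed at the
# backup site). Writes still in flight when the site fails have no
# backup-side timestamp (None) and are the data that would be lost.
WRITE_HISTORY = [
    (datetime(2024, 1, 1, 11, 20), datetime(2024, 1, 1, 11, 21)),
    (datetime(2024, 1, 1, 11, 35), datetime(2024, 1, 1, 11, 36)),
    (datetime(2024, 1, 1, 11, 41), datetime(2024, 1, 1, 11, 43)),
    (datetime(2024, 1, 1, 11, 58), None),   # in flight at the disaster
    (datetime(2024, 1, 1, 11, 59), None),   # in flight at the disaster
]
DISASTER = datetime(2024, 1, 1, 12, 0)      # the text's 12:00 site failure

# Constructed failover step estimates (minutes) for the RTO calculation,
# following the three steps named in the text.
FAILOVER_STEPS = {
    "fail over replicated LUNs to backup array": 20,
    "recover backup database and bring it online": 60,
    "redirect applications to backup database server": 15,
}


def recovery_point(history, disaster_time):
    """Latest primary commit that had reached the backup before the disaster.

    This is the point in time the backup site can actually recover to.
    """
    applied = [commit for commit, landed in history
               if landed is not None and landed <= disaster_time]
    return max(applied) if applied else None


def lost_transactions(history, disaster_time):
    """Committed transactions that never reached the backup before the disaster."""
    return sum(1 for commit, landed in history
               if commit <= disaster_time
               and (landed is None or landed > disaster_time))


def data_loss_window(history, disaster_time):
    """How far behind the disaster the recovery point is (the text's 'lost minutes')."""
    rp = recovery_point(history, disaster_time)
    return None if rp is None else disaster_time - rp


def rpo_met(history, disaster_time, rpo):
    """True if the recovery point satisfies the RPO.

    A zero RPO means no committed transaction may be lost, which only
    synchronous replication can guarantee; a non-zero RPO is checked
    against the recovery point, e.g. 12:00 - 30 min = 11:30 in the text.
    """
    if rpo == timedelta(0):
        return lost_transactions(history, disaster_time) == 0
    window = data_loss_window(history, disaster_time)
    return window is not None and window <= rpo


def synchronous_history(history):
    """Model synchronous replication: a write is only committed once the
    backup acknowledges it, so every committed entry has landed at commit
    time and unacknowledged writes never counted as committed."""
    return [(commit, commit) for commit, landed in history if landed is not None]


def estimated_rto(steps, prestaged=frozenset()):
    """Sum the failover steps not already done in advance (prestaging)."""
    minutes = sum(m for name, m in steps.items() if name not in prestaged)
    return timedelta(minutes=minutes)


def rto_met(steps, rto, prestaged=frozenset()):
    return estimated_rto(steps, prestaged) <= rto


if __name__ == "__main__":
    print("recovery point:", recovery_point(WRITE_HISTORY, DISASTER))
    print("lost transactions:", lost_transactions(WRITE_HISTORY, DISASTER))
    print("30-min RPO met:", rpo_met(WRITE_HISTORY, DISASTER, timedelta(minutes=30)))
    print("zero RPO met (async):", rpo_met(WRITE_HISTORY, DISASTER, timedelta(0)))
    print("zero RPO met (sync):",
          rpo_met(synchronous_history(WRITE_HISTORY), DISASTER, timedelta(0)))
    prestaged = {"recover backup database and bring it online"}
    print("RTO without prestaging:", estimated_rto(FAILOVER_STEPS))
    print("RTO with prestaged database:", estimated_rto(FAILOVER_STEPS, prestaged))
```

Running the sample shows the asynchronous log recovers to 11:41 (19 minutes of loss, inside a 30-minute RPO but failing a zero RPO), while prestaging the database recovery cuts the estimated RTO from 95 to 35 minutes.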
Mobile Device Policy
Every organization needs to identify and develop mobile security policies to be deployed which will provide adequate protection. The level of protection has to be aligned with the level of risk that your organization is willing to accept. These policies should ensure that the many regulatory or compliance concerns that might be applicable are addressed. The mobile security policy should be integrated within your overall information security policy framework. Key elements to address in the mobile device security policy are:
- Physical security of the device
- Address lost or stolen devices
- Acceptable uses of the device
- Encryption
- Password protection
- Storage
- Backup
- Access Control
- Authentication
- Monitoring
The purpose of this policy is to define standards, procedures, and restrictions for end users who have specific and authorized business requirements to access enterprise data from a mobile device connected via a wireless or unmanaged network outside of ENTERPRISE's direct control. This policy applies to, but is not limited to, all devices and media that fit the following device classifications:
- Smartphones
- PDAs
- USB applications and data
- Laptop/notebook/tablet computers
- Ultra-mobile PCs (UMPC)
- Mobile/cellular phones
- Home or personal computers used to access enterprise resources
- Any mobile device capable of storing corporate data and connecting to an unmanaged network