Feed Description


Individual Policies

All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format for those clients who just need this particular policy.  All policies are Sarbanes-Oxley compliant.

Internet, E-Mail, and Electronic Communication Policy

This policy is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and Sensitive Information), and covers:
  • Appropriate Use of Equipment

  • Mobile Devices

  • Internet Access

  • Electronic Mail

  • Retention of Email on Personal Systems

  • E-mail and Business Records Retention

  • Copyrighted Materials

  • Banned Activities

  • Ownership of Information

  • Security

  • Sarbanes-Oxley

  • Abuse

Included are these ready to use forms:

  • Internet & Electronic Communication Employee Acknowledgement

  • E-Mail - Employee Acknowledgement

  • Internet Use Approval Form

  • Internet Access Request Form

  • Security Access Application Form

Sensitive Information Policy

This policy covers the treatment of Credit Card, Social Security, Employee, and Customer Data.  The policy is 15 pages in length. This policy complies with Sarbanes-Oxley Section 404.

The policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).

Travel and Off-Site Meeting Policy - Protection of data and software is often complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other employees, contractors, suppliers and customers, data and software can be compromised.  This policy is four pages in length and covers:

  • Data and application security

  • Minimize attention

  • Shared public resources

  • Off-site meeting special considerations

Outsourcing Policy - This policy is seven pages in length and covers:

  • Outsourcing Management Standard

    • Service Level Agreement

    • Responsibility

  • Outsourcing Policy

    • Policy Statement

    • Goal

  • Approval Standard

    • Base Case

    • Responsibilities

    Note: See the Practical Guide for Outsourcing, a document of over 110 pages, for a more extensive outsourcing process.

Security

IT Salaries Fall According to Janco - June 28th, 2009 12:30 PM

Janco released its 2009 Mid Year IT Salary Survey which shows that overall pay has declined for IT Professionals in the past 18 months. Janco also found that demand is down for IT Professionals.  The CEO of Janco, Victor Janulaitis stated, "The current economic climate with its cost cutting mindsets, business closures, and extensive outsourcing has put such great pressure on the IT job market that overall pay has been impacted.  Added to that many 'baby-boomers' who had planned on retiring in the next few years are not leaving the job market and you have more potential employees than positions available."

IT Salaries

Janco has captured IT compensation statistics since 1996 and publishes its IT Salary Survey semiannually. The IT Salary Survey is based on Janco Associates, Inc. IT Professionals compensation database.  Compensation benchmark hiring and salary ranges are established for each position surveyed. In analyzing the study data, the upper and lower quartiles are eliminated to determine benchmark ranges. The benchmark ranges are then used to assess the alignment of a company's actual compensation to the marketplace for each job function. A summary of the most recent salary survey can be downloaded by visiting Janco IT Salary Survey at http://www.e-janco.com/Salary.htm.


Cutbacks Impact Fringe Benefits for IT - June 20th, 2009 08:53 AM

Fringe Benefits Fall for IT Professionals

In preliminary results for the Janco 2009 Mid Year Salary Survey, Janco has found that fringe benefits like insurance, 401Ks, flexible hours, bonuses and stock options are being reduced by enterprises as they struggle to contain costs.  Janco has tracked this trend for several quarters.  The CEO of Janco, Victor Janulaitis said, "Over the first two quarters there has been a noticeable reduction in costs associated with employees.  Companies of all sizes freezing salaries, laying-off staff, making employees pay a larger portion of their insurance cost, decreasing bonuses, and cutting other benefits."

The 2009 Mid Year IT Salary Survey will be released at the end of June and more information is available on Janco's websites.

Change Management Issue for Measuring IT Success - June 4th, 2009 01:41 PM

A significant number of service disruptions are due to poor change processes, including flawed impact assessment. The cost to the business of these self-inflicted wounds is high. Poorly managed change results in many negative outcomes including:

  • poor quality of service
  • dissatisfied business customers
  • unnecessary rework
  • missed deadlines
  • higher operating costs
  • poor employee morale and infighting
  • downtime of business critical services

It is no surprise to anyone associated with IT management that along with the increase in the rate and complexity of change has come a corresponding increase in the interest associated with using a best practice approach to change management. ITIL v3 says that changes should be managed to:

  • Optimize risk exposure (supporting the risk profile required by the business)
  • Minimize the severity of any impact and disruption
  • Be successful at the first attempt

While many firms are investing in change management as a best practice, doing it well remains difficult. There are many hurdles that must be overcome to implement a change management process that not only follows a best practice approach but also yields outstanding results. The challenge becomes obvious when you consider that many changes within a large enterprise span multiple geographies, involve multiple teams and organizational units and include infrastructure elements that cross multiple domains—network, servers, storage, and applications.

Where to Start with Security - June 1st, 2009 04:33 PM

The keys to sound security are often considered to be deployment of a sensible security risk analysis approach, compliance with a recognized standard such as ISO 17799, ISO 27000 or BS 7799, development of comprehensive information security policies, and deployment of a detailed security audit program.

But where to start? The answer is easy: the Janco Security Policies and Procedures Template and the Janco Audit Security Program.  Risk analysis is often presented in a confusing and over-complicated manner, ISO 17799, ISO 27000 or BS 7799 compliance can seem a daunting task, security policies can be totally ignored in practice, and security audit is sometimes less effective than it should be due to over-stretching of busy audit professionals.

http://www.e-janco.com/SecurityAudit.html is intended to provide a launch pad to help alleviate these difficulties. Janco has an approach that works.

Whether you need a security risk analysis method/product, guidance on how to achieve compliance with ISO 17799, ISO 27000, BS 7799 or your own IT security policies, or whether you simply wish to increase the productivity of your security audit team, the resources at Janco should help.

The IT Security Manual Template provides all the essential sections of a complete security manual and walks you through the creation of each step. Detailed language addressing more than a dozen security topics is included in a 220 plus page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements.


Get US IT Salary Data - May 26th, 2009 03:26 AM

Participate in the IT Salary Survey and get a free copy of the study when it is released in July.

The Janco Associates, Inc. salary survey draws on data collected throughout the year by extensive interviews, internet-based survey data, and survey forms completed by businesses throughout the United States and Canada.  The database contains over 50,000 data points for each reporting period.

Are you paying too much or too little to your IT staff? Do you have IT job descriptions? Are you earning what you're worth? Whether employer or employee, it is important to know what other companies are paying in total compensation for a similar position in your area. Learn how your company compares in the area of compensation.


CIOs Cost Control - May 20th, 2009 11:27 AM

In order to manage IT costs effectively, CIOs need to review their existing IT operations with an eye towards doing more for less.  The first areas to review are:

  • Utilization (Equipment and Personnel) - IT utilization typically measures the capacity of the physical hardware that an organization is using to support its business. Generally, the most common metric is server utilization.  Despite only using a portion of the server resources, organizations are still paying for and supporting the entire device. The same is true of personnel.  Charge back systems should be set to cover 100% of the cost of all resources.  If a CIO sees that only 10% of a resource is utilized then that can be a candidate for consolidation.
  • End-user support - Enterprises typically have an internal help desk. Generally, this internal help desk is responsible for supporting end users' client devices. When IT budgets get cut, one area that usually comes under investigation is the internal help desk. However, the internal help desk can be essential to providing support for the end users and maintaining employee productivity.
  • Maintenance and support budget - By far the largest component of the IT operations budget is for external support services. In many cases, organizations are either under- or over-supporting their IT environments and adding additional costs.

H-1B Visas are Under Fire - May 18th, 2009 10:45 PM

The H-1B program is under fire in Washington.  The economy has finally gotten to the point that Congress is listening to the concerns of laid-off technology workers.  U.S. Department of Homeland Security Secretary Janet Napolitano told a congressional committee that ensuring that U.S. workers have jobs is one of her "top obligations," and she said that her agency is stepping up its enforcement of the H-1B program.

Napolitano said that the department has added fraud prevention tactics that were not being used previously in the H-1B program. Those measures include visits to work sites. Napolitano was responding to a question from Senators who have introduced legislation called the H-1B Visa Fraud and Abuse Protections Act (S.887). The reform bill includes a number of restrictions and enforcement provisions, including audits of employers.


Microsoft's IE Loses Almost 6.5% of the Browser Market in the Last 12 Months - May 13th, 2009 09:29 AM

Park City, UT - Janco and the IT Productivity Center have just released their May 2009 Browser and Operating System Market Share White Paper. The major findings are that Microsoft's IE browser market share has fallen to 66.81% versus 73.23% in May 2008 and 76.40% in March 2008; Firefox has maintained its number 2 browser position and is used by almost 19.55% of all users; Google, with its Desktop and Chrome offerings, has just over 5.4% of the market; and acceptance of Vista continues to be below Microsoft's expectation.

Victor Janulaitis, the CEO of Janco, said, "The major browser findings of the study are: Microsoft's Internet Explorer's market share has stabilized and Google's Chrome is a non-event." He added, "... IE 8 has been released but its acceptance is slow at best." The White Paper has a detailed historical analysis of browser market share since 1997. The findings are supported by data which is provided both graphically and in spreadsheet format.

Browser Market Share

On the Operating System front, Microsoft's Vista is installed on just under 1 in 5 desktops (17.34%) after over 30 months since Vista's first release (RC1). Janulaitis added, "Vista proves that large companies like Microsoft can and do make huge blunders in technology. Microsoft can no longer count on moving users to new products like Vista as quickly as they want."

A summary of Janco's white paper can be found on Janco's web site (http://www.e-janco.com/browser.php) and the IT Productivity Center's web site (http://www.itproductivity.org/browser.php).

CIOs Need to Have Programmers Who Are Experts in Multiple Programming Languages - May 4th, 2009 04:51 PM

CIOs need to hire programmers who know more than one programming language.  Americans have a reputation for only speaking one language. Small surprise, then, that the same is often true for American programmers. Today's computer science graduate often leaves school with a strong knowledge of only one programming language -- typically a major systems language, such as Java or C++ -- and goes on to a career based almost exclusively on that language.

On the surface, this makes sense. C++ and Java are both highly versatile, complex tools. Just learning the syntax of either one is nothing compared to the amount of study it takes to become familiar with the whole ecosystem of associated libraries and frameworks. Not to mention that both languages are widely used; if the CIO does not staff with programmers who know both, they cut their enterprises' capabilities dramatically.

Best Practices For the Resume Review Process - April 20th, 2009 02:55 AM

Best Practices for Screening Resumes

  • Define job requirements clearly for recruiters and electronic posting - You do not want to waste your time looking at resumes of individuals who are clearly not qualified.  In the current job market, some active job applicants apply for anything even when they are not remotely qualified for the position that you are trying to fill.  If a recruiter sends you candidate resumes that fall into this category, warn them and then stop using them if they continue.  A full job description with specific accountabilities, authority, and position requirements should be part of the materials that are used in communicating the needs of your enterprise. "Must have led an ecommerce Internet development team that implemented a customer WEB 2.0 application" is much different from "5+ years experience as lead developer."
  • Use consistent rules to select and reject resumes - Communicate so that the screeners/recruiters and hiring manager have the same understanding of the job requirements before the screening process starts. For example, screeners/recruiters should review a sample of several real resumes, in real time, with the hiring manager, who should define the "must-haves" and "nice-to-haves." Why does one resume go in the yes pile, while a similar one goes in the no pile?
  • On the first pass spend no more than 20 seconds on any resume - In the current job market, it is typical to get 100 to 200 resumes for a single position.  Given that volume, it will take one to two hours to get through the first pass.  You want to get through all of the resumes that you have, and with luck you should be able to find between 10 and 15 individuals who can be phone screened.
  • Create a scorecard with the must-have requirements - Create a simple checklist of ten questions or fewer to help you stack rank your applicants. Define items for the checklist that highlight your requirements for the key experience, skills, and technology. Use this tool in the resume review and in the phone screening. For example, "How many years of commercial web ecommerce experience do you have writing HTML and XML?" or "What specific application development and version control tools have you used?"
  • Eliminate resumes that are too long and filled with acronyms and buzzwords - Many candidates have figured out that loading up their resumes with acronyms and buzzwords (i.e. technologies) may win them an interview. Instead, accept resumes that communicate hands-on experience using the technologies listed in your job requirements. Focus on resumes that show where and when the technology was used on the job. Keywords that show up in the bullets under job history summaries are better than keywords that show up at the top or bottom of tech resumes in the skills summary section.

Best Practices for Phone Screening

  • Before starting see if anyone knows the potential candidate - There are many candidates in the market who have either a great reputation or a poor one. Time is precious and if someone is not "hirable" by your enterprise then do not waste your time.
  • Rank the candidates before they are phone screened - Use the scorecard to rank the resumes and any known history about the candidates, and then budget your time so that you spend enough time on each phone screen to find the candidates who are hirable.
  • Know what the deal breakers are for the hiring manager - The focus of a phone screen is to weed out the unqualified applicants while selling the enterprise to the top candidates so that you invest time with onsite interviewees who are most likely to get offers. Validate that each candidate you pass on to the interview has the required capabilities, meets the salary and eligibility requirements, and wants to do this type and level of work.
  • Experience counts - Focus on the on-the-job skills and job-specific accomplishments. What have they done, in what industry, with which technologies, on what kind of resources and team, over what kind of timeline?
  • Motivation and mind set are important - In this economy, there is a greater risk of having candidates who just want or need a job and will say or do anything to get a position. Gain an understanding into what they loved about their current and past jobs and what they hope to find if they join your enterprise.  Ask this before you tell them all about your culture and resources.
  • Protect your enterprise reputation - Even though there may be hundreds of applicants for every opening you have, build your reputation as an employer one candidate at a time. Several years from now you may be interviewing with the candidate or working with them at another company. Even though you may be in the driver's seat, treat every candidate with respect. Follow the basics: start your phone interviews on time, ask fair, relevant questions, let them ask you a few questions, and always follow up.

Unlimited Web Access Puts Companies at Risk - April 16th, 2009 10:15 AM

When enterprises allow their employees to have uncontrolled free access to the web they run a serious risk that there will be misuse of the web. Web misuse has serious implications for your enterprise and its employees.  The implications are:

  • Reduced productivity - If employees spend their time on social networking sites such as Twitter, they are not spending it doing their job.
  • Data Leakage – Confidential and sensitive information could be transmitted to unauthorized individuals and competitors.  In addition, data that is covered by mandated privacy and security requirements (HIPAA and PCI-DSS) could be exposed.
  • Security problems - Malware hides on websites and can install itself as users browse infected pages. One company reports that the number of new, malicious websites blocked each day by it nearly doubled (91 percent) in just one month.
  • Legal risks - When users download inappropriate material to their computers, other employees may take serious offense. This in turn can create legal liabilities for enterprise and its managers.
  • Wasted bandwidth - Internet connections cost money. If half of an enterprise's bandwidth is taken up with non-work related traffic, the enterprise could be paying more than it needs to, and enterprise-critical communications could be running at half their speed capacity.
  • Unlicensed software - When users download and install software from the internet, they create a legal risk. If an organization uses unlicensed copies of software, it may face a civil suit and company directors risk criminal penalties.
  • Reputation risk - Social networking can create opportunities for employees to leak confidential information or spread damaging rumors online. Bad behavior by a single employee can reflect on the reputation of the whole organization.

Which IT Metrics are Important? - April 14th, 2009 11:41 AM

IT metrics are not understood by many business executives.  What non-IT business executives often focus on is the one metric that they understand: the cost of IT.  This in turn leads to a continuous cycle of IT budget reductions.

Most IT metrics efforts lack relevance to the business and are not well linked to business outcomes. They tend to be IT focused, such as WAN availability or server downtime. It is difficult for the business to understand how these measures relate to its objectives, and they provide little insight into the value that IT delivers.

CIOs must create a scorecard that:

  • Relates to the enterprise and its management team. Server availability, network throughput, help desk call volumes, capacity utilization, and other IT operational metrics are not relevant to business executives. These types of metrics need to be translated into something enterprise management understands, such as availability of business applications or the cost to support a business area. The IT-operational metrics should be kept within IT unless they can be put in enterprise terms.
  • Relates to the enterprise strategic and tactical objectives. Enterprise executives are concerned with introducing new products and services, improving customer loyalty and satisfaction, increasing gross margins, and growing market share. IT metrics must be linked directly to these enterprise objectives, specifically demonstrating how IT initiatives contributed favorably to improving them.


Can-Spam to be followed by m-Spam - April 5th, 2009 02:59 PM

A bill, the M-Spam Act, was just introduced in the US Senate aimed at attacking unsolicited commercial text messages sent to cell phones, also known as mobile spam.

The m-Spam Act would strengthen the powers of the Federal Communications Commission and Federal Trade Commission to fight mobile spam. The measure also would prohibit commercial organizations from sending text messages to cell phone numbers that are listed in the National Do-Not-Call Registry.

There is also increasing concern that mobile spam will become more than just an annoyance: the viruses and malicious spyware that are often attached to traditional spam will most likely be more prevalent on wireless devices through m-spam.  Mobile users in the U.S. received about 1.1 million spam text messages in 2007, up 38% from the year before. In some cases, mobile subscribers have to pay up to 20 cents for each text message sent or received, although some mobile service providers allow their customers to block text messages in order to avoid spam.

Is Outsourcing the Right Thing to do? - March 31st, 2009 11:06 PM

Despite the anti-outsourcing backlash, the benefits of outsourcing are very tangible. The very fabric of American success lies in opportunity and innovation, making it very difficult for anyone or anything to paralyze its workers or its economy.  It does not matter which industry an enterprise is in; outsourcing can bring tremendous benefits to any type of business.

Every minute your employees spend on an activity that does not directly add value to your enterprise's business strategy is a cost that can be saved.

CIOs must analyze their organizations' needs and find out if their businesses can outsource.  Questions that need to be asked and answered are:

  • Is the enterprise finding it difficult to meet its customer needs?
  • Does the enterprise want to maximize its impact in the marketplace?
  • Does the enterprise's IT function have managers who are not sure about what makes and what loses money?
  • Is the enterprise experiencing constant challenges based on operational issues?
  • Does the enterprise lack the expertise to survive and grow?
  • Does the enterprise have important nonrecurring project requirements but no resources to handle them?

If the answer is 'yes' to more than one question, then outsourcing may be in order for the enterprise. Outsourcing can help CIOs to efficiently deal with the challenges of today's business climate. Outsourcing can help you to meet your customer needs on time, increase market presence, make the right decisions about product lines, overcome operational challenges, get access to expert services and benefit from professional resources who can competently handle your projects.

Some of the benefits of outsourcing are:

  • Better performance and management
  • Process maturity and scalability
  • Efficiency and productivity
  • Reduced capital and labor costs
  • Operational efficiencies without capital investment
  • Professional and skilled services
  • Improved processes bring about improved customer satisfaction
  • Gain a competitive edge with sophisticated technology and people

Cost of Certification to Meet Mandated Requirements - March 28th, 2009 09:41 AM

What the cost of compliance with mandated security standards is, is a question that many CIOs need to answer as they adjust their budgets.  The costs fall into four areas:

  • Internal resources - these costs include all business functions - management, HR, IT, facilities & security. These resources will be required during the implementation of the compliance requirements.
  • Implementation costs - these costs include both hardware and software required to meet the mandated requirement.
  • Consultancy and outsourced resources - these costs include all outside contractors, consultants, and service providers.
  • Certification costs - these costs include the ongoing costs that the business will incur after the implementation of the compliance requirements.  These costs will include internal resources as well as things like annual or quarterly certification verification services.


Challenges CIOs and CTOs face - March 24th, 2009 05:39 PM

With today's economic uncertainty, CIOs are faced with many new challenges, including how to manage.  Janco has compiled a list of issues that are keeping many CIOs up at night.  They are:

  • Economic uncertainty and management ambiguity on strategic direction are crimping the ability of CIOs to plan effectively.
  • Economic stakes are higher in many enterprises and there is significant conflict and competition for the limited resources that CIOs have at their disposal.
  • R&D, training, and certification programs have been at least cut, if not altogether eliminated, limiting the ability of CIOs to understand the implications of new technologies and train staff in their application.
  • Risk aversion has taken hold and limits have been placed on many CIOs' ability to implement new and innovative solutions - no longer are CIOs able to say they want to have a competitive advantage.  Rather they need to focus on survival of the enterprise.
  • CIOs now are being told by senior management that they have to deal with what is "good enough" versus what will really provide the right long-term solution.
  • CIOs do not know if the last cost-cutting directive or reduction-in-force program has been presented.  They are all asking, "Will there be another lay-off next month?" Staff morale is low, as IT professionals understand that their professional destinies are no longer in their own hands.
  • Best practices are now "dirty words" in the executive suite.  Many senior executives do not want to hear about long-term ROI; rather they want to know how short-term expenses can be reduced.

With this as an operating environment, CIOs now have the most challenging environment to manage since the early 1980s.

Most Security Breaches Caused by Lost or Stolen Devices - March 19th, 2009 05:09 AM

Most enterprises face data security breaches because of lost or stolen laptops, PDAs, SmartPhones, and USB storage devices.  Industry experts have found that:

Infrastructure Management is the Key to Recovery - March 15th, 2009 10:42 AM

Infrastructure management (IM) is the management of essential operational components, such as policies, processes, equipment, data, human resources, and external contacts, for overall effectiveness. Infrastructure management includes systems management, network management, and storage management.

Infrastructure management seeks to:

  • Reduce duplication of effort
  • Ensure adherence to standards
  • Enhance the flow of information throughout an information system
  • Promote adaptability necessary for a changeable environment
  • Ensure interoperability among organizational and external entities
  • Maintain effective change management policies and practices

All business activities depend upon the infrastructure, and on the planning and projects that ensure its effective management. Investments in infrastructure management have the largest single impact on an organization's revenue.

Lost PCs Equal Security Breach - March 8th, 2009 04:57 PM

As the amount of information stored digitally on company servers, stationary computers and mobile devices such as laptops continues to escalate, protecting that information from public data breach is becoming a priority for IT and compliance departments.

A recent survey found that 75% of all corporate users were very concerned about the possibility that confidential information would be exposed and potentially misused. A further 60% were very concerned that the theft of a laptop computer would result in identity theft, and nearly 25% said they would be willing to pay between $10,000 and $50,000 to have a stolen executive's laptop returned to their organization. Despite the widely acknowledged link between laptop theft and nearly 50% of data breaches, the corporate users reported that a surprising number of mobile computers continue to go missing.

CIO Abilities Showcased - March 4th, 2009 05:07 PM

Successful CIOs have the ability to provide an attractive environment, improve recruiting and retention, create a bias toward learning that adapts well to new business demands, align the organization with its strategic goals, and maintain a cadre of strong leaders; these are the elements of the desired culture.

Expanding business demand meets a constrained workforce. According to published research, IT is seeing increasing demand from the businesses it supports. Overall budgets are expected to increase by 8% in 2008, and this translates into a much greater increase in project investments.  At the same time, demographics are resulting in a shrinking labor pool. This is creating a supply/demand imbalance that is making it harder to hire and meet this expanding business demand, especially in the more sought-after skill areas.  Driving this are:

  • The rate of change is increasing and accelerating. Both business and technology change continues to increase at accelerating rates. This requires an adaptable workforce and the expectation that IT staff have the business, technology, and communications skills to meet the organization's strategic priorities.
  • IT too frequently is not perceived as a viable career. The dot-com bust, coupled with a shift toward more outsourcing and offshoring, has led to a lower perception of IT as a viable career. The number of university students pursuing a computer science or related degree has dropped by a third since the beginning of the decade.  The reality is that for many skills there is significant demand. There is a need to change this image and reverse the trend.  Key to these efforts is creating a positive culture to get the most out of people, encouraging them to recruit others, retaining the best, and developing positive relationships.

IT Service at Risk - March 2nd, 2009 12:47 PM

IT Service Management has increased in importance, as more organizations are requiring CIOs to do more with less.  Best practices are followed by successful CIOs and IT organizations as they continue to address infrastructure issues with reduced staffs and budgets.  Their focus is:

1. Have an IT Infrastructure that supports IT Service Management. Customers (users) evaluate Information Technology based on their perception of the service provided and its associated costs. This perception of service quality depends upon a number of soft factors such as timeliness of responses, impact of service outages, and quality of communications between IT and users. Best practices include:

  • Metrics aimed at showing the productivity of the IT Service Management function
  • Service Level Agreements that are tied to enterprise operational performance
  • Documented policies and procedures which are followed
  • Diagnostic processes and tools to provide early warnings when things start to go wrong

2. Have a cost tracking (chargeback) system that is understood. While reliability is a key measure of IT Service Management, cost is a close second.  In addition to understanding the cost structure of IT, CIOs must be able to explain the cost drivers and what they are doing to improve productivity and reduce costs while maintaining quality and reliability.  Best practices include:

  • Defined system development and operation methodology which includes change control and version control
  • Quality assurance function and responsibilities defined
  • Change and version control management tools

3. Have the ability to change the organizational and application infrastructure while continuing to provide quality service.  IT operations must provide consistent, stable operations: networks, servers, applications, workstations, email, and telephony systems must be up, functional, and invisible to the operation of the enterprise.  Best practices include:

  • Clear organizational responsibilities and accountabilities
  • Review processes (meeting and reports) with IT and users to discuss performance
  • Published service level definitions with expectations

4. Have defined policies and procedures in place for change management and service management.  Users need a clear and understandable set of rules for how to work with IT: how to request services, who is responsible for the quality of the services, and what information and status they should expect from IT. Best practices include:

  • Documented policies and procedures which are followed
  • Feedback loops which highlight strengths and weaknesses
  • Open approach that allows for changes to policies and procedures and unlocks new ways to get things accomplished

5. Have a courteous and well-trained IT staff.  In these troubled times it is easy to overlook the quality of your staff as a factor in your continuing success.  Best practices include:

  • Formal training program for both users and IT staff that focuses on change control, version control, and IT Service Management
  • Adequate staffing levels during the periods required by users
  • IT staff that can communicate effectively with users, using user terms rather than IT scripts


Definition of a Strong CIO - February 23rd, 2009 06:29 AM

CIOs that have successfully saved strategic projects and survived in these difficult economic times are realistic about what is strategic and what is not. Typically, these CIOs have the following characteristics.

  • They have credibility with their organizations. These CIOs are good stewards of their resources, work well with other executives, and demonstrate a willingness to make sacrifices for the common good.
  • They are smart about the design and structure of the project. In addition, they are willing to adjust timing, scope or costs to fit the economic environment.
  • They are assertive. They can make a case to convince others of the merits of keeping a project.

Even with these characteristics, they often have a fight on their hands.  However, they can build a strong business case.


Cost of Data Breaches Continues to Increase - February 17th, 2009 04:12 PM


The cost per record of a data breach has gone from $138 in 2005 to $202 in 2009 according to the Ponemon Institute in its fourth annual U.S. Cost of a Data Breach Study.


Other key findings from the study include the following:

  • Average total per-incident costs in 2008 were $6.65 million, compared to an average per-incident cost of $6.3 million in 2007.
  • Healthcare and financial services companies experienced the highest churn rates, 6.5 percent and 5.5 percent respectively, against an overall average of 3.6 percent, which reflects the sensitivity of the data collected and the customer expectation that information will be protected.
  • Third-party organizations accounted for more than 44 percent of all cases in the 2008 study and are also the most costly form of data breaches due to additional investigation and consulting fees.
  • More than 84 percent of 2008 cases involved organizations that had had more than one data breach in 2008 - meaning that companies are becoming more experienced in managing breaches over time.
  • More than 88% of all cases in this year's study involved insider negligence.
  • More than half of respondents believe that training and awareness programs assist in preventing future breaches and 44 percent have expanded their use of encryption.
  • The most significant cost decrease was seen in activities relating to post-breach response, which indicates that organizations are becoming more cost effective in managing data breaches.

Massachusetts Data Protection Deferred - February 14th, 2009 12:53 PM

Massachusetts has deferred until January 2010 the deadline for compliance with its latest data security and breach legislation (download PDF), which protects the personal data of Massachusetts residents.  The rules apply to all companies that handle the personal data of Massachusetts residents, whether they are based in the state or not.  The rules require companies to

  • Limit the amount of data they collect
  • Have written security policies
  • Maintain a detailed inventory of all personal data, whether it is stored in computers, archived on tapes or kept in paper files.
  • Have in place adequate physical and technical security controls for safeguarding protected data and properly authenticating users who are given access to the information.

With the latest deferral, Massachusetts regulators also removed a requirement mandating that companies get third parties with access to customer data to attest that they were compliant with the regulations. The old provision also required third-party service providers to include language in their contracts specifying that they were willing and able to comply with the Massachusetts security rules.  With this latest revision, companies only have to take "reasonable steps" to verify that any third-party providers with access to personal data have the ability to protect the information through measures that are comparable to the ones spelled out in the Massachusetts regulations.


Record Management Policy - February 8th, 2009 01:47 PM

The Record Management, Retention, and Destruction Policy is a detailed policy template which can be used on day one to create a records management process.  Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description, with responsibilities, for the Manager of Records Administration.


© 1999 - 2009 Janco Associates, Inc. - ALL RIGHTS RESERVED  -- Revised: 12/19/08.