Tuesday, June 16, 2009

Proactive Document Management

As organizations review their business processes and make them more efficient, document management solutions help automate the process of electronically capturing, storing, and securely managing business information.

Benefits of electronic document management solutions include:
  • Centralized storage of information leads to increased employee productivity
  • Enhanced levels of customer service through improved access to information
  • Reduced costs by instantly locating documents

Document management solutions do have their risks. If documents are not filed using a formal methodology, document management solutions can reduce employee productivity and increase your costs. In addition, failure to manage and secure your documents may increase your liability to lawsuits.

A proactive approach to managing electronic files protects your documents and helps meet compliance requirements. Many firms are using security audits to help them identify, manage, and reduce their document management risks.

Thursday, May 14, 2009

Security During Tough Economic Times

Employee risks. Although many decision makers are focused on getting through tough economic times, security experts say that management needs to be wary of employees who, fearful that their jobs could be on the chopping block, could take actions that potentially jeopardize the physical and logistical security of the company. As companies automate manual processes and adapt to the changing economic environment, merge IT departments, and cut back on controls, organizations face greater threats.

Risk assessments can help identify sensitive and proprietary information, risks to the data, and relevant state and federal compliance requirements. Everyone is concerned about security and protecting sensitive information. Once sensitive data and compliance requirements have been identified, the organization can leverage the information from the risk assessments to build in security structures that protect against IT, people, and process threats.

Network and security assessments help protect your sensitive information and provide peace of mind.

Thursday, April 09, 2009

Automated Scans Aren't Sufficient

Automated scanners. If automated vulnerability scanners caught all security risks, hackers would be out of business and security personnel wouldn't have much to do. In reality, automated vulnerability scanners are only one tool used in the process of identifying and managing security risks.

For many organizations, web applications are a vulnerable element of an organization’s IT infrastructure. As your organization uses the Internet for customer, supplier, employee, and vendor interactions, Internet technologies and database interfaces become complex and require additional security.

Automated web site scans provide little defense against knowledgeable hackers and full scale web attacks. Hackers don’t rely exclusively on automated scanners and neither should you. Organizations should use manual tools and experienced professionals to find technical vulnerabilities as well as identify risk areas created during the design, programming, installation, and maintenance phases of a software development lifecycle.

By emulating the approach used by hackers, organizations can better protect themselves and the sensitive information stored on servers. Altius IT recommends network and security audits that can assess internal network security, firewalls, and web application vulnerabilities.

Tuesday, March 03, 2009

Small Business Security Quiz

Preparation is the key to protecting your company’s information assets. Take this security quiz to determine your Security Quotient.

1) We have recent off-site computer backups. Yes/No
2) We have updated anti-virus software on all computers/servers. Yes/No
3) We restrict employee access to confidential information. Yes/No
4) All of our policies are documented and in written form. Yes/No
5) We have a firewall to protect us. Yes/No
6) We encrypt confidential documents/E-mail. Yes/No
7) We have a formal electronic document archiving procedure. Yes/No
8) We monitor and restrict Internet access. Yes/No
9) We performed a security assessment of our IT systems. Yes/No
10) We can distinguish an intruder from normal Internet traffic. Yes/No

Score one point for each Yes answer.
8 or more points - You are well on your way to securing your IT systems.
6 to 7 points - keep working, you may need assistance to reduce risks.
5 or fewer points - you need to make security a priority and get assistance as soon as possible.

Network and security assessments help protect your sensitive information and provide peace of mind.

Tuesday, February 03, 2009

Managed Security Services

Leading firms are taking a proactive approach to security and using managed security services to reduce their IT related risks. Managed security services typically provide traditional forms of security protection:
  • Network Infrastructure - physical access to servers, system backups with off-site rotation, encrypting the backup media, and protecting wireless networks.
  • Internet Connectivity - protection can include firewalls and Virtual Private Network (VPN) access, intrusion detection and prevention, and remote connectivity.
  • Management - incident response plans, patch management, and change management processes.
  • Employee Management - policies and procedures, passwords, protection against social engineering, locking down USB thumb drives and handheld PDAs, encrypting laptop hard drives, etc.
  • Document Management - protection includes access privileges, document retention and archiving, encryption, etc.
  • Electronic threats - protection provided by anti-virus, anti-spyware, anti-popup software, etc.
  • E-mail & Communications - anti-spam, e-mail archiving, and instant messaging (IM) with IM archiving.
  • Risk Management - risk evaluation, business continuity planning, testing, etc.

While managed security services provide the initial layers of protection against IT related threats, they should be supplemented with security assessments and audits. Assessments and audits help ensure the organization's security expenditures are properly allocated to the most important areas. In addition, assessments and audits help protect the organization's intellectual property and its image and reputation.

Tuesday, January 06, 2009

Security Assessments – A Subscription Service

A matter of priority. Not every security risk is created equal. Some risks have a greater impact than others. In addition, some threats are more likely to occur than others. Security assessments help organizations allocate their budget to the areas that reduce risks.

Security is an on-going process and leading organizations are taking a subscription approach to security assessments. With new vulnerabilities discovered on a daily basis, a system that is secure one day may be completely wide open the next. Much like regular anti-virus updates, subscribing to recurring security assessments helps your organization identify weaknesses before they can be exploited. Security assessments provide specific knowledge about your system, allowing you to more effectively allocate your security budget.

Don’t wait for an unwanted intruder to discover your network vulnerabilities. A comprehensive network security assessment helps:
  • Protect your image and reputation
  • Reduce your costs by cost effectively allocating your security budget to the most important areas

Thursday, December 04, 2008

Mitigating Risks

Organizations are finding that IT systems are a double-edged sword. Not only do they increase employee productivity and reduce costs, they also increase risks as intellectual property and sensitive information are stored in a central location. Assessments can help organizations identify and manage risks. Once risk areas have been identified, organizations have a number of ways to mitigate or reduce their risks.

  • Risk Assumption. Accept the potential risk and continue operating the IT system or implement controls to lower the risk to an acceptable level. Administrative, physical, and technical controls help lower the organization's risks.
  • Risk Avoidance. Avoid the risk by eliminating the risk and/or consequence. For example, bypass or eliminate certain functions of a system or shut down the system when risks are identified.
  • Risk Limitation. Limit the risk by implementing controls that minimize the adverse impact of the risk. For example, implement preventive controls such as Intrusion Prevention Systems (IPS) that actively identify and restrict access to information.
  • Risk Planning. Manage risks by developing a risk mitigation plan that prioritizes, implements, and maintains controls. Implement managed services to minimize risks.
  • Risk Research. Lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
  • Risk Transference. Compensate for the loss by transferring the risk to another party. In addition to securing systems, organizations have the option to insure against security breaches. For example, insurance can cover the cost of regulatory mandated notifications that a security breach has occurred as well as fines, fees, or penalties arising from privacy or consumer protection errors.

Tuesday, November 11, 2008

Database Regulatory and Compliance Issues

Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley (GLB) Act were all enacted to help protect information. These acts require internal controls to protect information integrity, confidentiality, availability, and accountability. While accountants and auditors are familiar with internal controls, many IT departments lack the knowledge and controls needed to safeguard information. Even sophisticated databases, managed by Database Administrators (DBAs), lack secure controls and connectivity to information.

Many DBAs have complete access to all of your organization's data. While complete access helps manage and minimize downtime, it also puts your organization at risk as the DBA has access to all information and log files. Your management must determine the minimum amount of access needed to allow the DBAs to perform job duties. For example, must the DBA have access to confidential or sensitive data such as payroll, protected health information (PHI), or other types of confidential information?

Assessments help ensure your internal controls provide the appropriate reporting and procedures, detect unauthorized use of systems, and meet compliance requirements.
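One practical way to act on the minimum-access question above is to watch what privileged accounts actually do and to flag anything outside their job duties. The script below is an added example written for this page, not code from the post or from Altius IT. It runs a small access policy over a handful of constructed database audit log lines; the log format, the account names, the sensitive table names, the maintenance verbs and the allow-list of approved readers are all assumptions chosen for the illustration. Routine DBA maintenance on a sensitive table passes; a DBA reading payroll rows or deleting from the audit log, or a user with no documented need touching protected health information, is reported.

```python
import re

# Assumed log line format: "<date> <time> user=<account> stmt=<sql statement>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) stmt=(?P<stmt>.+)$")

# Example names only; a real deployment would load these from its data classification.
SENSITIVE_TABLES = {"payroll", "patient_records", "audit_log"}
DBA_ACCOUNTS = {"dba_admin"}
# Statements a DBA legitimately runs on a table without reading or changing its rows.
MAINTENANCE_VERBS = {"VACUUM", "ANALYZE", "REINDEX", "ALTER", "GRANT", "REVOKE"}
# Accounts with a documented business need for each sensitive table (assumption).
APPROVED_READERS = {"payroll": {"svc_payroll_app"}, "patient_records": {"svc_ehr_app"}}

TABLE_RE = re.compile(
    r"\b(?:FROM|JOIN|UPDATE|INTO|TABLE|VACUUM|ANALYZE|REINDEX)\s+([A-Za-z_][A-Za-z0-9_]*)",
    re.IGNORECASE,
)


def tables_in(stmt: str) -> set:
    """Crude extraction of table names referenced by a statement."""
    return {name.lower() for name in TABLE_RE.findall(stmt)}


def parse_line(line: str):
    """Return the fields of one log line, or None if the line is malformed."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def audit(lines) -> list:
    """Return (timestamp, user, table, verb) for every policy violation found."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped; a real tool would count them
        verb = rec["stmt"].split()[0].upper()
        for table in sorted(tables_in(rec["stmt"]) & SENSITIVE_TABLES):
            if rec["user"] in DBA_ACCOUNTS and verb in MAINTENANCE_VERBS:
                continue  # maintenance is within the DBA's duties
            if rec["user"] in APPROVED_READERS.get(table, set()):
                continue  # account has a documented need for this table
            alerts.append((rec["ts"], rec["user"], table, verb))
    return alerts


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2008-11-10 09:14:02 user=svc_payroll_app stmt=SELECT emp_id, net_pay FROM payroll WHERE pay_period = '2008-10'",
    "2008-11-10 09:20:45 user=dba_admin stmt=VACUUM payroll",
    "2008-11-10 23:41:10 user=dba_admin stmt=SELECT ssn, salary FROM payroll",
    "2008-11-11 08:02:33 user=dba_admin stmt=DELETE FROM audit_log WHERE event_time < '2008-11-01'",
    "2008-11-11 08:15:00 user=analyst_kim stmt=SELECT * FROM patient_records JOIN visits ON patient_records.id = visits.pid",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for ts, user, table, verb in audit(SAMPLE_LOG):
        print(f"{ts} {user} ran {verb} against sensitive table '{table}'")
```

The table extraction is deliberately simple; the point is the policy shape: privileged accounts are allowed the statements their role requires and nothing more, and the log that records their activity is itself treated as sensitive data.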

Thursday, October 02, 2008

FACTA Identity Theft Red Flags Rule

The Identity Theft Red Flags Rule, a requirement of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), became effective January 1, 2008, with compliance mandatory by November 1, 2008. It requires certain organizations to adopt a written identity theft prevention program approved by the Board of Directors.

The Identity Theft Prevention Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. The regulation requires an institution to have:
1) An established written Identity Theft Prevention Program approved by the Board
2) Initial Risk Assessment
3) Policies and procedures for detecting, preventing, and mitigating identity theft. This includes identifying patterns of activity that are signals for possible identity theft, monitoring and detecting “red flags”, responding appropriately to any red flags, policies and procedures to verify address changes
4) Regular compliance reporting
5) Oversight of service providers
6) Mandatory staff training
7) Ensure the Program is reviewed and periodically updated to reflect changes
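Item 3 above asks for patterns of activity to be defined, monitored and responded to. The script below is an added illustration of what that looks like in practice, not code from the post or from Altius IT. It runs two constructed detection patterns over a few constructed account events: a replacement card requested shortly after an address change that was never verified, and continued activity on an account whose mail keeps coming back undeliverable. The event kinds, the 30-day window and the returned-mail threshold are assumptions chosen for the example; a real program would take its patterns from the institution's own risk assessment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    account: str
    kind: str        # address_change, address_verified, card_request, mail_returned, transaction
    ts: datetime
    detail: str = ""


# Illustrative thresholds (assumptions, not values from the post or the regulation).
CARD_AFTER_MOVE_WINDOW = timedelta(days=30)
RETURNED_MAIL_THRESHOLD = 2


def find_red_flags(events) -> list:
    """Return (account, rule, evidence) tuples for each suspicious pattern found."""
    flags = []
    per_account = {}
    for ev in sorted(events, key=lambda e: e.ts):
        per_account.setdefault(ev.account, []).append(ev)

    for account, evs in per_account.items():
        unverified_move = None   # most recent address change not yet confirmed
        returned_mail = 0        # consecutive undeliverable mailings
        for ev in evs:
            if ev.kind == "address_change":
                unverified_move = ev
                returned_mail = 0  # a new address resets the returned-mail count
            elif ev.kind == "address_verified":
                unverified_move = None
            elif ev.kind == "card_request" and unverified_move is not None:
                if ev.ts - unverified_move.ts <= CARD_AFTER_MOVE_WINDOW:
                    flags.append((
                        account,
                        "card_request_after_unverified_address_change",
                        f"address changed {unverified_move.ts:%Y-%m-%d}, "
                        f"card requested {ev.ts:%Y-%m-%d}",
                    ))
            elif ev.kind == "mail_returned":
                returned_mail += 1
            elif ev.kind == "transaction" and returned_mail >= RETURNED_MAIL_THRESHOLD:
                flags.append((
                    account,
                    "activity_despite_returned_mail",
                    f"{returned_mail} returned mailings before transaction on {ev.ts:%Y-%m-%d}",
                ))
                returned_mail = 0  # report once per run of returned mail
    return flags


# Constructed sample events (not real accounts).
SAMPLE_EVENTS = [
    Event("A-1001", "address_change", datetime(2008, 10, 1)),
    Event("A-1001", "card_request", datetime(2008, 10, 4)),
    Event("A-1002", "address_change", datetime(2008, 10, 1)),
    Event("A-1002", "address_verified", datetime(2008, 10, 2)),   # verified, so no flag
    Event("A-1002", "card_request", datetime(2008, 10, 4)),
    Event("A-1003", "mail_returned", datetime(2008, 9, 5)),
    Event("A-1003", "mail_returned", datetime(2008, 9, 12)),
    Event("A-1003", "transaction", datetime(2008, 9, 20)),
]

if __name__ == "__main__":
    for account, rule, evidence in find_red_flags(SAMPLE_EVENTS):
        print(f"{account}: {rule} ({evidence})")
```

Each flag carries the evidence that triggered it, which is what the "responding appropriately" step and the compliance reporting step both need: a reviewer can see why the account was flagged and record what was done about it.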

Find out more information on complying with FACTA and the initial risk assessment.

Tuesday, September 09, 2008

Cloud Computing – Thunder and Lightning on Your Horizon?

Cloud Computing
As organizations automate more and more of their manual processes, the Internet is increasingly becoming an important tool in the delivery of IT services. Several years ago, organizations purchased software on CD-ROMs and DVD media. Today, users have the choice of downloading software from the Internet or using their browser to access software that runs outside the organization on Internet servers. The use of external software on Internet servers is called Software as a Service (SAAS).

Instead of writing software for a workstation, software developers are now writing software programs that run on Internet servers. This software may run on servers outside the organization on other companies’ data centers. Familiar examples include web sites such as Amazon.com and Salesforce.com.

In the past, individual applications ran in the Internet cloud. Now, entire data centers are moving to the cloud, accessible by a wide range of users. Cloud computing describes a grouping of service offerings that includes application software, data storage, and computing. The computing can be delivered over the Internet (public cloud computing) or within an organization (private cloud computing).

Cloud advantages over desktop software
Many SAAS applications are available at little to no cost. In addition to lower software costs, IT administration labor costs are reduced as software does not need to be installed and constantly patched. SAAS applications tend to be supported by paid advertisers, thus subsidizing the cost to the software user.

Another benefit is group collaboration. In the past, software was loaded on many distributed devices. With the Internet cloud, software and data can be stored on centralized servers facilitating access to data by a large group of users.

Cloud computing offers almost unlimited storage of applications and data. No longer must users and IT staff be concerned about collecting and archiving volumes of data.

Mobile applications
Employees want functionality and access to data from a number of different locations. The Internet cloud allows hand held Personal Digital Assistants (PDAs) and laptop users to access applications and data from a variety of locations. Internet cloud computing allows information to be accessed by a number of different devices (desktop, laptop, mobile phone, GPS, etc.) since the applications and data are stored at Internet data centers.

Mobile computing will drive more applications to the Internet cloud. The cloud is an ideal way of supplying software and data to small computing devices that don’t have the storage and processing power to hold volumes of applications and information.

Application interfaces
Internet applications leverage the power of end user devices by introducing to browsers features commonly found in the graphical interfaces on desktop applications. Better software development tools support applications that can run on a wide range of devices from desktop browsers to smart phones.

Public cloud computing risks
As with any other form of technology, organizations must address a wide range of cloud computing risks:
  • User traffic – in the past, applications and data were stored locally. With Internet cloud information accessed via Internet lines, connectivity and bandwidth usage may become a critical issue if Internet users create Internet access bottlenecks.
  • Internet connectivity – connectivity to the Internet increases in importance. If Internet connectivity is down for an extended period of time, employee productivity will drop. Redundant high speed Internet lines may be needed to help mitigate this risk.
  • Employee productivity – applications and data that are stored on user hard drives tend to have fast response times with little impact on the employee. Internet applications may experience delays and not be able to manage volumes of data. Service Level Agreements (SLAs) with the cloud computing vendors can provide response time, throughput, and other metrics that help protect the organization.
  • Lack of availability – there are risks related to having a critical software application programmed and managed by an outside entity. If a vendor’s software application ceases to function, the organization may experience financial losses as well as damage to its image and reputation.
  • Confidentiality – SAAS vendors may store data in a central repository. This repository may hold data from many different businesses, even competitors. The organization should determine if it is appropriate to store the type of information (client lists, pricing, intellectual property, etc.) on external servers.
  • Integrity – since data is stored on outside servers, the organization must ensure information integrity. Balancing controls, managing information stored on external servers, monitoring, and other controls must be used to protect the organization.
  • Compliance – information collected, stored, archived, and secured must meet regulatory requirements.
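The Integrity bullet above says the organization must verify information it keeps on outside servers, but not how. The script below is an added example written for this page, not code from the post or from any cloud vendor: before data leaves the organization it records a keyed HMAC-SHA256 tag for every file and seals the manifest with the same key, so the manifest can travel with the data; when the data comes back, it reports which files are unchanged, which were modified, which are missing and which were added. The file names, contents and key are constructed for the example; the key stands in for a secret kept inside the organization.

```python
import hashlib
import hmac
import json


def content_tag(data: bytes, key: bytes) -> str:
    """Keyed tag over raw content; without the key the provider cannot forge it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_sealed_manifest(files: dict, key: bytes) -> str:
    """Tag every file, then tag the manifest itself so it can be stored with the data."""
    manifest = {name: content_tag(data, key) for name, data in files.items()}
    body = json.dumps(manifest, sort_keys=True)          # canonical form for sealing
    return json.dumps({"manifest": manifest, "seal": content_tag(body.encode(), key)})


def verify_returned_files(files: dict, sealed: str, key: bytes) -> dict:
    """Check returned files against the sealed manifest; raise if the manifest itself was altered."""
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True)
    if not hmac.compare_digest(content_tag(body.encode(), key), doc["seal"]):
        raise ValueError("manifest seal does not verify: manifest altered or wrong key")
    manifest = doc["manifest"]
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name in sorted(manifest):
        if name not in files:
            report["missing"].append(name)
        elif hmac.compare_digest(content_tag(files[name], key), manifest[name]):
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(files) - set(manifest))
    return report


# Constructed sample data (not real files); the key is a placeholder for a managed secret.
KEY = b"example-key-kept-inside-the-organization"
ORIGINAL = {
    "client_list.csv": b"acme,contact@acme.example\nglobex,info@globex.example\n",
    "pricing_2008.csv": b"widget,19.95\ngadget,24.50\n",
    "contracts.txt": b"Master agreement v3\n",
}
RETURNED = {
    "client_list.csv": ORIGINAL["client_list.csv"],
    "pricing_2008.csv": b"widget,19.95\ngadget,14.50\n",   # one value changed
    "extra_notes.txt": b"not ours\n",                       # file the organization never stored
}                                                           # contracts.txt did not come back


def demo() -> dict:
    sealed = build_sealed_manifest(ORIGINAL, KEY)
    return verify_returned_files(RETURNED, sealed, KEY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A plain SHA-256 manifest would do if the manifest never leaves the organization; the keyed tag is what allows the manifest to be kept at the provider alongside the data without giving the provider the ability to rewrite both consistently.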

Privacy issues
In exchange for lower cost service delivery, users may have to provide personal information. This information is often used to deliver custom advertisements. The cloud model may require sharing of information with other marketing alliances in exchange for the convenience and low cost of using Internet cloud applications.

Many SAAS vendors focus on one area of specialty, storage, e-mail applications, on-line backups, etc. Organizations must rely on the vendor’s security solutions to protect their information. Unfortunately, for many SAAS vendors, their focus is on service functionality, not security.

Private cloud computing
Organization data centers adopting the technologies and practices of public cloud infrastructures can be considered private clouds. Private clouds are data centers within the corporate perimeter, within the firewall.

Software applications can be designed for both the public and private cloud infrastructure. Tools such as systems management software, clusters, grid technology, and load balancing permit private clouds to employ utility like environments with computing resources and applications provisioned with greater efficiency.

Cloud computing service delivery considerations
IT managers should take professional care and due diligence when evaluating cloud computing applications:
  • Service levels - your organization should determine if the outsourced provider has professional, high performance infrastructures that can guarantee levels of performance delivery.
  • Support – user and technical support must be determined up front. Will first level user support be provided by their staff or yours?
  • Redundancy – organizations should have redundant solutions that allow systems to continue operating even during single component failure. This includes the Internet software application as well as the organization’s connectivity to the Internet.
  • Contingency plans – business continuity and disaster recovery plans must be updated and tested on a regular basis.
  • Private clouds – IT departments have the administration costs and responsibilities of acquiring, installing, managing, and securing data centers.
  • Security – public and private clouds must ensure information availability, confidentiality, and integrity.

Summary
While outsourcing software applications to the Internet cloud isn’t for every organization, many firms have found that cloud computing can be a simple, reliable, and cost effective solution.

Both the Internet cloud vendors (SAAS) and the organization should have audits performed on a periodic basis.
  • SAAS vendors - audits help ensure system availability, information confidentiality, and data integrity.
  • Organizations - audits ensure organization management that the firm is managing its cloud computing risks.

Risk assessments and audits help organizations identify, manage, and reduce their risks.
