<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-16596253</id><updated>2011-11-05T01:05:05.344-07:00</updated><category term='risk audit'/><category term='web application'/><category term='security assessment'/><category term='managed security services'/><category term='assessment'/><category term='it management'/><category term='facta'/><category term='document management'/><category term='risk management'/><category term='malware'/><category term='outsource security'/><category term='software as a service'/><category term='polices'/><category term='security strategy'/><category term='penetration testing'/><category term='data backup'/><category term='business continuity'/><category term='patch management'/><category term='outsourcing'/><category term='hacker tricks'/><category term='encryption'/><category term='security suite'/><category term='assessments'/><category term='information security'/><category term='e-mail'/><category term='network security'/><category term='email'/><category term='security policy template'/><category term='physical security'/><category term='personal information'/><category term='security policy'/><category term='network assessment'/><category term='incident response'/><category term='security policies'/><category term='controls'/><category term='risk treatment'/><category term='security standards'/><category term='security'/><category term='information'/><category term='security audit'/><category term='information security policy'/><category term='altiusit'/><category term='network management'/><category term='align it'/><category term='password test'/><category term='msp'/><category term='wireless 
security'/><category term='it alignment'/><category term='security software'/><category term='software'/><category term='red flags rule'/><category term='wireless network'/><category term='worm'/><category term='business impact analysis'/><category term='outsource it'/><category term='penetration assessment'/><category term='sensitive information'/><category term='jim kelton'/><category term='security outsourcing'/><category term='electronic documents'/><category term='anti-virus'/><category term='data security'/><category term='trojan horse'/><category term='risk analysis'/><category term='managed security'/><category term='passwords'/><category term='it governance'/><category term='policies and procedures'/><category term='bia'/><category term='procedures'/><category term='wireless security risks'/><category term='intangible assets'/><category term='retention'/><category term='data protection'/><category term='disaster recovery'/><category term='firewall'/><category term='it value'/><category term='security scan'/><category term='network security audit'/><category term='security vulnerabilities'/><category term='database'/><category term='disposal'/><category term='top 10'/><category term='security quiz'/><category term='it policies'/><category term='cloud computing'/><category term='usb'/><category term='electronic threats'/><category term='hacker tools'/><category term='penetration test'/><category term='employee'/><category term='top 10 tools'/><category term='windows vulnerabilities'/><category term='isms'/><category term='policies'/><category term='blog'/><category term='hackers'/><category term='wireless network risks'/><category term='risk assessment'/><category term='portable storage device'/><category term='equipment'/><category term='hard drive'/><category term='it strategy'/><category term='virus'/><category term='compliance'/><category term='it standards'/><category term='risks'/><category term='failure'/><category term='it outsourcing'/><category 
term='identity theft'/><category term='threats'/><category term='asset inventory'/><category term='network audit'/><title type='text'>IT Security Info</title><subtitle type='html'>No matter the size or age of your organization, it relies on information technology to keep it running smoothly day in and day out.  Protect your business operations with risk management and information security.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://itsecurityinfo.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>70</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-16596253.post-1071077784375680176</id><published>2011-02-03T14:47:00.000-08:00</published><updated>2011-02-03T14:50:50.025-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='blog'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Current Trends</title><content type='html'>We hope that you have found this blog to be useful.  
New postings and updates can now be found on Altius IT's &lt;a href="http://www.altiusit.com/blog.htm"&gt;Information Security and Network Security Blog&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Thank you for visiting,&lt;br /&gt;  Jim&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-1071077784375680176?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1071077784375680176'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1071077784375680176'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2011/02/current-trends.html' title='Current Trends'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-9073399626924544502</id><published>2011-01-06T14:04:00.000-08:00</published><updated>2011-01-06T14:11:27.171-08:00</updated><title type='text'>Are you Managing your E-mail Risks?</title><content type='html'>E-mail is critical to the success and operation of most organizations.  Without e-mail, organizations are less efficient and can’t compete against larger, and more established firms.&lt;br /&gt;&lt;br /&gt;Computer users are critical to the success of an organization’s security platform.  E-mail threats such as spam, viruses, and phishing specifically target users and their end point devices.  
Hand held devices put data "on the move" and the same users that are critical to the success of an organization’s security framework now present security related risks.&lt;br /&gt;&lt;br /&gt;E-mail systems require on-going IT management and monitoring.  Not only must e-mail hardware and software be periodically upgraded, these same systems must be patched on a regular basis.  &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Security response&lt;br /&gt;&lt;/strong&gt;IT departments are responding to known security threats by implementing traditional security measures:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Employee awareness - security education and training.&lt;/li&gt;&lt;li&gt;Anti-malware - anti-virus, anti-spam, anti-spyware, and anti-pop up software.&lt;/li&gt;&lt;li&gt;Patch management – keeping software and firmware patched and up-to-date.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;However, organization management must be aware of other types of risks including risks related to transmitting information:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Confidentiality - e-mail attachments can include confidential information such as customer lists and pricing that should not be sent to recipients outside of the organization.&lt;/li&gt;&lt;li&gt;Clear text – sensitive information can inadvertently be sent in clear text.&lt;/li&gt;&lt;li&gt;Traffic – e-mailing large documents creates bottlenecks and uses up valuable network bandwidth.&lt;/li&gt;&lt;li&gt;Compliance – meeting regulatory requirements related to information as it is collected, stored, archived, and secured.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Risk Assessments&lt;br /&gt;&lt;/strong&gt;&lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;IT risk assessments&lt;/a&gt; can help organizations evaluate additional risks such as service level performance, support (technical and user), redundancy and availability, as well as fail over and contingency plans.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/16596253-9073399626924544502?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/9073399626924544502'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/9073399626924544502'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2011/01/are-you-managing-your-e-mail-risks.html' title='Are you Managing your E-mail Risks?'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-6950275001985361892</id><published>2010-12-06T11:26:00.000-08:00</published><updated>2010-12-06T11:45:32.830-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk treatment'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>IT Risk Management</title><content type='html'>IT risk management includes all of the activities that an organization carries out to manage information technology related risks. IT risk management is a formalized process and includes:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Risk Assessment&lt;/li&gt;&lt;li&gt;Risk Analysis&lt;/li&gt;&lt;li&gt;Risk Treatment&lt;/li&gt;&lt;li&gt;Risk Mitigation&lt;/li&gt;&lt;li&gt;Risk Review and Evaluation&lt;/li&gt;&lt;/ol&gt;1. Risk Assessment (Identify Risks)&lt;br /&gt;Risk Assessments identify possible sources of risk. 
They identify threats or events that could have a meaningful impact on the organization.&lt;br /&gt;&lt;br /&gt;2. Risk Analysis (Impact)&lt;br /&gt;Risk Analysis considers the probability and magnitude of each event. Risk evaluation compares the estimated risk with a set of risk criteria to determine the significance of the risk.&lt;br /&gt;&lt;br /&gt;3. Risk Treatment (Risk Response Action Plan)&lt;br /&gt;Risk Treatment identifies how each risk is to be addressed. Residual risk is the risk left over after implementing risk treatment steps that avoid the risk, transfer the risk, reduce the risk, or accept the risk.&lt;br /&gt;&lt;br /&gt;4. Risk Mitigation (Risk Control)&lt;br /&gt;Risk mitigation plans propose applicable and effective security controls that manage the risks. The plan should contain a schedule outlining the tasks to be performed, individuals responsible for the actions, estimated dates, etc.&lt;br /&gt;&lt;br /&gt;5. Risk Review and Evaluation (Risk Effectiveness)&lt;br /&gt;Risk management plans change over time as the business evolves, as new threats emerge, as losses are incurred, and as management changes. 
Review the effectiveness of your approach and revise as necessary.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;Risk assessments&lt;/a&gt; help organizations identify, manage, and reduce risks to acceptable levels.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-6950275001985361892?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/6950275001985361892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/6950275001985361892'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/12/it-risk-management.html' title='IT Risk Management'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-5287210481483969203</id><published>2010-11-03T09:51:00.000-07:00</published><updated>2010-11-03T10:17:29.068-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security policy template'/><category scheme='http://www.blogger.com/atom/ns#' term='information security policy'/><title type='text'>Start with Policies</title><content type='html'>Executive management knows that they need security controls to protect the organization's sensitive information and intellectual property. 
Unfortunately, many businesses use an ad-hoc approach to securing information, installing firewalls, anti-virus software, and other controls without a top down planned approach to managing risks.&lt;br /&gt;&lt;br /&gt;An Information Security Management System (ISMS) is a systematic approach to managing sensitive information so that it remains secure. An ISMS includes policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks.&lt;br /&gt;&lt;br /&gt;ISMS security controls include administrative, management, technical, and legal approaches to managing risks. Policies, procedures, programs, techniques, technologies, guidelines, and organizational structures help organizations comply with industry standards and requirements by addressing information confidentiality, integrity, and availability.&lt;br /&gt;&lt;br /&gt;Security policies are essential to an effective security system and express management’s direction and guidance for implementing, maintaining, and improving an ISMS. 
Security policies include access controls, managing passwords, patch management, monitoring systems, business continuity, compliance, and many other areas.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/policies.htm"&gt;Security policy templates&lt;/a&gt; provide a top down planned approach to information security, helping organizations implement and improve their controls.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-5287210481483969203?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/5287210481483969203'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/5287210481483969203'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/11/start-with-policies.html' title='Start with Policies'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-3690513741969612191</id><published>2010-10-20T13:58:00.000-07:00</published><updated>2010-10-20T14:06:17.050-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='it alignment'/><category scheme='http://www.blogger.com/atom/ns#' term='it strategy'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><category scheme='http://www.blogger.com/atom/ns#' term='network security audit'/><title type='text'>IT Strategy and Security</title><content type='html'>Information Technology (IT) strategy and security alignment ensures cohesive goals and results throughout the enterprise. 
IT strategy helps align IT to the organization, improve efficiencies, reduce costs, enhance customer service, and help the organization achieve a competitive edge in its market place.&lt;br /&gt;&lt;br /&gt;To ensure IT and enterprise alignment, analyze the organization’s markets, target audiences, products, services, and locations where the business competes. Review the critical success factors that determine the organization’s success and core competencies that provide the organization with a niche and competitive edge. Don't forget to review government regulations and analyze your organization's relationships and alliances with strategic partners.&lt;br /&gt;&lt;br /&gt;IT strategy should consider important information applications and technologies. Analyze important competencies to create and achieve the organization’s vision and strategy. Review your resources, risks, conflict resolution, responsibility, business partners, IT management, service providers, and project selection processes.&lt;br /&gt;&lt;br /&gt;IT strategy should include quality control and &lt;a href="http://www.altiusit.com/assessmentnetworksecurityaudit.htm"&gt;network security audits&lt;/a&gt; that help provide IT and executive management with appropriate feedback mechanisms.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-3690513741969612191?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/3690513741969612191'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/3690513741969612191'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/10/it-strategy-and-security.html' title='IT Strategy and Security'/><author><name>Jim 
Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-3642494180154720579</id><published>2010-09-09T11:31:00.000-07:00</published><updated>2010-09-09T11:51:35.276-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='top 10'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='windows vulnerabilities'/><title type='text'>Top 10 Windows Vulnerabilities</title><content type='html'>By understanding Windows based vulnerabilities, organizations can stay a step ahead and ensure information availability, integrity, and confidentiality.  Listed below are the Top 10 Windows Vulnerabilities:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;em&gt;Web Servers&lt;/em&gt; - misconfigurations, product bugs, default installations, and third-party products such as php can introduce vulnerabilities.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Microsoft SQL Server&lt;/em&gt; - vulnerabilities allow remote attackers to obtain sensitive information, alter database content, and compromise SQL servers and server hosts. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Passwords&lt;/em&gt; - user accounts may have weak, nonexistent, or unprotected passwords.  The operating system or third-party applications may create accounts with weak or nonexistent passwords.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Workstations&lt;/em&gt; - requests to access resources such as files and printers without any bounds checking can lead to vulnerabilities. 
Overflows can be exploited by an unauthenticated remote attacker executing code on the vulnerable device.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Remote Access&lt;/em&gt; - users can unknowingly open their systems to hackers when they allow remote access to their systems.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Browsers&lt;/em&gt; – accessing cloud computing services puts an organization at risk when users have unpatched browsers.  Browser features such as Active X and Active Scripting can bypass security controls.  &lt;/li&gt;&lt;li&gt;&lt;em&gt;File Sharing&lt;/em&gt; - peer to peer vulnerabilities include technical vulnerabilities, social media, and altering or masquerading content.&lt;/li&gt;&lt;li&gt;&lt;em&gt;E-mail&lt;/em&gt; – by opening a message a recipient can activate security threats such as viruses, spyware, Trojan horse programs, and worms. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Instant Messaging&lt;/em&gt; - vulnerabilities typically arise from outdated ActiveX controls in MSN Messenger, Yahoo! Voice Chat, buffer overflows, and others.&lt;/li&gt;&lt;li&gt;&lt;em&gt;USB Devices&lt;/em&gt; - plug and play devices can create risks when they are automatically recognized and immediately accessible by Windows operating systems.&lt;/li&gt;&lt;/ol&gt;&lt;a href="http://www.altiusit.com/assessmentnetworksecurityaudit.htm" target="_blank"&gt;Security assessments&lt;/a&gt; help organizations identify, manage, and reduce their risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-3642494180154720579?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/3642494180154720579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/3642494180154720579'/><link rel='alternate' type='text/html' 
href='http://itsecurityinfo.blogspot.com/2010/09/top-10-windows-vulnerabilities.html' title='Top 10 Windows Vulnerabilities'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-5908226592604748949</id><published>2010-08-03T15:20:00.000-07:00</published><updated>2010-08-03T15:37:23.310-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hacker tricks'/><category scheme='http://www.blogger.com/atom/ns#' term='hacker tools'/><category scheme='http://www.blogger.com/atom/ns#' term='top 10 tools'/><title type='text'>Top 10 Hacker Tools</title><content type='html'>By understanding how hackers gain access to systems, organizations can stay a step ahead and ensure information availability, integrity, and confidentiality. Listed below is Altius IT's list of the Top 10 Hacker Tools and Techniques:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;em&gt;Reconnaissance&lt;/em&gt;. Hackers use tools to get basic information on your systems. Tools like Netcraft and PCHels report on your domain, IP number, and operating system. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Network Exploration&lt;/em&gt;. The more information the hacker knows about your system the more ways he can find vulnerabilities. Tools such as NMap identify your host systems and services. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Probe Tools&lt;/em&gt;. Some tools were initially designed to be used by system administrators to enhance their security. Now, these same tools are used by hackers to know where to start an attack. Tools like LANguard Network Scanner identify system vulnerabilities. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Scanners&lt;/em&gt;. 
Internally, sniffer tools analyze network performance and applications. Hacker reconnaissance tools such as AET Network Scanner 10, FPort 1.33, and Super Scan 3 scan your devices to determine ports that are open and can be exploited. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Password Cracker&lt;/em&gt;. Password tools are used by security administrators to find weak passwords. These tools may also be used by hackers. Password crackers include LC5, John The Ripper, iOpus Password Recovery XP, and LastBit. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Remote Administration Tools&lt;/em&gt;. Tools such as AntiLamer and NetSlayer are used by hackers to take partial or complete control of the victim's computer.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Backdoor&lt;/em&gt;. Backdoor tools and Trojan Horses exploit vulnerabilities and open your systems to a hacker. KrAIMer and Troj/Zinx-A can be used by hackers to gain access to your systems.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Denial of Service (DoS)&lt;/em&gt;. Denial of service attacks overload a system or device so it can't respond or provide normal service. Hackers use tools such as Coldlife and Flooder to overload a system.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Recover deleted files&lt;/em&gt;. Once hackers are inside your perimeter, they can use tools like Deleted File Analysis Utility to scan your hard drive partitions for deleted files that may still be recoverable.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Web Site Tools&lt;/em&gt;. Hackers use tools such as Access Diver and IntelliTamper to index your web site pages and directories. These tools can download your site to the hacker's local hard drive. 
Once on his system, the hacker analyzes the web site to identify and exploit security vulnerabilities.&lt;/li&gt;&lt;/ol&gt;&lt;a href="http://www.altiusit.com/"&gt;Security Assessments&lt;/a&gt; help organizations identify, manage, and reduce their risks from hackers and their emerging tools.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-5908226592604748949?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/5908226592604748949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/5908226592604748949'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/08/by-understanding-how-hackers-gain.html' title='Top 10 Hacker Tools'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-905335690227610174</id><published>2010-07-01T13:40:00.000-07:00</published><updated>2010-07-01T13:45:26.144-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='wireless network risks'/><category scheme='http://www.blogger.com/atom/ns#' term='wireless security risks'/><category scheme='http://www.blogger.com/atom/ns#' term='wireless security'/><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='wireless network'/><title type='text'>Top 10 Wireless Network Risks</title><content type='html'>Many organizations are installing and implementing wireless networks. 
To help business managers make informed decisions, Altius IT provides this list of the Top 10 wireless network risks:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;em&gt;Bandwidth Stealing&lt;/em&gt; – Outside intruders can connect to wireless access points. By using the Internet connection to download music, games, and other software, they reduce employee productivity.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Criminal Activity&lt;/em&gt; - An unauthorized user can use the Internet connection for malicious purposes such as hacking or launching Denial of Service Attacks.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Masquerade&lt;/em&gt; – By using the Internet line, an intruder “hides” under protective cover and appears to be a part of your organization.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Litigation Risks&lt;/em&gt; – Organizations are at risk if the intruder is doing illegal activity such as distributing child pornography. If the criminal activity is discovered and investigated, the origin of the attack will be traced back to the organization.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Reputation&lt;/em&gt; - An organization’s image and reputation are at stake if the wireless network was used as the initial access point to hack into restricted government networks.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Financial risks&lt;/em&gt; - Most ISPs not only reveal customer information to the authorities to assist with legitimate criminal investigations, but also hold the organization responsible for any and all activities related to the Internet connection.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Confidentiality&lt;/em&gt; – Wireless networks tend to be connected to in-house private networks. This may allow an intruder to completely bypass any hardware firewall protective devices between the private network and the broadband connection.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Evil Twins&lt;/em&gt; - Most new laptops include the ability to connect to wireless networks. Laptop computers may accidentally connect to fake (“evil twin”) networks. 
Employees believe they are connected to the authentic network; however, they are actually connected to a fake network that steals IDs, passwords, and other confidential information.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Clear text&lt;/em&gt; – Some network information is transmitted in clear text and is not encrypted. Once inside your network, an intruder can install a network sniffer and gain access to confidential information without the victim’s knowledge.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Information Sensitivity&lt;/em&gt; – Not all data has the same sensitivity. Due to the risks involved with wireless networks, confidential data such as client lists, trade secrets, etc. should not be stored on or accessible by wireless networks.&lt;/li&gt;&lt;/ol&gt;&lt;a href="http://www.altiusit.com/assessmentnetworksecurityaudit.htm"&gt;Security Assessments&lt;/a&gt; help organizations identify, manage, and reduce their wireless network risks. For more information please visit us at &lt;a href="http://www.altiusit.com/"&gt;http://www.altiusit.com/&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-905335690227610174?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/905335690227610174'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/905335690227610174'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/07/top-10-wireless-network-risks.html' title='Top 10 Wireless Network Risks'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-310606957060343966</id><published>2010-06-08T15:15:00.000-07:00</published><updated>2010-06-08T15:53:38.823-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security suite'/><category scheme='http://www.blogger.com/atom/ns#' term='security software'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Suite or Best of Breed?</title><content type='html'>When choosing an enterprise security solution for your organization is it better to choose an all encompassing security suite from one vendor or select the best software in each class even if it means using a number of different vendors?&lt;br /&gt;&lt;br /&gt;Security software tends to come in modules with each module protecting against a specific type of threat. Different types of Internet threats include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Viruses, worms, Trojans&lt;/li&gt;&lt;li&gt;Spyware&lt;/li&gt;&lt;li&gt;Adware&lt;/li&gt;&lt;li&gt;Spam&lt;/li&gt;&lt;/ul&gt;Organizations such as Symantec, Trend Micro, McAfee and others offer security suites that protect against a wide range of threats. 
By using a security suite from one vendor your organization:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Reduces IT time - dealing with one vendor reduces IT time to install and maintain the software.&lt;/li&gt;&lt;li&gt;Reduces administrative time - by purchasing from one vendor, your organization reduces your number of vendors, checks produced, approvals needed, etc.&lt;/li&gt;&lt;li&gt;Reduces conflicts - in theory, by purchasing a security suite from one vendor, the vendor has tested its code and has fewer software conflicts.&lt;/li&gt;&lt;/ul&gt;There may be downsides, however, to limiting your security software to one vendor:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Single point of failure - should the security suite not function as designed (software expires, not licensed, bug or error in the code, etc.), your organization may be vulnerable to a wider range of threats.&lt;/li&gt;&lt;li&gt;Best of breed - by choosing a security suite, software modules from the chosen vendor may not be up to par with competing packages. For example, a security suite from a specific vendor may offer overall protection, however one component, say anti-spyware, may not offer the same level of protection as a best of breed anti-spyware software package.&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;Risk assessments&lt;/a&gt; help provide answers to questions such as "Should we purchase a security suite from one vendor or purchase security software modules from a number of different vendors?" Risk assessments identify an organization's assets, threats to the assets, vulnerabilities that exist as a result of the threats, and the resulting impact on the organization. 
The risk assessment helps prioritize risk areas so that the organization can make an informed decision when deciding between one vendor's security suite or electing best of breed software packages from a variety of vendors.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-310606957060343966?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/310606957060343966'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/310606957060343966'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/06/suite-or-best-of-breed.html' title='Suite or Best of Breed?'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-7275889809412687611</id><published>2010-05-19T09:41:00.000-07:00</published><updated>2010-05-19T09:59:27.522-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='physical security'/><title type='text'>Don't Forget Physical Security</title><content type='html'>Many business executives are concerned about protecting their sensitive data and intellectual property. They ask IT to address threats to these assets by implementing firewalls and anti-virus solutions to protect the organization's electronically stored information. What many executives don't know is that their major risks come from internal threats.&lt;br /&gt;&lt;br /&gt;Employees already have a sign-on ID and password to the network. 
By having this basic information, your staff already has access to resources such as customer data and email. However, the greatest risk may be physical access to IT systems.&lt;br /&gt;&lt;br /&gt;By having physical access to data centers, servers, backup tapes, laptop computers, flash drives, etc., employees can inadvertently, or on purpose, damage or destroy sensitive data. Contractors, service providers, and other personnel may also be granted physical access to sensitive data.&lt;br /&gt;&lt;br /&gt;Altius IT recommends that a physical security review be performed on a regular basis:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The first step in the physical security review is an inventory of your assets. &lt;/li&gt;&lt;li&gt;Then determine who has physical access to the assets. &lt;/li&gt;&lt;li&gt;Evaluate access and the risk to the organization. &lt;/li&gt;&lt;li&gt;Make changes as appropriate.&lt;/li&gt;&lt;/ul&gt;In many cases, it may make sense to bring in an outside consultant who specializes in this area, both to protect your sensitive assets plus ensure that your organization is minimizing its legal liability risks.  The International Association of Professional Security Consultants (&lt;a href="http://www.iapsc.org/"&gt;www.iapsc.org&lt;/a&gt;) has many members that can assist you.  
Or, &lt;a href="http://www.altiusit.com/contactus.htm"&gt;contact us&lt;/a&gt; and we'll refer you to someone who can help.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-7275889809412687611?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7275889809412687611'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7275889809412687611'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/05/dont-forget-physical-security.html' title='Don&apos;t Forget Physical Security'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-7612928847525376222</id><published>2010-04-08T13:08:00.000-07:00</published><updated>2010-04-08T13:45:20.621-07:00</updated><title type='text'>Penetration Test - Do you Know the Question?</title><content type='html'>An information security penetration test (pen test) is a systematic probing of a system for vulnerabilities. In most instances, the penetration test is performed externally, from a remote location, testing your systems much like a hacker would, looking for weak points.&lt;br /&gt;&lt;br /&gt;Penetration tests are used to evaluate network entry points such as firewalls, routers, and other equipment for misconfigurations and other issues that can allow hackers access to internal systems. In some cases, testing can evaluate web servers and web site code for risks. 
Since web sites tend to have a lot of custom code, they are subject to a variety of risks including SQL injection attacks, cross site scripting, and many other vulnerabilities.&lt;br /&gt;&lt;br /&gt;Security risks develop on a daily basis. A system that is secure one day may be wide open the next. Penetration tests are a means of evaluating your systems to ensure information remains secure and your systems are available when they are needed.&lt;br /&gt;&lt;br /&gt;Penetration tests can range from simple automated tools that look for the most basic issues to more comprehensive approaches that rely on the expertise of the person performing the test. These higher end approaches typically emulate the process used by hackers, scanning systems for vulnerabilities, evaluating the results, running other tools to make additional inroads into the network, evaluating and responding as necessary to get deeper and deeper into the system being evaluated.&lt;br /&gt;&lt;br /&gt;The approach you use should consider the sensitivity of the information you are collecting and storing, the nature of your business, and the size of your organization. Most of all, the approach taken should answer your most basic question.&lt;br /&gt;&lt;br /&gt;The lowest cost approach typically answers the question "Are there any major security holes?" A comprehensive approach takes more time and relies on the knowledge and experience of the person performing the penetration test. The comprehensive approach answers the question "Is our information secure from hackers?"&lt;br /&gt;&lt;br /&gt;Before you choose your approach, make sure you know your question. 
It will help you properly align the right penetration test with your specific needs.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/assessmentpenetration.htm"&gt;Penetration tests&lt;/a&gt; help protect your intellectual property, reduce your risks, improve your competitive position, and enhance your image and reputation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-7612928847525376222?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7612928847525376222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7612928847525376222'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/04/penetration-test-what-question-are-you.html' title='Penetration Test - Do you Know the Question?'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-8607454320069678650</id><published>2010-03-04T12:40:00.000-08:00</published><updated>2010-03-04T13:30:01.173-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='threats'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud computing'/><category scheme='http://www.blogger.com/atom/ns#' term='risks'/><title type='text'>Cloud Computing - Top 10 Threats</title><content type='html'>With 24x7 availability and accessible by almost any device with a browser, cloud computing allows organizations to scale their IT infrastructure and software 
applications as needed. However, like any technology, cloud computing has its risks.&lt;br /&gt;&lt;br /&gt;#1 Changes the business model. Cloud computing changes the way IT services are delivered. No longer delivered from an on-site location, servers, storage, and applications are provided by external service providers. Organizations need to evaluate the risks associated with the loss of control of the infrastructure.&lt;br /&gt;&lt;br /&gt;#2 Abuse. Initial registration with a cloud computing service is a pretty simple process. In many cases, the service provider even offers a free trial period. Organizations should consider their risks due to anonymous signup, lack of validation, service fraud, and ad-hoc services.&lt;br /&gt;&lt;br /&gt;#3 Insecure interfaces. Application programming interfaces (APIs) are used to establish, manage, and monitor services. These interfaces may be subject to security vulnerabilities that put your users at risk.&lt;br /&gt;&lt;br /&gt;#4 Malicious insiders. One of the benefits of cloud computing is that your organization doesn't need to know the technical details of how the services are delivered. The provider's procedures, physical access to systems, monitoring of employees, and compliance related issues are transparent to the customer. Without full knowledge and control, your organization may be at risk.&lt;br /&gt;&lt;br /&gt;#5 Shared technology. Cloud computing allows multiple organizations to share and store data on the servers. However, the original server hardware and operating systems were most likely designed for use by a single tenant (one organization). Organizations should ensure the appropriate controls are in place to keep your data secure.&lt;br /&gt;&lt;br /&gt;#6 Data loss and leakage. With shared infrastructure resources, organizations should be concerned about the service provider's authentication systems that grant access to data. 
Organizations should also ask about encryption, data disposal procedures, and business continuity.&lt;br /&gt;&lt;br /&gt;#7 Account hijacking. Organizations should be aware that account hijacking can occur. Simple Internet registration systems, phishing and fraud schemes can allow a hacker to take over control of your account.&lt;br /&gt;&lt;br /&gt;#8 Risk profile. For many service providers, the focus is on functionality and benefits, not security. Without appropriate software updates, intrusion prevention, and firewalls, your organization may be at risk.&lt;br /&gt;&lt;br /&gt;#9 Users. When using cloud services, your users' activities such as clicking links in e-mail messages, Instant Messaging, visiting fake web sites, etc. can download malware to a local workstation. Once installed, the malware can launch attacks against your internal network.&lt;br /&gt;&lt;br /&gt;#10 Browsers. Several years ago, hackers used to attack software operating systems. More recently, hackers have shifted their attacks to target user browsers. By exploiting browser vulnerabilities, hackers have access to the same applications and data that your users access.&lt;br /&gt;&lt;br /&gt;Internet cloud computing services provide both business and technical benefits. 
&lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;Risk assessments&lt;/a&gt; help organizations identify, manage, and reduce their cloud computing risks so that they may achieve the greatest benefits at the lowest level of risk.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-8607454320069678650?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/8607454320069678650'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/8607454320069678650'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/03/cloud-computing-top-10-threats.html' title='Cloud Computing - Top 10 Threats'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-1719853828095971491</id><published>2010-02-02T10:08:00.000-08:00</published><updated>2010-02-02T10:55:05.634-08:00</updated><title type='text'>Justifying a Security Audit</title><content type='html'>How do you justify hiring an outside, independent security auditor to perform an assessment of your organization's technology systems?  It is an easy decision if you've been hacked and you want the peace of mind knowing that your systems are now secure.  It is also an easy decision if you are in a compliance related industry that mandates annual security audits.  What do you do if you don't fall into one of these categories?  
How do you justify bringing in an outside auditor?&lt;br /&gt;&lt;br /&gt;In many instances, security audits provide both tangible and intangible benefits.  For example, an outside security audit of your systems demonstrates to prospects your commitment to protecting their data.  By being proactive, you gain a competitive edge which helps you close more deals.  If, in talking with your prospects, you find you can close 5% more deals, you can quantify the benefit of the security audit as it relates to your sales and marketing activities.&lt;br /&gt;&lt;br /&gt;Security audits can also help protect your intellectual property (IP).  For example, if you have a staff of programmers and estimate the value of your custom code at millions of dollars, you'll want to ensure that the proper controls are in place and working with sufficient effectiveness to protect your IP assets.  A loss of your IP could result in significant damage to your company, resulting in a drop in revenues of 25% or greater.&lt;br /&gt;&lt;br /&gt;Many organizations are only worried about hackers and external threats.  However, studies have shown that your employees are your greatest risk since they already have access to your systems.  By reducing your internal security risks, you lower your costs and increase employee efficiency.  Management also has the peace of mind knowing that your information is secure from both internal and external threats. 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Security audits&lt;/a&gt; provide a bottom line return on the investment by increasing your revenues, protecting your intellectual property, reducing your risks, and enhancing your image and reputation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-1719853828095971491?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1719853828095971491'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1719853828095971491'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/02/justifying-security-audit.html' title='Justifying a Security Audit'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-2537960251618391764</id><published>2010-01-13T11:14:00.000-08:00</published><updated>2010-01-13T11:19:41.658-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='asset inventory'/><category scheme='http://www.blogger.com/atom/ns#' term='assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='security vulnerabilities'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Information Security Tip #1: Inventory Your Assets</title><content type='html'>Understanding your information assets and access to information is essential to assessing security vulnerabilities.  
Whether you are an industry giant or a lean-and-mean one-person shop, here are some tips on conducting your own internal investigation:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Inventory. Inventory all servers, computers, flash drives, disks, and other equipment to find out where your company stores sensitive data.  Also include laptops, employees’ home offices, cell phones, and e-mail.  No security audit is complete until you check everywhere sensitive data might be stored.&lt;/li&gt;&lt;li&gt;Interview. Track personal information through your business by talking with your technology staff, human resources office, accounting personnel, and outside service providers.  Get a complete picture of who sends your company sensitive data.  Do you get it from customers?  Call centers?  Credit card companies?  Banks or other financial institutions?  What about affiliates and contractors? &lt;/li&gt;&lt;li&gt;Forms.  How does sensitive data come in to your company?  Via your website? E-mail?  Through the mailroom?  What kind of information is collected at each entry point?  Customers’ credit card, debit, or checking account numbers?  Do you receive sensitive health or financial data?&lt;/li&gt;&lt;li&gt;Access. Who has, or could have, access to the information?  Which of your employees has permission to look at or view sensitive data?  Could anyone else get a hold of it?  What about vendors who supply and update software you use to process credit card transactions?  Do you have contractors that run your call center, distribution, or fulfillment operations?&lt;/li&gt;&lt;li&gt;Storage.  Different types of data present varying risks.  Pay particular attention to how you store personally identifying information such as Social Security numbers, credit card numbers, checking account, or other financial information.  
Determine if the data you store can facilitate fraud or identity theft if it fell into the wrong hands.&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://www.altiusit.com/"&gt;Network security assessments&lt;/a&gt; help identify, manage, and reduce your IT related risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-2537960251618391764?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/2537960251618391764'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/2537960251618391764'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2010/01/information-security-tip-1-inventory.html' title='Information Security Tip #1: Inventory Your Assets'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-2026371199120930852</id><published>2009-12-03T09:54:00.000-08:00</published><updated>2009-12-03T09:57:08.671-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='retention'/><category scheme='http://www.blogger.com/atom/ns#' term='disposal'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Information Security Tip #2: Less is More</title><content type='html'>Protect your customers and employees by securing sensitive data in your possession.  Keep only what you need for business:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Eliminate.  If you don’t have a valid business reason to collect personal information, don’t collect or gather such information. 
 Once you gather information it must be stored, archived, protected, and disposed.  By not collecting the information, you save your organization a lot of unnecessary work.  Review the forms you use to gather data (applications, fill in web site forms, etc.) and revise them to eliminate requests for information you don’t need.&lt;/li&gt;&lt;li&gt;Archive. Unless you have a legitimate business justification, don’t store and retain sensitive information.  Keeping sensitive data longer than necessary creates an unwarranted risk for fraud.&lt;/li&gt;&lt;li&gt;Defaults.  Sometimes the software you use is preset to store information permanently. Check your settings to make sure you’re not inadvertently keeping more than you need.&lt;/li&gt;&lt;li&gt;Compliance.  Ensure your organization meets required compliance privacy and security requirements. &lt;/li&gt;&lt;li&gt;Retention. If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what must be kept, how to secure it, how long to keep it, who’s authorized to access it, and how to dispose of it securely when you no longer need it.&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Risk assessments&lt;/a&gt; help organizations identify, manage, and reduce their information risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-2026371199120930852?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/2026371199120930852'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/2026371199120930852'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/12/information-security-tip-2-less-is-more.html' title='Information Security Tip #2: Less 
is More'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-8968239732870304074</id><published>2009-11-09T11:58:00.000-08:00</published><updated>2009-11-09T12:03:26.577-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policies and procedures'/><category scheme='http://www.blogger.com/atom/ns#' term='polices'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Information Security Tip #3: Procedures</title><content type='html'>Policies and procedures help you meet your obligation to your customers, affiliates, and employees.   Protect your electronic information with these simple steps:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Physical security.  Network defenses can be critical, but when it comes to protecting personal information, don’t forget physical security.  Ensure access to network servers is restricted to authorized personnel.  &lt;/li&gt;&lt;li&gt;Encryption.  Use encryption to protect sensitive data such as credit card numbers, social security numbers, driver’s license numbers, etc.&lt;/li&gt;&lt;li&gt;Viruses.  Viruses, spyware, and other malware can compromise your systems and your data.  Ensure your anti-virus and anti-spyware software is updated on a regular basis.&lt;/li&gt;&lt;li&gt;Passwords.  Most organizations use an ID and password to grant access to your data.  Ensure your passwords are long and complex and changed on a regular basis.&lt;/li&gt;&lt;li&gt;Education.  Remind your employees that electronic security is everybody’s business.  
Hackers certainly pose a threat, but sometimes the biggest risk to a company’s security is an employee who hasn’t learned the basics.&lt;/li&gt;&lt;li&gt;Access.  Provide access to sensitive information only on a “need to know” basis.  Have a procedure in place for making sure that workers who leave your employ or move to another part of the business no longer have access to off-limits information.&lt;/li&gt;&lt;li&gt;Detection.  Intrusion detection systems can alert you to breaches in your network security.  IT should monitor incoming and outgoing traffic for higher-than-average use at unusual times of the day.  &lt;/li&gt;&lt;li&gt;Patching.  Check expert resources like www.sans.org and your software vendors’ websites for alerts about the latest vulnerabilities and vendor-approved patches.&lt;/li&gt;&lt;li&gt;Providers.  Ensure security practices of your contractors and service providers.  Before outsourcing business functions, ensure agreements define security requirements. &lt;/li&gt;&lt;li&gt;Documentation.  Organization policies give direction and guidance but generally lack sufficient details to describe how things should be done.  
By documenting your detailed procedures, your organization can ensure consistent and sustainable protection of your information assets.&lt;/li&gt;&lt;/ul&gt;Not all risks are created equal and &lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;risk assessments&lt;/a&gt; help firms reduce their costs while increasing protection of their “information assets”.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-8968239732870304074?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/8968239732870304074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/8968239732870304074'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/11/information-security-tip-3-procedures.html' title='Information Security Tip #3: Procedures'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-4171122574120951230</id><published>2009-10-01T13:27:00.000-07:00</published><updated>2009-10-01T13:46:33.556-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='equipment'/><category scheme='http://www.blogger.com/atom/ns#' term='disposal'/><category scheme='http://www.blogger.com/atom/ns#' term='hard drive'/><category scheme='http://www.blogger.com/atom/ns#' term='information'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><title type='text'>Information Security Tip #4: Disposal</title><content type='html'>&lt;strong&gt;Disposal&lt;/strong&gt;. 
Ensure your organization takes the following precautions when disposing of workstations, laptops, USB flash drives, and other devices that may contain sensitive information:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;Delete&lt;/em&gt;. Deleting a computer file doesn’t mean that the information has been permanently removed from your system. The data may continue to exist on the computer’s hard drive and could be easily retrieved. Ensure your employees request assistance from your IT department when permanently deleting data.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Disposal&lt;/em&gt;. When getting rid of old computers, laptops, hard drives, portable storage devices, cell phones, etc., use wipe utility programs or physically destroy the media. Wipe utility programs are inexpensive and overwrite the contents so that the files are no longer recoverable.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Remote&lt;/em&gt;. Whether working from home or on the road, ensure telecommuters and business travelers maintain your company’s high security standards. Remind employees and contractors to be as careful when disposing of sensitive documents off-site as they are when creating them.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Compliance&lt;/em&gt;. If you use consumer credit reports in your business, you may be subject to the FTC’s Disposal Rule. The Rule requires companies to adopt reasonable and appropriate disposal practices to prevent the unauthorized access to, or use of, information in credit reports. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Papers&lt;/em&gt;. Effectively dispose of paper records containing sensitive data. 
Having shredders available throughout the workplace helps ensure employees understand the need to properly dispose of sensitive information.&lt;/li&gt;&lt;/ul&gt;IT security audits and assessments help organizations identify, manage, and reduce their security risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-4171122574120951230?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4171122574120951230'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4171122574120951230'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/10/information-security-tip-4-disposal.html' title='Information Security Tip #4: Disposal'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-8177313303871953717</id><published>2009-09-10T16:17:00.000-07:00</published><updated>2009-09-10T16:25:12.710-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='incident response'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Information Security Tip #5: Incident Response</title><content type='html'>&lt;p&gt;&lt;strong&gt;Incident Response&lt;/strong&gt;. Taking steps to protect personal information in your files and on your network can go a long way toward preventing a security breach. Nevertheless, breaches can happen. That’s why Altius IT recommends that organizations have a plan in place to respond to security incidents. 
Altius IT's tips on customizing your company’s security response plan include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;Team&lt;/em&gt;. Senior management sets the tone for an organization’s commitment to data security. Designate a well-respected senior official to head up your response team.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Plan&lt;/em&gt;. Once you’ve put together your response team, have them draft plans for how your business will respond to different types of security incidents. Sample scenarios may include a lost laptop, servers hacked, internal theft of data, etc. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Timely&lt;/em&gt;. If your staff suspects a breach, investigate it immediately. Waiting days to convene a committee can waste precious time.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Disconnect&lt;/em&gt;. If you suspect a computer breach, immediately sever the compromised computer’s access to the Internet and to your network. To assess the impact, ask your IT staff to preserve any available network logs, file transfer logs, system logs, and access reports. Also investigate if intruders opened files or placed new programs on your computer.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Contact&lt;/em&gt;. Consider whom to inform in the event of an incident, both inside and outside your company. You may need to notify consumers, law enforcement agencies, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, about 40 states have laws addressing data breaches. 
Have that information on file before you need it.&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Security assessments&lt;/a&gt; help organizations identify, manage, and reduce their risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-8177313303871953717?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/8177313303871953717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/8177313303871953717'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/09/information-security-tip-5-incident.html' title='Information Security Tip #5: Incident Response'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-7297807556808139459</id><published>2009-08-04T15:13:00.000-07:00</published><updated>2009-08-04T16:20:48.737-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='assessments'/><category scheme='http://www.blogger.com/atom/ns#' term='electronic threats'/><category scheme='http://www.blogger.com/atom/ns#' term='intangible assets'/><category scheme='http://www.blogger.com/atom/ns#' term='information'/><category scheme='http://www.blogger.com/atom/ns#' term='risks'/><title type='text'>Protecting Intangible Assets</title><content type='html'>As recently as 1982, tangible equipment such as buildings, facilities, furniture, computer hardware, etc. comprised 62% of an organization's business value. 
Unfortunately, large buildings and facilities were expensive to acquire and maintain. Over time, organizations adopted a new business model, relying on technology to deliver products and services at a lower cost.&lt;br /&gt;&lt;br /&gt;By reworking their business model, firms automated many of their manual processes and migrated from manufacturing plants and equipment to the electronic delivery of products and services. This transition shifted organization value from tangible to intangible assets. By 2002, tangible assets were only 12% of an average company's market value. 88% of the value of the organization was attributed to intangible assets such as intellectual property and "information assets".&lt;br /&gt;&lt;br /&gt;With the change in business model from tangible equipment to "information assets", organizations experienced a new type of business risk, electronic threats. Electronic threats included viruses, hackers, data theft, and many others. Without proper protection, organizations found that their market value was at risk. Over time, organizations implemented security in a reactive manner, first installing anti-virus software and later implementing firewalls as Internet risks increased. Unfortunately, this ad-hoc approach wasn't sufficient and many firms experienced downtime, lost employee efficiency, and reduced market value.&lt;br /&gt;&lt;br /&gt;Leading organizations took a different approach, realizing that security needed to be implemented according to the value of their intangible assets. 
Since many threats were hidden, a proactive approach of using risk assessments helped these organizations identify hidden threats, implement steps to manage these risks, and eliminate or reduce threats to acceptable levels.&lt;br /&gt;&lt;br /&gt;Not all risks are created equal and &lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;risk assessments&lt;/a&gt; help firms reduce their costs while increasing protection of their “information assets”.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-7297807556808139459?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7297807556808139459'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7297807556808139459'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/08/protecting-intangible-assets.html' title='Protecting Intangible Assets'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-8351668838826964483</id><published>2009-07-15T09:45:00.000-07:00</published><updated>2009-07-15T09:59:36.273-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Risk Analysis</title><content type='html'>Risk analysis helps organizations secure sensitive 
information, protect their image and reputation, and meet compliance requirements. A formal risk analysis process includes identifying risk areas and implementing controls to reduce risks to acceptable levels.&lt;br /&gt;&lt;br /&gt;The first step in the process is to identify assets that need protection. The assets can be tangible or intangible and generally provide value to the organization. Examples of tangible assets include buildings, employees, computer and network servers, etc. Examples of intangible assets may include intellectual property, custom software presently installed and under development, customer lists, goodwill, etc.&lt;br /&gt;&lt;br /&gt;Once the assets have been identified, you will want to identify threats to the assets. The threats can be unintentional or intentional and may include:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Natural threats (acts of God)&lt;/li&gt;&lt;li&gt;Accidental or unintentional threats (worker illness, equipment failure)&lt;/li&gt;&lt;li&gt;Intentional threats such as asset theft and asset tampering (malicious damage)&lt;/li&gt;&lt;/ul&gt;For each threat, there may be one or more specific vulnerabilities. Vulnerabilities may be based upon location, employee skill sets, network access controls, network monitoring, etc. Examples of vulnerabilities include lack of employee security related education, user knowledge, security functionality, poor password selection by employees, etc. Once a vulnerability has been identified, you should determine how likely it is to occur (probability).&lt;br /&gt;&lt;br /&gt;Once your assets, threats, and vulnerabilities have been identified, you can then evaluate the potential impact or loss. Examples of impact can include the cost of downtime, loss of information, breach of legislation, impact on reputation, loss of opportunity, etc. 
For each asset, consider the asset value, specific vulnerability, and probability of the event.&lt;br /&gt;&lt;br /&gt;The next step in the risk analysis process is to develop controls that help eliminate risks or reduce them to acceptable levels.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Risk assessments&lt;/a&gt; help organizations identify, manage, and reduce their risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-8351668838826964483?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/8351668838826964483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/8351668838826964483'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/07/risk-analysis.html' title='Risk Analysis'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-2820648715199389695</id><published>2009-06-16T10:24:00.000-07:00</published><updated>2009-06-16T10:38:41.902-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='electronic documents'/><category scheme='http://www.blogger.com/atom/ns#' term='document management'/><title type='text'>Proactive Document Management</title><content type='html'>As organizations review their business processes and make them more efficient, document management solutions help automate the process of electronically 
capturing, storing, and securely managing business information.&lt;br /&gt;&lt;br /&gt;Benefits of electronic document management solutions include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Centralized storage of information leads to increased employee productivity&lt;/li&gt;&lt;li&gt;Enhanced levels of customer service through improved access to information&lt;/li&gt;&lt;li&gt;Reduced costs by instantly locating documents&lt;/li&gt;&lt;/ul&gt;Document management solutions do have their risks.  If documents are not filed using a formal methodology, document management solutions can reduce employee productivity and increase your costs. In addition, failure to manage and secure your documents may increase your liability to lawsuits.&lt;br /&gt;&lt;br /&gt;A proactive approach to managing electronic files protects your documents and helps meet compliance requirements. Many firms are using &lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;security audits&lt;/a&gt; to help them identify, manage, and reduce their document management risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-2820648715199389695?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/2820648715199389695'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/2820648715199389695'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/06/proactive-document-management.html' title='Proactive Document Management'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-1486527901286851707</id><published>2009-05-14T14:35:00.000-07:00</published><updated>2009-05-14T14:49:19.469-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='employee'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Security During Tough Economic Times</title><content type='html'>&lt;strong&gt;Employee risks.&lt;/strong&gt; Although many decision makers are focused on getting through tough economic times, security experts say that management needs to be wary of employees who, fearful that their jobs could be on the chopping block, could take actions that potentially jeopardize the physical and logistical security of the company. As companies automate manual processes and adapt to the changing economic environment, merge IT departments, and cut back on controls, organizations face greater threats.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;Risk assessments&lt;/a&gt; can help identify sensitive and proprietary information, risks to the data, and relevant state and federal compliance requirements. Everyone is concerned about security and protecting sensitive information. 
Once sensitive data and compliance requirements have been identified, the organization can leverage the information from the risk assessments to build in security structures that protect against IT, people, and process threats.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Network and security assessments&lt;/a&gt; help protect your sensitive information and provide peace of mind.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-1486527901286851707?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1486527901286851707'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1486527901286851707'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/05/security-during-tough-economic-times.html' title='Security During Tough Economic Times'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-9005771972801619290</id><published>2009-04-09T13:52:00.000-07:00</published><updated>2011-05-11T14:46:47.376-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='penetration test'/><category scheme='http://www.blogger.com/atom/ns#' term='penetration assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><category scheme='http://www.blogger.com/atom/ns#' term='security scan'/><title type='text'>Automated Scans Aren't Sufficient</title><content type='html'>&lt;strong&gt;Automated 
scanners&lt;/strong&gt;. If automated vulnerability scanners caught all security risks, hackers would be out of business and security personnel wouldn't have much to do. In reality, automated vulnerability scanners are only one tool used in the process of identifying and managing security risks.&lt;br /&gt;&lt;br /&gt;For many organizations, web applications are a vulnerable element of an organization’s IT infrastructure. As your organization uses the Internet for customer, supplier, employee, and vendor interactions, Internet technologies and database interfaces become complex and require additional security.&lt;br /&gt;&lt;br /&gt;Automated web site scans provide little defense against knowledgeable hackers and full scale web attacks. Hackers don’t rely exclusively on automated scanners and neither should you. Organizations should use manual tools and experienced professionals to find technical vulnerabilities as well as identify risk areas created during the design, programming, installation, and maintenance phases of a software development lifecycle.&lt;br /&gt;&lt;br /&gt;By emulating the approach used by hackers, organizations can better protect themselves and the sensitive information stored on servers. 
Altius IT recommends &lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;network and security audits&lt;/a&gt; that can assess internal &lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;network security&lt;/a&gt;, &lt;a href="http://www.altiusit.com/assessmentpenetration.htm"&gt;firewalls&lt;/a&gt;, and &lt;a href="http://www.altiusit.com/assessmentwebapp.htm"&gt;web application&lt;/a&gt; vulnerabilities.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-9005771972801619290?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/9005771972801619290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/9005771972801619290'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/04/automated-scans-arent-sufficient.html' title='Automated Scans Aren&apos;t Sufficient'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-1071825754231006586</id><published>2009-03-03T14:31:00.000-08:00</published><updated>2009-03-03T14:40:27.706-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='security quiz'/><title type='text'>Small Business Security Quiz</title><content type='html'>&lt;strong&gt;Take this 
quiz to determine your Security Quotient.&lt;/strong&gt;  Preparation is the key to protecting your company’s information assets.  Take this security quiz to determine your Security Quotient.&lt;br /&gt;1) We have recent off-site computer backups.  Yes/No&lt;br /&gt;2) We have updated anti-virus software on all computers/servers.  Yes/No&lt;br /&gt;3) We restrict employee access to confidential information.  Yes/No&lt;br /&gt;4) All of our policies are documented and in written form.  Yes/No&lt;br /&gt;5) We have a firewall to protect us.  Yes/No&lt;br /&gt;6) We encrypt confidential documents/E-mail.  Yes/No&lt;br /&gt;7) We have a formal electronic document archiving procedure.  Yes/No&lt;br /&gt;8) We monitor and restrict Internet access.  Yes/No&lt;br /&gt;9) We performed a security assessment of our IT systems.  Yes/No&lt;br /&gt;10) We can distinguish an intruder from normal Internet traffic.  Yes/No&lt;br /&gt;&lt;br /&gt;Score one point for each Yes answer. &lt;br /&gt;  8 or more points - You are well on your way to securing your IT systems.&lt;br /&gt;  6 to 7 points - keep working, you may need assistance to reduce risks.   
&lt;br /&gt;  5 or fewer points - you need to make security a priority and get assistance as soon as possible.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Network and security assessments&lt;/a&gt; help protect your sensitive information and provide peace of mind.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-1071825754231006586?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1071825754231006586'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1071825754231006586'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/03/small-business-security-quiz.html' title='Small Business Security Quiz'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-4200593315198331292</id><published>2009-02-03T13:06:00.000-08:00</published><updated>2009-02-03T13:32:28.482-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='managed security services'/><title type='text'>Managed Security Services</title><content type='html'>Leading firms are taking a proactive approach to security and using managed security services to reduce their IT related risks. 
Managed security services typically provide traditional forms of security protection:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;Network Infrastructure&lt;/em&gt; - Physical access to servers, system backups with off-site rotation, encrypting the backup media, and protecting wireless networks.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Internet Connectivity&lt;/em&gt; - protection can include firewalls &amp;amp; Virtual Private Network (VPN), intrusion detection and prevention, and remote connectivity.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Management&lt;/em&gt; - incident response plans, patch management, and change management processes.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Employee Management&lt;/em&gt; - policies and procedures, passwords, protection against social engineering, locking down USB thumb drives, handheld PDAs, encrypting laptop hard drives, etc.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Document Management&lt;/em&gt; - protection includes access privileges, document retention and archiving, encryption, etc.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Electronic threats&lt;/em&gt; - protection through anti-virus, anti-spyware, anti-popup, etc.&lt;/li&gt;&lt;li&gt;&lt;em&gt;E-mail &amp;amp; Communications&lt;/em&gt; - anti-spam, e-mail archiving, instant messaging (IM), and archiving.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Risk Management&lt;/em&gt; - risk evaluation, business continuity planning, testing, etc.&lt;/li&gt;&lt;/ul&gt;While managed security services provide the initial layers of protection against IT related threats, they should be supplemented with security assessments and audits. Assessments and audits help ensure the organization's security expenditures are properly allocated to the most important areas. 
In addition, &lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;assessments and audits&lt;/a&gt; help protect the organization's intellectual property and its image and reputation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-4200593315198331292?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4200593315198331292'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4200593315198331292'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/02/managed-security-services.html' title='Managed Security Services'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-7765622065274070600</id><published>2009-01-06T15:11:00.000-08:00</published><updated>2009-01-06T15:23:53.112-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><title type='text'>Security Assessments – A Subscription Service</title><content type='html'>&lt;strong&gt;A matter of priority.&lt;/strong&gt;  Not every security risk is created equal.  Some risks have a greater impact than others.  In addition, some threats are more likely to occur than others.  Security assessments help organizations allocate their budget to the areas that reduce risks.&lt;br /&gt;&lt;br /&gt;Security is an on-going process and leading organizations are taking a subscription approach to security assessments. 
 With new vulnerabilities discovered on a daily basis, a system that is secure one day may be completely wide open the next.  Much like regular anti-virus updates, subscribing to recurring security assessments helps your organization identify weaknesses before they can be exploited.  Security assessments provide specific knowledge about your system, allowing you to more effectively allocate your security budget.&lt;br /&gt;&lt;br /&gt;Don’t wait for an unwanted intruder to discover your network vulnerabilities. A comprehensive network &lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;security assessment&lt;/a&gt; helps:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Protect your image and reputation&lt;/li&gt;&lt;li&gt;Reduce your costs by cost effectively allocating your security budget to the most important areas&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-7765622065274070600?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7765622065274070600'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7765622065274070600'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2009/01/security-assessments-subscription.html' title='Security Assessments – A Subscription Service'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-7376536668855772814</id><published>2008-12-04T11:46:00.000-08:00</published><updated>2008-12-04T11:56:46.293-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Mitigating Risks</title><content type='html'>&lt;p&gt;Organizations are finding that IT systems are a double edge sword. Not only do they increase employee productivity and reduce costs, they also increase risks as intellectual property and sensitive information are stored in a central location. &lt;a href="http://www.altiusit.com/assessmentsoverview.htm"&gt;Assessments&lt;/a&gt; can help organizations identify and manage risks. Once risk areas have been identified, organizations have a number of ways to mitigate or reduce their risks. &lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;Risk Assumption&lt;/em&gt;. Accept the potential risk and continue operating the IT system or implement controls to lower the risk to an acceptable level. Administrative, physical, and technical controls help lower the organization's risks. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Risk Avoidance&lt;/em&gt;. Avoid the risk by eliminating the risk and/or consequence. For example, bypass or eliminate certain functions of a system or shut down the system when risks are identified. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Risk Limitation&lt;/em&gt;. Limit the risk by implementing controls that minimize the adverse impact of the risk. For example, implement preventive controls such as Intrusion Prevention Systems (IPS) that actively identify and restrict access to information. 
&lt;/li&gt;&lt;li&gt;&lt;em&gt;Risk Planning&lt;/em&gt;. Manage risks by developing a risk mitigation plan that prioritizes, implements, and maintains controls. Implement managed services to minimize risks. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Risk Research&lt;/em&gt;. Lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Risk Transference&lt;/em&gt;. Compensate for the loss by transferring the risk to another party. In addition to securing systems,organizations have the option to insure against security breaches. For example, insurance can cover the cost of regulatory mandated notifications that a security breach has occurred as well as fines, fees, or penalties arising from privacy or consumer protection errors. &lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-7376536668855772814?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7376536668855772814'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7376536668855772814'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/12/mitigating-risks.html' title='Mitigating Risks'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-5278362784218929578</id><published>2008-11-11T15:21:00.000-08:00</published><updated>2008-11-11T15:28:40.550-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='database'/><title type='text'>Database Regulatory and Compliance Issues</title><content type='html'>Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley (GLB) Act were all enacted to help protect information.  These acts require internal controls to protect information integrity, confidentiality, availability, and accountability.  While accountants and auditors are familiar with internal controls, many IT departments lack the knowledge and controls needed to safeguard information.  Even sophisticated databases, managed by Database Administrators (DBAs), lack secure controls and connectivity to information.&lt;br /&gt;&lt;br /&gt;Many DBAs have complete access to all of your organization's data.  While complete access helps manage and minimize downtime, it also puts your organization at risk as the DBA has access to all information and log files.  Your management must determine the minimum amount of access needed to allow the DBAs to perform job duties.  
For example, must the DBA have access to confidential or sensitive data such as payroll, protected health information (PHI), or other types of confidential information?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Assessments&lt;/a&gt; help ensure your internal controls provide the appropriate reporting and procedures, detect unauthorized use of systems, and meet compliance requirements.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-5278362784218929578?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/5278362784218929578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/5278362784218929578'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/11/database-regulatory-and-compliance.html' title='Database Regulatory and Compliance Issues'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-7287720472511037547</id><published>2008-10-02T11:03:00.000-07:00</published><updated>2008-10-02T11:10:56.038-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='facta'/><category scheme='http://www.blogger.com/atom/ns#' term='red flags rule'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>FACTA Identity Theft Red Flags Rule</title><content type='html'>&lt;strong&gt;FACTA&lt;/strong&gt; - the Fair and Accurate Credit Transactions Act of 2003 requirement, known as the 
“Identity Theft Red Flags Rule”, became effective January 1, 2008, with compliance mandatory by November 1, 2008. It requires certain organizations to adopt a written identity theft prevention program approved by the Board of Directors.&lt;br /&gt;&lt;br /&gt;The Identity Theft Prevention Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. The regulation requires an institution to have:&lt;br /&gt;1) An established written Identity Theft Prevention Program approved by the Board&lt;br /&gt;2) Initial Risk Assessment&lt;br /&gt;3) Policies and procedures for detecting, preventing, and mitigating identity theft.  This includes identifying patterns of activity that are signals for possible identity theft, monitoring and detecting “red flags”, responding appropriately to any red flags, policies and procedures to verify address changes&lt;br /&gt;4) Regular compliance reporting&lt;br /&gt;5) Oversight of service providers&lt;br /&gt;6) Mandatory staff training&lt;br /&gt;7) Ensure the Program is reviewed and periodically updated to reflect changes&lt;br /&gt;&lt;br /&gt;Find out more information on complying with FACTA and the initial &lt;a href="http://www.altiusit.com/riskassessmentsfacta.htm"&gt;risk assessment&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-7287720472511037547?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7287720472511037547'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7287720472511037547'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/10/facta-identity-theft-red-flags-rule.html' title='FACTA Identity Theft Red Flags Rule'/><author><name>Jim 
Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-3297223014467352311</id><published>2008-09-09T09:46:00.000-07:00</published><updated>2008-09-09T10:01:25.088-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software as a service'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud computing'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Cloud Computing – Thunder and Lightening on Your Horizon?</title><content type='html'>&lt;strong&gt;Cloud Computing&lt;/strong&gt;&lt;br /&gt;As organizations automate more and more of their manual processes, the Internet is increasingly becoming an important tool in the delivery of IT services.  Several years ago, organizations purchased software on CD-ROMs and DVD media.  Today, users have the choice of downloading software from the Internet or using their browser to access software that runs outside the organization on Internet servers.  The use of external software on Internet servers is called Software as a Service (SAAS). &lt;br /&gt;&lt;br /&gt;Instead of writing software for a workstation, software developers are now writing software programs that run on Internet servers.  This software may run on servers outside the organization on other companies’ data centers.  Familiar examples include web sites such as Amazon.com and Salesforce.com.&lt;br /&gt;&lt;br /&gt;In the past, individual applications ran in the Internet cloud.  Now, entire data centers are moving to the cloud, accessible by a wide range of users.  Cloud computing describes a grouping of service offerings that includes application software, data storage, and computing.  
The computing can be delivered over the Internet (public cloud computing) or within an organization (private cloud computing).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Cloud advantages over desktop software&lt;/strong&gt;&lt;br /&gt;Many SAAS applications are available at little to no cost.  In addition to lower software costs, IT administration labor costs are reduced as software does not need to be installed and constantly patched.  SAAS applications tend to be supported by paid advertisers, thus subsidizing the cost to the software user.&lt;br /&gt;&lt;br /&gt;Another benefit is group collaboration.  In the past, software was loaded on many distributed devices.  With the Internet cloud, software and data can be stored on centralized servers facilitating access to data by a large group of users.&lt;br /&gt;&lt;br /&gt;Cloud computing offers almost unlimited storage of applications and data.  No longer must users and IT staff be concerned about collecting and archiving volumes of data.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Mobile applications&lt;/strong&gt;&lt;br /&gt;Employees want functionality and access to data from a number of different locations.  The Internet cloud allows hand held Personal Digital Assistants (PDAs) and laptop users to access applications and data from a variety of locations.  Internet cloud computing allows information to be accessed by a number of different devices (desktop, laptop, mobile phone, GPS, etc.) since the applications and data are stored at Internet data centers.&lt;br /&gt;&lt;br /&gt;Mobile computing will drive more applications to the Internet cloud.  
The cloud is an ideal way of supplying software and data to small computing devices that don’t have the storage and processing power to hold volumes of applications and information.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Application interfaces&lt;br /&gt;&lt;/strong&gt;Internet applications leverage the power of end user devices by introducing to browsers features commonly found in the graphical interfaces on desktop applications.  Better software development tools support applications that can run on a wide range of devices from desktop browsers to smart phones.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Public cloud computing risks&lt;/strong&gt;&lt;br /&gt;As with any other form of technology, organizations must address a wide range of cloud computing risks:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;User traffic&lt;/em&gt; – in the past, applications and data were stored locally.  With Internet cloud information accessed via Internet lines, connectivity and bandwidth usage may become a critical issue if Internet users create Internet access bottlenecks.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Internet connectivity&lt;/em&gt; – connectivity to the Internet increases in importance.  If Internet connectivity is down for an extended period of time, employee productivity will drop.  Redundant high speed Internet lines may be needed to help mitigate this risk.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Employee productivity&lt;/em&gt; – applications and data that are stored on user hard drives tend to have fast response times with little impact on the employee.  Internet applications may experience delays and not be able to manage volumes of data.  Service Level Agreements (SLAs) with the cloud computing vendors can provide response time, throughput, and other metrics that help protect the organization.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Lack of availability&lt;/em&gt; – there are risks related to having a critical software application programmed and managed by an outside entity.  
If a vendor’s software application ceases to function, the organization may experience financial losses as well as damage to its image and reputation. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Confidentiality&lt;/em&gt; – SAAS vendors may store data in a central repository.  This repository may hold data from many different businesses, even competitors.  The organization should determine if it is appropriate to store the type of information (client lists, pricing, intellectual property, etc.) on external servers.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Integrity&lt;/em&gt; – since data is stored on outside servers, the organization must ensure information integrity.  Balancing controls, managing information stored on external servers, monitoring, and other controls must be used to protect the organization.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Compliance&lt;/em&gt; – information collected, stored, archived, and secured must meet regulatory requirements.&lt;/li&gt;&lt;/ul&gt;&lt;strong&gt;Privacy issues&lt;br /&gt;&lt;/strong&gt;In exchange for lower cost service delivery, users may have to provide personal information.  This information is often used to deliver custom advertisements.  The cloud model may require sharing of information with other marketing alliances in exchange for the convenience and low cost of using Internet cloud applications. &lt;br /&gt;&lt;br /&gt;Many SAAS vendors focus on one area of specialty, storage, e-mail applications, on-line backups, etc.  Organizations must rely on the vendor’s security solutions to protect their information.  Unfortunately, for many SAAS vendors, their focus is on service functionality, not security.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Private cloud computing&lt;/strong&gt;&lt;br /&gt;Organization data centers adopting the technologies and practices of public cloud infrastructures can be considered private clouds.  Private clouds are data centers within the corporate perimeter, within the firewall. 
&lt;br /&gt;&lt;br /&gt;Software applications can be designed for both the public and private cloud infrastructure.  Tools such as systems management software, clusters, grid technology, and load balancing permit private clouds to employ utility like environments with computing resources and applications provisioned with greater efficiency.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Cloud computing service delivery considerations&lt;/strong&gt;&lt;br /&gt;IT managers should take professional care and due diligence when evaluating cloud computing applications:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;Service levels&lt;/em&gt; - your organization should determine if the outsourced provider has professional, high performance infrastructures that can guarantee levels of performance delivery. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Support &lt;/em&gt;– user and technical support must be determined up front.  Will first level user support be provided by their staff or yours?&lt;/li&gt;&lt;li&gt;&lt;em&gt;Redundancy&lt;/em&gt; – organizations should have redundant solutions that allow systems to continue operating even during single component failure.  
This includes the Internet software application as well as the organization’s connectivity to the Internet.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Contingency plans&lt;/em&gt; – business continuity and disaster recovery plans must be updated and tested on a regular basis.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Private clouds&lt;/em&gt; – IT departments have the administration costs and responsibilities of acquiring, installing, managing, and securing data centers.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Security &lt;/em&gt;– public and private clouds must ensure information availability, confidentiality, and integrity.&lt;/li&gt;&lt;/ul&gt;&lt;strong&gt;Summary&lt;br /&gt;&lt;/strong&gt;While outsourcing software applications to the Internet cloud isn’t for every organization, many firms have found that cloud computing can be a simple, reliable, and cost effective solution. &lt;br /&gt;&lt;br /&gt;Both the Internet cloud vendors (SAAS) and the organization should have audits performed on a periodic basis. &lt;br /&gt;&lt;ul&gt;&lt;li&gt;SAAS vendors - audits help ensure system availability, information confidentiality, and data integrity. &lt;/li&gt;&lt;li&gt;Organizations - audits ensure organization management that the firm is managing its cloud computing risks. 
&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;Risk assessments&lt;/a&gt; and audits help organizations identify, manage, and reduce their risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-3297223014467352311?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/3297223014467352311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/3297223014467352311'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/09/cloud-computing-thunder-and-lightening.html' title='Cloud Computing – Thunder and Lightening on Your Horizon?'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-82057442929608467</id><published>2008-08-07T12:27:00.000-07:00</published><updated>2008-08-07T12:43:33.624-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='jim kelton'/><category scheme='http://www.blogger.com/atom/ns#' term='network audit'/><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='network assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='altiusit'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>New and Emerging Threats</title><content type='html'>One way organizations manage new and emerging threats is by 
performing network and security assessments and audits on a periodic basis. By reviewing your systems, people, and processes, assessments help determine the areas that create the greatest risk.&lt;br /&gt;&lt;br /&gt;Once the assessment has identified risk areas, the organization can quantify the likelihood of the event and implement corrective action to mitigate and reduce IT related risks. This prioritized Action Plan is a risk response mechanism that addresses the risks according to the importance to the organization.&lt;br /&gt;&lt;br /&gt;By allocating IT funds to areas that are most critical, assessments and audits &lt;a href="http://www.altiusit.com/whyus.htm"&gt;add value&lt;/a&gt; to the organization by:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Helping align IT with the business&lt;/li&gt;&lt;li&gt;Prioritizing security spending&lt;/li&gt;&lt;li&gt;Allocating resources to areas with the greatest impact&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-82057442929608467?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/82057442929608467'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/82057442929608467'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/08/new-and-emerging-threats.html' title='New and Emerging Threats'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-4291595631307561325</id><published>2008-07-01T10:51:00.000-07:00</published><updated>2008-07-01T11:05:21.610-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Security Assessments</title><content type='html'>&lt;strong&gt;The assessment difference.&lt;/strong&gt; Many organizations wait until it is too late: either they've been hacked or they are mandated by regulations to have an outside, external security assessment. Leading organizations don't wait and are proactive, using outside security assessments to help the firm leverage its IT investment to enhance employee productivity, reduce costs, improve customer service, and achieve a competitive edge.&lt;br /&gt;&lt;br /&gt;As organizations automate manual processes, information systems and the data they manage become a corporate asset. In addition to increasing value, these same information systems create additional risk for the organization and create a single point of failure.&lt;br /&gt;&lt;br /&gt;Network and security assessments help organizations identify, manage, and reduce their risks. 
In addition to technical configurations, security assessments can also be used to review your staff, how they work, and their procedures.&lt;br /&gt;&lt;br /&gt;Find out more information about various &lt;a href="http://www.altiusit.com/assessmentsoverview.htm"&gt;types of assessments&lt;/a&gt; that help manage firewall, user, web application, database, and compliance related risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-4291595631307561325?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4291595631307561325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4291595631307561325'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/07/security-assessments.html' title='Security Assessments'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-4830916642358761431</id><published>2008-06-11T08:16:00.000-07:00</published><updated>2008-06-11T08:22:15.843-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='it standards'/><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='security standards'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><title type='text'>Overview of Security Standards</title><content type='html'>&lt;strong&gt;Standards help protect information.&lt;/strong&gt;  All organizations, regardless of size, need to secure 
their data and intellectual property.  Standards provide organization management information security guidance and direction.  Each standard, when applied effectively, helps an organization address security related issues.  Standards represent the knowledge of a large number of experts and provide security implementation recommendations.  However, by their nature, standards cannot exactly match the requirements of every organization and care must be taken when determining the appropriateness for each organization.&lt;br /&gt;&lt;br /&gt;Various Standards&lt;br /&gt;&lt;ul&gt;&lt;li&gt;ITIL - Information Technology Infrastructure Library is not focused on security.  Instead, it provides a foundation for managing IT infrastructure with a primary focus on service support and service delivery.&lt;/li&gt;&lt;li&gt;COBIT - Control Objectives for Information and related Technology focuses on controls that provide management with assurance that IT is operating in a controlled manner. &lt;/li&gt;&lt;li&gt;NIST - the National Institute of Science and Technology develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act (FISMA) of 2002 and aims to protect information and information systems.&lt;/li&gt;&lt;li&gt;ISO - the International Organization for Standardization (ISO) is the world’s largest developer of standards (over 15,000 in total), including the 27000 series focused on information security.&lt;/li&gt;&lt;/ul&gt;When combined with &lt;a href="http://www.altiusit.com/assessmentsoverview.htm"&gt;assessments&lt;/a&gt;, standards can help you identify, manage, and reduce your security risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-4830916642358761431?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/16596253/posts/default/4830916642358761431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4830916642358761431'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/06/overview-of-security-standards.html' title='Overview of Security Standards'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-5198862382505133490</id><published>2008-05-21T09:54:00.000-07:00</published><updated>2008-05-21T10:04:20.153-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus'/><category scheme='http://www.blogger.com/atom/ns#' term='software'/><category scheme='http://www.blogger.com/atom/ns#' term='patch management'/><title type='text'>Software Updates</title><content type='html'>&lt;strong&gt;When is it time to upgrade your computer software?&lt;/strong&gt; Software tends to drive changes in hardware. You'll know it is time to upgrade your software when:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Your current software can't handle your transaction volumes or isn't flexible to meet your needs&lt;/li&gt;&lt;li&gt;You need to share or collaborate with others that have newer software&lt;/li&gt;&lt;li&gt;You are concerned about new and emerging security threats&lt;/li&gt;&lt;/ul&gt;Data protection software should always be kept up-to-date. This includes:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Backup software&lt;/li&gt;&lt;li&gt;Anti-virus software&lt;/li&gt;&lt;li&gt;Anti-spyware software&lt;/li&gt;&lt;/ul&gt;Some vendors bundle software into protection suites. 
For example, Symantec's Endpoint Protection software includes both virus and spyware protection. Keeping software updated (patch management) should be a formal methodology that includes a review and testing process before the changes are moved into your production environment.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/"&gt;Assessments&lt;/a&gt; identify risk areas and help allocate your funds to the most important areas. This way you get the biggest bang for the buck.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-5198862382505133490?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/5198862382505133490'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/5198862382505133490'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/05/software-updates.html' title='Software Updates'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-5406645006192771983</id><published>2008-04-10T14:25:00.000-07:00</published><updated>2011-05-11T14:50:02.184-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web application'/><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><category scheme='http://www.blogger.com/atom/ns#' term='database'/><title type='text'>Web Application Security</title><content type='html'>&lt;strong&gt;Web applications&lt;/strong&gt; 
are the most vulnerable element of an organization’s IT infrastructure. As your organization uses the Internet for customer, supplier, employee, and vendor interactions, Web technologies and database interfaces become more complex and require additional security. Web application and database assessments are ideal for:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Web sites that interface with database systems &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Ensuring compliance (HIPAA, Sarbanes Oxley, GLB, etc.) &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Emerging and fast growing firms Businesses concerned about security &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Organizations in the financial and health care industries &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Buffer overflow, SQL injections, cross site scripting, JavaScript, and other programming concerns &lt;/li&gt;&lt;/ul&gt;&lt;a href="http://www.altiusit.com/assessmentwebapp.htm"&gt;Web application security assessments&lt;/a&gt; help your firm manage a range of vulnerabilities including buffer overflow, SQL injection, cross site scripting, Google hacking, authentication risks, JavaScript, Common Gateway Interface (CGI), PHP, broken links, authentication hacking, and many other types of web related vulnerabilities.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-5406645006192771983?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/5406645006192771983'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/5406645006192771983'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/04/web-application-security.html' title='Web Application Security'/><author><name>Jim 
Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-1875933089284268093</id><published>2008-03-06T10:44:00.000-08:00</published><updated>2011-05-11T14:51:30.683-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='procedures'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='policies'/><category scheme='http://www.blogger.com/atom/ns#' term='controls'/><title type='text'>Controls Help Mitigate and Reduce Risks</title><content type='html'>&lt;strong&gt;Controls&lt;/strong&gt; are administrative, management, technical, and legal methods that are used to manage risk. Controls include policies, procedures, programs, techniques, technologies, guidelines, and organizational structures. They help an organization comply with standards by addressing information security risks, information confidentiality, integrity, and availability.&lt;br /&gt;&lt;br /&gt;Security policies and control objectives express management’s commitment to the implementation, maintenance, and improvement of its information security management system. Leading organizations use best-practice information security control measures to satisfy the stated control objectives. Standards frequently do not mandate specific controls, but leave it to the users to select and implement controls that suit them, using a risk-assessment process to identify the most appropriate controls for their specific requirements. 
Organizations are typically free to select controls as long as their control objectives are satisfied.&lt;br /&gt;&lt;br /&gt;Leading organizations follow a Plan, Do, Check, and Act process:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Plan – planning&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Do – implement, operate, and maintain &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Check - monitor, audit, and review &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Act – continual improvement &lt;/li&gt;&lt;/ul&gt;An example of a control standard is ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of Practice for Information Security Management. &lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Network and security assessments&lt;/a&gt; are part of the "Check" process and help ensure you have the proper controls in place and they are functioning as desired.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-1875933089284268093?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1875933089284268093'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1875933089284268093'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/03/controls-help-mitigate-and-reduce-risks.html' title='Controls Help Mitigate and Reduce Risks'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-7772395101361493200</id><published>2008-01-04T10:01:00.000-08:00</published><updated>2011-05-11T14:52:33.074-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bia'/><category scheme='http://www.blogger.com/atom/ns#' term='business impact analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='disaster recovery'/><category scheme='http://www.blogger.com/atom/ns#' term='business continuity'/><category scheme='http://www.blogger.com/atom/ns#' term='failure'/><title type='text'>Business Continuity - more than disaster recovery</title><content type='html'>&lt;strong&gt;Business continuity&lt;/strong&gt; requires more than just a plan to recover from a disaster. Business continuity policies, planning, and activities allow an organization to continue critical operations even during a business disruption. Business continuity generally consists of three areas:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Business resumption planning (business operations recovery)&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Disaster recovery planning (technical aspects of recovery)&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Crisis management (organization's response)&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p&gt;A top down approach to business continuity planning helps an organization minimize the impact of a disruption on business operations. More than just recovering from a data center outage, continuing business operations requires the involvement of business units and upper management. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;Risk management and a Business Impact Analysis (BIA) provide management with a planned approach to managing a disruption caused by a fire, flood, earthquake, terrorism, or other natural disaster. 
When recovering from a disaster, the organization's image and reputation must be protected. An employee, designated as the spokesperson for the organization, allows a consistent message to be delivered to employees, customers, and the media.&lt;br /&gt;&lt;br /&gt;Business continuity plans reduce the cost of a business disruption. Many organizations use &lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;risk assessments&lt;/a&gt; to help them identify areas that can lead to disruptions in business operations.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-7772395101361493200?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7772395101361493200'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7772395101361493200'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2008/01/business-continuity-more-than-just.html' title='Business Continuity - more than disaster recovery'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-4517318547568487378</id><published>2007-12-04T16:11:00.000-08:00</published><updated>2011-05-11T14:53:49.572-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policies and procedures'/><category scheme='http://www.blogger.com/atom/ns#' term='security policy'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='information security 
policy'/><title type='text'>Information Security Policy</title><content type='html'>&lt;strong&gt;Security Policies&lt;/strong&gt;. Policies represent the corporate philosophy of an organization. They provide management the direction and support needed to perform their day-to-day duties. In the case of information security, an information security policy helps provide direction in accordance with business requirements, standards, laws, and regulations.&lt;br /&gt;&lt;br /&gt;Policies should be established in line with business objectives. For example, management demonstrates support for and commitment to information security through the issuance and maintenance of an information security policy.&lt;br /&gt;&lt;br /&gt;Leading organizations use an information security policy to define information security and establish the framework for setting control objectives within an organization. &lt;a href="http://www.altiusit.com/policies.htm"&gt;Policies &lt;/a&gt;help organizations ensure that preventative, detective, and corrective controls are in place and operating as desired.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-4517318547568487378?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4517318547568487378'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4517318547568487378'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/12/information-security-policy.html' title='Information Security Policy'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-2186687681760802591</id><published>2007-11-09T10:32:00.000-08:00</published><updated>2007-11-09T10:40:11.122-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='it value'/><category scheme='http://www.blogger.com/atom/ns#' term='align it'/><category scheme='http://www.blogger.com/atom/ns#' term='it governance'/><title type='text'>IT Governance</title><content type='html'>&lt;strong&gt;What is IT governance and why is it important?&lt;/strong&gt; Let's first start with corporate governance. Corporate governance is a set of responsibilities and practices used by an organization’s management to provide strategic direction to the business. Governance ensures that goals are achievable, risks are properly addressed, and organizational resources are properly utilized.&lt;br /&gt;&lt;br /&gt;IT governance is an integral part of corporate governance and consists of the leadership, structures, and processes that ensure IT extends the organization’s strategy and objectives. IT governance is the responsibility of the board of directors and executive management.&lt;br /&gt;&lt;br /&gt;IT governance helps ensure the alignment of IT with business objectives. 
Fundamentally, IT governance is concerned with:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;Value&lt;/em&gt; - IT delivers value to the business by strategic alignment of IT with the business&lt;/li&gt;&lt;li&gt;&lt;em&gt;Risks&lt;/em&gt; - IT risks are mitigated by embedding accountability into the business&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;Assessments&lt;/a&gt; help ensure IT is properly managing risks and delivering value to your organization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-2186687681760802591?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/2186687681760802591'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/2186687681760802591'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/11/it-governance.html' title='IT Governance'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-7921753075855151276</id><published>2007-10-11T15:55:00.000-07:00</published><updated>2007-11-09T10:41:24.937-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network audit'/><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='network assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category 
scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Need to Manage your Risks?</title><content type='html'>&lt;strong&gt;Mid-size firms have growth challenges&lt;/strong&gt;. Many are growing quickly and don't have the resources of large firms. One mid-size organization provided employment screening and background checks. The firm was growing rapidly, attracting large clients, and expected to double in size within two years. Management was concerned that the IT staff and infrastructure could not support the organization’s rapid growth.&lt;br /&gt;&lt;br /&gt;They contracted with a firm to provide a network assessment and an analysis of data backups, anti-virus, e-mail, software licensing, software patching, laptops, and many other areas. In addition to the IT infrastructure, the Work Plan included interviews with IT, management, and key users to determine if there was an alignment or satisfaction issue with IT.&lt;br /&gt;&lt;br /&gt;The analysis included a comparison of the IT department with industry benchmarks so the organization could evaluate if they were making effective use of IT spending. The assessment also reviewed written policies, business continuity plans, and related procedures and guidelines.&lt;br /&gt;&lt;br /&gt;The assessment identified several “hidden” issues that would have caused a disruption in business operations. The prioritized Action Plan gave the firm guidance to make immediate changes to their network infrastructure and IT staff. 
The organization’s management had peace of mind knowing that the plan allowed the firm to double in size over the next two years.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;Network assessments&lt;/a&gt; provide management with peace of mind and help organizations achieve growth targets.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-7921753075855151276?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7921753075855151276'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/7921753075855151276'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/10/need-to-manage-your-risks.html' title='Need to Manage your Risks?'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-491063431932596358</id><published>2007-09-16T13:01:00.000-07:00</published><updated>2007-11-09T10:44:12.201-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='isms'/><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Information Security Management Systems (ISMS)</title><content type='html'>&lt;strong&gt;Securing information systems&lt;/strong&gt; is a business, not an IT issue. 
As more and more systems are automated, business managers are at risk to IT related disruptions. As a result, business managers now play an important role in IT related risk management.&lt;br /&gt;&lt;br /&gt;Technology has revolutionized the operations of many firms as they have moved away from mainframe computer systems to infrastructures comprised of networks, the Internet, and enterprise-wide processing. Risk management services assess the risks of an organization’s use of technology, the resulting exposure to technology risks, and the adequacy of controls to mitigate those risks.&lt;br /&gt;&lt;br /&gt;A &lt;a href="http://www.altiusit.com/assessmentsoverview.htm"&gt;variety&lt;/a&gt; of outside, independent &lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;risk assessments&lt;/a&gt; are available that help firms identify, manage, and reduce their risks. In addition to providing peace of mind, risk assessments help organizations meet compliance related requirements.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-491063431932596358?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/491063431932596358'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/491063431932596358'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/09/information-security-management-systems.html' title='Information Security Management Systems (ISMS)'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-755574734790812497</id><published>2007-08-07T15:20:00.000-07:00</published><updated>2007-11-09T10:45:34.735-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sensitive information'/><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='personal information'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Preventing Identity Theft</title><content type='html'>&lt;strong&gt;Personally identifiable information&lt;/strong&gt; such as your name, date of birth, social security number, and many other forms of identification present risks when this information is stored electronically. Not only can the information be easily accessible by many employees, but it can also be viewed by unwanted intruders.&lt;br /&gt;&lt;br /&gt;Information identity thefts present two different types of risks: &lt;ul&gt;&lt;li&gt;Take overs - accounts can be taken over by an imposter posing as you. The imposter can purchase goods and services using your existing accounts.&lt;/li&gt;&lt;li&gt;Application fraud - with sufficient information, an imposter can open new accounts in your name. 
Their goal is to get as much money and products as quickly as possible.&lt;/li&gt;&lt;/ul&gt;Five steps you can take to protect sensitive information:&lt;br /&gt;1) Request a free credit report by calling (877) 322-8228 or visiting &lt;a href="http://www.annualcreditreport.com/"&gt;http://www.annualcreditreport.com/&lt;/a&gt;.&lt;br /&gt;2) Reduce the number of credit cards and shred unsolicited credit card applications.&lt;br /&gt;3) If a business requests a SSN, ask if another number can be substituted instead.&lt;br /&gt;4) Ask businesses to only request and keep the minimum amount of information they need to do their job.&lt;br /&gt;5) Ask if your information is shared with others and how your information is protected.&lt;br /&gt;&lt;br /&gt;Five steps businesses can take to secure sensitive information:&lt;br /&gt;1) Identify the minimum amount of information that needs to be collected and stored.&lt;br /&gt;2) Identify the minimum number of staff that need to access sensitive information.&lt;br /&gt;3) Educate your staff about policies and the need to keep information private.&lt;br /&gt;4) Encrypt information so it is protected even if the network is compromised.&lt;br /&gt;5) Outside independent security assessments help identify, manage and reduce risks.&lt;br /&gt;&lt;br /&gt;For more information on assessments, please visit &lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;Altius IT&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-755574734790812497?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/755574734790812497'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/755574734790812497'/><link rel='alternate' type='text/html' 
href='http://itsecurityinfo.blogspot.com/2007/08/preventing-identity-theft.html' title='Preventing Identity Theft'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-913014252798147474</id><published>2007-07-14T16:12:00.000-07:00</published><updated>2011-05-11T14:57:31.039-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='it outsourcing'/><category scheme='http://www.blogger.com/atom/ns#' term='outsourcing'/><category scheme='http://www.blogger.com/atom/ns#' term='it management'/><category scheme='http://www.blogger.com/atom/ns#' term='outsource it'/><title type='text'>High Connectivity Costs</title><content type='html'>&lt;strong&gt;Prevent high connectivity costs&lt;/strong&gt;. Executives are concerned about the high costs of connecting people with information. Well managed networking and security initiatives with follow-up support can prevent these high costs.&lt;br /&gt;&lt;br /&gt;Suites of networking, security, and risk management services specifically address concerns expressed by executive management:&lt;br /&gt;1. &lt;em&gt;High costs&lt;/em&gt; – Executives are finding it increasingly difficult to be in constant communication with business associates and the high cost of bringing together people and information is a major problem.&lt;br /&gt;2. &lt;em&gt;Experience&lt;/em&gt; - Very few IT personnel have the depth of experience and expertise working with executives to prevent the high costs of bringing together people and information.&lt;br /&gt;3. 
&lt;em&gt;Support&lt;/em&gt; – Executives are finding that efficient and effective use of their existing systems requires knowledgeable employees and support.&lt;br /&gt;&lt;br /&gt;Outsourcing can be a cost effective solution if in-house IT personnel don't have the necessary experience and support. &lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Network security assessments&lt;/a&gt; help you manage your IT related risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-913014252798147474?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/913014252798147474'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/913014252798147474'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/07/high-connectivity-costs.html' title='High Connectivity Costs'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-8966970496612559005</id><published>2007-06-05T16:05:00.000-07:00</published><updated>2011-05-11T14:59:29.038-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='it standards'/><category scheme='http://www.blogger.com/atom/ns#' term='policies and procedures'/><category scheme='http://www.blogger.com/atom/ns#' term='it policies'/><title type='text'>Policies Manage Your Risks</title><content type='html'>&lt;strong&gt;Policies help organizations manage risks&lt;/strong&gt;. 
By reviewing business requirements and anticipated future growth plans, organizations can identify and prepare policies that are aligned with the organization's goals and objectives.&lt;br /&gt;&lt;br /&gt;Policies often consist of the following:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;em&gt;Policy&lt;/em&gt; – the rules and requirements for risk management and continuing business operations.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;em&gt;Standards&lt;/em&gt; – detailed networking and security technologies for protecting information systems.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;em&gt;Guidelines&lt;/em&gt; – system or topic related recommendations and best practices.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;em&gt;Procedures&lt;/em&gt; – details to implement standards and guidelines, guides for installing software, securing facilities, documenting security breaches, etc.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p&gt;In some instances, policies can conflict with each other. In these circumstances, a steering committee can address policy conflicts and identify appropriate compromises and alternative solutions. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;If your organization lacks policies, policy templates provide a jump start and help you manage your risks. 
More information on &lt;a href="http://www.altiusit.com/policies.htm"&gt;policy templates&lt;/a&gt; is available at Altius IT.&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-8966970496612559005?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/8966970496612559005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/8966970496612559005'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/06/policies-manage-your-risks.html' title='Policies Manage Your Risks'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-1496568397770800644</id><published>2007-05-04T08:52:00.000-07:00</published><updated>2007-11-09T10:48:08.580-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network audit'/><category scheme='http://www.blogger.com/atom/ns#' term='network assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Network Assessments</title><content type='html'>&lt;strong&gt;Network assessments&lt;/strong&gt; help organizations identify, manage, and reduce their risks. 
While there are many forms of assessments, a typical assessment reviews the network infrastructure with the main purpose of ensuring reliability.&lt;br /&gt;&lt;br /&gt;Typical areas reviewed include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Network – servers, workstations, laptops&lt;/li&gt;&lt;li&gt;Scalability - performance, connectivity&lt;/li&gt;&lt;li&gt;Backups – including off-site rotation&lt;/li&gt;&lt;li&gt;Electronic communications - e‑mail and IM&lt;/li&gt;&lt;li&gt;Software - licensing, patch management, custom&lt;/li&gt;&lt;li&gt;Policies – procedures, change management&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;Find out more about &lt;a href="http://www.altiusit.com/assessmentsoverview.htm"&gt;network assessments&lt;/a&gt; and how they can help you enhance the reliability of your network infrastructure.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-1496568397770800644?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1496568397770800644'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1496568397770800644'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/05/network-assessments.html' title='Network Assessments'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-1848494840675336128</id><published>2007-04-17T13:28:00.000-07:00</published><updated>2007-11-09T10:50:09.902-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category 
scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>5 Steps to Risk Management</title><content type='html'>&lt;strong&gt;Risk management&lt;/strong&gt; services provide strategies, processes, and tools to identify, analyze, respond to, control, and evaluate risks. A formal five step approach to risk management helps organizations identify, manage and reduce risks.&lt;br /&gt;1. &lt;em&gt;Identify Risks&lt;/em&gt; - Assessment. Outside, independent assessments identify risks that cause downtime and business interruption. Review your technology systems, people, and processes.&lt;br /&gt;2. &lt;em&gt;Risk Findings&lt;/em&gt; - Analysis. Additional investigation and research. Analyze findings and evaluate your organization’s risk tolerance based upon information provided during the assessment.&lt;br /&gt;3. &lt;em&gt;Risk Response&lt;/em&gt; - Action Plan. Develop a prioritized action plan of recommendations, responsibilities, and related costs. The Action Plan provides the steps needed to address vulnerabilities.&lt;br /&gt;4. &lt;em&gt;Risk Control&lt;/em&gt; - Managed Services. Managed networking and security solutions protect your information assets.&lt;br /&gt;5. &lt;em&gt;Risk Effectiveness&lt;/em&gt; – Evaluate &amp;amp; Repeat. Evaluate the effectiveness of your organization’s risk management mechanisms. 
Not just a one-time event, prepare for the next assessment.&lt;br /&gt;&lt;br /&gt;Find out more about &lt;a href="http://www.altiusit.com/assessmentsoverview.htm"&gt;assessments&lt;/a&gt; and how they can help your organization reduce its risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-1848494840675336128?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1848494840675336128'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/1848494840675336128'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/04/5-steps-to-risk-management.html' title='5 Steps to Risk Management'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-4102277220637724899</id><published>2007-03-22T12:45:00.000-07:00</published><updated>2011-05-11T14:55:16.644-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='portable storage device'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='usb'/><title type='text'>Data on the Move</title><content type='html'>&lt;strong&gt;Portable devices,&lt;/strong&gt; such as USB flash drives, offer employees the ability to transfer data from one device to another. 
Frequently used by executives that work both in the office and at home, these devices put data "on the move".&lt;br /&gt;&lt;br /&gt;Outside the protective perimeter of the IT department, security of the data on the portable storage devices is now the responsibility of the employee. To minimize their risks, many organizations are now implementing portable storage device security controls:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Restricting users and their ability to store information on USBs, CD-RWs, etc.&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Implementing policies that require biometric security access on the USB devices&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Requiring that data on the USB devices be encrypted (some devices permit only 10 attempts to crack the code before being permanently locked out).&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Network and security assessments&lt;/a&gt; can help organizations identify, manage, and reduce their portable storage device security risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-4102277220637724899?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4102277220637724899'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/4102277220637724899'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/03/data-on-move.html' title='Data on the Move'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-2433259269871661068</id><published>2007-02-20T09:14:00.000-08:00</published><updated>2011-05-11T15:00:39.049-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='msp'/><category scheme='http://www.blogger.com/atom/ns#' term='managed security'/><title type='text'>Security - not just a one-time event</title><content type='html'>&lt;strong&gt;Managed Security&lt;/strong&gt;. Many organizations take a "Project" vs. an "Investment" approach to securing their information assets. With "Project" security, an organization waits until a security breach occurs and then the organization takes appropriate action. For example, an organization gets hit with a virus. It then authorizes the acquisition of anti-virus software. The Project approach to security is typically ad-hoc with many as yet undiscovered vulnerabilities.&lt;br /&gt;&lt;br /&gt;An alternative approach to security involves the "Investment" approach to security. By investing in security, the organization recognizes that securing the network infrastructure is critical to the success of the organization. 
The "Investment" approach typically uses a managed approach to security.&lt;br /&gt;&lt;br /&gt;A managed approach to security can better balance functionality with security and typically involves the following five phases:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Security strategy&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Security alignment&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Security design and implementation&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Security monitoring&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Security audit&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;For more information on these five phases, please visit &lt;a href="http://www.altiusit.com/security.htm"&gt;Security Overview&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-2433259269871661068?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/2433259269871661068'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/2433259269871661068'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/02/security-not-just-one-time-event.html' title='Security - not just a one-time event'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-116899387082425476</id><published>2007-01-16T16:21:00.000-08:00</published><updated>2011-05-11T15:01:49.295-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network audit'/><category 
scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='network assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Security Tip #1 - Assessments Enhance Value</title><content type='html'>&lt;strong&gt;Network and security assessments &lt;/strong&gt;and audits help determine if IT funds are effectively being used, identify and quantify IT related strengths and weaknesses, and help you focus on those areas that create the most value for your firm. Assessments are ideal for:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Ensuring compliance (HIPAA, Sarbanes Oxley, etc.)&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Emerging and fast growing firms&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;IPO ready organizations&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Organizations concerned about security&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Businesses with geographically distributed offices&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Organizations in the financial and health care industries&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Firms working with the government or large institutions&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Organizations that share and collect personal and/or proprietary data&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;b&gt;Assessments and Business Value&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;While some organizations want tactical advice on the state of the IT department, others want to maximize their investment in IT by developing and implementing a formal strategy. 
Before an organization can develop and execute strategy, the business can use assessments to understand its IT infrastructure and related strengths and weaknesses.&lt;br /&gt;&lt;br /&gt;Find out more about IT &lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;network and security assessments&lt;/a&gt; and how they can help your organization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-116899387082425476?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/116899387082425476'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/116899387082425476'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2007/01/security-tip-1-assessments-enhance.html' title='Security Tip #1 - Assessments Enhance Value'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-116680949677335223</id><published>2006-12-22T09:37:00.000-08:00</published><updated>2007-11-09T10:51:11.233-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Security Tip #2 - Protecting Your Data</title><content type='html'>&lt;strong&gt;Encryption can protect your data&lt;/strong&gt;. 
Most organizations have sensitive information that needs to be stored on IT systems and distributed to authorized business contacts in a safe and secure manner. It is important to use secure encryption technology when conducting business and electronically exchanging information. Encryption makes information unintelligible to everyone except for your intended recipient.&lt;br /&gt;&lt;br /&gt;Confidential information is created on a daily basis. Restricting access to confidential information on your network is only part of the solution. Increase the integrity of the data by encrypting sensitive information. Your business contacts need to use encryption to help maintain the confidentiality of your data since not all of your confidential information is contained within your office. Employees frequently work out of the office and this information must be transported in a safe and secure manner.&lt;br /&gt;&lt;br /&gt;Your reputation is at risk when confidential information is compromised and increased costs are incurred when information is exposed to unauthorized personnel. Don’t wait for someone to gain access to your confidential information. 
Encrypt information to protect you from threats both inside and outside of your organization.&lt;br /&gt;&lt;br /&gt;Find out more about networking, &lt;a href="http://www.altiusit.com/"&gt;security&lt;/a&gt;, and risk management solutions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-116680949677335223?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/116680949677335223'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/116680949677335223'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/12/security-tip-2-protecting-your-data.html' title='Security Tip #2 - Protecting Your Data'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-116250447052233861</id><published>2006-11-02T13:49:00.000-08:00</published><updated>2011-05-11T15:03:05.052-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='managed security'/><category scheme='http://www.blogger.com/atom/ns#' term='penetration assessment'/><title type='text'>Security Tip #3 - Firewalls, What they Can't Do For You</title><content type='html'>&lt;strong&gt;Firewalls can't do everything&lt;/strong&gt;. Firewalls are a good first step to protect you against hackers, but they do have their limitations. 
Like a deadbolt lock on a front door, a firewall can't tell you if you have other vulnerabilities that might allow a hacker access to your network.&lt;br /&gt;&lt;br /&gt;Why you need formalized security protection:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Firewalls can’t protect against attacks that don’t go through the firewall – wireless networks, dial-up modems, and internal employees often bypass firewall protection&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Firewalls reflect the overall level of security of your network – a failure may expose your sensitive data &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Firewalls stop incoming threats but you still require formalized management, destruction, and archival procedures for your electronic documents&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Firewalls are not a replacement for a strong Security Policies and Procedures Manual&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;Your reputation is compromised when a firewall doesn’t encrypt confidential documents and E-mail. Your costs increase when a firewall doesn’t protect you against computer viruses. Formalized procedures and tools are needed to protect your confidential documents and electronic communications. Organizations need security vulnerability assessments to manage their risks.&lt;br /&gt;&lt;br /&gt;Your security structure is only as strong as its weakest link. &lt;a href="http://www.altiusit.com/security.htm"&gt;Security professionals&lt;/a&gt; have the experience needed to help protect your reputation. 
&lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;Security assessments&lt;/a&gt; help you identify, manage, and reduce your risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-116250447052233861?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/116250447052233861'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/116250447052233861'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/11/security-tip-3-firewalls-what-they.html' title='Security Tip #3 - Firewalls, What they Can&apos;t Do For You'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-115991170247051240</id><published>2006-10-03T14:41:00.000-07:00</published><updated>2011-05-11T15:04:44.189-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network audit'/><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='network assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='hackers'/><title type='text'>Security Tip #4 - Hackers, What You Need to Know</title><content type='html'>&lt;strong&gt;Hackers know things that you don't&lt;/strong&gt;. 
That's their edge. It's the reason that they can break into networks, leaving a path of destruction in their wake. Concerned about security? Your concerns may be directly related to the value of the information you are trying to protect. For example, is your data difficult to recreate? What are the implications if someone outside the company gets access to your confidential documents? You can’t always prevent hackers from breaking in, but you can make it more difficult for them to succeed.&lt;br /&gt;&lt;br /&gt;Why you need formal security protection:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Hackers like the challenge of breaking into systems&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Without proper protection, any part of your network is at risk&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Hackers cause network downtime (&lt;a href="http://www.altiusit.com/downcost.htm"&gt;downtime cost calculator&lt;/a&gt;)&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Hackers seek out weaknesses in your systems&lt;/li&gt;&lt;/ul&gt;Don't assume that ad-hoc security can protect you from Internet threats. 
A managed approach to &lt;a href="http://www.altiusit.com/security.htm"&gt;security&lt;/a&gt; provides the protection you need.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-115991170247051240?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/115991170247051240'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/115991170247051240'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/10/security-tip-4-hackers-what-you-need.html' title='Security Tip #4 - Hackers, What You Need to Know'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-115868222048330088</id><published>2006-09-19T09:00:00.000-07:00</published><updated>2011-05-11T15:06:05.174-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Security Tip #5 - Employees are your hidden threat</title><content type='html'>&lt;strong&gt;Internal employee threats.&lt;/strong&gt; You have probably taken steps to secure your systems from external “hacker” threats. But what steps have you taken to protect your organization from your own employees? 
The Computer Security Institute estimates that between 60% and 80% of network misuse comes from within the enterprise.&lt;br /&gt;&lt;br /&gt;Managing your employees and their access to data helps you manage your risks. From the inside, employees bypass many of your controls designed to protect your data from unwanted intruders. Even if you maintain passwords on confidential documents, employees can run scripts that detect and remove passwords on files. How can you address this employee threat? Identify your vulnerabilities and integrate security solutions at the network level.&lt;br /&gt;&lt;br /&gt;The top three reasons why you need employee network level security protection: &lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Your employees already have access to your network.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Employees don’t have to pass through external security checkpoints.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Your confidential data needs more than password protection.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;Enhance and enforce security at the network level. Managing your employees and their access to data helps you manage your risks. 
Please visit Altius IT for more information on &lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;security readiness&lt;/a&gt; and &lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;risk management&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-115868222048330088?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/115868222048330088'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/115868222048330088'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/09/security-tip-5-employees-are-your.html' title='Security Tip #5 - Employees are your hidden threat'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-115462720662642069</id><published>2006-08-03T10:32:00.000-07:00</published><updated>2011-05-11T15:07:11.721-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='electronic threats'/><category scheme='http://www.blogger.com/atom/ns#' term='worm'/><category scheme='http://www.blogger.com/atom/ns#' term='trojan horse'/><title type='text'>Security Tip #6 - Viruses are a constant threat</title><content type='html'>&lt;strong&gt;Anti-virus threats are increasing&lt;/strong&gt;. Experts believe that as many as one out of every ten e-mail messages contain a virus. 
Don't put your organization at risk; obtain and implement reliable anti-virus software. Consider the following:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Viruses destroy the integrity of your computer systems.&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Manual anti-virus updates at inconsistent intervals don’t provide protection from viruses that spread quickly with no advance warning.&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Viruses cause significant damage.&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Your critical files are distributed across your network. Server and workstation files at corporate and remote locations need to be protected.&lt;/li&gt;&lt;/ul&gt;Viruses cost you money and increase IT support time. In addition, employee frustration results in employee turnover and increased management recruiting time and expenses. Your loss of data integrity results in customer dissatisfaction. Viruses compromise your image and reputation.&lt;br /&gt;&lt;br /&gt;Don’t count on inconsistent anti-virus solutions to protect your valuable information assets. Automated anti-virus systems with server and desktop protection help you manage your risks. For more information on viruses and to learn the difference between a worm and a virus, please visit &lt;a href="http://www.altiusit.com/files/articles/articlewpviruses.htm"&gt;http://www.altiusit.com/files/articles/articlewpviruses.htm&lt;/a&gt;. 
Call us today and find out how our &lt;a href="http://www.altiusit.com/security.htm"&gt;security&lt;/a&gt; services can help protect your information assets.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-115462720662642069?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/115462720662642069'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/115462720662642069'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/08/security-tip-6-viruses-are-constant.html' title='Security Tip #6 - Viruses are a constant threat'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-115221790340272922</id><published>2006-07-06T13:31:00.000-07:00</published><updated>2011-05-11T15:10:33.496-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='password test'/><title type='text'>Security Tip #7 - Passwords, what you need to know</title><content type='html'>&lt;strong&gt;Passwords, are you ever really secure?&lt;/strong&gt; If you have a newer computer, you already know the experience of increased productivity you get from having state-of-the-art equipment. 
What you don’t know is that faster systems, when combined with high-speed Internet lines, let unwanted visitors “crack” your passwords at an alarming rate.&lt;br /&gt;&lt;br /&gt;Many organizations forget that not all of their threats are external; internal threats must be considered as well. In addition, confidential data may be accessed from remote locations and a good password policy may be the only protection.&lt;br /&gt;&lt;br /&gt;Without a formalized password protection policy, you risk loss of revenue due to system and network downtime. Many organizations have determined their cost of downtime; however, recent surveys show that the cost to recreate data is generally greater than originally estimated. In addition to internal costs, organizations must consider the cost of customer dissatisfaction due to loss of data integrity.&lt;br /&gt;&lt;br /&gt;Passwords are a critical component of your security readiness. Formalize your password policies and verify that they are enforced. Inconsistent password policies and procedures leave you at risk and cannot protect your valuable information assets. Managing your passwords will help you manage your risks and protect your image and reputation.&lt;br /&gt;&lt;br /&gt;Want more information on how passwords can be part of an overall approach to securing your network? 
Find out how our &lt;a href="http://www.altiusit.com/security.htm"&gt;security consulting service&lt;/a&gt; provides information asset protection.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-115221790340272922?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/115221790340272922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/115221790340272922'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/07/security-tip-7-passwords-what-you-need.html' title='Security Tip #7 - Passwords, what you need to know'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-114963568869056191</id><published>2006-06-06T15:57:00.000-07:00</published><updated>2011-05-11T15:11:20.832-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network audit'/><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='network assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Security Tip #8 - Security Assessments</title><content type='html'>&lt;strong&gt;Subscription security assessments&lt;/strong&gt;. It is often difficult to decide where to properly allocate your security budget. 
Rather than simply throwing money at the problem, leading organizations use periodic security assessments to help pinpoint network security issues.&lt;br /&gt;&lt;br /&gt;As new vulnerabilities are discovered on a daily basis, a system that is secure one day may be completely wide open the next. Much like regular anti-virus updates, subscribing to recurring security assessments helps an organization identify network security weaknesses before they can be exploited.&lt;br /&gt;&lt;br /&gt;In addition to protecting your IT systems, periodic security assessments help protect your organization's reputation by helping identify vulnerabilities before they are exploited by unwanted intruders. Find out more about &lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;security assessments&lt;/a&gt; and how they can help protect your "information assets".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-114963568869056191?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/114963568869056191'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/114963568869056191'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/06/security-tip-8-security-assessments.html' title='Security Tip #8 - Security Assessments'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-114677730994620561</id><published>2006-05-04T14:08:00.000-07:00</published><updated>2011-05-11T15:12:23.116-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data protection'/><category scheme='http://www.blogger.com/atom/ns#' term='data backup'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Security Tip #9 - Backups Are Your Initial Defense</title><content type='html'>&lt;strong&gt;Don’t risk losing your valuable data&lt;/strong&gt;. What are your annual costs of lost data when you consider lost employee productivity, lower levels of customer service, and reduced competitiveness? Protect your IT systems with reliable backups so you don’t lose money.&lt;br /&gt;&lt;br /&gt;Why you need reliable IT system backups &lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Information can be lost at a moment’s notice&lt;/li&gt;&lt;br /&gt;&lt;li&gt;It is time consuming to recreate data&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The cost of downtime is greater than your initial estimates&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Hackers and viruses aren’t your only threats; employees can accidentally delete critical files&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Data is often distributed - server and workstation files at corporate and remote locations need to be protected&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;Your risks &lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Lost productivity results in higher employee costs &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Increased IT support costs you money&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Lower levels of customer service result in lost clients&lt;/li&gt;&lt;/ul&gt;Don't count on untested backup systems to protect your valuable information assets. 
Formalized backup systems with off-site rotation help you manage your risks and are your key to protecting your information assets.&lt;br /&gt;&lt;br /&gt;Call us today and find out how our &lt;a href="http://www.altiusit.com/security.htm"&gt;security consulting service &lt;/a&gt;can help protect your information assets.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-114677730994620561?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/114677730994620561'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/114677730994620561'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/05/security-tip-9-backups-are-your.html' title='Security Tip #9 - Backups Are Your Initial Defense'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-114425890477928057</id><published>2006-04-05T10:32:00.000-07:00</published><updated>2011-05-11T15:13:20.532-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security policies'/><category scheme='http://www.blogger.com/atom/ns#' term='policies and procedures'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Security Tip #10 - Don't Risk Client Trust</title><content type='html'>&lt;strong&gt;Don’t risk losing your clients’ trust in you&lt;/strong&gt;. 
Protect your IT systems with security policies and procedures. You'll protect your information assets and your valuable image and reputation.&lt;br /&gt;&lt;br /&gt;By not having sound policies and procedures, many organizations face the following risks:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Loss of data integrity and client trust in you&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Your clients incur lower levels of service due to untimely IT operations&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;You experience increased management accountability due to loss of adequate controls&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;You incur increased costs due to systems that are not always available&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;Security policies and procedures can help you maintain client confidentiality. By implementing effective policies and procedures, client trust is maintained even while security threats are increasing at an alarming rate.&lt;br /&gt;&lt;br /&gt;Many critical business processes and client interactions are now automated to the point where the importance of security readiness has risen exponentially. Don’t count on firewalls and passwords to protect your valuable information assets. 
Security policies help you manage your risks and are your key to maintaining client trust.&lt;br /&gt;&lt;br /&gt;Find out why you need a &lt;a href="http://www.altiusit.com/assessmentnetworkandsecurity.htm"&gt;managed approach to security&lt;/a&gt; instead of the ad-hoc approach that leaves many organizations vulnerable.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-114425890477928057?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/114425890477928057'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/114425890477928057'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/04/security-tip-10-dont-risk-client-trust.html' title='Security Tip #10 - Don&apos;t Risk Client Trust'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-114142084387329931</id><published>2006-03-03T13:11:00.000-08:00</published><updated>2011-05-11T15:14:23.877-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='managed security'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Does Ad-hoc Security Really Work?</title><content type='html'>&lt;strong&gt;Ad-hoc security&lt;/strong&gt; may not provide the level of security you need. Imagine installing a firewall here and a database application there. 
Each element may be secure; however, when all components are combined into an interrelated network, your organization may be at risk.&lt;br /&gt;&lt;br /&gt;Altius IT recommends a formalized and planned approach to security. &lt;a href="http://www.altiusit.com/security.htm"&gt;Security design&lt;/a&gt; allows top-down planning and implementation of security technology. Not only does this approach offer enhanced security, it may also reduce your costs since security can be aligned with your organization's goals and objectives.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-114142084387329931?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/114142084387329931'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/114142084387329931'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/03/does-ad-hoc-security-really-work.html' title='Does Ad-hoc Security Really Work?'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-113881609070197928</id><published>2006-02-01T09:47:00.000-08:00</published><updated>2007-11-09T11:08:06.035-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Single Points Of Failure</title><content type='html'>A &lt;strong&gt;Single Point of
Failure&lt;/strong&gt; (SPOF) analysis helps your organization manage its risks. By identifying your points of failure, you can:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;Reduce your costs&lt;/em&gt;. By effectively allocating and prioritizing resources to critical areas. In addition, your internal staff can focus on your core competencies.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Enhance your image and reputation&lt;/em&gt;. By delivering on a narrow range of assigned duties, the team evaluating your single points of failure can help you eliminate downtime.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Improve your competitive position&lt;/em&gt;. By improving system availability, you'll be more competitive in your market place and better able to compete against larger organizations.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Increase your levels of customer service&lt;/em&gt;. Your systems will keep you in contact with those you serve.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Find out more about managing your &lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;Single Points of Failure&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-113881609070197928?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113881609070197928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113881609070197928'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/02/single-points-of-failure.html' title='Single Points Of Failure'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-113831127290692993</id><published>2006-01-26T13:34:00.000-08:00</published><updated>2007-11-09T11:01:22.178-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='electronic threats'/><category scheme='http://www.blogger.com/atom/ns#' term='email'/><category scheme='http://www.blogger.com/atom/ns#' term='e-mail'/><title type='text'>Electronic Communications</title><content type='html'>&lt;strong&gt;Concerned about managing your risks?&lt;/strong&gt; Want to know how others plan to use Information Technology to manage their risks?&lt;br /&gt;&lt;br /&gt;Organizations are finding that the fast-paced Information Technology (IT) industry is a double-edged sword. While improving operational efficiencies, employees are exposing their businesses to even greater risks.&lt;br /&gt;&lt;br /&gt;Imagine going in to work one day and finding that you have been summoned to appear in court. You find that a lawsuit has been filed against your organization. After some research by your legal staff, you are told that one of your employee’s E-mail messages is being used against you and will appear as evidence in your upcoming trial. Imagine that when you read your employee’s E-mail message for the first time, you discover that the E-mail contains sensitive and confidential information about your organization. What can your organization do to avoid future risks?&lt;br /&gt;&lt;br /&gt;Organizations are finding that they need to change the way they handle and maintain their electronic records and communications. 
Many are planning to use IT to manage their risks and potential liabilities by securing and managing their electronic documents and confidential communications.&lt;br /&gt;&lt;br /&gt;Areas where IT will be used to manage business risks include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Document management&lt;/li&gt;&lt;li&gt;Confidential communications&lt;/li&gt;&lt;li&gt;Sensitive communications&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;strong&gt;Document Management&lt;/strong&gt;&lt;br /&gt;In the past, organizations maintained large volumes of paperwork in office filing cabinets and off-site warehouses. Access to information required employees to sift through files trying to locate the needed records.&lt;br /&gt;&lt;br /&gt;Many organizations improved their access to information through the use of Information Technology solutions that automated the document storage and retrieval process. Through IT solutions such as electronic mail and electronic scanning and filing, documents could be located in minutes or even seconds. No longer did it take days or weeks to find the requested information.&lt;br /&gt;&lt;br /&gt;In providing immediate access to information, a new risk emerged. While documents were accessible for internal reference purposes, they were also available to be subpoenaed. A second problem also arose. With traditional file cabinets, organizations tended to have only one version of a document on file. 
However, with electronic filing, an organization could have word processing documents, E-mail messages, electronic fax transmissions and other types of electronic communications available at a moment’s notice.&lt;br /&gt;&lt;br /&gt;Organizations now realize the implications of maintaining electronic communications and the need to better manage these documents through a formalized document management archival and destruction procedure.&lt;br /&gt;&lt;br /&gt;To manage risks, future document management procedures will be developed at the highest executive levels and pushed down to lower levels within the organization. Enforced company-wide, document management will consider information stored internally, on tape backup media, on the Internet/Intranets, as well as communications with outside business contacts.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Confidential Communications&lt;/strong&gt;&lt;br /&gt;In addition to managing their documents, organizations must be especially concerned about their confidential communications. These types of communications may occur within an organization or may also include communications with outside business contacts.&lt;br /&gt;&lt;br /&gt;To manage their risks, organizations will use IT to better protect their electronic communications. Confidential documents and communications will be encrypted to protect information. While these steps are already being used by some organizations, others are finding that more extensive procedures need to be implemented.&lt;br /&gt;&lt;br /&gt;Electronic communications via E-mail will receive special attention. Employees typically have found it beneficial to store electronic versions of E-mail messages. Management tends to believe that these messages may pose more harm than good. As a result, management may dictate that this type of correspondence be removed after a period of time. 
While many organizations have controlled the archival and destruction of E-mail messages within their organization, most have yet to address electronic communications with outside contacts.&lt;br /&gt;&lt;br /&gt;To manage their risks, organizations will implement solutions that more fully address confidential communications and E-mail. For example, management can dictate that E-mail messages expire a pre-determined number of days after the initial transmission of the message. This provides management with the peace of mind knowing that their risks are properly managed.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Sensitive Communications&lt;/strong&gt;&lt;br /&gt;Business executives in the future will be expected to take more of a proactive role by actively controlling and monitoring electronic communications. IT systems will be configured to restrict the sending or receiving of messages that may contain questionable material.&lt;br /&gt;&lt;br /&gt;By configuring software applications to look for certain keywords or phrases, outgoing E-mail correspondence can be stopped before the message has left the sender’s desk. Questionable incoming messages may be routed to a special pending mailbox where they will be held pending a third party review.&lt;br /&gt;&lt;br /&gt;By configuring software to look for certain keywords or phrases, an organization can prevent questionable communications that may result in sexual harassment lawsuits or other types of litigation.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Summary&lt;/strong&gt;&lt;br /&gt;Electronic document management and communications solutions allow organizations to control costs and improve their operational efficiencies. 
To manage these risks, organizations will implement solutions that address the liabilities associated with electronic records and communications.&lt;br /&gt;&lt;br /&gt;Organizations that are successful in using Information Technology to manage current and future business risks will achieve competitive advantages in their marketplaces. Please &lt;a href="http://www.altiusit.com/contactus.htm"&gt;contact us&lt;/a&gt; for more information on managing your risks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-113831127290692993?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113831127290692993'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113831127290692993'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2006/01/electronic-communications.html' title='Electronic Communications'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-113346045016166565</id><published>2005-12-01T10:07:00.000-08:00</published><updated>2011-05-11T15:16:39.874-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network audit'/><category scheme='http://www.blogger.com/atom/ns#' term='network assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='network management'/><title type='text'>Fix on Fail Network Management</title><content type='html'>&lt;strong&gt;Managing risks&lt;/strong&gt;. 
To reduce their total cost of ownership, industry leading organizations know that IT systems need to be properly managed and maintained. The “Fix on Fail” approach to systems management results in employee frustration, missed deadlines, increased costs, and lower levels of customer service.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.altiusit.com/other.htm"&gt;Manage IT&lt;/a&gt; provides you with the peace of mind knowing that your systems are properly managed and maintained. Our network management service provides you with immediate access to our network experts who quickly respond to your questions and problems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-113346045016166565?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113346045016166565'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113346045016166565'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2005/12/fix-on-fail-network-management.html' title='Fix on Fail Network Management'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-113346002230474113</id><published>2005-12-01T09:57:00.000-08:00</published><updated>2011-05-11T15:18:07.619-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security policies'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='security strategy'/><title 
type='text'>Want to Save on Security Costs?</title><content type='html'>&lt;strong&gt;Security alignment&lt;/strong&gt;. Concerned that you aren't cost effectively allocating your security resources? Information Technology (IT) strategy and security alignment ensures cohesive goals and results throughout the enterprise. Altius IT’s &lt;a href="http://www.altiusit.com/security.htm"&gt;security services&lt;/a&gt; align IT to the organization, improve efficiencies, reduce costs, enhance customer service, and help the organization achieve a competitive edge in its market place.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-113346002230474113?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113346002230474113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113346002230474113'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2005/12/want-to-save-on-security-costs.html' title='Want to Save on Security Costs?'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-113095933317716778</id><published>2005-11-02T11:15:00.000-08:00</published><updated>2011-05-11T15:19:43.680-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='it outsourcing'/><category scheme='http://www.blogger.com/atom/ns#' term='outsourcing'/><category scheme='http://www.blogger.com/atom/ns#' term='it management'/><title type='text'>Focus on Core Business Functions</title><content 
type='html'>&lt;strong&gt;Insourced vs. Outsourced IT?&lt;/strong&gt; In this day and age, it is important to recognize the value of IT and its tie to enabling business operations. Successful solutions require skills and competencies to address networking and security issues.&lt;br /&gt;&lt;br /&gt;Outsourcing IT may help an organization achieve a competitive advantage in their marketplace. As the number and sophistication of security threats continue to increase, organizations find it difficult to justify keeping all functions in-house. The majority of organizations are already facing difficulty in finding and hiring staff with the required skills and competencies. As well, the majority of their perceived threats revolve around non-core functional areas, like patch management and viruses.&lt;br /&gt;&lt;br /&gt;By outsourcing non-strategic security functions, organizations may be in a better position to concentrate on their core business while working with their outsourced service providers to enhance their security infrastructure and support their growth initiatives.&lt;br /&gt;&lt;br /&gt;Please visit Altius IT for more information on outsourced solutions for your &lt;a href="http://www.altiusit.com/other.htm"&gt;networking&lt;/a&gt; and &lt;a href="http://www.altiusit.com/security.htm"&gt;security&lt;/a&gt; concerns.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-113095933317716778?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113095933317716778'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113095933317716778'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2005/11/focus-on-core-business-functions.html' title='Focus on Core Business Functions'/><author><name>Jim 
Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-113095839847662747</id><published>2005-11-02T10:55:00.000-08:00</published><updated>2011-05-11T15:21:06.216-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk audit'/><category scheme='http://www.blogger.com/atom/ns#' term='it management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Risk Management Benefits</title><content type='html'>&lt;strong&gt;Risk management&lt;/strong&gt; tools and processes allow business managers to position their organizations to be industry leaders. By properly employing risk management processes, an organization can receive many benefits including:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Peace of mind through enhanced network and system availability&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Enhanced image and reputation by keeping you in contact with your business associates&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Improved competitive position by helping you compete effectively in the market place&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Increased levels of customer service by keeping you in contact with those you serve&lt;/li&gt;&lt;/ul&gt;Don't let your organization get left behind. 
Learn more about our &lt;a href="http://www.altiusit.com/riskassessments.htm"&gt;risk assessment&lt;/a&gt; services and how they can help you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-113095839847662747?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113095839847662747'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/113095839847662747'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2005/11/risk-management-benefits.html' title='Risk Management Benefits'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-112882635164830330</id><published>2005-10-08T19:45:00.000-07:00</published><updated>2011-05-11T15:22:07.402-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='managed security'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Reduce Total Cost of Ownership</title><content type='html'>&lt;strong&gt;Reduce total cost of ownership&lt;/strong&gt;. Industry leading organizations know that IT systems need to be properly managed and maintained. 
The “Fix on Fail” approach to systems management results in employee frustration, missed deadlines, increased costs and lower levels of client service.&lt;br /&gt;&lt;br /&gt;Altius IT recommends the managed solutions listed below. The support schedule depends upon the importance of IT to your organization.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Daily/Weekly&lt;/em&gt; &lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Check hard drive – capacity and free space&lt;/li&gt;&lt;br /&gt;&lt;li&gt;System – scan drives for errors, defragment&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Software patches – patch management&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Review anti-virus software – auto updates&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Troubleshooting – examine log files for errors&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Check anti-spyware – updates and scans&lt;/li&gt;&lt;br /&gt;&lt;li&gt;User access – add/remove access to systems&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Applications – add/configure and troubleshoot&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Mobile devices – synchronize with desktops&lt;/li&gt;&lt;br /&gt;&lt;li&gt;User support – problem determination, assistance&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Server – application monitoring and size limits&lt;/li&gt;&lt;/ul&gt;&lt;em&gt;Monthly/Quarterly service&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;E-mail – size, user delegate permissions&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Firewall – firmware updates, subscription status&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Internet - review firewall bottlenecks and log file&lt;/li&gt;&lt;br /&gt;&lt;li&gt;System backups - test and review off-site rotation&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Security assessment – penetration test and report&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Backup e-mail – test proper operation and findings&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Public folders – access and security&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Data folders – access and security&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Document – retention procedures, 
archiving&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Assessment – independent review of systems&lt;/li&gt;&lt;/ul&gt;&lt;em&gt;Annual service&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Integrity – review user access to systems &amp;amp; data&lt;/li&gt;&lt;br /&gt;&lt;li&gt;IT alignment – with business goals and direction&lt;/li&gt;&lt;br /&gt;&lt;li&gt;IT planning – long range planning and updates&lt;/li&gt;&lt;br /&gt;&lt;li&gt;IT budget – maintenance and special projects&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Policies – review/update policies and procedures&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Best practices – to ensure system availability&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Business continuity – testing and plan revision&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Updates – renew annual subscriptions&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Domains – check expiration of domain names&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Archiving – year end archiving procedures&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Best practices – tools/checklists (database, e-mail)&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Audit – outside independent audit of IT&lt;/li&gt;&lt;/ul&gt;For more information, please refer to Altius IT's managed &lt;a href="http://www.altiusit.com/other.htm"&gt;networking&lt;/a&gt; and &lt;a href="http://www.altiusit.com/security.htm"&gt;security&lt;/a&gt; services.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-112882635164830330?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/112882635164830330'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/112882635164830330'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2005/10/reduce-total-cost-of-ownership.html' title='Reduce Total Cost of Ownership'/><author><name>Jim 
Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-112882576946089193</id><published>2005-10-08T19:38:00.000-07:00</published><updated>2011-05-11T15:23:03.565-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='outsource security'/><category scheme='http://www.blogger.com/atom/ns#' term='security outsourcing'/><category scheme='http://www.blogger.com/atom/ns#' term='outsource it'/><title type='text'>Security Outsourcing Solutions</title><content type='html'>&lt;p&gt;&lt;strong&gt;Security outsourcing&lt;/strong&gt; allows an organization’s internal staff to focus on core competencies without dealing with day-to-day distractions. Altius IT takes an extremely complex and complicated undertaking and ensures that every step is properly planned and executed.&lt;br /&gt;&lt;br /&gt;Altius IT’s five step outsourcing toolkit manages the process of migrating from insourced to outsourced &lt;a href="http://www.altiusit.com/security.htm"&gt;security&lt;/a&gt; and &lt;a href="http://www.altiusit.com/other.htm"&gt;networking&lt;/a&gt; services: &lt;/p&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Requirements – defines and establishes the roles of internal and external resources&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Service level agreement (SLA) – documents the formal blueprint of duties and procedures&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Transition – identifies the steps to be followed both before and through the transition to outsourced services&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Reporting – deliverables provided during the course of the engagement&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Management – project management and quality control to keep outsourcing on target 
&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-112882576946089193?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/112882576946089193'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/112882576946089193'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2005/10/security-outsourcing-solutions.html' title='Security Outsourcing Solutions'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-112640164675952264</id><published>2005-09-11T18:09:00.000-07:00</published><updated>2011-05-11T15:25:16.602-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network audit'/><category scheme='http://www.blogger.com/atom/ns#' term='network assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Freedom and Peace of Mind</title><content type='html'>&lt;strong&gt;Time…there is never enough of it.&lt;/strong&gt; Have you ever thought how nice it would be to have unlimited time where you can spend as much time as needed to secure your systems? The reality is that you wear many hats and you don't have sufficient time to spend on security.&lt;br /&gt;&lt;br /&gt;Life made easier one task at a time. The solution is IT support on demand. It helps you be everywhere you need to be. Outsourced IT can be your virtual IT assistant. 
Unique suites of services allow you to accomplish multiple tasks simultaneously without the normal time constraints.&lt;br /&gt;&lt;br /&gt;Hourly, daily, weekly, and monthly support packages are provided based upon your specific needs and requirements.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;em&gt;&lt;a href="http://www.altiusit.com/other.htm" target="_blank"&gt;Manage IT Suite&lt;/a&gt;&lt;/em&gt; provides you with the peace of mind knowing that Altius IT provides you with technical expertise so your network is well managed and maintained.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Enterprise-wide &lt;a href="http://www.altiusit.com/"&gt;security audit services&lt;/a&gt; provide a multilayered approach to advance your level of security.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;em&gt;&lt;a href="http://www.altiusit.com/riskassessments.htm" target="_blank"&gt;Risk Management services&lt;/a&gt;&lt;/em&gt; provide full service solutions to reduce your risks.&lt;/li&gt;&lt;/ul&gt;Freedom for your business and built for business. 
&lt;a href="http://www.altiusit.com/" target="_blank"&gt;Security&lt;/a&gt; makes your life easier one task at a time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-112640164675952264?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/112640164675952264'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/112640164675952264'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2005/09/freedom-and-peace-of-mind.html' title='Freedom and Peace of Mind'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-112640405121686656</id><published>2005-09-10T18:56:00.000-07:00</published><updated>2007-11-09T10:58:12.371-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security audit'/><category scheme='http://www.blogger.com/atom/ns#' term='security assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='security quiz'/><title type='text'>Security Quiz - Find Your Security IQ</title><content type='html'>&lt;strong&gt;Think you are secure?&lt;/strong&gt; Take a security quiz and find your security IQ. Protection of your network and data is one of your primary concerns. This simple &lt;a href="http://www.altiusit.com/securityquiz.htm" target="_blank"&gt;Security Quiz&lt;/a&gt; will help you determine your Security Quotient. 
Score one point for each Yes answer in this simple ten question quiz.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-112640405121686656?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/112640405121686656'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/112640405121686656'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2005/09/security-quiz-find-your-security-iq.html' title='Security Quiz - Find Your Security IQ'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-16596253.post-112640262115901791</id><published>2005-09-10T18:24:00.000-07:00</published><updated>2011-05-11T15:28:47.212-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sensitive information'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Security Vulnerability Flowchart</title><content type='html'>&lt;strong&gt;See how your assets may be threatened.&lt;/strong&gt; Your information systems face a variety of threats from a number of different sources. 
Consider the risks you face from:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Hackers scanning and probing access points to your network&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Access to your corporate data from remote locations&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Firewalls and their limitations&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;E-mail threats such as phishing and viruses&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Internal security breaches&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Business continuity and single points of failure issues&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Web site threats including Denial of Service and defacing&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Intruder detection and prevention systems&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;Data protection and encryption&lt;/li&gt;&lt;/ul&gt;Our &lt;a href="http://www.altiusit.com/" target="_blank"&gt;security audit services&lt;/a&gt; provide an Executive Summary overview of how your information assets are threatened.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16596253-112640262115901791?l=itsecurityinfo.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/112640262115901791'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16596253/posts/default/112640262115901791'/><link rel='alternate' type='text/html' href='http://itsecurityinfo.blogspot.com/2005/09/security-vulnerability-flowchart.html' title='Security Vulnerability Flowchart'/><author><name>Jim Kelton</name><uri>http://www.blogger.com/profile/14952520030502887568</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/_07jaIudoaHM/TL9Xcl0NsLI/AAAAAAAAAAw/xUux2fZQoZw/S220/jimkphoto.jpg'/></author></entry></feed>
