Five Common Reasons for Data Loss
Dec 18th, 2015 by aperio

When the drive is damaged physically.

One of the most common reasons for data loss is physical damage. A simple manufacturing defect, or external influences such as shock, dust or power surges, may cause internal damage. Electrostatic discharge (ESD) is another common cause of failure. Physical damage will inevitably require the help of a data recovery expert. Unless you have a clean room and donor parts, any attempt to recover the data yourself will almost certainly render the data unrecoverable. A data recovery expert will assess the damage to your media before determining which parts need to be replaced in order to get the drive working again. Often the expert will use a duplicate hard disk drive of the same make and model as a source of replacement parts. Reputable experts will provide a listing of the recoverable files and a quote for the recovery beforehand.

When the operating system fails.

Luckily, if your operating system fails, it means that nothing is wrong with the hard drive itself. The data areas are usually intact, so your chances of a full recovery are high. All the expert needs to do is copy the data from your hard drive to a new one. This can be easier said than done, so take advice. If you are not familiar with hard drives and data structures, don’t risk your valuable information.

When it dies of old age.

As hard drives grow old they experience unpredictable failures. All hard drives will fail at some point, but you will never know when. The mechanical parts of a hard drive wear down over time and the media surface degrades. Eventually this will cause the drive to crash. Hard drives are becoming increasingly reliable, but always check the manufacturer’s ‘mean time between failures’ or MTBF. This is normally given in hours, and when it has expired it might be time to upgrade.

If it catches a virus.

Computer viruses can be extremely malicious and damaging to your computer, while ransomware can be expensive if you fall victim to it. It is not only recommended but necessary to have a decent anti-virus program installed on your computer. Many users forget that malware doesn’t always present itself as a virus, so anti-malware software such as Malwarebytes should also be considered essential. Some viruses will quickly spread around your computer and onto any networks your computer is connected to. So even if you have a backup on a mapped network drive, catch any malware quickly before it spreads to it. Be extremely careful when downloading files and applications online, ensuring they come from safe sources, and don’t open any files emailed to you from an unknown source.

When you accidentally delete or overwrite data.

Manually overwriting data or accidentally deleting it is a common story. Many people think their data is already saved somewhere else and delete the files. While overwritten data is usually the result of an accident, it is also often done intentionally. In criminal and forensic circumstances data may be deliberately erased in an attempt to cover the tracks of illegal activities, meaning forensic experts may be hired to recover the hidden data. Unfortunately, it can be difficult and sometimes impossible to recover data that has been overwritten.

The best way to avoid data loss is simply to back up your valuable files to external hard drives or to cloud services. If you back up your data, make sure to store the backup in a safe and secure location away from your computer. This ensures that damage such as flood, fire or theft will not affect your backed-up files. Also make sure that you are saving whole copies of the original files, and remember to back up regularly.

Aligning IT to fit your Business Objective
Dec 14th, 2015 by aperio

IT has emerged as a central business function for many organizations in recent years, and this holds true regardless of the industry an organization serves. Having said that, despite the huge part that IT plays in reducing costs, standardizing processes, enhancing productivity and improving workflow and communications, its role in business planning remains largely subordinate.

It is high time that establishments stop looking at IT as a mere implementation tool which does not have any role in shaping an organization’s business strategy. Today, technological developments pave the way for many business opportunities and IT can play a proactive and larger role in developing the long term business strategy of organizations.

Given below are some tips that would help your organization align its IT with its business objectives:

Understand your business and the nature of your organization

Unless you understand the nature of your business and how it fits into the sector and the economy, it is very difficult to come up with a serious IT plan that would actually work. You can start by gathering important information such as organization charts, roles and responsibilities, and associated markets and products. Needless to say, you must also possess a crystal-clear understanding of your customers and their personas. Also, take time to analyze the structure and cultural ethos of your organization. Once you have a map of your corporate model and how it fits into the larger picture, you can start planning for the future. At this stage, it is also crucial that you start documenting all IT assets and applications.

Identify and understand the relationship between your core business and your IT assets

Understand your business’ value chain and analyze its major components. You must have an in-depth understanding of the factors that drive your business, as these key scaling factors play a crucial role in planning IT strategy and alignment. At this stage, you must also collate information about internal as well as external factors.

Determine and set the change agenda

While setting the agenda, you must research and analyze your strategy several times; not only that, you must also ensure that there is a proper balance between the cost, value and precedence of the IT estate, and then identify the impact and implications of the IT alignment plan. Of course, you must also identify requirements, prioritize time frames and functionality, and model and test the strategy well in advance to ensure that the final outcome is worthwhile.

Once you have all the necessary information, chart out an IT plan that is business-driven rather than overly technology-centric

The most difficult hurdle that many organizations face while aligning IT with their business objectives is that most IT strategies lack business drive and are too technology-centric. This strategic variance can be counter-productive and can lead to overly intricate IT infrastructures that are difficult to sustain and modify. In order to avoid such obstacles, it is recommended that organizations invest in strategic partnerships with IT Managed Service Providers who specialize in aligning IT with business objectives.

What Does Your IT Team Need to Know About PCI DSS Compliance?
Dec 9th, 2015 by aperio

(Part 6 in our series on IT Compliance Concerns.)

In Part 5 of our series, we discussed how the Payment Card Industry Data Security Standard (PCI DSS) was created in an effort to improve protections for storing, processing, and transmitting cardholder data. In this part, we will look at some of the details your IT team will need to deal with regarding PCI DSS compliance.

What are some of the Information Technology concerns for PCI DSS compliance?

Keeping in mind that the penalties for failing to comply with these standards can include fines and possibly the termination of privileges to process credit cards, your IT team will need to pay careful attention to many details. We discussed the twelve general requirements for PCI DSS compliance in our last post. Naturally, each one of these raises concerns for your IT department.

Firewalls

This includes installing and maintaining a firewall configuration to protect cardholder data. Additionally, your IT team will need to regularly test your firewall for effectiveness.

Not using vendor-supplied defaults for system passwords and other security parameters

Your company will need to create, maintain, and regularly update your system passwords with unique and secure passwords. You cannot allow your employees to simply continue to use passwords your vendors started them with. For an IT department, getting users to follow password requirements can be a frustrating process. Educating your employees so they understand the real need for inconvenient policies is key to winning their compliance.

Protecting stored cardholder data

(This applies only to companies that store cardholder data.) In addition to encrypting all stored cardholder data, your IT team may need to combine virtual and physical security controls. Examples of virtual security: authorization, authentication, etc. Examples of physical security: restricted access, locks on cabinets and server rooms, etc.

Encrypting transmission of cardholder data across open, public networks

Given the increased use of public networks, your IT team will need to pay close attention to wireless networks and remote access solutions for this requirement.

Using and regularly updating antivirus software

Your IT department is probably already aware of the need for antivirus software. With this requirement in mind, the need to regularly update software and apply patches becomes even more important.

Developing and maintaining secure systems and applications

Your IT team will need to have a process for tracking newly discovered security vulnerabilities in the software your company uses. This may mean making use of alert systems provided by your software vendors.

Restricting access to cardholder data by business need-to-know

This simply means limiting the number of employees who have access to cardholder data. It requires your company to have carefully designed processes for determining which employees will have that access so that your IT team can then provide that access.

Assigning a unique ID to each person with computer access

This will ensure that when actions are taken on critical data, those actions can be connected to known, authorised users.

Restricting physical access to cardholder data

Again, limiting access limits the chances of a security breach.

Tracking and monitoring all access to network resources and cardholder data

This means logging network activity and the appropriate devices, as well as storing those logs in case they are needed later as evidence of a security breach.

Regularly testing security systems and processes

This means conducting regular vulnerability scans for possible weaknesses.

Maintaining a policy that addresses information security

Such a policy needs to address remote access and wireless technologies, removable electronic media, email, internet usage, laptops and other mobile devices, as well as the monitoring of service providers.

Other posts in this series:

Part 5: Is Your Company PCI DSS Compliant?

Is your company PCI compliant?
Dec 4th, 2015 by aperio

(Part 5 in our series on IT Compliance Concerns.)

What is the Payment Card Industry Data Security Standard?

In the first four parts of this series, we discussed SOX compliance (Sarbanes-Oxley or Sarbox) and HIPAA compliance (Health Insurance Portability and Accountability Act) and the Information Technology concerns that arise from them. In this post we’ll look at what the Payment Card Industry Data Security Standard (PCI DSS or PCI) is, and how it can affect your company.

PCI DSS began as five separate security programs run by five different companies: Visa, Mastercard, American Express, Discover, and JCB, a credit card company based in Japan. Each company was attempting to improve protections for storing, processing, and transmitting cardholder data. On December 15, 2004, these companies released version 1.0 of the Payment Card Industry Data Security Standard. Version 3.1 was released recently, in April 2015.

Which companies should be concerned about PCI DSS compliance?

The PCI DSS is a proprietary standard for organizations handling Visa, Mastercard, American Express, Discover, and JCB credit cards. Private label cards are not included in the PCI DSS.

What are the penalties for failing to comply with PCI DSS?

Penalties are enforced by the payment brands and can vary. They can include fines for banks of between $5,000 and $100,000 per month. Banks are likely to pass these fines on to merchants, who may also face the bank terminating its relationship with them or increasing transaction fees, both of which can have a profound negative effect on small businesses.

What does a business need to do to comply with PCI DSS?

Although detailed requirements can vary depending on the level of the business (determined by number of transactions), the twelve general requirements remain the same:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

These requirements naturally mean challenges for your IT department. They may have to implement new security measures or more strictly enforce existing ones. (We will discuss this in more detail in the next part of our series on IT compliance concerns.)

Coming soon: Part 6 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About PCI DSS Compliance?”


What Does Your IT Team Need to Know About HIPAA Compliance?
Nov 30th, 2015 by aperio

(Part 4 in our series on IT Compliance Concerns.)

In Part 3 of our series, we discussed how HIPAA was created in an effort to make it easier for people to keep health insurance, to maintain the confidentiality and security of their healthcare information, and to control healthcare administrative costs. In this post, we will focus on some of the concerns faced by your IT team with regard to HIPAA compliance.

What are some of the Information Technology concerns for HIPAA compliance?

The main issue faced by IT with regard to HIPAA is keeping Protected Health Information (PHI) secure. The HIPAA Security Rule covers what is expected of companies with regard to maintaining the security of PHI in electronic form, but does not state the way that entities must go about providing this protection. Instead, it states the factors that should be considered when choosing security measures. These factors include an entity’s size and capabilities, its information technology infrastructure, the costs of security measures, and the likelihood and magnitude of anticipated risks to the security of PHI.

The Security Rule does specifically require that security measures include: measures to maintain the confidentiality, integrity, and availability of all electronic PHI an entity creates, handles, or transmits; measures to identify and protect against threats to the security or integrity of PHI that can be reasonably anticipated; measures to protect against uses or disclosures of electronic PHI that are prohibited by HIPAA; and efforts to ensure that employees comply with HIPAA requirements.

Some of the areas affected by these security needs include:
●    Data encryption.
●    Email encryption.
●    Multi-factor authentication (a system of security that requires multiple methods of authentication from different categories of credentials in order to identify a user for login purposes or for other transactions).
●    Compliance training.
●    Social engineering awareness. (You can read about social engineering in our blog post, “Technology Alone Is Not Enough for Security”.)

Another point to consider is that any company that allows the use of mobile devices for business (particularly hospices, which do much of their work in patients’ homes) will need to be aware of, and have solutions for, the known security issues of mobile devices. As an example, consider the $50,000 penalty paid by the non-profit Hospice of North Idaho. In this case, an unencrypted company laptop containing electronic PHI for 441 patients was stolen. The investigation found that the company had not conducted an adequate risk analysis.

Additional Concerns for HIPAA Regulations for the Use of PHI

Additionally, under HIPAA certain uses of PHI may be curtailed or prohibited. For instance, HIPAA prohibits the use or disclosure of PHI for marketing to individuals without obtaining an authorization, with only some exceptions. HIPAA also prohibits the receipt of direct or indirect remuneration in exchange for PHI. It also has rules for when PHI can and cannot be used for further research.

Coming soon: Part 5 in our series on IT Compliance Concerns, “Your Company and PCI DSS Compliance.”

Additional HIPAA resources:
●    National Hospice and Palliative Care Organization’s Compliance Tip Sheet.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: SOX Compliance and Your IT Team
●    Part 3: Making Sure Your Business is HIPAA Compliant
