Disaster Recovery, IT Service Management,
IT Job Description, Sarbanes Oxley,
and IT Salary Full news feed

 


November 20th, 2008

How to Preserve Your Enterprise Assets

A disaster recovery and business continuity plan is necessary for an enterprise to secure its assets. CEOs and CIOs must be prepared to budget for and secure the necessary resources to make this happen. It is necessary that an appropriate administrative structure be put in place to effectively deal with crisis management. This ensures that all concerned understand who makes decisions, how the decisions are implemented, and what the roles and responsibilities of participants are. Personnel used for crisis management should be assigned to perform these roles as part of their normal duties and not be expected to perform them on a voluntary basis. Regardless of the organization - for profit, not for profit, faith-based, non-governmental - its leadership has a duty to stakeholders to plan for its survival.

The Disaster Recovery and Business Continuity Template addresses these issues directly. At the same time, the security of the enterprise records needs to be taken into consideration. It is for that reason that the Disaster Recovery/Business Continuity and Security Manual Template bundle is a must-have product.



November 18th, 2008

How To Have a Great CIO Within an Enterprise

No one factor ultimately determines the success of the CIO, though Janco has determined a string of immediate "challenges" enterprises have to meet with their CIOs:

  • Establishing a position at the right level and empowering the individual appointed to provide value to the enterprise.
  • Clearly defining and communicating the “power” of the CIO to enterprise executive and operational management, and to all levels within the enterprise.
  • Selecting the right person for CIO with the necessary skills. Career senior executives should not be discounted as possible appointments to the position.
  • Building credibility, which comes through the CIO delivering on leadership, ideas and products.
  • Changing the perception of an information technology manager from that of a technical support function to a CIO who is part of the senior management team.
  • Longer-term challenges involve building a "comprehensive management system" for information resources.


November 12th, 2008

Cleaning up after a disaster

You have had a disaster and now you are starting to look at the "mess" that you have.  What do you do to clean things up?  Some tips on disaster recovery and business continuity clean up are:

  • Wet objects (electronic) - Disconnect from the power source and do not turn them on. In the case of disk drives or other electronic storage devices, inventory all of them and label them. Create a log of all objects recovered, actions taken, and location. Have a disaster clean-up specialist be the one who looks at what can be recovered.
  • Wet objects (non-electronic) - Rinse with clear water or a fine hose spray. Clean off dry silt and debris with soft brushes or dab with damp cloths. Try not to grind debris into objects; overly energetic cleaning will cause scratching. Dry with a clean, soft cloth. Use plastic or rubber gloves for your own protection.
  • Drying Objects - Air dry objects indoors if possible and use portable fans to move the air. Sunlight and heat may dry certain materials too quickly, causing splits, warping, and buckling. If possible, remove contents from wet objects and furniture prior to drying. Storing damp items in sealed plastic bags will cause mold to develop. If objects are to be transported in plastic bags, keep bags open and air circulating.
  • Mold Prevention and Cleanup -  Exposure to molds can have serious health consequences such as respiratory problems, skin and eye irritation, and infections. The use of protective gear, including a respirator with a particulate filter, disposable plastic gloves, goggles or protective eyewear, and coveralls or a lab coat, is therefore essential. In order to inhibit the growth of mold and mildew you must reduce humidity. Increase air flow with fans, open windows, air conditioners, and dehumidifiers. Moderate light exposure (open shades, leave lights on in enclosed areas) can also reduce mold and mildew.  Remove heavy deposits of mold growth from walls, baseboards, floors, and other household surfaces with commercially available disinfectants. Avoid the use of disinfectants on historic wallpapers. Follow manufacturers' instructions, but avoid splattering or contact with objects and wallpapers as disinfectants may damage objects.
  • Broken Objects - If objects are broken or begin to fall apart, place all broken pieces and detached parts in clearly labeled, open containers. Do not attempt to repair objects until completely dry or, in the case of important materials, until you have consulted with a professional conservator.
  • Paper Materials - Documents, books, photographs, and works of art on paper are extremely fragile when wet; use caution when handling. Free the edges of prints and paper objects in mats and frames, if possible. These should be allowed to air dry. Rinse mud off wet photographs with clear water, but do not touch surfaces. Sodden books and papers should also be air dried or kept in a refrigerator or freezer until they can be treated by a professional conservator.
  • Office Furniture - Furniture finishes and painting surfaces may develop a white haze or bloom from contact with water and humidity. These problems do not require immediate attention; consult a professional conservator for treatment. Textiles, leather, and other "organic" materials will also be severely affected by exposure to water and should be allowed to air dry. Shaped objects, such as garments or baskets, should be supported by gently padding with toweling or uninked, uncoated paper. Renew padding when it becomes saturated with water. Dry clean or launder textiles and carpets as you normally would.
  • Art Work - Remove wet paintings from the frame, but not the stretcher. Air dry, face up, and away from direct sunlight.
  • Metal Objects - Rinse metal objects exposed to flood waters, mud, or silt with clear water and dry immediately with a clean, soft cloth. Allow heavy mud deposits on large metal objects, such as sculpture, to dry. Caked mud can be removed later. Consult a professional conservator for further treatment.


November 11th, 2008

Disasters That All Businesses Face

Every business faces the risk of natural disaster, and no plan to protect property can be complete without insurance coverage against potential damage and loss. It is important to know exactly what coverage you may need and what coverage is available to protect your property against all of the natural hazards it may be exposed to, so that you are not underinsured or uninsured.

Janco strongly encourages business owners, CIOs, CSOs, and line managers to fully explore their insurance needs and obtain adequate coverage before a disaster strikes.



November 6th, 2008

Forty Percent of Enterprises That Face a Disaster Fail

Having no disaster recovery and business continuity plan places the continued operations of a business at risk. According to industry analysts, 40% of enterprises that experience a disaster go out of business within five years. Without a plan in place, over 80% do not even open their doors.

 

Disaster recovery processing datacenters are a first step. The options that businesses have are:

  • Load balancing between two Datacenters – Complex and requires over-provisioning for continuous availability. Actively load balancing between two Datacenters means that both datacenters are updated and verified in the case of a disaster. But, the datacenters are duplicated and require 2x physical and management complexity if continuous availability is expected.
  • Stand-by Datacenters - Expensive to build, maintain, and test. Stand-by datacenters provide computing resources that sit idle waiting for a Disaster to occur. Building, maintaining, and testing a duplicate datacenter is expensive and complex.
  • Outsource Disaster Recovery - Very Expensive and typically very slow to recover. Outsourcing Disaster Recovery is not effective if multiple customers are impacted as in the case of area wide disasters such as hurricanes and earthquakes. Outsourced Disaster Recovery requires long-term contracts and inflexible testing environments, and provides insurance only that resources will be available.

Each option is expensive - but much less expensive than going out of business!



November 5th, 2008

3G Networks Make Disaster Planning Easier

Many companies have already deployed high-speed wireless technologies to mobile workers for remote laptop connectivity and access to critical business applications. Industry estimates are that as of January 2008, more than 3 million users have adopted data cards and embedded modem modules in notebook PCs. In addition, the next generation of SmartPhones and PDAs is arriving with built-in 3G capabilities. 3G connectivity is also emerging as an alternative or backup to more traditional network connectivity options such as dialup, frame relay and ISDN. The high data rates and secure communication channel of 3G technologies are driving demand for new applications of this technology. Some benefits that businesses are trying to achieve with this technology are:

  • Network diversity - High-speed wireless wide-area networks provide an alternative to traditional network access and provide backup when hard wired connections, such as a T1 line, are broken in a disaster.
  • Low-cost - Backup access can come at affordable rates.
  • SmartPhone Effective Terminals - With the advent of 3G SmartPhones, if Internet applications are designed correctly, the cost to implement disaster recovery and business continuity plans is significantly reduced.
  • Productivity - During a disaster, access on 3G does not exactly match the throughput of dedicated T1 access but is fast enough for business operations to continue in a degraded but functional mode.
  • Routing - Configuration for business continuity purposes can be done quickly.

  

 

 



October 29th, 2008

Stress in IT Causes Employee Burnout

In these troubled times employee burnout is a reality. There are a number of impacts on the employees that negatively impact the organization that they work for. They are:

  • Withdrawal - Employees want to avoid what discomforts them, and those organizational conditions that can cause burnout are certainly discomforting.  Signs to watch for are that employees leave work early, arrive at work late, take long breaks, and stay away from the workplace as much as possible.
  • Interpersonal friction - Employees strike back at what they do not like.  Signs are employees begin being cynical and callous toward others, small differences lead to monumental arguments, work assignments begin to seem like insurmountable challenges, and friends begin to look like foes.
  • Performance declines - When employees are not happy they do not perform well. The quantity of the employee’s work may not be reduced, but the quality will be. Signs are that clients say service quality is poor and that relationships between the burned-out employee, their peers, and their customers are at a low point. There are few smiles and jokes - it is all work and no play.
  • Family life and personal space negative - Just as burnout leads to behaviors that have a negative impact on the quality of one's work life, it can also lead to behaviors that cause a deterioration of the quality of home life and personal space. Burned out individuals are often described by their wives as coming home tense, anxious, upset, angry, and complaining about the problems they faced at work. These individuals are also more withdrawn at home, preferring to be left alone instead of sharing time with their families.
  • Declining health and gaining weight - Burnout often leads to health-related problems. Burnout victims are more likely to suffer from insomnia, excessive drinking or smoking,  and to use medications of various kinds.


October 27th, 2008

Roles CIO plays in improving overall productivity

There are three roles that the CIO must play in improving organizational productivity and designing Information Technology infrastructure:

  • Strategy - Decide where analytics should be leveraged in the business and information technology. The CIO must articulate the business' information technology distinctive capability and chosen basis of competition, determine where in the business environment to leverage the power of information technology and organizational infrastructure, and direct productivity initiatives.
  • Capability - Drive with passion and commitment the organizational changes needed by an information technology competitor. Without top executive support, any company is unlikely to make the needed changes in skills, information management processes, and IT capabilities.
  • Execution - Advise and educate the enterprise's management team so that the business takes action based on the CIO's recommendations. It’s often easier, for example, to create a Service-Oriented Architecture (SOA) scheme for customers than to actually treat customers differently. And it's easier to establish the profitability of products than to discontinue unprofitable ones. Managers of the functions involved in productivity projects must be prepared to take action – with the insistence and backing of top management.


October 24th, 2008

Things to Consider Before You Outsource

As you start an outsourcing process, there are many factors to consider before you pass the point of no return. Examples of these are:

  • If your enterprise is going through periods of rapid or dramatic change, including changes in the way you do business, how will outsourcing impact this?
  • Your enterprise's IT function is efficient and has a low cost of operation, what value will the outsourcer provide?
  • The primary motivator for outsourcing is the drive to reduce costs, why could you not do the same internally?
  • The enterprise does not have the management talent or competency to plan and manage the outsourcing process and outsource provider, how will you know that you are getting value from your outsourcer?
  • Outsourcing is being driven by senior management that does not have a strategic vision of where the enterprise is going, is the driver behind this move someone who thinks this is the "in" thing to do?
  • Internal costs of the IT function are not fully understood, how will you know that you are getting the most cost effective solution from your outsourcer?
  • Performance metrics are not well defined for the IT function, how do you know that the service provided by your outsourcer will be as good if not better than what the enterprise is getting today?
  • The enterprise operations are entwined with IT functions such that if the IT function is outsourced a significant amount of core enterprise functionality and operational knowledge will have to be transferred to the outsourcer, will the outsourcer have a large "learning curve"?
  • The enterprise's strategic plan has not been defined with all of the outsourcing implications defined, is it possible that outsourcing is not in the best interest of the enterprise's operation?


October 23rd, 2008

Is IT Spending Really Falling?

(Reuters) - Despite turmoil in global markets, two-thirds of senior technology industry executives polled in a new survey say the economic slowdown will not hurt them as badly as the bursting of the tech bubble in 2000.

However, more than three-quarters of respondents say their business has been impacted by the financial crisis, according to the study, which was released on Monday by the law firm DLA Piper.

Still, only 27 percent said they were cutting sales and marketing expenditures, and only 15 percent said they were reducing planned R&D spending. The executives were surveyed between Sept 23 and Oct 6.

"That suggests that most of the companies are focused on the fact that this crisis would not have a big impact on them or that they wanted to continue to make investments through this cycle," said Peter Astiz, global co-head of the technology sector practice at DLA Piper.

Slightly more than half of the respondents think the economy will begin to rebound in the second half of 2009, while nearly a third think it will not happen until 2010 or later.

However, a majority agree that the market for initial public offerings -- often seen as a sign of true health in the technology industry -- is not likely to rebound until at least 2010.

The poll received 145 responses from senior executives at technology companies and venture capital firms in the technology sector.

Separately, a study found that overall VC investment in the third quarter dipped 1 percent from the previous quarter to $7.37 billion, according to data compiled by Dow Jones VentureSource. That figure is 7 percent lower than a year ago.



October 22nd, 2008

Users demand 24 x 7 IT service availability

Users demand 24 x 7 IT service availability via web sites, portals, email, and mission critical applications. When these systems and applications are not there or are operating in a degraded mode, it negatively impacts the reputation and revenue of an enterprise. Maintaining availability and preventing downtime begins with the successful deployment of network and system management solutions that are focused on IT Service Management in a Service-Oriented Architecture.

When managing the help/service desk in an IT Service Management environment (ITSM) with Service-Oriented Architecture (SOA), there are four (4) things that you need to do.  They are:

  • Validate that you have implemented service tools versus having added unnecessary overhead and bureaucracy - Evaluate your policies, procedures, and processes from the user perspective. To be a service desk, you must serve your clients, rather than make them change what they do to meet your needs.
  • Survey your users often and understand what they do not like - Review the comments and listen to critics with an eye to improving what you are doing. When a change is implemented, go back to the critics and see if you have improved.
  • Implement metrics and track performance over time - Use metrics that apply to your users, and see what the trends are over time. In addition, use the same metrics to see how your competition is doing. Determine if you are providing “world class” service or just average service.
  • Determine the cost of a service solution and its ROI before you implement it – measure achievement - Be professional in implementing changes to your help/service desk. If you are constantly changing the process you will not know if your changes are having the right impact.
  • Encourage input from your users - Listen to your users, and validate that the problem that you are solving is the one the user wants solved. Listen to your clients. Tell them what you heard them tell you and what your action steps will be. After you implement the solution, confirm with them what you did and how it worked.


October 21st, 2008

Steps to Assess Your IT Service, Change Control, and Help Desk Functions

When managing the help/service desk in an IT Service Management environment (ITSM) when you have Service-Oriented Architecture (SOA), there are five (5) things that you need to do. They are:

  • Validate that you have implemented service tools versus having added unnecessary overhead and bureaucracy - Evaluate your policies, procedures, and processes from the user perspective. To be a service desk, you must serve your clients, rather than make them change what they do to meet your needs.
  • Survey your users often and understand what they like and do not like - Review the comments and listen to critics with an eye to improving what you are doing. When a change is implemented, go back to the critics and see if you have improved.
  • Implement metrics and track performance over time - Use metrics that apply to your users, and see what the trends are over time. In addition, use the same metrics to see how your competition is doing. Determine if you are providing "world class" service or just average service.
  • Determine the cost of a service solution and its ROI before you implement it – measure achievement - Be professional in implementing changes to your help/service desk. If you are constantly changing the process you will not know if your changes are having the right impact.
  • Encourage input from your users - Listen to your users, and validate that the problem that you are solving is the one the user wants solved. Listen to your clients. Tell them what you heard them tell you and what your action steps will be. After you implement the solution, confirm with them what you did and how it worked.


October 17th, 2008

Tape Backup of Email Is Not Sufficient

Planning for recovery of email systems needs to consider that tape backups are point-in-time backups and may not be sufficient. By their nature, tape backups generally back up data - files, databases, and applications - that is used or created regularly by the employees of the organization. Tape backup is by far one of the most inexpensive and least complex ways to back up an organization’s data.

Where tape backup fails as an email continuity and recovery solution is that it takes anywhere from hours to days to recover a company's data from tape. In the event of a disaster, whether natural, man-made or technological, keeping the lines of communication up and running is critical to recovery. If used as an email backup option, tape backup is too slow to meet reasonable recovery goals.



October 14th, 2008

Ways to Protect Your Job

With everything up in the air and the economy in turmoil what should you be doing to protect your job?  Some things that you can do include:

1.      Be aware of what IT and you can do to help your enterprise succeed - The more you know about the enterprise, the more valuable you become as the company looks for utility players rather than specialists.

2.      Expand your horizons by walking around - Learn the language of the enterprise and become someone whom non-IT specialists see as someone who knows the enterprise.

3.      Expand friendships beyond IT in the enterprise - Become the unofficial computer help desk, and you will soon have the chance to make lots of new friends.

4.      Eliminate non-enterprise activities - Do not waste time on non-business email and web surfing.

5.      Manage and use enterprise resources wisely - Turn off unused equipment and don't make extra copies of anything.

6.      Learn new skills - Be aware of anything that is new out there and think about how you can apply that technology within the enterprise cost effectively if appropriate.

7.      Manage your boss's perception of you - Do that one extra thing that will remind him of your value to the enterprise.

8.      Eliminate waste - Know what tasks and what activities are necessary and what are not.  Highlight them and get the process started to eliminate them.



October 10th, 2008

PCI Requirements Are Stiffened

In today's marketplace, payment cards represent both tremendous opportunities for businesses and significant threats to the data stored on payment cards and in accounts. PCI requirements are designed to ensure the security and privacy of cardholder data in these complex and diverse environments.

PCI requires at least the following:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for employees and contractors

 



October 9th, 2008

Steps that Every CIO Needs to Do Today

With the credit crunch, CIOs need to take immediate proactive steps if they want to help their enterprises survive the economic downturn and quickly adjust to the new realities that enterprises around the globe face.

Those steps include:

  • Immediately create an updated Business IT plan assuming the worst will happen - Prioritize all IT and enterprise initiatives.
  • Put in place a hiring freeze - Proceed to hire only if the position is needed to comply with the updated Business IT plan.
  • Evaluate all spending plans for projects and staffing - Will the current situation still support them?
  • Evaluate the need to continue existing consulting contracts - What costs and risks are faced if the contracts are terminated or suspended immediately?
  • Convert any "key" contractors to employees - If the role the contractor is playing within the enterprise is critical convert it to an employee position and be ready to explain the increase in head count.
  • Suspend any upgrades in software and hardware that are not critical to the enterprise's success - Determine if the ROI is still the same given today's situation.

Once that is done, determine how much technical debt will be incurred because of delays in technical work when the updated Business IT plan is implemented. Just like financial debt, some technical debts can serve valuable business purposes. Other technical debts are simply counterproductive. Explicit risks and benefits must be understood before taking on technical debt.



October 9th, 2008

Bailout Will Offer Hackers and Phishing Attackers a Field Day

Once the bailout program is instituted, Janco Associates forecasts that there will be scams of all sorts associated with "special offers" to help individuals recover some of the recent stock market losses.

The credit crisis has triggered a number of acquisitions in recent months, and fraudsters have previously tried to exploit such events by orchestrating phishing attacks against the acquiring companies. One motivation for these types of attack is the increased chance of success when potential victims have less familiarity with the genuine website that is being fraudulently mimicked.

With all of the turmoil in the financial services markets, phishing attackers are going to town with all of the mergers, takeovers, and bailouts. Citigroup, Wachovia, Bank of America, and Wells Fargo, to mention a few, have seen increases in phishing attacks.



October 3rd, 2008

Backup Policy Needs to Consider Laptops

The proliferation of laptops has put more organizations at risk: Janco predicts that laptops will account for more than 50 percent of the PC market in 2009 and expects that overall notebook sales in the U.S. will surpass desktop sales in that same year. Every year hundreds of thousands of laptops are either stolen or left behind in taxicabs or at hotel rooms. Last year alone, 300,000 laptops were reported lost or stolen in the U.S., with less than 2 percent ever recovered.

A laptop theft is not just a loss of a thousand dollars of hardware - it is the missing data that can really set one back by days, in addition to potential security issues. An organization that automatically backs up data from all PCs ensures that an organization/person can quickly recover from a stolen or lost laptop and be up and running in no time.



September 30th, 2008

Questions CFOs are Asking CIOs

Janco has found that in addition to the liquidity concerns many Chief Financial Officers are asking their CIOs these questions:

  • With the ever-increasing technical complexity of the IT Infrastructure and its inter-relationships with enterprise operations what can be done to maximize margins and improve customer satisfaction?
  • Are there any areas for margin-improvement and productivity enhancement?
  • How do we minimize the cost of maintenance for IT and enterprise operations?
  • How do we make use of improved service level management for market-share advantage?
  • How soon can we move away from fixing problems to driving improved product and service value?
  • Are Outsourcing and off-shoring really helping?


September 25th, 2008

Nevada Encryption Law Effective October 1

Nevada's encryption statute goes into effect on Oct 1 and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted.

The Nevada law requires each business in Nevada to encrypt customers' personal information when it is transmitted outside the business' secure network. The Nevada statute does not require businesses to encrypt consumers' personal information while it is being stored on the businesses' servers, laptops, or backup tapes.   The limited, data-in-transit, encryption mandate in the Nevada statute  does little to stem the tide of stolen and lost consumer data.

While the PCI DSS already requires such measures for payment card data, both bills would enact the requirements into law and a Michigan law would extend such protections to all digital personal information.

Michigan law requires businesses to encrypt stored consumer data. The Michigan law prohibits the following conduct -- If the person collects personal identifying information in the regular course of business and stores that information in a computerized database, failing or neglecting to store that information in the database in an encrypted form, in conformity with current industry-standard encryption methods and capabilities.
This prohibition makes it unlawful to fail to encrypt consumers' personal information stored in digital form and to fail to use "industry-standard encryption methods and capabilities." The latter prohibition prevents businesses from deploying out-of-date encryption programs and from using deficient encryption procedures. 

The Michigan law also includes authorization for financial institutions to bring civil actions for card replacement and other costs against persons who maintain computerized databases that contain personal information if a security breach of the database occurs.
Two proposed laws in Washington State also would authorize financial institutions to recover such costs from persons who must disclose data breaches. They require businesses that collect or store computerized personal information in connection with payment cards to "comply with payment card industry data security standards established by the PCI security standards council." Both Michigan and Washington require businesses that collect digital personal information to take effective steps to protect the information.



September 24th, 2008

Defining Disaster Recovery and Business Continuity Planning

Disaster Recovery and Business Continuity Planning are a combination of proactive and reactive strategies that keep your critical business processes available. Availability solutions can help reduce the chances that a systems failure will force you to declare a disaster. And disaster recovery solutions can bring your business processes back online faster if a serious disruption does occur. Disaster Recovery and Business Continuity are typically seen as providing:

  • Availability solutions that keep critical business and IT processes available and functional in the face of uncertainty.
  • Recovery solutions that help the enterprise restore enterprise processes, systems, networks and data when a disaster or interruption occurs.
  • Backup and recovery solutions that support high availability and make recovery easier by meeting the day-to-day needs for data continuity and protection, including recovery time and recovery point objectives.
  • Crisis management solutions that provide crisis response planning as well as expertise and direction if a disaster does occur, managing employees, communications and logistics.


September 19th, 2008

Record Management, Retention, and Destruction Policy Released by Janco

A record is essentially any material that contains information about your company’s plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record – and you are now expected to retain and manage every one of those records, for several years or even permanently depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers who must come up with rock-solid solutions to securely store and manage all this data.

Record Retention Period

The Record Management, Retention, and Destruction Policy is a detailed policy template which can be utilized on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.

The areas included with this policy template are:

  • Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
  • Policy
  • Standard
    • Scope
    • Responsibilities
    • Record Management
    • Compliance and Enforcement
    • Email Retention and Compliance
  • Job Description Manager Record Administrator
  • 12 forms for Record Retention and Disposition Schedule 



September 15th, 2008

Client Server Management Handiguide Updated

The client/server model has become one of the central concepts used in network computing. Most applications written today use the client/server model, as do the Internet’s main program, TCP/IP, and the DNS addressing model. In marketing, the term Client Server has been used to distinguish distributed computing by smaller dispersed computers from the “monolithic” centralized computing of mainframe computers. But this distinction has largely disappeared as mainframes and their applications have also turned to the client/server model and become part of network computing.

The Client Server Management HandiGuide contains over 155 pages of practical ways to manage the Client Server operating environment. The Client Server Management HandiGuide is available in PDF, WORD 2007, and WORD 2003 formats.



September 4th, 2008

Wireless Security Is Major Issue for CIOs and CTOs

In the wireless world, protecting enterprise IT infrastructure requires a deep understanding of the risks associated with mobile applications, handhelds and their networks. Maintaining security while providing mobile workers with access to the information they need when and where they need it is a complex security management issue.

Compared with behind-the-firewall enterprise systems, wireless handheld computing systems involve incremental security risks. To ensure security across the entire system, enterprises must recognize and address risks across the three different links in a wireless handheld computing system:

  • Perimeter or firewall security - When an enterprise makes systems like email servers, CRM, ERP or intranet Web pages accessible wirelessly, the first priority is to maintain the security of the internal network. Additional perimeter security considerations include:

    Authentication - Each component of a wireless system must be able to prove that it is authorized to communicate on the network.

    Administrative security - Enterprises need to ensure that different administrative tasks are accessible only to the appropriate administrator.

  • Transmission/Over-the-Air (OTA) security - When internal information is transmitted over the public Internet and/or a wireless network, the data must be protected against interception or "man-in-the-middle" attacks. Data packets can be intercepted and read if unencrypted or weakly encrypted transmission security is employed. The handheld session can be hijacked and an unauthorized user can interact with backend systems if transmission and authentication security is not robust.

  • Handheld security - Once internal information is received and decrypted for viewing on a handheld, that information must be protected against access by unauthorized users or programs on the handheld. Handheld security must also address corporate requirements to control various functions on the handheld as well as provide IT managers with a mechanism to control which applications are used on a handheld.


September 3rd, 2008

CIO and CTO Fearful of Software Audits

CIOs and CTOs are not confident that they are in compliance with software license requirements. A study by King Research identified a number of problems with software license compliance, including:

  • Deployment of unlicensed software,
  • Lack of preparation for software audits, and
  • Inadequate effort to ensure compliance.

The majority of participants report that they do not automatically track software assignments and have limited capabilities to report on software license compliance. Today’s processes for tracking software license compliance are primarily manual. It appears there remains an opportunity to provide tools that automate software license compliance management.

  • 69% of participants are not confident that they are fully in compliance with software license agreements
  • 67% of IT executives and managers do not believe their companies have taken appropriate steps to ensure compliance
  • 60% of IT executives and managers believe they have unlicensed software deployed
  • 73% of IT executives and managers believe they are not prepared for a software audit
  • 55% of participants from companies with 1000 or more employees believe they have unlicensed software deployed in their environments
  • 32% of total participants believe they are prepared for a software audit
  • 56% of participants track software assignments manually or not at all
  • 16% of participants can automatically report on compliance; 20% are not able to report on compliance at all
  • 8% of participants have a fully automated process for tracking software license compliance


August 31st, 2008

Only 33% of All Enterprises Have Disaster Recovery / Business Continuity Plans

Symantec Corp. announced the global results of its fourth annual IT Disaster Recovery survey, which demonstrated a significant decline in executive involvement in disaster recovery planning and a significant increase in the number of organizations reevaluating their disaster recovery (DRP) plans due to virtualization. As more applications and data are managed in a virtual environment, organizations are evaluating the most efficient ways to manage applications and data in both physical and virtual environments.

Nearly one-third of organizations reported they have had to implement part of their DR plan. However, in the past year there was a significant decrease in executive involvement on DR committees. And, while there appears to be improvement in successful disaster recovery testing, one-third of respondents indicate testing will impact their customers, and one-fifth admit such testing could negatively affect their organization's sales and revenue.

With the rapid increase in mission critical applications, combined with the continued growth of stored data - both physical and virtual - it is crucial that enterprises incorporate a comprehensive disaster recovery and business continuity plan into the overall business strategy. This helps to ensure the successful recovery of data and applications with the least amount of impact to business operations should a disaster - natural disaster, human error or system failure - occur.

Sharp increase in applications considered mission-critical

On average respondents indicated that 56 percent of applications were deemed mission critical - significantly up from 36 percent in 2007. With the increase in the number of mission critical applications, it becomes difficult for organizations with flat IT budgets to maintain the availability of a greater number of mission critical applications. As a result, companies should look at more cost effective ways to protect applications including reducing spare servers, increasing server capacity, looking at physical to virtual configurations, and more.

More than one-third of organizations have executed DR plans

The data from the Symantec survey concurs with the data from the Janco Associates survey of its clients.

Activation of Disaster Plan

According to Symantec, in the past year, one-third of organizations surveyed had to execute their disaster recovery plans due to a variety of factors including: hardware and software failure (36 percent of organizations); external security threats (28 percent of organizations); power outage/failure/issues (26 percent of organizations); natural disasters (23 percent of organizations); IT problem management (23 percent of organizations); data leakage or loss (22 percent of organizations); and accidental or malicious employee behavior (21 percent of organizations). Given the regularity of events that cause downtime, IT organizations should expect that their DR plans will be tested at some point in the future.



August 31st, 2008

What is keeping CIOs and CTOs up at night?

With the state of the economy in flux and earnings in question, CIOs and CTOs worry a lot about:

  • What impact will inflation and a downturn in earnings have on IT budgets and metrics?
  • Where is the next security breach going to occur?
  • Where are the areas where IT can improve its productivity and / or help the enterprise better meet its objectives?
  • How can IT minimize the effect of inflation on the expenditures that they make each day?
  • How can IT help the enterprise to improve its market-share?
  • How can IT improve its service management process?
  • Is outsourcing a solution or a problem that needs to be managed?



August 22nd, 2008

Service Management is Critical for CIO Success


Service is now the life-blood of most IT organizations. Enterprise operations are now run with the aid of IT applications, hardware, and structure. Productivity and revenue now depend on the level and quality of service that the IT function provides.

As businesses have become more dependent on technology, traditional service level management has been proven to be woefully inadequate. Many executives are dissatisfied, IT organizations feel pressured and overworked, and the CEO wonders why IT is not delivering better value for the money being spent. Turnover is over 20% within IT and the CIO's job is at risk.

Add to all this the need for IT to satisfy corporate governance objectives, leverage technology to provide a competitive advantage and meet ever-increasing user demands, and it’s easy to see why most corporate IT organizations are in trouble.



August 21st, 2008

Security Breaches Caused by Employees and Trusted Service Providers

Security is a top priority for most enterprises as it is mandated by the government and various reporting agencies. At the same time, when breaches do occur they are costly, both from a financial standpoint and in the damage they do to the reputation of the enterprise.

Most security incidents and data breaches are caused by employees, contractors, and companies that provide critical services to the enterprise. Many believe that non-employees with access to sensitive information committed the most incidents of data breach in their organization. Non-employees such as temporary contractors pose a significant challenge for IT managers, because they often are not required to comply with company policy and they often are authorized to access and digitally store sensitive information.

Contractors are also much more likely to work on computers that are not protected by corporate data security solutions like encryption software. It is no surprise then, that IT professionals are seeking endpoint security solutions that provide protection for sensitive information regardless of employee action. Many IT professionals are interested in an endpoint security solution that would help recover their PDA or Smartphone in the event that it was lost or stolen.



August 20th, 2008

Email, Internet, Data Retention Policy Updated by Janco

Janco has just released an updated Internet, Email, Mobile Device, and Electronic Communication Policy. The updated policy includes:

  • Risks and Costs Associated with email, Electronic Communication, and Mobile Devices
  • Appropriate use of Equipment
  • Internet Access
  • Electronic Mail
  • Retention of Email on Personal Systems
  • Email Forwarding Outside of ENTERPRISE
  • Email User Best Practices
  • Email and Business Records Retention
  • Copyrighted Materials
  • Ownership of Information
  • Security
  • Forms
  1. Internet & Electronic Communication - Employee Acknowledgment Form
  2. Email - Employee Acknowledgement Form
  3. Internet Use Approval Form
  4. Internet Access Request Form