Earlier this month, an IT employee in Delaware rigged a hidden laptop to his company's computer network to secretly read his boss's email, and threatened to make the information public unless he was paid a substantial sum.
Fortunately, the suspect was apprehended and arrested before the extortion plan could take root. However, such corporate blackmail schemes underscore the need for companies to have checks and balances within their IT departments or to hire an outside IT outsourcing or auditing firm.
While your company's IT professional is not likely quite as rogue, how do you know for certain that he/she has your best interest in mind?
5 Questions to Ask Your IT Staff
Most small business executives don't have the time, IT knowledge or familiarity to know whether their IT staff's actions are aligned with company goals. Here are five questions to ask your IT employee about your company's IT setup:
1. What happens if the server goes down?
In other words, how does the company protect against productivity and data loss in the event of a server or workstation failure? What redundancies are currently in place?
Even if the data is backed up in a secure offsite location, how long would it take to repair or replace the hardware, retrieve, restore and configure the data/software to restore operations as usual?
Has this process been tested?
2. What if a laptop or workstation is lost or stolen?
One of the leading causes of data loss is misplaced or stolen thumb drives or laptops, with the average laptop containing approximately $250,000 worth of confidential client data or trade secrets.
Is this data properly backed up? Is the company equipped to remotely wipe the data in such an event to prevent the data falling into the wrong hands?
3. If data is corrupted, how long would it take to restore the data, if at all?
How many backup copies of a particular file are kept? How long would it take to go back and retrieve the most recent, good version?
3. What is your mean time to resolve technical issues?
For how long are company employees unproductive while they are kept waiting for technical issues to get resolved? Do the same metrics apply to remote workers or those in satellite locations where support is not as readily available?
4. What is our per-employee IT cost?
Most executives have a good idea of their one, three and five-year growth plans, and should know what it would cost to add new employees as the company continues to grow.
5. Who else has access to critical company information?
Is the IT person the only one with access to company information to the point where he/she can hold the company hostage? What checks and balances are currently in place?
If these questions can't be adequately addressed, you may want to think twice about who is controlling your company's data.
How to hire an IT auditor or IT outsourcing service
To combat the risk of IT espionage, many small businesses are hiring third-party IT services, including cloud computing services. Please feel free to download the tool below to get started.
Image courtesy of Saturday Night Live.
It's human nature. When a new paradigm arises, those accustomed to the traditional model become skeptical. And cloud computing is certainly not impervious to this trend of preliminary cynicism.
Like any new model, cloud computing deserves the skepticism, if not a barrage of questions. After all, clients are being asked to hand over their data, the lifeblood of their organization, to the cloud computing provider.
Like any business venture, cloud computing implementation should be aligned with business objectives. How else would one measure ROI or the success of a cloud project? On the flip side, cloud computing will always fall short when compared to utopia. Here's a recent true story to illustrate this point.
Client: What happens when one of your system components fails?
Cloud Provider: Business critical functions run in a disaster-proof data-center, on multiple, independent components that switch over automatically in the event of failure.
Client: What happens if a super-disaster incapacitates your entire data-center?
Cloud Provider: We have yet to encounter an issue, but as a contingency, the entire system is replicated in real-time to a data-center in another geographical location.
Client: What happens if a nuclear holocaust destroys the entire region?
True story. In all likelihood, the client did not have a contingency plan to protect against a mass-destructing nuclear holocaust, but it didn't matter. Perception is reality. In reality, if a nuclear bomb destroys your entire region, there's a good chance that data is not your biggest problem.
According to CIO and CFO Magazines, most executives don't have a good understanding of what their IT system truly costs their organizations. Issues like downtime, security breaches and time spent discussing IT issues are rarely factored into the equation.
Here are two steps on evaluating an onsite IT network versus a transition to a cloud computing provider:
Step 1: Know your IT Hazards (Infographic)
The following infographic outlines a few of the hidden pitfalls of owning and managing an onsite IT system.
Step 2: Conduct a Risk Assessment
So how would you advise a nervous business owner or manager? Make a realistic assessment of the processes and systems involved in day-to-day operations:
- Evaluate scenarios and their probability of damage
- Identify systems, users and departments that might be at risk
- Evaluate contingencies, disaster plans, costs, pros and cons
Here's a sample risk assessment matrix:
We at Xvand would like to extend our sympathies to those affected by the devastation of Hurricane Sandy.
As a Houston computer service company serving the Gulf Coast area, disaster preparedness is a prevalent topic of discussion.
Since Hurricanes Katrina, Rita and Ike ravaged the region, business executives have been bombarded by seven years of announcements and warnings surrounding the dangers and risks of natural disasters.
In 2010, the world witnessed the deadliest year in a generation. In 2011, the United States suffered a record ten weather catastrophes costing more than a billion dollars.
With so much pomp and circumstance, human nature begins to sink in. Most of us don't want to think about the potential for disaster unless it's absolutely necessary. The problem, of course, is that by that time, it's probably too late.
To help properly plan for disaster, we've compiled a small business disaster recovery infographic that, we hope, helps your organization plan for future disasters.
Does your business have a disaster plan in place? Download a complimentary 10-Step Disaster Preparedness template.
Tropical storms, like Ernesto, are once again threatening the Gulf Coast.
Thankfully, you've stored offsite data backups and have tested your disaster preparedness plan.
You have, right?
(Editor's note: If you prefer last-minute dashes to Home Depot, miles of bumper-to-bumper traffic heading out of harm's way and scrambling to protect and recover lost data, this article is not for you.)
Disaster preparedness is always better than disaster recovery. Houston-based businesses like have become all too aware of this adage.
Unfortunately, after Hurricane Irene left $15 billion in damages in its wake, the East Coast was rudely awakened to this message as well.
The silver lining in this hurricane cloud? We know from experience how to plan for such disasters.
Here's a brief outline of a disaster recovery checklist and plan:
1. Take inventory of IT equipment
- Take inventory of computers, equipment, supplies and receipts/verification of ownership (individual employees should be encouraged to do the same)
- Take “before” photographs for documented evidence
- Back-up power supply
- Have copies of maintenance agreements and break/fix providers readily accessible; be sure to capture serial numbers of equipment
2. Risk Assessment & Management
(Identify & categorize the risk of IT disaster on business)
- Impact on revenue
- Impact on clients/reputation
- IT systems assessment (create a spreadsheet that uses weighted values assigned to various systems, functionality and dependencies)
- Which data can the organization afford to lose?
- How long can data be inaccessible?
- Examples: Email = critical. Photoshop = less critical, etc.
3. On the Road - Mobile Device Security
- Do not back up company data on mobile devices (49% of data breaches were due to lost or stolen laptops or devices such as USB flash drives – Dell)
- Use best practices for securing wireless devices
- Protect against lost laptops and remote devices
- Record all serial and model numbers of all equipment
- Laptop tracking and remote data deletion capabilities are a safe and economical way to protect company assets and data
- Contact local law enforcement and your organization's data recovery department as soon as a laptop goes lost or missing
- When sensitive data contained on laptop hard drives needs to be destroyed:
  - Ensure your organization is in compliance with appropriate data destruction policies.
  - Ask for a certificate of destruction and find out how the hard drives are disposed of.
4. Prepare Disaster Recovery Plan in Advance.
Test the following on a QUARTERLY basis:
- Data access – move data to systems that will allow browser access
- Data backup – is your offsite storage facility in the hurricane path?
- Data restoration - how do your vendors define “recovery” and how long is the recovery interval – have you timed it?
- Where will restore occur? Are the backups up-to-date and good? Will the data be in sync? How LONG will it take?
- Will the equipment be compatible?
- Data security – cyber thieves love natural disasters, best time to strike
- System uptime – your recovery interval is twelve hours and your battery back up is good for four hours
- Data accessibility (before, during, after hurricane)
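The risk assessment in step 2 and the quarterly tests in step 4 can be kept as a small script instead of a spreadsheet. The following is an added example, not part of the original checklist; the weights, field names, finding codes and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed weights for the checklist's "weighted values"; tune them to the business.
W_REVENUE, W_CLIENTS, W_DEPENDENTS = 5, 3, 2


@dataclass
class System:
    name: str
    revenue_impact: int               # 1 (minor) .. 5 (severe)
    client_impact: int                # 1 .. 5, effect on clients/reputation
    dependents: int                   # other systems that stop without this one
    max_downtime_h: float             # how long can the data be inaccessible?
    max_data_loss_h: float            # how much recent data can be lost?
    backup_interval_h: float          # hours between backups
    timed_restore_h: Optional[float]  # last timed restore test, None if never timed


def criticality(s: System) -> int:
    """Weighted score; dependents are capped at 5 so one column cannot dominate."""
    return (W_REVENUE * s.revenue_impact
            + W_CLIENTS * s.client_impact
            + W_DEPENDENTS * min(s.dependents, 5))


def findings(s: System) -> List[str]:
    """Gaps between what the business tolerates and what testing showed."""
    out = []
    if s.timed_restore_h is None:
        out.append("RESTORE_NEVER_TIMED")
    elif s.timed_restore_h > s.max_downtime_h:
        out.append("RESTORE_SLOWER_THAN_TOLERATED")
    if s.backup_interval_h > s.max_data_loss_h:
        out.append("BACKUPS_TOO_FAR_APART")
    return out


def power_gap_h(recovery_interval_h: float, battery_runtime_h: float) -> float:
    """Hours without power once the battery is exhausted and recovery is still running."""
    return max(0.0, recovery_interval_h - battery_runtime_h)


def dr_report(systems: List[System]) -> List[Tuple[str, int, List[str]]]:
    """One row per system, most critical first."""
    rows = [(s.name, criticality(s), findings(s)) for s in systems]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory (not real data).
SAMPLE = [
    System("Photoshop", 2, 1, 0, 72, 168, 24, None),
    System("Email", 5, 5, 4, 4, 1, 24, 12),
    System("File server", 4, 3, 3, 8, 24, 24, 6),
]

if __name__ == "__main__":
    for name, score, gaps in dr_report(SAMPLE):
        print(f"{name:12} score={score:3} gaps={', '.join(gaps) or 'none'}")
    # The checklist's own case: a 12-hour recovery interval on a 4-hour battery.
    print("unpowered hours:", power_gap_h(12, 4))
```

Re-running it after each quarterly test shows whether the timed restore still fits the downtime the business said it could tolerate.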
Five Questions to Ask Your DR Vendor
- What’s the recovery interval?
- Who’s responsible for restoring data?
- Do you document your backup procedures?
- How often do you test your data backup plan?
- What are staffing levels in an emergency?
Did you know that cloud computing can help create the framework for a comprehensive disaster plan? Register for a free webinar on the Five Steps to Understanding and Implementing Cloud Computing.
Photo courtesy of National Geographic
Our educational institutions, whether universities or elementary schools, possess a tremendous amount of confidential and sensitive data. Unfortunately, the number of data breaches at educational institutes has been higher on average than those in other sectors, indicating that as yet, schools have failed to effectively make use of modern data protection methods.
Failing to Implement Effective Data Protection
Unencrypted data is a glaring security vulnerability from which many schools suffer. Should any storage media with unencrypted data be lost, it is almost certain that the data will be lost. By utilizing a centralized system with organization-wide access, cloud computing providers enable schools to reduce the danger that the theft of equipment will result in the loss of confidential data.
Improperly Secured Data and Equipment
In today’s world, the ubiquity of portable data storage equipment presents a challenge in maintaining data security. All too many schools have not set policies for what files may be copied to these items, nor have they created an effective inventory system to track the use and status of mobile computers and data storage systems.
By creating a policy that limits the distribution of confidential data to secure machines only, and by effectively tracking those devices at all times, the school can drastically reduce the danger of a data breach stemming from the loss of such a device. This is especially useful when all critical data is not stored on the device but in the secure confines of the cloud computing provider's datacenters.
Limiting Information Distribution
All schools have a wide variety of employees, including volunteers, student employees and outside vendors. Another source of data breaches is the failure to effectively limit system privileges to those who require them.
A cloud computing service can help ensure that all employees only have access to the confidential information they need to perform their duties. Using the management console provided by the cloud vendor, management can revoke the access privileges of former employees, especially those who have been asked to resign or have been terminated, to avoid the malicious vandalism or theft of privileged records.
Establishing a Clear Data Security Policy
The last and most serious source of data breaches is the failure to create and adhere to a clearly defined information security policy. Although the cloud computing service provides the back-end data security, schools fail to focus on making information security a part of the school culture, in addition to failing to establish managers who are clearly responsible for implementing the policy.
By creating such a policy, the school can ensure that its security policies are continually examined and updated for devices outside the control of the cloud provider, and that all employees are effectively prepared to maintain data security.
Data security requires a holistic approach on the part of the school. By working to deal with all potential weaknesses, a school can effectively protect the information of its educators, students and managers alike.
Additional Ways To Implement Security Programs
Identify the goals of the security program and create a clear, defined process so that all parties involved know the correct protocol (i.e., the proper process after an employee is terminated is to immediately revoke all access).
Schools can implement access control management systems, of which there are both physical and logical kinds. By implementing a logical access control system, the school could restrict access to certain files or restrict users to read-only so that information cannot be edited.
In addition to cloud computing, schools can print smart cards on-site, and the cards can be used to control these access rights or to create role-based access control, where people are granted access to specific information based on their role.
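The role-based, read-only and revoke-on-termination controls described above fit in a short model. This is an added example, not taken from the original article or any vendor's product; the roles, resources, user names and the HR roster are hypothetical, constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

R = frozenset({"read"})
RW = frozenset({"read", "write"})

# Hypothetical roles and resources for a school. Anything not listed is denied.
ROLE_GRANTS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "registrar": {"student_records": RW},
    "teacher":   {"student_records": R, "gradebook": RW},  # read-only on records
    "volunteer": {"event_roster": R},
    "it_admin":  {"student_records": R, "backups": RW},
}


@dataclass
class Account:
    user: str
    role: str
    enabled: bool = True


def is_allowed(acct: Account, resource: str, action: str) -> bool:
    """Deny by default: disabled accounts, unknown roles and unlisted resources all fail."""
    if not acct.enabled:
        return False
    return action in ROLE_GRANTS.get(acct.role, {}).get(resource, frozenset())


def stale_accounts(accounts: List[Account], hr_active: Set[str]) -> List[str]:
    """Enabled accounts whose owner is no longer on the HR roster (revocation was missed)."""
    return sorted(a.user for a in accounts if a.enabled and a.user not in hr_active)


def offboard(accounts: List[Account], user: str) -> int:
    """Disable every account the departing user holds; returns how many were disabled."""
    count = 0
    for a in accounts:
        if a.user == user and a.enabled:
            a.enabled = False
            count += 1
    return count


def holders(accounts: List[Account], resource: str, action: str) -> List[str]:
    """Who can perform this action right now? A single name means no checks and balances."""
    return sorted(a.user for a in accounts if is_allowed(a, resource, action))


def sample_accounts() -> List[Account]:
    # Constructed sample directory (not real data).
    return [
        Account("alice", "registrar"),
        Account("bob", "teacher"),
        Account("carol", "volunteer"),
        Account("dana", "teacher"),   # terminated, but the account was never disabled
        Account("erin", "it_admin"),
    ]


HR_ACTIVE = {"alice", "bob", "carol", "erin"}  # constructed HR roster; dana has left

if __name__ == "__main__":
    accounts = sample_accounts()
    print("stale before offboarding:", stale_accounts(accounts, HR_ACTIVE))
    for user in stale_accounts(accounts, HR_ACTIVE):
        offboard(accounts, user)
    print("stale after offboarding: ", stale_accounts(accounts, HR_ACTIVE))
    print("can write backups:", holders(accounts, "backups", "write"))
```

Comparing the account list against the HR roster on a schedule catches terminations where the revocation step was skipped.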
IT departments should ensure devices are regularly inspected for any malware, and updated, and should make sure that all employees are instructed on how to maintain the security of confidential information.
Special thanks to Rebecca Fischer at CardPrinter.com, a retailer providing identification printers and logical access control products to a variety of industries.
Sick of hearing about how great cloud computing is? Want practical tips on whether cloud computing services are right for your organization?
Do you need a few pointers on how to successfully transition to the cloud? Want to sound informed at your next board meeting?
As a Houston cloud computing provider, we're met with an array of opinions from the people with whom we correspond. Some aren't sure about the viability of cloud services. Others are simply concerned about the security of data that's not hosted at their offices. Most have simply been jaded by personal or heavily-publicized experiences with cloud computing services.
In fact, we recently had someone tell us that they don't trust the advice of IT people. Fair enough! In addition to our own thoughts, we've gathered 11 tips from experts in different fields on how to approach cloud computing.
1. Determine whether cloud computing serves a business need
You may be experiencing explosive growth and you don’t want to keep over-investing in onsite equipment. Or perhaps your employees are frustrated with the instability of your in-house IT system and you’re looking for a more stable infrastructure. Today’s businesses are no longer confined to a specific geographic location, and a centralized remote repository might be a business need.
If you find yourself not really using the cloud's full capabilities, you may find that your organization isn’t quite ready for the cloud.
Bottom line: Tying your cloud decision to a specific business benefit will help you gauge and monitor the ROI of your cloud investment. (Source: IsUtility®)
2. Clearly delineate what business objectives you can achieve by moving to the cloud
Carefully list what business problems you can resolve by moving to the cloud. (Source: Sean Kapoor, Gestalt Health)
3. Determine if there are any legal or compliance constraints before moving to the cloud
What should be considered for data or systems targeted to be hosted externally? (Source: Josette Rigsby, Elektronic Kopy)
4. Outsource your IT from “Day 1.”
“This is because computer technology is changing so fast you won't be able to keep up with it all; and because you have enough hassles to deal with running your own business.” (Source: Shane Fischer, Shane E. Fischer, P.A.)
5. Before moving to the cloud, make sure to scope out your specific requirements and don't over-buy.
A big benefit of the cloud is being able to easily upgrade but buying too much up front and getting locked into a contract with that configuration could end up costing you much more. They can always sell you more horsepower later. (Source: Mike Ogburn, ABC Signup)
6. Find out what your employees need before moving to the cloud
All sorts of new work strategies will be revealed as a result of this internal assessment and discussion - make good use of the information and use it to design your cloud interface well and sufficiently (Source: Billie G. Blair, PhD, Change Strategists, Inc.)
7. Take a holistic approach to cloud computing
Examine how your business processes are supported (or not) by the systems and people in place. Determine what's redundant, what's inefficient and where there are gaps. Then build a holistic delivery model for technology services that identifies the functions that should be performed in-house versus by a third party and the technological architecture associated with those functions.
Based on that delivery model, the company can then build a sourcing strategy to determine what functions should be outsourced, to whom, and when. (Source: John L. Nicholson, Pillsbury Winthrop Shaw Pittman LLP)
8. Do diligent research on the security levels of your cloud computing provider.
Many cloud computing providers are created for convenience – and not security – so be prepared to ask a prospective provider some tough questions. Due to the ‘shared’ nature of the cloud, knowing about a cloud computing provider’s security features is a key component in your search for a provider. Do they outsource some of their data security features? If so, to what extent? If you need a password for every new screen you move to, that may be an indication that more people than you realize are handling your information.
Bottom line: Your cloud provider should have impeccable security history – ask if they’ve ever been breached or whether you will be notified when/if they are breached in the future. (Source: IsUtility®)
9. Ensure the agreement with the cloud provider acknowledges your rights
Make sure you control who has access to data and under what circumstances. Be careful of a “click to acknowledge” agreement that may be subject to change at the service provider’s option. (Source: Livia)
10. Determine data portability and retention in your cloud computing contract.
Make sure you fully understand the policies around secure deletion, data retention/requests and what happens to your data if you sever the relationship or the cloud vendor is acquired/goes out-of-business. (Source: Chris Caldwell, LockPath)
11. Develop exit clauses to mitigate the pain of cloud computing vendor lock-in.
(Source: Rob Barrish, GfK Business & Technology)
"We've installed a server. But we don't have the resources to support it or our employees.”
Whether small, medium or multi-national enterprise, today's organizations need a secure, robust, and remotely accessible IT system to stay competitive in an ever-evolving marketplace.
That's easier said than done if you're technologically-minded. But for most, the thought of kitting out an entire business with the best IT technology can bring on the headache to end all headaches. Luckily, there are cloud computing providers with experience and expertise in dealing with the stress and anxiety that can come hand-in-hand with dealing with technology.
Before moving to a cloud computing provider, here are a few benefits to consider:
Technical and Strategic IT Support
There are a number of companies that offer IT support services to not only provide technical support for your employees, but also provide on-going support to ensure that your organization is making the best of its software. When considering technical support, here are a few questions to ask a prospective cloud provider about their support offerings:
- What are the average hold times? (Is there a phone queue?)
- What is the average resolution of issues?
- What percentage of issues are resolved on the first call?
- Who is responsible for problem determination and resolution? (Be sure to ask which components and/or software this covers)
- Will the software work compatibly?
- Who's responsible for setup/transition to and away from their cloud platform?
- Do you train staff on how to use technology to increase productivity?
- What is your clients' average recovery interval? (How long will it take to restore operations to normal after a disaster?)
There are so many options out there, and things can always go wrong, so finding a cloud computing service with a support service is essential, and will give you peace of mind that all your queries can be dealt with in a swift and precise manner.
Warranties & Guarantees
When you have completed your checklist, start shopping around to find the best deals on the products that you need, and always double check the warranties and on-going support available before you start making a purchase.
- Is there an uptime guarantee?
- Are there financial penalties if the provider fails to meet requirements? If so, what are they?
- When is the last time the financial penalties were implemented?
Take a long hard look at what your business needs in terms of IT technology and make a checklist. Remember that all components should be aligned to a business benefit. Here are a few questions to ask about a cloud provider's infrastructure:
- Will your data and applications run on redundant system components?
- Are key functions running on distributed (separate) components to prevent failure of one component affecting others?
- How many data backup copies are provided in the event of file corruption?
It is a great idea to check online to read testimonials from businesses that have used these services. Do they have consistently good reviews? Check with other businesses in your area to find out which service they used. The provider should be able to put you in touch with more than a few good references.
With thanks to Daley of Abtecnet who provides businesses with IT support needs in the UK.
As a Houston cloud computing provider, we deliver technology resources and IT support services remotely, via the internet. However, there is some computer maintenance that we can't provide without being onsite - cleaning.
You likely spend the best part of your working day in front of a computer, putting a lot of work on your keyboard and mouse. Just as you would empty your waste-basket or dust your desk, your computer peripherals also need a bit of a spring-clean once in a while to keep in tip-top shape.
Why clean your peripherals?
You may think of your keyboard and mouse as being designed to withstand a hammering. However, these input devices see a lot of physical interaction. Sweat, grease, particles of dead skin, food crumbs and other horrors can often accumulate in any recesses, as well as building up a patina of general nastiness which ends up coating the surfaces of the items. Build-up of such debris can start to affect the performance of the devices – sticky keys on keyboards, reduced tracking accuracy of mice and other problems are one thing, but if your equipment starts to harbour harmful bacteria, your health could be at risk!
How to clean your peripherals
You don’t need to be a computer expert to give your peripherals a clean – all it takes is a bit of spare time and a few simple items which you can get in any good office supply store or supermarket – here is a list of what you will need to get started:
- A can of compressed air – Try to get one which reads ‘invertible’ on the packaging, as this means that you will be able to spray the can upside down without any liquid spraying out (a potentially damaging side-effect of using non-invertible canisters)
- Cotton buds – You should never stick these in your ear, but using them to clean between your keys is a great idea!
- Isopropyl alcohol – This is good stuff for thoroughly cleaning your components without causing them any harm – look for a concentration of 70% alcohol or so for the best results. It is possible to buy this substance by the bottle, but handy wipes coated with this wonderful substance can be purchased to make cleaning even easier.
- A damp cloth – Useful for removing dust and general grime from items.
What do I do to clean my keyboard and mouse?
- First of all, disconnect your keyboard and mouse from your computer.
- To remove a light coating of surface dust, give a few quick blasts with the compressed air canister (usually the cans come with a thin tubular attachment to help reach tight spots, which can be handy to help the air blasts reach between the keys of your keyboard) – this can be followed up with a quick wipe from a damp cloth (be careful that this has been wrung thoroughly); the idea is to wipe away dust without getting liquid droplets running down inside the components.
- Deeper-seated debris can be dislodged from your keyboard by holding the unit upside down and giving it a bit of a shake or tap (you might want to lay down a dust cloth or some old newspaper to catch the falling crud) – this can be followed up with a bit of a blast from the compressed air.
- Once the keyboard is clear of dust and chunks of debris, use the cotton buds dipped in isopropyl alcohol to clean each key individually – this might seem like a bit of a painstaking task, but if you incorporate this step into a regular routine, it will be a very quick job indeed – the alcohol makes quick work of dirt and grime and helps restore items to their former glory.
- As for your mouse, if it uses an optical or laser sensor, a quick blast of compressed air should do the trick to dislodge any dust particles on the underside: you can wipe the outside of the mouse (where your hand makes contact) with a damp cloth and finally use the same cotton bud and isopropyl alcohol trick (as with the previous steps for cleaning your keyboard) on the buttons and the scroll-wheel.
- If your mouse is one of the older kinds which uses a ball, it is an easy enough step to remove the ball – just twist the plate on the underside of your mouse (there will be arrows underneath, indicating direction of rotation) to release the ball – you can then use compressed air to blast the inside of the mouse – follow this up with a dab of isopropyl alcohol on the internal rollers (usually it is these which clog up with dirt, whilst the ball itself normally just needs a wipe with a cloth – use cotton buds as before to apply the isopropyl alcohol and clean off any stubborn sticky lumps of dirt)
- Finally, give your cables (not the connectors) and mouse pad a quick wipe with a damp cloth, to remove dust.
With thanks to Adam Akiva who runs a successful franchise offering specialist commercial OfficeCleaning Services.
“Auditing Cloud Computing: A Security and Privacy Guide”, edited by Ben Halpert, CISSP, is a tremendous resource for auditors, security professionals, privacy officers and IT executives who need to understand the risks and mitigation strategies for an effective cloud computing solution. The chapters are written by leading professionals in IT, audit, security and management and cover progressively more detail and complexity so the reader builds on knowledge and the basics are not repeated. The editing provides a consistent style and tone throughout the book, making for smooth transitions from chapter to chapter.
While the title focuses on auditing, the information provided in each chapter addresses topics that are pertinent to non-auditors, particularly security managers and business executives who are interested in an objective, vendor-independent overview of cloud computing risks and benefits. The information can also benefit cloud providers, particularly from the information on customer and auditor expectations.
Chapter One: “Introduction to Cloud Computing”
The chapter covers the basics quite well, from describing infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) to the differences between public, private and hybrid clouds to the concepts of data residency and multi-tenancy. This chapter also starts introducing some of the risks that need to be addressed, such as data regulations based on where the data is located, other cloud users adversely impacting performance or availability of the cloud, and unedited audit logs with multiple companies’ information recorded.
Chapter Two: “Cloud-Based IT Audit Process”
This section addresses requirements for auditing in general as well as additional risks that should be considered when planning and conducting an audit. These include data no longer residing entirely within a trusted environment; potential security risks for internal applications that are not tested for Internet vulnerabilities; and identity management concerns when the local Active Directory (or other centrally controlled service model) is not used.
Includes familiar standards, such as NIST and ISACA, as well as the lesser-known Cloud Security Alliance (CSA), the FedRAMP program, and the European Network & Information Security Agency (ENISA) Cloud Risk Assessment.
Chapter Three: “Cloud-Based IT Governance”
The governance framework described is from the IT Governance Institute and ISACA, but here it is focused on the key aspects of governance of cloud services and risks. There is no discussion of other IT governance frameworks that could equivalently be used, such as ISO 38500, King III (South African standard) or Calder-Moir (UK standard), but auditors familiar with these other standards can follow the same outline as presented in this chapter.
Chapter Four: “Lifecycle Management of The Cloud”
The fourth chapter addresses the lifecycle management aspects of the cloud, and how an organization’s SDLC processes can be maintained or supported by a cloud provider. The key concepts of process handoffs, responsibilities and risk management are covered, and several examples are provided to address typical lifecycle processes such as disaster recovery. Various frameworks for lifecycle management are also addressed, including COBIT, ITIL, NIST, and the CSA’s control matrix.
Chapter Five: “Cloud-Based IT Service Delivery and Support”
The fifth chapter introduces the concepts of single-tenant, isolated-tenant and multi-tenant cloud operations. The pros and cons of each architecture type are discussed, and the specific risks associated with multi-tenant platforms (true cloud operations) are addressed in detail, as are the cloud provider responsibilities in establishing this type of platform.
Particularly with regards to Software as a Service (SaaS), this chapter compares granular data element privilege assignments to hierarchical data privileges, inherent transaction visibility to post-implementation event logging, and consistent customization to ad hoc application modifications and notes the positive benefits the cloud infrastructure provides to both customers and providers in these instances.
Chapter Six: “Protection and Privacy on Information Assets in the Cloud”
There are three types of cloud users with security concerns: the cloud service consumers, the cloud service providers, and the cloud service regulators. Their concerns are addressed in a cloud security reference model that includes data at rest and data in motion, which the authors refer to as the “Cloud Security Continuum.” Data classification is also covered in some detail, as well as how this practice is key for ensuring data privacy and security in the cloud. The authors segue into how security, privacy and data classification can be used to map compliance coverage for the various regulatory concerns of organizations that might use cloud computing.
Chapter Seven: “Business Continuity and Disaster Recovery”
Includes the key distinctions and similarities between these two perspectives. The critical concepts of recovery time objectives and recovery point objectives are clearly described, and there is excellent coverage of the audit tests that should be included in a BCP/DRP review (these points are useful in both a traditional IT environment as well as in the cloud environment). One of the key benefits of cloud computing is, in fact, the ease of business continuity in a distributed and virtual environment – from the cloud consumer’s point of view, that is.
Chapter Eight: “Global Regulation and Cloud Computing”
The chapter also covers how auditors can proactively identify risks and work with the IT and business managers to establish mitigation strategies for those risks.
There are very few rules promulgated by industries, consumer groups, or legislative bodies that specifically address cloud computing – that will not always be the case! The current regulatory environment for data privacy and security is addressed, and the main security benchmarking groups are identified, which should help the auditor know where to look for additional information on regulatory changes.
Chapter Nine: “Cloud Morphing”
and provides some guidance as to what may change in the future with regard to cloud security and cloud auditing. Several resources available from the CSA are discussed, including “CloudAudit 1.0” – an effort to create an API that can be used to gather data about the cloud services, cloud provider, and other key practices advocated by the CSA. Additional discussions are provided for the security and audit of the hypervisor and the virtual machines that make up the cloud. The authors also address cryptography concerns, and note that cloud data almost certainly should be encrypted and that the encryption keys should NOT be stored in the cloud (they do bring up the concept of a key management cloud, but little detail is provided on how such a process would function and what security would be implemented for the keys).
The book includes an appendix with an audit checklist for cloud computing, and includes a reference to the key review aspects covered in the various chapters of the book. While this is not itself a risk-based audit program, it does provide sufficient guidance for a risk assessment to be generated and the applicable audit checklist steps could then be performed.
More companies are considering a move to a cloud computing provider, and whether or not they actually move their data, applications and/or processing to the cloud, it is beneficial for auditors and security professionals to be aware of the risks in advance of that move. With the number of cloud providers increasing, third-party and vendor data being cloud based will be a concern even if the auditor’s company data is retained onsite.
Book review by Richard Fowler, CIA, CISA, CFE, a Senior Audit Specialist at Huntington Ingalls Industries, where he conducts risk assessments and operational, compliance and technology audits. Richard has over 15 years of audit experience in a number of fields and significant previous experience as an engineer and as a computer programmer.
As a Houston cloud computing and IT support provider, we frequently receive calls that have nothing to do with data security, computer downtime, or file backups. Clients that use popular software, such as the programs in the Microsoft Office suite, just want to know how to optimize the tools they already have. So we've dedicated a "Beyond The Cloud" section to quick and easy computer tips and tricks.
Today's guest author, Ang Lloyd, writes on behalf of Now Learning, which promotes online education opportunities such as IT and Microsoft courses in Australia.
It’s a universal workplace problem: too much to do and not enough time! No matter how much you plan, schedule or prioritize, you always seem to run out of time. You may not realize it, but the solution to effective time management is on your desktop. MS Outlook can literally save you hours. According to Office.Microsoft.com, most people spend 2-3 hours per day e-mailing, with one hour spent searching for or filing information. After doing an MS Outlook course, that average goes down to 1-2 hours spent e-mailing and 10 minutes looking for information! These are just some of the tools that will increase your efficiency and raise your productivity.
To help you maximize your time and eliminate unnecessary tasks, MS Outlook has a number of useful shortcuts. Instead of spending 10 minutes combing through your inbox for a particular message, you can quickly search it by just clicking on the ‘related’ button (Slideshow.net). You can also set up specific sub-folders, so you’re not bogged down with unimportant e-mails. You can set reminders to reply to e-mails and create a ‘No Reply All’ template, which prevents those seemingly endless group replies.
MS Outlook has a surprisingly under-utilized feature called Journal. According to Brighthub.com, this feature allows you to track exactly how much time you spend on a particular application (or any number of MS Office programs, including Word and Excel). This enables you to create a productivity report, which you can do daily, weekly or monthly. According to Brighthub.com, you can set productivity goals, and Journal conveniently allows you to monitor your progress. You can also use Journal to track changes by the hour or to see how long it takes you to create a spreadsheet. It’s an incredibly useful tool for time management and for measuring your efficiency.
Benefits of doing a course
MS Outlook has so many time-saving benefits that a short training course is often necessary to fully utilize all of them. According to Office.Microsoft.com, those who take a training course usually increase their overall usage of features by 50%. That means half of the features are normally not even looked at. Office.Microsoft.com adds that after a course, most people reduce their (unnecessary) inbox messages by a whopping 81% and the volume they receive is 50% less! In e-mail alone, MS Outlook has the potential to save you a lot of time and eliminate clutter.
MS Outlook can free up your day, so that you’re able to focus on being more efficient and productive. Enroll in a training course and learn how to track your time, use shortcuts and how to create useful reference systems. You’ll still probably have too much to do, but at least you’ll have enough time.