Managing risk is an increasingly important part of the job of CIOs and IT executives. Risk management includes securing corporate systems, networks, and data, ensuring availability of systems and services, planning for disaster recovery and business continuity, complying with government regulations and license agreements, and protecting the organization against an increasing array of threats such as viruses, worms, spyware, and other forms of malware.
The following is a list of recent advisory reports within this section.
A Practical Framework for Business Continuity Planning
Too often, disaster recovery is simply an information-technology-led exercise. There is a growing recognition, however, that contingency planning needs to go beyond recovery of IT systems to become a business-led process that prepares the organization for many forms of disruption and ensures that the business itself—not just the IT systems—will continue uninterrupted. This report provides practical guidance on best practices for business continuity planning. (11 pp., 2 fig.)
IT Security Staffing Ratios
Maintaining strong security does not necessarily require an expansion of IT staff dedicated to security. In fact, IT security staffing as a percentage of total IT staff has remained relatively steady over a number of years. In this study, we help IT executives assess their security staffing needs by providing four benchmarks: IT security staff as a percentage of IT staff, IT security staff as a percentage of the infrastructure group, users per IT security staff member, and network devices per IT security staff member. We also assess the influence of organization size and sector on staffing requirements. (18 pp., 10 figs.)
Disaster Recovery Spending Benchmarks
How much should an IT organization be spending on its disaster recovery efforts? In this study, we look at disaster recovery spending per user, per server, and as a percentage of the IT operational budget. We also examine differences in disaster recovery spending by organizational size and sector. Finally, we assess how many organizations are periodically testing their disaster recovery plans, a best practice that is all too often ignored. The metrics provided in this report can be used to benchmark an organization’s disaster recovery spending and testing practices against industry standards. (15 pp., 10 figs.)
Preparing IT for a Different Kind of Disaster: an Influenza Pandemic
Public health authorities warn that the risk of a pandemic is growing in light of the swine flu outbreak and avian flu cases. Because pandemics are fundamentally different from the disasters commonly envisioned in business continuity plans, most IT organizations are not prepared to face this threat. This updated report outlines the specific ways in which pandemics differ from other types of disasters. It suggests three planning scenarios, and it outlines specific actions that IT risk managers should consider to prepare for a potential flu pandemic. If adequately prepared, the IT group will be able to continue to support critical business functions, and it can provide solutions to help the organization get through a pandemic. (12 pp., 1 fig.)
Mitigating Security Threats by Minimizing Software Attack Surfaces
An important method for improving the security of software is to assess and minimize the system's "attack surface": the set of entry points (listening services, interfaces, privileges, input channels) that an attacker can reach. In this report, we provide a conceptual understanding of attack surfaces and explore how to use this concept to improve the security of both internally developed software and commercial off-the-shelf systems. We conclude by recommending best practices for limiting attack opportunities on IT systems. (4 pp., 2 figs.)
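The simplest measurable slice of a host's attack surface is the set of services it exposes to the network. The following script is an added illustration, not code from the report above: it parses constructed output in the style of `ss -lntup`, separates loopback-only listeners from externally reachable ones, and flags anything reachable that is not on a hypothetical allowlist (here, an assumed baseline of SSH and HTTPS for a web server). The sample sockets, process names and allowlist are all constructed for the example.

```python
"""Attack-surface check: listening sockets versus an approved baseline.

SAMPLE_SS_OUTPUT is constructed to resemble `ss -lntup`; ALLOWED is a
hypothetical baseline. Added example, not the report's own method.
"""
import re
from dataclasses import dataclass

# Constructed sample, shaped like `ss -lntup` output.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=1201,fd=5))
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=944,fd=21))
tcp   LISTEN 0      128    [::]:5900           [::]:*        users:(("x11vnc",pid=2210,fd=4))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*     users:(("snmpd",pid=701,fd=8))
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=650,fd=5))
"""

# Hypothetical baseline: what this host is supposed to expose.
ALLOWED = {("tcp", 22), ("tcp", 443)}

LOOPBACK = {"127.0.0.1", "::1"}
_PROC_RE = re.compile(r'\("([^"]+)"')  # first process name in users:(("name",...))


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def external(self) -> bool:
        # Anything not bound to loopback is reachable from the network.
        return self.addr not in LOOPBACK


def parse_ss(text: str) -> list[Listener]:
    """Parse ss-style lines into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles [::]:5900 and *:111
        if not port.isdigit():
            continue
        m = _PROC_RE.search(line)
        listeners.append(Listener(proto, addr.strip("[]"), int(port),
                                  m.group(1) if m else "?"))
    return listeners


def exposed_not_allowed(listeners, allowed=ALLOWED):
    """Externally reachable sockets that are not in the baseline."""
    return [l for l in listeners if l.external and (l.proto, l.port) not in allowed]


def summarize(text=SAMPLE_SS_OUTPUT, allowed=ALLOWED):
    listeners = parse_ss(text)
    return {
        "listeners": len(listeners),
        "external": sum(l.external for l in listeners),
        "findings": exposed_not_allowed(listeners, allowed),
    }


if __name__ == "__main__":
    result = summarize()
    print(f"{result['listeners']} listeners, {result['external']} reachable externally")
    for f in result["findings"]:
        print(f"  NOT IN BASELINE: {f.proto}/{f.port} ({f.process}) bound to {f.addr}")
```

On a real host, pipe `ss -lntup` into `parse_ss` instead of the constructed sample and keep the baseline under version control; a diff in the findings between two runs is a change in attack surface that should map to an approved change.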
Business Continuity Spending: How Much Is Enough?
How much business continuity spending is appropriate for the level of risk an organization is willing to accept? In this study, we look at average spending on business continuity as a percentage of the IT budget. Because risks and compliance issues can vary widely from sector to sector, we break down spending by industry to provide more targeted metrics. We also analyze spending by organizational size and look at the change in spending levels from 2006 to 2007. Finally, we investigate how organizations rank disaster recovery improvements as a budgetary priority. (4 pp., 5 figs.)
Moving Security Beyond Regulatory Compliance
Organizations today must comply with a greater number of regulations than ever before, many of which deal with information and system security. While the intent of these regulations is good, their proliferation is burdensome. Even more troubling, it is possible to be compliant but not secure. Based on our survey of 100 security, IT, and compliance professionals, this article proposes four principles for establishing a security program that goes beyond regulatory compliance. (5 pp., 6 figs.)
Making Security an Integral Part of Project Management
Vulnerabilities are often introduced into an organization when changes are made to its technology, business processes, or facilities. Therefore, security should be an important element of project management, to ensure that the security implications of these changes are addressed. However, a recent survey by Computer Economics suggests that executives have not adequately integrated their security and project management functions. This article presents the results of our survey on the role of security in project management. Additionally, we review the positive impact that security can have on project management practices. (5 pp., 9 figs.)
Resolving the Data Center Power and Cooling Crisis
This article investigates the current crisis in data center power and cooling and provides recommendations for resolving it. It provides forecasts of computer power usage and energy costs and identifies the sources of demand for power in the data center. Unfortunately, common practices of data center managers often worsen the problem. Finally, we outline new approaches that organizations can take to gain control over power and cooling requirements. (3 pp., 2 figs.)
The Business Case for Keystroke Dynamics in Multi-Factor Authentication
Username and password pairs are as weak as they are ubiquitous as an authentication factor. They can be phished, stolen, guessed, and cracked in a number of ways. A single factor of authentication is so weak that the Federal Financial Institutions Examination Council (FFIEC) is requiring all online banking services to adopt multi-factor authentication by the end of 2006. In light of these needs, a technique known as keystroke dynamics (or typing dynamics), which measures a user's characteristic timing between keystrokes, is emerging as an effective way to strengthen user authentication. This special report provides scenarios that illustrate the application of keystroke dynamics. We then present a probability model that can be used to analyze the security benefits of multi-factor authentication. Finally, we present an economic analysis of the financial benefits of keystroke dynamics. (8 pp., 5 figs.)
The Relative Effectiveness of Spam-Blocking Solutions
Are we winning the battle against spam? This report, based on a survey of over 100 IT managers, email/security professionals, and end-users, finds that perceptions differ between these groups. Furthermore, experiences differ according to the choice among four types of spam-blocking products: third-party spam-blocking services, server-based anti-spam software, client-based spam filters, and anti-spam appliances. The survey also explored the reasons that executive management approves spam-fighting technology. (8 pp., 9 figs.)
Organizations are at Risk from Lax Wi-Fi Security
According to our research, laptop computers comprise about one-third of all personal computers in U.S. and Canadian businesses, and most of them include wireless communications capabilities. But according to data from our 2006 IT Security Study, many IT organizations fail to apply even the simpler concepts and configurations that are available to secure wireless networks. This article quantifies the adoption rate for two wireless security standards (WEP and WPA) and breaks down the analysis by organizational size (based on the number of laptops supported). The article also includes practical recommendations for securing wireless networks and itemizes the reasons that organizations should upgrade to the WPA standard as soon as possible; chief among them is that a WEP key can be recovered from captured wireless traffic, so WEP provides little real protection.
Overcoming Obstacles to Data Classification
A formal data classification scheme is fundamental to information security. Yet, many organizations--even those that profess a commitment to protecting company and customer information--fail to implement data classification. This article looks at the reasons that data classification can be difficult to develop and implement in practice and offers several practical guidelines to overcome these obstacles.
Combating Back Door Vulnerabilities in Data Center Procedures
Although IT professionals usually adhere to strict security guidelines when dealing with user systems, they sometimes drop their guard when they implement systems and procedures in the data center itself. This article highlights the security weaknesses that can be created by such administrative procedures and outlines common-sense management practices that can close such back door vulnerabilities.
Countering the Phishing/Pharming Threat
Phishing attacks are growing in number and in technical sophistication. Furthermore, the impact of these incidents is increasing, with a significant portion in the form of pharming attacks, the newest and most dangerous variant: rather than relying on a lure to draw victims to a fraudulent site, pharming redirects them there by tampering with name resolution, so even a user who types the correct address can be misdirected. This article explains the evolution of phishing attacks and outlines the countermeasures that organizations need to defend effectively against them. (9 pp., 2 figs.)
Disaster Recovery Lessons Learned from Hurricane Katrina
Katrina exposed a weakness in the disaster recovery plans of many organizations. In addition to providing a secondary data center to recover critical IT business systems, companies must also plan to relocate key IT support personnel and key users to administer those systems. This article outlines key considerations in preparing for a Katrina-level disaster and provides updated guidelines for the safe distance and location of the recovery data center. (5 pp., 1 fig.)
Data Center Recovery Site Planning: Geographic Considerations
The U.S. federal government and private industry have developed new guidelines that can be helpful in deciding the optimal distance between the data center and its recovery site. Based on various studies conducted over the past few years, it is clear that the placement of a recovery site too far away from the main data center can be as much of a problem as placing it too close. This research report provides guidelines for the optimal distance.
Organizations Are Not Adopting Measures to Limit Impact of Security Intrusions
The increasing threat of security intrusions has failed to motivate many organizations to take the steps necessary to protect their software, hardware, and data. Clearly, the increase in these incidents shows a growing sophistication on the part of those who launch these attacks. The problem, however, is exacerbated by organizations failing to adopt prudent measures that would either prevent intrusions or mitigate their impact. This article highlights the extent of security intrusions in surveyed companies by point of entry and by type, and it documents the extent to which the same companies are not implementing common security measures to defend against such attacks. (7 pp., 6 figs.)
Size Matters When It Comes to IT Security
IT security remains a major concern, from the largest enterprise to the home office user. The recently conducted Computer Economics IT Security Study looked into a variety of issues related to IT security budgets, incidents, and management practices. This report provides a new analysis of these metrics by cross-comparing organizational size with IT security problems. This analysis yields useful insights that IT managers may use to manage security spending more effectively.