The document discusses how businesses must effectively manage risks in an uncertain world. It provides an example of an IT team having to quickly recover a critical CRM application from server failure, though they cut corners on security to meet their recovery timeline. While this resolved the immediate issue, it introduced new risks. The document advocates that IT professionals must play a key role in risk management. It discusses how businesses face a wide range of evolving threats and how regulations like Sarbanes-Oxley aimed to increase transparency and minimize accounting and financial reporting risks. Specifically, it focuses on how businesses are strengthening availability of information, data privacy/security, and information lifecycle management to reduce compliance risks and operational risks that can damage reputation and profits.
In January-February 2016, the EIU, surveyed 1,100 senior executives on data security practices within their firms. The survey’s primary objective was to analyse the differences, if any, between the C-suite and senior IT executives on data security.
The survey sample was recruited from companies with between $500 million and $10 billion in revenues, and is equally representative of the Americas, Asia-Pacific and European regions. The panel came from 20 industries, with no single industry accounting for more than 14% of the total.
This was a survey of senior executives. The C-suite segment, sometimes referred to herein as senior management or corporate leadership, consisted exclusively of C-suite executives (eg CEOs, CFO, COOs). The security segment, sometimes referred to herein as the security executives, consisted of the CIO and those who identified themselves as Chief Data Officers or Chief Information Security Officers (CISOs).
Each panel was asked an identical set of 20 questions, and the results have been reviewed for insight and commentary by a panel of independent experts.
Cyber-criminals are assaulting every part of the enterprise. But not all cyber-attacks are created equal. In the minds of senior executives, the greatest danger of cyber-attacks is damage to the reputation of the firm with its customers.
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise
My article published in the Canadian Institute of Corporate Directors journal, Director, outlining why not only the CIO, but also the COO and CHRO have roles to play in effective cybersecurity leadership
The Trust Paradox: Access Management and Trust in an Insecure AgeEMC
This white paper discusses the results of a CIO UK survey on a“Trust Paradox,” defined as employees and business partners being both the weakest link in an organization’s security as well as trusted agents in achieving the company’s goals.
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...GFI Software
In their “Sector Insight” research study, Aberdeen Group investigated the considerations small business should take when selecting anti-malware solutions. Read this research paper to learn why Aberdeen recommends small businesses be open to endpoint security solutions from vendors other than McAfee and Symantec.
In January-February 2016, the EIU, surveyed 1,100 senior executives on data security practices within their firms. The survey’s primary objective was to analyse the differences, if any, between the C-suite and senior IT executives on data security.
The survey sample was recruited from companies with between $500 million and $10 billion in revenues, and is equally representative of the Americas, Asia-Pacific and European regions. The panel came from 20 industries, with no single industry accounting for more than 14% of the total.
This was a survey of senior executives. The C-suite segment, sometimes referred to herein as senior management or corporate leadership, consisted exclusively of C-suite executives (eg CEOs, CFO, COOs). The security segment, sometimes referred to herein as the security executives, consisted of the CIO and those who identified themselves as Chief Data Officers or Chief Information Security Officers (CISOs).
Each panel was asked an identical set of 20 questions, and the results have been reviewed for insight and commentary by a panel of independent experts.
Cyber-criminals are assaulting every part of the enterprise. But not all cyber-attacks are created equal. In the minds of senior executives, the greatest danger of cyber-attacks is damage to the reputation of the firm with its customers.
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise
My article published in the Canadian Institute of Corporate Directors journal, Director, outlining why not only the CIO, but also the COO and CHRO have roles to play in effective cybersecurity leadership
The Trust Paradox: Access Management and Trust in an Insecure AgeEMC
This white paper discusses the results of a CIO UK survey on a“Trust Paradox,” defined as employees and business partners being both the weakest link in an organization’s security as well as trusted agents in achieving the company’s goals.
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...GFI Software
In their “Sector Insight” research study, Aberdeen Group investigated the considerations small business should take when selecting anti-malware solutions. Read this research paper to learn why Aberdeen recommends small businesses be open to endpoint security solutions from vendors other than McAfee and Symantec.
Welsh Consultants publishes its Thought Leadership article- The essence of Leadership is summarised well in this- "Good leaders identify people’s competencies and articulate their strengths, but the best ones are always rediscovering and moving up the learning curve themselves especially in tough times." As the saying goes, “We cannot lead anyone farther than we have been ourselves.” My belief is that while leading your organisations through difficulties, too much change can knock people out of their equilibrium. One has to start with what they have and what works well – then build on it and create solutions that produce incremental innovations to generate major changes over time. COVID-19 has handed that opportunity to show real leadership. This paper explores this.
1. How often do you see non-sanctioned cloud services in use?
2. Are we protecting ourselves against insider threats?
3. Do we have a cyber security task force in place?
4. Is our BYOD policy secure?
5. Do you feel limited by your security budget or staff size?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
This white paper summarizes the results of a survey done by RSA, NYSE Governance Series, and Corporate Board Member, in association with Ernst & Young, with 200 audit committee members responding on a variety of issues regarding their cyber risk oversight program.
Cloud Complexity: The need for resilience is an EIU report that looks into the critical shifts brought about by an increased organisational dependence on the cloud. In this survey, sponsored by Sungard Availability Services, and conducted by the EIU, 304 executives dispersed across France, the United Kingdom and the United States, were polled regarding their organisational resilience and technology adoption.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Digital has increased businesses’ cybersecurity risk – and yet few have elevated security to a senior leadership concern, according to our recent research. Here’s what businesses are thinking about cybersecurity, and a framework for strengthening their security strategies.
This global study, conducted by the Economist Intelligence Unit (EIU) and sponsored by Palo Alto Networks, sheds light on the ways business leaders are dealing with the increasing volume of threats they face from insecurities that arise because of disruption beyond their corporate borders.
For in-depth interviews from industry leaders on how companies are combating security threats, go to https://goo.gl/fXcnLN
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
Blog post discussing why CISOs need to collaborate with privacy, legal, and product teams to effectively identify and mitigate risk in their organization.
This presentation was held in October 2011 in Brussels at the McLuhan Centennial Conference, leading to the publication:
Yoni Van Den Eede, Joke Bauwens, Joke Beyl, Marc Van den Bossche, and Karl Verstrynge, editors (in press). Proceedings of ‘McLuhan’s Philosophy of Media’ – Centennial Conference / Contact Forum, 26-28 October 2011, Brussels: Royal Flemish Academy of Belgium for Science and the Arts
Welsh Consultants publishes its Thought Leadership article- The essence of Leadership is summarised well in this- "Good leaders identify people’s competencies and articulate their strengths, but the best ones are always rediscovering and moving up the learning curve themselves especially in tough times." As the saying goes, “We cannot lead anyone farther than we have been ourselves.” My belief is that while leading your organisations through difficulties, too much change can knock people out of their equilibrium. One has to start with what they have and what works well – then build on it and create solutions that produce incremental innovations to generate major changes over time. COVID-19 has handed that opportunity to show real leadership. This paper explores this.
1. How often do you see non-sanctioned cloud services in use?
2. Are we protecting ourselves against insider threats?
3. Do we have a cyber security task force in place?
4. Is our BYOD policy secure?
5. Do you feel limited by your security budget or staff size?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
This white paper summarizes the results of a survey done by RSA, NYSE Governance Series, and Corporate Board Member, in association with Ernst & Young, with 200 audit committee members responding on a variety of issues regarding their cyber risk oversight program.
Cloud Complexity: The need for resilience is an EIU report that looks into the critical shifts brought about by an increased organisational dependence on the cloud. In this survey, sponsored by Sungard Availability Services, and conducted by the EIU, 304 executives dispersed across France, the United Kingdom and the United States, were polled regarding their organisational resilience and technology adoption.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Digital has increased businesses’ cybersecurity risk – and yet few have elevated security to a senior leadership concern, according to our recent research. Here’s what businesses are thinking about cybersecurity, and a framework for strengthening their security strategies.
This global study, conducted by the Economist Intelligence Unit (EIU) and sponsored by Palo Alto Networks, sheds light on the ways business leaders are dealing with the increasing volume of threats they face from insecurities that arise because of disruption beyond their corporate borders.
For in-depth interviews from industry leaders on how companies are combating security threats, go to https://goo.gl/fXcnLN
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
Blog post discussing why CISOs need to collaborate with privacy, legal, and product teams to effectively identify and mitigate risk in their organization.
This presentation was held in October 2011 in Brussels at the McLuhan Centennial Conference, leading to the publication:
Yoni Van Den Eede, Joke Bauwens, Joke Beyl, Marc Van den Bossche, and Karl Verstrynge, editors (in press). Proceedings of ‘McLuhan’s Philosophy of Media’ – Centennial Conference / Contact Forum, 26-28 October 2011, Brussels: Royal Flemish Academy of Belgium for Science and the Arts
Ref # 217 – Ain Saade – Villa / Bld for sale (4 floors & Roof with Open Mountain & sea view)
-The living space is over 1000 sqm including balconies.
-The land surface is 506 sqm.
-The villa was totally renovated between 2008 and 2009.
- prime location
- 2 additional floors (-2, -3)
- Price : 2,300,000 $
info@realestatelebanon.net / + 961 70 592 593
En esta presentación se explican las características del medio de comunicación 'Aragón-in', un medio aragonés que pretende divulgar los proyectos científicos y tecnológicos aragoneses.
Driving efficiencies in the new month end close - vena solutionsVena Solutions
The month-end close has become more complex since the early 2000’s. Increasing regulatory scrutiny is forcing companies to change the way they measure their success while continuing to generate full-scale, compliant, and timely financial statements every month. This paper examines four ways companies can remedy a dysfunctional month-end close without altering their core business systems or processes.
Evalueserve and McAfee conducted this study in 2011 to highlight how IT decision-makers view the challenges of risk and compliance management in a highly regulated and increasingly complex global business environment. The research investigates how organizations address both risk and compliance, which are so inextricably interrelated. Research was aimed to forward looking, revealing companies’ plans for refining and automating their programs in 2011 and beyond. Significant portions of IT budgets is being spent on risk and compliance management and the spending is only expected to grow in the future.
Protecting Corporate Information in the CloudSymantec
Keeping Your Data Safe: Protecting Corporate Information in the Cloud is an insights-driven thought leadership study conducted by WSJ. Custom Studios in collaboration with Symantec Corporation. The goal of this research is to better understand worldwide cloud adoption across leading organizations and the challenges associated with its use. This survey also explores attitudes toward security as well as the behaviors that can lead to potential data loss and security breaches.
An online survey was conducted from February to March 2015 among 360 global business and IT executives with 180 respondents from the United States, 60 from the United Kingdom, 60 from Germany and 60 from Japan. Of these, 15% are CEOs, presidents or owners; 14% are CIOs/CTOs/CSOs; 5% are other C-level executives; 13% are heads of business units or EVPs/VPs/directors; 23% are IT/security professionals; and 30% are managers or other business professionals (e.g., engineering, research and development, sales, legal and compliance, etc.).
Portal Authentication: A Balancing Act Between Security Usability and Complia...PortalGuard
Virtually every organization maintains highly sensitive information to which it must
control strict access. These data sources might include customer databases, CRM
systems, repositories of financial information and the like. Increasingly, these content
sources are accessed through portals Microsoft SharePoint and other solutions.
Importantly, SharePoint is among the leaders in Gartner’s 2013 Magic Quadrant for
horizontal portalsi.
http://www.portalguard.com
ORX Analytics & Scenario Forum 2019 - summaryLuke Carrivick
Discover more about the ORX Analytics and Scenarios forum.
On 3-4 July, more than 50 operational risk and scenario experts from banking and insurance met in London for two days of discussion and networking. The ORX Analytics and Scenario Forum takes place each year, and gives participants the chance to talk about the biggest issues facing the industry today.
Five principles for improving your cyber securityWGroup
Corporate assets have been shifting from physical assets to virtual assets over the past 20 years. This trend has been accompanied by a corresponding increase in the vulnerability of intangible assets, leading to a greater general awareness of corporate cyber security risks. The alteration or destruction of a company’s data can result in harm to reputation, loss of public confidence, disruption to infrastructure, and legal sanctions. The security risk can adversely impact a company’s stock price and competitive position in the marketplace. In this document, WGroup cites 5 principles that will help improve a business's cyber security. The 5 principles are risk identification, risk management, legal implications, technical expertise, and expectations.
how to swap pi coins to foreign currency withdrawable.DOT TECH
As of my last update, Pi is still in the testing phase and is not tradable on any exchanges.
However, Pi Network has announced plans to launch its Testnet and Mainnet in the future, which may include listing Pi on exchanges.
The current method for selling pi coins involves exchanging them with a pi vendor who purchases pi coins for investment reasons.
If you want to sell your pi coins, reach out to a pi vendor and sell them to anyone looking to sell pi coins from any country around the globe.
Below is the contact information for my personal pi vendor.
Telegram: @Pi_vendor_247
How Does CRISIL Evaluate Lenders in India for Credit RatingsShaheen Kumar
CRISIL evaluates lenders in India by analyzing financial performance, loan portfolio quality, risk management practices, capital adequacy, market position, and adherence to regulatory requirements. This comprehensive assessment ensures a thorough evaluation of creditworthiness and financial strength. Each criterion is meticulously examined to provide credible and reliable ratings.
Lecture slide titled Fraud Risk Mitigation, Webinar Lecture Delivered at the Society for West African Internal Audit Practitioners (SWAIAP) on Wednesday, November 8, 2023.
Seminar: Gender Board Diversity through Ownership NetworksGRAPE
Seminar on gender diversity spillovers through ownership networks at FAME|GRAPE. Presenting novel research. Studies in economics and management using econometrics methods.
BYD SWOT Analysis and In-Depth Insights 2024.pptxmikemetalprod
Indepth analysis of the BYD 2024
BYD (Build Your Dreams) is a Chinese automaker and battery manufacturer that has snowballed over the past two decades to become a significant player in electric vehicles and global clean energy technology.
This SWOT analysis examines BYD's strengths, weaknesses, opportunities, and threats as it competes in the fast-changing automotive and energy storage industries.
Founded in 1995 and headquartered in Shenzhen, BYD started as a battery company before expanding into automobiles in the early 2000s.
Initially manufacturing gasoline-powered vehicles, BYD focused on plug-in hybrid and fully electric vehicles, leveraging its expertise in battery technology.
Today, BYD is the world’s largest electric vehicle manufacturer, delivering over 1.2 million electric cars globally. The company also produces electric buses, trucks, forklifts, and rail transit.
On the energy side, BYD is a major supplier of rechargeable batteries for cell phones, laptops, electric vehicles, and energy storage systems.
how can I sell pi coins after successfully completing KYCDOT TECH
Pi coins is not launched yet in any exchange 💱 this means it's not swappable, the current pi displaying on coin market cap is the iou version of pi. And you can learn all about that on my previous post.
RIGHT NOW THE ONLY WAY you can sell pi coins is through verified pi merchants. A pi merchant is someone who buys pi coins and resell them to exchanges and crypto whales. Looking forward to hold massive quantities of pi coins before the mainnet launch.
This is because pi network is not doing any pre-sale or ico offerings, the only way to get my coins is from buying from miners. So a merchant facilitates the transactions between the miners and these exchanges holding pi.
I and my friends has sold more than 6000 pi coins successfully with this method. I will be happy to share the contact of my personal pi merchant. The one i trade with, if you have your own merchant you can trade with them. For those who are new.
Message: @Pi_vendor_247 on telegram.
I wouldn't advise you selling all percentage of the pi coins. Leave at least a before so its a win win during open mainnet. Have a nice day pioneers ♥️
#kyc #mainnet #picoins #pi #sellpi #piwallet
#pinetwork
1. Elemental Economics - Introduction to mining.pdfNeal Brewster
After this first you should: Understand the nature of mining; have an awareness of the industry’s boundaries, corporate structure and size; appreciation the complex motivations and objectives of the industries’ various participants; know how mineral reserves are defined and estimated, and how they evolve over time.
1. RISK NEVER SLEEPS White Paper Series
MANAGING RISK IN AN
UNCERTAIN WORLD
An IT manager starts off the week with a hardware failure on a server
running the firm’s CRM application. Sales and marketing, as well as senior
management, are flustered – they can’t access the application to contact
key customers regarding a change to a scheduled product delivery date.
The IT manager had a replacement server on hand—a rarity in today’s
tough financial environment—and was able to get the new hardware
up and running quickly. The IT team needed to cut some corners in the
interest of time – they decided security checks and data de-duplication
efforts could wait. They were able to meet their prescribed recovery
time objective, and more importantly, the business managers stopped
complaining, so the IT team felt the crisis was resolved positively.
2. 2 Risk Never Sleeps
This type of scenario plays out in companies around the world every day; yet, what
potential risk has been introduced with the approach the IT team decided to take? IT
professionals are increasingly responsible for doing more than just provisioning servers
and maintaining applications – they are core players in the risk management process.
“Risk never sleeps” – or so goes the phrase made popular by a recent series of Travelers
Insurance advertisements, where a metaphorical character representing risk wanders
aimlessly and sleeplessly through a city, followed by a series of humorous mishaps.
The concept may seem simple, but its truth is without question. Today’s businesses
face a rapidly evolving threat universe, ranging from fires and floods, to increasingly
sophisticated hackers and stolen data, to hardware and software outages.
Risk also extends to accounting errors and fraudulent activity, and in 2002,
Sarbanes-Oxley legislation was enacted to help organizations increase transparency and
minimize these risks, which had badly shaken the foundation of confidence in the public
markets and the U.S. economy.
Recent studies suggest that overall, Sarbanes-Oxley
has been successful in boosting corporate governance
standards and increasing investor and market confidence.
Glass Lewis, an investment advisory firm, points to the
fact that in 2006, restatements – revisions of previously
released financial statements – at large public companies Today’s businesses face
fell by 14 percent, one piece of proof that Sarbanes-Oxley is a rapidly evolving threat
improving the accuracy of financial statements.1
universe, ranging from fires
A recent poll by Financial Executives International, an and floods, to increasingly
advocacy group for chief financial officers and controllers, sophisticated hackers and
echoed these sentiments – with nearly half of all financial stolen data, to hardware
executives agreeing that Section 404 has made their and software outages.
financial reports more accurate and reliable.2 Section 404
of the Sarbanes-Oxley Act requires companies to report
on the internal controls they have in place to ensure ethical
conduct related to financial reporting, which the senior
management must attest to annually. It is designed to
improve the public’s trust and confidence in the financial
information that companies report publicly.
However, the cost of compliance can be high, particularly from a business psychology
perspective. A recent PricewaterhouseCoopers report suggests that an overriding focus
on avoiding risk at all costs often causes organizations to implement layer upon layer of
controls in endless pursuit of “zero risk”3 – a fallacy which simply does not exist, by virtue
of the fact that many risks (floods, fires and other natural disasters, for example) are
completely unpredictable.
Furthermore, Sarbanes-Oxley brings with it its own degree of risk – the risk of
non-compliance – which can be quite costly, resulting in hefty fines or even prison
sentences for top executives.
3. Risk Never Sleeps 3
Over the years, SunGard has seen organizations make great strides in transforming their views
of risk and regulation from a cumbersome, costly challenge, to a valuable framework for increasing
transparency and protecting shareholders’ interests; asserting greater control over operational risks,
known as operational risk management (ORM); and accurately assessing enterprise-wide risk levels in
order to drive competitive advantage through more productive use of capital resources.
In the five years post-Sarbanes-Oxley, widely-held attitudes toward risk and regulation may have
changed, but one notion that hasn’t changed is the need to bring specific operational risk factors –
including IT-related risk factors – under control. In business, the term ORM refers to the oversight of
many forms of day-to-day operational risks including the risk of loss resulting from inadequate or failed
internal processes, people and systems or external events.
Information availability, data privacy and security and information lifecycle management (ILM)
have been, and continue to be, three key areas of IT that businesses focus on in order to reduce
risk of non-compliance. The primary reason is that these three areas can significantly impact the
completeness and validity of financial reports. But these three areas also represent, in and of
themselves, operational risks that can exert long-term damage to company reputation and the bottom
line if not properly controlled.
While risk can never be eliminated entirely, this white paper explores the new approaches businesses
are taking to fortify these IT areas and minimize their risk potential. At times, these approaches involve
combining new technologies with a renewed focus on more traditional techniques at the people and
planning levels.
INFORMATION AVAILABILITY
It’s no wonder that business continuity capabilities (or lack thereof) are consistently viewed as a top
risk factor, considering the pure cost of availability lapses in business terms. It’s a cost that is difficult
to quantify, particularly when factoring in the potential loss of repeat business and tarnished company
reputation that may occur after a highly publicized outage.
ABOUT PINGDOM
Pingdom has a very strong and narrow focus which lies in “covering the uptime monitoring
needs of 90% of the companies in the world.” More specifically, Pingdom monitors and
reports on the uptime performance of leading websites supporting a vast majority of the
world’s online business initiatives, including Yahoo! and Google.
According to Pingdom, “If you are a business with an online presence, it is important that
your website and other online services are available 24/7, all year round. However, all
websites have occasional problems, whether the reason is external or internal, and there
is a significant risk that you are unaware of these problems. Poor online availability can
become costly both in terms of lost goodwill and lost business opportunities. The Internet
is more and more becoming the main point of contact, and if you are not there to be seen,
you become invisible.”
4. 4 Risk Never Sleeps
In June 2007, the popular social networking site Facebook experienced a period of
extended downtime which it blamed on power issues at one of its data centers. The
incident ignited the blogosphere, which quickly criticized Facebook for losing its
snappiness and reliability and being unable to satisfy the heavy technical demands of
personalized services – an issue which had plagued Facebook’s predecessor, Friendster.4
In today’s highly connected world, it’s virtually impossible to keep even the briefest period
of downtime a secret. Evidence of this can be seen in uptime monitoring companies
like Pingdom, whose sole reason for being is to monitor and report publicly on the
performance of leading websites supporting customers’ online initiatives (see sidebar
previous page). In April 2007, Pingdom publicly released year-to-date downtime records
for leading websites: Yahoo! came out on top (with zero minutes of downtime), with
Google falling into second place with seven minutes of downtime. However, YouTube.com
and Blogger.com – both owned by Google – were called out for experiencing well over
four hours of downtime each.5
Today’s IT executives bear heavy responsibility for avoiding these risks. Fortunately,
advanced information availability approaches are helping IT executives meet this challenge
head on and deliver uninterrupted access to information, which serves to mitigate risk,
protect the bottom line and enhance competitive position. Following are examples of the
shift from the old, traditional way, to new data recovery and availability methods.
The traditional focus on “always being ready” is evolving to “always being on.”
An “always being ready” approach emphasizes an organization’s ability to recover from
a disaster once it has happened or is imminent. In this scenario, the process of getting
a business back up and running can take hours or even days – resulting in potentially
significant revenue losses.
Conversely, an “always being on” approach helps ensure that organizations have access
to data, when and where they need it, depending on the level of criticality as defined by
users. For example, truly mission-critical applications would continue processing during
an event and resulting data would be captured, thus protecting revenue streams. This can
be achieved through application or disk mirroring, or by moving to a managed services
model, whereby lifeblood corporate applications and data are operated and housed
securely by a third-party specialist at a remote data center location.
The traditional practice of relying soley on tapes for back-up has evolved to
supplementing tapes with e-vaulting and/or storage and server replication.
Disasters can damage tapes, or prevent tapes from getting to their desired locations in
a timely fashion altogether. Sole reliance on tapes that may not be properly stored or
transported can also increase vulnerability to tape loss or theft.
By supplementing tapes with e-vaulting (electronic back-up to a remote location, such as a
disk array at an off-site data center managed by a third party), businesses can help ensure
continuous automated back-up to a secure site – for their most critical and sensitive data –
driving a higher level of data availability, security and continuity.
Real-time storage replication (copying or mirroring data from a source to a target) and
server replication (implementing fail-over database servers to pick up processing loads
should an interruption occur) allow organizations to reduce recovery time objectives
5. Risk Never Sleeps 5
(RTOs) to a few hours or even a few minutes, and minimize data loss and application recovery time.
These techniques are finding favor as quick, reliable solutions for organizations that need to keep
information up-to-the-minute. They are also important for databases, email and file servers, where
extended downtime may represent an unacceptable business risk.
The traditional focus on driving greater data center resiliency has expanded to include partners
and customers.
Rapidly proliferating collaborative networks require businesses to be able to communicate outside
their four walls to maintain 24/7 access to customers and partners. Businesses are deploying
network recovery solutions to achieve “always on” connectivity for their network, website and IP
connections, through global, protocol-independent, resilient networks designed to meet needs for
fast and reliable recovery.
However, new risks such as that of an avian flu pandemic could potentially take down or disrupt the
public Internet altogether, as more employees work from home and networks become overloaded.
Today’s IT executives are collaborating with third-party experts to architect plans to ensure that
their most critical employees maintain network access – even if it means limited access for other
employees, temporarily.
However, the more things change, the more certain elements must stay the same.
The industry has gone through significant leaps and bounds to reduce business continuity-related
risks. The new information availability approaches described above have had a positive impact, but
an Achilles heel of many organizations is the tendency to focus on the latest and greatest technology
without paying due attention to the equally critical components of people, processes and planning.
In fact, as technology grows more complex and advanced, there’s an even greater likelihood that
organizations won’t pay enough attention to these elements because they erroneously think that
technology has the job covered.
As many are all too painfully aware, IT disruptions are an unpredictable element of risk and reinforce
the notion of “zero risk” as a fallacy. However, this does not mean that organizations are completely
at the mercy of these risks. Organizations need a strong focus on three core elements – people,
processes and planning – coupled with decisive leadership, in addition to technology. This is a
“back to basics” approach to information availability which further fortifies an organization against
unplanned risks coming in the form of disasters or other unexpected events. For example:
PEOPLE ARE THE HEARTBEAT OF THE ORGANIZATION:
No matter how advanced an organization’s technology may be, it’s the employees who are at the
core of a company, because they are the ones to recover the environment and resume business
processes at the time of a disruption. To illustrate this point, an organization that has 100 percent
of its data fully replicated and running at a hot site will remain paralyzed if it doesn’t have the right
people there who are trained and equipped to take the reins and bring the organization back onto
its feet.
Companies need to ensure the right people are available to execute business recovery processes,
based on preplanned guidance and scenarios. They must also plan for the possibility that lower level
staff may have to make critical decisions due to a lack of executive team availability. This requires
an understanding of who represents the organization’s “brain trust” during the normal course of
business, and establishing a “back-up chain of command.” Those representing the brain trust must
then prepare their respective “back-ups” in the chain to make decisions in their absence.
6. 6 Risk Never Sleeps
A focus on people also requires an organization to comprehensively consider and document a wide
range of processes and issues including:
• What is the chain of command? That is, who decides what, and when?
• Where are the people going if the building is unavailable?
• Who’s going, and who determines who is making the trip?
Should a potentially
• How are they going to get there?
disruptive event of any kind
• How long are they going to stay there?
occur, the fact that many
• If this is a long-term scenario, what about their families? employees would not be
aware of an overall business
Processes and documentation: When a disaster strikes continuity plan – or their
there are three major steps to begin the process of managing
roles within such a plan – is
the incident:
alarming, to say the least.
1. mobilizing a central command center;
2. activating a business recovery plan; and
3. identifying exactly how long the organization will operate in a recovery state, and planning
accordingly.
Following closely behind the imperative of managing people is the need for organizations to carefully
document their processes, both in terms of how to recover and how to operate. Organizations also
need to practice and refine processes using a variety of scenarios.
For example, if a central command center becomes unavailable due to a natural disaster, where
is the default command center? What applications and systems should be brought online first, and
in what order? Does this answer vary based on the nature of the business disruption? What level of
damage to an organization’s primary site warrants a complete move to a new site? At what point are
conditions considered safe or stable enough for employees to report back to the primary site, and
what is the proper process for communicating this throughout the organization?
Planning, communicating and practicing the information availability plan: Once processes are
established and documented, the next critical step is to effectively communicate these processes to
employees and thoroughly practice the actual execution of the process parameters, or the business
continuity plan.
Communications is one area where many organizations are falling very short.
According to a recent IDG Research6 survey, almost half (44 percent) of respondents indicated their
organizations never communicate an overall business continuity plan to employees. Fifty-nine percent
go on to state their organizations do not articulate their organization’s business continuity plan to key
external stakeholders.
Should a potentially disruptive event of any kind occur, the fact that many employees would not be
aware of an overall business continuity plan – or their roles within such a plan – is alarming, to say the
least.
These responses also seem at odds with heightened expectations for greater corporate transparency
and communications on the part of all critical stakeholders, extending beyond employees to partners,
customers and shareholders. Stakeholders should expect a comprehensive picture of how their
organizations would respond to a business disruption, as a means of holistically understanding their
7. Risk Never Sleeps 7
own risk and adopting precautionary, self-protective measures when needed. Here, again, the need for
leadership becomes apparent. A commitment to business resiliency that is continually communicated
at the highest levels of an organization reinforces a perception that the organization is in good hands
and “knows what it is doing.”
Finally, the importance of testing and conducting disaster recovery dry-runs cannot be over-
estimated. IDG Research also uncovered an alarming percentage of respondents whose companies
do not test their plans often enough for them to be most effective during a disruption. A total of 80%
indicated they test their disaster recovery plans annually or less often.7
In the past, annual testing may have been sufficient to accommodate changes in business processes;
however, today, organizations are facing ever-increasing, nearly constant (and sometimes daily)
changes to mission-critical processes and systems, from staff updates to alterations in hardware and
software. As a result, business continuity plans become outdated much more quickly than in the past.
An organization that tests its plans once a year – or less often – may be able to recover, but the road
to recovery is apt to be longer and riddled with speed bumps that can take their toll on business
resumption and corporate reputation.
DATA PRIVACY AND SECURITY
In the quest for greater efficiency, businesses worldwide have looked to increase data accessibility via
back-up tapes, computers, networks, the Internet and wireless devices. But unless properly managed,
increased accessibility can also mean greater vulnerability to risk in the form of mishandled or stolen
data, or unplanned downtime as a result of malicious network activity. Vulnerability to these risks
increases every time a new system, user or device is added to the network.
In spite of this challenge, it remains the fundamental responsibility of businesses to secure customer
and corporate information to minimize this potential risk. Criminal activity involving the information
technology infrastructure is a rapidly growing concern for the global community. The FBI now ranks
cybercrime as its third priority behind terrorism and espionage. McAfee CEO David DeWalt recently
noted that cybercrime – which has become a $105 billion business – now surpasses the value of the
illegal drug trade worldwide.8
Since the advent of the Internet, there have been dozens of widely publicized security breaches
and incidents that have heightened the risk of lost customer confidence and trust for the
companies involved. For example:
• In January 2007, TJX Corporation, a Framingham, Massachusetts-based retailer which owns brands
such as TJ Maxx, Marshall’s and Bob’s Stores, reported that unknown intruders had accessed its
payments systems and account data belonging to an unknown number of customers in multiple
countries. At the time, TJX said it believed the intrusion took place in May 2006, even though it
didn’t discover the breach until mid-December 2006. A few weeks later, the company revealed the
intrusion actually took place in July 2005. Casting further doubt and uncertainty, TJX had originally
reported that data from 45.6 million payment cards had been exposed, but in October 2007, reports
showed that the actual number may have been as high as 94 million.9
Since January 2007, the TJX breach has prompted several lawsuits and investigations by the Federal
Trade Commission and the attorneys general of several states as well as numerous class action
lawsuits. It has also spurred a hefty dose of negative attention from consumer advocacy groups. Not
only do the after-effects of the incident continue to linger, but they continue to impose heavy costs
– both from a financial and customer confidence perspective.
8. 8 Risk Never Sleeps
• In February 2007, Johns Hopkins – a Maryland-based organization comprising Johns Hopkins
University and Johns Hopkins Hospital – disclosed that it had lost personal data on roughly 52,000
employees and 83,000 patients in a tape mishap. More specifically, nine tapes containing sensitive
information, which were dispatched to a contractor for back-up, were never returned to Johns
Hopkins. Both the contractor and Johns Hopkins investigated the incident and reportedly
determined that the tapes never reached the facility. “It is highly likely that the tapes were
mistakenly left by a courier company hired by the contractor at another stop,” noted a statement
on the Johns Hopkins website.
While the tapes were thought to have been incinerated, Johns Hopkins was forced to notify all
employees – current and former – as well as all patients, and undertake an exhaustive review of
processes and procedures. The Johns Hopkins example illustrates the danger and high costs of
human error often associated with transporting and storing back-up tapes.
• In September 2007, online brokerage TD Ameritrade Holding Corp. (Ameritrade) announced that
a hacker broke into one of its databases and stole personally identifying information for some of its
6.3 million customers. An online advisory and letters to account holders disclosed that names,
email addresses, phone numbers and home addresses were taken in the data breach. While
clients’ financial assets were never touched, affected customers did experience a highly annoying
and inconvenient increase in spam, resulting in a public apology from Ameritrade’s management.
AVAILABILITY AND SECURITY: DICHOTOMOUS ENDS?
Therein lies the fundamental challenge for today’s organizations – how to guarantee
information availability combined with privacy and security. Companies are now minimizing
information privacy and security risks through comprehensive security programs comprising
professional information security consulting services and managed security services. This approach
provides ideal protection against a treacherous and dynamic threat environment.
Where security is concerned, consultants need to do more than provide standard recommendations
and uniform best practices for technology applications. Rather, they need to take into account each
organization’s unique data security priorities and most vulnerable points of weakness in order to
design and implement tailored, effective solutions.
This professional consulting services approach follows four main steps:
• Prioritization of systems and applications – Understanding that many organizations have limited
resources, professional services consultants should conduct a comprehensive audit with the
organization to segregate and prioritize which systems need to be most available and secure. For
instance, a business may deem its credit card transaction processing systems as the most critical
and align resources accordingly, while a procurement system for non-critical supplies – pens and
paper, for example – can afford a bit more leniency. Classifying data this way offers cost savings
allowing important (but not mission-critical) data to live on lower-cost storage options.
• Enterprise risk assessment – Once systems and applications are prioritized, a consultant conducts
a comprehensive enterprise risk assessment focused on the applications and systems that need to
be most secure, as well as common threats to overall data security. For a typical enterprise, these
threats may include hacking, fraud or identity theft, denial-of-service attacks, malware or spyware.
The consultant must demonstrate an understanding of the unique characteristics of the broadest
possible range of threats, in order to gauge threat-by-threat risk levels and formulate an accurate
overall risk assessment. The practice of measuring against ISO 17799 – the industry data security
standard – helps establish a performance benchmark.
9. Risk Never Sleeps 9
• Information availability assessment – Professional consultants must also understand and
convey how this overall risk assessment affects information availability, and the resulting
implications that must factor into business decisions. For example, if risk is considered
sizeable, resource allocations that otherwise would have gone toward a more strategic
investment – for instance, opening new locations and/or expanding into new markets – may
have to be set aside in order to cover the potential cost of the organization being down or
not operating properly for a certain period of time. Simultaneously, this assessment will
influence technology decisions (e.g., implementing server replication as a means of reducing
the risk of data loss in the event of a disruption).
• Ongoing testing – Consultants should put a program in place to simulate aggressive network
attacks as a gauge of real resistance levels. Aggressive testing should not be considered a
one-time event, but rather, an ongoing, regular procedure that addresses and adapts to the
constantly evolving security landscape.
Looking beyond professional services, a managed security services approach provides
ongoing, reliable protection against a wide variety of threats. Other key benefits include
the ability to offload relatively mundane tasks such as access management, freeing up IT
staff to focus on more strategic, revenue-generating and/or customer-focused initiatives.
In addition, from the perspective of ongoing cost and continuity of delivery, there are
tremendous benefits from leveraging dedicated third-party experts equipped with the
industry’s most current tools and technologies in the following areas:
• Firewall and VPN services – Known as the first layer of protection, managed firewall services
provide round-the-clock protection against intrusions, while managed services configure a
VPN to provide remote users with reliable access to the systems and data they need.
• Intrusion detection and prevention – By extending firewall capabilities, this service
leverages intelligent sensors to check traffic for malicious activities coming from internal or
external sources. When the service detects suspicious events – ranging from protocol
violations and suspect traffic patterns to repeated login failures – it immediately alerts
network administrators. If configured in its prevention mode, the service can also block the
events before they affect systems or networks.
• Vulnerability protection – Using an advanced scanning technology, this service automatically
scans for network security weaknesses on firewalls, Web, FTP and DNS servers, routers and
other systems. The service also examines networks on a regular basis to locate potential weak
points and suggest strategies to fix them.
• Identity and access management – Identity and access management services help
organizations configure and manage user access and authorization.
• New portal offerings – These provide a first-hand view – at any point in time – into the
real-time performance of managed services.
As a final note, combining consulting and managed services drives maximum impact through
greater collaboration and knowledge-sharing. For example, consultants may work with an
organization to define policy procedures – such as optimal password complexity and duration
for a particular application – based on the value of the inherent information. Managed services
can then tailor and deliver identity and access management services in a manner supporting
the defined policies.
10. 10 Risk Never Sleeps
INFORMATION LIFECYCLE MANAGEMENT
Information lifecycle management (ILM) is a comprehensive
approach to managing the flow of an information system’s
EXPLOSIVE GROWTH IN
data and associated metadata, from creation and initial
ELECTRONIC MESSAGING
storage to the time when it becomes obsolete and is deleted.
ILM has become increasingly important as businesses
The Radicati Group, a
face compliance issues in the wake of legislation like
market research firm
Sarbanes-Oxley, which dictates how organizations must deal
with particular types of data. specializing in messaging,
recently reported that the
Sarbanes-Oxley is not a set of business practices and does number of active email
not specify how a business should store records; rather, it
mailboxes worldwide will
defines which records are to be stored and for how long. For
this reason, the legislation not only affects the financial side jump from 1.4 billion in
of corporations, but also the IT department whose job it is to 2006 to 2.5 billion in 2010.
store a corporation’s electronic records and documents.
The number of worldwide
For example, Sarbanes-Oxley states that all business records, instant messaging accounts
including electronic records and electronic messages, must will increase from 944
be saved for “not less than five years.” million to 1.4 billion in the
same time period, while the
This is no easy task, given that email use (see sidebar) average daily email storage
and corresponding storage requirements are growing at a needs of a corporate email
rampant pace across the business world. Gartner estimates user will increase from
that the worldwide e-mail active-archiving market was $376 16.4 megabytes to 21.4
million in new software license revenue and maintenance megabytes.
services in 2007, an increase of 33.7% over 2006. The market
is expected to grow to $1.7 billion by 2012.12 However, it is the
newer breed of email
Newer legislation like e-Discovery, enacted in 2006, places
technologies, like wireless
further strain on IT departments in that instant messages – an
increasingly popular form of business communications – must email, that pose the
be archived in the same comprehensive manner as email biggest challenge: the
(see sidebar). In its Third Annual Litigation Trends Survey number of wireless email
presented in 2006, the law firm Fulbright & Jaworski LLP users is expected to
found 80 percent of respondents reporting that they were not increase from 14 million
prepared or only somewhat prepared for e-discovery.
in 2006 to 228 million in
The survey also revealed that the average company with more 2010. The reason for this
than $1 billion in annual revenue is currently facing more than may be that the majority
500 discrete lawsuits where that company must produce email of people have email and
messages. The cost to retrieve and review the messages can
instant messaging accounts
be as much as $2 per message and can total more than $30
already, while there is still
million in annual legal expenditures.13
plenty of room for more
Regardless, failure to comply with ILM requirements put wireless email users, since
forth by Sarbanes-Oxley and e-Discovery can be costly – this is still a fairly new
resulting in heavy fines, sanctions or even prison sentences.
activity for most people.10
IT departments therefore face tremendous pressure to create
and maintain a corporate records archive in a cost-effective
fashion that satisfies the requirements put forth by legislation.
11. Risk Never Sleeps 11
In doing so, IT departments must also ensure that
data is saved in a manner that does not slow or
impede data recovery efforts and/or access to
E-DISCOVERY
the most critical corporate data in the event of a
business disruption.
In 2006, the U.S. Supreme Court made
Today, many organizations are looking to managed several amendments to the Federal
email archiving solutions to deliver highly reliable Rules of Civil Procedure calling for the
email retention, availability and management rapid and efficient rendering of data
designed to address specific regulatory, business evidence in electronic form.
and technical needs. The services provide a secure
and reliable way to capture, transmit, archive, store Today, these requirements are
and retrieve emails while helping meet compliance known as electronic discovery, or
requirements. The services also help organizations
“e-discovery.” According to the terms
to optimize server performance and reduce email
message volume substantially. Lastly, by delivering of e-discovery, parties in a lawsuit can
policy-based email retention and e-discovery with now demand from each other word
full end-user access and outage protection in a processing documents, emails, voice
highly cost-effective manner, the services help mail and instant messages, blogs,
free up IT resources to manage core business backup tapes and database files.
competencies.
This was the first time that emails and
WHAT YOU CAN DO TO KEEP PACE WITH RISK – instant message chats were designated
THREE KEY IT AREAS TO FORTIFY as likely records that needed to
Let’s face it, risk may never be eliminated entirely, be archived in accordance with a
but there are three key IT areas that if better company’s records retention policy
fortified – information availability, data privacy and and produced when relevant. The
security, and information lifecycle management rapid adoption of instant messaging
– can help you in your quest to avoid operational as a business communications medium
risk.
during the period 2005-2007 has made
1. Information Availability instant messaging as ubiquitous in
Risk management and business continuity the workplace as email, and created
go hand-in-hand. Keeping pace with risk the need for companies to address
means keeping pace with new paradigms for archiving and retrieval of instant
information availability:
messaging chats to the same extent
• “Always being ready” won’t cut it – you must they do for email.11
work to be “always on.”
Today, organizations that fail to meet
• For true back-up, add storage and server
e-discovery requirements may find
replication to your basic tape solution.
themselves subject to serious sanctions
• Don’t forget the people, processes and IT and fines, to the tune of millions of
systems in your planning.
dollars. Or, they may find themselves
having to pay staggering fees for the
2.Data Privacy and Security
legal manpower needed to sift through
Faster networks, handheld devices, remote
thousands of paper-based documents.
working arrangements – these add to our
productivity and efficiency, but also infuse
opportunities for risk in the enterprise.
12. 12 Risk Never Sleeps
When it comes to security, every company is different. To avoid risk, you must consider your
unique data security priorities and points of weakness.
Make sure to follow these four steps:
a) Prioritize your systems and applications
b) Conduct an enterprise risk assessment
c) Go through an information availability assessment
d) Test, test and test again!
3.Information Lifecycle Management
Information lifecycle management has become increasingly important as businesses face
compliance issues in the wake of legislation like Sarbanes-Oxley.
ILM can be overwhelming, and presents one of the greatest opportunities for risk. Handing
even one aspect to a partner – such as managed email archiving – can help in your efforts to
address specific regulatory, business and technical needs.
CONCLUSION
Taking a holistic approach to business continuity, information privacy and security and ILM,
with the goal of mitigating operational risk, is no small task. Yet, organizations that are better
able to accurately assess and manage operational risk are apt to achieve strategic competitive
advantage in their respective marketplaces, combined with stronger public perception.
Often, organizations benefit from expert, third-party assistance. When seeking a partner,
organizations should consider firms that offer extensive experience in the three separate areas:
information availability, data privacy and security and ILM. It is also helpful to engage a partner
that has demonstrated skill in identifying, adopting and deriving best practices from industry
rules and regulations.
Working with a partner such as SunGard Availability Services provides a comprehensive
enterprise perspective: the peace of mind that comes from working with a trusted partner and
third-party objectivity in developing best practices that address multiple regulatory concerns.
SunGard can help develop an overarching and enterprise-wide approach to risk mitigation and
incident planning as they relate to corporate governance. SunGard offers a complete array
of services to help organizations assess risks; integrate their business continuity, information
privacy and security and ILM plans; and continually test and improve consolidated plans and
implement them with an eye toward improved risk management, regulatory compliance and
controlling costs.
SunGard’s team of experts help eliminate identified concerns through targeted risk mitigation
services, which address such issues as policies and procedures, architecture, internal controls,
monitoring and measuring and awareness.
In short, SunGard helps clients elevate their thinking and plans and drive improved operational
and business performance as a positive outcome of risk and regulation.
13. Risk Never Sleeps 13
AUTHORS
This white paper is based on the collective experience of SunGard Availability Services and was written by:
Jim Grogan, MS, CISM, Vice President, Consulting Product Development
REFERENCES
1. Glass Lewis referenced in “Sarbox Controversial, But Seen Doing the Job.” Investor’s Business
Daily. 17 August 2007.
2. Financial Executives International, referenced in “Sarbox Controversial, But Seen Doing the Job.”
Investor’s Business Daily. 17 August 2007.
3. PricewaterhouseCoopers. “Making Smarter Risk Decisions.” October 2007.
4. Nick Denton quoted in “Downtime: Facebook Crashes.” Valleywag: Silicon Valley’s Tech Gossip
Rag. 25 May 2007.
5. Royal: The Official Blog of Pingdom. “Downtime in 2007 for the 20 Most Popular Websites.”
2 April 2007.
6. IDG Research. “Business Continuity: How to Raise the Bar 2007.” 17 July 2007.
7. IDG Research. “Business Continuity: How to Raise the Bar 2007.” 17 July 2007.
8. David DeWalt, McAfee, Inc., quoted in “Cyberthreats Outpace Security Measures.”
InformationWeek. 18 September 2007.
9. Jaikumar Vijayan. “Scope of TJX Data Breach Doubles: 94M Cards Now Said to be Affected.”
Computerworld. 24 October 2007.
10. The Radicati Group, referenced in “Fun Facts About Email.” GigaOM. 12 June 2006.
11. Wikipedia. “Electronic Discovery.” 4 October 2007.
12. “Magic Quadrant for E-Mail Active Archiving.” 20 May 2008.
13. Fulbright & Jaworski LLP. “The Third Annual Litigation Trends Survey Findings.” December 2006.