Best IT Documents.com Blog


Sample PC and LAN Support Services Agreement

Posted in Business (600),Networking (340) by Guest on the February 28th, 2010

This is just a template; always seek proper legal advice when doing consulting.

Consultant:  
Client:                       
Contract Date:

PC and LAN Support Services Agreement (the “Agreement”), made as of this xxx day of Month, 2009 (the “Effective Date”) between client (“Client”), and xxxxxxxx, (“Consultant”). (Client and Consultant are hereinafter collectively referred to as the “parties”).

Now, Therefore, Client and Consultant agree as follows:

1. The Work.  The “Work” hereunder will consist of the following services: General LAN Support including, but not limited to: Printer sharing, File sharing, Outside Connectivity (i.e. modems) at Client’s offices at the location above. 


2. Project Liaisons.  Each party’s primary contact for development efforts shall be the project liaisons specified below or the person otherwise designated in writing by Client or Consultant, as the case may be.  The Work will be requested and directed by ————– of Client. 


3. PRICING AND TERMINATION.

3.1.Pricing.  Client will pay for the Work on a time and materials basis as follows:

i)   Monthly Maintenance – One Hour
ii)  Additional hours as requested and approved by ————.
iii) Rates billed at $150.00 per hour. 
iv) Bills will be submitted every week, net 15 days. 


3.2. Late Payment.  If Client fails to pay any fees when due, late charges of the greater of one and one half percent (1.5%) per month or the maximum allowable under applicable law shall also become payable by Client to Consultant.  In addition, failure of Client to fully pay any fees within five (5) days after the applicable due date shall be deemed a material breach of this Agreement, justifying suspension of the performance of the Services by Consultant, and will be sufficient cause for immediate termination of this Agreement by Consultant.  Any such suspension does not relieve Client from paying past due fees plus interest, and in the event of collection enforcement, Client shall be liable for any costs associated with such collection, including, but not limited to, legal costs, attorneys’ fees, court costs, and collection agency fees.

3.3. Termination.  Either party may terminate this Agreement (a) upon thirty (30) days notice, (b) immediately if a bankruptcy proceeding is instituted against the other party which is acquiesced in and not dismissed within twenty (20) days, or results in an adjudication of bankruptcy, or (c) the other party materially breaches any of its obligations under this Agreement, and such breach is not cured within five (5) days of receipt of notice specifying the breach, except that the cure period for failures of payment obligations shall be one (1) day. 

4.  ADDITIONAL TERMS.

4.1.Taxes. Client shall pay or reimburse Consultant for all sales, use, transfer, privilege, excise, and all other taxes and all duties, whether international, national, state or local, however designated, which are levied or imposed by reason of the performance by Consultant under this Agreement; excluding, however, income taxes on profits which may be levied against Consultant. Client shall be the seller of all products, if any, purchased through the Web Site and will be responsible for any taxes associated with its income from the sale of products through the Web Site.

4.2.Disclaimer Of Warranties.  Consultant Expressly Disclaims All Warranties Or Conditions Of Any Kind, Express Or Implied, Including Without Limitation The Implied Warranties Of Title, Non‑Infringement, Merchantability And Fitness For A Particular Purpose.

4.3.Independent Contractors.  Consultant and Client agree that they will be independent contractors. Neither party will be an agent, representative, employee or partner of the other party.  Neither party shall have any right, power or authority to enter into any agreement for or on behalf of, or incur any obligation or liability of, or to otherwise bind, the other party provided that nothing in this subsection shall be construed to limit the ability of Consultant to secure contractual commitments from third parties to buy or license advertising. This Agreement shall not be interpreted or construed to create an association, joint venture or partnership between the parties or to impose any partnership obligation or liability upon either party.

4.4.Governing Law.  This Agreement shall be governed by and construed in accordance with the laws of the State of Colorado applicable to contracts entered into and wholly to be performed in the State of Colorado. Each Party irrevocably consents to the exclusive jurisdiction of the courts of the State of Colorado and the federal court situated in the State of Colorado, in connection with any action to enforce the provisions of this Agreement, to recover damages or other relief for breach or default under this Agreement, or otherwise arising under or by reason of this Agreement.

4.5.Confidentiality.  This Agreement and price information is confidential and proprietary, and is not to be disclosed to others.

4.6.Limitation of Liability.  Under no circumstances shall Consultant be liable for loss, cost, expense, or damage in an amount exceeding the fees actually paid to Consultant under this Agreement.  Consultant shall not be liable for indirect, incidental, punitive, exemplary, special, or consequential damages of any kind whatsoever resulting from this Agreement. The parties have caused this Agreement to be executed and delivered by their duly authorized representatives as of the dates set forth below.

4.7.Entire Agreement.  This Agreement sets forth the entire understanding and agreement of the parties and supersedes any and all oral or written agreements or understandings between the parties as to the subject matter of this Agreement.  It may be changed only by a writing signed by both parties.  Neither party is relying upon any warranties, representations, assurances or inducements not expressly set forth herein.

4.8.Counterparts.  This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same document.

In Witness Whereof, the parties hereto have executed this Agreement as of the date first above written.

By: __________________________          By: __________________________

Name: ________________________          Name: ________________________

Date: ________________________          Date: _________________________

http://www.bestitdocuments.com/IT_Security_Methodology_solutions.html



Personal Computer / LAN Security Guidelines

Posted in Business (600),Compliances (1300),Networking (340),Security (1500) by Guest on the February 28th, 2010

Incorporate the following tips into your daily routine to ensure that any PC or LAN you use is secure:

· Lock your PC with a power-on password

· Lock your PC with a keyboard password when away from your desk

· Back up your work regularly

· Store and lock diskettes in a desk or cabinet

· Don’t write on diskettes

· Don’t use magnets around diskettes

· Don’t use commercial software or shareware at an Acme site without a proper license

· Check all files / downloads from electronic bulletin boards for viruses

· Report all computer virus infections

· Log off network servers before turning off your PC

· Do not include passwords in LAN logon scripts


User security / password guidelines

· Do use passwords of at least six (6) characters, using both letters and numbers whenever possible

· Do use high-quality, randomly constructed passwords

· Do change your password every 90 days

· Do report to management any known or suspected attempts by others to use your userid or password

· Do follow normal log-off procedures prior to leaving a terminal unattended

· Don’t use obvious or easily guessed passwords (your name, names of family members, car model, hobby, favorite sports team, and the current month are poor passwords and should not be used)

· Don’t post userids or passwords

· Don’t post telephone numbers used to access Acme computers

· Don’t share your userid with others under any circumstances

· Don’t leave a terminal unattended during a session with an Acme computer system

· Don’t perform sensitive / confidential work while being observed by unauthorized personnel


Computer Replacement Considerations

Posted in O S (375) by Guest on the February 28th, 2010

Options

1. Reseller / distributor agreement—subscribers afforded vendor commitment of “best effort” to expedite sale of hardware if it is available at time of disaster

2. Pre-arranged rental agreement—subscribers assured that hardware will be readily available for expedited shipment and can be used/rented for the recovery period

3. Dedicated storage / shipment agreement—subscribers guaranteed hardware stored exclusively for their use, to be shipped immediately to an alternate site in the event of a disaster 

Why Buy?

Most companies depend on client server computer technology to perform mission-critical tasks. However, most client/server hardware vendors operate under a just-in-time inventory system, which can make emergency acquisition a lengthy, cumbersome process. Having pre-arranged agreements in place with vendors who will quick-ship hardware allows mission-critical computing environments to be more quickly and efficiently restored.

Vendors to Choose From

Related listings in this Master Source: computer equipment leasing, emergency delivery, networking computer equipment, peripherals


What to Look For

1. Provider whose core business involves managing an inventory of computer hardware for expedited “next day” delivery

2. Dedicated inventory of hardware for subscribers

3. Agreement allowing you to randomly audit availability of pre-selected hardware

4. Provider who can pre-load application software and custom-configure hardware to meet your company’s particular needs

5. Receptiveness to and agreement allowing for multiple levels of preparedness testing

6. A vendor-supplied mobile recovery team to assist with hardware installation and teardown

7. Responsiveness, expertise, and efficiency of provider’s staff

8. 24-hour technical support 

Cost Considerations

A detailed cost analysis will often reveal hidden expenses. When adding up costs, consider the following:

1. Monthly subscription fee

2. Disaster declaration fee

3. Usage fee

4. Testing costs

5. Shipping costs

6. Contract term 

Be Prepared
In order to bid for your business, vendors will want to know:

1. Minimum acceptable hardware requirements, including processor type, processor speed, memory, hard-disk storage, network interface card, peripherals, etc.

2. Network connectivity devices required, such as hubs, routers, bridges, etc.

3. Standard application software image that must be pre-loaded on workstations

4. Time demands: How quickly do you need equipment to arrive, be operational?

5. Anticipated recovery time-frame 

Key Questions To Ask Potential Vendors

1. Can you pre-load my application software?

2. Can you custom-configure hardware to accommodate my particular requirements?

3. How do you handle simultaneous disaster declarations from multiple subscribers?

4. What are disaster declaration procedures?

5. If I declare a disaster, what are the usage fees?

6. Do you subcontract the quick-ship service?

7. Must equipment being shipped internationally clear customs?

8. Can I conduct an unscheduled audit of the facility where my hardware will come from in order to ensure that the inventory is available and being managed appropriately?

9. Can I conduct preparedness tests with all or a portion of the hardware for which I have contracted?

10. References available?

Key Questions To Ask Vendor References

1. How similar to my own are your company’s systems and disaster recovery needs?

2. Has this vendor actually shipped you hardware for tests or disaster declarations? Results?

3. Any experiences with damaged, malfunctioning, or missing equipment upon delivery?

4. Hardware unavailable?

5. Is service prompt, consistent?

6. Have costs exceeded original estimates?

7. Have you conducted preparedness testing?

a. What is the vendor’s attitude toward it?

8. Vendor strengths, weaknesses?

9. How long have you contracted with this provider?

10. Why was this vendor chosen?

a. Others considered?

11. What did the selection process entail?


Buyer Beware

1. Make sure usage fees are reasonable. Determine whether, in the event that you declare a disaster, usage fees for short-term recovery either meet or exceed equipment replacement costs.

2. When discussing testing with vendors, ensure your ability to test not only the hardware but also the provider’s capacity to respond in the time frames specified in the agreement.

3. If subcontractors are typically employed for quick-ship service, review their contractual commitments to the provider and investigate their service capabilities.

What Next?

1. After pre-qualifying all vendor candidates, request a presentation at your facility.

2. Request written replies to follow-up questions not answered during vendor presentations.

3. Visit actual site(s) of vendor finalists, involving your disaster recovery or security specialist to conduct site surveys.


Creating Customer Service

Posted in Business (600),Compliances (1300) by Guest on the February 28th, 2010

Everyone seems to agree customer service is critical, but few practice what they preach.  The industry needs more than fancy rhetoric and catchy slogans to keep customers happy. What is needed is adequate service staffing, training, and supervision to make sure every effort is made to keep your customers satisfied.  If you fail to take care of your most precious asset – your customers – they will most certainly take care of you, by taking their business elsewhere.  It is absolutely critical for Call Centers and Help Desks to maintain their customer focus.  The more you can do to satisfy your customers’ needs, the more personally, professionally, and economically satisfying the relationships will be. It is therefore important to offer agents training in how to provide good customer service and to fine-tune existing skills to improve upon their level of accomplishment in this area.  Such training should be in the areas of coaching, communications, customer care, education, and process improvement.

The attributes needed to create a customer service include communication, responsiveness, empathy, accuracy, trust, education, solution-oriented, encouragement, respect, value-added, information, consistency, and excellence. 

Creating Customer Service

There’s a lot of talk these days about customer service being the key to gaining and retaining business.  But with the massive corporate downsizing and a technological explosion going on, one can’t help but wonder if there’s been more talk than action on customer TLC. 

Guaranteeing Good Customer Service

Everyone seems to agree customer service is critical, but few practice what they preach.  The industry needs more than fancy rhetoric and catchy slogans to keep customers happy. What is needed is adequate service staffing, training, and supervision to make sure every effort is made to keep your customers satisfied.  If you fail to take care of your most precious asset – your customers – they will most certainly take care of you, by taking their business elsewhere.


Over the past several years, many industries have allowed customer service to take a back seat to expense control and cost cutting. It is absolutely critical for Call Centers and Help Desks to maintain their customer focus.  The more you can do to satisfy your customers’ needs, the more personally, professionally, and economically satisfying the relationships will be.


Fine Tuning Skills

Customer service is a constant challenge for any organization and a Call Center or Help Desk is no exception.  It is interesting to realize that if a customer has a bad experience with an agent, the entire organization is blamed. It is therefore important to offer agents training in how to provide good customer service and to fine tune existing skills to improve upon their level of accomplishment in this area. 

Such training should be in the areas of coaching, communications, customer care, education, and process improvement.  Having constant training in these core competencies will go a long way to improving customer service. 

Customer Service Elements

The key to long-term success in customer service is to create a mind-set of customer service.  To have the right mind-set, the Call Center must internalize the practices and attributes described in this paper.  Once these are internalized, the center can then identify obstacles to true customer service, and make the necessary changes.

A little-known article was published anonymously in the December 2006 issue of Bank Marketing magazine.  In it, the author presented what he feels are the best elements needed to create the optimum customer service mind-set.  These attributes are as follows:

· Communication.  Management and employees should have opportunities to listen and discuss factors that affect service, to arrive at solutions, and to understand the implications of changes necessary to influence solutions.

· Responsiveness.  Be responsive to internal customers, and to those within the organization for whom you are a customer. 

· Empathy.  Show empathy to customers’ problems, whether or not they are related to your particular Call Center.

· Accuracy.  While people want to do the right things right, recognize that new tasks require new critical thinking skills.  Employees need the skills and coaching support to make accurate decisions.

· Trust.  When employees are told to be more caring and responsive, and then watch as large numbers of co-workers are summarily dismissed as redundant, they see a corporation that is not caring and responsive.  The result is distrust.  Trust, not distrust, is required for customer service changes to occur.

· Education.  Employers can tap into today’s well-educated and smart work force and help employees learn from each other.  Call Centers should be “learning organizations.”

· Solution-Oriented.  This is the fulcrum.  Give your employees a solution process.  Service is helping a person solve something.  If we have a process that resolves something, we have provided a service.

· Encouragement.  People need encouragement to continue to strive for right decisions and right actions.

· Respect.  Respect for and by employees and management is necessary for service to be delivered and accepted.

· Value-Added.  Tasks that don’t provide value shouldn’t be done.

· Information.  Instantly available information facilitates service.

· Consistency.  Call Centers must be consistent in treatment of employees, in rules, and in expectations for working with customers.

· Excellence.  Employees should be challenged to be excellent performers, not punished for falling short. 

Once a Call Center understands and makes a commitment to each of these thirteen elements, it can answer the question of whether the organizational culture supports each one.  By identifying and correcting any barriers, all employees can begin delivering top-notch customer service.

http://www.bestitdocuments.com/IT_Security_Methodology_solutions.html



How fast is a Cable Modem

Posted in Networking (340) by Guest on the February 28th, 2010

There is no single answer to that one, depends who you ask… You connect your computer (Mac or PC) to the CABLE / DSL modem via your standard 10Base-T Ethernet connection. So, how fast does it really go?

Well, I’ve seen it go over 650Kbytes / sec. Web pages are usually 20 – 40 kb / sec. I’ll just list different results, which can vary based on several factors.


TRANSFER RATE FOR A 10 MBYTE FILE

Modem speed/type             Transfer time
9.6 kb/s telephone modem     2.3 hours
14.4 kb/s telephone modem    1.5 hours
28.8 kb/s telephone modem    46 minutes
56 kb/s telephone modem      24 minutes
128 kb/s ISDN modem          10 minutes
1.54 Mb/s T-1 connection     52 seconds
2 Mb/s cable modem           46 seconds
4 Mb/s cable modem           20 seconds
10 Mb/s cable modem          8 seconds

Results vary based on hardware, software and configuration.


Keeping Operating Systems and Applications up to date

Posted in O S (375) by Guest on the February 28th, 2010

Develop and maintain a list of sources of information about security problems and software updates for your system and application software.

The most common sources of current information include Web sites of vendors and computer- and network-security organizations. Lists and Web sites appear, disappear, and change frequently. You need to ensure that the sources you consult are up-to-date.

Establish a procedure for monitoring those information sources.

In the case of mailing lists, you usually receive announcements about security problems and software updates soon after they are available. Web sites vary considerably in the timeliness of their announcements, so you need to decide how often to look for information there. Some of the news-oriented Web sites are updated one or more times a day, so daily monitoring is recommended.

Evaluate updates for applicability to your systems.

Not all updates are applicable to the configuration of the computers and networks in your organization and to your organization’s security requirements.

Evaluate all the updates to determine their applicability, and weigh the cost of deploying an update against the benefits. Keep in mind that failure to install a vendor patch may result in a known vulnerability being present in your operational configuration.

Plan the installation of applicable updates.

The installation of an update can itself cause security problems:

· During the update process, the computer may temporarily be placed in a more vulnerable state.

· If the update is scheduled inappropriately, it might make a computer or information resources unavailable when needed.

· If an update must be performed on a large number of computers, there can be a period of time when some computers on the network are using different and potentially incompatible versions of software, which might cause information loss or corruption.

· The update may introduce new vulnerabilities.

Updates can also cause a number of problems in other installed software. You may want to consider running a previously developed regression test suite to compare current performance with past performance. Another approach is to install the update in an isolated test environment and run a series of user trials before releasing the update on your operational systems. 

Software packages are available that show you the differences in the system as a result of installing the update. We recommend that you use one of these to fully understand and analyze the effects of the update on your systems.
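One way to get that before-and-after view of a system without a commercial package, as an added example that is not from the page or any particular product: a small Python snapshot-and-diff script that records the mode, size and SHA-256 of every regular file under a tree before and after an update, then reports what was added, removed or changed, separating a permission-only change from a content change. The helper names and the constructed throwaway tree in `demo()` are assumptions; it assumes a POSIX filesystem.

```python
"""Snapshot a directory tree before and after an update, then diff the two.

Added example, not the page's own tool. Hypothetical helper names; the sample
"update" in demo() is constructed in a temporary directory so it runs offline.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (path relative to root) to
    (permission bits, size, sha256 hex digest). Symlinks and special files
    are skipped so a dangling link cannot abort the walk."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[str(p.relative_to(root))] = (stat.S_IMODE(st.st_mode), st.st_size, digest)
    return snap


def diff_snapshots(before, after):
    """Compare two snapshots. 'changed' lists (path, reason) where reason is
    'content' when the hash differs and 'mode' when only permissions differ;
    a mode-only change (e.g. a file made world-writable or setuid) is exactly
    the kind of side effect an update review should not miss."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = []
    for p in sorted(set(before) & set(after)):
        if before[p] != after[p]:
            reason = "content" if before[p][2] != after[p][2] else "mode"
            changed.append((p, reason))
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: build a tiny tree, snapshot it, apply a fake
    'update' (new binary, rewritten config, removed legacy file, new helper,
    permission change on an untouched file) and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"v1 binary")
        (root / "bin" / "tool").write_bytes(b"tool")
        os.chmod(root / "bin" / "tool", 0o644)
        (root / "etc" / "app.conf").write_text("debug=off\n")
        (root / "etc" / "old.conf").write_text("legacy\n")
        before = snapshot(root)

        # the simulated update
        (root / "bin" / "app").write_bytes(b"v2 binary!!")
        os.chmod(root / "bin" / "tool", 0o755)      # content unchanged, mode changed
        (root / "etc" / "app.conf").write_text("debug=on\n")
        (root / "etc" / "old.conf").unlink()
        (root / "bin" / "helper").write_bytes(b"new helper")
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "removed", "changed"):
        print(kind + ":")
        for entry in result[kind]:
            print("   ", entry)
```

On a real system you would run `snapshot()` on the relevant trees (or the whole filesystem) before the update, persist the result, and diff against a second snapshot afterwards; the mode-only category is worth reviewing as carefully as content changes.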

In addition, you should always back up your system prior to applying any updates.

Any method of updating that depends on an administrator physically visiting each computer is labor intensive but will work for networks with a small number of computers. You will need to employ automated tools to roll out updates to a large number of computers. Some of these tools are provided by vendors for their specific products. You may need to develop tools that are tailored to your environment if vendor tools are insufficient.

Given the number and diversity of operating systems and applications, the update process can become unmanageable if it is not supported by appropriate levels of automation. This may result in updates not being performed, which in turn places your systems at risk by allowing intruders to take advantage of known vulnerabilities.

When using automated tools to roll out updates, the affected computers and the network are likely to be vulnerable to attack during the update process.

To lessen this vulnerability, you should use only an isolated network segment when propagating the updates or consider using secure connectivity tools such as SSH.

http://bestitdocuments.com/Services.html



PC Preventive Maintenance Suggestions

Posted in O S (375),Sample - IT Spreadsheets - PowerPoints (251) by Guest on the February 28th, 2010

Here’s a checklist of 27 things you can do to keep your users happy and online.

1) E-mail your computer users. Let your clients know in advance what will be happening on the preventive maintenance visit. Users get attached to their systems, and seeing something change can be upsetting to them. In the e-mail, ask them if anything strange is going on with their system or if they have any questions for you. Often a user may be hesitant to let you know something is wrong, thinking it’s no big deal or afraid of having a finger pointed at them for being the problem. One of the most common complaints you’ll receive is that the computer is getting slower. More often than not, the user is becoming a power user, becoming more familiar with the software they are using. This may be a good time to upgrade the computer to realize productivity gains from the user.

2) Empty the Recycle Bin. Some users need to be reminded to periodically empty the Recycle Bin.

3) Delete .tmp files. Before running ScanDisk and Defragmenter, delete all *.tmp files that have been created prior to the current day. It will surprise most people to learn how much hard drive space has been used by .tmp files.

4) Delete files that begin with a tilde. When cleaning the system of garbage files, readers might also like to check for any files beginning with a tilde (~). Make sure that all your application programs, such as word-processing, spreadsheet, and graphics programs, are closed first since sometimes the temporary file you are currently viewing uses a tilde. If the application programs are closed, the tilde files can be deleted. Some users find they have a lot of these on their systems!

5) Delete old .zip files. Users tend to unzip the files but then leave the zipped file on their computer.

6) Delete .chk files, and switch the swap file. For those with permanent swap files, it’s sometimes a good idea to set the swap file back to temporary and then permanent again. This cleans out any garbage (and therefore any possible corruption).

7) Run ScanDisk and defrag the drive as needed. If your Windows XP, Vista and Windows 7 users aren’t running these utilities themselves, it doesn’t hurt to check the disk and make sure the number of disk errors and the percentage of fragmentation are within acceptable limits.

8) Check browser history and cache files. Check that the user history files and Internet cache settings are set properly (cache size). Delete the cache files and history files then reset the history files to no more than three days unless the user specifically needs to store that information longer. By freeing up the cache, downloads from the Web actually speed up since there is more space available to store the temporary files.

9) Clean out Windows temporary Internet files. If the browser is Microsoft’s Internet Explorer, clean out the Temporary Internet Files folder.

10) Confirm that backups are being done. Do you have a network solution for automatically backing up user files to a server? If not—and if you’re relying on end users to back up their own files—ask users when their last backups were done. Make sure they’re rotating their disks. Drag their My Documents folder onto a server drive for them. Remind them to verify the backups by trying to restore a sample file or folder.

11) Update drivers as needed. Make sure you’ve installed the latest drivers for printers, modems, sound cards, video cards, and other devices.

12) Check the operating system and applications. Update your OS and applications with the latest service packs or updates. Save your company some money; don’t try to support multiple versions of the same application.

13) Check the connections. Users love to move their equipment around. Make sure all the plugs are snug in their connections. And make sure your users are using surge protectors and not a string of extension cords to power their machines. While the computer is open, re-seat all connections including expansion cards, CPU, memory, data cables and power connections. You’d be surprised how often an expansion card isn’t seated all the way, especially AGP video cards and PCI cards.

14) Take inventory. Update your master inventory of computer assets. Verify serial numbers, CPU speed, hard drive space, memory, etc.

15) Make sure the hardware works. Many computers haven’t seen a floppy or CD inserted in years as most upgrades and new installations are done from the server. Clean or replace floppy disk and CD drives as needed.

16) Clean the screens. Do your users a favor and bring the appropriate screen-cleaning cloth or solution with you on the preventive maintenance visit.

17) Change passwords. Unless you can enforce a “change your password every X days” policy via your network software, use the preventive maintenance visit to remind your users to change their system passwords.

18) Check the printers. Print a test page on your users’ printers. Make sure the printers are producing clean copies, and that the toner cartridges aren’t about to run out.

19) Update the anti-virus software. Make sure your users know how to update their anti-virus software. While you’re there, update it for them.

20) Reboot the system. In some shops, the workstations are left on all the time. While you’re there, reboot the system to force a memory reset and to make sure the machine will boot when you’re not there in person.

21) Bring that can of air! It’s still a good idea to blow the dust and debris out of keyboards every now and then. And make sure there isn’t dust accumulating on the back of the machine or wherever the air fan is located. It’s amazing how much dust can collect in a computer over time. Blowing out the inside of the computer has a couple of pitfalls that must be addressed. First, since the pressure is much higher with canned air, don’t direct the air at an unsecured fan. Try using a pencil eraser to keep the fan from turning while you clean out the power supply and CPU. Blow out the power supply from the inside out first, or you’ll get tons of dust blown into the computer. Take each computer to a place that doesn’t mind the dust, outdoors preferably.

22) Clean the keyboard. With the power off, tip or turn the keyboard upside down and carefully use the palm of your hand to strike the keyboard several times. You’ll be surprised how much junk will fall out.

23) Clean the CD-ROM drive. Clean the laser. Many programs are installed corrupted from a dirty CD reader.

24) Clean the mouse. It never hurts to make sure the mouse is free of dust and grime.

25) Check the power sources. Make sure systems are plugged into protected outlets or power strips, if not uninterruptible power supplies.

26) Check the fan. Remember to check that the CPU’s cooling fan is working and that the airflow isn’t impeded by dust.

27) Check the network hardware. It is also necessary to check and reboot hubs, routers, switches, and print servers from time to time. They contain memory that needs to be flushed and have connections that can work loose. Most networks have a server reboot schedule but forget about the other, just as vital, network kit.

http://www.bestitdocuments.com/Services.html

 


Project Management Methodology Summary

Posted in Projects (400),Sample - IT Spreadsheets - PowerPoints (251) by Guest on the February 28th, 2010

The “Program Office” is a project management methodology that provides a process for managing projects. As organizations continue to grow, so does the need for new projects that will provide new and exciting services to the end user. The Project Management Methodology will assist project team leads and team members in balancing project work with their day-to-day duties by providing the tools and procedures required to maintain visibility of the status of tasks and issues.

As you read this document you will realize that the methodology defined is simply an organized breakdown of the project steps you probably already execute. By formalizing this process, we are trying to give project team members the ability to make project work more efficient and effective in the fast-paced environment you work in. This tool will allow Project Leads to track tasks and dates, evaluate resource allocation, and proactively see the project impact if dates are changed or resources are not available.

 

Definitions

Roles and responsibilities:

  • Senior level managers:

o   Senior level managers are responsible for determining the approval and priority of the project within the company

  • Business Sponsor:

o   Senior level manager who champions the project. This person typically has the business need for this project.

  • Stakeholder:

o   Any cross-functional department members who may be impacted by this project.

  • Manager:

o   Responsible for assisting the team with critical decisions such as:

§  What are the rules for participating on the team

§  Who should be on the team, and how does this membership impact their existing workload

  • Project Lead:

o   Responsible for tracking the project’s progress. This includes:

§  Establishing and tracking delivery dates using MPS

§  Logistics

§  Reporting progress and issues to management

§  Coordinating meetings

  • Team Members:

o   Coordinate the effort within their core area of the credit union. Team includes:

§  Project Lead

§  System User Tester

§  Trainer

§  Documenter

§  Business team member(s)

Other terms and definitions:

  • Specification: 

o   Specifications detail ‘how’ something will be done.

  • Issue:

o   An issue pertains to clarifying a questionable or incomplete item or task.

  • Defect:

o   A problem known to be incorrect.

  • Enhancement:

o   An additional feature or improvement.

  • POM:

o   Program Office Methodology

  • Microsoft Project (MPS):

o   A Microsoft tool used to track tasks and dates associated with projects

 

Ongoing Tasks from start to end of a Project

This list encompasses tasks that need to be conducted on an ongoing basis for the duration of the project.

  • Tracking of issues and action items.

o   These can be tracked in an Excel spreadsheet and updated on a regular basis (at least once a week)

  • Regularly scheduled team project status reports.

o   These status meetings should be held as determined by the Project Leader and include:

§   Review and status of outstanding issues

§   Review of project plan tasks dates/schedule

 

Deliverables from the meeting to include:

  • Action items from meeting with resource assignment and due date
  • Minutes of the meeting distributed to all team members within 24 hrs after the meeting (if appropriate)
  • Risk assessment if necessary
  • Any changes to the project schedule and the impact it may have

1.      Project Approval Phase: (Approval to move forward with a project):

  • Project concept is discussed with senior management by business sponsor for approval to pursue

o   Business sponsor provides business case, ROI, as requested

  • If project is approved, the following must occur prior to resources being assigned:

o   Sr. Management team to assign priority of this project within the existing project list

o   A budget for the project needs to be assigned:

§   Staff hours

§   Contractor time

§   Capital expense

  • Assign Project Lead and team members
  • Once the above tasks have been completed, the assigned project teams should move forward on the project, following the Program Office Methodology defined in this document
  • The originator of the project is to send an email to the distribution list containing cross-functional team/department members in order to communicate the new project information. The admin team will maintain a ‘master’ project list containing projects and their priorities

Deliverables from Phase 1: (To be stored in a shared folder)

  • Brief description of the project
  • Project Objectives
  • High level scope document
  • Benefits, target delivery date, budget estimates
  • Email regarding new project information
  • Update to the ‘master’ project list
  • Initial Issues to be documented and assigned for resolution
  • Decision from the Project Lead regarding moving to the next step

 

2.       Requirements Phase (What specifically are we going to do?)

  • Invite all members of the operations team to attend requirements meeting in order to determine if they will be impacted
  • Drill down into the details documented in the high level scope from Phase 1 in order to provide a road map for the project team
  • Obtain stakeholder input as well as their ongoing review of the requirements
  • Document requirements and communicate availability
  • Conduct a walkthrough meeting with project team, stakeholders and Business Sponsor if appropriate
  • Communicate final requirements to above mentioned team members
  • Once requirements are approved, create a project plan (using MPS) to include resource assignments, task duration, and start date
  • Document Issues, assign for resolution, and track outstanding issues for updates
  • Analyze resource requirements and determine staff availability
  • Update requirements as necessary and re-distribute

Deliverables from Phase 2: (To be stored in a shared folder)

  • Requirements document
  • Initial draft of Project Plan
  • Updated Issues document

3.      Specifications Phase (How are we going to do it?)

  • Document both a Technical and a Functional specifications document detailing how you are going to execute and implement what is required to support the defined requirements
  • Conduct a walkthrough meeting with project team, stakeholders, and Business Sponsor if appropriate
  • Communicate final specifications to above mentioned team members
  • Make any necessary adjustments to the project plan
  • Document Issues, assign for resolution, and track outstanding issues for updates
  • Update specifications as necessary and re-distribute

Deliverables for Phase 3:  (To be stored in a shared folder)

  • Specification document
  • Final Project Plan
  • Updated Issues document

4.      Execution Phase (Do what we said we would do.)

  • Conduct walkthrough with team members to review project plan tasks and dates.
  • Execute tasks per Project Plan
  • Document Issues, assign for resolution, and track outstanding issues for updates
  • Conduct regular project status meetings (frequency to be defined by Team Lead) and distribute minutes and status to team members and business sponsor
  • Update project plan as necessary
  • Escalate to manager and business sponsor (if appropriate), any changes in schedule and associated impacts
  • Project updates to be communicated as appropriate

Deliverables for Phase 4: (To be stored in a shared folder)

  • Updated Issues document
  • Status reports
  • Meeting minutes as necessary
  • Up to date project plan

 

5.      System User Testing Phase (Did we do it right?)

  • System User Testing team members should be involved at Requirements Phase, in order to write test scripts that validate the requirements have been met, and all is working properly
  • Write test scripts
  • Conduct walkthrough of test scripts, if appropriate, with project team
  • Coordinate set up test environment, including test data
  • Execute test scripts
  • Enter and track project defects and enhancements
  • Report test results to team and business sponsor in order to make ‘go live’ (Or not) decision
  • Document Issues, assign for resolution, and track outstanding issues for updates

Deliverables for Phase 5: (To be stored in a shared folder)

  • Test Scripts
  • Usable test environment
  • List of remaining known issues

 

6.      Training Phase (Train Users)

  • Team members should be involved at Requirements Phase, in order to write accurate training documentation
  • Determine content of training
  • Write training documentation as required
  • Conduct walkthrough with team members (as appropriate) to ensure all information is accurate, up to date, and easily understood by users.
  • Schedule training classes
  • Coordinate set up of training environment including data
  • Conduct training as scheduled

Deliverables for Phase 6: (To be stored in a shared folder)

  • Training documents
  • Training schedule
  • Usable training environment

 

7.      Documentation Phase (Document what we did and how to use it)

  • Assigned team member should be involved at Requirements Phase, in order to write accurate documentation
  • Write documentation as required
  • Conduct walkthrough with team members to ensure all information is accurate, up to date, and easily understood by users
  • Communicate documentation as requested

Deliverables for Phase 7: (To be stored in a shared folder)

  • Document as required

 

8.      Implementation Phase (Use in production)

  • Decision made to ‘Go Live’ based on successful completion of all appropriate phases
  • Any necessary prep work conducted
  • Project work moved/used in production environment
  • Environment monitored to ensure all is working properly
  • Project complete

 

Deliverables for Phase 8: (To be stored in a shared folder)

  • Completed project plan

 

9.      Post Project Debrief (How did we do?)

  • Project lead to conduct follow up meeting with team members to review and document the following:

o   What did we do right?

o   What could we have done better?

o   What do we put in place to ensure we don’t repeat any mistakes?

o   Determine and award appropriate recognition

 

Deliverables from Phase 9: (To be stored in a shared folder)

  • Document containing the above


System Configuration Guidelines and Considerations

Posted in Business (600),Compliances (1300),O S (375) by Guest on the February 28th, 2010

Hardware inventory: complete evaluation of all existing hardware

o   Configuration
o   Date purchased
o   Depreciated value
o   Replacement cost
o   Appropriateness of work

Report by hardware item

o   Present Cost
o   Life expectancy
o   New cost
o   Depreciated value
o   Repair costs
o   Planned replacement date

Software inventory

o   Type of usage (are the right people using the right software)
o   Legal licenses (where are they and what are they)
o   System level software

Database inventory

o   Types of databases
o   Approximate sizes
o   Who uses what
o   Locations

Backup procedures

o   Are backups done regularly?
o   If so, with what frequency?
o   What is backed up?
o   Have any restores been done to test them?
o   Are they kept off site?
o   Are they adequate?

Security overview

o   Anti-virus usage
o   Dial-up access
o   Web-based access
o   User access levels

Network mapping

o   Map out all system and wiring interconnections
o   Speed of the elements
o   Physical locations

Usage analysis

o   Programs used
o   By whom
o   Volume / frequency


What is a DoS Attack

Posted in Compliances (1300),Security (1500) by Guest on the February 28th, 2010

A specific, directed attempt by individuals to cripple or deny access to technology resources. Most DoS attacks are directed at Internet online services.

Techniques: 

  • Resource Exhaustion Attacks
    • Flood the victim (server) with packets
  • Bandwidth Consumption Attacks
    • Overload packet processing capacity
    • Saturate network bandwidth 

Result of the attack 

  • Network starvation
  • Network connectivity
  • Bandwidth consumption
  • Consumption of limited system resources
    • CPU starvation
    • Memory starvation
    • Processing time
    • Disk space
    • Lockout of an account
    • Alteration of configuration information 

Flood Attacks

A flood attack overwhelms a target’s Web site, CPU, memory, or other network resources by sending large numbers of spurious requests. Most network devices (including routers and NICs) are limited by their packet processing rate, so an attacker will generally send small packets as quickly as possible to overload the network. These attacks cause legitimate packets to be dropped as routers struggle to keep up with the combination of bogus and legitimate packets. What makes them more difficult to resolve or prevent is that attack traffic generally appears no different from legitimate user traffic.

The popular types of attacks include:

SYN Flood Attack: Consists of a stream of connection requests aimed at the target server. A relatively small flood of bogus packets on many systems will tie up memory, CPU, and applications, resulting in shutting down a server. It is one of the most common and powerful of flooding attacks. A single host launching a small SYN flood at its maximum rate can overload a remote host and cause significant damage. These effects are compounded when attackers mount more powerful distributed attacks that leverage the resources of multiple hosts.

ICMP Flood Attack: Overwhelms the network with a stream of ICMP packets. This results in hanging the server and/or exhausting bandwidth, causing the denial of further connections. 

Some Types of Denial of Service Attacks

Logic or Software Attacks
Logic attacks exploit existing software flaws in order to cause remote servers to crash or degrade in performance. Implementing a firewall and keeping operating system software current will address and resolve most of these.

Among the most popular software attacks are:

Syn-Attack: This sophisticated method of attack is characterized by an attacker flooding a particular server or server farm with Syn packets. Syn packets are the first packet sent during the setup of a TCP session. By sending only a Syn packet, and no subsequent packets to complete or end the session, the attacker leaves an orphan (half-open) session on the server. By sending enough Syn packets, an attacker can disable a server by consuming all of its available connections, thus preventing real users from gaining access to the server. This type of attack is somewhat difficult to detect because each session that is opened looks just like a regular user to the server.

Ping of Death
These attacks utilize over-sized, invalid ping (ICMP) packets that can overwhelm the physical memory of a web server. This type of attack is aimed at specific operating systems with TCP stacks that cannot handle this type of traffic.

Smurf
This method of attack utilizes ping (ICMP) as well, but differs from the Ping of Death method in its use of many normal pings from many physical sources. A large number of ICMP echo (ping) requests are sent to an IP broadcast address with the spoofed source address of the intended victim. The router for the destination network forwards the traffic to that broadcast address, whereupon most hosts on that network reply directly to the spoofed address, which is the address of the site being attacked. All the hosts on the amplifying networks answer the target with ICMP echo replies, flooding it with legitimate-looking ping responses that occupy the server’s resources. This rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users.


The Land Denial of Service attack works by sending a spoofed packet with the SYN flag – used in a “handshake” between a client and a host – set from a host to any port that is open and listening. If the packet is programmed to have the same destination and source IP address, when it is sent to a machine, via IP spoofing, the transmission can fool the machine into thinking it is sending itself a message, which, depending on the operating system, will crash the machine. 

Teardrop is a program that sends IP fragments to a machine connected to the Internet or a network. Teardrop exploits an overlapping IP fragment bug present in Windows 95, Windows NT and Windows 3.1 machines. The bug causes the TCP/IP fragmentation re-assembly code to improperly handle overlapping IP fragments. This attack has not been shown to cause any significant damage to systems, and a simple reboot is the preferred remedy. It should be noted, though, that while this attack is considered to be non-destructive, it could cause problems if there is unsaved data in open applications at the time that the machine is attacked. The primary problem with this is a loss of data.

Fraggle or UDP Flood Attack: These are variants of the Smurf attack, and send UDP packets to broadcast addresses. These packets are spoofed with the target as the source of these packets. All the hosts on these networks reply to the victim with ICMP “unable to reach” messages. This rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users. An important point to note is that these are just a few of the most popular methods of attacks, and that many of today’s server operating systems already defend against many of the most common Denial of Service attacks like Ping of Death and Syn-Attacks. 
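The spoofed- and malformed-packet attacks described above (Land, Ping of Death, Smurf and Fraggle) each leave a recognisable mark in the packet header, which is what a filter or sensor keys on. The following added Python example, which is not part of the original post, classifies a constructed set of packet records against those marks; the Packet fields, the documentation address ranges and the local network are assumptions.

```python
# Added example (not from the original post): classify constructed packet
# records against the header-level DoS signatures described above.
# A real sensor would feed this decoded packets; here they are hand-built.
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

MAX_IP_DATAGRAM = 65535        # largest legal IPv4 datagram, header included
ICMP_ECHO_REQUEST = 8          # ICMP type of a ping request


@dataclass
class Packet:
    src: str                   # source IP address
    dst: str                   # destination IP address
    proto: str                 # "TCP", "UDP" or "ICMP"
    length: int = 64           # reassembled datagram length in bytes
    tcp_flags: str = ""        # e.g. "S" for SYN, "SA" for SYN/ACK
    icmp_type: Optional[int] = None


def is_land(p: Packet) -> bool:
    """Land: a TCP SYN whose source address equals its destination address."""
    syn_only = "S" in p.tcp_flags and "A" not in p.tcp_flags
    return p.proto == "TCP" and syn_only and p.src == p.dst


def is_ping_of_death(p: Packet) -> bool:
    """Ping of Death: an ICMP datagram that reassembles beyond the IPv4 maximum."""
    return p.proto == "ICMP" and p.length > MAX_IP_DATAGRAM


def to_directed_broadcast(p: Packet, local_nets) -> bool:
    """True when the destination is the broadcast address of one of our networks."""
    dst = ipaddress.ip_address(p.dst)
    return any(dst == net.broadcast_address for net in local_nets)


def classify(p: Packet, local_nets) -> Optional[str]:
    """Return the matching signature name, or None for an ordinary packet."""
    if is_land(p):
        return "land"
    if is_ping_of_death(p):
        return "ping-of-death"
    if to_directed_broadcast(p, local_nets):
        # Amplifier traffic: the (spoofed) source is the real victim that will
        # receive every host's reply.
        if p.proto == "ICMP" and p.icmp_type == ICMP_ECHO_REQUEST:
            return "smurf"
        if p.proto == "UDP":
            return "fraggle"
    return None


def scan(packets: List[Packet], local_nets) -> Dict[str, int]:
    """Count hits per signature; these counts are what a defender would alert on."""
    counts: Dict[str, int] = {}
    for p in packets:
        label = classify(p, local_nets)
        if label is not None:
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample traffic using RFC 5737 documentation ranges, not captured data.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE = [
    Packet("192.0.2.10", "192.0.2.10", "TCP", tcp_flags="S"),                 # land
    Packet("198.51.100.7", "192.0.2.20", "ICMP", length=65550, icmp_type=8),  # ping of death
    Packet("203.0.113.5", "192.0.2.255", "ICMP", icmp_type=8),                # smurf, victim 203.0.113.5
    Packet("203.0.113.5", "192.0.2.255", "UDP"),                              # fraggle, same victim
    Packet("198.51.100.9", "192.0.2.30", "TCP", tcp_flags="S"),               # ordinary SYN
    Packet("198.51.100.9", "192.0.2.30", "ICMP", icmp_type=8),                # ordinary ping
]

if __name__ == "__main__":
    print(scan(SAMPLE, LOCAL_NETS))   # {'land': 1, 'ping-of-death': 1, 'smurf': 1, 'fraggle': 1}
```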

D. O. S. Policy Enforcement Point

Recommended Enforcement Point =
Common Enforcement Point =

Attack Type                      | Firewalls | Routers | DDOS Product | OSI Layer
---------------------------------+-----------+---------+--------------+----------
IP Options for Anomalies         |           |         |              | 3
TCP Sequence                     |           |         |              | 4
Validating IP Fragments          |           |         |              | 3
Ping O’Death attacks             |           |         |              | 3
Land Attacks                     |           |         |              | 4
Broadcast Attacks                |           |         |              | 3
ICMP Backwash Attacks            |           |         |              | 2
Syn Floods                       |           |         |              | 2
Connection Floods                |           |         |              | 2
Page Floods                      |           |         |              | 7
ICMP Floods                      |           |         |              | 2
TCP Floods                       |           |         |              | 3
UDP Floods                       |           |         |              | 3
IP Floods                        |           |         |              | 3
Outbound Bandwidth Floods        |           |         |              | ALL
Inbound Bandwidth Floods         |           |         |              | ALL
The worst offending IP addresses |           |         |              | 3
Inbound Port Filtering           |           |         |              |

Chargen: Attempts to hang the server causing it to send packets to itself and become occupied with processing those packets. This results in hanging the server. 

Type of DOS Remediation 

Syn-Attack Protection
This feature monitors each new connection made to a server within a load balanced server farm. Because Internet Traffic Management devices front-end a company’s web server farm, they are aware of all new and existing user sessions being load balanced to the servers. When the Internet Traffic Management device receives a request for a new session from a user, it is load balanced to the most available server, using a number of definable criteria. If the session is not completed within 5 seconds (meaning that only the Syn packet was received) and no subsequent packets to complete the session are received, the Web Server Director closes the session on the physical server and removes the entry from its own client (session) table. This approach to D.O.S. attack protection not only protects the Web Server Director but, more importantly, protects a company’s web servers as well, thus maintaining the site’s usability and availability.
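A minimal model of the half-open session table just described, as an added Python example that is not part of the original post and not the vendor’s code: a SYN records a pending session, the client’s handshake ACK marks it established, and a reaper closes anything still half-open after the 5-second window given in the text. Event timings, addresses and the event format are constructed for the demonstration.

```python
# Added example (not from the original post): half-open session table with the
# 5-second completion window described above. Times are plain floats so the
# trace replays offline.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HALF_OPEN_TIMEOUT = 5.0            # seconds, the figure given in the text
ClientKey = Tuple[str, int]        # (client IP, client source port)


@dataclass
class Session:
    client: ClientKey
    server: str                    # real server the request was load balanced to
    opened_at: float
    established: bool = False


class SessionTable:
    """Tracks sessions the front-end has forwarded to the server farm."""

    def __init__(self, timeout: float = HALF_OPEN_TIMEOUT) -> None:
        self.timeout = timeout
        self.sessions: Dict[ClientKey, Session] = {}
        self.closed: List[Session] = []    # half-open sessions torn down so far

    def on_syn(self, client: ClientKey, server: str, now: float) -> None:
        """New connection request forwarded to `server`: record it as half-open."""
        self.sessions[client] = Session(client, server, now)

    def on_ack(self, client: ClientKey) -> None:
        """The client completed the handshake, so the session is genuine."""
        session = self.sessions.get(client)
        if session is not None:
            session.established = True

    def reap(self, now: float) -> List[Session]:
        """Close every session still half-open after the timeout and return them.
        In the product described, each returned entry would be closed on the
        physical server and dropped from the front-end's own client table."""
        stale = [s for s in self.sessions.values()
                 if not s.established and now - s.opened_at >= self.timeout]
        for s in stale:
            del self.sessions[s.client]
        self.closed.extend(stale)
        return stale

    def half_open_count(self) -> int:
        return sum(1 for s in self.sessions.values() if not s.established)


def replay(events, timeout: float = HALF_OPEN_TIMEOUT) -> SessionTable:
    """Drive a table with (time, kind, client, server) tuples; kind is SYN, ACK or TICK."""
    table = SessionTable(timeout)
    for now, kind, client, server in events:
        if kind == "SYN":
            table.on_syn(client, server, now)
        elif kind == "ACK":
            table.on_ack(client)
        elif kind == "TICK":           # periodic reaper run
            table.reap(now)
    return table


# Constructed trace: three spoofed SYNs that never complete, one real client.
SAMPLE_EVENTS = [
    (0.0, "SYN", ("203.0.113.1", 40001), "10.0.0.11"),
    (0.1, "SYN", ("203.0.113.2", 40002), "10.0.0.12"),
    (0.2, "SYN", ("203.0.113.3", 40003), "10.0.0.11"),
    (1.0, "SYN", ("198.51.100.9", 51000), "10.0.0.12"),
    (1.2, "ACK", ("198.51.100.9", 51000), None),
    (3.0, "TICK", None, None),         # too early: nothing has aged 5 s yet
    (6.0, "TICK", None, None),         # the three spoofed sessions are closed here
]

if __name__ == "__main__":
    t = replay(SAMPLE_EVENTS)
    print(len(t.closed), "half-open sessions closed;", len(t.sessions), "kept")  # 3 closed; 1 kept
```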

Facility for Access Control and Security (FACS)
Packet filtering is used to control the flow of specific types of traffic to and from servers. Rules can be created to control access based on user-defined criteria such as packet type (TCP, UDP, ICMP, etc.) and specific user-defined ports. Access can also be controlled by source and destination address as well as by application port. This can be extremely important when trying to prevent ICMP-based attacks such as Ping of Death and Smurf.

By utilizing this feature, the Web Server Director will simply drop any traffic meeting the administrator’s predefined criteria as well as report such incidents via SNMP or Syslog traps. 

Global Fail-Over and Load Balancing
This technique allows for protection against attacks that render a company’s Internet link useless by consuming the link’s bandwidth. This involves the deployment of multiple, globally redundant, load balanced sites. If a hacker is attempting to flood a site with bogus requests, Internet Traffic Management load balancing techniques within the DS (Distributed Sites) or NP (Network Proximity) can ensure uptime for legitimate users by directing them to the most available site. This can be achieved with several redirection methods, giving users access to sites based on real-time site load as well as true proximity to the actual site.

Multi-Homing
Another popular method aside from deploying multiple, geographically different sites, is to add an additional Internet connection through an alternate Internet provider. Internet Traffic Management allows for the seamless operation of outbound and inbound traffic through both links. If one link were to succumb to an attack, the Internet Traffic Management can intelligently direct all traffic, inbound and outbound, through the unaffected link allowing for the continuous flow of traffic and site availability. 

Links:

DDoS.ppt

DDoS2.ppt

 


Anatomy of a hack

Posted in Compliances (1300),Security (1500) by Guest on the February 28th, 2010

1. Acquire target

2. Footprint the system

3. Gain entry to system

4. Escalate privileges

5. Exploit system resources

6. Leave backdoor for later

7. Clean up, get out, cover tracks

 

Risk management

· It’s not a matter of if a computer security breach will happen, it’s a matter of when, and how prepared will you be…

· Risk = (Cost of Asset) x (Vulnerability) x (Threat)

· Managing risk is like having the right amount of insurance

 

Types of Threats

· Interruption

An asset of the system is destroyed or becomes unavailable or unusable

o Attack on availability

o Destruction of hardware

o Cutting of a communication line

o Disabling the file management system

· Interception

An unauthorized party gains access to an asset

o Attack on confidentiality

o Wiretapping to capture data in a network

o Illicit copying of files or programs

· Modification

An unauthorized party not only gains access but tampers with an asset

o Attack on integrity

o Changing values in a data file

o Altering a program so that it performs differently

o Modifying the content of messages being transmitted in a network

· Fabrication

An unauthorized party inserts counterfeit objects into the system

o Attack on authenticity

o Insertion of spurious messages in a network

o Addition of records to a file

Links:

Penetration Testing.ppt


Isn’t Traditional Anti-Virus Protection Enough

Posted in eMail (66) by Guest on the February 28th, 2010

If your desktops and file servers are protected with quality anti-virus software, why bother applying an additional tier of protection at your Notes or Exchange servers, and at your Internet SMTP mail server? Isn’t traditional anti-virus protection enough?

In the vast majority of cases, the answer to this question is a resounding “NO”. Notes and Exchange are powerful groupware environments that enable viruses to spread more quickly and easily than ever before.  

At the same time, email to and from the Internet continues to increase corporate exposure to infection from outside sources.


Supplementing desktop and file server virus protection with native anti-virus software at the groupware and SMTP mail server clearly provides added insurance when virus outbreaks occur. It also pays dividends in several other important areas: 

1.    Fewer Calls to the Help Desk
Suppose someone in Human Resources, for example, unknowingly distributes an infected Word document to 1,000 employees. Even if each of these employees is running an anti-virus tool on the desktop, has it updated, and cleans the file successfully, the incident is likely to generate a substantial volume of calls to the help desk with related questions and concerns. Catching infected files at the Internet mail server or internal groupware server can increase the productivity of the IT staff significantly.

2.    Increased Employee Productivity
By stopping viruses at the email or groupware server whenever possible, employees can continue to do their job without unnecessary interruptions. In the above scenario, all 1,000 employees who received the infected file will lose productivity as they individually fight off the infection. If the infected message is forwarded before the virus is detected, additional users will be infected, perhaps even those outside the company.  

3.    Better Audit Trail and Alerting Capabilities
It is considerably easier for network administrators to accurately record and analyze virus incidents when they occur on a centrally monitored server than when they are widely distributed among a variety of end user desktops.


Such solutions detect and clean infected attachments once, on the mail server itself. After a successful clean, the original message is automatically forwarded to all intended recipients with a clean bill of health. Unless you choose to alert the message recipients, they will never even know that it contained a virus in the first place. Only the sender and mail administrator are notified. A problem that could have resulted in substantial help desk activity and productivity loss has been stopped before it had a chance to get started.


Useful SQL Commands

Posted in Application (380),Security (1500),Web Services (250) by Guest on the February 28th, 2010

SQL Commands

Command or feature               Description
Begin                            Statements that make up the block.
Built-in functions               Most SQL data functions are supported within PL/SQL blocks.
Code storage                     Blocks may be stored within an Oracle database as procedures, functions, packages (a group of blocks) and triggers.
Composite datatypes              Records allow groups of fields to be defined and manipulated in PL/SQL blocks.
Connect userid/password          Connect to another schema.
Connect userid/password@instname Connect to another schema on another database instance.
Cursor handling                  Cursors (a memory area holding a result set) can be explicitly defined and manipulated, allowing the processing of multiple rows. A group of PL/SQL system attributes provides the ability to test a cursor’s internal state.
Declare                          Definition of any variables or objects that are used within the declared block.
Describe tablename               Describe the structure of the named table; abbreviate to DESC.
Ed                               Start the local text editor and load the last SQL command. When you save the text file the SQL will be placed back into SQL*Plus.
End;                             End of block marker.
Exception                        All exception handlers.
Exception handling               Blocks have the ability to trap and handle local error conditions (implicit exceptions). You may also raise explicit exceptions that deal with logic and data errors.
Flow Control
Help                             Call system help (if installed).
Host command                     Run a command on the local shell (UNIX or DOS).
Load commandfilename             Load a command file but don’t run it.
Pause                            In a command file, forces the command file to halt execution until any key is pressed.
Prompt text                      Output a line of text to any user of the command file with the PROMPT in it.
Remark                           Comment line in a command file.
Save commandfilename             Save the last SQL command to the named command file.
Set                              Used to set SQL*Plus environment variables.
Spool filename                   Write all console text from this point on to the named text file.
Spool Off                        Close any open spool file, stop spooling.
SQL support                      All SQL statements are supported within PL/SQL blocks, including transaction control statements.
Start commandfilename            Load a command file and run it; also use @commandfilename.
Variables and constants          These objects are used to store and manipulate block-level data. They can be CHAR, VARCHAR2, NUMBER, DATE or BOOLEAN data types.


SQL Design Considerations

Posted in Application (380),Security (1500),Web Services (250) by Guest on the February 28th, 2010

In order to assist us in designing your database, please have your application developers and DBA review and answer the following questions.

SQL:

• Has SQL been explained/optimized?

• Have ‘bind variables’ been used? e.g. select * from my.table where name = :b1; Bind variables are not substituted until the statement has been successfully parsed, which allows the parsed SQL to be shared even though the bind variable values differ.

• Where possible, has ‘hold_cursor’ been used?

• Are explicit rather than implicit cursors being used? If not, is there a reason?

o Explicit cursors usually perform better than implicit cursors. An implicit cursor (one without the declare) usually requires 2 fetches to ensure that there are no more rows to fetch.

• If part of your processing requires deleting all rows from a table, are you using the ‘truncate’ command? This command performs much faster than the ‘delete’ command when deleting all rows.

• Have hints been used where necessary to help the optimizer choose the appropriate path?

• Are sequences used? Should they be cached?

• If using wildcard searches (e.g. XXX%) and an index is available, code with a hint, e.g. ‘select /*+ index(tab indx) */ …’, to tell Oracle to use the index.

Analyze:

• After tables are loaded, has analyze been run?

• If the tables will increase dramatically with time, should we cron an analyze job?

This puts statistics in the data dictionary and helps Oracle to choose the proper path when using the cost based optimizer.

Indexes:

• Have indexes been defined on all foreign keys?

• Have indexes been created where required?

• When using indexed columns in where clauses, are both operands of the same type? i.e. char = char or numeric = numeric. If a character type is compared to a numeric type, the character column is automatically converted to numeric. This can cause an indexed column NOT to be used.

• Has the use of functions been avoided on index columns?

• Indexes are not used if the indexed column is part of a function, e.g. ‘salary + 12’.

The same question applies to ‘NOT’ and to ‘OR’.
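Two of the checklist items above, bind variables and functions on indexed columns, shown with Python’s standard-library sqlite3 module rather than Oracle, as an added example that is not from the original post. The emp table, its index and the row values are constructed; the :b1 placeholder syntax is the page’s own. Bind variables also keep the value from ever being parsed as SQL, which is the same property that defeats SQL injection.

```python
# Added example (not from the original post): bind variables and functions on
# indexed columns, demonstrated with the standard-library sqlite3 module instead
# of Oracle. The emp table, its index and its rows are constructed for the demo.
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Small constructed table with an index on salary (the page's 'salary + 12' case)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE emp (name TEXT, salary INTEGER);
        CREATE INDEX emp_salary_idx ON emp (salary);
        INSERT INTO emp VALUES ('ALICE', 1000), ('O''BRIEN', 2000), ('CAROL', 3000);
    """)
    return con


def lookup_bound(con: sqlite3.Connection, name: str) -> List[Tuple[int]]:
    """Bind variable (:b1): the statement text is constant, so the parsed statement
    is shared across values, and the value is data, never SQL, whatever it contains."""
    return con.execute("SELECT salary FROM emp WHERE name = :b1", {"b1": name}).fetchall()


def lookup_literal(con: sqlite3.Connection, name: str) -> List[Tuple[int]]:
    """Literal substitution, kept only as the 'before' case: every distinct value is
    a new statement to parse, and a quote inside the value breaks or alters the SQL."""
    return con.execute(f"SELECT salary FROM emp WHERE name = '{name}'").fetchall()


def literal_breaks(con: sqlite3.Connection, name: str) -> bool:
    """True when the literal-substitution form fails to execute for this value."""
    try:
        lookup_literal(con, name)
        return False
    except sqlite3.Error:
        return True


def query_plan(con: sqlite3.Connection, sql: str) -> str:
    """SQLite's EXPLAIN QUERY PLAN, the counterpart of Oracle's EXPLAIN PLAN."""
    return " ".join(row[-1] for row in con.execute("EXPLAIN QUERY PLAN " + sql))


def uses_index(con: sqlite3.Connection, sql: str) -> bool:
    """A 'SEARCH ... USING INDEX' plan means the index was used; 'SCAN' is a full scan."""
    return "USING INDEX" in query_plan(con, sql)


INDEXED_WHERE = "SELECT name FROM emp WHERE salary = 2000"        # index usable
FUNCTION_WHERE = "SELECT name FROM emp WHERE salary + 12 = 2012"  # index defeated

if __name__ == "__main__":
    con = make_db()
    print(lookup_bound(con, "O'BRIEN"))       # [(2000,)]
    print(literal_breaks(con, "O'BRIEN"))     # True: the quote breaks the statement
    print(query_plan(con, INDEXED_WHERE))     # SEARCH ... USING INDEX emp_salary_idx
    print(query_plan(con, FUNCTION_WHERE))    # SCAN ... (whole table read)
```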

Distributed:

• When doing distributed calls, are you using ‘arrays’ to return multiple values over the network at one time? In addition, if doing a lot of distributed calls, have the SA look at the size of the SDU.

How to Set Array Sizes:

Oracle Call Interface: uses the OFEN parameter to specify the number of rows

SQLPLUS : Use set arraysize

SQL LOADER : Use the rows parameter

SQL FORMS : Uses array processing by default

Pro Cobol : Occurs xx times

Pro C : name[xx]

• Is the multi-threaded server (MTS) feature of Oracle being used?

• This should only be used if > 500 concurrent users are expected.

• Do you require or provide data for other database(s)?

• If so, which database(s) and in what form? Will links need to be set up?

• Are there dependencies that the DBA will need to be aware of?

• Do you require snapshots? If so, are they simple snapshots?

• The use of snapshot logs with simple queries usually performs faster.

• What version of sqlnet are you using? 

Design/Sizing:

• Have heavily inserted tables had their ‘freelists’ adjusted?

• This should be set to the number of concurrent inserts you would expect against the table.

• Have you calculated production sizes for all of the tables? In addition, have you anticipated future growth? If so, please supply documentation.

• Will a lot of sorts be needed, i.e. order bys or index creations? Can most be done in memory? If not, would your application benefit from multiple temp tablespaces?

• If there are long queries on a table with many updates, please provide as much info as possible so that the optimal parameter can be set correctly on the rollback segment to avoid the dreaded ‘snapshot too old’ message.

• What is a good timeout value for your application?

• A system parameter is required to detect when a connection is no longer valid.

• How many updates/inserts/deletes do you expect to do per hour/day?

• This information is required to size both the rollback and the redo logs correctly.

• How many users do you expect? How many concurrent? Do you want roles set up, i.e. groups of privileges assigned to a role which can then be assigned to multiple users? Is each user going to have their own unique Oracle account?

• Do you have any special data retention requirements?

o Is there a preferable time to take backups?

o The default is to take an export and backup nightly.

o These are saved for 15 days.

• Do you have any special monitoring requirements?

This would include application processes and logs that you might want monitored.

• Do you have any web server requirements?

• Do you use hash clusters or partitioning views?

• Which tables have high update activity with rows that may increase?

• These tables should have a higher pctfree value than the default.

• Which tables have either low update activity, or row sizes that do not increase? These tables can be set with 5 pctfree.

• All ‘not null’ columns must be at the beginning of a table to save row storage

• All ‘long’ columns must be at the end of a table

• Primary keys should be placed at the beginning of a table

• Is referential integrity implemented using the database rather than the application? If not, why?

• Are your business rules implemented in stored objects or within the application? If in the application, why? Stored objects allow one version of the code.

• It also allows the server to execute all of the code.

• Will you require any special cron jobs to be set up?

• Do you have any application documentation which you can provide me?

• ERD diagrams? Implementation plan? etc.

• Have you addressed the need to purge off data?

• If so, how? 

Loads:

• Will you require large rollback segments?

• If so, and if possible, use the ‘set transaction use rollback segment’ statement to specify the large rollback segment.

• If you require a large load, are you creating the indexes after the data is loaded?

• If possible, sort data before loading in the sequence of the most commonly used index.

• If using imports:

o Is the buffer set to at least 10m?

o For a large table import, is commit=y specified?

o This commits after each array (buffer). This can decrease the rollback size required and can improve performance of very large imports.

o Is the table sized properly?

o Export by default consolidates extents. The new table must be large enough for the consolidated table.

• If using sqlload:

o Can you use direct path?

o If so, can you use unrecoverable?

o If using conventional, set the bindsize/rows up as high as possible.

• If doing custom loads:

o Set the commit count up if possible, i.e. between 100 and 1000.

o This prevents the redo log buffer from having to be flushed to disk too often, which happens if the count is set too low. Setting it too high can affect the size of the rollback segment required.

Application:

• What are the business hours for your application?

• What processes are required for your app on the server?

• Do you have startup and shutdown scripts?

Planning a Backup Strategy

Posted in Business (600),O S (375) by Guest on the February 28th, 2010

You should have a solid backup plan in place before any application is ever moved from a development/test environment into a production environment. In addition, just as you would never put an untested application into production, you should never go into production without testing your backup strategy. It is always a good idea to include backup strategy planning as a key component of any project. In some cases, the backup strategy may even have a large impact on the design of the application. In planning the backup strategy for a given application, answer the following questions before launching the application into production:

How often should the backups be done?

What will be backed up at various times (for example, full database dumps versus transaction log dumps)?

To what medium will the backups go (tape, diskette, disk)?

Will the backups be done online (while users are working) or after-hours?

Will the backups be done manually or by an automatic scheduling facility?

If the backups are automated, how will it be verified that they actually occurred without error?

How long will the backups be saved before reusing the medium?

Assuming failure, how long will it take to restore to the last backup?

Is that an acceptable amount of downtime?

If not, what is?

Is there a mechanism in place to ensure that the backups are good, that they can be reapplied if necessary?

Where will the backups be stored, and do the necessary people have access to them?

Who is responsible for seeing that the backups are done and done correctly?

If the system administrator is gone, is there someone else who knows the proper passwords and procedures to do backups and if necessary restore the backups?

This, of course, is not a complete list of all the questions you should think about in planning your backup strategy. You will need to answer these questions for every SQL Server environment, and there may be many other questions specific to your particular environment.

SQL Security Overview

Posted in Application (380),Security (1500),Web Services (250) by Guest on the February 28th, 2010

SQL Server maintains its own internal security umbrella, including password encryption, password aging, minimum-length restrictions on passwords and user account management resources. Integrated security relies on trusted connections, which are only available with the named pipes protocol and Microsoft’s new RPC-based multi-protocol net library. Because SQL Server supports many different network options simultaneously, clients running TCP/IP can connect to SQL Server at the same time as clients using IPX/SPX. SQL Server installs different network libraries during installation to handle network communication with other servers and client workstations. SQL Server always installs the named-pipes protocol. You have the option during installation (and after) to install one or more additional network libraries. Keep in mind that the type of network support you select determines the security mode you can use for SQL Server. Microsoft SQL Server supports virtually all corporate network environments:

  • Novell® NetWare® IPX/SPX
  • Microsoft Named Pipes (including Windows NT, Windows for Workgroups, Windows 95, LAN Manager)
  • TCP/IP sockets
  • Banyan® VINES®
  • DECnet
  • AppleTalk®
  • multiprotocol networks

Assigning User and Group Privileges

By default, SNA Server does not allow users to access the resources defined within the SNA Server domain. Access privileges must be explicitly granted. To grant access rights to users and groups, open the Users and Groups window.

SQL security considerations:

  • Disable the xp_cmdshell stored procedure and disable access to the Registry from stored procedures
  • Run SQL Server under a user account (not a system account) with restricted permissions
  • Change the systems administrator password
  • Install SQL Server on a computer hidden from the Internet
  • Don’t debug programs on a computer connected to the Internet
  • Don’t run any Web scripts from the sa account
  • Disable the Guest account everywhere
  • Don’t run NMA on a computer inside a public network
  • Set only Execute rights for Web-script folders
  • Install all patches from the Microsoft Web site 

Should NetBIOS over TCP/IP (NetBT) be disabled? NetBT performs name-to-IP-address mapping for name resolution; disabling it helps hide the server(s).

You need to know that you can set up SQL Server with one of three security modes: standard, integrated, or mixed. The method you use to enter the SQL Server login determines the security mode you use. But whichever security mode you use, you must still create mappings to database users. Which mode are they using?

Hotel Room Security

Posted in O S (375),Policies - Standards (600),Security (1500) by Guest on the February 28th, 2010

Security in your own hotel room should be a top priority, whether you are traveling for business or pleasure. In an attempt to make your valuables more secure, many hotels are tightening security by installing small safes in every room and issuing coded insert cards instead of numbered keys to open room doors.

The best bet is to be your own security guard. No matter how effective hotel security is, it can’t think of everything. If you want to see just how good hotel security is, call the switchboard from a house phone and ask for yourself. Tell the operator you are not sure of the room number. If the answer is, “He’s in room 203,” you’re in trouble. The correct answer is, “I’ll connect you.” Good security requires that the hotel switchboard not give out room numbers, and the best hotels strictly adhere to this policy.

Another good way to determine how efficient hotel security is to watch how hotel room keys are controlled. For example, if it is check-out time and a pile of keys are lying on the front desk, chances are that security is lax. Anyone can grab a key from the pile. This is particularly dangerous if the room number is embossed on the key blank.

Also, do not draw attention to yourself by displaying large amounts of cash or expensive jewelry. Instead, store valuables in the hotel safe.

Finally, the “Do Not Disturb” sign is a valuable sentry for your room, provided you leave it on the doorknob outside the room. The sign is valuable when you aren’t in the room because it gives the impression you are still inside.

Source: National Security Institute

http://www.bestitdocuments.com/Services.html

Websense Web Filtering Software Overview

Posted in Business (600),Compliances (1300),Security (1500) by Guest on the February 27th, 2010

How Websense Works

Websense is based on pass-through filtering technology, the most accurate, reliable and scalable method of Internet filtering. Pass-through filtering requires all requests for Web pages to pass through an Internet control point such as a firewall, proxy server or caching device. Websense is integrated with these control points and checks each request to immediately determine whether it should be allowed or denied. All responses are logged for reporting purposes.

Websense filters Internet content by working in conjunction with the Websense Master Database of millions of sites, organized into more than 85 categories, including MP3, gambling, shopping and adult content. You can choose to block, permit, limit by time-based quota or postpone access to individual categories by user, group, workstation or network.

New sites are added to the database daily, and Websense Enterprise automatically downloads updates to the database every night to ensure you’re keeping up with the rapid evolution of the Internet.

Enterprise Solution

Sites are categorized based on the definitions below. These categories have been broken down to allow organizations to better adjust the level of access they want to give their users. In case of uncertainty, a collaborative decision is made as to whether a site is included, and in what category it is placed. Our database is regularly checked for accuracy and quality.

Categories are tools. Like other tools, they are to be used for particular purposes. When they are separated from those purposes, or turned to purposes for which they were not intended, they are often less useful and sometimes may be misunderstood.

The categories Websense uses to sort out the millions of Web sites on the Internet have been designed to collect together, in useful groupings, the kinds of sites of interest and concern to its subscribing customers. They are not intended to characterize any site or group of sites or the persons or interests who publish them, and they should not be construed as doing so. Likewise, the labels attached to Websense categories, necessary aspects of the tool, are convenient shorthand and are not intended to convey, nor should they be construed as conveying, any opinion or attitude, approving or otherwise, toward the subject matter or the sites so classified.

1. Abortion Advocacy

Sites with neutral or balanced discussion of the issues are classified under the main category “Abortion Advocacy.”

1.1 Pro-Life

1.2 Pro-Choice

2. Advocacy Groups

Sites sponsored by or devoted to organizations that promote change or reform in public policy, public opinion, social practice, economic activities and relationships. Excludes commercially sponsored sites (4, 13, 22), sites dedicated to electoral politics or legislation (10.2) or to the abortion issue (1), sites advocating hate or violence (16, 20, 29).

3. Adult Material

3.1. Adult Content. Sites featuring full or partial nudity reflecting or establishing a sexually oriented context, but not sexual activity (3.3); sexual paraphernalia; erotica and other literature featuring, or discussions of, sexual matters falling short of pornographic; sex-oriented businesses such as clubs, nightclubs, escort services, password/verification sites. Includes sites supporting online purchase of such goods and services.

3.2 Nudity. Sites offering depictions of nude or seminude human forms, singly or in groups, not overtly sexual in intent or effect.

3.3 Sex. Sites depicting or graphically describing sexual acts or activity, including exhibitionism.

3.4 Sex Education. Sites offering information on sex and sexuality, with no pornographic intent.

3.5 Lingerie & Swimsuit. Sites offering views of models in suggestive but not lewd costume; suggestive female breast nudity. Also classic “cheesecake” art and photography.

4. Business & Economy

Sites sponsored by or devoted to individual business firms, but not supporting ecommerce (22) and not firms engaged in computer or Internet businesses (13) or the sale of alcohol or tobacco (23.1), travel services (27), vehicles (28), or weaponry (29). Includes commercial real estate, but not residential real estate (21.2).

4.1 Financial Data & Services. Sites offering news and quotations on stocks, bonds, and other investment vehicles, investment advice; but not online trading. Includes banks, credit unions, credit cards, and life insurance.

5. Drugs (as characterized by U.S. law)

5.1 Abused Drugs. Sites that discuss or promote or provide information about prohibited, scheduled, or otherwise controlled or regulated drugs and their abuse; also, paraphernalia associated with such use and abuse.

5.2 Prescribed Medications. Sites providing information about approved drugs and their medical use.

5.3 Supplements/Unregulated Compounds. Sites providing information about or promoting the use of chemicals not regulated by the FDA (as naturally occurring compounds, for example).

5.4 Marijuana. Sites whose primary function is to provide information specifically about or promoting the use of marijuana.

6. Education

6.1 Educational Institutions. Sites sponsored by schools and other educational facilities or by faculty or alumni groups, or that relate to educational events and activities.

6.2 Cultural Institutions. Sites sponsored by museums, galleries, theatres (but not movie theatres), and other cultural institutions.

6.3 Educational Materials. Sites whose primary function is to provide historical information, scientific/research pages, or educational curriculum materials.

7. Entertainment

Sites that provide information about or promote motion pictures, non-news radio and television, books, humor, music, and magazines (other than those devoted primarily to adult material (3), business (4), electronic games (9), information technology (13), alcohol and tobacco (23.1), health (11), hobbies (23.5), sports (25), travel (27), vehicles (28), or weaponry (29)).

7.1 MP3. Sites that support downloading of mp3 files or that serve as directories of such sites.

8. Gambling

Sites that provide information about or promote gambling or that support online gambling. Risk of losing money possible.

9. Games

Sites that provide information about or promote electronic games, video games, computer games, role-playing games, or online games, but not board or card games (23.5); also sites that support or host online games. Includes sweepstakes and giveaways.

10. Government

Sites sponsored by government branches or agencies; all levels of government (i.e., *.gov)

10.1 Military. Sites sponsored by military branches or agencies (i.e., *.mil)

10.2 Political Groups. Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation.

11. Health

Sites that provide information or advice on personal health or medical services, health insurance, procedures, or devices, but not drugs (5). Includes self-help groups.

12. Illegal/Questionable

Sites that provide instruction in or promote crime (except computer crime (13.1)) or unethical or dishonest behavior, or evasion of prosecution therefor.

13. Information Technology

Sites sponsored by or providing information on computer- and Internet-industry firms.

13.1 Hacking. Sites providing information on or promoting illegal or questionable access to or use of communications equipment and/or software.

13.2 Proxy Avoidance Systems. Sites that provide information on how to bypass proxy server features or to gain access to URLs in any way that bypasses the proxy server.

13.3 Search Engines & Portals. Sites that support searching the Web, news groups, or indices or directories thereof.

13.4 Web Hosting. Sites or organizations that provide hosting services, or top-level domain pages of Web communities.

13.5 URL Translation Sites. Sites that offer online translation of URLs including those that offer online language translation of Web sites by submitting the URL of the target site.

14. Internet Communication

14.1 Web Chat. Sites that host Web Chat services, Chat sites via HTTP, on-IRC chat rooms. Home pages devoted to IRC. Sites that offer forums or discussion groups.

14.2 Web-based Email. Sites that host Web-based email. Any Web based email service, either browser or software based.

15. Job Search

Sites that offer information on or support seeking employment.

16. Militancy/Extremist

Sites that offer information on or promote or are sponsored by groups advocating antigovernment beliefs or action.

17. News & Media

Sites that offer current or real-time news, including those sponsored by newspapers, magazines, trade and academic journals, radio and television stations and networks, wire services; but not current financial quotes (4.1) or sports (25).

17.1 Alternative Journals. On-line equivalents to supermarket tabloids or non-mainstream periodicals. Note: This category may contain material which is sexual in nature.

18. Racism/Hate

Sites that promote the identification of racial groups, the denigration or subjection of groups (racially identified or otherwise), or the superiority of any group.

19. Religion

19.1 Non-Traditional Religions. Sites that provide information on or promote religions not listed in 21.2 and on other unconventional religious or quasi-religious subjects, including cults.

19.2 Traditional Religions. Sites that provide information on or promote Buddhism, Baha’i, Christianity, Christian Science, Hinduism, Islam, Judaism, Mormonism, Shinto, and Sikhism; also atheism.

20. Shopping

Sites that support online purchasing of consumer goods but not including sexual paraphernalia (3.1), investments (4.1), computer software or hardware (13), supplements (5.3), alcohol and tobacco (23.1), travel services (27), vehicles and parts (28), or weaponry (30). Included are sites exclusively devoted to selling sports or religious goods.

20.1 Internet Auctions. Sites that support the offering and purchasing of goods between individuals.

20.2 Real Estate. Sites that provide information on renting, buying and selling residential real estate.

21. Society & Lifestyle

Sites that provide information on matters of daily life, excluding sex (3), entertainment (7), jobs (15), sports (25), and those topics covered in subsections below.

21.1 Alcohol/Tobacco. Sites that provide information on, promote, or support the sale of alcoholic beverages, tobacco products, and any associated paraphernalia. Excludes self-help groups like AA, which are in Health.

21.2 Gay & Lesbian Issues. Sites that provide information on or cater to gay and lesbian lifestyles, including those supporting online shopping; but not sexually oriented (3.1, 3.3) or issue-oriented (2).

21.3 Personals/Dating. Sites that promote interpersonal relationships, excluding those of exclusively gay or lesbian appeal.

21.4 Restaurants & Dining. Sites that list, review, advertise, or promote food, catering, or dining services.

21.5 Hobbies. Sites that provide information on or promote private and largely sedentary pastimes, but not electronic, video, or online games (9).

21.6 Personal Web Sites. Web sites published by an individual for personal use and interchange; not published by an organization.

22. Special Events

Sites devoted to a current event that requires separate categorization owing to objectionable content, bandwidth demand, or potential effect on productivity. Some such sites will disappear; others will be reviewed after 90 days for possible reclassification.

23. Sports

Sites that provide information on or promote sports, active games, and recreation.

23.1 Sport Hunting/Gun Clubs. Gun club sites or directories of gun club sites. Includes war-game and paintball sites.

24. Tasteless

Sites that cannot be categorized elsewhere but offer offensive, grotesque, frightening, lurid, material with no redeeming value.

25. Travel

Sites that provide information on or promote various travel-related services and destinations, including those that support online purchase or reservations.

26. Vehicles

Sites that provide information on or promote vehicles, including those that support online purchase of vehicles or parts.

27. Violence

Sites that provide information on or promote violent activity. Sites containing excessive profanity may be classified here if not under Tasteless (26).

28. Weapons

Sites that provide information on, promote, or support the sale of weapons and related items.

http://www.bestitdocuments.com/IT_Security_Methodology_solutions.html

Database Security Assessment Overview

Posted in Application (380),Security (1500) by Guest on the February 27th, 2010

Oracle Security Assessment Checklist

1. Is the Oracle software owner account locked to prevent remote logins?
2. Are database user activities (logins and login failures) audited and logged?
3. Where is the Audit information stored?
4. Does the Oracle user own all of the files in $Oracle_root$/bin?
5. Are there any help and sample data installed (files and directories)?
6. How often is it reviewed?
7. Are default installed user accounts present (i.e. TNSLSNR, sys, system, etc)?


MS-SQL Security Assessment Checklist

1. Is account login auditing enabled? Where are these auditable events stored?
2. Is cross-database ownership chaining enabled?
3. Are encrypted drives and SSL connections used?
4. Do the Administrator account(s) have strong password complexity enforced?
5. Is the Kill Password (KillPwd) utility used to prevent account/user information disclosure?
6. Is access to the database tables restricted by permissions for users and groups?
7. Are only authorized users and groups permitted direct access to database tables and other database commands (i.e. Insert, Delete, Select, etc)?
8. Are ‘views’ used to assist column and row security instead of only applying security settings to the database tables?
9. Is the registry secured to ensure only authorized users (i.e. Administrators, SQL services, etc) have access to the registry keys?
10. Is access to the services on TCP 1433 and UDP 1434 restricted to authorized users, hosts or networks?
11. Are there any legacy configuration and setup files on the system?
12. Are there any sample files and directories?

IT Auditing Standards Guidance

Posted in Compliances (1300),Policies - Standards (600),Security (1500) by Guest on the February 27th, 2010

Guidelines provide guidance in applying IT Auditing Standards. The IT auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IT Auditing Standards.

Procedures provide examples of procedures an IT auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IT Auditing Standards.

COBIT resources should be used as a source of best practice guidance. Each of the following is organized by IT management process, as defined in the COBIT Framework. COBIT is intended for use by business and IT management, as well as IT auditors; therefore, its usage enables the understanding of business objectives, communication of best practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:

· Control Objectives—High-level and detailed generic statements of minimum good control

· Control Practices—Practical rationales and “how to implement” guidance for the control objectives

· Audit Guidelines—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met

· Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors

Linkage to Standards

· Standard S6 Performance of Audit Work states, “IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met.”

· Standard S6 Performance of Audit Work states, “During the course of the audit, the IT auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate documented analysis and interpretation of this evidence.”

· Procedure – Intrusion Detection Systems (IDS) Review provides guidance.

· Guideline – Review of Virtual Private Networks provides guidance.

http://www.bestitdocuments.com/Services.html

Comments Off on IT Auditing Standards Guidance

Email Retention Policy – Scope

Posted in eMail (66),Policies - Standards (600) by Guest on the February 26th, 2010

Email

• A primary communication vehicle

• An enterprise collaboration tool

• A personal filing cabinet

• An electronic record repository

• A storage glutton

• A legal and data management liability

The first mistake most companies make when creating an email retention policy is not involving all areas of the company in the construction/review process.

  • An email retention policy is not just a legal document; it will affect employee productivity company-wide. So, the first step is to create a policy group with representatives from all major areas of the company.
  • It is important that you understand how employees use the email system.
  • Do they create their own personal archives?
  • How often do they reference old emails?
  • Understanding these things will ensure you don’t put in place procedures that will adversely affect employee productivity.
  • User email categorization – another mistake is thinking that categorization of documents is necessary.
  • Because various regulations require companies to retain certain documents for a specified number of years, many companies take this as the only way to retain documents. For example, in the Sarbanes-Oxley regulation, documents that show how a financial decision was made need to be retained for a certain amount of time.
  • User error is a major problem with categorization. When users control record categorization, some documents that should be retained as business documents are not, and vice versa.
  • The original reason for categorization was to avoid accumulating too many documents, because that would increase physical space requirements and the cost of offsite storage. Keeping fewer documents was also supposed to speed retrieval if the need arose, because there would be fewer documents to wade through. This is based on an outdated reality. With electronic documents like email, storage space is plentiful and cheap, and with several of the email archiving and retrieval software programs on the market today, it doesn’t matter if there are terabytes of records: search and retrieval are immediate.
  • The final reason why categorization is a mistake is because there is no way to know for sure, at the time of creation of the email, that it may or may not be required during a future compliance audit or investigation. This is why it would be ideal to keep every record, instead of trying to have your staff inconsistently make guesses as to which documents should be retained and which should not.
  • Action: Avoid manual and automatic categorization of documents, archive every document.

Business Goal

  • Compliance should not be the business goal of a company. Business goals should be to become a better business: to reduce business risks, to improve business productivity, to improve customer service, and to ensure the company image and reputation is not damaged, etc.
  • The mistake many companies make is to take the regulations literally and as complete business guidelines. They are not; they are government minimum standards. Do you want to operate your company solely according to government minimum standards?
  • Action: Make sure your business includes goals of achieving high ethical standards, solid operations and processes and an institutionalization of a culture of compliance from the top down. Compliance is an ongoing process that should be the by-product of these goals. If these are your business goals, then meeting compliance mandates will be easy.

Expensive

Thinking that a company needs an expensive, complex content management system to achieve email compliance.

  • The truth is that it is much easier to have email be in compliance with most of the major regulations by simply archiving everything, keeping it in an easily accessible location, and being able to search by keyword, and produce requested documents in a timely fashion. All of this can be accomplished with a fairly priced email archiving solution, which can be installed in a day.
  • Related to this same mistake is thinking that a backup tape system is sufficient for compliance requirements. It is not. Compliance is not about collecting data for a disaster recovery solution; it is about timely retrieval of specific data. Backup tapes will be more expensive in the long run, and are simply not a valid compliance solution.
  • Action: Do the research to find reasonably priced email archiving vendors for small to medium sized companies that can implement their system in a few days. Do not rely on your tape backup system for email compliance.
    • Who is in charge?
    • How will you enforce this process?

Retention

Thinking that after the retention period ends, documents must be destroyed

  • Regulations mandate a minimum period to keep your business documents, not a maximum period. Regulations do not compel a business to destroy their documents. Why should you keep business records longer than the retention period?
  • Business documents are critical assets of the business, they hold corporate knowledge, customer histories, long term trends, and other information that can be used as a guide to the business long after an email retention period is over.
  • All the ‘old’ reasons for deleting electronic documents are no longer valid, since storage costs are so low and email retrieval software is so widely available. There are more reasons than ever to keep all email records. The need for email search and retrieval will continue to increase because the quantity of email is increasing, and more information is created and stored only in email.
  • Very recently, the judge in the Morgan Stanley v. Ronald Perelman case created a precedent for requiring a company to produce records regardless of the fact that the company has a document retention policy and has already destroyed the emails in question. The net result of this case was that Morgan Stanley lost a $1.4 Billion judgment, in part due to the inability to keep and retrieve its email assets.

Action

Implement a permanent email archiving solution. I would argue that all emails should be kept forever, and I challenge why any email should ever be destroyed if we have the ability to inexpensively store it and easily access it when needed.

Once a company knows about or anticipates a lawsuit, it must implement a “litigation hold” and suspend normal procedures to preserve relevant data the court might request. Counsel should inform all employees, the IT department and the “key players” of the pending litigation as well as ensure that all relevant information or sources of relevant information are discovered and preserved, and that non-privileged material is produced to the opposing party upon request. Failure to conduct an adequate search of documents before they are destroyed could constitute bad faith and warrant sanctions.

You must communicate the new policy to the employees. Employee communication and training can lower your compliance and legal liability. An email retention policy should have the following topics:

1. Effective date

2. Last change date and changes made

3. Person or department responsible for the policy

4. Scope/coverage

5. Purpose of the policy

6. Policy statement: This can include a company philosophy statement about the business/legal/regulatory reasons for records retention

7. Definitions

8. Responsibilities

  • Procedures

9. Other retention policy guidelines

  • Duplicate copies/convenience copies
  • Consequences if the policy is not followed
  • Appendix A: Litigation hold/stop destruction policy including a backup procedure

http://www.bestitdocuments.com/Services.html

Comments Off on Email Retention Policy – Scope

IT Auditing Cobit Mapping

Posted in Business (600),Compliances (1300),Security (1500) by Guest on the February 26th, 2010

Linkage to COBIT

COBIT Framework states, “It is management’s responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management should establish an adequate system of internal control.”

COBIT Management Guidelines provides a management-oriented framework for continuous and proactive control self assessment specifically focused on:

· Performance measurement – How well is the IT function supporting business requirements?

· IT control profiling – What IT processes are important?

o   What are the critical success factors for control?

· Awareness – What are the risks of not achieving the objectives?

· Benchmarking – What do others do?

o   How can results be measured and compared?

COBIT Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.

COBIT Management Guidelines can be used to support self-assessment workshops and can also be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.

COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.

The COBIT references located in the appendix of this document outline the specific objectives or processes of COBIT that should be considered when reviewing the area addressed by this guidance.

Need for Procedure

Primarily intended for IT auditors—internal as well as external auditors—this document can also be used by other security professionals with information security responsibilities.

Modern businesses are organized as a set of core processes operating within supply and demand networks. Almost every organization in the world is faced with increasing pressure for effectiveness and efficiency (i.e., higher quality requirements for products and services, increased revenue, cost reduction, new product development), a pressure for better, faster and cheaper processes. These increasingly complex operating networks are supported by available communication technologies (mainly the Internet), allowing businesses to focus on their core competencies and partner with others to deliver enhanced value to customers; however, this complexity introduces multiple avenues of threats and vulnerabilities.

The transformation of the old processes is enabled by new communication channels. These channels provide new linking possibilities among different systems and networks, making them available to more people and letting the organizations and their processes interact (e.g., e-procurement and e-sourcing).

This document provides guidance for IT auditors who are required increasingly to audit or review perimeter and internal controls to provide reasonable assurance that all external and internal threats, including potential system compromises, are minimized by identification and correction of vulnerabilities detected in performing a penetration test and vulnerability assessment.

This procedure is not a substitute for an internal audit including an organization-wide risk assessment and internal general controls and application audits of all critical infrastructures and applications, including those with financial statement implications. Weaknesses in a noncritical infrastructure or application component could have a consequential impact on critical infrastructure and application components; therefore, a system-wide audit should be completed in its totality and not in a piecemeal fashion.

COBIT Reference

Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria:

· PO6—Communicate Management Aims and Direction

· PO9—Assess Risks

· AI3—Acquire and Maintain Technology Infrastructure

· DS5—Ensure Systems Security

· DS7—Educate and Train Users

· DS10—Manage Problems and Incidents

The information criteria most relevant to a penetration testing and vulnerability assessment are:

· Primary: confidentiality, integrity and availability

· Secondary: efficiency and reliability

http://bestitdocuments.com/Services.html

Comments Off on IT Auditing Cobit Mapping

Sample Cisco Options Matrix

Posted in Business (600),Networking (340),Security (1500) by Guest on the February 25th, 2010

Networking Devices

Description | Type | Comments
Firewall (Internal) | Embedded into internal switch |
Load Balancer (Internal) | Cisco CSS 11500 | With SSL Termination/Fiber GigE
Load Balancer (Perimeter) | Cisco CSS 11500 | With SSL Termination/Fiber GigE
Router (Border) | Cisco 7600 Router | Fiber GigE Interface
Switch (BOso) | Cisco 2900 |
Switch (Internal) | Cisco Catalyst 6513 |
Switch (Perimeter) | Cisco Catalyst 6509 |
Switch (Client) | Cisco 3550 |
VPN (Perimeter) | Class 6 Server – High Range Low Density | See server configurations
VPN (Site2Site) | Cisco VPN 3030 Concentrator |
Wireless Access Point | Cisco Aironet 1200 Access Point | PEAP Compliant
Wireless Access Point | Cisco Aironet 350 Access Point | PEAP Compliant

Cisco Catalyst 6509 Configuration

Product | Description | Comments
WS-C6509 | Catalyst 6509 Chassis |
WS-CAC-2500W | Catalyst 6000 2500W AC Power Supply |
WS-CAC-2500W/2 | Catalyst 6000 Second 2500W AC Power |
CAB-AC-2500W-US1 | Power Cord, 250Vac 16A, straight blade NEMA 6-20 plug, US |
S6S22ALV-12113E | Catalyst 6000 SUP2/MSFC2 IOS ENTERPRISE LAN ONLY |
EMS-65-76-001-2.1 | Cisco 6500/7600 Mgr v2.1 Mgr Single Chassis RTU |
WS-C6X09-EMS-LIC | Catalyst 6×09 RMON Agent License |
WS-X6K-S2-MSFC2 | Catalyst 6500 Supervisor Engine-2, 2GE, plus MSFC-2 / PFC-2 |
WS-X6K-S2-MSFC2/2 | *Cat 6500 Red. Sup2, 2GE, MSFC2 and PFC2 (In Chassis Only) |
WS-X6316-GE-TX | Catalyst 6000 16-port 1000TX GE Mod., RJ-45 |
WS-X6548-RJ-45 | Catalyst 6500 48-port 10/100, RJ-45, x-bar |
WS-X6381-IDS | Catalyst 6000 Intrusion Detection System Module |
SC6K-IDSM-3-K9 | Catalyst 6000 IDS Module v3.0 Base Software |
WS-SVC-FWM-1-K9 | Firewall blade for Catalyst 6500 |
SC-SVC-FWM-1.1-K9 | Firewall module software for Catalyst 6500 |
MEM-S2-128MB | Catalyst 6000 Sup2 Mem, 128MB DRAM Option |
MEM-MSFC2-128MB | Catalyst 6000 MSFC-2 Mem, 128MB DRAM Option |
MEM-S2-128MB | Catalyst 6000 Sup2 Mem, 128MB DRAM Option |
MEM-MSFC2-128MB | Catalyst 6000 MSFC-2 Mem, 128MB DRAM Option |
CON-OSP-WS-FWM1K9 | 24x7x4 Onsite Svc, Firewall blade for Catalyst 6500 |
CON-OSP-WS-C6509 | 24x7x4 OS Service, Catalyst 6509 |

VPN 3030 Concentrator Configuration

Product | Description | Comments
CVPN3030-RED | VPN 3030 Concentrator (Redun. and 2 P/S); 1500users@50Mbps |
CVPN3030-SW-35-K9 | ^Rel 3.5 SW Load VPN 3030 Concentrator (Reqd for 3030) |
CON-OSP-VPN3030R | 24x7x4 Onsite Svc, Cisco VPN 3030-RED |

Cisco Catalyst 6513 Configuration

Product | Description | Comments
WS-C6513 | Catalyst 6513 Chassis |
WS-CAC-4000W-US | 4000Watt AC Power Supply for US (cable attached) |
WS-CAC-4000W-US/2 | Redundant 4000W AC Power Supply for US (cable attached) |
S6S22ALV-12113E | Catalyst 6000 SUP2/MSFC2 IOS ENTERPRISE LAN ONLY |
FR-C6FW | Catalyst 6000 family IOS Firewall Feature Set |
WS-C6513-EMS-LIC | Catalyst 6513 RMON Agent License |
WS-X6K-S2-MSFC2 | Catalyst 6500 Supervisor Engine-2, 2GE, plus MSFC-2 / PFC-2 |
WS-X6K-S2-MSFC2/2 | *Cat 6500 Red. Sup2, 2GE, MSFC2 and PFC2 (In Chassis Only) |
WS-X6408A-GBIC | Catalyst 6000 8-port GE, Enhanced QoS (Req. GBICs) |
WS-X6316-GE-TX | Catalyst 6000 16-port 1000TX GE Mod., RJ-45 |
WS-X6316-GE-TX | Catalyst 6000 16-port 1000TX GE Mod., RJ-45 |
WS-X6548-RJ-45 | Catalyst 6500 48-port 10/100, RJ-45, x-bar |
WS-X6548-RJ-45 | Catalyst 6500 48-port 10/100, RJ-45, x-bar |
WS-X6381-IDS | Catalyst 6000 Intrusion Detection System Module |
SC6K-IDSM-3-K9 | Catalyst 6000 IDS Module v3.0 Base Software |
WS-SVC-FWM-1-K9 | Firewall blade for Catalyst 6500 |
SC-SVC-FWM-1.1-K9 | Firewall module software for Catalyst 6500 |
MEM-S2-128MB | Catalyst 6000 Sup2 Mem, 128MB DRAM Option |
MEM-MSFC2-128MB | Catalyst 6000 MSFC-2 Mem, 128MB DRAM Option |
MEM-S2-128MB | Catalyst 6000 Sup2 Mem, 128MB DRAM Option |
MEM-MSFC2-128MB | Catalyst 6000 MSFC-2 Mem, 128MB DRAM Option |
CON-OSP-WS-FWM1K9 | 24x7x4 Onsite Svc, Firewall blade for Catalyst 6500 |
CON-OSP-WS-C6513 | 24x7x4 Onsite Svc, Catalyst 6513 Chassis |
WS-G5484 | 1000BASE-SX Short Wavelength GBIC (Multimode only) |

Cisco 3550 Configuration

Product | Description | Comments
WS-C3550-48-EMI | 48-10/100 and 2 GBIC ports: Enhanced Multilayer SW Image |
CON-OSP-C3550-48E | 24x7x4 Onsite Svc, 48-10/100 and 2 GBIC ports: Enhanced Mult |

Comments Off on Sample Cisco Options Matrix

Vendor Management Considerations

Posted in Business (600) by Guest on the February 25th, 2010

Critical Vendors

  • Are they critical to your organization’s continued viability?
  • Do they capture, house, process, store or dispose of member or organization confidential information?
  • Are there regulatory requirements?
  • What is our dependence on the vendor?
  • Would they be difficult to replace?

Contract Owner Responsibilities

  • Critical Vendor Reviews
    • Performance and SLA
    • Financial Status
    • Internal Controls (SAS 70 or other objective review)
  • Request from Vendor Annually: SAS 70, Financials, independent reports, regulatory reviews.
  • Document Your Review
Comments Off on Vendor Management Considerations

Email Archiving Concepts

Posted in eMail (66) by Guest on the February 25th, 2010

 (Author unknown)

• Journaling email creates a real-time copy of all email flowing between the mail server and the secure email boundary, writing this copy to a journaling mailbox within the mail server

• Archiving email empties the journaling mailbox at configurable intervals, moving the data to an archive container which may support configurable encryption and/or compression

• Email stubbing matches archive data to the mail server data, with the server copy physically deleted and replaced by a “stub” pointing to the archive container; this “stubbing” is transparent to the end user; the archive container may be placed on economic tier 2 or 3 disk media or CAS or disk WORM storage with response times substantially unaffected

• Archive migration moves archive containers to other tiers or storage media (such as tape), maintaining the integrity of the stub; in a move to tape, the stub allows any user access to prompt the appropriate tape load; response time is longer when the archive container is on tape

• Archive purge identifies and releases data for subsequent physical purging as needed, such as when the defined retention period expires; the actual physical purge is often a separate function and is rarely automated on the expiry date

Sample Strategic Policies

Strategic Policies call out the basic rules, laws, metrics, and approach to achieving the organization’s strategic imperatives. Such rules and laws provide a unifying and aligning capability to achieve corporate objectives across organizational boundaries. Strategic Policies lay down the basic governance to apply to the execution of organizational imperatives.

The following are elements of an actual overall email policy and are meant as examples:

Compliance – The company will actively comply with all appropriate legislation, regulation, and industry practice. This includes the preservation of intellectual property and related business information assets that may be initiated and/or contained within or attached to email received by or sent from email facilities. This policy requires each departmental head to be responsible to ensure that data requiring preservation, such as but not limited to the official copy of record, is preserved by moving such data to approved file containers on approved IT-provided departmental servers where protection policies are executed by IT operations.

Storage – Unauthorized storage may expose the company to damaged reputation, major financial penalties, legal jeopardy, and disadvantage in litigation-ordered discovery. To protect the company against such exposure, the activity of email users on their computers is subject to certain constraints, including a prohibition on storage of email or email attachments for periods beyond that defined by departmental policy and the departmentally-selected tier of service for archiving.

Exceptions – Departments requiring retention periods not covered by the four standard classes of service may make a case to management to seek an exception. A request for such an exception must include lifetime cost of retention estimates and will require formal signoff by management as a prerequisite to consideration. The department receiving such an exception must fund the exception policy.

Tactical Policies

Tactical policies support the achievement of the strategic policy. As business units develop their own plans in response to strategic plans laid down by the organization, the need to develop supportive policy at the tactical level becomes apparent. Tactical policy provides a disciplined and documented framework of laws, or rules, that will govern the development of infrastructure required to support the strategic objectives.

The following are elements of an actual overall email policy and are meant as examples:

• All email entering or leaving the secure email boundary shall be automatically captured and protected.

• The base level of service is to retain email for a period of two years after receipt or sending.

• Additional tiers or levels of service are offered to departments requiring additional retention periods.

• Service level objectives for all tiers provide for a Retrieval Time Objective based on the age of email.

• Email will regularly be migrated from production technology tiers to more cost-effective tiers.

 

Email Retention Tiers

Tier | Retention | Price per Message
1 | 10 years | $.07
2 | 7 years | $.02
3 | 5 years | $.005
4 | 2 years | Free

Email Retrieval Time Objectives

Message Age | Retrieval Time Objective
Less than 12 months | Under 5 seconds
1 to 2 years | Under 30 seconds
2 to 5 years | Under 5 minutes
Over 5 years | Under 24 hours
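The retention tiers and retrieval time objectives above, together with the “litigation hold” rule from the Email Retention Policy post, as an added example that is not part of either post: a small Python purge-eligibility model. The tier periods, per-message prices and retrieval objectives are taken from the page’s tables; the messages, departments and hold set are constructed, and the ArchivedMessage and ArchiveStore names are the example’s own. Years are approximated as 365 days, so expiry dates are illustrative rather than calendar-exact.

```python
"""Purge-eligibility and retrieval-objective model for an email archive."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention tiers from the Email Retention Tiers table: tier -> (years, price per message).
TIERS = {1: (10, 0.07), 2: (7, 0.02), 3: (5, 0.005), 4: (2, 0.0)}

# Retrieval time objectives by message age, from the Email Retrieval Time Objectives
# table: (age limit in days, objective), checked in order; None covers "over 5 years".
RETRIEVAL_OBJECTIVES = [
    (365, "Under 5 seconds"),
    (2 * 365, "Under 30 seconds"),
    (5 * 365, "Under 5 minutes"),
    (None, "Under 24 hours"),
]


@dataclass
class ArchivedMessage:  # hypothetical record shape, not a vendor format
    msg_id: str
    received: date
    department: str
    tier: int


@dataclass
class ArchiveStore:
    messages: list
    # Departments whose email is under a litigation hold (constructed state).
    holds: set = field(default_factory=set)

    def place_hold(self, department):
        """Counsel anticipates litigation: suspend normal destruction for this department."""
        self.holds.add(department)

    def release_hold(self, department):
        self.holds.discard(department)

    @staticmethod
    def retention_expiry(msg):
        """Date after which the message's tier no longer requires retention
        (years approximated as 365 days; a production schedule would use calendar years)."""
        years, _ = TIERS[msg.tier]
        return msg.received + timedelta(days=365 * years)

    def purge_candidates(self, today):
        """Ids released for physical purge: past retention and not under a hold.
        The physical purge itself stays a separate, manually run step, as the post notes."""
        return [
            m.msg_id for m in self.messages
            if m.department not in self.holds and self.retention_expiry(m) <= today
        ]

    def storage_cost(self):
        """Sum of the per-message tier prices for everything still archived."""
        return sum(TIERS[m.tier][1] for m in self.messages)


def retrieval_objective(msg, today):
    """Service-level retrieval objective that applies to a message of this age."""
    age_days = (today - msg.received).days
    for limit, objective in RETRIEVAL_OBJECTIVES:
        if limit is None or age_days < limit:
            return objective


# Constructed sample data (not from any real archive).
TODAY = date(2010, 2, 25)
SAMPLE_MESSAGES = [
    ArchivedMessage("m1", date(2007, 3, 1), "finance", 1),   # 10-year tier, still retained
    ArchivedMessage("m2", date(2007, 3, 1), "sales", 4),     # 2-year tier, past retention
    ArchivedMessage("m3", date(2009, 9, 15), "sales", 4),    # 2-year tier, still retained
    ArchivedMessage("m4", date(2006, 1, 10), "finance", 4),  # past retention, finance on hold
    ArchivedMessage("m5", date(2004, 6, 1), "legal", 2),     # 7-year tier, over 5 years old
]


def run_demo():
    """Purge candidates while finance is on hold, then after the hold is released."""
    store = ArchiveStore(list(SAMPLE_MESSAGES))
    store.place_hold("finance")
    during_hold = store.purge_candidates(TODAY)
    store.release_hold("finance")
    after_release = store.purge_candidates(TODAY)
    return during_hold, after_release


if __name__ == "__main__":
    held, released = run_demo()
    print("purge candidates during hold:", held)
    print("purge candidates after release:", released)
    for m in SAMPLE_MESSAGES:
        print(m.msg_id, retrieval_objective(m, TODAY))
```

The point of the model is the ordering of the checks: a message’s tier decides when it becomes eligible, but a hold on its custodian overrides that eligibility until counsel releases it, so “m4” only appears in the purge list after the finance hold is lifted even though its two-year tier expired in 2008.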
Comments Off on Email Archiving Concepts