Ad. Board

Tuesday 9 December 2014

Accountability


Accountability is one of the most important terms in the information security discipline: without it there is no privacy and no limit on access to information. Laws and systems are needed that hold people accountable for the misuse of personal information, whether public or private.

Definition: Accountability is an essential information security concept. The phrase means that every individual who works with an information system should have specific responsibilities for information assurance. The tasks for which an individual is responsible are part of the overall information security plan and are readily measurable by a person who has managerial responsibility for information assurance. One example is the policy statement that all employees must avoid installing outside software on a company-owned information infrastructure. The person in charge of information security should perform periodic checks to be certain that the policy is being followed.
Every information asset should be "owned" by an individual in the organization who is primarily responsible for each one. (computer-security-glossary.org)

Its Relevance: The duties and responsibilities of all employees, as they relate to information assurance, need to be specified in detail. Otherwise, the attempt to establish and maintain information security is haphazard and virtually absent. (computer-security-glossary.org)

One of the fundamental requirements of information security, accountability is the property that enables activities on a system to be traced to specific entities; who or which may then be held responsible for their actions. It requires an authentication system (to identify Users) and an audit trail (to log activities against Users).

Accountability supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Information accountability means that information usage should be transparent so it is possible to determine whether a use is appropriate under a given set of rules.

Procedures and policies for information accountability should be established, and all employees should be informed about data access permissions, which depend on the privileges granted to each user (example: a department manager has permission to access all data about the department, but a department employee has privileges to access only some of the department's data).
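The three pieces this post ties together (an authentication system to identify users, privileges that differ between a manager and an employee, and an audit trail that lets an action be traced back to a named person) can be shown in a few dozen lines. This is an added example, not code from the original post; the users, passwords, records and the finance-department roles are constructed sample data.

```python
"""Accountability demo (added example, not from the original post): an
authentication step identifies the user, an access-control check applies
department-level privileges, and an append-only audit trail records every
attempt, so any action can later be traced back to a named person.
Users, passwords and records below are constructed sample data."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _pw(salt: bytes, password: str) -> bytes:
    """Salted PBKDF2 password hash (never store the plain password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed directory: username -> (salt, password hash, role, department)
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _pw(_SALT, "manager-pass"), "manager", "finance"),
    "bob": (_SALT, _pw(_SALT, "staff-pass"), "employee", "finance"),
}
# Constructed records: name -> (owning department, readable by employees?)
RECORDS = {
    "budget": ("finance", False),    # manager-only
    "timesheet": ("finance", True),  # department employees may read
}
AUDIT_LOG = []  # append-only trail: one entry per access attempt

def authenticate(user: str, password: str) -> bool:
    """Identify the user; constant-time comparison of the password hash."""
    entry = USERS.get(user)
    return entry is not None and hmac.compare_digest(entry[1], _pw(entry[0], password))

def authorised(user: str, record: str) -> bool:
    """Manager: every record in own department; employee: only records flagged for staff."""
    _, _, role, dept = USERS[user]
    rec_dept, staff_ok = RECORDS[record]
    return dept == rec_dept and (role == "manager" or staff_ok)

def access(user: str, password: str, record: str) -> bool:
    """Every attempt, granted or denied, is logged against the user who made it."""
    ok = authenticate(user, password) and authorised(user, record)
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                      "record": record, "outcome": "granted" if ok else "denied"})
    return ok

def who_touched(record: str) -> list:
    """Answer the accountability question: which users acted on this record?"""
    return [(e["user"], e["outcome"]) for e in AUDIT_LOG if e["record"] == record]
```

Denied attempts are logged as well as granted ones, because a trail that only records successes cannot show who tried to reach data outside their privileges.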



Saturday 6 December 2014

IT Need a Controller


Let's start with some assumptions. First, the IT department employed an administrator to manage one of the critical systems at the organization, and this employee has permission to install any software. Second, you want to set up a new workstation for a new business employee, but IT does not have the proper document to manage this setup, so the administrator sets up the workstation without any procedures to follow. Can you guess the risk behind these two assumptions?

Like any other operations, IT operations need to be controlled and managed. What about the risk in the first assumption if the organization has a control unit that monitors and controls all administrator operations? That risk will decrease and the organization will be safer. The second assumption lets the IT employee install whatever he or she wants, and maybe give the business employee administrator permission to manage his or her own workstation. What if you have a document listing all the software and permissions that should be installed for all business employees? Again the risk will decrease, the environment will be standardized and follow the organization's procedures and policies, and you can audit, control and manage IT operations easily.

IT should have an "IT Governance" function. IT Governance will be responsible for setting up the procedures, policies, processes, etc. to monitor and control the IT organization and keep the IT environment safer, more auditable and more controllable.

IT Governance is the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives. (IT Governance Institute)

COBIT is one IT Governance framework, and I found it very helpful as a starting point for building IT Governance in your IT organization. For more information about COBIT you can visit the ISACA website: https://www.isaca.org/Pages/default.aspx
You can also contact me directly; I will be happy to help anytime.

Saturday 29 November 2014

Before Planning for Disaster Recovery

I posted before about the difference between backup and disaster recovery. Here I will explain more about disaster recovery, and I hope this information will help you build an accurate disaster recovery plan that meets your organization's strategy and needs.

One of the most important steps for IT people is to create a "Business Impact Analysis" (BIA) before planning for disaster recovery at any organization. A BIA is essential to the success of your disaster recovery planning, no matter how you do it, whether by using computer software, surveys, interviews, etc., and whether by an internal team or by an external team contracted from an outsourcing company.

The benefits of a BIA are to gather information that helps the organization plan for disaster recovery, design the disaster recovery site, prioritize the computer applications and software used by business/functional departments, and keep IT people focused on achieving the goals and objectives of disaster recovery.

A BIA is a tool to document information about applications; all of that information is analyzed to help the organization in disaster recovery planning. Sometimes you need experts to analyze the BIAs and document all analysis results in order to develop accurate disaster recovery plans.

The content of a BIA template includes, but is not limited to:
1. Name of application,
2. Department name,
3. Work hours for this application (e.g. from 8:00 AM to 9:00 AM),
4. Number of users,
5. Effect on the organization (e.g. reputation, cost, legal, etc.),
6. Key processes for the application (e.g. reports to government, customer service, billing, etc.),
7. Whether there is an alternative procedure when the application is down,
8. Related hardware and software,
9. Infrastructure needed, and
10. Application administrator name.

Friday 21 November 2014

Starting Customer Care Service

I don't want to talk here about IT service providers serving external customers or clients; this post is for IT people placed in the same organization as the business departments they serve.

IT people have customers, so IT people should know customer care. Knowing how to deal with their customers and keep them satisfied is one of the major responsibilities of IT people. The customers of IT are all the people who use the applications, computers, and all IT services and solutions. In any organization IT people implement IT services and solutions, but what about the services after implementation (warranty, maintenance, spare parts, etc.)? All customers like to be satisfied with services, and the customers of IT people are no different.

Many IT people don't know the basic principles of serving their customers. What is the impact?
"If you don't care about your customers, you will lose your business." IT people will lose their business when they ignore customer care: negative reports about bad or unqualified service will reach management.

What do IT people have to do to keep their customers satisfied?
My advice here is:
1. Pay attention to customers' needs.
2. Solve incidents and problems quickly.
3. Develop a service improvement plan.
4. Implement updates as needed.
5. Monitor and control the IT environment.
6. Try to automate all customer procedures and functions where applicable.
7. Train customers on new IT features related to their work.
8. Teach IT teams how to resolve conflicts and disputes, and how to communicate with their customers.
9. Sign a service level agreement (SLA) between IT and the business departments.

Monday 17 November 2014

Incidents should be visible

One of the reasons for employing IT people is to manage and resolve daily incidents, but not all organizations believe that a helpdesk is a very good tool to ease communication between end users or customers and IT people. Some organizations use telephone, email or fax to report incidents to IT people. That works for a small business, but what about an organization with 500+ employees, 50+ applications and 200,000 customers?

We have to care about incidents; some incidents cost the organization time and money, and IT people should track all incidents until they are resolved. With phone, email or fax, not all incidents reach IT people in a timely manner, which costs the organization more money and time. You can't create decision reports to resolve the root cause of high-frequency incidents, there is no report on IT employees' performance, and there are no priorities for incidents.

What about a single communication channel between IT people and end users or customers? This channel offers documentation of all incidents, categorized and prioritized incidents, monitoring and control of resolutions, and the ability to escalate unresolved incidents to a higher-level technician. It also enables evaluation of employees' work on incident resolution and logging of all resolutions in a Known Error Database. All these benefits and more can be easily implemented by using a helpdesk system.

IT people should see all incidents in a timely manner, so incidents should be visible at all times.
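The helpdesk functions this post lists (a single record of every incident, categories and priorities, escalation of incidents that stay unresolved, a Known Error Database, and reports on recurring incidents and per-technician work) fit into a small model. This is an added example, not code from the original post; the categories, priority ranking, the 4-hour escalation threshold and the hour-of-day clock are constructed assumptions.

```python
"""Helpdesk demo (added example, not the original post's code): one channel where
incidents are recorded, prioritised, escalated when unresolved too long, closed
into a Known Error Database, and reported on. All values are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional
PRIORITY = {"billing": 1, "email": 2, "printer": 3}  # 1 = most urgent (assumed)
ESCALATE_AFTER_HOURS = 4                               # assumed threshold

@dataclass
class Incident:
    id: int
    category: str
    reported_hour: int  # hour of day when reported
    assignee: str       # first-line technician
    level: int = 1      # 1 = first line, 2 = escalated
    resolution: Optional[str] = None

@dataclass
class Helpdesk:
    incidents: list = field(default_factory=list)
    known_errors: dict = field(default_factory=dict)  # category -> fixes

    def report(self, category: str, hour: int, assignee: str) -> Incident:
        inc = Incident(len(self.incidents) + 1, category, hour, assignee)
        self.incidents.append(inc)
        return inc

    def open_by_priority(self) -> list:
        """Unresolved incidents, most urgent first (unknown categories last)."""
        return sorted((i for i in self.incidents if i.resolution is None),
                      key=lambda i: PRIORITY.get(i.category, 9))

    def escalate_overdue(self, now_hour: int) -> list:
        """Move first-line incidents unresolved past the threshold to level 2."""
        moved = [i for i in self.incidents if i.resolution is None and i.level == 1
                 and now_hour - i.reported_hour >= ESCALATE_AFTER_HOURS]
        for i in moved:
            i.level = 2
        return [i.id for i in moved]

    def resolve(self, inc_id: int, text: str) -> None:
        """Close the incident and record the fix in the Known Error Database."""
        inc = next(i for i in self.incidents if i.id == inc_id)
        inc.resolution = text
        self.known_errors.setdefault(inc.category, []).append(text)

    def reports(self) -> tuple:
        """Frequency per category (root-cause targets) and resolved count per technician."""
        return (Counter(i.category for i in self.incidents),
                Counter(i.assignee for i in self.incidents if i.resolution))
```

The frequency report is what makes the root-cause work the post mentions possible: an incident that was only ever phoned in never shows up as the second or third occurrence of the same category.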

Sunday 28 September 2014

Backup and Disaster Recovery: What's the Difference?

Do you know the difference between backup and disaster recovery? Have you thought about those terms before?
All of us hear about backup; there is always a reminder in our lives, on our smartphones and in software tips. Disaster recovery, however, is not in our list of terms; it's not in our dictionary.
Most small business owners don't know the difference between backup and disaster recovery, so today's post is a lowdown on backup vs. disaster recovery, to explain the difference.

Backup, what is it?
Let's start with the basics: what is backup? In summary, backup is copying data to storage. This can be to DVD, to SAN storage, or to remote storage ("the cloud").
It is very important to have a backup solution in place. It protects you from data loss caused by employee accidents (deleted data), theft (a lost laptop) and technical problems (a server crash); with a backup you can restore your data easily.

Disaster Recovery, What is it?
Disaster recovery is similar to backup, but disaster recovery is used for larger instances. A full image of your servers and disks is mirrored. The image increases the probability of restoring your systems faster than by reinstalling the OS and restoring data.
Now read the term "disaster": does it make sense to you? Don't get caught up on the term and believe it has to be a major accident. A disaster can be that your network equipment and servers crash and all of the organization's employees can no longer work for a day or more. With a disaster recovery plan, the organization's employees can continue to work on the mirrored systems and servers while IT people work on fixing the problem at the main site (where the original systems are located).

Backup is similar to disaster recovery, but disaster recovery is much wider than backup, and a disaster recovery plan contains backup plans. A backup is needed to restore data in case the original data is lost; with disaster recovery, data does not need to be restored, because employees are moved to work on the mirrored systems in case of data loss or a system crash at the main data location.

Friday 11 April 2014

Are IT people always right?

My professional career path has given me the chance to think about this question: "Are IT people always right?" IT people think most of the time that they have the power to put themselves on the winning side, giving them the permission to be right always.
I worked for many years and always faced a conflict between IT and Business. My role as IT Manager gave me the chance to be on the IT side, but as a professional IT Manager I should keep the business satisfied and sometimes say to the business "Yes, you are right", because they know what the business needs better than IT does. When we think like this we will enhance our relationship as IT people with the Business people.

When you plan to build a successful IT organization, you should work to enable the needs of the business. Remember that you have to support the business to deliver its mission and to help the business realize its vision, not fight the business. Once you think like that, you have put your foot on the path to success for your IT organization.

Make sure the business is part of your success plan; your support for the business is one of the keys to success for your IT organization.


My answer to the question "Are IT people always right?" is now clear: of course, "No".