• 26Nov

    Organizations need to make virtualization security a higher priority, says SunGard
    Five essential steps for improving virtualization security.
    http://www.continuitycentral.com/news04275.html
    • Region: US/World

    Data disasters: the golden hour
    The majority of avoidable data damage occurs in the first sixty minutes after a failure.
    http://www.continuitycentral.com/news04280.html
    • Region: World

    Researchers find that companies have still not learned to manage the security problems caused by used hard drives
    Huge amount of sensitive data still being left on redundant computer hard disks.
    http://www.continuitycentral.com/news04264.html
    • Region: World

    Anatomy of a corporate data theft…
    A step-by-step description of corporate data theft by a Trojan.
    http://www.continuitycentral.com/news04251.html
    • Region: World

    Downtime in critical systems surveyed
    Half of organizations ‘have experienced significant downtime in critical IT systems over the last twelve months.’
    http://www.continuitycentral.com/news04240.html
    • Date: 28th October 2008 • Region: UK/World

    Maintaining information, IT and cyber security during a merger or acquisition
    Dr. Jim Kennedy shares his personal experiences.
    http://www.continuitycentral.com/feature0623.html
    • Region: US/World

  • 25Nov

    When Hurricane Katrina hit New Orleans in 2005, the Louisiana Organ Procurement Agency (LOPA) lost both its landlines and its cell phone service, effectively isolating all of its agents. "We mostly communicated via voice, and our ‘disaster plan’ consisted of a phone tree notification list," which was useless under the circumstances, said Max Prather, the agency’s director of quality and information services. "Our people were scattered, and with no communications, we couldn’t bring them together or put them to work elsewhere."

     

    This was simply unacceptable for LOPA, which supplies transplant centers and hospitals with donated organs and tissue. "Our work is urgent," Prather said. "We need to be able to communicate with our agents, 24/7, in order to serve our customers effectively. Quite simply, being able to go on working during a disaster saves lives."

    After evaluating voice, text messaging and the Web, Prather and his team chose email as the most viable way to communicate during a disaster. In the event of a disaster, employees could access email "pretty much anywhere they were evacuated to," Prather said. In contrast, if LOPA’s landlines are down, "even if employees can gain access to a phone, there’s no way they could inform us of how to reach them."

    So LOPA deployed Neverfail Ltd.’s Continuous Availability Suite, which ensures near-instant access via email during a disaster, should its Microsoft Exchange server fail. The agent-based software continually replicates software and database changes at the byte level to a remote backup site. Meanwhile, it monitors server activity. If it perceives an incipient hardware or software failure, it alerts a human operator, who switches users over to the backup system in a matter of minutes. "Neverfail can do it automatically, but we traded a little recovery time in order to retain control," Prather said.

    Neverfail’s suite suited LOPA on several fronts. First, it required a minimum of equipment and bandwidth. Second, it was relatively inexpensive and simple to set up. Recovery is seamless to users. Furthermore, the product supports a range of key applications, Prather said. The agency plans to have Neverfail replicate its Oracle database server in Dallas "so we can reduce downtime during updates."

    The Neverfail suite paid for itself in about two years, mainly by enabling LOPA to take Exchange off Data Protection service and save $500 a month, Prather explained.

    Austin, Texas-based Neverfail belongs to a group of vendors that address disaster recovery and prevention at the application level, said John Morency, research director at Stamford, Conn.-based Gartner Inc. The group includes CA Inc., with XOsoft; Double-Take Software Inc.; and InMage Systems Inc. While more traditional offerings respond to system failures, products from these vendors can "probe deeply" into an application’s inner workings; spot and address small, incipient problems, like a corrupted index; and fix them before they become serious, Morency said. Because they are application-specific, such products address a limited but growing list of critical software products, such as Microsoft Exchange and SQL Server, customer relationship management applications and offerings from VMware Inc.

    The near-continuous availability such products provide has become increasingly crucial to midrange firms in the past eight to 10 years, Morency said. Between 2007 and 2008, the volume of Gartner client inquiries about recovery and continuity went up 55%, he added. Many of those queries came from midrange firms that, like everyone else in an increasingly global and Web-based business environment, can no longer afford to lose critical tools like email communication for even a couple of hours, Morency said.

    Hurricane Gustav gave LOPA a chance to test Neverfail. Well in advance of the August storm, the agency switched email operations over to its backup site in northern Louisiana — only to learn that Gustav was bypassing New Orleans and heading right for the secondary facility.

    "We were afraid that site would go down, so we ended up switching back to the New Orleans site," which never went down, Prather said. The switchover went seamlessly and smoothly, he added. "All our users were out of the office, accessing email remotely. We were able to reach everyone and keep them informed, and go on working."

    Elisabeth Horwitt is a contributing writer based in Waban, Mass. Write to her at editor@searchcio-midmarket.com.

     

  • 25Nov

    Today’s corporations face an almost endless list of rules and regulations with which they must comply: HIPAA, Sarbanes-Oxley and the recently updated Federal Rules of Civil Procedure (FRCP) are just some of the laws that businesses are already under the gun to comply with. Now, on November 1, 2008, the Federal Trade Commission (FTC) Red Flag Rules, which were passed in 2003, will take effect, and while these rules have received scant attention outside of the financial industry, the new regulations have a loophole in them that makes more businesses subject to them than they may realize.

    The FTC Red Flag Rules are primarily targeted at financial institutions that maintain large amounts of sensitive consumer information such as Social Security and bank account numbers. This information is used by identity thieves who, if they can obtain it through methods such as phishing attacks, use it to open new consumer accounts or misuse existing ones.

    The Red Flag Rules are designed to counteract these phishing attacks. They require financial institutions to implement a program to detect, prevent and mitigate instances of identity theft. This is good news, and long overdue.

    The disconcerting component of these rules for businesses is that they define a "creditor" as any entity that regularly extends, renews or continues credit. They explicitly list automobile companies, mortgage brokers and utility companies as being subject to this law, so in essence anyone that extends credit to consumers now comes under the FTC’s purview.

    With penalties at the federal and state level, an open-ended FTC definition of "creditor" and class action suits a distinct possibility, it behooves all companies to figure out where they stand with regard to these rules and then take action accordingly. And though there is a cost to comply, the cost of noncompliance is potentially unlimited.

    Jerome Wendt is the president and lead analyst at DCIG Inc. You may read his blogs at www.dciginc.com

    (DCIG Analyst Howard Haile contributed to this column.)