Computer Security Ghana Blog
Computer Security Awareness, Defense in Depth Strategies for

Failure of Business Continuity Plans
Submitted on 2009-11-13 09:17:56 (modified 2009-11-13 09:20:21)

I was recently attending a conference on Business Continuity Management, and happened to attend an enlightening talk given by Mr. Vijay Sethi, CIO of Hero Honda – the world’s single-largest two wheeler company. The focus of the talk was on “Reasons for BCP Failure”, and I believe the points given below are highly applicable to a lot of organizations. With his permission, I am presenting the key ideas he presented:

1. Faulty drivers for implementing BCP

A lot of organizations implement BCP because customers demand it, or they need it for ISO 27001 certification, or because their auditors have repeatedly stated so.

2. Not business-centric

A lot of BCPs end up focused purely on IT infrastructure, and are more like Disaster Recovery Plans than comprehensive Business Continuity Plans.

3. No clear owner of the BCM process

The success or failure of the BCM depends on who is the internal driver or champion of the process. Thus the owner of the BCM should be clearly defined. While the CIO or CTO could be the owner, he must ensure he has a larger business perspective, and more importantly the rest of the organization should not see it as a technology-focused initiative, but rather as something that affects all of them.

4. No regular BCP tests

The efficacy and strength of the BCP depend on the frequency and quality of the tests carried out. More often than not, testing is done just before an audit. The lessons from a BCP test are also not incorporated into improving the BCP. The practical reason for this is that testing is not an easy process – it requires a lot of thought, effort, and resources to execute properly and efficiently.

5. No regular updating of the BCP documents

Often the numbers given in a call-tree turn out to be unreachable, or worse still the person no longer works for the organization. In today’s business environment, organizations are changing rapidly in terms of processes, new technology, new lines of business, as well as people turnover. The BCP document can very quickly become obsolete and useless if it is not updated regularly.

6. No regular training

The truth is that no one will have the time or occasion to read the BCP document when an emergency strikes. Therefore, the successful execution of the steps in the BCP is dependent on the level of training and awareness regarding the BCP. Again, people turnover results in training not being given to the people who have replaced earlier BCP team members.

7. BCP is too rigid or too complex

No crisis will turn out exactly as envisioned in the BCP. Therefore, the BCP must allow for enough flexibility, fallback options, and enough authorization to the crisis management team to take decisions that they feel to be in the best interests of the organization. Teams should be trained to think outside the box. The primary focus should be on enabling and empowering the team, rather than on the BCP document.

8. No clear management involvement

I would put this as the #1 reason. Management is often not truly interested in the development and maintenance of the BCM, and usually plays a peripheral role in developing and driving it within the organization.

9. Cost cutting

In the current economic scenario, it is likely the first budget cuts might be to resources allocated to the BCM. Check whether, within your organization, it is the BCM that loses out on priority during budgetary discussions.

To round out the number to 10, and also to add a postscript after the 26/11 attacks, I’d like to add my 2 cents to the list above:

10. Post-26/11 knee-jerk reactions

From what we are observing around the country, organizations are rushing to implement security measures which are not really based on a risk assessment or business impact analysis. Especially in hotels, malls, corporates and governmental organizations, measures are being implemented without taking into account realistic threat probabilities and actual business dependencies.

The talk was filled with very interesting quotes, and I’ll end this article by reproducing a very appropriate one here:

“The time to repair the roof is when the sun is shining”, John F. Kennedy.




Ballmer finally confesses: Vista sucks
Submitted on 2009-11-03 04:06:16 (modified 2009-11-03 04:22:10)

That's the essence of .... this week, who made some remarkably candid comments (for Microsoft, anyway) about the failures of Windows Vista and his hopes for the future.

In new comments, Ballmer referred to the Vista debacle as having been an issue of "some uneven reception" because "we made some design decisions to improve security at the expense of compatibility."

That's putting it mildly -- Vista was initially hampered by massive hardware incompatibility problems, awful performance, and interface changes that often felt random, all leading to savage reviews and a massive user backlash -- but it is at least a recognition, however slight, that Vista hasn't been a runaway success, an idea that Microsoft has been crazily clinging to ever since Vista launched.

But in Ballmer's view, this is all good news. With PC sales down up to 15 percent from their high, Microsoft is hoping that Windows 7's release a mere two weeks from now will unleash a torrent of demand for computers and, of course, all of Microsoft's software products as well.

Will it pan out that way? While Windows 7 has started to see the first signs of a backlash, with a few critical reports bubbling up as we get closer to launch, the outlook still seems overwhelmingly positive, with high hopes that Windows 7 will be a hit. Whether that is due to Win 7's merits alone or because users are so extremely jaded with the capabilities of Windows Vista and will accept anything so they can be rid of it remains to be seen.

There will be launches of Windows 2007 and Windows Server 2007 at the following venues:

5th November, Protea Hotel, Lagos.
12th November, M-Plaza, Accra.
19th November, Reiz Continental Hotel, Abuja.

I will encourage all IT professionals in Ghana and Nigeria to attend this launch.




Seven Deadly Sins of Building Security
Submitted on 2009-11-02 04:51:39

From bad building designs to management that ignores badge rules, ReSeArChEr runs through the top building security mistakes.

You've got a few security guards and your CCTV system is up to snuff. You've got your building security covered, right? Think again. While many organizations are taking the steps to ensure their building is secure, many are ignoring basic pieces of the puzzle that is physical security in and around a facility.

ReSeArChEr, a security consultant, advises clients on how to design a security plan that fits the risk level and needs of their building. He provides a rundown of some common missteps organizations make when devising a plan to secure their facilities.

1. Creating post orders without advanced analysis

"Most companies don't have an inside person with facilities security expertise. Often the facilities manager will put together a guard services contract and contract services with a company and they really have very limited ideas about how to manage it."

The problem is that an outside contract company will often come into the assignment with their own post orders and place security personnel without first conducting a real analysis of the security needs of the building. And because there isn't an experienced person within the company that understands security, there is no system of checks to ensure the contract security personnel are doing what they should be doing. (Read a first-hand account of how easy it is for criminals to get in the door of a secure building in Anatomy of a Hack) Before any contract security services firm creates post orders for a building, they should first conduct a thorough assessment of the unique needs for security in the facility.

"Buildings differ primarily because of who the tenants are. Security needs to evaluate who is in there and what kind of risks they bring with them. Some have a high-traffic volume of visitors. They could be controversial; some might face the possibility of problems with former or disgruntled employees. All of those things dictate what security should be doing at their posts."

2. Placing aesthetics over security

This mistake can be made as early as when the building is designed by an architect. While ground-level lighting and hidden cameras may be more pleasing to the eye, neither are good for security.

"But someone seeing the camera is 50 percent of the value because it's a deterrent. When people know they are on camera, they are much less likely to do something wrong."

3. Neglecting to properly secure certain entrances

I believe in the rule that the fewer entrances into a building, the better.

"Every door is another opportunity for someone to get in."

While it is important to have several doors for emergency exits, they all too often get neglected. I suggest alarms at all doors that have been designated as emergency exits. Employees should also be asked to demand ID or badges from individuals entering a secure building, and the best defense against intruders is a good security awareness program among workers that gets them to notice what is going on around them.

4. Allowing management to ignore security rules

Sure, a good awareness program might ask employees to "check" on one another to ensure they are wearing badges or ID. But what if management is neglecting to follow the rules? It is a physical security mistake we see all the time.

"I tell them you have to make a choice. If you are going to have a badge-wearing program, you have to wear the badge. If you're not going to wear one, do away with the program, because if you don't wear it, you undermine the program."

5. Failing to take time to understand your technology

Physical security technology, such as CCTV, has come a long way in the last decade. The problem is many people don't know how to use it. Often a good CCTV recording system will be for naught because if there is an incident, the staff doesn't know how to find the recording they need.

"Companies will have a contractor come in and install the cameras, and then there is no follow up to learn how to really use it."

Another common scenario is a building with 40 or more cameras around the facility which use a multiplexer to toggle between cameras and record images. But the switching is done at random and is therefore of little use.

"If you don't set that up properly you might have a situation where a person is breaking in a door but you don't capture the event because the recorder was not on the door at that time."

I recommend that monitoring systems be configured for event-driven recording, which means a camera is activated wherever an alarm goes off.

6. Failing to secure important rooms inside the building

"We used to have people working in the server room all the time (in organizations). But now they can control what is going on in there remotely. So if someone is going in and out of there, you really want to know who it is and why they are there."

I recommend access control systems around data centers that include badges and/or access cards as well as cameras. I also advise clients who have concerns about proprietary information to secure their mail rooms as well.

7. Overdoing security

Lastly, it's important to remember that these tips are not a one-size-fits-all prescription for your building's security. The level of facility security will need to fit the level of risk an organization faces.

I'm opposed to going into a facility and having them do as much security as they can do. If you overdo it to where it doesn't make sense, within six months people will have figured out ways to get around security and it will be a waste of money. It has to match the risk and culture of the business.

It's impossible to come up with a formula that says an organization needs specific elements in their building security plan because there are too many variables. Consider your environment and invest appropriately.




What is Information Security?
Submitted on 2009-10-26 07:36:25 (modified 2009-10-26 07:39:32)

Information Security is simply the process of keeping information secure: protecting its availability, integrity, and privacy.

Information has been valuable since the dawn of mankind: e.g. where to find food, how to build shelter, etc. As access to computer stored data has increased, Information Security has become correspondingly important. In the past, most corporate assets were “hard” or physical: factories, buildings, land, raw materials, etc. Today far more assets are computer-stored information such as customer lists, proprietary formulas, marketing and sales information, and financial data. Some financial assets only exist as bits stored in various computers. Many businesses are solely based on information – the data IS the business.

Information Security is a Process: Effective Information Security incorporates security products, technologies, policies and procedures. No collection of products alone can solve every Information Security issue faced by an organization. More than just a set of technologies and reliance on proven industry practices is required, although both are important. Products, such as firewalls, intrusion detection systems, and vulnerability scanners alone are not sufficient to provide effective Information Security.

Information Security is a process. An information system Security Policy is a well-defined and documented set of guidelines that describes how an organization manages and protects its information assets and makes future decisions about its information systems security infrastructure. Security Procedures document precisely how to accomplish a specific task. For example, a Policy may specify that antivirus software is updated on a daily basis, and a Procedure will state exactly how this is to be done – a list of steps.

Security is Everyone’s Responsibility: Although some individuals may have “Security” in their title or may deal directly with security on a daily basis, security is everyone’s responsibility. A chain is only as strong as its weakest link. A workplace may have otherwise excellent security, but if a help desk worker readily gives out or resets lost passwords, or employees let others tailgate through a secure door they have opened with their keycard, security can be horribly compromised. Despite the robustness of a firewall, if a single user has hardware (e.g. a modem) or software (e.g. some file sharing software) that allows bypassing the firewall, a hacker may gain access with catastrophic results. There are examples where a single firewall misconfiguration of only a few minutes allowed a hacker to gain entrance with disastrous results. Security is an issue during an application’s entire lifecycle. Applications must be designed to be secure, they must be developed with security issues in mind, and they must be deployed securely. Security cannot be an afterthought and be effective. System analysts, architects, and programmers must all understand the Information Security issues and techniques that are germane to their work.

End user awareness is critical, as hackers often directly target them. Users should be familiar with Security Policies and should know where the most recent copies can be obtained. Users must know what is expected and required of them. Typically this information should be imparted to users initially as part of the new hire process and refreshed as needed.

Information Security involves a Tradeoff between Security and Usability: There is no such thing as a totally secure system – except perhaps one that is entirely unusable by anyone! Corporate Information Security’s goal is to provide an appropriate level of security, based on the value of an organization’s information and its business needs. The more secure a system is, the more inconvenience legitimate users experience in accessing it.

Remember: IT and Information Security are business support functions.

Unless a company’s business is IT, IT is (one of many) business support functions. Many IT professionals lose perspective - we do not!




A Call to Cyber Security Action
Submitted on 2009-10-14 07:11:50 (modified 2009-10-14 07:13:54)
Think Globally and Act Locally

I recently visited South Africa for the first time, and I was impressed. The South African government invited me to give a presentation on “Malware: The Emerging Cyber Threat” at GovTech 2009 in Durban on hot cyber security trends within governments around the world. Not only was the conference impressive, I met people of different nationalities before, during and after the conference who convinced me that we have cyber allies in every corner of the globe.

As I think back on what I learned in South Africa, I was truly humbled by the trip. The world is a big place, and there are a lot of good things going on. Ghana doesn't have a corner on protecting the Internet. Cyber experts: we need to think globally and act locally.

The GovTech 2009 conference offered speakers from Brazil to South Korea, and from Europe to Canada, as well as many South African experts. The excitement was evident in a country that will host the 2010 FIFA World Cup. My talk covered what's hot in cybersecurity.

The interesting thing is how similar the technology or cyber battles we are fighting are. We all know that cybersecurity is truly a global set of problems, and the Internet knows no borders. However, we (or at least I) tend to forget that solutions can be offered by countries well beyond our own. For example: I heard very interesting perspectives and tactics for dealing with the Nigerian Internet scams from people who have lived in Nigeria and know these people first hand.

I also heard some fascinating "thought-leading" approaches and case studies on identity management from countries as diverse as Austria and South Korea. Both of those countries are well ahead of the USA in e-government adoption and secure digital identities for their citizens.

I even met a gentleman on the flight back to Ghana who described a recent Secure ICT conference in Nairobi, Kenya - of all places! This banker was working on partnerships between US and African countries on technology matters. This group plans more conferences throughout Africa in the coming years.

Yes, we all know about excellent Israeli or European cyber solutions, but who would have thought that the next generation of technology and security leaders may come from somewhere on the African continent, or from Asia or South America? I now do.

What are your thoughts on global security trends and solutions?




10 Rules for Creating a Hacker-Resistant Password
Submitted on 2009-10-06 08:03:05 (modified 2009-10-06 08:05:49)

Passwords are frequently the only thing protecting our private information from prying eyes. Many web sites that store your personal information (for example web mail, photo or document storage sites, and money management sites) require just a user name and password for protection. Some sites, such as online banking and brokerage accounts, may provide additional protection through “secret questions” or additional authentication techniques.

Password-protected web sites are becoming more vulnerable because often people use the same passwords on numerous sites. One study by Sophos, a security firm, found that more than 30% of users recycle the same password for every site that they access. In one recent well-publicized account, a hacker infiltrated a Twitter employee’s account to access confidential business documents. Twitter did not blame the dubious practice of storing confidential information online. Instead, they stressed the importance of maintaining adequate security including strong passwords.

A strong password can help individuals protect themselves against hackers, identity theft and other privacy invasions. The strength of a password is a measurement of its effectiveness in resisting guessing and attacks. It estimates how many trials an attacker who does not have direct access to the password would need, on average, to correctly guess it. The strength of a password is a function of its length, complexity, and randomness.

Want to develop tough-to-crack passwords that resist infiltration? Follow these 10 rules:

  1. Avoid using dictionary words. These passwords are easy for hackers to figure out using an electronic dictionary.
  2. Don’t use personal information. Any part of your name, birthday, Social Security number, or similar information for your loved ones is a bad password choice.
  3. Avoid common sequences, such as numbers or letters in sequential order or repetitive numbers or letters.
  4. If the web site supports it, try to use special characters, such as $, #, and &. Most passwords are case sensitive, so use a mixture of upper case and lower case letters, as well as numbers.
  5. Passwords become harder to crack with each character that you add, so longer passwords are better than shorter ones. A brute-force attack can easily defeat a password with seven or fewer characters. Microsoft has an online password strength checker at ....
  6. To help you easily remember your password, consider using the first letter from each word in a sentence, a phrase, a poem, or a song title as a password. Be sure to add in numbers and/or special characters.
  7. Create different passwords for different accounts and applications. That way, if one password is breached, your other accounts won’t be put at risk too. Do not use the same or variations of the same password for different applications.
  8. Despite admonitions to the contrary, one easy way to remember your passwords is to write them down and keep them in a securely locked place. Never leave them on a Post-It note on your monitor, in an address book, in a desk drawer, or under your keyboard or mouse pad (or any other obvious place). To me this is against the rule of defense in depth.
  9. Consider using a secure password manager. The Firefox browser has a password manager already built in.
  10. If you have already established a password that is not strong, change it! Web sites have a variety of procedures that govern how you can change your password. Look for a link (such as "my account") somewhere on the site's homepage that goes to an area of the site that allows password and account management.
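As an added example (not part of the original post), the following Python checker applies rules 1 to 5 above and computes the brute-force search space that the strength paragraph describes as the number of trials an attacker needs; the word list and personal details are small constructed stand-ins, and the 60-bit "moderate" threshold is an assumption of this example.

```python
import math
import string

# Constructed stand-in for the "electronic dictionary" of rule 1; a real checker
# would load a full word list plus commonly leaked passwords from disk.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "football", "qwerty"}

# Constructed personal details for rule 2; in practice taken from the account profile.
PERSONAL_INFO = {"kwame", "mensah", "1985"}

# Character classes of rule 4: (alphabet size, membership test for one character).
CLASSES = {
    "lower": (26, str.islower),
    "upper": (26, str.isupper),
    "digit": (10, str.isdigit),
    "symbol": (len(string.punctuation), lambda c: c in string.punctuation),
}


def character_classes(pw):
    """Names of the character classes present in the password."""
    return {name for name, (_, test) in CLASSES.items() if any(test(c) for c in pw)}


def alphabet_size(pw):
    """Size of the alphabet a brute-force attacker must cover (rule 4)."""
    return sum(CLASSES[name][0] for name in character_classes(pw))


def has_common_sequence(pw, run=4):
    """Rule 3: a run of `run` characters that repeats ('aaaa') or steps by one
    in either direction ('abcd', '4321') counts as a common sequence."""
    text = pw.lower()
    for i in range(len(text) - run + 1):
        chunk = text[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def search_space_bits(pw):
    """Rule 5: log2 of the exhaustive search space (alphabet ** length), the 'number of
    trials' measure from the text; it assumes the password is otherwise random."""
    alphabet = alphabet_size(pw)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, personal=PERSONAL_INFO):
    """Apply rules 1-5 and report the violated rules, the search space and a verdict."""
    low = pw.lower()
    findings = []
    if any(word in low for word in DICTIONARY):
        findings.append("rule 1: contains a dictionary word")
    if any(item in low for item in personal):
        findings.append("rule 2: contains personal information")
    if has_common_sequence(pw):
        findings.append("rule 3: contains a sequential or repeated run")
    if len(character_classes(pw)) < 3:
        findings.append("rule 4: uses fewer than three character classes")
    if len(pw) <= 7:
        findings.append("rule 5: seven or fewer characters")
    bits = search_space_bits(pw)
    # Any violated rule makes the password weak regardless of its nominal search space:
    # attackers try dictionary words, profile data and sequences long before brute force.
    verdict = "weak" if findings else "moderate" if bits < 60 else "strong"
    return {"findings": findings, "bits": round(bits, 1), "verdict": verdict,
            "avg_trials": alphabet_size(pw) ** len(pw) // 2}  # expected guesses, exhaustive search


if __name__ == "__main__":
    # "Ttrtriwtsis!9" follows rule 6: first letters of a sentence plus a symbol and a digit.
    for candidate in ("password1", "abcd1234", "Kwame1985!", "Ttrtriwtsis!9"):
        print(candidate, check_password(candidate))
```

The rule-6 candidate passes with a search space above 80 bits, while the dictionary, personal-information and sequence cases are rejected before their length is even considered.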

The back door to your password. Many sites offer a password reset or recovery system if you should happen to forget your password. While a useful feature, this may offer an additional opportunity to compromise your password. Be cautious when you choose the site security questions and answers that will be used to authenticate you if you forget your password. Be sure that you don’t pick a question which can be answered by others. Many times, answers to these questions (such as a pet’s name or where you went to high school) can be ascertained by others through social networking or other simple research tools. In fact, this was the method recently used to infiltrate the Twitter employee’s account.

‘Till Death Do Us Part. While the integrity of your passwords is important to maintain your privacy, it’s important to consider what can happen when you die. You may have bank statements, bills, and other important papers that are only accessible online. Your heirs may not be able to access this information without a potentially lengthy and costly court proceeding ordering the web site to release the information. You may wish to provide a list of important passwords that will be needed after your death to your attorney or another trusted individual.


This blog is maintained by an external party. GhanaWeb is not responsible or liable for its contents