Imran Awan case shows lax security controls for Congressional IT staff

By Kevin McDonald

Investigations into the conduct of the IT staff of the House of Representatives raised alarms. Kevin McDonald explains what we can learn from the case of Imran Awan. Those who operate with high-level system access, [...]

2020-05-18T15:07:45-07:00

I Am a Non-Technical Executive: What Seven Things Should I Be Asking My IT Guys About IT Security?

Irvine, CA - Overseeing IT and security is a daunting task even for an IT professional. If you are an executive to whom IT reports, the task becomes nearly impossible. The following questions are designed to let you have a meaningful discussion with your IT team, so that you can be an informed and responsible manager doing your due diligence to protect the assets of your firm. If you are an IT professional, these are questions you should be prepared to answer.

1. Q. When did we last do a risk assessment? Please share that document with me. I would particularly like to see the Risk Assessment Table.

A. Make sure your IT team periodically assesses the risks to your IT systems. They should recommend upgrades and new solutions from time to time, and you should listen. They need to be able to express each threat in operational and economic terms in order to justify the expenditure. If your team can't give you a clear and coherent answer on when and how they last did this, send them off with a task and a deadline.

2. Q. When did we last do a Vulnerability Scan? What were the results of that scan? I would like to see the report. Who did the remediation? When is our next scan planned?...

2021-01-28T18:23:01-08:00

What nineteen audiences in twelve months taught me?

Navigating Fear in the Security and Compliance World

In advancing technology, it is the fear of a project going sideways, running over budget or failing to accomplish its stated objective that leaves many frozen. What if the technology we recommend doesn't work as we hope? What if something is required by law (such as encryption in healthcare), yet we fear an unknown outcome so much that we won't act? What if we miss a key component of a project or underestimate the effort required, and the entire project goes over budget?

2014-12-17T23:02:14-08:00

Senate Passes Retroactive Tax Relief Under Section 179

This is one time you may want to make a quick call to your accountant and then order up some of those infrastructure items you have been putting off. A bill known as the "tax extenders" bill, if signed by the president, will reinstate Section 179 tax [...]

2023-08-11T01:47:43-07:00

How Frequently Should I Do a Review or Assessment of My IT Systems?

...this then puts all the burden and stigma on Alvaka, our engineer and our NetPlan program. That fuels some of the debate we have with some clients. I remember two separate debates with a controller at a 20-year client. He said he "should not have to pay for us to check our own work." I have two answers for that objection:

1. He has two of his own people who work on his IT system, along with other vendors. His employees can do things unintentionally, and so on. This is not about checking on our Alvaka engineer. It is about checking the overall integrity and operational state of his IT system, which has changing needs over time and changes as different people touch it. It is simply a matter of doing a periodic review to make sure nothing is getting missed, and to look for things that need to be done differently. Changing and updating tape/disk backup jobs to accommodate new servers and software is a classic example. Without review, these jobs often don't get updated, and that leads to tragic results down the road. I have seen it far too many times in 30 years. It is preventable.

2. Even if a client does not have their own IT staff, it is prudent to periodically check IT systems to make sure everything is working right, that current needs are being met and that important requirements and practices are not getting overlooked or wrongly....
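A check of the kind that periodic review catches, illustrated against the backup-job case in point 1 above. This is an added example, not part of the original post or of Alvaka's NetPlan program; the server inventory, the job definitions, the dates and the seven-day staleness policy are all constructed assumptions.

```python
"""Periodic review check: does every live server still have a working backup job?
Added example; the inventory, job definitions and dates are constructed and do
not describe any real backup product or program."""
from datetime import datetime, timedelta

# Constructed server inventory: host -> date it went into service.
INVENTORY = {
    "dc01": "2012-03-01",
    "file01": "2012-03-01",
    "sql01": "2013-06-15",
    "erp-app01": "2014-10-20",   # added this quarter; nobody touched the backup jobs
    "old-fax01": "2009-01-10",   # retired, see DECOMMISSIONED
}
DECOMMISSIONED = {"old-fax01"}

# Constructed backup job definitions: protected hosts and the last successful run.
BACKUP_JOBS = [
    {"name": "nightly-core", "hosts": ["dc01", "file01"], "last_success": "2014-11-30"},
    {"name": "weekly-archive", "hosts": ["sql01", "old-fax01", "file01"], "last_success": "2014-09-07"},
]


def review_backups(inventory, decommissioned, jobs, today, max_age_days=7):
    """Reconcile the inventory against the backup jobs and return the review findings.

    max_age_days is an assumed policy: a job that has not succeeded within that
    window is stale, and a host protected only by stale jobs counts as unprotected."""
    today = datetime.strptime(today, "%Y-%m-%d")
    stale_jobs = set()
    covered = {}   # host -> names of the jobs that include it
    for job in jobs:
        last = datetime.strptime(job["last_success"], "%Y-%m-%d")
        if today - last > timedelta(days=max_age_days):
            stale_jobs.add(job["name"])
        for host in job["hosts"]:
            covered.setdefault(host, set()).add(job["name"])

    live = set(inventory) - decommissioned
    return {
        # live servers that no job mentions at all
        "unprotected": sorted(h for h in live if h not in covered),
        # live servers whose every job is stale
        "only_stale_jobs": sorted(h for h in live if h in covered and covered[h] <= stale_jobs),
        "stale_jobs": sorted(stale_jobs),
        # job targets that are retired or unknown: wasted media and a sign of drift
        "orphaned_targets": sorted(h for h in covered if h in decommissioned or h not in inventory),
    }


if __name__ == "__main__":
    findings = review_backups(INVENTORY, DECOMMISSIONED, BACKUP_JOBS, "2014-12-04")
    for name, hosts in findings.items():
        print(f"{name:18} {', '.join(hosts) or '-'}")
```

Run against the constructed data, the review surfaces the new ERP server that no job covers, a SQL server whose only job has not run in months, and a retired fax server still consuming backup media. None of these are faults of whoever wrote the jobs; they are what drift looks like when nobody re-reads the job list after the environment changes.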

2014-12-04T16:00:00-08:00

What Should You Do About IT and Network Security in 2015?

So what should you do at your company?

1. Identify your most valuable IT systems. What is the most important data residing there? Determine your obligations to protect that data and how important it is that those systems stay up and running.

2. Do you have a current network/information security policy in place? Once you have determined which systems and data are most important to protect, developing your policy becomes much easier.

3. Discover where you are most at risk. A quick and easy way is to have someone perform a vulnerability assessment on your systems. Alvaka Networks can help you with this; vulnerability assessments are the most common security service we provide. We will help you match the protection needs of your most important IT assets against the vulnerabilities the assessment identifies. From there you can create a roadmap for protecting you, your company and your IT assets from cyber-attack.
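What step 3 looks like in practice, carrying the Risk Assessment Table and the vulnerability scan results asked about in the executive questions above into a prioritized roadmap. This is an added example, not code from the original post or from Alvaka Networks: the asset inventory, the scanner export, the scoring weights and the remediation deadlines are all constructed for illustration.

```python
"""Build a remediation roadmap by matching asset criticality and data
obligations against vulnerability scan findings.
Added example: the inventory, the scan export, the weights and the SLA table are
constructed for illustration and are not any vendor's method or a real scan."""
import csv
import io

# Constructed asset inventory: host, business criticality (1-5), regulated data held.
ASSETS_CSV = """host,criticality,obligations
fileserver01,5,PCI;HIPAA
erp-db01,5,SOX
hr-web01,4,HIPAA
kiosk-lobby01,1,
dev-build01,2,
"""

# Constructed scanner export: host, CVSS base score, finding, public exploit known.
FINDINGS_CSV = """host,cvss,finding,exploit_available
fileserver01,9.8,SMBv1 enabled with unpatched remote code execution,yes
fileserver01,5.3,TLS 1.0 accepted,no
erp-db01,7.5,Database listener reachable from every internal subnet,no
hr-web01,6.1,Reflected cross-site scripting in login page,yes
kiosk-lobby01,9.8,Unsupported operating system,yes
dev-build01,4.3,Self-signed certificate,no
legacy-print01,7.2,Default administrative password,yes
"""

# Assumed remediation policy: fix within N days once the score reaches the threshold.
SLA_DAYS = [(60.0, 7), (30.0, 30), (0.0, 90)]


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def risk_score(criticality, cvss, exploit_available, obligations):
    """Risk = impact x likelihood. Impact is the asset's business value plus one
    point per regulated data type it holds; likelihood is the CVSS score,
    doubled when a public exploit exists. The weights are illustrative."""
    impact = criticality + len(obligations)
    likelihood = cvss * (2.0 if exploit_available else 1.0)
    return round(impact * likelihood, 1)


def sla_for(score):
    for threshold, days in SLA_DAYS:
        if score >= threshold:
            return days
    return SLA_DAYS[-1][1]


def build_roadmap(assets_csv=ASSETS_CSV, findings_csv=FINDINGS_CSV):
    """Return (prioritised findings, scanned hosts missing from the inventory)."""
    assets = {row["host"]: row for row in load_csv(assets_csv)}
    roadmap, unmatched = [], set()
    for f in load_csv(findings_csv):
        asset = assets.get(f["host"])
        if asset is None:
            unmatched.add(f["host"])   # the scan found a host nobody inventoried
            continue
        obligations = [o for o in asset["obligations"].split(";") if o]
        score = risk_score(int(asset["criticality"]), float(f["cvss"]),
                           f["exploit_available"] == "yes", obligations)
        roadmap.append({"host": f["host"], "finding": f["finding"],
                        "cvss": float(f["cvss"]), "score": score,
                        "fix_within_days": sla_for(score)})
    roadmap.sort(key=lambda r: (-r["score"], r["host"]))
    return roadmap, sorted(unmatched)


if __name__ == "__main__":
    rows, missing = build_roadmap()
    for r in rows:
        print(f'{r["score"]:6.1f}  {r["fix_within_days"]:3d}d  {r["host"]:15} {r["finding"]}')
    if missing:
        print("Not in inventory (add to the risk assessment):", ", ".join(missing))
```

The same CVSS 9.8 finding lands at the top of the list on the PCI/HIPAA file server and near the bottom on the lobby kiosk, which is exactly the matching of asset value to vulnerability that the step describes. The host the scan knows about but the inventory does not is the other common outcome of a first assessment, and it goes straight back into step 1.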

2024-10-09T05:08:03-07:00

Key Questions to Answer After Getting CryptoWall or CryptoLocker

1. What date did you get infected?

You might have only a few days to pay the ransom before it goes from $500 to $1,000. After 30 days you might not be able to decrypt the files at all.

2. What type of files got encrypted, and what do they mean to your business?

If the files are not worth $500, don't pay the ransom. If the files are worth $5 million, you had better be very careful and thoughtful about what you do. The decryption process might not even work, and if so....
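Answering the first two questions from the file server itself, as an added example that is not part of the original post. The heuristic (a file whose header no longer matches its extension and whose content is near-random) is a generic triage check, not a description of how any particular CryptoWall or CryptoLocker version behaves, and the sample share is constructed in a temporary directory.

```python
"""Triage after a file-encrypting malware event: estimate when encryption began
and which file types were hit. Added example; the sample share is constructed,
and the detection heuristic is generic rather than specific to any malware family."""
import math
import os
import random
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Header bytes for the file types we expect to see on a business file share.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF-", ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data approaches 8.0


def shannon_entropy(data):
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """True when the declared type's header is gone and the content is near-random.
    A real .zip or .docx is compressed (high entropy) but keeps its PK header, so
    the header check is what separates it from an overwritten file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(65536)
    magic = MAGIC.get(ext)
    header_ok = magic is not None and data.startswith(magic)
    return not header_ok and shannon_entropy(data) > ENTROPY_THRESHOLD


def fmt(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")


def triage(root):
    """Return the encryption window and a per-extension count of hit files, or None."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                hits.append((os.path.getmtime(path), os.path.splitext(name)[1].lower()))
    if not hits:
        return None
    times = [t for t, _ in hits]
    return {"first_encrypted": fmt(min(times)), "last_encrypted": fmt(max(times)),
            "hit_count": len(hits), "by_extension": dict(Counter(ext for _, ext in hits))}


def noise(rng, n):
    """Deterministic pseudo-random bytes standing in for encrypted content."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_share(root):
    """Constructed file share: intact files plus files overwritten with random bytes."""
    rng = random.Random(2014)
    base = datetime(2014, 10, 1, 2, 15, tzinfo=timezone.utc).timestamp()
    samples = {
        "finance/budget.xlsx": (MAGIC[".xlsx"] + b"budget data " * 200, base - 86400 * 30),
        "finance/q3.pdf": (noise(rng, 4096), base),                         # hit
        "hr/handbook.docx": (noise(rng, 4096), base + 240),                 # hit
        "hr/photo.jpg": (MAGIC[".jpg"] + b"\x00" * 3000, base - 86400 * 400),
        "backups/archive.zip": (MAGIC[".zip"] + noise(rng, 4096), base - 86400 * 2),  # intact, compressed
        "finance/ledger.docx": (noise(rng, 4096), base + 900),              # hit
    }
    for rel, (content, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        return triage(build_sample_share(root))


if __name__ == "__main__":
    print(run_demo())
```

The earliest modification time among the hit files is the date to measure the payment deadline against, and the per-extension tally is the starting point for the second question: it tells you which business function owns the damage and therefore what the files are worth. Run it against a copy of the share, never the live one, and keep the original intact for whatever recovery route you choose.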

2024-10-09T05:22:40-07:00

HIPAA business associate agreement consultations could be unlawful

Here is a controversial article written recently by Kevin McDonald for TechTarget.

Under federal law, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule extends to a class of business entities (i.e., health plans, health care clearinghouses and [...]

2020-04-29T22:44:01-07:00

A Layered Approach to Computer Protection

Tomorrow I speak at the Technolink conference in Los Angeles. I was asked to talk on the subject of computer security, ransomware, the Obama executive orders on national infrastructure security and other recent topics affecting businesses that use information technology [...]

2013-03-19T02:47:21-07:00