Regency Continue on G-Cloud

Regency IT Consulting are pleased to announce their continued participation on the Government’s G-Cloud catalogue.

G-Cloud 6 is live now and Regency’s services can be obtained through LOT 4 – Specialist Cloud Services. For a full list of the services we offer please follow the link.

LOCS and Regency ITC join forces in strategic partnership

Regency IT Consulting and LOCS have agreed a strategic partnership that extends and strengthens the service offerings of both companies. The enhanced capabilities include world-class security expertise, consultancy, secure hosting, managed services, contract/licence and IT asset/inventory management including cost compliance and risk management.

Regency IT Consulting specialises in cyber security and secure hosting and has been part of Airbus Defence and Space since 2010. Airbus Defence and Space is a worldwide leader in global security solutions and systems, providing lead system integration and value-added products and services to both civil and military customers around the globe. With around 40,000 employees, Airbus Defence and Space achieved revenues of € 14 billion in 2013.

LOCS is an independent consultancy with a background in IT service management. Under the partnership arrangement Regency will market and support the Straightedge product and provide a hosted service in a secure environment as required.

Whilst Regency and LOCS remain independent, the linkage under Airbus Defence and Space gives access to a range of resources which has enabled, and will continue to enable, the development of customer offerings and services. It also provides the reach-back to tackle much larger projects and programmes by scaling enterprise-class capability to all sizes of organisation.

Microsoft Product Updates

For many small and medium sized companies the start of a New Year provides a focus for the IT projects that will be taken forward, and the upgrade of software products and operating systems is often high on the list. There have recently been a number of news articles about support ending for both MS Server 2003 and MS Windows 7. However, the reality is that these two products are at different stages of the Microsoft Product Lifecycle. The following is some general advice which may help if your project involves updating MS software products.

The majority of Microsoft products (typically we are talking here about software packages) will follow a 10 year lifecycle. During the first 5 years they will be under mainstream support and during this time new features may be added to the product together with bug fixes and security updates.  After 5 years the products will be placed into extended support where no further new features will be added and only bug fixes and security updates will be applied.  More information can be found at the Microsoft Support Lifecycle web page.

Microsoft also provide a good Product Lifecycle Search page where you can either search for a product name (an auto completion facility assists, especially where there are multiple product versions) or by clicking on “show more search options” you can search for the following as a single item or in combination with a specific product:

  • Lifecycle Start Date
  • Mainstream Support Date
  • Extended Support Date
  • Mainstream or Extended Support Date
  • Service Pack Date

Once the search results are returned, there is an option to save them to a CSV file if you wish to use the information in a report.

Products Reaching End of Extended Support (No more updates)

There are a number of products reaching the end of extended support, and these are mainly products launched in 2005. The exceptions are the Microsoft .NET Framework 4, 4.5 and 4.5.1 products, which reach the end of extended support in January 2016, having been released in 2010, 2012 and 2014 respectively. This is more of a note to developers: if you have Windows updates configured on your servers and desktops, the .NET Framework 4.5.2 should already have been installed earlier this year.

I have chosen the next 2 products as I am aware that a number of organisations are still running this technology:

The first is Microsoft Forefront.  A number of the Microsoft Forefront products and the Microsoft Internet Security and Acceleration Server reach the end of extended support this year.  These product lines have undergone some major changes, being incorporated into other products and not being available as a single entity after December 2015.  The new road map can be found here Forefront Changes.

The second is Microsoft Windows Server 2003. All versions of Server 2003, including R2, reach the end of extended support in July 2015. The upgrade path for those organisations using this product is either to Server 2008 (which has the look and feel of Server 2003) or to Server 2012.

Products Entering Extended Support

Earlier this year both Microsoft Windows 7 (all versions) and Microsoft Server 2008 (all versions including R2) entered the extended support portion of the lifecycle.

Although the majority of the MS Forefront products are reaching the end of extended support, the Microsoft Forefront Threat Management Gateway 2010 (Enterprise and Standard) reached the end of mainstream support in April 2015.  Other products entering extended support include Microsoft SharePoint Server 2010 (and all the related services) and the Microsoft Office 2010 suite, including all the individual components.

With the above and other products entering the extended support stage, planning should start on the migration of these products to later versions. Alternatively, you can take the opportunity to assess the business and system requirements with a view to moving to different applications or technologies once you have a better understanding of their features and how they best fit in with your business requirements.

The updated ISO/IEC 27001:2013 standard – your concerns on transitioning answered

The International Accreditation Forum (IAF) has called for global conformity with ISO 27001:2013 by October 1st 2015. Registration bodies will already be working towards transitioning to ISO 27001:2013 if they have not done so already.  Following this, accredited registration bodies are expected to transition their own clients within the following 12 months. Note that the UK Accreditation Service (UKAS) will not accept scope extensions from 1st May 2015.

If you currently hold registration to the 2005 version of the Standard, you will seriously need to consider making amendments to your Information Security Management System (ISMS) now in order to meet compliance requirements in time for the next visit from your certification body. The following are a few of the most common questions we come across when talking to our clients.

  1. Why is there a new standard of ISO 27001?

ISO standards are usually updated on an approximate 5 year cycle with this one reportedly taking so long due to the global growth in cyber capabilities, their emerging threats and international agreement on how to account for them.

  2. What are the major changes in the ISO27001:2013 version?

Updating of controls to bring them more in line with today’s technologies and business practices. These include: Mobile Device Policy, Tele-working Policy, Information Security in Project Management, Secure Development Policy, System Security Testing, Response to Information Security Incidents etc.

Threats, together with the organisation and its context and its business and regulatory requirements, receive much more focus in determining the types of information security controls that are put in place.

Recognition that the role of the board is much more of a governance focussed role in relation to guidance, monitoring and evaluation rather than being involved in day to day management activities.

Requirements clauses are now numbered 1 – 10 with Planning, Support and Operation now having their own mapped clauses. Additionally, Annex A has been restructured to provide a more logical layout and to include Business Continuity Plans.

Organisations are now able to use a wide range of continuous improvement standards, other than that of Plan, Do, Check, Act. Ultimately the organisation can use whatever method works best for them. Indeed, the new standard is much more accommodating on many fronts, especially for Small to Medium Businesses.

  3. What does this new standard mean to companies who are already certified to ISO27001:2005?

Your current certification is of course still valid, as are the controls you have in place. However, organisational boards have to take notice of the timeframes for transitioning before October 2015 and begin to resource a project team now.

  4. What if we don’t update to the new version of the Standard?

Many business agreements and partnerships are formed on the basis of mutual trust and respect for the other party. Complementary to that, ISO 27001 is a prerequisite for many companies who enter into partnerships in the first place, particularly in the financial, manufacturing and IT sectors. Failing to transition to ISO 27001:2013 by your registration body’s next audit and compliance check will mean your ISO 27001 certificate will become invalid and you may well lose clients as a result.

  5. Transitioning is going to be labour intensive and expensive?

Most of the changes involved with the new Standard are backwards compatible. Organisations will mostly be able to transition successfully after conducting a gap analysis and carrying out the identified follow-up actions, without incurring significant costs or utilising many resources.

So if you already have ISO 27001:2005 certification you don’t have to go through it all again; whilst the 2013 standard brought some changes, they are not drastic and, with the aid of a timely plan, transition should be easily achievable. There are a number of publications that have been produced which may also help, and of course we here at Regency are always on hand to offer our expert experience and advice. Contact us here or Tel: 01242 225699.

The Importance of Recording and Reporting the Success and Failure of Tasks

The Operations section of Regency IT Consulting is sometimes called upon to assist in the implementation of monitoring systems and reporting processes for clients. There are times when the client thinks that we are asking for too much to be recorded or reported, but the following example illustrates that this may not be a bad thing.

Regency were assisting a client to implement processes to ensure that their backup systems were working efficiently and that this was being reported to senior management. Through this reporting the client noticed that some of the backups were not working as efficiently as they had been previously and were taking more engineering time to resolve, so they asked us to assist them in investigating further.

The system had been set up so that the failure of an individual job was always recorded in their ticketing system, and if a job failed regularly one of the engineers would raise the priority of the fault within the team and it would be investigated further. This time the overall failure rate of the backup jobs was starting to increase over a number of weeks, and it was at this point that they decided to call for assistance.

The initial investigation, completed by looking at the management reports and reviewing the support tickets, did not identify any single cause of the failures, just a number of different jobs failing at different times. It was clear at this stage that this was going to be an intermittent fault!

After double-checking the backup software configuration, Regency started looking at the tapes being used. The client knew some of them were older and had been written to a number of times, so would not have been surprised if they were faulty, but none of them were showing a high number of errors, and when the faults occurred it was for different jobs using different tapes. This was not going to be an easy fix, but luckily the client’s backup strategy and the timings of the backup jobs allowed either for the backup jobs to be re-run (in the case of offsite backups) or for a risk-based decision to be made as to whether the data could be backed up the next time the daily job ran.

The diagnosis took a few weeks to complete as each time additional debugging was turned on, either on software or hardware, the jobs started completing again but would then fail after a few days.  Regency, in conjunction with the client, finally found the root cause to be a mechanical issue with the tape changer.  This was found by having the tape changer email the debug fault codes into the ticketing system and correlating them with the job failure messages from the backup software.

The tape changer has been swapped out for another one and the backup success rate is now back to the normal 100% completion.

In addition to the monitoring and reporting implemented above, the client regularly tests the backups by performing a test restore of the different types of backup, and these are recorded within their audit plan for ISO27001.
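
The correlation step described above, matching the tape changer's fault codes against the backup software's job failure messages, can be sketched as follows. This is an added example, not the client's or Regency's tooling; the job names, tape labels, fault codes, timestamps and the 15-minute window are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the client's systems): backup job failures
# as recorded in a ticketing system, and fault codes emailed in by the changer.
JOB_FAILURES = [
    ("2015-03-02 01:14", "daily-files", "TAPE007"),
    ("2015-03-05 23:41", "offsite-full", "TAPE012"),
    ("2015-03-09 02:03", "daily-db", "TAPE003"),
    ("2015-03-11 01:20", "daily-mail", "TAPE019"),
    ("2015-03-16 23:55", "offsite-full", "TAPE021"),
]
CHANGER_FAULTS = [
    ("2015-03-02 01:09", "FAULT-A"),  # hypothetical fault codes
    ("2015-03-05 23:38", "FAULT-A"),
    ("2015-03-07 14:00", "FAULT-B"),
    ("2015-03-09 01:58", "FAULT-A"),
    ("2015-03-16 23:50", "FAULT-A"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def correlate(failures, faults, window_minutes=15):
    """Pair each job failure with changer faults logged shortly before it."""
    window = timedelta(minutes=window_minutes)
    matched, unmatched = [], []
    for when, job, tape in failures:
        t = _ts(when)
        codes = [c for f_when, c in faults if timedelta(0) <= t - _ts(f_when) <= window]
        (matched if codes else unmatched).append((when, job, tape, codes))
    return matched, unmatched

def summarise(failures, faults, window_minutes=15):
    """Per-job and per-tape counts stay flat; the changer view shows the pattern."""
    matched, unmatched = correlate(failures, faults, window_minutes)
    return {
        "failures": len(failures),
        "max_per_job": max(Counter(j for _, j, _ in failures).values()),
        "max_per_tape": max(Counter(t for _, _, t in failures).values()),
        "preceded_by_changer_fault": len(matched),
        "fault_codes": Counter(c for *_, codes in matched for c in codes),
        "unexplained": [(w, j) for w, j, _, _ in unmatched],
    }

if __name__ == "__main__":
    for key, value in summarise(JOB_FAILURES, CHANGER_FAULTS).items():
        print(f"{key}: {value}")
```

In the sample data no job or tape stands out on its own, yet four of the five failures follow the same changer fault code within minutes, which is the kind of pattern that only becomes visible once both event sources are recorded in one place.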