
Are we a biscuit company?

When our IT consultancy group first joined up with PKF, one of the first things we did was to check whether pkf.com.my was available. We had pkfmalaysia.com running already. Unfortunately, this is where things got tricky: pkf.com.my was already taken by a biscuit company. Hence, I suppose, the many “Are you a biscuit company?” queries we get. There’s nothing much to be done about it, but when pkf.my first became available, we snapped it up and set it to forward to our main site.

I was speaking to a company that handles domain services last week, over a nice lunch, and one of the things they do is called “Digital Branding”. A simple form of it, in DNS terms, is making sure your brand on the net doesn’t get devalued by anything that attaches itself to your name. It sounds like a simple service, but it’s really a critical one.

When Pope Francis was chosen to lead the 1.2 billion Catholics in our world recently, he was viewed as a breaker of tradition. He asked the crowd to pray for him instead of blessing them. He refused to stand on a podium, standing instead together with his bishops and cardinals. He tweeted. He started a blog at www.popefrancis.com. Oh wait, that’s taken. Popefrancis.org? Oh nuts, it’s squatted by a blog. Popefrancisi.com? Taken as well. A whole pile of popefrancis names under the top-level domains .uk, .de, .be, .net and .tv, all taken. The good news is that popefrancis.my is available. He should set up his site on our .my domain. It’s opportunistic: sometimes a $20 investment can fetch around $3,000 to $5,000. Who wouldn’t want it?

Or what about the long drama between Nissan Motors and the owner of www.nissan.com? Nissan is actually a Jewish name; in the Bible there is a reference to Nissan as a month in the Hebrew calendar. If you go to www.nissan.com you can read the drama of how Nissan Motors tried flexing its corporate muscles to bump the guy running a computer shop off the nissan.com domain. It’s a David and Goliath scenario, except the Goliath here is Japanese…who is half French.

So back to digital branding. As we become more and more dependent on the internet as the main source of information, it’s important to look at simple stuff like this. The Pope and Nissan dropped the ball. For PKF, I’m just glad that pkf.com.my is a biscuit company and not some sort of porn site.

The Essentials of a Service Level Agreement

In PKF Avant Edge, one of the things we’ve been asked to do is provide advisory and implementation on policies and procedures. We find a lot of companies have sound policies governing internal processes, but not so sound policies governing third-party providers. Some have not even heard of a Service Level Agreement (SLA) before, and when asked when the vendor would respond to their IT issues, they blissfully replied, “Maybe tomorrow. Sometimes next week.”

In many cases, the promise of a cheap service provider, whether supporting your network, your servers or devices, or simply IT infrastructure, is enough for the company. As long as they pay RM1000 less a month, that’s all that matters. Is it? What if you get crap service? What if the provider is unable to support certain things? What if there are variation orders for additional tasks not provided for?

This is where proper third-party governance comes in. It’s invariably a critical process we look at in all our IT audit exercises. No use strengthening internally when your dependence on external parties is not properly structured!

What is a Service Level Agreement?

A service level agreement is a contract between a service provider and a customer that specifies which services the provider delivers and to what standard. Once written down, the services can be measured, justified and compared against what other providers of the same services offer.

The benefits of SLA:

  1. A proper SLA helps to strengthen communication, so that the parties come to better understand each other’s needs, priorities and concerns.
  2. The SLA process facilitates the identification and discussion of expectations, so the two parties arrive at shared expectations about services and service delivery.
  3. With a shared understanding of needs and priorities, an SLA and the communication process around it help to minimise the number and intensity of conflicts.
  4. An SLA provides a mechanism for periodic review and modification of services, expectations and responsibilities as circumstances change.
  5. With an agreement in place, an SLA provides a consistent, ongoing and mutually agreed basis for assessing service effectiveness.

The key components to SLA:

  1. List the exact services being provided, so that the customer does not expect more than what is listed in the SLA.
  2. Let the customer know what they should expect from you and what you expect from them.
  3. Give the customer a timetable: how long the service provider will take to get back to them, by phone call, email or whatever method is agreed upon.
  4. Spell out the procedure for any disagreement; knowing exactly how a dispute is handled gives the customer peace of mind.
  5. State when payment is expected and, if it is not paid by then, what the repercussions will be.

Popular metrics used in customer service:

  1. Turn Around Time: the time it takes to complete any given task.
  2. Time Service Factor: the percentage of calls answered within a defined timeframe.
  3. Average Speed to Answer: the amount of time it takes for a call to be answered by your customer service agents.
  4. Abandonment Rate: the percentage of calls abandoned while waiting to be answered.

Why do SLAs fail?

  1. Service providers want to create an SLA to suppress customer complaints. Conversely, customers want to use an SLA to beat the service provider over the head whenever service slips.
  2. The process of communicating and building the foundation for a win-win relationship is essential to the success of an SLA. It is much more than just filling in the SLA template. If the relationship is lacking, even the best-written document will be worthless.
  3. Both parties must be involved in the formulation of an SLA. If one party attempts to control the process, members of the other party may resist its provisions even if they might otherwise support them.
  4. A common misconception is that once the SLA document is complete, the job is done. As a result, an SLA that is not managed fails upon implementation.

So please, if you haven’t done so, ask yourself: “Did we formalise our relationship with the service provider? Has an NDA been signed? Are proper SLA measurements in place?” Gone are the days of the handshake agreement. We now need proper documentary proof to govern how we run our businesses.

Good Grief, Another Virus?

Of all the useless, time-wasting activities IT spends its life on, removing viruses from corporate systems and networks is the worst. It’s a mind-boggling, grief-stricken task for any IT administrator, especially when the virus is so embedded in the network that sanitising the company is a losing battle. Most IT admins would prefer a lobotomy to this thankless task.

We don’t usually clean viruses and worms for our clients, but at times end up doing it. It takes a lot of time, and we usually diagnose on the severity and the spread. In some cases we recommend a low-level format on the drive and reinstall new. But most worms now reside on the network and even if we clean or reinstall new, sooner or later, it gets sick again. The only way is to do an overall purge, meaning, every single desktop needs to be scanned and disinfected.

We’ve been helping out a client on this, and basically, the haphazard sharing of files and such has caused unmitigated disaster in the form of autorun.inf files propagating through the systems via shares, and then auto loading the payload. One of the mischievious things this virus does is to hide all the files so that we think that everything is deleted.

It’s a losing battle. In our previous battles with viruses, we decided to euthanise most of the old laptops that had viruses and buy new sets, reformat and reload our servers. We even moved our office physically, and set fire to our old office, watching all 22 floors go down in a blaze of glory. Of course not. It’s arson. And it’s illegal. But we did move office, because our rent got too high. Landlords are also another form of virus at times, but that’s another story.

Anyway, the saying “prevention is better than cure” applies to viruses in IT as much as in health. The best way is not to get sick. Here are some practices for companies:

1. Get a good antivirus. Not one of those free AVG or whatever. A paid one. Kaspersky, Norton, we don’t care. Most of them are more or less the same and work on most viruses, provided the signatures are actually updating on every machine.

2. Update your OS. I hate to do it, because Windows releases updates like crazy, but we bought Windows and agreed to be part of the guinea pigs who fix their systems, so….

3. Host firewall. Your computer should have a firewall. Windows ships with one; make sure it is turned on and that ordinary users can’t switch it off.

4. IT admins shouldn’t give admin rights to normal users. It’s like giving a kid the keys to Candyland. Whatever a user clicks on runs with that user’s rights, so a non-admin user limits how deep an infection can go.

5. Secure your perimeter. This means you are at war. Don’t expose yourself to the internet unnecessarily, and secure every system that faces it.

6. Control your DNS. Much malware tampers with DNS: it points the infected host (or its router) at a rogue resolver, so lookups get redirected to a site that serves the next payload, which is then downloaded and executed. At PKF we block all outbound DNS at the firewall, even to Google’s resolvers, except to the resolvers we have approved. So if an infected machine tries to contact a rogue DNS server, the request is dropped.

7. Control your internet access. Most users have no idea that www.persiankitty.com isn’t a site for adopting cute kittens. Kill it. Get a web filter tool and make sure your policies are pushed out to all desktops and laptops with internet access.

8. Educate your people. People are the weakest link in corporate security. Teach them that they are not supposed to click on strange links in emails, accept file transfers from Skype, open unexpected attachments, or engage with Professor Muzazoagabe from Nigeria, who wants to pay them a million Euros but requires USD 1,000 to release the funds.

9. Use strong passwords. No, Iloveyou is not a strong password. Neither is 1234, or password123.

10. Document and have policies. Countless companies fail to have proper policies to address issues like this, and users are not governed in how they are supposed to conduct themselves.

11. Monitor! The best prevention is to rabidly monitor your systems, your network and the software on your devices. Keep a proper asset inventory, a software management system and a patch management system; you can’t patch a machine you don’t know you have.

12. Finally, and we’re not selling here: do your IT audits and penetration testing! It’s like saying you don’t need a health check-up because you feel fine. By the time you’re not fine, it’s too late.
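Item 6 in practice, as an added example (our own illustration, not PKF’s firewall configuration and not code from the post): the first function emits the iptables rules that let only the approved internal resolvers out on port 53 and log-then-drop every other DNS attempt from the LAN; the second reads the kernel LOG lines those rules produce and tallies which internal hosts tried to reach which outside resolvers, which is exactly the list of machines to go and scan. The resolver addresses, interface names, log prefix and the sample log lines are all constructed assumptions.

```python
"""Egress DNS control: only approved resolvers out on port 53, and a report
of the hosts that tried to bypass them.

Added example (not PKF's firewall config). Addresses, interfaces, the log
prefix and SAMPLE_LOG are constructed for the example.
"""
import re
from collections import Counter, defaultdict

APPROVED_RESOLVERS = {"10.10.0.53", "10.10.0.54"}   # assumed internal resolvers
LOG_PREFIX = "DNS-OUT-DENY: "                         # iptables --log-prefix (max 29 chars)
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")               # KEY=value pairs in a kernel LOG line


def egress_dns_rules(approved, lan_if="eth1", wan_if="eth0"):
    """iptables FORWARD rules: approved resolvers may reach port 53 outbound;
    every other DNS attempt from the LAN is logged (rate-limited) and dropped."""
    rules = []
    for proto in ("udp", "tcp"):
        base = f"iptables -A FORWARD -i {lan_if} -o {wan_if} -p {proto} --dport 53"
        rules += [f"{base} -s {ip} -j ACCEPT" for ip in sorted(approved)]
        rules.append(f"{base} -m limit --limit 10/min -j LOG --log-prefix '{LOG_PREFIX}'")
        rules.append(f"{base} -j DROP")
    return rules


def parse_deny(line):
    """Key=value fields of a kernel LOG line carrying our prefix, or None."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD.findall(line.split(LOG_PREFIX, 1)[1]))
    return fields if fields.get("DPT") == "53" else None


def rogue_dns_clients(lines, approved):
    """{src_host: {resolver_it_tried: attempts}} for hosts bypassing the approved resolvers."""
    report = defaultdict(Counter)
    for line in lines:
        f = parse_deny(line)
        if f and f.get("SRC") not in approved:
            report[f["SRC"]][f["DST"]] += 1
    return {src: dict(c) for src, c in report.items()}


# Constructed kernel log excerpt: two hosts trying outside resolvers, plus an unrelated line.
SAMPLE_LOG = """\
Mar  4 09:12:41 fw kernel: [12345.678901] DNS-OUT-DENY: IN=eth1 OUT=eth0 SRC=10.10.5.23 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3311 PROTO=UDP SPT=51234 DPT=53 LEN=40
Mar  4 09:12:41 fw kernel: [12345.702113] DNS-OUT-DENY: IN=eth1 OUT=eth0 SRC=10.10.5.23 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3312 PROTO=UDP SPT=51234 DPT=53 LEN=40
Mar  4 09:12:44 fw kernel: [12348.118452] DNS-OUT-DENY: IN=eth1 OUT=eth0 SRC=10.10.5.23 DST=198.51.100.7 LEN=72 TOS=0x00 PREC=0x00 TTL=127 ID=3319 PROTO=UDP SPT=51235 DPT=53 LEN=52
Mar  4 09:13:02 fw kernel: [12366.004000] DNS-OUT-DENY: IN=eth1 OUT=eth0 SRC=10.10.7.41 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9021 DF PROTO=TCP SPT=49211 DPT=53 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  4 09:13:05 fw kernel: [12369.220000] HTTP-OUT: IN=eth1 OUT=eth0 SRC=10.10.7.41 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=49212 DPT=80
"""


def demo():
    """Run the report over the constructed log excerpt."""
    return rogue_dns_clients(SAMPLE_LOG.splitlines(), APPROVED_RESOLVERS)


if __name__ == "__main__":
    print("\n".join(egress_dns_rules(APPROVED_RESOLVERS)))
    for src, dsts in demo().items():
        print(f"{src} tried outside resolvers: {dsts}")
```

Two caveats a practitioner would add. The counts are a lower bound because of the -m limit on the LOG rule, so treat any host that appears at all as one to pull off the network and scan; a clean workstation has no reason to look anywhere but the internal resolvers. And this only sees plain port-53 traffic: DNS over HTTPS on port 443 walks straight past it, which is one more reason the web filter in item 7 has to be in place as well.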

Drop us an email if you need more information on how to stay well, or get well!

Quit Calling Me or I will PDPA you!

This might be what, in the near future, we, the hapless victims of thousands of unsolicited phone calls, emails and SMSes, can say to the perpetrators who haunt our dreams with midnight messages and ghostly voicemails.

Here’s the fact:

1) In my SMS inbox, I have three dozen messages from entities I don’t know, received over the last week. Half of them are from politicians wishing me a good Year of the Snake. Others from banks. Others from Astro. And I just had one telling me there’s an MACC stand-up comedy coming up. What. The.

2) I have received some ridiculously timed phone calls. One came a few days back when Unifi was facing a nationwide outage, which had all the TM support staff coming back from their homes to fix it, given that they had a one-year downtime policy, with a commitment to give updates to customers every 500 hours of downtime. Yes, I am being sarcastic. Unifi is a good intention and we appreciate it, but there are still a lot of holes to plug in that service. Halfway through one of the worst Unifi outages in the history of their short existence, I received a chirpy call from a woman identifying herself as a representative of TM. I immediately thanked the gods for such superb initiative from TM: to call me to apologise and to have my Unifi fixed immediately, without me lodging a call (which was not possible anyway, since the Unifi support line was also down). Instead the chirpy woman started asking whether I wanted to upgrade my Unifi package to a better one. I asked her if she was aware there had been a major outage and the entire world was tweeting #unifi and trending to #garbage. She happily responded that she had no idea. I wish we could do an audit on Unifi support based on ISO 20000 or ITIL. I bet we could add some value there.

3) How many emails have we received from companies we have unwittingly given our information to? I am not talking about the health hormones, Nigeria scams and appendage enlargement junk email. I am talking about unsolicited marketing material from restaurants we have visited, companies we have met along the way, etc. Admittedly we have also done such things (updating our customers)…but I have received piles and piles of emails and trilobytes of documents. It’s time for this madness to end.

So, the Personal Data Protection Act? We’re not going to go through the 7 principles here; many other websites have articulated them well enough. The question here is: if I have a company and we collect data as part of our CORE business, are we screwed?

No, you’re not. But you have some work to do.

You see, the PDPA is not telling you NOT to collect personal data. It’s governing the way you do it. It’s setting up rules, like putting a referee into a previously free-for-all football game. The good news is that the rules are not extremely rigid or specific. So there’s what we unprofessionally call wriggle room. Most consulting companies have fancy terms for this, but at PKF we are what we call a coffee-shop jargon company. We don’t like throwing in big terms when an easy word will do.

There are numerous ways to comply with the PDPA, which we will touch on later. We provide IT and legal assistance for PDPA compliance. But the first thing you can do for yourself is this: do you have any policies and procedures governing your business processes? If the answer is no, that’s where you will generally need to begin. A documented approach to collecting, sharing and storing data is essential for compliance. If you already have one, well, you’re on your way to compliance even before you begin.

Let the new era of Data Protection begin!


© 2024 PKF AvantEdge
