| | 1.2 Demand
02. Software Policy | | |
|---|
| ITIL 1.2.3 Software Policy |
|---|
| 1.2.02 Software Policy | | With any application, the role of software and the role of data can be traded one for the other. Information Engineering Methodology (IEM) enables applications to be defined as data so software can be avoided. The benefit is that software defects are reduced, software maintenance costs are minimised, software deployment time is minimised and documentation comes first. | | Not all applications can benefit from IEM, but commercial CRM, HR and ERP applications have been proven over that last 40 years. |
| Policy | | The ASP does not provide software to any customer for any purpose. The ASP does not provide "apps" that may be downloaded. The ASP does not use application software where Information Engineering, Business Intelligence, Management Information and perfectly normal web pages can be deployed. | | Applications that do not use software have proven to be more secure than applications that do use software. |
| System Software Policy | | The ASP licenses open source system software and associated commercial tools that are in keeping with the open source movement. For historical reasons. a lot of IBM system software and software tools are deployed by Data Administrators, but this is all invisible to owners and users. | | The actual system software employed is different in each data center and what is deployed one year is likely to be upgraded to a different solution the following year. Only the very best leading edge system software can continue provide the technology needed to stay at the leading edge. System software is continually evolving and what was good enough last year may not be good enough for next year. | | As a policy, anti-virus software is not deployed on any server. As a policy, no server is permitted to support any software such as PDF reader, office document reader, browser, Java tool. complier, printer or media package. |
| System Software | | * Web Server software is concerned with accepting user requests and sending a reply within 10 to 40 mili-seconds. A standard rack will house three load balanced web servers so a failure of any web server will not impact on the application service. | | * Application Server software includes the Information Engineering application engine, Business Intelligence engine and Management Information engine. A standard rack will house two load balanced application servers so a failure of any application server will not impact on the application service. | | * Database Server software includes SQL and NoSQL services with full encryption and data stored in encrypted partitions. In the event of a database server failure, other data centers are operational and ready to take over the application service load with the minimum delay. | | * Message Switch softwware copies encrypted data between data centers to avoid the need for backup procedures and to ensure that all data is stored in many physically separate locations. Message switching keeps all replicated databases ready to take over production work in a few moments. | | * Intrusion Prevention softwware manages the network traffic to ensure that only valid messages can get to the web server. With more than 10 years of operating hundreds of applications with thousands of users, rules have evolved to identify and stop cyber-criminal attacks in a very efficient way. | | * Email softwware is issolated and independent of the web servers to ensure that no malware can access any private data. |
| Demarkation Policy | | Web servers are connected to application servers using a firewall router that ensures that the application servers cannot be accessed from the Internet. | | Application servers are connected to database servers using a firewall router that ensures that the database servers cannot be accessed from the Internet. | | Email servers are not connected to any web, application or database server to ensure security. | | Servers are given one job to do and all other services are closed down to ensure that cyber-criminal attacks will not be able to find defects in browsers, PDF readers or even anti-virus software. |
| Virtualization Policy | | Bespoke single-purpose servers are more secure than virtual servers, but where security is not critical, as with WordPress applications, then some virtualization with content managed data has been deployed. Every secure application deploys a large number of small single-purpose servers with built in redundancy. Application and database servers that are not directly connected to the Internet are more secure than any other configuration of servers. Servers that perform one and only one service with all other services disabled are much more secure than general purpose servers that may have a vulnerability in one service. |
| 2.1.34 Software Policy: | | As a policy, we do not write software, do not own software, do not publish software and do not distribute software. However system software such as an operating system, database management system or email system must be licensed. | | Windows is a dominant operating system that carries a lot of legacy baggage and security issues that must be addressed by how it is used. Apple and Google provide operating system software that carries similar security and operation issues that dictate how it should be used. |
| Privacy Policy: | | In Aug 2015, Microsoft issued it new privacy policy to accompany the launch of Windows-10, however the privacy policy is not only about Windows-10 its about all operating system software from Microsoft and other vendors. A key factor is that anything and everything on a local computer is permitted to be copied and sold to other parties. In return for having access to the operating system software, each time a user logs-in, a copy of virtually everything on the computer is copied by the system software vendor. Microsoft call it One Drive - where all data, passwords, history, favourites, music, pictures and emails are copied to somewhere in the USA. Apple call it iCloud - where all data is copied to somewhere in the USA. Google operate many cloud-based backup services - where all data is copied to somewhere in the USA. |
| Artificial Intelligence: | | Cortana, Siri and other AI tools and designed to learn about each logged on person - to capture, use and sell personal data. The includes knowing the persons diary, what alarm calls are made, what calls are made to other people, how many times and when those people are contacted, when pictures are popular, what music is listened to and what text messages are sent. Each person business day can be captured by location, duration, meetings, documents created, web sites visited, passwords used to sign-in, etc... |
| Encryption: | | All governments have the need to permit encryption but not enable a way for criminal to communicate without being monitored. A solution is for all computers to automatically copy all browse history, emails and data to be copied to massive servers in the USA. Intellectual property in the form of business data is automatically copied to where it can be harvested and sold by system software vendors. | | The apparent benefit of automatic backup and synchronisation of computer data may well be the indirect distribution of valuable business data to other parties. Even where local data is encrypted using bitlocker and similar tools, the encryption key and the encrypted data is copied to the USA data stores - Governments get access to anything and everything they need. |
| Solution: | | A gap must be created between each computing device and the person using it. Each computer can be assigned its own unique email address that is only used to login to that computer. Web site browsing history must be deleted in real-time so no history is left to be accumulated in the USA. A private email service must be used where the password is not known to the local computer. | | Email must never be downloaded to a local computer where they will be copied to a server n the USA. Every email must remain in the cloud in a private web service - emails are viewed from a protected online web site. | | Documents must not be created or downloaded to a local computer - documents must always remain in the cloud in a private protected web site. Document sharing and collaboration is done view the private web site and not as an email attachment that must be downloaded. | | Music and photographs must not be kept on a local computer - they must be uploaded to a private web site and physically deleted from the local computer. An online music subscription service is recommended - but take care to use a unique login user-name that is not shared with any other service. | | Cortana, Siri and other Artificial Intilligent Assistants (AIA) should not be used on any computer that is used for business purposes. By definition, any AIA must collect a vast amount of personal data to provide a reasonable service - all that private data will be sold to other parties. Every AIA is free of charge so the personal data accumulated is the property of the AIA vendor who will use it for commercial purposes - to pay for the free service. |
| Bring Your Own Device (BYOD): | | It is not permitted for any personal smart phone to be used for business purposes. The system software on every smart phone is designed to capture all data, passwords, documents and mail that is viewed by the smart phone - that data will be copied to servers in the USA. No matter what kind of application is used for business purposes, history, data interchange and documents will be automatically backup so it can be sold by the system software vendor. | | No matter what kind of encryption is employed, the device that can view business data will have copies of that business data copied and sold to others. The encryption keys needed to view any secure documents must be known to the local computer or smart phone and those keys will be copied with the secure documents - this makes the encryption of little value. |
| Data Ownership: | | Google got very rich by copying web pages that are the copyright works of other people - it violates the spirit of every copyright law in the world. Google sells search information about web pages that Google do not own, but have copied in spite of clear copyright notices on most web pages. | | Facebook got very rich by selling information created by the public - the personal data that is owned by each author is sold on to others for a profit. | | Twitter has a similar business model selling information created by the public - the personal data that is owned by each author is sold on to others for a profit. | | Microsoft and Google offer email services that are paid for by scanning the content of each email and selling the information derived - email data is not owned by its author, its the property of Microsoft or Google. For this reason, it would be unreasonable to use such email services for business purposes - business data would be sold to others. |
|
|