SYS-CON Events announces that Jill Tummler Singer, Deputy Chief Information Officer at the Central Intelligence Agency (CIA), will be delivering the opening keynote at the 1st Annual Government Conference & Expo (www.GovITExpo.com) on October 6th in Washington DC.


Ms Singer was appointed in November 2006 and is responsible for ensuring CIA has the information, technology, and infrastructure necessary to effectively execute its missions. Prior to her appointment as Deputy CIO, Ms. Singer served as the Director of the Diplomatic Telecommunications Service (DTS), United States Department of State, and was responsible for global network services to US foreign missions.

GovITExpo builds on the success of SYS-CON's Cloud Computing Expo, the fastest-growing conference anywhere in the world devoted to the delivery of massively scalable IT as a service using Internet technologies. Data storage, security and software services are among the major themes of the technical program, which offers breakout sessions divided into three parallel tracks covering:

* Cloud Computing/Virtualization
* Service Oriented Architecture
* Security & Compliance

There will be breakout sessions on the security issues that are unique to the Cloud, such as the crucial distinction between Private and Public clouds. Expert speakers from government and the software industry alike will be looking at issues such as the requirements for how companies can handle government information and how information can be most successfully shared by multiple clouds. Doing more with less is the new reality for most IT departments, and the Government is no exception. So the cost-effectiveness of technologies such as Virtualization will also be foremost on the agenda.

With GovITExpo, SYS-CON Events widens and broadens its reach to embrace those who are bringing technology into the Federal domain. This high-energy event will be a must-attend for senior technologists involved in Government IT at every level including CIOs, CTOs, directors of infrastructure, VPs of technology, IT directors and managers, network and storage managers, network engineers, enterprise architects, and communications and networking specialists.

According to the Washington Post, the U.S. Census Bureau is using Salesforce's cloud to manage the activities of about 100,000 partner organizations across the country. And the Defense Department's technology arm has already set up a cloud to let the military rent storage space or use remote software programs. Companies like online application provider NetSuite have shifted their focus to federal sales, on the basis that what works for Enterprise IT can also work for Government.

"Agency CIOs and CTOs need the flexibility to choose the best tools to accomplish their mission regardless of platform," notes Conference Chair Kevin L. Jackson, a senior information technologist specializing in information technology solutions that meet critical Federal government operational requirements. "Come explore the wide range of currently available technology choices for yourself," he adds. "Join us at the 1st Annual Government IT Conference & Expo on October 6, 2009, in Washington, DC - either as a delegate, sponsor, exhibitor, or speaker. I look forward to meeting you at this important event!"

NEW YORK -- Tata Consultancy Services, a unit of India's Tata Group conglomerate, said Thursday it was selected as a strategic information technology vendor for BP PLC, one of the world's biggest oil and gas companies.

Terms were not disclosed.

The deal is part of a year-old effort by BP to lower costs by consolidating its information technology vendors for application development and maintenance.

Tata will work on refining, manufacturing and corporate IT maintenance.

SRA International Inc. will help protect information technology systems from cyberattacks at the Transportation Security Administration under a task order worth up to $53 million.

Under the contract, SRA will lead a team that will monitor the agency’s IT systems and assess various security threats to those systems, company officials said Aug. 25. The work includes detection, analysis and coordinated response to threats and attacks, the officials said. The SRA-led team will provide the services via a security operations center.

SRA’s team includes InScope Solutions Inc., SE Solutions LLC and Verizon Business.

TSA, a component of the Homeland Security Department, is responsible for the security of the nation’s transportation systems. The task order was awarded through DHS' Enterprise Acquisition Gateway for Leading Edge Solutions contract.

Among the other deals SRA won in recent months is a $63 million contract to upgrade communications infrastructure for the Defense Department’s Joint Staff Information network.

SRA, of Fairfax, Va., ranks No. 26 on Washington Technology’s 2009 Top 100 list of the largest federal government prime contractors.

Government and industry information technology experts have identified critical functions of the country's key information technology assets, some specific risks to the IT sector's performance and potential mitigation strategies. That information is in a baseline assessment of threats to the IT sector.

The Homeland Security Department and the Information Technology Sector Coordinating Council (IT SCC) released the document, the IT Sector Baseline Risk Assessment (ITSRA), Aug. 25 as part of a joint effort to bolster protection of IT assets considered to be critical infrastructure. IT is one of 18 critical infrastructure and key resources sectors that the government identified under DHS’ National Infrastructure Protection Plan.

Approximately 80 experts, mostly from industry but also from the government, came up with the ITSRA, said Bob Dix, chairman of the IT SCC and vice president of government affairs and critical infrastructure protection for Juniper Networks. The IT SCC is made up of IT companies, professional service firms and IT trade associations.

Officials say the document is meant to provide an all-hazards risk profile that the IT sector can use to inform resource allocation for research and development and other protective program efforts. The assessment is “a baseline of national-level risk” and doesn’t deal with all threat scenarios faced by the IT sector, the document states.

In one example, the group identified the risk from the production or distribution of an untrustworthy critical product or service using an attack on a vulnerability in the supply chain. The experts said the consequence of this type of attack would be high but the likelihood of it occurring was low. The group also identified existing mitigations for that threat such as supply chain resiliency, sourcing strategies and product recall in response to compromised production.

The experts used virtual collaboration tools in their process to develop the document. The effort included three phases:
* Developing “attack trees” that describe how a function can be destroyed, incapacitated, exploited or diminished.
* Evaluating risk.
* Analyzing and reporting.

Unisys was awarded a task order for about $106,000 to test new encryption and "bit-splitting" technology at the U.S. Joint Forces Command.

The Blue Bell-based information technology firm said Thursday that it will be testing the Unisys Stealth Solution for Network, which is designed for information sharing for government and commercial organizations operating at different levels of security.

The one-year task order, awarded through the Defense Information Systems Agency's Encore II contract, will have Unisys providing tech support at the agency's sites in Norfolk and Suffolk, Va.

"This technology can address a long-standing challenge for the Department of Defense and other government agencies: how to simplify their networks without sacrificing security, while delivering significant cost savings," said Jim Geiger, managing partner, Department of Defense, Unisys Federal Systems.

By Romit Guha

Of DOW JONES NEWSWIRES

BANGALORE (Dow Jones)--Australia's Foster's Group Ltd. (FGL.AU) said Friday it is in talks with Wipro Ltd. (WIT) to outsource some of its information technology operations in the U.S., the U.K. and Australia, as the beer and wine maker tries to cut costs and consolidate its technology requirements by hiring a single service provider.

This would be the third such deal that Wipro, India's third largest software exporter, has received or is close to receiving in as many days. ...

The Association of Information Technology Professionals (AITP) offers professionals within the Pittsburgh area and the Information Technology field a way to connect.

AITP’s mission is to provide its members with programs and activities that will help them with career growth and community involvement. A majority of its Board of Directors are information technology professionals, but the board also includes representatives from other industries such as manufacturing, health care, utilities, and accounting firms.

What you can find on the AITP Website:

* A Job Postings Page
* An Events Page
* Newsletter
* Discounts on Technical Products and Accessories

Belonging to AITP and networking with other like-minded professionals can help you to advance in your career, knowledge, and skills.

Today, access to information is vital for a large portion of the “connected” population; connected to everyday information: news, emails, appointments, text messages, calls and videos. Via a variety of devices. Everywhere. Ubiquitous.
The paradox arises from a big change in how the IT market operates. Before, IT products struggled to build a wide base of users. Today, users already have their devices (PCs, servers, laptops, smart-phones, etc.) ready to explore IT from everywhere. The longest jump came with the cell-phone to smart-phone transformation, their price drop being the result of technology advances and the commoditization of data services for mobile devices.
Now think: potential users, eager to explore and to take advantage of their data plans. Easy-to-use devices (full keyboards, wide screens, touch screens). Plenty of opportunities, not only for the traditional IT vendors but also for anyone who has a good idea and publishes it, as in the iPhone, Blackberry and Symbian communities.
Then, who has the power here? The users? The IT vendors? It seems to be a win-win situation, if not better than one reached after a good negotiation. For the IT vendors, tons of possibilities, limited only by creativity; for the users, the opportunity to have their senses informed. It used to be “at your fingertips”; nowadays it is listening and watching—even wearing. For the users: is there a real need to have the information ready all the time? Do you think the need is created by the products and services available?

Nokia Morph Concept
http://www.nokia.com/about-nokia/research/demos/the-morph-concept
http://www.youtube.com/watch?v=Zto6aTZM9t0

Job Description: BLH Technologies, Inc., is seeking an experienced Director of Information Technology with demonstrated success in planning, organizing, and executing all IT functions for its Rockville, MD, headquarters. The IT Director will be responsible for business plan development, team management, and project management and client relations. Primary responsibilities: direct and manage an IT division; formulate IT policies, procedures, and programs; ensure data and system integrity; evaluate overall operations of computing and information technology functions; and make recommendations for enhancements based upon strategic initiatives and directions.

Job Requirements: Education required: Bachelor’s degree in Information Technology, Management Information Systems, or Computer Science; Master’s degree preferred. Previous experience required: 8-10 years of experience in the IT sector with increasing responsibilities, 5 years of IT department management experience, 3-5 years of experience in software and database development, preferably in a Microsoft environment, and a broad understanding of computer systems, applications, and operating systems, as well as analytical and problem-solving skills. Must have demonstrated experience in implementing effective and innovative software development methodologies in order to manage a System Development Life Cycle, as well as Federal contracting experience responding to RFPs and securing new business, particularly with GSA buys.

The law firm Nixon Peabody LLP recently sent to clients an article explaining provisions of the Department of Health and Human Services' recent rule governing breaches of unsecured protected health information. Health Data Management received permission from the firm to publish the article. The firm emphasizes that the article is intended as an information source and readers should not act upon the information without professional counsel. Linn Freedman, a partner and head of the firm's health information technology division, is the author. The following is the article:

HHS issues breach notification requirements for covered entities and business associates

On August 19, 2009, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an interim final rule ("the Rule") related to the Health Information Technology for Economic and Clinical Health Act (HITECH) requiring covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification to individuals of breaches of unsecured protected health information to unauthorized individuals. In addition, HHS issued an update to its guidance specifying the technologies and methodologies that render protected health information (PHI) unusable, unreadable, or indecipherable. Section 13402 of HITECH, enacted on February 17, 2009, requires HIPAA covered entities and their business associates that "access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information" to notify the affected individual and the Secretary of HHS following the discovery of a breach of unsecured PHI. In addition, in some instances, HITECH requires notification of a breach to the media. Covered entities must provide the Secretary of HHS with a log of breaches on an annual basis, and the Secretary of HHS will post the list of entities that experienced breaches of unsecured PHI involving more than 500 individuals on the HHS website.

A breach means, generally, "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information."

HITECH defines "unsecured protected health information" as "protected health information that is not secured through the use of a technology or a methodology specified by the Secretary in guidance." The Secretary of HHS issued guidance on April 17, 2009, listing encryption or an encryption algorithm and destruction as two technologies rendering PHI unusable, unreadable, or indecipherable. HHS issued further guidance in the Rule that access controls do not meet the statutory standard for rendering PHI unusable, unreadable, or indecipherable, and that only encryption and the destruction of paper PHI render PHI unusable, unreadable, or indecipherable and therefore will relieve a covered entity or business associate from the breach notification requirement. Further guidance on accepted technologies and methodologies includes the requirement that encryption keys should be kept on a separate device from the data that they encrypt or decrypt and that valid encryption processes for data at rest and data in motion are consistent with NIST Special Publications.

The importance of covered entities and business associates implementing the technologies and methodologies outlined by HHS cannot be overemphasized. If a covered entity or business associate secures or destroys PHI by implementing encryption technology and destroying paper records according to the specified technologies and methodologies, then in the event of a breach, the covered entity will not be required to notify individuals of a breach.

The Rule distinguishes the definition of a "breach" from that of HITECH. Both HITECH and the Rule limit the definition of a "breach" to a "use or disclosure that compromises the security or privacy" of the PHI. The Rule clarifies that the definition, "compromises the security or privacy of PHI," means "poses a significant risk of financial, reputational, or other harm to the individual," which is more consistent with state breach notification laws. Accordingly, to determine whether a breach has occurred, covered entities and business associates will need to perform a risk assessment regarding the level of harm that may befall the individual as a result of the disclosure. It is important for covered entities and business associates to establish breach notification policies and procedures in order to comply with the Act and regulations, as a specific risk assessment must be done on a case-by-case basis.

The Rule outlines an exception to the breach notification requirement relating to a limited data set (created by removing 16 direct identifiers of PHI). If there is a breach of a limited data set, a covered entity or business associate will have to undergo a risk assessment as in any other breach, but if the information disclosed does not include ZIP codes or dates of birth and the risk assessment indicates that the risk of re-identification poses no significant risk of harm to any individuals, then breach notification to the individual is unnecessary.

The Rule also provides three exceptions to the definition of breach:

1. The unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or business associate if it was made in good faith, within the course and scope of employment or professional relationship, and does not result in further use or disclosure
2. Inadvertent disclosure of PHI between similarly authorized personnel or within the same facility
3. A disclosure in which an unauthorized person to whom PHI has been disclosed would not have been able to retain the information

The Rule requires a covered entity to notify an individual "without unreasonable delay and in no case later than sixty (60) calendar days after the date the breach was discovered by the covered entity." The purpose is to give covered entities and business associates time to conduct an investigation and to determine whether there was a breach of unsecured information that poses a significant risk of harm to any individual. The notice must be written in plain language and must include:

1. a brief description of what happened, including the date of the breach and discovery of the breach;
2. a description of the type of unsecured PHI that was involved in the breach;
3. any steps individuals should take to protect themselves from potential harm resulting from the breach;
4. a description of the investigation into the breach, mitigation of harm to individuals, and protection against further breaches; and
5. contact procedures, which must include a toll-free telephone number, an email address, website, or postal address.

If the breach involves more than 500 individuals, notice must be provided to prominent media outlets and to the Secretary of HHS through a press release. Interestingly, the Rule provides that if the breach involves individuals residing in more than one state, notification to prominent media outlets is required only if more than 500 individuals of one state are involved. Accordingly, if there was a breach of information of 600 individuals, with 200 individuals residing in each of three different states, notification would be required to the individuals and the Secretary of HHS, but notification to the media would not be required. For breaches involving fewer than 500 individuals, a covered entity must maintain a log and submit the log annually to the Secretary of HHS.

HITECH and the Rule require a business associate to provide notification of a breach to the covered entity so that the covered entity can notify affected individuals. In addition to the specific identification of the affected individuals, business associates must provide any other available information that the covered entity is required to include in the notification to the individual and therefore, the Rule suggests that the business associate not delay initial notification of the breach to the covered entity in order for the covered entity to be able to collect the information needed for the specific notification.

HITECH and the regulations require covered entities and business associates to develop and document policies and procedures for notification of individuals, train workforce members on the policies and procedures and implement sanctions for a failure to comply with the policies and procedures. In addition, covered entities and business associates should maintain documentation regarding notifications made, the risk assessment performed and the analysis made to determine that an exception applied to substantiate that notification was not required.

It is extremely important that the breach notification compliance program of covered entities and business associates contain sufficient documentation of the risk assessment and response to the breach as they bear the burden of demonstrating that no breach occurred because it did not pose a significant risk of harm to the individual. In addition, in order to invoke the exception with respect to limited data sets, the covered entity must be able to demonstrate that the information did not include ZIP codes or dates of birth.

Finally, the Rule acknowledges that many states have adopted breach notification laws that may be contrary to the federal regulation. Accordingly, the Rule proclaims that contrary state breach notification laws will be preempted by the HHS breach notification regulations. A state law is contrary if "a covered entity could find it impossible to comply with both the state and federal requirements or if the state law stands as an obstacle to the accomplishment and execution of the full purpose and objectives of the breach notification provisions in the Act." Accordingly, a covered entity, as part of its breach notification policies and procedures, will have to determine whether the state law of the state in which the individual resides is contrary to the federal breach notification regulations to determine whether preemption applies.

The regulations will be effective 30 days after they are published in the Federal Register and include a 60-day public comment period. Based on concern expressed during the comment period, discretion will be used in imposing sanctions for failure to provide notifications of breaches that are discovered before 180 calendar days from the publication of the Rule.

It is imperative that covered entities--including physicians, dentists, ambulatory care centers, kidney dialysis centers, family planning clinics, home care services, mental health and drug rehabilitation centers, medical laboratories, hospitals and nursing facilities, health insurance firms, third-party administrators, health plans, and pharmacies--and their business associates develop and implement breach notification policies and procedures, including a procedure for risk assessment, in order to comply with the HITECH Act breach notification regulations.
