Category: Business Continuity


Windows XP was a mainstay at many financial services firms for nearly a decade.  In keeping with the Microsoft Lifecycle Support Policy, support for Windows XP and similarly aged software must eventually end.  You can learn more about the policy here.

According to Microsoft, extended support for Windows XP is scheduled to end on 04/08/2014.  If your office is using Windows XP, you should be working on plans to phase out XP by replacing those systems with new PCs or upgrading the PCs to a more recent workstation operating system in the next six to nine months.  There is no good reason to wait until or beyond April 2014 to perform these upgrades.

Why should you care?

Most security standards – for instance, 201 CMR 17.00 – require that you apply security patches on a regular basis.  It is the extended support from Microsoft that allows you to do this.  After extended support has ended, there is no guarantee that any security patches will be released for these systems.  In order to stay compliant with security standards, firms using Windows XP will need to upgrade to other systems.

Hasta la vista, Vista!

Currently, we are recommending that business users implement Windows 7 Professional on workstations.  Windows 8 makes sense for home users with touch screens, but we prefer not to implement operating systems before they have become mainstream in the workplace; Windows 8 just isn’t there yet.

Vista extended support is good through 04/11/2017, but Vista has always been a dog, and any business users still using Vista should strongly consider moving to Windows 7 Professional immediately.

Server-based systems affected by the Microsoft Lifecycle Support Policy

Windows 2003 Server extended support is good through 07/14/2015.  Nevertheless, Windows Server 2008 R2 will likely be the most widely used network operating system among investment advisors by the end of 2013.  Windows Server 2012 was released on 09/04/2012 and hasn’t yet been widely implemented among SMBs we are familiar with.

Exchange Server 2003 extended support also ends on 04/08/2014.  The implications of this related to security updates are the same as those detailed above regarding XP.  If you know which version of Exchange is in use at your office, you can check Microsoft’s site here to determine when the end of extended support for Exchange will affect your firm.

Like Vista, extended support of Exchange Server 2007 is good through 4/11/2017, so there is no need to upgrade in the near term future.  Exchange 2010 adds OWA support for Firefox and Chrome.  In addition, Exchange 2010 makes better use of lower-cost disk subsystems, allowing you to get a performance boost over 2007 without spending a premium.  Those are nice features, but not nice enough to push an Exchange upgrade before a normal IT lifecycle replacement demands it.

Exchange Server 2003 will be phased out by many advisors this year, and most will move to Exchange Server 2010.  Though Exchange Server 2013 was technically released in November 2012, it may be premature for the SMBs that dominate the investment industry to adopt Exchange Server 2013 over Exchange Server 2010.  Presently, there is no direct migration path from Exchange 2003 to Exchange 2013.  A number of small investment advisors will move to hosted Exchange solutions and no longer keep Exchange servers at their offices.

With this many possible changes slated for the next ten months, now is a good time to make sure your firm has addressed the issues or has a plan to upgrade any systems affected.

About the Author: Kevin Shea is President of InfoSystems Integrated, Inc. (ISI); ISI provides a wide variety of outsourced IT solutions to investment advisors nationwide.

For details, please visit isitc.com, contact Kevin Shea via phone at 617-720-3400 x202 or e-mail at kshea@isitc.com.

Five to ten years ago, talking about Software-as-a-Service (SaaS) products with my clients would have been a very short conversation: they simply weren’t interested.  Today, however, the landscape has changed.  Investment advisors are more open to using systems in the cloud because they have begun to realize that owning technology and controlling every aspect of it is expensive.  In the past, they wouldn’t have had it any other way.

Now, we live in a different time, with newfound economic pressures and more sensitive budgets.  To those managing the operational budget, the cloud looks good.  Some of my more progressive clients have been ahead of this curve.  Instead of building and implementing systems internally, they have been using outsourced technology systems through the likes of Fidelity’s WealthCentral platform.  They have enjoyed using best-of-breed technology, without paying a premium to own it.

CLOUD-BASED SYSTEM ADOPTION GROWING

Those with experience using cloud-based services are looking to expand use of that technology, and some firms who never would have considered it in the past are taking a hard look at putting some of their systems in the cloud.  No matter which group your firm fits into, you are unlikely to find a complete solution in the cloud, nor should you.  As an example, clients of mine who effectively leveraged cloud services in other areas in the past are only now thinking of using hosted Exchange services from the likes of Rackspace or Google.  I also work with advisors who moved quickly to Google for email, but wouldn’t think of moving their portfolio management system to the cloud.

Recently, some of our clients have made the move and transitioned their servers into the cloud.  Options exist for moving workstations processing into the cloud via terminal services and virtual machines, but not many advisors have taken it to that extreme yet.  Terminal services and virtual machines are frequently used in the contingency systems that most advisors implement, so using them for primary system access isn’t much of a leap.

WHY YOU MAY WANT TO MOVE YOUR SYSTEMS TO THE CLOUD

Typically, one advantage of cloud-based systems is vendor-based redundancy that eliminates the need for similar infrastructure at investment firms.  In other words, you don’t just save money on primary hardware and software systems, you also save on redundant infrastructure and simplify the requirements of your contingency systems.

Advent offers a SaaS solution through their Advent OnDemand service.  This service is available directly through Advent and other channels, such as Fidelity.  In my experience, clients utilizing Advent’s SaaS offering give up some flexibility, but save a considerable amount of money by utilizing Advent’s infrastructure rather than purchasing and maintaining their own.  It is not the right solution for every firm, but it is worth looking into.

As users of Portfolio Center and Junxure consider the necessary system upgrades to support their expanding SQL server requirements, they need to understand whether the systems they implement will continue to support their growing databases.  In some cases, these users may need to incur the expense of a full SQL server license in addition to purchasing respectable server-class hardware for their next generation server.  When looking at the price tag associated with these potential upgrades, these users will do well to consider Portfolio Center Hosted, before committing to new system expenditures.  The SaaS version of Portfolio Center is scheduled to be released in April 2013.

2013 AND BEYOND

For the remainder of 2013, advisors will continue to adopt SaaS and cloud-computing systems that spare their businesses significant expense while posing relatively low security risks.  Firms will also resist the urge to move their systems into the cloud fully.  Their perceived need to actively manage security locally is too great for investment managers to entrust these controls to the cloud for the time being, but at this rate, 2014 and 2015 could be mostly cloudy.

AUTHOR’S NOTE

I touch on cloud-computing briefly in this article and may seem to use the terms SaaS and cloud interchangeably.  Cloud-computing apps and SaaS apps both sit in the cloud.  They are closely related, but not the same thing.  If you want to learn more about the differences, here is a link to an article that explains it.

Quarter end reporting for Q4 2011 was a grueling task – one that still wasn’t completed for some firms in February of 2012. I am in touch with the operations staff of representative investment firms of varied disciplines and sizes. That quarter I heard it from just about everybody. Firms were transferring accounts to different custodians, embracing new trading platforms, contemplating portfolio management system changes and enhancements to client-facing reporting as well as more robust outsourcing options … but the show must go on.

The operations staff rarely gets a break. They must deal with new initiatives as they come and still manage to get their regular work done. The act of balancing the two responsibilities can be difficult and exhausting for those faced with these demands. To quote one of my clients, “Every time you turn around it’s quarter end.”

As a consultant to many of these firms, I have a unique view of the daily grind of typical investment professionals. In the past, they could take reasonable breaks for lunch, etc., but more and more of the people I work with are going without the niceties of lunches out and a little down-time during the day. An illness in the family can be particularly troublesome for those working in investment operations to deal with. Illnesses are seldom convenient or negotiable.

In addition to the normal challenges that I face in any given quarter, that quarter I had to deal with one that I had no control over – the death of a loved one. My father, who, at age 73, seemed to be in outstanding health had a sudden and unexpected heart attack on the evening of January 23rd, 2012. There is never a good time for something like that to happen, but the 23rd was better than the 8th would have been for me. I was on the phone with him when it happened, and heard him utter his last words, “I feel so dizzy.” Then he collapsed.

It was so quick. I could hardly comprehend it. Over the course of the next few hours my brother and sister traveled home to New York to be with my mother as quickly as possible, while I tried to think about what I needed to do to wrap up any loose ends related to my clients’ quarter end reporting, and get home as soon as possible. After a day and a half of chipping away at various tasks and setting things in motion, I needed to go home and grieve our loss with my family.

My father had a successful career as a financial officer in the retail and financial service industries, acting as consultant to many banks and Fortune 500 companies. He kept his financial dealings fairly close to the vest, and though he had shared some of what he had done with me, I was not familiar with everything. His record-keeping was meticulous and nearly perfect in all respects but one – planning for his unexpected death. He had a joint will with my mother, but we couldn’t find it. He had assets and regular income, but getting my mother access to all of their assets would take time.

Over the next week, I went over his records, which included 22 years of tax returns and similar detailed records of my parents’ finances to lend what help I could in assessing the situation for my mother. I am no stranger to investment reports, so I winced when I saw my father’s Morgan Stanley Smith Barney statements. The production of statements as meaningless as these should be a criminal offense. I first saw statements like these back in 1987. In twenty-five years very little has changed. The statements are as dull and drab as possible. The only color afforded is the dark blue line that runs along the top. These statements are difficult for people who know what they are looking for to read – never mind those less familiar. At best, these statements are an inventory of holdings.

After looking through more of the investment statements, I eventually found summary statements that get sent out about a month after each quarter end. These statements were better, but not as good as most of what we create for our clients. Given their ability to produce better statements, firms like Morgan Stanley Smith Barney should be held to a higher reporting standard.

Over the course of nearly two weeks, my brother and I stoically exchanged quips like “Good will hunting” and “Where there is a will there’s a way” in humor that my father would have appreciated. Eventually, we found the will. It was perhaps the only thing improperly filed in his office. Throughout the ordeal, I couldn’t help thinking about how my father could have made things much easier for us by leaving us a list of the top ten things to do if he died. It might have taken him twenty minutes to put together if he had ever thought about it. I half expected to find such a list, but it was nowhere to be found – apparently, my Dad wasn’t planning to die. Here is what the list might have said:

Sorry to leave you all so suddenly, but here is what you need to do:

1. Call my attorney _______________ at _______________ , and have him execute my will. For some reason, I have the original copy of my will in the file marked _________________ at our home in ________________.

2. I have three whole life insurance policies that should provide a total non-taxable death benefit of approximately ___________________ .

They are:
a. _______________________________
b. _______________________________
c. _______________________________

Call my good friend _______________________ in the insurance business at ______________ and have him help you get the forms and file them. The proceeds from my life insurance should help with the transition period.

3. In the event of my passing, Mom should have access to the following regular income sources totaling about ________ per month:
a. ________ Pension.
b. My social security not hers.
c. The annuity.

4. All of the bank accounts are jointly held and your mother is listed as the primary beneficiary.

5. My retirement account will need to be transferred to her and she is listed as the primary beneficiary.

6. There is no money hidden anywhere. It was already raining.

7. Put the funeral on the Amex and the meal afterwards on the Underhill tab.

8. Yes. I want the cheapest casket.

9. Psalm 23.

10. Swing easy.

Love,
Dad

Using my personal experience with my father as an example, we can hopefully learn something.  First and foremost, we should make sure to acknowledge our own mortality and take the steps necessary to make our passing easier on those we would leave behind.  And, of course, since this blog is about investment operations and technology, ensure that your firm has the contingency planning, documentation, staff redundancy and training necessary to survive the loss of key personnel, whether that loss is through a sudden career change, a long-term illness, or an unexpected tragedy.

The impetus for some of the best client relationships I have ever had has been the vacuum created by the loss of personnel.  I have helped firms that experienced 100% turnover in their investment operations department rebuild, assisted those trying to make sense of cryptic documentation left behind by co-workers who left abruptly, and managed to get things running again when the person who “did everything” was severely injured in an automobile accident.

Understanding your firm’s dependency on key personnel is very important.  Even when systems are documented, that documentation’s usefulness may be questionable.  Documentation that hasn’t been reviewed and tested might be meaningful to those who created it, but not to those trying to use it to complete a process in the author’s absence.

Some of my clients have actually drafted letters to be delivered to their investors in the event of their deaths. Those letters are in their contingency plan – what’s in yours?

Unless you live in a cave, you have probably heard lead-ins to the story from reporters,  “Enjoy the Internet while you have it.”  These reports make reference to Monday, July 9th, 2012 as Internet Doomsday.

Here is what you should know about the threat:

  1. It isn’t new.  This malware has been around for a while.
  2. If your PC is serviced regularly, and your antivirus program is active, it is unlikely to be a problem.
  3. There is no impending attack.  Potential outages will actually be caused by the FBI taking temporary DNS servers offline.  If your PC is infected with this malware, then you will lose Internet access until the malware is removed and the proper DNS settings are restored.
  4. According to current reports, 360,000 PCs worldwide and 64,000 PCs in the United States (US) are still infected.  Per census data (July 2011) there are over 311 million people living in the US.  So there are a relatively small number of infected PCs here.

Nonetheless, you can go ahead and check whether your system has been compromised using the following link: http://www.dns-ok.us/

Since servers in the corporate environment typically provide DNS information to the connected workstations in an office, your office DNS servers should also be checked. For more details on this issue, refer to the FBI article.
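A local way to run the check described above, as an added example that is not from the original post or the FBI article: it parses `ipconfig /all` output and flags any DNS server that is not on the office's approved list. The sample output, the host name and the approved addresses are constructed assumptions; the check goes slightly beyond the web test linked above by covering every network adapter.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output. All addresses come from
# private or documentation ranges; none is a real indicator.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-057

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : office.example
   IPv4 Address. . . . . . . . . . . : 192.168.10.57(Preferred)
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.5
                                       192.168.10.6
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 192.168.10.88(Preferred)
   DNS Servers . . . . . . . . . . . : 203.0.113.40
                                       192.168.10.5
"""

# Assumption: the resolvers this office is supposed to use.
APPROVED_RESOLVERS = {"192.168.10.5", "192.168.10.6"}

# "   Label . . . . : value" lines; continuation lines do not match.
FIELD = re.compile(r"^\s+(?P<key>[^:]+?)[ .]*:(?:\s+(?P<val>.*))?$")


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [DNS server IPs]} from `ipconfig /all` text."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if not line.strip():
            in_dns = False
            continue
        if not line[0].isspace():
            # Section header; only "... adapter ...:" headers start an adapter.
            name = line.strip()
            current = name.rstrip(":") if name.endswith(":") else None
            if current is not None:
                adapters[current] = []
            in_dns = False
            continue
        if current is None:
            continue
        field = FIELD.match(line)
        if field:
            in_dns = field["key"] == "DNS Servers"
            value = field["val"] if in_dns else None
        else:
            # Extra DNS servers are listed on indented lines with no label.
            value = line.strip() if in_dns else None
        if value:
            try:
                # Drop an IPv6 zone id such as "%11" before validating.
                ip = ipaddress.ip_address(value.split("%")[0])
            except ValueError:
                continue
            adapters[current].append(str(ip))
    return adapters


def unexpected_resolvers(adapters, approved):
    """Return {adapter: [resolvers not on the approved list]}."""
    allowed = {str(ipaddress.ip_address(a)) for a in approved}
    findings = {}
    for name, servers in adapters.items():
        extra = [s for s in servers if s not in allowed]
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    for adapter, extra in unexpected_resolvers(found, APPROVED_RESOLVERS).items():
        print(f"{adapter}: unapproved DNS server(s) {', '.join(extra)}")
```

An unapproved resolver is a prompt to investigate, not proof of infection; guest networks and VPN clients also change these settings.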

I’ll admit that I worry about my data.  I have a plethora of backups for personal and business reasons, but I’m still concerned that everything may not be backed up and organized as it should be to ensure a speedy recovery of critical data in the wake of a true disaster.   Furthermore, in order to deter would-be hackers from accessing it, the data needs to be stored in an encrypted format.

In the past three decades, hard drive capacities have managed to grow exponentially, while somehow becoming smaller than ever.  Believe it or not, ten megabyte (mb) drives used to approach the size of cinder blocks and cost $4,500.  Today, you can store 32 gigabytes (gb) on something the size of a quarter for $45.  The data stored on systems, both personally and professionally, has mushroomed, making it all too easy to lose track of what is truly important.

The lazy way

Just because your latest PC has room for over 1 terabyte (tb) of data doesn’t mean it all needs to be backed up.  In real-life scenarios, it is surprising just how little data is absolutely critical.  Lazy backup methodologies that capture everything can make recovery more time consuming and potentially problematic. 

In our first-hand experience with clients faced with recovering from a disaster, the only files immediately required are those used in day-to-day operations.  Though a company may regularly back up a few hundred gigabytes of data daily, it likely needs a small fraction of that data to function.

For example, imagine losing everything – including your portfolio accounting system data – and trying to service your clients.  Axys, one of the most critical systems for many investment advisors, is an excellent example because the files typically don’t take that much space. Given our experience with many Axys users, I suspect that most clients’ entire Axys system takes less than 2 gb.

Now imagine losing all of your data, except your portfolio accounting system data and your access to your email.  It would be inconvenient, but you would be able to get by until your other systems could be fully recovered.

Don’t be cheap

Cost should be a non-issue here.  Assuming you have 8 gb of data, an online backup could cost as little as $4 per month or as much as $100 per month, depending on the vendor.  We prefer to use VaultLogix for many of our clients due to the sophistication of their software, which has versatile features such as Exchange message level backup and restore capabilities. 

Even if you feel that you already have a reliable backup in place, we recommend multiple methods.  Based on our experience with disaster recovery, I prefer to see no less than three methods performed by independent parties, but managed by senior IT staff or a consultant who can attest to their veracity:

  1. Local onsite physical backup via NAS, tapes or external hard drives.
  2. An offsite backup server where vital data is synchronized in real-time or regularly restored.
  3. An online backup through a third party.

Local backups require proper management to make sure that data is being backed up and the resulting backups are usable.  Even after all the years I have spent dealing with these issues, I am still surprised when I find out that somebody isn’t managing this process properly.

To err is human

I have run into companies that cycled through media every day without checking the resulting logs, only to find out when they needed the backup that it hadn’t been working for years.  And I have seen clients independently decide to insert the same tape over and over again, eventually destroying the tape in the process … along with the only recent copy of their data.

Read the SLA

The what?  An SLA, a.k.a. Service Level Agreement, is the fine print. It is probably detailed in 7-point font, where most data backup vendors tell you that they won’t reimburse you for more than you pay them on a monthly basis, even if you lose data because of a system failure.  Your data is priceless – you couldn’t sue the vendor for enough to make up for the loss of your data, so even if you contract with a vendor for data backup, your firm needs to own the process. Perform quality checks and have a contingency plan in case your vendor fails to do the job.
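One way to perform the quality check described above without relying on the backup job's own log, as an added example that is not from the original post or any vendor's tooling. It assumes the backup job records a completion time and a SHA-256 hash per file in a manifest stored with the backup set; `manifest.json`, the 26-hour freshness window and the sample files are all constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical file name written by the backup job


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def run_backup(source, dest, now=None):
    """Stand-in for a real backup job: copy files, then record what was copied."""
    source, dest = Path(source), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    files = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        files[rel] = sha256_file(path)
    manifest = {"completed": time.time() if now is None else now, "files": files}
    (dest / MANIFEST).write_text(json.dumps(manifest))


def verify_backup(dest, max_age_hours=26, now=None):
    """Re-read the backup set and report whether it is recent, complete and intact.

    Returns a dict with 'stale' (bool), 'missing' and 'corrupt' (lists) and
    'usable' (True only when every check passes).
    """
    dest = Path(dest)
    now = time.time() if now is None else now
    report = {"stale": True, "missing": [], "corrupt": [], "usable": False}
    try:
        manifest = json.loads((dest / MANIFEST).read_text())
        completed = float(manifest["completed"])
        files = dict(manifest["files"])
    except (OSError, ValueError, KeyError, TypeError):
        return report  # no readable manifest: treat the set as unusable
    report["stale"] = (now - completed) > max_age_hours * 3600
    for rel, expected in files.items():
        copy = dest / rel
        if not copy.is_file():
            report["missing"].append(rel)
        elif sha256_file(copy) != expected:
            report["corrupt"].append(rel)
    report["usable"] = not (report["stale"] or report["missing"] or report["corrupt"])
    return report


def demo():
    """Constructed sample data: three small files standing in for critical data."""
    with tempfile.TemporaryDirectory() as tmp:
        source, dest = Path(tmp, "critical"), Path(tmp, "backup")
        (source / "portfolio").mkdir(parents=True)
        (source / "portfolio" / "positions.dat").write_bytes(b"constructed sample 1")
        (source / "clients.db").write_bytes(b"constructed sample 2")
        (source / "books.qbw").write_bytes(b"constructed sample 3")
        t0 = 1_700_000_000  # fixed clock so the results are repeatable
        run_backup(source, dest, now=t0)
        fresh = verify_backup(dest, now=t0 + 3600)
        # Simulate silent media damage and a file that went missing.
        (dest / "clients.db").write_bytes(b"bit rot")
        (dest / "books.qbw").unlink()
        damaged = verify_backup(dest, now=t0 + 3600)
        # The same set checked three days later: the job has stopped running.
        stale = verify_backup(dest, now=t0 + 3 * 86400)
        return fresh, damaged, stale


if __name__ == "__main__":
    for name, result in zip(("fresh", "damaged", "stale"), demo()):
        print(name, result)
```

Run the verification from a different account or machine than the backup job, so a job that silently stopped cannot also silence the check.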

In the past, I have preached about the necessity of backing up data through a variety of methods.  For most RIAs, the data is so utterly vital that they cannot afford to take any chances.  Investment advisors cannot afford to forgo insurance against the unexpected; there is simply no excuse not to have multiple backups of your most important data. However, these backups should be encrypted, whether they are stored on a USB drive or through an online backup service.

Your portfolio management accounting system obviously isn’t the only essential data at your office.  Think about what else would be extremely difficult to do without and take proper precautions.  You will likely come to realize that your firm’s most important data doesn’t take anywhere near the amount of space required for your regular backup.  Once you identify your most valuable data, you can look into additional backup methods to protect it.

Our most valuable data is the source code for the programs we have created, our client database, QuickBooks, marketing materials, and Exchange data, in that order.  This data, excluding Exchange, easily fits on a hardware-encrypted 8 gb USB drive.  We have a lot of other information stored on our server, including data test beds, program files, installation files, documentation, and media, but this data is not crucial.

By definition, non-critical information can be downloaded again, acquired easily enough or won’t be missed if it cannot be recovered.  On the other hand, our most critical information would be very difficult and time-consuming to recreate if not impossible.  These same principles should be applied to backing up your personal files.  What is most valuable to you personally?  My personal file priorities include source code, financial records, important documentation, photos, videos, and music, in that order.

At my home, I have a large hardware-encrypted NAS (Seagate NAS 440) that backs up these files locally and has RAID 5 fault-tolerance.  This device is ideal protection against everything but fire or theft.  Using the Acronis software included with the NAS, I can do a full recovery of any of our PCs.  If the NAS is stolen, none of the data can be accessed without the USB drive “key,” which contains the necessary encryption key to unlock access to the drive’s data.

My self-imposed personal needs for file synchronization and a redundant, independent online backup, as well as the sheer quantity of data I back up, demand that I use a combination of low-cost online backup providers such as Dropbox, Mozy or Carbonite.  Users of these systems can and should take extra precautions to ensure that their data is encrypted with keys they manage.  Doing so requires an extra step.  For example, Dropbox data is encrypted in transit, but your Dropbox folder is probably stored on an unencrypted drive.   If your notebook hard drive isn’t encrypted and gets stolen, your data can be easily accessed.  Placing the Dropbox folder on an encrypted drive is a best practice.

The amount of time required to get the initial image of your files into the cloud can be daunting, but the cost is reasonable.  If you have hundreds of gigabytes of data, it could quite literally take months to perform your initial backup, depending on the speed of your Internet connection.  Given this reality, the sooner you start, the better.  Subsequent daily backups typically take minutes, not hours or days.  Mozy, a subsidiary of VMware, has recently introduced a data shuttle option that eliminates the need to initially back up over the Internet, allowing users to simply send their encrypted data via a Mozy-provided hard drive.  However, the service is only available to Mozy Pro users with physical addresses in the United States.

Planning for a real disaster

Like many of the investment firms we service, we have a contingency plan in place that we update regularly, but I am a realist regarding disasters and recovery.  A real disaster is unprecedented: an earthquake that spawns a tsunami that causes a meltdown in Japan, tornadoes in Massachusetts and hurricanes in Vermont.  It isn’t one hard drive failing, it’s two or more, and it can happen over the course of a few weeks or a few seconds.  It can be water where it shouldn’t be, or just plain stupidity.

Contingency planning is intended to lower your overall risk, not anticipate every possible disaster.  So even with redundant, independent backups, I worry about the details of restoring my most critical data, and you should worry about yours too.  Get started by identifying your most critical data today.  Make sure you have it backed up three different ways and stored in three different locations.  Don’t assume that one well-managed backup method is sufficient.  Anticipate problems with what you count on most, and plan for a real disaster – one you cannot predict or imagine.
