Wednesday, 19 April 2017

Risk Mitigation as a process


Software companies in India
Risk mitigation, another process of risk management, involves prioritizing, evaluating, and implementing the suitable risk-reducing controls suggested from the risk assessment process. Since the elimination of all risk is typically impractical or close to impossible, it is the obligation of senior management and functional and business managers of software companies in India to practice the least-cost approach and implement the most appropriate controls to shrink mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission.

RISK MITIGATION OPTIONS
Risk mitigation is an organized methodology used by senior management to shrink mission risk. Risk mitigation can be accomplished via any of the following risk mitigation options:

Risk Assumption
To accept the probable risk and continue operating the IT system or to implement controls to lower the risk to an satisfactory level

Risk Avoidance
To avoid the risk by eradicating the risk cause and/or consequence (e.g., forgo specific functions of the system or shut down the system when risks are acknowledged)

Risk Limitation
To limit the risk by implementing controls that minimize the opposing impact of a threat’s working out a vulnerability (e.g., use of supporting, preventive, detective controls)

Risk Planning
To manage risk by developing a risk mitigation plan that ranks, implements, and maintains controls

Research and Acknowledgment
To lower the risk of loss by recognizing the vulnerability or defect and researching controls to correct the vulnerability

Risk Transference
To handover the risk by using other options to reimburse for the loss, such as purchasing insurance.


The goals and mission of an organization should be reflected in selecting any of these risk mitigation options. It may not be practical to tackle all identified risks, so importance should be given to the threat and vulnerability pairs that have the potential to source significant mission impact or harm. Also, in defending an organization’s mission and its IT systems, because of each organization’s distinctive environment and objectives, the alternative used to mitigate the risk and the methods used to implement controls may differ. The “best of breed” tactic is to use suitable technologies from among the several vendor security products, along with the suitable risk mitigation option and nontechnical, administrative measures.

Following are rules of thumb, which provide guidance on actions to mitigate risks from deliberate human threats:

When vulnerability (or defect, weakness) exists
 ➞ Implement assurance techniques to diminish the likelihood of a vulnerability’s being exercised.

When a vulnerability can be exercised
➞ put on layered protections, architectural designs, and administrative controls to reduce the risk of or prevent this incidence.

When the attacker’s cost is a smaller amount than the possible gain
➞ apply protections to decrease an attacker’s incentive by increasing the attacker’s cost (e.g., use of system controls such as restraining what a system user can access and do can considerably reduce an attacker’s gain).

When loss is too excessive
➞ apply design principles, architectural designs, and technical and nontechnical shields to limit the range of the attack, thereby reducing the likely for loss.

The strategy sketched above, with the exclusion of the third list item (“When the attacker’s cost is a smaller amount than the possible gain”), also applies to the mitigation of risks rising from environmental or unintended human threats (e.g., system or user errors). Because there is no “attacker,” no motivation or gain is involved. Software companies in India have started believing in risk mitigation process and it has proved to be a drastic risk reducing and controlling factor for them.

Friday, 10 March 2017

ITIL Service Design

software development company

The scope of Service Design covers the design of new IT services, as well as modification, changes and improvements made to the existing ones.

The activities included in Service design are :
  • To design the IT services to meet Business Objectives of a software development company.
  • To design Secure & flexible IT Infrastructure.
  • To analyze, identify and remove the risks associated with the IT services before they go live.
  • To create & maintain the IT plans, processes, policies and frameworks.
  • To design methods & metrics for the measurement of the effectiveness of processes.
  • Design Effective & efficient processes for design, transition & operation phases

The Service Design includes different phases, namely :
  1. Design Coordination
  2. Service Catalogue Management
  3. Service Level Management
  4. Availability Management
  5. Capacity Management
  6. Supplier Management
  7. Information Security Management
  8. Service Continuity Management
  9. Risk Management
  10. Compliance Management
  11. Architecture Management
DESIGN COORDINATION
Design Coordination handles all processes in the Design stage and acts as the center point of all the communication.
It governs all designing activities and make sure that the consistent design of IT services is aligned with the service strategy.

Five Sub processes of the Design Coordination includes :
  • Design Coordination Support
  • Service Design Planning
  • Service Design Coordination and Monitoring
  • Technical and Organizational Service Design
  • Service Design Review and RFC Submission
SERVICE CATALOGUE MANAGEMENT

Service Catalogue Management includes the IT Services which are ready to be used and implemented.

The objective of the Service Catalogue Management includes :
  • Creating and maintaining the Service Catalogue.
  • Keeping the Service Catalogue updated with the latest trends and information.
  • There has to be Continual Improvement in Management of Service Catalogue.
Service Catalogue :

The service catalogue is defined as the single source of information for all the offerings of IT services. It includes Operational & in Transition Services. Service catalogue is considered as a part of Service Portfolio. Service Catalogue emphasizes on what kind of IT service software development company would would like to offer to its customers based on the needs of the customers.

The different types of Service Catalogue are given as :
  • Business Service Catalogue
  • Technical Service Catalogue

AVAILABILITY MANAGEMENT


The Availability Management ensures that the IT services are working as agreed upon.

The objective of the Availability Management includes :
  • To ensure agreed Availability Level is continuously met or not and check whether it has exceeded the expected level or not.
  • To ensure that a defined level of IT services are accessible to customer in a cost effective way.
  • The availability management ensures Availability
  • The availability management ensures Reliability
  • The availability management ensures Maintainability
  • The availability management ensures Serviceability
  • The availability management ensures Fault Tolerance
Three sub-processes of Availability Management includes :
  • Design Services for Availability Process
  • Availability Testing Process
  • Availability Monitoring and Reporting.
SERVICE LEVEL MANAGEMENT

The Service Level Management covers the negotiation & service level agreement with the clients on the various IT service provided.

The objective of the Service Level Management includes :
  • It focuses on the negotiation, agreement and documentation of the agreed levels of the IT Services.
  • Maintaining the balance between expectation of the customers and the capabilities of an IT organization.
  • Emphasizes on continual improvement and maintaining of the agreed IT service levels
  • It looks onto managing the performance as per the agreed service level norms.
  • Maintain the customer relationship is given importance.

Four Service Level Management sub-processes includes :
  • Maintenance of the SLM Framework Objective
  • Identification of Service Requirements Objective
  • Agreements Sign-Off and Service Activation
Service Level Monitoring and Reporting Process

CAPACITY MANAGEMENT


The Capacity Management ensures IT services are sized in very cost effective manner and at the optimum level.

Mapping and ensuring that the capacity of IT services with the IT infrastructure is able to deliver the agreed service level targets in a cost effective and timely manner.
It ensures that the IT infrastructure is utilized to its optimum level.
Capacity plan should be regularly produced and updated.

Four Sub processes of the Capacity management includes :
  • Business Capacity Management
  • Service Capacity Management
  • Component Capacity Management
  • Capacity Management Reporting
SUPPLIER MANAGEMENT

The role of the Supplier Management in an IT organization is to manage Supplier Relationship & Performance and maintain it for the advantage of the organization on the ease of resource availability.

The objectives of the Supplier Management includes :
  • To enhance and maintain the supplier relationship & performance
  • To Ensure the relevant and correct contracts with the supplier of the IT services
  • To manage and maintain the contracts throughout the supplier management lifecycle
  • To create and maintain the database of Supplier Policy and Contracts
Six Sub Processes of Supplier management includes :
  • Providing the Supplier Management Framework
  • Evaluation of new Suppliers and Contracts
  • Establishing new Suppliers and Contracts
  • Processing of Standard Orders Process
  • Supplier and Contract Review Process
  • Renewal or Termination Process
INFORMATION SECURITY MANAGEMENT

Information Security Management is the way to protect the data and information of the IT organization against the vulnerabilities of the natural or environmental factors. 

The objectives of the Information Security Management includes :
  • To prevent  against the unauthorized access
  • To provide various effective security measures at different levels : Strategic, planned & Operational organizational Levels
  • To match and comply with the Information Security Requirements as per Service Level Agreement
Four Sub Processes of the Information Security Management includes :
  • Design of Security Controls
  • Security Testing
  • Management of Security Incidents
  • Security Review
SERVICE CONTINUITY MANAGEMENT

The Service Continuity Management process focuses on the continuation and the recovery  of the IT services even after the disaster and ensuring that they work in the same fashion as before as per the  agreed & applicable SLA

The objectives of the service continuity management includes :
  • To create & manage IT service continuity & recovery plans
  • To reduce potential disaster occurrence
  • Balance SLAs & Cost factors while planning for service continuity
Four sub processes of the service continuity management includes :
  • ITSCM Support Objective
  • Design Services for Continuity
  • ITSCM Training and Testing
  • ITSCM Review.
Conclusion: The service design helps to an IT organization to design new services and increasing the relationship with the IT service providers and the supplier along with maintaining the relationship with the customer thereby increasing the value of the IT organization. It helps to maintain the existing IT Services as well as implementing new services.

References :

http://wiki.en.it-processmaps.com/index.php/ITIL_Service_Design

Wednesday, 8 February 2017

Types of Network Security

Software development companiesNetwork scanning is a scanning used to define vulnerabilities in a network. A scan can be used by security experts to shield the security of a network from an external attack. Hackers may use a scan to find vulnerabilities. Different types of scanning are as under,



Three–Way Handshake

TCP is connection-oriented, which indicates connection establishment is principal prior to data transmission between applications. This connection is possible using the process of the three-way handshake. The three-way handshake is applied for establishing the connection between protocols.

The three-way handshake procedure goes as follows:
  • To launch a TCP link, the source sends a SYN packet to the destination (10.0.0.3:21).
  • The destination, on getting the SYN packet, i.e., sent by the source, responds by referring a SYN/ACK packet back to the source.
  • This ACK packet checks the arrival of the first SYN packet to the source.
  • The source sends an ACK packet for the ACK/SYN packet sent by the receiver.
  • This triggers an "OPEN" connection agreeing communication between the source and the destination, until any of them send a "FIN" packet or a "RST" packet to close the connection.
The TCP protocol keeps stateful connections for all connection-oriented protocols across
the Internet, and works the same as a normal telephone communication, in which one picks up a telephone receiver, hears a dial tone, and dials a number that generates ringing at the receiver end until a person picks up the receiver and tells, "Hello."

Stealth Scan(Half-Open Scan)

Stealth scan sends a single frame to a TCP port without any TCP handshaking or extra packet transfers. This is a scan type that leads a single frame with the expectation of a single response. The half-open scan partly opens a connection, but stops midway. This is also known as a SYN scan because it only directs the SYN packet. This stops the service from ever being reported of the incoming connection. The three-way handshake approach is also implemented by the stealth scan. The variation is that in the last stage, remote ports are recognized by examining the packets entering the interface and dismissing the connection before a new initialization was activated.

The process preludes the following:
  • To start initialization, the client forward a single "SYN" packet to the destination server on the matching port.
  • The server initiates the stealth scanning process, depending on the response sent.
  • If the server forwards a "SYN/ACK" response packet, then the port is in "OPEN" state.
  • If the response is advanced with an "RST" packet, then the port is in a "CLOSED" state.

NULL Scan

NULL scans direct TCP packets with all flags turned off. It is expected that closed ports will return a TCP RST. Packets received by open ports are rejected as invalid. It sets all flags of TCP headers, such as SYN, ACK, FIN, RST, URG and PSH, to NULL or unassigned. When any packets reach at the server, BSD networking code notifies the kernel to drop the incoming packet if a port is open, or sends an RST flag if a port is closed. This scan uses flags in the opposite fashion as the Xmas scan, but gives the similar output as FIN and Xmas tree scans. Many network codes of major operating systems can behave inversely in terms of responding to the packet, ex, Microsoft versus UNIX. This method does not helpful for Microsoft operating systems. Command line for null scanning with NMAP is " -sN"
Advantage:
It evades IDS and TCP three-way handshake.
Disadvantage:
It is helpful only for UNIX.

Network scanning scans networks for vulnerabilities in the security of that network. If there is a vulnerability with the safety of the network, it will give a report back to a hacker who may use this information to exploit that network bug to gain entry to the network or for other malicious actions.

Tuesday, 10 January 2017

Introduction to Project Management

Software development companies

What Is a Project?

A project is defined as a temporary attempt undertaken to make a unique product, service. The project achieves when its objectives are met or when the project has been terminated. The time taken to complete a particular project depends upon its size. It can be a large or small project. Software development companies define the project similarly except that the objectives are different and business oriented.

Project Attributes

The attributes of project includes a unique purpose for which the task is undertaken. To carry out a project different resources are required from different domain or areas.
Projects are temporary and they should have a sponsor or a primary customer. There is always an uncertainty attached with a project.

The project sponsor is the person who is responsible for providing the direction and funding for the project.

Project and Program Managers

Project managers work with the entire Project Team, Project Sponsors, and all the other people involved in a project to meet project goals and objectives whereas a Program is defined as group of related projects managed in a coordinated way to obtain benefits and control not available from managing them individually

What is Project Management?

Project management is the use of knowledge, skills, various tools and techniques to achieve goals and meet the requirements of the project. The triple constraints of project management are scope, time and cost.

The project stakeholders are part of project. They are the people involved and affected by the various activities carried out in the project. Stakeholders can be the project sponsor, project manager, project team, clients/customers, users and suppliers.

The key competencies required by project managers are described by the Knowledge areas.

The four core knowledge areas are scope, time, cost, and quality. They lead to some specific project objectives. The other four facilitating knowledge areas through which the project objectives are achieved are given as HR, communication, risk, and Procurement management.

To assist project manager, various Project management tools and techniques are used. Some specific tools and techniques include Project charter, Scope and Work Breakdown Structure, the Gantt charts, Network diagrams, Critical Path and chain scheduling. The knowledge are taking into cost are given as cost estimates and Earned Value Management (EVM).

As a part of Project management, Super tools have high use and potential for improving project success and achieve project goals such as Task scheduling software, Scope statements, various requirement analysis, and the report for the lessons learnt.

Tools, as suggested by some software development companies in India, which are extensively used and found to improve the importance of project includes the project progress reports, scheduled Kick-off meetings and Change requests.

The following points should be taken care for a successful project. They are given as:
  • Support from Executives
  • There should be continuous User involvement
  • Experienced project manager
  • Clearly defined Business objectives
  • Minimized and focused scope
  • Standard Software infrastructure
  • Formal Methodologies
  • Reliable cost and resource estimates
  • Other criteria such as milestones, proper project planning, competent and reliable staff.

Most Important Skills and Competencies for Project Managers for a successful projects :
  • People skills
  • Leadership skill to guide and lead all the people working in the project.
  • Listening skills to take better decisions to achieve project goals.
  • Should be strong at building trust
  • Verbal communication
  • Managing and Building project teams
  • Project manager should be an ideal decision taker to Conflict resolution, conflict management.
  • They should have a Critical thinking to carry out effective and unique project.
  • Project manager should have problem solving skills to manage the problems arising during the project development.