Wednesday, 19 April 2017

Management involvement in risk assessment


Minimising negative impact on the organization and providing a sound basis for decision making are the fundamental reasons software companies in India implement a risk management process for their IT systems. Risk management is a management responsibility.

This article describes the key roles of the personnel who should support and participate in the risk management process.
Senior Management
Senior management, under the standard of due care and with ultimate responsibility for mission accomplishment, must make sure that the necessary resources are effectively applied to develop the capabilities needed to complete the mission. They must also assess and incorporate the results of risk assessment activities into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

Chief Information Officer (CIO).
The CIO is accountable for the agency’s IT planning, accounting, and performance, including its information security components. Decisions made in these areas should be grounded in an effective risk management program.

System and Information Owners.
The system and information owners are accountable for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancements, major changes to software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support it.

Business and Functional Managers. 
The managers accountable for business operations and the IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions vital to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed appropriately, will deliver mission effectiveness with a minimal expenditure of resources.
ISSO
IT security program managers and computer security officers are responsible for their organizations’ security programs, including risk management. Consequently, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions. ISSOs also act as key consultants to senior management to make sure that this activity takes place on a continuing basis.
IT Security Practitioners
IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for the proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion of network connectivity, modifications to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as required to safeguard their IT systems.
Security Awareness Trainers (Security/Subject Matter Experts)
The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behaviour is critical to mitigating risk and protecting the organization’s IT resources. To reduce risk to the IT systems, it is essential that system and application users receive security awareness training. Therefore, the IT security trainers or security/subject matter experts must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.

Software companies in India need extensive management and personnel support in order to execute a risk management program successfully, resulting in reduced uncertainty and risk, backed by suitable contingency plans.

Friday, 10 March 2017

ITIL Service Transition

http://www.ifourtechnolab.com/

Service Transition
The ITIL Service Transition helps to plan and deploy IT services. Service Transition ensures that the changes made to IT services and Service Management are carried out in a coordinated way.
The Service Transition includes different phases, namely:
  • Service Asset & Configuration Management
  • Change Management
  • Change Evaluation
  • Transition Planning and Support
  • Release & Deployment Management
  • Knowledge Management
  • Service Validation and Testing

SERVICE ASSET AND CONFIGURATION MANAGEMENT
The objectives of Service Asset and Configuration Management include:
  • Identify, record and provide accurate information on the Configuration Items (CI = IT components)
  • Provide the logical model of the IT infrastructure correlating the IT services and their components
  • Protect the integrity of the CIs
  • Create, implement and maintain the Configuration Management System
  • Manage Service Assets
  • Perform regular audits / status accounting activities for all the CIs

CHANGE MANAGEMENT
The objectives of Change Management include:
  • Study the adverse impact of change and minimize it
  • Create and maintain a Change Management process
  • Prevent unauthorized changes
  • Prepare Change Management plans
  • Conduct post-implementation reviews of changes
  • Maintain a record of all changes
Activities:
  • Record RFC
  • Review RFC
  • Assess and evaluate the Change (the 7 Rs of Change)
  • Authorize the Change
  • Issue the Change plan (to the R&D team)
  • Support/coordinate Change implementation
  • Post-Change review

CHANGE EVALUATION

To assess major Changes, such as the introduction of a new IT service or a change to an existing service, before those Changes are allowed to proceed to the next phase in their life cycle.

Change Evaluation prior to Planning
  • To assess a proposed major Change before authorizing the Change planning phase.
Change Evaluation prior to Build
  • To assess a proposed major Change before authorizing the Change build phase.
Change Evaluation prior to Deployment
  • To assess a proposed major Change before authorizing the Change deployment phase.
Change Evaluation after Deployment
  • To assess a major Change after the Change deployment phase.
The next process of the Service Transition is Release and Deployment Management.

RELEASE AND DEPLOYMENT MANAGEMENT
The objectives of Release and Deployment Management include:
  • Implementing the authorized changes as per the Change Management plan
  • Plan, design, build, test and install hardware and software components
  • Skills and knowledge transfer to enable
    -- Customers and users to make optimum use of the service
    -- Operations and support staff to run and support the service
SERVICE VALIDATION AND TESTING
Service Validation and Testing ensures that the deployed releases and the resulting services meet customer expectations, and verifies that IT operations is able to support the new service. Its activities include:
  • Test Model Definition
  • Release Component Acquisition
  • Release Test
  • Service Acceptance Testing
KNOWLEDGE MANAGEMENT

The objectives of Knowledge Management include:
  • Improve efficiency by reducing the need to rediscover knowledge
  • Create, maintain and update the Service Knowledge Management System
  • Ensure that correct and up-to-date information is available at the right time for the organization’s requirements

TRANSITION PLANNING AND SUPPORT

This process of Service Transition (project management) deals with planning the resources to deploy a major release within the predicted cost, time and quality estimates.
  • Project Initiation
    To define the stakeholders of the project, the responsibilities and resources available to the project, and to document the risks, constraints and assumptions affecting the project.
  • Project Planning and Coordination
    To ensure that Service Transition projects are planned in accordance with the software organization’s project management guidelines, and to coordinate activities and resources across projects.
  • Project Control
    To monitor project progress and resource consumption.
  • Project Reporting and Communication
    An overall summary of all planned or ongoing Service Transition projects, provided as information for customers and other Service Management processes.
Conclusion:
Thus, IT software development organizations should use and implement Service Transition to plan, implement and manage the changes to an IT service as a part of the ITIL processes. Managing the risk for new as well as existing IT services, and for the changes made to IT services, will protect the production environment. This eventually leads to delivering business value along with good customer relationship management.

References:

http://wiki.en.it-processmaps.com/index.php/ITIL_Service_Transition

Tuesday, 7 February 2017

IT Outsourcing – Local in comparison with Global

ASP DOT NET software companies in India


The latest trend in localised outsourcing includes hiring local employees, which eliminates language barriers and cultural differences. Software companies in India don’t have to go to another country to find a bargain, a better resource, a better product or better service. A cheaper overall package can occasionally be found on the doorstep; localised outsourcing can deliver all of these advantages and is coming to be seen as an increasingly attractive option.

With businesses facing mounting costs and uncertain global economic stability, localised outsourcing has become a new cost saving measure that is seeing increased uptake. ASP DOT NET software companies in India have moved to promote and invest in SMEs, with the development of SMEs as suppliers being a key part of their strategy for moving revenue out of recession.

Numerous popular offshore outsourcing destinations are becoming increasingly expensive, and even outsourcing within the same country can present logistical complications. Local outsourcing can offer efficiencies and levels of convenience that, even in a digital age, are simply not present elsewhere.

Frequently, multi-national or global companies will seek efficiencies and employ local services around their different sites. A hybrid approach is becoming very popular, with large businesses adopting the advantages of both local and distant outsourcing.

Individual customers may have precise reasons for wishing to keep specific services onshore – such as data-protection and security – but it is more than likely that for other services, location selections will depend largely on the vendor’s verdict that conditions are suitable.

Localised outsourcing can sometimes be difficult to employ successfully. Popular areas for outsourced overseas services often include countries with developing economies. Political pressures and conflicts can be a risk of localised outsourcing. Social and political unrest, particularly in many developing markets, and consequently for software companies in India, has confirmed the geopolitical risk of locating business services abroad.

Global businesses can recruit localised services around sites in numerous geographic locations. While this allows for increased efficiency, lower procurement costs, and taking advantage of local resources such as an educated workforce, low cost labour and swift transport times, the employment of localised services can give rise to cultural differences. These can sometimes be a hindrance if not effectively planned for, because essential differences in culture exist from one nation to another. These differences can have an important bearing on how procurement does business and builds relationships with suppliers.

Centralised procurement can arguably lead to a more consistent and compelling message while leveraging economies of scale; however, these benefits hinge on the relationship between central decision-makers and local markets.

Problems regarding cultural differences can be avoided through forward planning and an understanding of cultural backgrounds. Having a project manager or workers within the team who have a link to the cultural environment close to an outsourcing project can help to provide a smooth transition and create robust links, which in turn increases the efficiency of localised outsourcing.

Some C# software companies in India, in their quest for a smooth, single global model, are unintentionally creating cracks in their own supply chain. Yet it doesn’t have to be this way. If only local managers were involved and engaged from the outset, global category managers would find that they could avoid weeks of indecisive negotiations with their colleagues and agency suppliers.

Localised outsourcing can have difficulties and clear limitations; however, the employment of a hybrid model permits businesses to take full advantage of the efficiencies on offer. The benefits of localised outsourcing to businesses are recognised by the majority of asp.net software companies in India. With planning, users can avoid potential risk and attain cost savings, overall efficiency and a detailed overview, together with the swift delivery of services.

Friday, 13 January 2017

Side-channel Attack 

asp.net software companies in india

In cryptography, a side-channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than on brute force or theoretical weaknesses in the algorithms; this applies to systems built by organizations including asp.net software companies in India as well. For example, timing information, power consumption, electromagnetic leakage or even sound can offer an extra source of information, which can be exploited to break the system. Some side-channel attacks require technical knowledge of the internal operation of the system on which the cryptography is implemented, although others, such as differential power analysis, are effective as black-box attacks.

Classifications of Side Channel Attacks
Side channel attacks are usually classified in the literature along the following three orthogonal axes:
  • Classification by the attacker’s control over the computation process;
  • Classification by the way the module is accessed;
  • Classification by the method used in the analysis process.
Controls over the Computation Process
Depending on the attacker’s control over the computation process, SCA attacks can be broadly classified into two main categories: passive attacks and active attacks. We refer to passive attacks as those that do not noticeably interfere with the operation of the target system; the attacker gains some information about the target system’s operation, but the target system behaves exactly as if no attack were occurring. In an active attack, on the other hand, the adversary exerts some influence on the behavior of the target system. While the actively attacked system may or may not be able to detect such influence, an outside observer would notice a difference in the operation of the system. It is important to note that the distinction between active and passive attacks has more to do with the intrinsic nature of the attack than with the invasiveness of its physical implementation.
Ways of Accessing the Module
When analyzing the security of a cryptographic hardware module, for instance one used by an asp.net software company in India, it can be useful to perform a methodical review of the attack surface: the set of physical, electrical and logical boundaries that are exposed to a potential adversary. From this viewpoint, side channel attacks are divided into the following classes: invasive attacks, semi-invasive attacks and non-invasive attacks.

Invasive Attacks

An invasive attack involves depackaging the device to get direct access to the internal components of cryptographic modules or devices. A typical example is that the attacker may open a hole in the passivation layer of a cryptographic module and place a probing needle on a data bus to observe the data transfer.
Tamper-resistant or tamper-responsive mechanisms are usually implemented in hardware to thwart invasive attacks. For example, some cryptographic modules of a higher security level will zeroize all their memories when tampering is detected [116].

Semi-invasive Attacks  
This kind of attack involves access to the device, but without damaging the passivation layer or making electrical contact other than with the authorised surface. For example, in a fault-induction attack, the attacker may use a laser beam to ionize the device, altering some of its memory contents and thus altering the output of the device.

Non-invasive Attacks 
A non-invasive attack involves close observation or manipulation of the device’s operation. This attack only uses externally available information that is often unintentionally leaked. A classic example of such an attack is timing analysis: measuring the time taken by a device to perform an operation and correlating this with the computation executed by the device in order to deduce the value of the secret keys.
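As an added illustration of the timing analysis just described (example code written for this page, not from the original post or any particular product), the following Python shows why a data-dependent early exit is the leak and how a constant-time comparison removes it; the secret and guesses are constructed sample values.

```python
# Added example (not part of the original post): a data-dependent early-exit
# comparison leaks information through the timing side channel, while a
# constant-time comparison does not. Wall-clock timing is noisy, so each
# function also returns the number of bytes it examined, which is the
# quantity an attacker's timing measurement approximates.
import hmac


def naive_compare(secret: bytes, guess: bytes) -> tuple:
    """Early-exit comparison, as found in many non-cryptographic code paths.
    Returns (match, bytes_examined); the second value grows with the length
    of the correct prefix, which is the leak."""
    if len(secret) != len(guess):
        return False, 0          # length is not treated as secret here
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined   # stops at the first mismatch
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> tuple:
    """Examines every byte and accumulates the differences with OR, so the
    work done does not depend on where (or whether) the bytes differ."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        diff |= a ^ b                # no data-dependent branch
    return diff == 0, examined


def work_profile(compare, secret: bytes, guesses) -> list:
    """Bytes examined for each guess; a profile that varies with the guess
    is the side-channel signal the text describes (one trace per query)."""
    return [compare(secret, g)[1] for g in guesses]


def library_compare(secret: bytes, guess: bytes) -> bool:
    """What production code should use: the standard library's constant-time
    comparison rather than a hand-rolled loop."""
    return hmac.compare_digest(secret, guess)


# Constructed sample data (not from the page): a 9-byte secret and guesses
# that match 0, 3 and 8 leading bytes respectively.
SECRET = b"s3cr3tKEY"
GUESSES = [b"x________", b"s3cx_____", b"s3cr3tKEX"]

if __name__ == "__main__":
    print("naive   :", work_profile(naive_compare, SECRET, GUESSES))
    print("constant:", work_profile(constant_time_compare, SECRET, GUESSES))
```

The naive profile rises with the length of the matching prefix, which is exactly the correlation a timing attacker looks for; the constant-time profile is flat.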

Methods Used in the Analysis Process
Depending on the approach used to examine the sampled data (for example by c#.dot net companies in India), SCA attacks can be separated into simple side channel attacks (SSCA) and differential side channel attacks (DSCA). In an SSCA, the attack uses side-channel output that depends mainly on the operations performed. Normally, a single trace is used in an SSCA analysis, and the secret key can be read directly from the side-channel trace.
Differential side-channel attacks use the correlation between the data and the instantaneous side-channel leakage of the cryptographic device. As this correlation is usually very small, statistical methods must be used to exploit it effectively. In a differential side-channel attack, the attacker uses a hypothetical model of the device under attack. The quality of this model depends on the abilities of the attacker.

Conclusion:
Cryptology may be viewed as a constant struggle between cryptographers and cryptanalysts, and attacks on cryptography have a similarly long history. The security of cryptographic modules, in terms of providing a practical degree of protection against white-box (total access) attacks, should be evaluated in a totally untrusted implementation environment.