Monday, 25 April 2016

Firewall Design: Strengths & Weakness

software application development companies

Introduction

Firewalls may be software based or, more commonly, purpose-built appliances. Sometimes the firewalling functions are actually provided by a collection of several different devices. The specific features of the firewall platform and the design of the network where the firewall lives are key components of securing a network. It is important for software application development companies to have a proper placement of firewall. To be effective, firewalls must be placed in the right locations on the network, and configured effectively. Best practices include:

  • All communications must pass through the firewall. The effectiveness of the firewall is greatly reduced if an alternative network routing path is available; unauthorized traffic can be sent through a different network path, bypassing the control of the firewall. Think of the firewall in terms of a lock on your front door. It can be the best lock in the world, but if the back door is unlocked, intruders don’t have to break the lock on the front door—they can go around it. The door lock is relied upon to prevent unauthorized access through the door, and a firewall is similarly relied upon to prevent access to your network. 
  • The firewall permits only traffic that is authorized. If the firewall cannot be relied upon to differentiate between authorized and unauthorized traffic, or if it is configured to permit dangerous or unneeded communications, its usefulness is also diminished. 
  • In a failure or overload situation, a firewall must always fail into a “Deny” or closed state, under the principle that it is better to interrupt communications than to leave systems unprotected. 
  • The firewall must be designed and configured to withstand attacks upon itself. Because the firewall is relied upon to stop attacks, and nothing else is deployed to protect the firewall itself against such attacks, it must be hardened and capable of withstanding attacks directly upon itself.

Firewall Strengths and Weaknesses

A firewall is just one component of an overall security architecture. Its strengths and weaknesses should be taken into consideration when designing network security at various software application development companies in India

Firewall Strengths 

Consider the following firewall strengths when designing network security:

  • Firewalls are excellent at enforcing security policies. They should be configured to restrict communications to what management has determined and agreed with the business to be acceptable. 
  • Firewalls are used to restrict access to specific services. 
  • Firewalls are transparent on the network—no software is needed on end-user workstations. 
  • Firewalls can provide auditing. Given plenty of disk space or remote logging capabilities, they can log interesting traffic that passes through them. 
  • Firewalls can alert appropriate people of specified events.


Firewall Weaknesses 

You must also consider the following firewall weaknesses when designing network security:

  • Firewalls are only as effective as the rules they are configured to enforce. An overly permissive rule set will diminish the effectiveness of the firewall. 
  • Firewalls cannot stop social engineering attacks or an authorized user intentionally using their access for malicious purposes. 
  • Firewalls cannot enforce security policies that are absent or undefined. 
  • Firewalls cannot stop attacks if the traffic does not pass through them.


Firewall Placement 

A firewall is usually located at the network perimeter, directly between the network and any external connections. However, additional firewall systems can be located inside the network perimeter to provide more specific protection to particular hosts with higher security requirements. 

Firewall Configuration 

When building a rule set on a firewall, consider the following practices:

  • Build rules from most to least specific. Most firewalls process their rule sets from top to bottom and stop processing once a match is made. Putting more specific rules on top prevents a general rule from hiding a specific rule further down the rule set. 
  • Place the most active rules near the top of the rule set. Screening packets is a processor-intensive operation, and as mentioned earlier, a firewall will stop processing the packet after matching it to a rule. Placing your popular rules first or second, instead of 30th or 31st, will save the processor from going through over 30 rules for every packet. In situations where millions of packets are being processed and rule sets can be thousands of entries in length, CPU savings could be considerable. 
  • Configure all firewalls to drop “Impossible” or “Unroutable” packets from the Internet such as those from an outside interface with source addresses matching the internal network, RFC 1918 “private” IP addresses, and broadcast packets. None of these would be expected from the Internet, so if they are seen, they represent unwanted traffic such as that produced by attackers. The software development companies must keep a check on such unwanted traffic produced by attackers.



Author Signature:  Sanika Taori

Saturday, 23 April 2016

Issues in Mobile Application Development


1. Introduction

While application development for mobile devices goes back at least 10 years, there has been exponential growth in mobile application development since the iPhone AppStore opened in July, 2008. Since then, device makers have created outlets for other mobile devices, including Android, BlackBerry, Nokia Ovi, Windows Phone, and more. Industry analysts estimate that there are more than 250,000 applications available through the various stores and marketplaces, some of which are available for multiple types of devices. We have recently conducted a small survey of mobile developers, using available mobile developer forums to solicit respondents. A key goal of the survey was to gain a better understanding of development practices for mobile applications for custom application development companies. Our conclusions included the following points: 

1) most of the applications were relatively small, averaging several thousand lines of source code, with one or two developers responsible for conceiving, designing, and implementing the application;  
2) there was a sharp divide between “native” applications, those that run entirely on the mobile device, and web applications, which have a small device-based client with execution occurring on a remote server.

There are numerous comprehensive programming environments available for the major mobile platforms. Apple’s iOS Dev Center offers the Xcode package, which includes an Interface Builder, an iPhone emulator, and a complete development environment that can be used across all Apple products. For Android, developers can use the Android Development Tools plug-in for the Eclipse programming environment. For Windows Phone, developers can use a specialized version of Microsoft’s Visual Studio environment. Similarly, there are application development tools for BlackBerry, Symbian, and other platforms. In addition, there are now some cross-platform development tools, such as RhoMobile’s Rhodes, MoSync, and PhoneGap, which can be used to create native applications on various brands of Smartphones. Along the same lines, Netbiscuits, Appcelerator, Kyte, and other companies provides tools and frameworks to support the creation of mobile web and hybrid sites using their SDK or one of the previously mentioned environments. These powerful development tools and frameworks greatly simplify the task of implementing a mobile application. However, they are predominantly focused on the individual developer who is trying to create an application as quickly as possible. 

Considering custom application development companies, for small and medium-sized mobile applications that can be built (and easily updated) by a single developer, they represent a vast improvement on the previous generations of tools, and encourage developers to adhere to the important principles of abstraction and modularity that are built into the platform architectures. However, as mobile applications become more complex, moving beyond inexpensive recreational applications to more business- critical uses, it will be essential to apply software engineering processes to assure the development of secure, high-quality mobile applications. While many “classic” software engineering techniques will transfer easily to the mobile application domain, there are other areas for new research and development. The remainder of this paper identifies some of these areas.

2.1 What Makes Mobile Different? 

In many respects, developing mobile applications is similar to software engineering for other embedded applications. Common issues include integration with device hardware, as well as traditional issues of security, performance, reliability, and storage limitations. However, mobile applications present some additional requirements that are less commonly found with traditional software applications, including: 

1) Potential interaction with other applications – most embedded devices only have factory-installed software, but mobile devices may have numerous applications from varied sources, with the possibility of interactions among them; 

2) Sensor handling – most modern mobile devices, e.g.,  “smartphones”, include an accelerometer that responds to device movement, a touch screen that responds to numerous gestures, along with real and/or virtual keyboards, a global positioning system, a microphone usable by applications other than voice calls, one or more cameras, and multiple networking protocols;   

3) Native and hybrid (mobile web) applications – most embedded devices use only software installed directly on the device, but mobile devices often include  applications that invoke services over the telephone network or the Internet via a web browser and affect data and displays on the device; 

4) Families of hardware and software platforms – most embedded devices execute code that is custom-built for the properties of that device, but mobile devices may have to support applications that were written for all of the varied devices supporting the operating system, and also for different versions of the operating system. An Android developer, for example, must decide whether to build a single application or multiple versions to run on the broad range of Android devices and operating system releases 

5) Security – most embedded devices are “closed”, in the sense that there is no straightforward way to attack the embedded software and affect its operation, but mobile platforms are open, allowing the installation of new “malware” applications that can affect the overall operation of the device, including the surreptitious transmission of local data by such an application.  

6) User interfaces – with a custom -built embedded application, the developer can control all aspects of the user experience, but a mobile application must share common elements of the user interface with other applications and must adhere to externally developed user interface guidelines, many of which are implemented in the software development kits (SDKs) that are part of the platform. 

7) Complexity of testing – while native applications can be tested in a traditional manner or via a PC-based emulator, mobile web applications are particularly challenging to test. Not only do web application development companies have many of the same issues found in testing web applications, but they have the added issues associated with transmission through gateways and the telephone network 

8) Power consumption – many aspects of an application affect its use of the device’s power and thus the battery life of the device. Dedicated devices can be optimized for maximum battery life, but mobile applications may inadvertently make extensive use of battery-draining resources.


Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Thursday, 21 April 2016

Trends in Mobile Application Development - Part 2

software development companies

4. Implications for Developers

Hereafter we analyze the implication for developers of the three market trends presented in the previous section. In fact, the centralization of portal changes the way developers can distribute their application and reach a mass-market of consumers. The technological openness implies that developers at software development companies would use different standards to develop their application and somehow work in a more collaborative mode. Then, highly-integrated platforms offer more possibilities to develop more sophisticated applications and services. These trends can be seen as opportunities but also threats for developers. Therefore, it is crucial that developers have a good understanding of the possible implications of each trend. They need to be able to choose the platform for which they want to develop knowing all the implications.

4.1 Implications of portal centralization

Portal centralization is a major shift for developers. It allows them to reach all potential customers through one shop, which takes care of the administrative tasks, such as billing and advertising. On top of these deployment facilities comes the fact that platforms providing centralized portals count on application sales to increase their revenue and therefore heavily promote application downloads and thus widely increasing the pool of potential consumers. This promotion is mostly done through advertising, but more importantly through greatly enhanced user interfaces. Before the emergence of centralized portals it took a expert user to download and install third-party applications, usually involving an internet search and a credit card payment, on a personal computer and then a file transfer via Bluetooth. Now it has become a “one-click” operation directly executable on the mobile device. Moreover, platforms can leverage on user communities which also promote applications using the reviewing features of the shops. A negative side of strong centralization for developers is that they might have to conform to certain rules defined by the portal provider. This problem can be observed with Apple’s AppStore, which rules over which applications will be sold and which will be banned based on non-transparent criteria. To overcome these restrictions, the developer community has built alternative portals (Installer, Cydia) where developers can publish their applications. Unfortunately, only tech-savvy customers shop on such black markets, since phones must undergo a “jailbreak” procedure before they can access them.

4.2 Implications of technological openness

It is important for software development companies to know the implications of a move towards open source software offers two kinds of opportunities for application developers. First, as mentioned previously, moving towards open technology allows platform providers to reduce development costs and possibly increase the number of consumers. A greater number of platform consumers imply a greater number of potential application consumers for developers. Second, an open source project can provide career opportunities for developers willing to contribute to the platform development.

4.3 Implications of platform integration

The emergence of fully integrated end-to-end ecosystems, where the same people sell applications, manufacture devices and create their operating system, creates a coherent end-to-end approach, which makes it easier for applications to be developed, published, purchased, and used. There is less compatibility issues, which is a major problem in heterogeneous systems, where applications have to be fine-tune for specific devices with different display size for example. A drawback of high integration is the lack of alternatives if the solutions proposed by the platform do not suit the developer.

5. Conclusion 

In this paper, we described the implications that different market and technology trends have on the mobile and custom application development companies. The current evolutions show that the game for the developers has changed dramatically. There are many new opportunities for them to develop, distribute, and generate significant revenues with the emerging mobile application portals. Since the mobile application development landscape has substantially changed over the past several years, mobile development platforms have become more integrated and generally play the role of application portal, device manufacturer or both. As discussed in the paper, application portals tend to become more centralized, facilitating the link between developers and consumers. Moreover, several new platforms entered the open source community to lower their costs and possibly extend their consumer market by lowering prices and as a consequence increase their developer pool. In this changing environment, choosing for which platform to develop reveals to be challenging and we proposed three simple criteria: market size and accessibility, career opportunities, and creative freedom.


Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Trends in Mobile Application Development - Part 1

custom application development companies

Over the past few years, we have observed that the relatively stable market has evolved in three distinct directions. First, there seems to be a strong trend towards portal centralization. Second, there is increased number of actors providing open source technology. Third, platforms are moving towards a higher level of integration. It is important for custom application development companies to be aware of the trends in mobile application development. Following explains the same :

1. Towards portal centralization

Prior to the introduction of Apple’s AppStore and more recently Google’s Android Market, platforms did not have a central portal. With the introduction of its AppStore, Apple has proven that a mobile application market should not be underestimated and can represent an important revenue stream. According to CEO Steve Jobs, the AppStore has generated revenue of a million dollars a day in its first month of existence. There are currently 15000 applications on the portal, which have been downloaded a total of 500 million times. Note that these figures grew by 50% in the last month. Following Apple’s lead; traditional platforms like Nokia, RIM and Microsoft seem to be moving in this direction. Nokia is pushing its OVI portal and RIM has developed its own Application Center. Microsoft is also planning to launch its own version of the AppStore called Sky Market with the next version of Windows Mobile (WM7)

2. Towards technological openness

Among the major mobile platforms, LiMo used to be the only player in the open source field. Nokia has moved in this direction after acquiring Symbian OS. Google has also followed this trend. The transition phase from a closed to an open architecture will be critical for the future success of the platform. The shift, depicted in Figure 4, of this major player towards openness means that from a situation with mostly closed systems, we have moved to a situation with a small majority of devices running an open source system. Nevertheless, this shift does not indicate that other platforms will follow. Among the closed platforms, RIM is probably the only one that might go open source, since Microsoft and Apple are strong advocates of proprietary software. So far, it is still hard to evaluate what impact open-source software might have on the current mobile application developments. The successful model that Apple established does not suffer from the proprietary software clauses. The other platforms hope that the open-source option could help them to better compete in the platform war.

3. Towards full integration

Another trend is the emergence of more integrated platforms. Before the introduction of Apple’s platform, there was no fully integrated mobile platform. Moreover, there was no platform with portal integration before the introduction of Google’s platform. Symbian OS is an example of the trend towards integration since it started as a platform with no integration, before it was integrated by Nokia to become a device integrated platform and finally by launching OVI, it became fully integrated. RIM is also expected to soon become fully integrated with the introduction of its Application Center. Furthermore, with Microsoft moving towards portal integration there will be no major platform left without integration. Some leading software application development companies have also hinted that an intermediary could play an integrating role in the mobile development industry. The more surprising observation is the fact that mainly phone manufacturer companies and software development companies have played this integration role and not so much MNOs as was the intuition of most of these scholars.



Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Wednesday, 20 April 2016

Empowering People in Safety - Part 2

Software development companies

Principle 4.  Focus on Positive Consequences to Motivate Behavior. 

Control by negative consequences reduces perceptions of personal freedom and responsibility. Think about it.  Do you feel freer or empowered when you are working to avoid an unpleasant consequence or working to achieve a pleasant consequence? Unfortunately, the common metric used to rank companies on their safety performance is “total recordable injury rate” (or an analogous count of losses) which puts people in a reactive mindset of “avoiding failure” rather than “achieving success.” PBS provides proactive measures employees can achieve in order to prevent occupational injury. These days, Software development companies are focusing on People-Based Safety (PBS) as well.

We can often intervene to increase people’s perceptions that they are working to achieve success rather than working to avoid failure.  Even our verbal behavior directed toward another person, perhaps as a statement of genuine approval or appreciation for a task well done, can influence motivation in ways that increase perceptions of personal freedom and empowerment.  Of course, we can’t be sure our intervention will have the effect we intended unless we measure the impact of our intervention procedures.  Hence, the next basic premise of PBS. 

Principle 5.  Apply the Scientific Method to Improve Intervention. 

People’s actions can be objectively observed and measured before and after an intervention process is implemented.  This application of the scientific method provides critical feedback upon which to build improvement.   The acronym “DO IT” says it all:  D = Define the target action to increase or decrease; O = Observe the target action during a pre-intervention baseline period to identify natural environmental and interpersonal factors influencing it (see Principle 1), and to set improvement goals; I = Intervene to change the target action in desired directions; and T = Test the impact of the intervention procedure by continuing to observe and record the target action during and after the intervention program. 

The systematic evaluation of a number of DO IT processes can lead to a body of knowledge worthy of integration into a theory.  This is reflected in the next principle. 

Principle 6.  Use Theory to Integrate Information. 

After applying the DO IT process a number of times, you will see distinct consistencies. Certain intervention techniques will work better in some situations than others, by some individuals than others, or with some work practices than others.  You should summarize relationships between intervention impact and specific interpersonal or contextual characteristics.  The outcome will be a research-based theory of what is most cost-effective under given circumstances.  By doing this you are using theory to integrate information gained from systematic behavioral observation.   

Principle 7.  Consider the Internal Feelings and Attitudes of Others. 

Feelings and attitudes are influenced by the type of intervention procedure implemented, and such relationships require careful consideration by those who develop and deliver the intervention.  This is the essence of empathic leadership taught by PBS.   

The rationale for using more positive than negative consequences to motivate behavior (Principle 4) is based on the different feeling states resulting from using positive versus negative consequences to motivate behavior. Likewise, the way an intervention process is introduced and delivered can increase or decrease perceptions of empowerment, build or destroy interpersonal trust, and facilitate or inhibit an interdependent teamwork. 

Conclusion:

The PBS principles reviewed here provide a perspective that improves how people view injury prevention and talk about this challenge to themselves and to others.  Besides providing a paradigm that improves the quality and increases the quantity of safety conversations, PBS provides specific tools and methods, which software development companies are using extensively, for increasing safe behaviors, decreasing at-risk behaviors, and motivating participation in safety-related activities.   



Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Empowering People in Safety - Part 1

Software development companies in India

Introduction

Behavior modification… safety management…. attitude adjustment… behavior based safety… culture change… cognitive alignment… person-based safety… human engineering… social influence.  All these terms used to address the human dynamics of injury prevention.  Each of these can be linked to a set of principles, procedures, or a consultant’s service which defines a particular approach to managing the human side of occupational safety. Software development companies in India are implementing these set of principles in order to manage the human side of occupational safety.  

 All of these terms, and most of the accompanying materials, are insufficient.  They are either too narrow and restricting, or too broad and nondirective.  Some focus entirely on behavior change, while others attempt to target vague and unobservable aspects of other people, like attitudes and thoughts.  Still others have the grand notion of directly targeting culture change. 
  
 All of these approaches are well-intentioned and none are entirely wrong.  The human dynamics of an organization include behaviors, attitudes, cognitions, and the context (or culture) in which these aspects of people occur.  However, some of these approaches are too equivocal or ambiguous to be practical, while others may be practical but are not sufficiently comprehensive. 

Systematic evaluations of our implementations have enabled successive refinements of procedures, as well as the discovery of guidelines for increasing effectiveness and the long-term impact of our interventions.  We also developed research based and practical support materials for the behavior-change and culture-enrichment process. 

Today we call this approach “People-Based Safety” (PBS).  It strategically integrates the best of behavior-based and person-based safety in order to enrich the culture in which people work, thereby improving job satisfaction, work quality and production, interpersonal relationships, and occupational safety and health.   

 This article is the first of a five-part series in which I explain the essential principles and procedures of PBS.  Here are the seven underlying principles of PBS.   

Seven Basics of People-Based Safety 

Principle 1: Start with Observable Behavior. 

Like behavior-based safety, PBS focuses on what people do, analyzes why they do it, and then applies a research-supported intervention strategy to improve what people do.  The improvement of others results from acting people into thinking differently rather than targeting internal awareness or attitudes so as to think people into acting differently.   However, unlike behavior-based safety, PBS considers that people can observe their own thoughts and attitudes.  Thus, people can think themselves into safer actions.  In other words, self-management requires self-dialogue or thinking as well as self-directed behavior.  

Principle 2.  Look for External and Internal Factors to Improve Behavior. 

We do what we do because of factors in both our external and internal worlds.  While behavior-based safety deals with only external factors, PBS teaches people how to address their internal thoughts, perceptions, and attitudes related to injury prevention.  A behavioral analysis of work practices can pinpoint many external factors that encourage at-risk behavior and hinder safe behavior.  But, it’s also possible for individuals to conduct a self-evaluation of their own self-talk and selective perception regarding safety related behavior, and choose to make appropriate adjustments. Safety is of utmost importance for all the software development companies and hence they attempt to identify external and internal factors to improve behavior.

Principle 3.  Direct with Activators and Motivate with Consequences. 

Activators (or signals preceding behavior) are only as powerful as the consequences supporting the behavior.  In other words, activators tell us what to do in order to receive a pleasant consequence or avoid an unpleasant consequence.  This reflects the ABC model, with “A” for activator, “B” for behavior, and “C” for consequence.  This principle is used to design interventions for improving behavior at individual, group, and organizational levels. 


Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Tuesday, 19 April 2016

Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 - Part 2

software development companies

Clause 4: Context of the organization 

This is a new clause that in part addresses the depreciated concept of preventive action and in part establishes the context for the ISMS. It meets these objectives by drawing together relevant external and internal issues (i.e. those that affect the organization’s ability to achieve the intended outcome(s) of its ISMS) with the requirements of interested parties to determine the scope of the ISMS. 

It should be noted that the term ‘issue’ covers not only problems, which would have been the subject of preventive action in the previous standard, but also important topics for the ISMS to address, such as any market assurance and governance goals that the organization might set for the ISMS. Further guidance is given in Clause 5.3 of  ISO 31000:2009.

Note that the term ‘requirement’ is a ‘need or expectation that is stated, generally implied or obligatory’. Combined with Clause 4.2, this in itself can be thought of as a governance requirement, as strictly speaking an ISMS that did not conform to generally-accepted public expectations could now be ruled nonconforming with the standard.

The final requirement (Clause 4.4) is to establish, implement, maintain and continually improve the ISMS in accordance with the requirements the standard.

Clause 5: Leadership 

This clause places requirements on ‘top management’ which is the person or group of people who directs and controls the organization at the highest level. Note that if the organization that is the subject of the ISMS is part of a larger organization, then the term ‘top management’ refers to the smaller organization. The purpose of these requirements is to demonstrate leadership and commitment by leading from the top. 

A particular responsibility of top management is to establish the information security policy, and the standard defines the characteristics and properties that the policy is to include. This is important for software development companies.

Finally, the clause places requirements on top management to assign information security relevant responsibilities and authorities, highlighting two particular roles concerning ISMS conformance to ISO/IEC 27001 and reporting on ISMS performance.

Clause 6: Planning 

Clause 6.1.1, General: This clause works with Clauses 4.1 and 4.2 to complete the new way of dealing with preventive actions. The first part of this clause (i.e. down to and including 6.1.1 c)) concerns risk assessment whilst Clause 6.1.1 d) concerns risk treatment. As the assessment and treatment of information security risk is dealt with in Clauses 6.1.2 and 6.1.3, then organizations could use this clause to consider ISMS risks and opportunities.

Clause 6.1.2, Information security risk assessment: This clause specifically concerns the assessment of information security risk. In aligning with the principles and guidance given in ISO 31000, this clause removes the identification of assets, threats and vulnerabilities as a prerequisite to risk identification. This widens the choice of risk assessment methods that an organization may use and still conforms to the standard. The clause also refers to ‘risk assessment acceptance criteria’, which allows criteria other than just a single level of risk. Risk acceptance criteria can now be expressed in terms other than levels, for example, the types of control used to treat risk.

The clause refers to ‘risk owners’ rather than ‘asset owners’ and later (in Clause 6.1.3 f)) requires their approval of the risk treatment plan and residual risks.

In other ways the clause closely resembles its counterpart in ISO/IEC 27001:2005 by requiring organizations to assess consequence, likelihood and levels of risk. Assessment of consequences, likelihood and levels of risk is essential for software development companies.
Clause 6.1.3, Information security risk treatment: This clause concerns the treatment of information security risk. It is similar to its counterpart in ISO/IEC 27001:2005, however, it refers to the ‘determination’ of necessary controls rather than selecting controls from Annex A. Nevertheless, the standard retains the use of Annex A as a cross-check to make sure that no necessary control has been overlooked, and organizations are still required to produce a Statement of Applicability (SOA). The formulation and approval of the risk treatment plan is now part of this clause.

Clause 6.2, Information security objectives and planning to achieve them: This clause concerns information security objectives. It uses the phrase “relevant functions and levels”, where here, the term ‘function’ refers to the functions of the organization, and the term ‘level’, its levels of management, of which ‘top management’ is the highest. The clause defines the properties that an organization’s information security objectives must possess. This lets software application development companies to move from ISO 27001:2005 to ISO 27001:2013.


Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 - Part 1

software application development companies

ISO/IEC 27001:2013 is the first revision of ISO/IEC 27001. First and foremost, the revision has taken account of practical experience of using the standard: there are now over 17,000 registrations worldwide. However, there have been two other major influences on the revision. The first is an ISO requirement that all new and revised management system standards must conform to the high level structure and identical core text defined in Annex SL to Part 1 of the ISO/IEC Directives. Conformance to these requirements will have a tendency to make all management system standards look the same, with the intention that management system requirements that are not discipline-specific are identically worded in all management system standards. This is good news for software application development companies that operate integrated management systems, i.e. management systems that conform to several standards, such as ISO 9001 (quality), ISO 22301 (business continuity) as well as ISO/IEC 27001. The second influence was a decision to align ISO/IEC 27001 with the principles and guidance given in ISO 31000 (risk management). Again, this is good news for integrated management systems as now an organization may apply the same risk assessment methodology across several disciplines.

The result is that structurally ISO/IEC 27001:2013 looks very different to ISO/IEC 27001:2005.In addition, there are no duplicate requirements, and the requirements are phrased in a way, which allows greater freedom of choice on how to implement them.  A good example of this is that the identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks. The standard now makes it clearer that controls are not to be selected from Annex A, but are determined through the process of risk treatment. Nevertheless, Annex A continues to serve as a cross-check to help ensure that no necessary controls have been overlooked.

Clause 0: Introduction 

This is a much shorter clause than its predecessor. In particular the section on the PDCA model has been removed. The reason for this is that the requirement is for continual improvement (see Clause 10) and PDCA is just one approach to meeting that requirement. There are other approaches, and organizations are now free to use them if they wish. Many software application development companies are adopting such approaches.

The introduction also draws attention to the order in which requirements are presented, stating that the order does not reflect their importance or imply the order in which they are to be implemented. 

Clause 1: Scope 

This, too, is a much shorter clause. In particular there is no reference to the exclusion of controls in Annex A.

Clause 2: Normative references 

The only normative reference is to ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary.

Clause 3: Terms and definitions 

There are no longer any terms or definitions in ISO/IEC 27001:2013. Instead, readers are referred to ISO/IEC 27000. However, please ensure that you use a version of ISO/IEC 27000 that was published after ISO/IEC 27001:2013 otherwise it will not contain the correct terms or definitions. This is an important document to read. Many definitions, for example ‘management system’ and ‘control’ have been changed and now conform to the definitions given in the new ISO directives and ISO 31000. If a term is not defined in ISO/IEC 27000, please use the definition given in the Oxford English Dictionary. This is important, otherwise confusion and misunderstanding may be the result.


Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Monday, 18 April 2016

Security System Development Lifecycle

software development companies in India

The Systems Development Life Cycle 

Information security must be managed in a manner similar to any other major system implemented in an organization. The one approach for implementing an information security system in an organization with little or no formal security in place is to use a variation of the systems development life cycle (SDLC): the security systems development life cycle (SecSDLC). Many software development companies in India are implementing security systems development life cycle (SecSDLC). Also to understand a security systems development life cycle, we must first understand the basics of the method upon which it is based.

Methodology and Phases 

The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system. A methodology is a formal approach to solving a problem by means of a structured sequence of procedures. Also using a methodology ensures a rigorous process with a clearly defined goal and increases the probability of success. Once a methodology has been adopted, the key milestones are established and a team of individuals is selected and made accountable for accomplishing the project goals. The traditional SDLC consists of six general phases. If you have taken a system analysis and design course, you may have been exposed to a model consisting of a different number of phases. The SDLC models range from having three to twelve phases, all of which have been mapped into the six presented here. At the end of each phase comes a structured review or reality check, during which the team determines if the project should be continued, discontinued, outsourced, postponed, or returned to an earlier phase depending on whether the project is proceeding as expected and on the need for additional expertise, organizational knowledge, or other resources. Once the system is implemented, it is maintained (and modified) over the remainder of its operational life. Any information systems implementation may have multiple iterations as the cycle is repeated over time. Only by means of constant examination and renewal can any system, especially an information security program, perform up to expectations in the constantly changing environment in which it is placed. The following sections describe each phase of the traditional SDLC.20

The first phase, investigation, is the most important. What problem is the system being developed to solve? The investigation phase begins with an examination of the event or plan that initiates the process. During the investigation phase, the objectives, constraints, and scope of the project are specified. A preliminary cost-benefit analysis evaluates the perceived benefits and the appropriate levels of cost for those benefits. At the conclusion of this phase, and at every phase following, a feasibility analysis assesses the economic, technical, and behavioral feasibility of the process and ensures that implementation is worth the organization’s time and effort.

Analysis 

The analysis phase begins with the information gained during the investigation phase. This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems. Analysts begin by determining what the new system is expected to do and how it will interact with existing systems. This phase ends with the documentation of the findings and an update of the feasibility analysis.

Logical Design 

In the logical design phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem. In any systems solution implemented at any software development company, it is imperative that the first and driving factor is the business need. Based on the business need, applications are selected to provide needed services, and then data support and structures capable of providing the needed inputs are chosen. Finally, based on all of the above, specific technologies to implement the physical solution are delineated. The logical design is, therefore, the blueprint for the desired solution. The logical design is implementation independent, meaning that it contains no reference to specific technologies, vendors, or products. It addresses, instead, how the proposed system will solve the problem at hand. In this stage, analysts generate a number of alternative solutions, each with corresponding strengths and weaknesses, and costs and benefits, allowing for a general comparison of available options. At the end of this phase, another feasibility analysis is performed.

Physical Design 

During the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design. The selected components are evaluated based on a make-or-buy decision (develop the components in-house or purchase them from a vendor). Final designs integrate various components and technologies. After yet another feasibility analysis, the entire solution is presented to the organizational management for approval.

Implementation 

In the implementation phase, any needed software is created. Components are ordered, received, and tested. Afterward, users are trained and supporting documentation created. Once all components are tested individually, they are installed and tested as a system. Again a feasibility analysis is prepared, and the sponsors are then presented with the system for a performance review and acceptance test.

Maintenance and Change 

The maintenance and change phase is the longest and most expensive phase of the process. This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until it is determined that the process should begin again from the investigation phase. At periodic points, the system is tested for compliance, and the feasibility of continuance versus discontinuance is evaluated. Upgrades, updates, and patches are managed. As the needs of the organization change, the systems that support the organization must also change. It is imperative that those who manage the systems, as well as those who support them, continually monitor the effectiveness of the systems in relation to the organization’s environment. When a current system can no longer support the evolving mission of the organization, the project is terminated and a new project is implemented.

Securing the SDLC 

Each of the phases of the SDLC should include consideration of the security of the system being assembled as well as the information it uses. Whether the system is custom and built from scratch, is purchased and then customized, or is commercial off-the-shelf software (COTS), the implementing organization such as software development company is responsible for ensuring it is used securely. This means that each implementation of a system is secure and does not risk compromising the confidentiality, integrity, and availability of the organization’s information assets. The following section, adapted from NIST Special Publication 800-64, rev. 1, provides an overview of the security considerations for each phase of the SDLC.


Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Thursday, 14 April 2016

Implementing ISO 27001 - Part 2

Software development companies

Implementation Phases

An organization needs to have the detailed understanding of PDCA implementation phases to manage the costs of the project. Software development companies adopt PDCA cycle to implement international standards. Cycle of the PDCA is consistent with all auditable international standards: ISO 18001, 9001 and 14001. ISO/IEC 27001:2005 gives the following PDCA steps for an organization to follow:
  • Define an ISMS policy.
  • Define the scope of the ISMS.
  • Perform a security risk assessment.
  • Manage the identified risk.
  • Select the controls to be implemented and applied.
  • Prepare an SOA.


Phase 5—Prepare an Inventory of Information Assets to Protect, and the Rank Assets According to the Risk Classification Based on Risk Assessment

The various companies, such as software development companies, needs to create a list of information assets to be protected. The following are suggested steps:
  • For the assets classify the key CIA impact levels: high, medium and low.
  • Identify the risks, and also classify them according to their severity and vulnerability.
  • After complete identification of the risks and the levels of CIA, do assign the values to the risks.


Phase 6—Manage the Risks, and Create a Risk Treatment Plan

To control the impact associated with risk, the organization must accept and avoid and transfer or reduce the risk to an acceptable level using risk mitigating controls. Then the next stage is performing the gap analysis with the controls provided in the standard to create an RTP and an SOA and it is also important to obtain management approval of the proposed residual risks.
The RTP also provides:
  • Acceptable risk treatment (accept, transfer, reduce, avoid)
  • Identification of operational controls and additional proposed controls with the help of gap analysis


Phase 7—Set Up the Policies and Procedures to Control Risks

For the controls adopted, shown in the SOA the organization will require the statements of policy or a detailed procedure and responsibility document to identify user roles for consistent and effective implementation of policies and procedures. And the documentation of policies and procedures is a requirement of ISO/IEC 27001. Also the list of applicable policies and procedures depends on the organization’s structure, the locations and the assets.

Phase 8—Allocate Resources, and Train the Staff

The ISMS process highlights one of the important commitments for the management: sufficient resources to manage, develop, maintain and implement the ISMS. And also it is very essential to document the training for audit.

Phase 9—Monitoring the Implementation of the ISMS

The periodic internal audit is a must for monitoring and review. The internal audit review consists of testing of controls and identifying corrective/preventive actions. In order to complete the PDCA cycle all the gaps identified in the internal audit must be addressed by identifying the corrective and preventive controls needed and the company’s compliance based on a gap analysis.

Also to be effective, the ISMS need to be reviewed by management at periodic and planned intervals. This review follows the changes and improvements to the policies, procedures, the controls and staffing decisions. It is a very important step in the process is project management review. Thus the results of audits and periodic reviews are documented and maintained.

Phase 10—Preparation for the Certification Audit

In order for the organizations, such as software development companies, to be certified it is very essential that it conduct a full cycle of internal audits and management reviews and activities in the PDCA process and that it retains evidence of the responses taken as a result of those reviews and audits. The ISMS management should review risk assessments, the RTP, the SOA, and the policies and procedures at least annually.

An external auditor will first examine the ISMS documents to determine the scope and content of the ISMS and the objective of the review and audit is to have sufficient evidence and review/audit documents sent to an auditor for review. Thus the evidence and documents will demonstrate the efficiency and effectiveness of the implemented ISMS in the organization and its business units.

Phase 11—Conducting Periodic Reassessment Audits

The follow-up reviews or periodic audits confirm that the organization remains in compliance with the standard.

The certification maintenance requires periodic reassessment audits to confirm that the ISMS continue to operate as specified and intended. Thus with any other ISO standard the ISO 27001 follows the PDCA cycle and assists ISMS management in knowing how far and how well the enterprise has progressed along this cycle. It directly influences the time and cost estimates related to achieving compliance.

Conclusion

The true success of ISO 27001 is its alignment with the business objectives and effectiveness in realizing those objectives. For software development companies the IT and other departments play an important role in implementing ISO 27001. Implementing ISO 27001 is an exercise toward better understanding an existing inventory of IT initiatives, information availability and ISMS implementation phases. An organization also needs to have the detailed understanding of PDCA implementation phases. 

Without a well-defined and well-developed ISO 27001 project plan, implementing ISO 27001 would be a time- and cost-consuming exercise. To achieve the planned return on investment (ROI), the implementation plan has to be developed with an end goal in mind. Training and internal audit are major parts of ISO 27001 implementation. ISO 27001 certification should help assure most business partners of an organization’s status with respect to information security without the necessity of conducting their own security reviews. 



Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Implementing ISO 27001 - Part 1

Software development companies

Implementation Phases

An organization needs to have the detailed understanding of PDCA implementation phases to manage the costs of the project. Software development companies adopt PDCA cycle to implement international standards. Cycle of the PDCA is consistent with all auditable international standards: ISO 18001, 9001 and 14001. ISO/IEC 27001:2005 gives the following PDCA steps for an organization to follow:


  • Define an ISMS policy
  • Define the scope of the ISMS
  • Perform a security risk assessment
  • Manage the identified risk
  • Select the controls to be implemented and applied
  • Prepare an SOA


Phase 1—Identify Business Objectives

Stakeholders must buy in; identifying and prioritizing objectives is the step that will gain management support. The primary objectives can be derived from the company’s mission, the strategic plan and IT goals. The objectives are:


  • Increased marketing potential
  • Complete assurance to the business partners of the organization’s status with respect to information security
  • Both Increased revenue and profitability by providing the highest level of security for customers’ sensitive data
  • Identification of the information assets & effective risk assessments
  • Compliance with industry regulations


Phase 2—Obtain Management Support

Management must make a commitment to the establishment, planning, the implementation, the operation, monitoring, review, improvement and maintenance of the ISMS. The commitment must also include activities such as ensuring that the proper resources are available to work on the ISMS and that all employees affected by the ISMS have the proper training, competency and also awareness. The following activities/initiatives show management support:


  • An information security policy
  • The information security objectives & the plans
  • The roles & responsibilities for the information security or a segregation of duties (SoD) matrix that shows the list of the roles related to information security
  • Sufficient resources for managing, developing, maintaining and implementing the ISMS
  • The determination of acceptable level of risk
  • The management reviews of the ISMS at planned intervals
  • Assurance that personnel affected is also affected by the ISMS are provided with training
  • Appointment of the competent people for the roles and responsibilities that they are assigned to fulfill


Phase 3—Select Proper Scope of Implementation

ISO 27001 states that any scope of implementation may cover all or part of an organization. According to it for the software company or any other company the scope of the ISMS, the processes, business units, external vendors or contractors falling within the scope of implementation must be specified for certification to occur.

The standard also thus requires companies to list any scope exclusions and the reasons why they were excluded.

Identifying the scope of implementation can save the organization time, money. The following points should be considered:


  • Selected scope helps to achieve all the identified business objectives.
  • The organization’s over all scale of operations is an integral parameter needed to determine the compliance process’s complexity level.
  • To find out appropriate scale of operations, organizations need to consider the number of employees, business processes, work locations, and products or services offered.


Phase 4—Define the appropriate Method of Risk Assessment

To meet the requirements of ISO/IEC 27001, the companies need to define & document the method of risk assessment. The ISO/IEC 27001 standards do not specify the risk assessment method that can be used. The following all points should be considered:


  • The method that can be used that can assess the risk to identified information assets
  • Which risks are intolerable therefore, that need to be mitigated
  • Managing the residual risks through carefully considered policies, the procedures and controls
  • Choosing a risk assessment method is one of the most important parts of establishing the ISMS and use of the following will be helpful:
  • NIST Special Publication (SP) 800-30 Risk Management Guide for Information Technology Systems
  • Sarbanes-Oxley IT risk assessment
  • Asset classification, data classification documents (determined by the organization)
  • ISO 27001 needs risk evaluations based on levels of confidentiality, integrity and availability (CIA):
    • Confidentiality—Clause 3.3: Ensuring that information is accessible only to those authorized to have access
    • Integrity—Clause 3.8: Safeguarding the accuracy and completeness of information and processing methods
    • Availability—Clause 3.9: Ensuring that authorized users have access to information and associated assets when required


Conclusion

The true success of ISO 27001 is its alignment with the business objectives and effectiveness in realizing those objectives. For any software development company, IT & the other departments play an important role in implementing the ISO 27001. Implementation of ISO 27001 is an exercise toward better understanding an existing inventory of IT initiatives & the information availability and ISMS implementation phases. The organization also needs to have the detailed understanding of PDCA implementation phases. 

Without a well-defined and well-developed ISO 27001 project plan & implementing ISO 27001 would be a time- and cost-consuming exercise & to achieve the planned return on investment (ROI), the implementation plan has to be developed with an end goal in mind. Training and internal audit are major parts of ISO 27001 implementation. ISO 27001 certification should help assure most business partners of an organization’s status with respect to information security without the necessity of conducting their own security reviews. 


Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Wednesday, 13 April 2016

Planning for ISO 27001 - Part 2

Software application development companies

ISMS—Planning for ISO

ISO/IEC 27001 has detail 133 security measures, which are then organized into 11 sections and 39 control objectives. These sections specify the best practices for:
• Business continuity planning
• System access control
• System acquisition, development and maintenance
• Physical and environmental security
• Compliance
• Information security incident management
• Personnel security
• Security organization
• Communications and operation management
• Asset classification and control
• Security policies

The ISMS may be certified as compliant with ISO/IEC 27001 by a number of accredited registrars worldwide. Also the ISO/IEC 27001 certification, similar to other ISO management system certifications, that usually involves a three-stage audit process:

Stage 1—The Informal review of the ISMS that includes checking the existence and completeness of key documents such as the: – Organization’s security policy and the Risk treatment plan (RTP) and  Statement of applicability (SOA)

Stage 2—Independent tests of the ISMS against the requirements specified in ISO/IEC 27001. The certification audits are conducted by ISO/IEC 27001 lead auditors.

Stage 3—Follow-up reviews or periodic audits to confirm that the organization (eg. Software application development companies) remains in compliance with the given standard. And the certification maintenance requires periodic reassessment audits to confirm that the ISMS continue to operate as specified and intended. Independent assessment necessarily brings some rigor and formality to the implementation process, and it also must be approved by management. The ISO/IEC 27001 certification helps to assure most business partners of the organization’s status regarding information security without the business partners having to conduct their own security reviews.


Planning

As in all compliance and the certification initiatives, and the consideration of the organization’s size, nature of its business, and the maturity of the process in implementing ISO 27001 and commitment of senior management are essential. Most important departments and activities that will be vital to the
success of the project include:

Internal audit—In the initial planning phase, the input from internal audit will be useful in developing an implementation strategy, and early involvement of internal auditors will be useful during the later stages of certification that require review by management.

IT—The IT department will have to dedicate resources and time to the activities associated with the ISO 27001 initiatives. The inventory of existing IT compliance initiatives, the procedures and the policies, and maturity of existing IT processes and controls will be useful to gain an understanding of how the existing processes align with ISO 27001 requirements.

Although implementation of policies and procedures at software companies is largely perceived as an IT activity, the other departments play a very important role in the implementation. For e.g., facilities management is largely responsible for physical security and access controls.


Decision Making

The decision of when and how to implement the standard may be influenced by a number of factors such as:
         Business objectives and priorities
         Existing IT maturity levels
         User acceptability and awareness
         Internal audit capability
         Contractual obligations
         Customer requirements
         The firm’s ability to adapt to change
         Adherence to internal processes
         The existing compliance efforts and legal requirements
         Existing training programs



Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)