Friday 19 September 2014

ITIL and its impact on your business

The economics of the IT industry are unusual: supply is capped while demand is effectively infinite, unlike other markets where demand ideally matches supply. Demand in IT is limited only by what one can imagine and apply. Still, most organizations allocate a limited budget to their IT needs.

Most organizations today rely upon IT to enable them to achieve their company vision, business strategy and goals. For a manager, investment in IT as part of the service strategy is normally governed by the usual measures of Return on Investment (RoI) and Return on Value (RoV). The quality of an organization’s IT is reflected in its reputation and brand, and has a direct impact upon sales and revenue. For an IT investment to provide benefit, the resulting IT service must be well planned, well designed, well managed and well delivered. That is what the practice of IT service management is about.

ITIL (Information Technology Infrastructure Library) is a set of practices for ITSM (IT service management) that focuses on aligning IT services with the needs of the business. It is a non-proprietary body of best practice that can be adapted for use in all business and organizational environments. ITIL provides an extensive body of knowledge, capabilities and skills, accessible through publications, training, qualifications and support tools.

There are various advantages of adopting ITIL for an organization:
  • Reports coming out of ITIL help compare the effectiveness of organizational processes with the best in the industry and thus reaffirm the value of ITSM practices
  • IT services are aligned with business priorities and objectives, helping the business achieve more of its strategic objectives
  • It helps the business plan its finances better
  • Increased business productivity, efficiency and effectiveness, because IT services are more reliable and work better for the business users
  • Financial savings from improved resource management and reduced rework
  • More effective change management, enabling the business to keep pace with change and drive business change to its advantage
  • Improved user and customer satisfaction with IT
  • Improved end-customer perception and brand image.
ITIL helps an organization align IT with its business strategy and gives assurance that its processes are on par with industry standards. It helps senior management connect IT service management to the budget cycle and ultimately set priorities for each business area.

About Author:
Harsh Saraogi is a consultant with Systems Plus Pvt. Ltd. He is part of the consulting team that delivers Sourcing and Vendor Management Office projects. He can be contacted at: harshvardhan.s@spluspl.com

Pre-requisites for any Agile project!

What is Agile?

  • Agile management is a continual and incremental method of managing the design and build activities of new product or service development projects in a highly flexible and interactive manner.
  • It is a framework used to design, plan and control iterative and incremental development, where requirements and solutions emerge through collaboration between self-organizing, cross-functional teams.
Agile management provides opportunities to check the direction of the project throughout the development lifecycle. This is achieved through regular cadences of work, known as Sprints, at the end of which teams present a potentially shippable product increment. Agile methodology is described as ‘iterative’ and ‘incremental’ because the focus is on the repetition of short work cycles and on the working product that they yield. In a traditional method, development teams get only one chance to see or correct each aspect of a project. In an agile model, every aspect of development — requirements, design and so on — is continuously revisited. The team re-evaluates the direction of the project every two weeks by working on the changes required, so there is always time to steer the project in another direction.

Adopting this approach greatly reduces development cost and time: the team develops the software while requirements are still being gathered, because each work cycle is limited to a few weeks, and business users get numerous chances to align releases for success in the real world. Agile development helps organizations build the right product. Instead of committing to market software that hasn’t been written yet, agile allows teams to continuously re-plan their release to enhance its value throughout development, allowing them to be as competitive as possible in the marketplace. Agile development preserves a product’s critical market relevance and ensures the team’s work doesn’t wind up on a shelf.

Pre-Requisites for Agile Projects

Client:
Agile promises to reduce the amount of time spent on costly rework, but this depends largely on maintaining an open discussion with business stakeholders and end users to structure and formulate requirements throughout the project lifecycle. Stakeholders should be introduced to agile concepts and their business value so that they see the importance of their participation throughout the project. Involving multiple stakeholders with decision-making authority minimizes the time any one individual must commit to ongoing feedback. Clients should be available for the daily meetings (preferably face to face, through video conferencing). They should accept a different way of checking up on the progress of the project. They should also provide a product owner who can help with the requirements for the product.

Team:
Teams should start off with a set of core agile principles and develop efficiencies by tailoring them to the project at hand. Unlike other development methods, which call for process standardization, implementing Agile successfully across different teams and project types requires the flexibility to break high-level agile concepts down into several practices that teams can master. Team members should also be able to work with the customer, end users and other non-IT people (interviews, workshops).

Organization work environment:
Iterations and flexible requirements are two chief agile concepts that organizations should instil early among agile teams. As teams gain experience in executing projects, they should capture the causes of deviation from the project plan, incorporate them into future planning and re-evaluate the requirements backlog to ensure that the most valuable features are prioritized.

Daily meetings are essential:
The daily stand-ups that are essential within the Scrum development method are valued highly within agile software management generally. The few minutes of meeting at the start of each day are experienced as positive and helpful in all aspects of the process. Through effective and practical assessment, future problems can be avoided and existing problems solved.
Backlog administration requires discipline:
We have seen that strict documentation of all tasks is still difficult to achieve. Although product management software can play a useful role in controlling the process and tracking the progress of a sprint, the discipline to keep the current set of tasks and the time spent on each task up to date is still lacking. However, one of the agile principles is valuing individuals and interactions over processes and tools, which means that as long as the work gets done, project administration becomes less important.

Agile software development stresses rapid iterations, small and frequent releases, and evolving requirements facilitated by direct user involvement in the overall development process. The choice of development cycle is therefore subjective and consequential. In most cases agile proves to be one of the best methodologies for running the project cycle.

About Author:
Nisha Bhatt is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at: nisha.bhatt@spluspl.com

Thursday 18 September 2014

Project Management: Limelight on Business Value!!

A famous quote by Warren Buffett says: “Price is what you pay. Value is what you get.”

What did this project teach us?

Post-project reviews are conducted to determine the lessons learnt from the project and how we could have done better. The successes and shortcomings are also listed, which is helpful for future projects. Surveys are circulated to the project stakeholders and key project metrics are evaluated to understand whether we are meeting customer needs, whether we had the required participation, and so on.

This is the traditional way of evaluating projects at the end, and it is an excellent way of retrospection with the team, where we ask each other various questions and document our findings. This definitely helps in knowing what can change going ahead, and thus it is beneficial for future projects. But have we pondered the current project: can this process help it in any manner? There is no way to go back in time and make changes. And is this method alone giving you the correct value of the project? These questions definitely bother me when I look at the process from start to end. Many times people consider this the only time to assess the project and give feedback on its success or failure.

Oh yes, another successful project!

Another important facet linked to this procedure is the measurement of project success. The historical view would be ‘meeting the triple constraint’ – budget, scope and time. I am sure most of us have surpassed this definition and expanded our vision to measure true success. The evolution of this is to determine the value the project delivers to the organization. I also recently read that the new definition of project success is that a project can exceed its time and cost estimates so long as the client determines that it is successful, by whatever criteria they use.

Now I would like to get back to where I started this blog, with the famous quote by Warren Buffett. As we understand, a thorough post-project review and completing a project within the triple constraint are not factors that guarantee the necessary business value will be there at project completion. The correct business value is delivered when the customer feels assured that the product or service is worth paying for. Thus another parameter of success is whether the desired business value is achieved.

Does your customer feel ‘engaged’ in the project?

Let us now look at an additional way of evaluating our projects and determining success. There should be continuous reviews with the customers throughout the project life cycle to make sure project value is being met. From personal project management experience, having stakeholder meetings at regular planned intervals is extremely beneficial. We have weekly status meetings with the business and IT management, and the agenda includes:
  • Status of project
  • Quick preview of selected functionality
  • Setting up priorities for upcoming implementations
  • Discussing limitations of any kind 
  • Brainstorming issues on hand
  • Instant feedback on functionalities delivered
  • Any other discussions / concerns brought forward 

‘Engagement’ of the personnel who determine the true value of the project, throughout the entire life cycle, is the smart way to monitor and make changes on the go. Should customer satisfaction be obtained only at the end of the project? If we can benefit the project or our customer, why not do so all the while? This is observed in every walk of life. I recently visited a luxury resort for a holiday. On my second day, the general manager came to us and asked how every aspect of our stay was going. This is definitely a good trend in customer service: they did not wait for us to fill out a feedback survey at the end in order to fix something for the next stay. Why not make the current experience better through continuous engagement?

It is observed that in long-term projects the statement of work (SOW) is not always well defined. This adds more uncertainty to the outcomes of the project, with no guarantee of value at the end.

Who defines value in your project?
  • Sponsors
  • Higher management
  • Or the individual, in terms of what value it brings to them

How can managers achieve this value?
  • Communication – As I said before, the customer is part of the project and not an outside onlooker, so remain engaged with continuous reviews.
  • Initial goal alignment – The manager can also understand in the initial stages what project success means for the customer; this is a good start, and the project can proceed with this vision in mind.
  • Frequent interaction with all stakeholders reduces the risk of surprises at the end. It keeps everyone involved and feeling important as part of the project. It could be a mind-set shift for people following the waterfall model or project management standards alone.
  • Deliver on promises – Since you are engaging the customer all the while and seeking feedback too, make sure you deliver as promised.
  • Focus on the actual customer too – Focusing on the people who benefit from and receive the deliverables is also a key factor. The customer is whoever gets the actual deliverable in the end. In some scenarios, the product or service is bought by a party who is not the actual user but in turn gives it to a third party for use, like a company buying a website or web application for its users. In such a case, the product owner is not the end user.
  • Customer satisfaction scores – Managers can adopt a monthly scoring mechanism with some basic questions for the customers while the project is on, such as: How is the delivery going? Is the project well planned? Are there any major issues?

What will project managers need?
  • Team education: The team is aware of the process being followed and the value achieved through it.
  • Team culture: Develop a culture of communication within the team too, enabling members to be positive, focused, communicative with each other, accountable and courageous in taking decisions.
  • Manage expectations through communication.
  • Soft skills for the manager – sound judgement of situations and people, confidence, emotional intelligence, decisiveness, strong articulation.
  • Team empowerment to satisfy the customer – Teams are accountable for project results, quality improvements and total customer satisfaction. Empower your team to deliver them.
To make customers feel the value of what they are paying for, keep them engaged. Some might argue that this is possible only in Agile management, but it can also be done by layering agile principles on waterfall methodologies. A customer embedded in the project process brings transparency to the project, builds trust and confidence, educates the customer, and ensures that limitations are discussed and issues agreed.


About Author:
Kruti Gala is a lead consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at: kruti.g@spluspl.com

Thursday 4 September 2014

Different levels of Application Support

One of the confusing things about help desk management is that people don’t understand what Level 1, Level 2 and Level 3 help desk support are. Many don’t even know that Level 0 and Level 4 support exist, because not everyone talks about them. The levels are designed to group support personnel based on their abilities and, subsequently, pay. Here is my quick briefing on what each of these support levels does.
  1. Level 0 support – Level 0 is automated or self-service solutions that users can access themselves without the aid of the help desk, e.g. automated password resets.
  2. Level 1 support – Level 1 support staff are generally phone and email ticket responders. They are the first responders and have the ability to resolve basic queries that can be addressed directly. They filter help desk calls and provide basic support and troubleshooting such as password resets, printer configuration, break/fix instructions, ticket routing and escalation to Level 2 and Level 3 support. The Level 1 team gathers and analyzes information about the user’s issue and determines the best way to resolve the problem. Level 1 may also provide support for identified Level 2 and Level 3 issues where configuration solutions have already been documented.
  3. Level 2 support – Level 2 support is expected to handle basic system administration tasks and coordinate with Level 1 support operators to resolve customer issues. This is generally reserved for desktop, laptop and other user device support, but it may also share work with Level 3. Level 2 generally handles break/fix, configuration issues, troubleshooting, software installations and hardware repair. They handle escalated issues that Level 1 support is not equipped to handle. Level 2 will sometimes escalate to Level 3, depending on the issue and the way the help desk operates. Depending on the help desk organization, a Level 2 team may either
    1. be limited to solving known issues and escalate new issues to Level 3; or
    2. be authorized to research and implement fixes for new issues and escalate to Level 3 only if the issue is beyond their skill set or ability to solve.
  4. Level 3 support – Level 3 is a subject-matter expert (SME) group that covers the staff trained to resolve problems which cannot be handled by Level 2 support personnel. Staff in the Level 3 classification are generally expected to have a solid working knowledge of the company’s systems and software and to use that skill base in conjunction with innate problem-solving skills. Their work covers troubleshooting, configuration, database administration and repair for servers, networks, infrastructure, data centers, email, file shares and other infrastructure issues. Besides always having the ability to deploy solutions to new problems, a Level 3 person usually has the most expertise in a company and is the go-to person for solving difficult issues.
  5. Level 4 support – Not a commonly used term. Level 4 refers to those people outside the organization to whom you can escalate issues. This usually involves hardware and software vendors, such as vendor software support, printer and copier maintenance, heavy equipment maintenance, depot maintenance, etc. Level 4 support is contracted by an organization for specific services, but the providers are generally not part of the organization. It also covers senior administrators who are often called on to assess the abilities of new hires, train employees and report on the state of a company’s IT infrastructure, in addition to handling very specialized support functions.
Application support is essential for all software products, as it assures potential customers that any queries related to the application will be addressed and resolved. The support providers must be trained and efficient in resolving user queries and have a thorough knowledge of the product. Products with better application support sell better, as customers are assured of assistance should they face any queries.

About Author:
Manish Chandak is a social media enthusiast and works as a consultant with Systems Plus Pvt. Ltd. He actively contributes to the areas of technology and information security. He can be contacted at: manish.c@spluspl.com

Physical Security in Corporate

As organizations grow, their assets in terms of employees, data, IT hardware and software and other fixed assets grow too. To protect IT assets, which include databases, applications, networks and hardware devices, various software security methods such as firewalls, passwords and encryption are commonly used. However, the number of thefts of data and IT products (hardware and software) has not gone down and is continuously rising. Organizations have realized that software security, or logical security, alone is not sufficient to take care of these thefts. Hence, to reduce theft and data loss, physical security must be implemented, updated and managed by organizations. If implemented properly and efficiently it can completely eradicate such incidents. Physical security can be divided into two main categories: preventive security and curative / detective security.

Preventive Security: Preventive security can be implemented using various methods which prevent a security breach from taking place.
Some of the major methods and types of preventive physical security are listed below:
1. Swipe card access
2. Thumb impression or biometric controls
3. Regular training sessions on security
4. Infrastructure
  1. Swipe Card Access: This is a physical security method which has gained importance in recent years. It involves providing access cards to employees and deploying access locks on all doors or on certain restricted areas. Access can also be defined based on the designation of the employee in the organization. Whenever an access card is swiped at a door, the swipe date and time along with the employee ID are recorded in the system, which can then be analyzed by generating reports. Thus it helps reduce the chances of unauthorized access to restricted and office areas.
  2. Thumb Impression / Biometric Controls: This is another method, similar to the swipe card method. It is more evolved, as it unlocks the door only through the thumb impression or eye scan of the respective employee. An access card, if lost, can be misused. Thumb or palm impression and other biometric controls are a much more reliable and safe physical security method compared to access cards, as there is no question of misplacing the control! The equipment used for biometric controls is expensive compared to access cards, and hence it is used only for high-security areas or for areas where the most valuable assets of the organization are placed / deployed.
  3. Infrastructure: Last but not least, this is an important high-level physical security method which needs to be implemented during construction or renovation of the office. It is implemented by keeping in mind points such as: there should be fewer walls, surveillance should be easy, emergency exits should be easily accessible, and there should be one or two areas hidden from others where important and valuable assets can be maintained / deployed.
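As an added example (not code from the original post), the following Python snippet shows the two things the swipe card paragraph describes: the access decision driven by an employee's designation, and the report generated afterwards from the recorded swipe log. The door policy, the employee directory, the business hours and the swipe records are all constructed for this example.

```python
"""Designation-based door access and swipe-log review (added example, not the post's code)."""
from collections import Counter
from datetime import datetime

# Assumed policy: which designations may open which door (hypothetical names).
DOOR_POLICY = {
    "main-entrance": {"staff", "manager", "it-admin", "contractor"},
    "server-room": {"it-admin"},
    "finance-store": {"manager"},
}

# Constructed employee directory: card / employee ID -> designation.
EMPLOYEES = {"E100": "staff", "E200": "manager", "E300": "it-admin", "E400": "contractor"}

# Assumed business hours; granted swipes outside them are reported, not blocked.
OPEN_HOUR, CLOSE_HOUR = 8, 20

# Constructed swipe log: (date time, employee ID, door), as the access system would record it.
SWIPE_LOG = [
    ("2014-09-04 08:55", "E100", "main-entrance"),
    ("2014-09-04 09:10", "E100", "server-room"),
    ("2014-09-04 09:12", "E100", "server-room"),
    ("2014-09-04 10:02", "E999", "main-entrance"),
    ("2014-09-04 12:15", "E200", "finance-store"),
    ("2014-09-04 12:40", "E400", "server-room"),
    ("2014-09-04 21:30", "E300", "server-room"),
]


def is_authorized(designation, door, policy=DOOR_POLICY):
    """The decision the lock makes at swipe time: is this designation allowed through this door?"""
    return designation in policy.get(door, set())


def review_swipes(log, policy=DOOR_POLICY, employees=EMPLOYEES):
    """Turn the raw swipe log into the kind of report the post says is generated for analysis."""
    report = {
        "granted_per_door": Counter(),  # successful entries per door
        "denied": [],                   # swipes rejected by the designation policy
        "unknown_card": [],             # card IDs not present in the directory
        "after_hours": [],              # granted entries outside business hours
    }
    for ts_str, emp_id, door in log:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M")
        designation = employees.get(emp_id)
        if designation is None:
            report["unknown_card"].append((ts_str, emp_id, door))
            continue
        if not is_authorized(designation, door, policy):
            report["denied"].append((ts_str, emp_id, door))
            continue
        report["granted_per_door"][door] += 1
        if not OPEN_HOUR <= ts.hour < CLOSE_HOUR:
            report["after_hours"].append((ts_str, emp_id, door))
    # A card refused repeatedly at the same door is worth a follow-up with the card holder.
    denied_counts = Counter((emp_id, door) for _, emp_id, door in report["denied"])
    report["repeat_denied"] = {key: n for key, n in denied_counts.items() if n >= 2}
    return report


if __name__ == "__main__":
    for section, entries in review_swipes(SWIPE_LOG).items():
        print(section, dict(entries) if isinstance(entries, Counter) else entries)
```

The report deliberately separates a denied swipe (the policy worked) from an unknown card and from an after-hours entry (the policy allowed it, but someone should still look), since each of the three calls for a different follow-up.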
Other areas to be covered in physical security are:
  1. Regular training sessions on security: This is another important method of implementing and managing physical security. All your other physical security methods will not give the desired results if users are not trained regularly. This includes training employees periodically on security. The training may cover managing access cards, login passwords, lockers and drawers, and the handling of data and valuable assets of the organization. These sessions should be held regularly, and it is necessary to make sure that no employee skips them. Also ensure that third-party contractors / vendors who may be affected are covered by the training.
  2. Security Guards: This physical security method involves hiring and deploying people as security guards. It is a difficult method to deploy, as it involves human beings, who may breach that trust at any point in time. Thus, before deploying a security guard it is mandatory to do a background verification, so that the respective guard can be traced in case of a breach of security. Along with deploying security guards, it is important to deploy them in the right places, train them well and manage them in such a way that no guard is overworked or physically strained by the work.
Curative / Detective Security: Curative security can be implemented using various methods which identify the cause of a theft and the individual responsible. The common control for detection is CCTV cameras.
  1. CCTV Cameras: This technology has now become mandatory for all organizations, and it is implemented whenever an organization acquires a new office or branch. CCTV cameras (closed-circuit television cameras) are placed strategically so that the minimum number of units covers the maximum area under surveillance. There are fixed as well as rotating camera units, which are placed so that no area is missed. The feeds from all these cameras throughout the organization terminate at a central location called the control room, where a responsible employee monitors the whole organization. The recordings are stored on disks and can be used as evidence whenever required.
Thus it can be seen that security is important for organizational success and growth. Along with software security, physical security is also very important for protecting assets and reducing theft. Physical security can be implemented successfully by using all or some of the above methods, depending on the nature of your business and the type of your organization.

About Author:
Amol Bhembre is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, he actively contributes to the areas of Technology and Information Security. He can be contacted at: amol.b@spluspl.com

SQL Server & Data Security

Security is a crucial part of any mission-critical application. This post covers best practices for setting up and maintaining security in SQL Server.

Authentication:
SQL Server supports two modes of authentication: Windows Authentication and Mixed Mode Authentication. In accordance with SQL Server security best practices, always choose Windows Authentication for your SQL Server installation unless legacy applications require Mixed Mode Authentication for backward compatibility and access. Windows Authentication is more secure than Mixed Mode Authentication: when enabled, Windows credentials are trusted to log on to SQL Server. Windows logins use a series of encrypted messages to authenticate to SQL Server, and passwords are not passed across the network during authentication. Moreover, Active Directory provides an additional level of security with the Kerberos protocol. As a result, authentication is more reliable, and the management overhead can be reduced by using Active Directory groups for role-based access to SQL Server. In comparison, Mixed Mode Authentication allows both Windows accounts and SQL-Server-specific accounts to log in to SQL Server. The logon passwords of SQL logins are passed over the network for authentication, which makes SQL logins less secure than Windows logins.

Note: If you select Mixed Mode Authentication during setup, you must provide and then confirm a strong password for the built-in SQL Server system administrator account named sa. The sa account connects by using SQL Server Authentication.

Secure sysadmin account:
The sysadmin (sa) account is vulnerable when it exists unchanged. Potential SQL Server attackers are aware of this, and it makes an attack one step easier if they take control of this powerful account. To prevent attacks on the sa account by name, rename it to a different account name. To do that, in Object Explorer expand Logins, then right-click the sa account and choose Rename from the menu. Alternatively, execute the following T-SQL script to rename the sa account:

USE [master]
GO
ALTER LOGIN sa WITH NAME = [<New-name>]
GO

Membership of sysadmin fixed-server role and Control Server permission:
Carefully choose the membership of sysadmin fixed-server roles because members of this role can do whatever they want on SQL Server. Moreover, do not explicitly grant CONTROL SERVER permission to Windows logins, Windows Group logins and SQL logins because logins with this permission get full administrative privileges over a SQL Server installation. By default, the sysadmin fixed-server role has this permission granted explicitly.

Disable SQL Server Browser Service:
Make sure that the SQL Server Browser Service is running only on servers where multiple instances of SQL Server run on a single machine. The SQL Server Browser Service enumerates SQL Server information on the network, which is a potential security threat in a locked-down environment.

Disabling certain system stored procedures:
SQL Server comes with various system stored procedures, such as xp_cmdshell or sp_send_dbmail, that interact with the operating system or execute code outside of the normal SQL Server permissions and may constitute a security risk. Such stored procedures should therefore be treated specially.

Secure SQL Server Error Logs and registry keys:
Secure SQL Server Error Logs and registry keys using NTFS permissions because they can reveal a great deal of information about the SQL Server instance and installation.

Additional Instructions: Use SQL Server Surface Area Configuration to enforce a standard policy for extended procedure usage.
  • Document each exception to the standard policy.
  • Do not remove the system stored procedures by dropping them.
  • Do not DENY all users/administrators access to the extended procedures.

Hardening the network connectivity:
A default installation of SQL Server 2005 / 2008 uses TCP port 1433 for client requests and communications. This port is well known and a common target for attackers. Therefore it is recommended to change the default ports associated with the SQL Server installation.

Follow these steps to change the default port using the SQL Server Configuration Manager tool:
  1. Choose Start, All Programs, Microsoft SQL Server 2005/2008, Configuration Tools, SQL Server Configuration Manager.
  2. Expand the SQL Server 2008 Network Configuration node and select Protocols for the SQL Server instance to be configured.
  3. In the right pane, right-click the protocol name TCP/IP and choose Properties.
  4. In the TCP/IP Properties dialog box, select the IP Addresses tab.
  5. There is a corresponding entry for every IP address assigned to the server. Clear the values for both the TCP Dynamic Ports and TCP Port for each IP address except for the IP addresses under IPAll.
  6. In the IPAll section for each instance, enter a new port that you want SQL Server 2008 to listen on.
  7. Click Apply and restart the SQL Server Services.

SQL Data Security

Prevent SQL Injection Attacks:
SQL, or Structured Query Language, is the command-and-control language for relational databases such as Microsoft SQL Server, Oracle and MySQL. In modern web development, these databases are often used on the back end of web applications and content management systems, meaning that both the content and behavior of many web sites is built on data in a database server. A successful attack on the database that drives a website or web application can potentially give an attacker a broad range of powers, from modifying web site content ("defacing") to capturing sensitive information such as account credentials or internal business data.

Defending Against SQL Injection Attacks:
The good news is that there is a lot that web site owners can do to defend against SQL injection attacks. Although there is no such thing as a 100 percent guarantee in network security, formidable obstacles can be placed in the path of SQL injection attempts.

  • Comprehensive data sanitization. Web sites must filter all user input. Ideally, user data should be filtered for context: for example, e-mail addresses should be filtered to allow only the characters permitted in an e-mail address, phone numbers only the characters permitted in a phone number, and so on.
  • Use a web application firewall. A popular example is the free, open source module ModSecurity, which is available for the Apache, Microsoft IIS and nginx web servers. ModSecurity provides a sophisticated and continually evolving set of rules to filter potentially dangerous web requests. Its SQL injection defenses can catch most attempts to sneak SQL through web channels.
  • Limit database privileges by context. Create multiple database user accounts with the minimum privileges needed for their usage environment. For example, the code behind a login page should query the database using an account limited to the relevant credentials table. This way, a breach through this channel cannot be leveraged to compromise the entire database.
  • Avoid constructing SQL queries with user input. Even data sanitization routines can be flawed. Binding SQL variables with prepared statements or stored procedures is much safer than constructing full queries from strings.

Any one of these defenses significantly reduces the chances of a successful SQL injection attack. Implementing all four is a best practice that provides an extremely high degree of protection. Despite how widespread the attack is, your web site does not have to be SQL injection's next victim.
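As an added example (not code from the original post), the following Python snippet places a string-built query beside its parameterized form and combines the context filter from the first bullet with the variable binding from the last. It uses Python's built-in sqlite3 module as a stand-in for SQL Server so that it runs offline; the users table, the two constructed accounts and the e-mail pattern are all assumptions of this example.

```python
"""String-built query beside its parameterized form (added example, not the post's code)."""
import re
import sqlite3

# Context filter for e-mail addresses (an assumed, deliberately simple pattern).
# The apostrophe is a legal character in the local part, so filtering alone
# cannot keep a quote from reaching the query; only binding makes it harmless.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value):
    """Accept only characters that can appear in an e-mail address."""
    return EMAIL_RE.fullmatch(value) is not None


def make_db():
    """Constructed in-memory stand-in for the credentials table (sqlite3, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, pw_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("o'brien@example.com", "hash-b")],
    )
    return conn


def find_user_unsafe(conn, email):
    """VULNERABLE: the input becomes part of the SQL text, so a quote in it changes the query's structure."""
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, email):
    """HARDENED: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchone()


def lookup(conn, email):
    """Defence in depth: filter by context first, then bind the value."""
    if not validate_email(email):
        return None
    return find_user_safe(conn, email)


def unsafe_query_breaks(conn, email):
    """True when the concatenated query is no longer valid SQL for this input."""
    try:
        find_user_unsafe(conn, email)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for address in ("alice@example.com", "o'brien@example.com", "not an address"):
        print(address, "->", lookup(db, address), "| unsafe query breaks:", unsafe_query_breaks(db, address))
```

The apostrophe in o'brien@example.com is legitimate in an e-mail address, so the context filter rightly lets it through, yet it is enough to break the concatenated query: the structure of that statement is under the user's control. The bound version returns the matching row, which is why the post recommends binding even when inputs are sanitized.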

About Author:
Amit Gupta is a technology lead in Systems Plus Pvt. Ltd and keen to resolve challenges using his technical skills. He actively contributes to technology and can be contacted at: amit.gupta@spluspl.com