Niskaa Solutions
We provide services to meet your security needs


A day in the life of IT security
#Niskaa #ITSecurity #Security

The new cyber warfare

Cyber threats continue to plague governments and businesses around the world. These threats are on the rise as cyber criminals increase their focus and know-how. The problem demands an international solution. ISO/IEC 27001 provides a management framework for assessing and treating risks, whether cyber-oriented or otherwise, that can damage businesses, governments, and even the fabric of a country's national infrastructure.

Information security incidents are on the rise as cyber criminals increase their focus on both large and small businesses. An in-depth study of the state of information security by the Department for Business, Innovation & Skills has highlighted the scale of information security threats in the UK. The study – The 2013 Information Security Breaches Survey – reveals that attacks against small businesses have increased by 10 % in the past year, costing up to 6 % of their turnover.

Companies have no choice but to protect themselves.

Surprised? Don't be. The threat landscape of mobile security is moving at a very rapid pace. Mobile hackers are on the prowl, cooperating with cyber criminals to pass on stolen private and business information. What's more, threats in the mobile landscape are becoming smarter and are increasingly targeting mobile devices. According to reports from CNN Hong Kong and NQ Mobile, the dramatic growth in mobile malware is intensifying, estimated to be up by 163 %. An astounding figure by any measure.

Identity thieves have also regained the upper hand, suggests a 2013 survey released by fraud research firm Javelin Strategy & Research. The firm's annual survey reports that, in 2012, identity fraud incidents increased by more than one million victims and fraudsters stole more than USD 21 billion, the highest amount since 2009.

More and more organizations are embracing online opportunities to promote their business and solidify their position in the marketplace through the use of mobile devices and apps, not to mention social networking sites. In so doing, these companies are magnifying the number and sophistication of threats targeted at them. Today's companies have no choice but to protect themselves by implementing the ISO/IEC 27001 standard.

Used internationally since 2005, ISO/IEC 27001 has helped thousands of organizations boost their information security. The popular management system standard has recently been updated and is now available in a new and improved version – ISO/IEC 27001:2013. This second edition takes account of past user experiences, improvements in security controls apt for today's IT environment, namely identity theft, risks related to mobile devices and other online vulnerabilities, and aligns with other management systems.

Business boom and bust

Cyber security is not just an IT challenge, it is critical to the running of any business.
According to Prinya Hom-anek, President of ACIS, Thailand, the benefits of using a framework for managing cyber risks cannot be overstated: “To tackle the cyber problem, we not only need more robust technical solutions, we need management solutions to improve the business processes to handle the risks to confidentiality, integrity and availability of information and, very importantly, to improve the awareness and skills of staff and users to achieve this protection.”

    Attacks against small businesses increased by 10 % in the past year, costing up to 6 % of their turnover.

He also notes: "ISO/IEC 27001 […] has helped us to improve our defences against cyber-attacks and, in turn, enabled us to offer better security in the services we provide our customers. As a result, our customers have greater trust and confidence in us as a secure business partner.”

Cyber risks cause much harm to online markets by compromising electronic transactions and inflicting costly damage. For José Renato Hopf of GetNet, one of the suppliers of managed technology solutions and business services for electronic transactions in Latin America, it is important for companies to stay ahead of the cyber security game: "GetNet decided to implement an effective Information Security Management System (ISMS), based on ISO 27001:2013, to protect its Data Centre located in Campo Bom, Rio Grande do Sul (Brazil), against threats and vulnerabilities, and to preserve the confidentiality, integrity and availability of its information.

In addition to the adoption of the best information security practices […] ISO 27001:2013 will increase the confidence of our clients, partners and other interested parties.”

Service and security combined

Establishing and maintaining customer confidence is key to all successful businesses. Organizations such as CINDA, one of the big-four asset management companies representing the financial industry in China, have benefited commercially from building customer confidence through the combined use of an information security management system based on ISO/IEC 27001 with an IT service management system based on ISO/IEC 20000-1.

Jioa Yuan, General Manager at CINDA's IT Department, comments: “In the financial sector, CINDA was the first company to gain the two management standards certifications from both domestic and international certification bodies. Our ISMS has been improved continually to meet business development and to adapt to the corporate culture. With the establishment and operation of the ISMS, the company has been constantly improving its corporate information management security, and helping to win the confidence of customers and regulators.”

    In 2012, identity fraud incidents increased by more than one million victims (the highest amount since 2009).

The broad applicability and usefulness of ISO/IEC 27001 provides unlimited business opportunities for managing risks and building customer confidence. According to Brendan Smith, Chief Information Security Officer at Fujitsu, the benefits of using integrated management systems make for a win-win situation: “Fujitsu Australia uses ISO/IEC 27001 for internal security management, as well as integrating it with ISO/IEC 20000 to provide secure services to our managed clients. We appreciate having a framework that can cover both scenarios, and enable a single management overview of the state of our security implementation.”

"As a global organization, we deliver services from diverse locations. A key benefit of using an internationally recognized standard such as ISO/IEC 27001 is that it gives our clients the assurance that we have implemented security management to a common level."

And there's more. Fujitsu builds communities of security professionals at executive and management levels within a common framework defined by ISO/IEC 27001. In the long term, Fujitsu Australia will continue to improve the implementation and use of ISO/IEC 27001 (and related standards) throughout its business areas including information services and cloud computing.

Market enabler

Organizations that manage their information security risks through ISO/IEC 27001 certification are well recognized by the marketplace. Tony Plummer of Stralfors UK explains how ISO/IEC 27001 establishes credibility and allows the company to differentiate itself from competitors.

    The threat landscape of mobile security is moving at a very rapid pace.

“ISO/IEC 27001 certification has come to be regarded as a prerequisite for the vast majority of existing and prospective clients. Simply put, our qualification to ISO/IEC 27001 provides us with a ‘ticket to the game’. This may be evidenced by the fact that certification is mandatory for organizations like Stralfors that wish to print or personalize cheques. There is no doubt that compliance to ISO/IEC 27001 has seen us improve our own approach to all aspects of information security and physical security. In addition to this, particular benefits have been seen in colleague awareness and supplier selection and management.”

Weapon of choice

ISO/IEC 27001 has become synonymous with information security. It has been an outstanding success in the business community, reaching out to provide protection and benefits to organizations across all sectors, regardless of size and nature of business.

The businesses questioned above are just the "tip of the iceberg". Thousands of organizations around the world use ISO/IEC 27001 to manage their information security risks. And in a world increasingly plagued by cyber-attacks and other threats, anything else would be unthinkable.

Cisco says chat client vulnerable to man-in-the-middle attack

Californian tech giant #Cisco has released an advisory statement explaining that its chat client Jabber is currently vulnerable to a man-in-the-middle attack.
Found in the #Windows client of Jabber, the vulnerability could allow an unauthenticated, remote attacker to perform a STARTTLS downgrade attack.
Discovered by Renaud Dubourguais and Sébastien Dudek from Synacktiv, a French cyber-security firm, the vulnerability affects the 10.6.x, 11.0.x, and 11.1.x releases.
Currently the client does not verify that the Extensible Messaging and Presence Protocol (XMPP) connection has been established with Transport Layer Security (TLS).
XMPP enables the near-real-time exchange of structured yet extensible data between any two or more network entities.
Renaud Dubourguais explained, “Cisco Jabber is installed on an employee's computer and configured to connect to a Jabber server deployed by the company. During the connection process, an XMPP negotiation occurs to decide whether they have to use a secured communication (TLS) or not, which is where the vulnerability is. Once the negotiation is done, the client sends the company login details through XMPP messages to authenticate the employee and chats can start.”
This means that subsequently, the attacker could cause the client to establish a plaintext XMPP connection. The report from Synacktiv says, “A successful exploitation could allow anyone to wiretap communications, steal user credentials, but also tamper messages sent between the client and the Jabber gateway.”
Cisco has released software updates that address this vulnerability, but as there are currently no workarounds available, the only way to make sure end users are protected would be to make sure their Jabber client is fully patched and up to date.
Gavin Millard, chief technical officer EMEA at Tenable Network Security, commented, “To finish off the year of multiple downgrade attacks against SSL/TLS, the recently announced Cisco Jabber client issue is similar to many we've experienced in 2015.
“As with many of the downgrade vulnerabilities, an attacker could manipulate the communication path to force a lower level of encryption between the client and server, making it easier to gain visibility into the data flow. What is of concern in this particular example though, is the fact the downgrade is to cleartext rather than a less secure implementation of SSL.”
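The defensive check at the heart of this advisory is simple to state: an XMPP client must not hand over credentials until it has confirmed that TLS was actually negotiated, whatever the server's stream features said. The block below is an added illustration written for this page, not Cisco's or Synacktiv's code. It uses the real RFC 6120 namespaces, but the stanzas are constructed samples and the "transport" is just strings, so it runs offline. The `require_tls` flag contrasts the vulnerable behaviour the article describes (follow whatever the negotiation produced) with the behaviour a patched client should have (refuse to authenticate without TLS).

```python
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"          # RFC 6120 STARTTLS namespace
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"        # RFC 6120 SASL namespace
NS_STREAM = "http://etherx.jabber.org/streams"

# Constructed sample stanzas (not captured traffic).  The first is what a
# correctly configured server advertises.  The second is what the client sees
# when the STARTTLS offer is absent, whether because the server is
# misconfigured or because something on the path removed it.
FEATURES_WITH_TLS = (
    f'<stream:features xmlns:stream="{NS_STREAM}">'
    f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
    f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)
FEATURES_WITHOUT_TLS = (
    f'<stream:features xmlns:stream="{NS_STREAM}">'
    f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)
PROCEED = f'<proceed xmlns="{NS_TLS}"/>'   # server reply that allows the TLS handshake
FAILURE = f'<failure xmlns="{NS_TLS}"/>'   # server reply that declines it


class DowngradeRefused(Exception):
    """The client stops because TLS was not negotiated."""


def server_offers_starttls(features_xml):
    """True if <stream:features> carries a <starttls/> element in the TLS namespace."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{NS_TLS}}}starttls") is not None


def tls_negotiated(reply_xml):
    """True only for a <proceed/> reply; <failure/> or anything else counts as no TLS."""
    return ET.fromstring(reply_xml).tag == f"{{{NS_TLS}}}proceed"


def authenticate(features_xml, starttls_reply_xml=None, require_tls=True):
    """Return the channel state at the moment credentials would be sent.

    require_tls=True  -> patched behaviour: credentials only ever go over TLS.
    require_tls=False -> the vulnerable behaviour the advisory describes: the
                         client follows whatever the negotiation produced.
    """
    if server_offers_starttls(features_xml) and tls_negotiated(starttls_reply_xml):
        # A real client would now wrap the socket in TLS, verify the server
        # certificate and restart the stream before sending SASL PLAIN.
        return "credentials sent over TLS"
    if require_tls:
        raise DowngradeRefused("TLS was not negotiated; not sending credentials")
    return "credentials sent in plaintext"


if __name__ == "__main__":
    print(authenticate(FEATURES_WITH_TLS, PROCEED))
    try:
        authenticate(FEATURES_WITHOUT_TLS)
    except DowngradeRefused as exc:
        print("refused:", exc)
    print(authenticate(FEATURES_WITHOUT_TLS, require_tls=False))
```

The design point is that the decision is made on the outcome of the TLS step, not on the offer: a `<starttls/>` element that was advertised but answered with `<failure/>` is treated exactly like no offer at all, which is what the patched client needs to do.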

Source: scmagazine

The What, Why, and How of Energy Management

This article explains what "energy management" is, why it's important, and how you can use it to save energy.

We'll start with the "what", and then move on to the "why", and the "how":

What is #energy_management?

"Energy management" is a term that has a number of meanings, but we're mainly concerned with the one that relates to saving energy in businesses, public-sector/government organizations, and homes:

The energy-saving meaning

When it comes to energy saving, energy management is the process of monitoring, controlling, and conserving energy in a building or organization. Typically this involves the following steps:

1. Metering your energy consumption and collecting the data.
2. Finding opportunities to save energy, and estimating how much energy each opportunity could save. You would typically analyze your meter data to find and quantify routine energy waste, and you might also investigate the energy savings that you could make by replacing equipment (e.g. lighting) or by upgrading your building's insulation.
3. Taking action to target the opportunities to save energy (i.e. tackling the routine waste and replacing or upgrading the inefficient equipment). Typically you'd start with the best opportunities first.
4. Tracking your progress by analyzing your meter data to see how well your energy-saving efforts have worked.

(And then back to step 2, and the cycle continues...)

To confuse matters, many people use "energy management" to refer specifically to those energy-saving efforts that focus on making better use of existing buildings and equipment. Strictly speaking, this limits things to the behavioural aspects of energy saving (i.e. encouraging people to use less energy by raising energy awareness), although the use of cheap control equipment such as timer switches is often included in the definition as well.

The above four-step process applies either way - it's entirely up to you whether you consider energy-saving measures that involve buying new equipment or upgrading building fabric.

Other meanings

Aircraft energy management isn't relevant to this article, but it does make for a good picture...
It's not just about saving energy in buildings - the term "energy management" is also used in other fields:

- It's something that energy suppliers (or utility companies) do to ensure that their power stations and renewable energy sources generate enough energy to meet demand (the amount of energy that their customers need).

- It's used to refer to techniques for managing and controlling one's own levels of personal energy. We're far from qualified to say anything more about this!

- It also has relevance in aviation – it's a skill that aircraft pilots learn in some shape or form. We know nothing about aircraft energy management, but we can at least manage a picture of a man on a plane...

Anyway, from now on we will pay no more attention to these other definitions - all further references to "energy management" will be to the energy-saving sort described above.

Home energy management

Whilst energy management has been popular in larger buildings for a long time, it has only recently started catching on in homes. Most home owners aren't even aware of the term, and take more of a haphazard, flying-blind approach to reducing their energy consumption...

But the monitoring- and results-driven approach used by professional energy managers is just as effective in the home as it is in larger buildings.

So, if you're a homeowner looking to save energy, don't be put off by the fact that this article focuses more on non-residential buildings. Most of the principles that apply to businesses and other organizations are also applicable to homes. Certainly the four-step process introduced above and detailed below is entirely applicable to home energy management.

Why is it important?

Energy management is the key to saving energy in your organization. Much of the importance of energy saving stems from the global need to save energy - this global need affects energy prices, emissions targets, and legislation, all of which lead to several compelling reasons why you should save energy at your organization specifically.

The global need to save energy

If it wasn't for the global need to save energy, the term "energy management" might never have even been coined... Globally we need to save energy in order to:

- Reduce the damage that we're doing to our planet, Earth. As a human race we would probably find things rather difficult without the Earth, so it makes good sense to try to make it last.
- Reduce our dependence on the fossil fuels that are becoming increasingly limited in supply.

Controlling and reducing energy consumption at your organization

Energy management is the means to controlling and reducing your organization's energy consumption... And controlling and reducing your organization's energy consumption is important because it enables you to:

- Reduce costs – this is becoming increasingly important as energy costs rise.
- Reduce carbon emissions and the environmental damage that they cause - as well as the cost-related implications of carbon taxes and the like, your organization may be keen to reduce its carbon footprint to promote a green, sustainable image. Not least because promoting such an image is often good for the bottom line.
- Reduce risk – the more energy you consume, the greater the risk that energy price increases or supply shortages could seriously affect your profitability, or even make it impossible for your business/organization to continue. With energy management you can reduce this risk by reducing your demand for energy and by controlling it so as to make it more predictable.

On top of these reasons, it's quite likely that you have some rather aggressive energy-consumption-reduction targets that you're supposed to be meeting at some worrying point in the near future... Your understanding of effective energy management will hopefully be the secret weapon that will enable you to meet those aggressive targets...

How best to manage your energy consumption?

We identified four steps to the energy-management process above. We'll cover each of them in turn:

1. Metering your energy consumption and collecting the data

As a rule of thumb: the more data you can get, and the more detailed it is, the better.

The old school approach to energy-data collection is to manually read meters once a week or once a month. This is quite a chore, and weekly or monthly data isn't nearly as good the data that comes easily and automatically from the modern approach...

The modern approach to energy-data collection is to fit interval-metering systems that automatically measure and record energy consumption at short, regular intervals such as every 15-minutes or half hour. There's more about this on our page about interval data.

Detailed interval energy consumption data makes it possible to see patterns of energy waste that it would be impossible to see otherwise. For example, there's simply no way that weekly or monthly meter readings can show you how much energy you're using at different times of the day, or on different days of the week. And seeing these patterns makes it much easier to find the routine waste in your building.

2. Finding and quantifying opportunities to save energy

The detailed meter data that you are collecting will be invaluable for helping you to find and quantify energy-saving opportunities. We've written an article that explains more about how to analyze your meter data to find energy waste.

The easiest and most cost-effective energy-saving opportunities typically require little or no capital investment.

For example, an unbelievable number of buildings have advanced control systems that could, and should, be controlling HVAC well, but, unbeknown to the facilities-management staff, are faulty or misconfigured, and consequently committing such sins as heating or cooling an empty building every night and every weekend.

(NB "HVAC" is just an industry acronym for Heating, Ventilation and Air Conditioning. It's a term that's more widely used in some countries than others.)

And one of the simplest ways to save a significant amount of energy is to encourage staff to switch equipment off at the end of each working day.

Looking at detailed interval energy data is the ideal way to find routine energy waste. You can check whether staff and timers are switching things off without having to patrol the building day and night, and, with a little detective work, you can usually figure out who or what is causing the energy wastage that you will inevitably find.

And, using your detailed interval data, it's usually pretty easy to make reasonable estimates of how much energy is being wasted at different times. For example, if you've identified that a lot of energy is being wasted by equipment left on over the weekends, you can:

a. Use your interval data to calculate how much energy (in kWh) is being used each weekend.
b. Estimate the proportion of that energy that is being wasted (by equipment that should be switched off).
c. Using the figures from a and b, calculate an estimate of the total kWh that are wasted each weekend.

Alternatively, if you have no idea of the proportion of energy that is being wasted by equipment left on unnecessarily, you could:

i. Walk the building one evening to ensure that everything that should be switched off is switched off.
ii. Look back at the data for that evening to see how many kW were being used after you switched everything off.
iii. Subtract the target kW figure (ii) from the typical kW figure for weekends to estimate the potential savings in kW (power).
iv. Multiply the kW savings by the number of hours over the weekend to get the total potential kWh energy savings for a weekend.
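Both estimation procedures above reduce to a few aggregations over interval data, and the easiest way to get them right (and repeatable) is to code them once. The block below is an added worked example for this page, not part of the Energy Lens article or software. The week of 15-minute readings is constructed inline (a real meter export would be parsed instead): weekday working hours run at 40 kW, everything else idles at 12 kW, and on the Friday evening a hypothetical walk-round switch-off drops the load to 5 kW, which provides the "target kW" figure of step ii.

```python
from datetime import datetime, timedelta

INTERVAL_HOURS = 0.25    # 15-minute interval data: kWh per interval = kW * 0.25
WEEKEND_HOURS = 48       # Saturday 00:00 to Monday 00:00

# Hypothetical walk-round: everything non-essential switched off on Friday
# evening from 21:00, so the readings from 21:00 to midnight are the target.
FRIDAY_WALK_ROUND = (datetime(2024, 1, 5, 21, 0), datetime(2024, 1, 6, 0, 0))


def constructed_week(start=datetime(2024, 1, 1)):
    """Constructed interval data for one week starting on a Monday.

    Returns a list of (timestamp, kWh) tuples, one per 15-minute interval.
    """
    readings = []
    for i in range(7 * 96):                       # 96 intervals per day
        ts = start + timedelta(minutes=15 * i)
        if ts.weekday() < 5 and 8 <= ts.hour < 18:
            kw = 40                               # weekday working hours
        elif ts.weekday() == 4 and ts.hour >= 21:
            kw = 5                                # Friday after the walk-round
        else:
            kw = 12                               # nights and weekends: routine idle load
        readings.append((ts, kw * INTERVAL_HOURS))
    return readings


def average_kw(readings, start, end):
    """Average power (kW) over the intervals whose timestamp lies in [start, end)."""
    kwh = [e for ts, e in readings if start <= ts < end]
    return sum(kwh) / (len(kwh) * INTERVAL_HOURS)


def weekend_kwh(readings):
    """Step a: total energy (kWh) used on Saturday and Sunday."""
    return sum(e for ts, e in readings if ts.weekday() >= 5)


def waste_by_proportion(readings, wasted_fraction):
    """Steps a to c: weekend kWh multiplied by the fraction judged to be waste."""
    return weekend_kwh(readings) * wasted_fraction


def waste_by_switch_off(readings, walk_round_start, walk_round_end):
    """Steps i to iv: typical weekend kW minus the kW seen after the walk-round
    switch-off, scaled over the hours of a weekend."""
    saturday = next(ts for ts, _ in readings if ts.weekday() == 5)
    saturday = saturday.replace(hour=0, minute=0)
    typical_kw = average_kw(readings, saturday, saturday + timedelta(hours=WEEKEND_HOURS))
    target_kw = average_kw(readings, walk_round_start, walk_round_end)   # step ii
    return (typical_kw - target_kw) * WEEKEND_HOURS                       # steps iii and iv


if __name__ == "__main__":
    week = constructed_week()
    print("weekend kWh:", weekend_kwh(week))
    print("waste, assuming half is avoidable:", waste_by_proportion(week, 0.5), "kWh")
    print("waste, from the walk-round target:", waste_by_switch_off(week, *FRIDAY_WALK_ROUND), "kWh")
```

On the constructed week the two methods give different answers (288 kWh versus 336 kWh), which is the point the article makes: the proportion in step b is a guess, whereas the walk-round figure in step ii is measured.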

Also, most buildings have open to them a variety of equipment- or building-fabric-related energy-saving opportunities, most of which require a more significant capital investment. You are probably aware of many of these, such as upgrading insulation or replacing lighting equipment, but good places to look for ideas include the Carbon Trust and Energy Star websites.

Although your detailed meter data won't necessarily help you to find these equipment- or building-fabric-related opportunities (e.g. it won't tell you that a more efficient type of lighting equipment exists), it will be useful for helping you to quantify the potential savings that each opportunity could bring. It's much more reliable to base your savings estimates on real metered data than on rules of thumb alone. And it's critically important to quantify the expected savings for any opportunity that you are considering investing a lot of time or money into – it's the only way you can figure out how to home in on the biggest, easiest energy savings first.

3. Targeting the opportunities to save energy

Just finding the opportunities to save energy won't help you to save energy - you have to take action to target them...

For those energy-saving opportunities that require you to motivate the people in your building, our article on energy awareness should be useful. It can be hard work, but, if you can get the people on your side, you can make some seriously big energy savings without investing anything other than time.

As for those energy-saving opportunities that require you to upgrade equipment or insulation: assuming you've identified them, there's little more to be said. Just keep your fingers crossed that you make your anticipated savings, and be thankful that you don't work for the sort of organization that won't invest in anything with a payback period over 6 months.

4. Tracking your progress at saving energy

Once you've taken action to save energy, it's important that you find out how effective your actions have been:

- Energy savings that come from behavioural changes (e.g. getting people to switch off their computers before going home) need ongoing attention to ensure that they remain effective and achieve their maximum potential.
- If you've invested money into new equipment, you'll probably want to prove that you've achieved the energy savings you predicted.
- If you've corrected faulty timers or control-equipment settings, you'll need to keep checking back to ensure that everything's still working as it should be. Simple things like a power cut can easily cause timers to revert back to factory settings - if you're not keeping an eye on your energy-consumption patterns you can easily miss such problems.
- If you've been given energy-saving targets from above, you'll need to provide evidence that you're meeting them, or at least making progress towards that goal...
- And occasionally you might need to prove that progress isn't being made (e.g. if you're at your wits' end trying to convince the decision makers to invest some money into your energy-management drive).

Our article on energy-performance tracking explains how best to analyze your metered energy data to see how well you're making progress at saving energy. Like step 2, this step is one that our Energy Lens software has been specifically designed to help with.

Managing your energy consumption effectively is an ongoing process

At the very least you should keep analyzing your energy data regularly to check that things aren't getting worse. It's pretty normal for unwatched buildings to become less efficient with time: it's to be expected that equipment will break down or lose efficiency, and that people will forget the good habits you worked hard to encourage in the past...

So at a minimum you should take a quick look at your energy data once a week, or even just once a month, to ensure that nothing has gone horribly wrong... It's a real shame when easy-to-fix faults such as misconfigured timers remain unnoticed for months on end, leaving a huge energy bill that could have easily been avoided.

But ideally your energy-management drive will be an ongoing effort to find new opportunities to target (step 2), to target them (step 3), and to track your progress at making ongoing energy savings (step 4). Managing your energy consumption doesn't have to be a full-time job, but you'll achieve much better results if you make it part of your regular routine.

Source: energylens

New to Lean Six Sigma?

If you're just beginning to learn about Lean Six Sigma, MoreSteam has many free resources to assist you.

This page covers the following topics:

- What is "Six Sigma"?
- The Five Phases of Six Sigma
- Then what is "Lean"?
- So how did it become Lean Six Sigma?
- What are "Belts"?
- And what is Design for Six Sigma?
- Statistics, Tools and Techniques

What is "Six Sigma"?

Six Sigma is a comprehensive and flexible system for achieving, sustaining and maximizing business success. Period.
What makes Six Sigma different? Six Sigma is uniquely driven by a close understanding of customer needs, disciplined use of facts, data, and statistical analysis, and diligent attention to managing, improving, and reinventing business processes (from the book The Six Sigma Way by Pande, Neuman, and Cavanagh).
The Six Sigma methodology is based on the concept that "process variation" (e.g., customer waiting times at a call center varying between ten seconds and three minutes) can be reduced using statistical tools.

The ideal goal is to fix a process so that it will be 99.9997% defect free or produce only 3.4 Defects per million opportunities or less!
For example, this could mean 3-4 broken light bulbs in one million produced, or 3-4 customer calls with waiting times more than one minute. From a statistical standpoint, this means that a process centered at the target has six Standard Deviations (sigma) between the process mean (the target) and the nearest specification limit.

The Five Phases of Six Sigma
Six Sigma projects are built on a DMAIC framework of five phases: Define, Measure, Analyze, Improve, Control.

These phases each contain a set of tools and techniques that guide the problem solver through the improvement process from start to finish.

Then what is "Lean"?

Lean (also referred to as Lean Methods or Lean Speed) is a set of tools developed to reduce the waste associated with the flow of materials and information in a process from beginning to end.

The goal of Lean is to identify and eliminate non-essential and non-value added steps in the business process in order to streamline production, improve quality and gain customer loyalty.

So how did it become Lean Six Sigma?

Using more problem-solving techniques can help solve a larger number and variety of business problems. Starting in the 1980s, consultants trained in both techniques realized the synergy between Lean and Six Sigma and began to push for the combination of the different tools of Six Sigma (focused on improving quality) and Lean (focused on removing waste).
Thus, Lean Six Sigma (LSS) was born.
A combined management approach, LSS amplifies the strengths and minimizes the weaknesses of both approaches when used alone.
Increasingly popular, Lean Six Sigma first emphasizes the use of Lean methodologies and tools to identify and remove waste and increase process velocity, then follows that with the use of Six Sigma methodologies and tools to identify and reduce or remove process variation.

Most deployments (organizations that run quality initiatives within a company) now choose to use Lean Six Sigma rather than just one or the other methodology.

What are "Belts"?
A "Belt" signifies experience. Practitioners are given a "Belt" title (Black Belt, Green Belt, Yellow Belt) that corresponds to their level of experience.
This roughly corresponds to their hierarchy in martial arts, with darker colored belts indicating more experience (more training, more knowledge and skills). For a visual example of what this looks like, visit our Belt comparison page.
Black Belt
A Black Belt has expert knowledge and skills related to the DMAIC methodology, Lean methods, and team leadership.
Black Belts should be able to lead any team across the organization in executing Lean Six Sigma projects. Black Belts may also conduct Lean Six Sigma training and act as coaches and mentors to other Belts-in-training.
Black Belt training can be obtained from a variety of sources but is typically between 140 and 160 hours in duration and includes instruction in the use of statistical data analysis, designed experiments, team leadership, and project management.
Black Belt Certification - the recognition of both knowledge and the practical application of skills - is offered by MoreSteam, the American Society for Quality (ASQ) and other organizations and consulting firms.
Green Belt
A Green Belt has strong knowledge and skills related to the DMAIC methodology and Lean methods, but typically does not have experience with advanced statistical tools such as design of experiments (DOE).
Green Belts may lead simple projects under the guidance of a Black Belt or may work as a team member on a large project team.
Green Belt training can be obtained from a variety of sources, but is typically less than 100 hours in duration and includes instruction in the basic use of statistical data analysis, with emphasis on team problem-solving techniques.
Green Belt Certification - the recognition of both knowledge and the practical application of skills - is offered by MoreSteam, the American Society for Quality (ASQ) and other organizations and consulting firms.

Yellow Belt
A Yellow Belt is trained in the general Lean Six Sigma concepts and basic tools.

A company deploying Lean Six Sigma may choose to designate project team members as Yellow Belts after completing a required training course, or may use the designation for employees responsible for data collection for a Green Belt or Black Belt project.
The Yellow Belt body of knowledge is defined quite differently by different organizations. In some cases, it may represent only the most basic concepts and language of Six Sigma, with an overview of the DMAIC process. In other cases, Yellow Belts are trained in a more complete set of basic tools, typically representing 15 to 25 hours of training.

Champion
A project Champion is a high-ranking manager who will work with a Black Belt to ensure that barriers to project success are removed and the project team has the organizational support it needs to be effective.

Champions are not expected to be experts in the statistical tools or even experts in the project's specific subject matter. Instead, they must possess a breadth of organizational knowledge to ensure that the project team's work is aligned with the organization's strategic objectives and interfaces effectively across the organization. A champion must also have the organizational clout to 'make things happen.'

White Belt

A White Belt has received a small amount (several hours) of awareness training. Enough to be dangerous!
Most White Belts are executives or staff who need to know the very basics of process improvement. White Belt training is used to assist change management and cultural buy-in from professionals who won't use the tools but may be impacted by projects.

And what is Design for Six Sigma (DFSS)?

Lean Six Sigma tries to fix broken processes that already exist. But what if there were a way to create higher quality processes at the design stage?

A variant of Six Sigma, Design For Six Sigma (DFSS) is a methodology used to design from scratch or re-design a product or process to one that meets customer requirements and has an expected quality level of Six Sigma.

DFSS is about "getting it right the first time" instead of improving later (the focus of DMAIC Six Sigma). That's the point where the cost of change is lowest and the ease of implementation is the highest.

Design for Lean Six Sigma (DFLSS)?

That's where Lean is added to the mix, so it's all the tools and techniques put together. A growing number of deployments are describing their efforts as DFLSS.

Statistics, Tools and Techniques

The LSS methodology relies on an impressive number of tools and techniques, many of which (e.g., Fishbone Diagrams, Statistical Process Control Charts, 5S) have been collected from earlier quality methodologies.

This makes LSS familiar to many quality practitioners and easy to learn. The DMAIC framework is used to organize the tools into the appropriate order for use in project work.
LSS also relies on statistical tools and tests to better understand the trends in process metrics and data. In training, Six Sigma practitioners learn to calculate many of these statistics by hand or with a calculator, but in actual project work, they rely on tools such as EngineRoom® to help automate and simplify the statistics and provide statisticians and non-statisticians alike with data analysis tools and templates.

Source: moresteam


Understanding ISO 13485

ISO 13485:2003 represents the requirements that medical device manufacturers must incorporate into their management systems. The current document supersedes its 1996 incarnation as well as EN 46001, EN 46002 and ISO 13488.

Though based on ISO 9001, 13485 removes 9001’s emphasis on continual improvement and customer satisfaction. In its place is an emphasis on meeting regulatory as well as customer requirements, risk management and maintaining effective processes, namely the processes specific to the safe design, manufacture and distribution of medical devices.

13485 is in part designed to produce a management system that facilitates compliance with the requirements of customers and, preeminently, various global regulators. While being certified to 13485 does not fulfill the requirements of either the FDA or foreign regulators, the certification aligns an organization’s management system with the requirements of the FDA’s Quality System Regulation (QSR) as well as many other regulatory requirements found throughout the world. Therefore, 13485 certification serves to create a management system that can be thought of as a framework on which to build compliance with various regulatory and customer requirements.

Christian Lupo, general manager of Ann Arbor, MI-based NSF International Strategic Registrations states, “If the proper management system framework is in place it should facilitate the identification and implementation of country-specific requirements for the management system of medical device manufacturers. ISO 13485 is not specific enough to contradict country specific requirements, and should serve as a baseline management system for all.”

13485 dictates that risk management must be thoroughly documented and conducted throughout a product’s entire lifecycle, from initial concept to delivery and post-delivery. However, the standard leaves the specifics to a related standard, ISO 14971:2001, Application of Risk Management for Medical Devices. While 13485 states that a manufacturer’s management team is charged with the management of device-related risks and the development of risk management plans, 14971 defines a list of steps to be taken by management in order to fulfill risk-related requirements. While it is not mandatory that a manufacturer be 14971 certified in order to attain 13485 certification, being certified to the former standard can ease the attainment of certification to the latter.

“The fact that ISO 13485 counsels the application of ISO 14971 speaks to its importance for those seeking 13485 certification,” says Mairead Ridge, marketing associate for IBS America (Lexington, MA). “Compliance programs for both standards, when implemented together, can help manufacturers build an enterprise program for risk management and quality assurance.” Evidencing the consistent assessment and mitigation of risks throughout all stages of a product’s lifecycle is important for achieving certification to both 13485 and 14971.

Issues and Trends
The purpose of 13485 certification is sometimes misunderstood. 13485 certification does not fulfill the requirements of 9001, nor is it equivalent to, or able to take the place of, any country-specific requirement for medical device manufacturers. As previously mentioned, the standard is in part meant to serve as a means to the creation of a management system that aligns with the requirements of various regulators.

Phillip C. Dobyns, technical manager for Wayne, PA-based HSB Registration Services, elaborating on this idea, says, “The ISO 13485 accomplishes a harmonization by writing specific medical device requirements in a generic framework that allows any specific or unique needs of local regulation to be addressed.”

Medical device manufacturers also should realize the importance that risk management bears in a 13485 management system. “A lot of places typically look at risk management only at the design and development function and they don’t carry it through the entire lifecycle of the product or process,” says Nadia Perreault, medical device technical manager for National Quality Assurance USA (NQA, Acton, MA). “People think that it is just a little snippet in time during the design and development phase.”

While Perreault points out that medical device manufacturers are not giving risk management its due gravity in their management systems, IBS’ Ridge reports that the recognition of the need for thorough enterprise-wide risk management practices is growing. “Risk assessments have become a key activity that manufacturers perform throughout the product lifecycle, whether they are designing new products, choosing suppliers, inspecting finished goods or performing corrective actions based on customer complaints,” says Ridge. A combination of increased regulation and technological advances is forcing medical device manufacturers to couple their management systems with enterprise-wide risk management programs.

13485 is no longer thought of as pertaining solely to finished medical device manufacturers. Today, such manufacturers are requiring their sub-tier suppliers to also attain 13485 certification. Of this phenomenon, Arlen Chapman, quality systems director for NQA, notes, “Medical device manufacturers want to realize better products and better services. I see it more from the financial standpoint for them, for cost savings, making sure they have good suppliers, that they’re communicating with them properly and managing them properly.” This is risk management enacted to establish supplier quality, as it is difficult for a manufacturer to single-handedly regulate the quality programs of its suppliers.

The Certification Process

Like any ISO certification, medical device manufacturers wishing to obtain 13485 certification first need to educate themselves on the requirements of regulators and customers, as well as what a 13485-compliant management system will entail. Then a management system that conforms to the standard’s requirements needs to be implemented within the organization.

The first step to creating the management system should be drafting a quality manual; the quality manual outlines an organization’s goals, processes and procedures for compliance and quality management. An employee with the know-how to develop and implement such a program can create the management system internally; otherwise, a hired consultant with an expertise in the 13485 market can be used. After the quality manual has been written and a management system has been implemented, the organization needs to seek a certification body it is comfortable with.

When seeking a certification body, the organization needs to be sure that the registrar is accredited by an accrediting body to include 13485 certification in their scope. The organization seeking certification should ask to see credentials and references from a prospective registrar. For example, in North America, certification bodies will be accredited through an organization such as ANSI/ASQ National Accreditation Board (ANAB). There are accreditation boards in every major country that review certification bodies to ensure they meet requirements.

It also is important to keep the target market in mind. For instance, if a medical device manufacturer wants to sell in North America, it should seek certification through a registrar accredited by a North American accreditation body to ensure they will meet country-specific or customer requirements.

Lupo notes that countries are reluctant to accept 13485 registration from another country’s accreditation body. “For example, Health Canada and the European Union do not accept an accredited registration from an ANAB accredited registrar,” says Lupo. “ANAB is part of the IAF MLA, yet U.S. accreditations are not accepted anywhere except for medical device manufacturers that only trade in the United States.”

If a consultant is required, the organization needs to be sure that the prospect has expertise in 13485, and requesting referrals from an accredited registrar also can aid in finding the right match. It is important that the consultant understands the organization’s business, that the consultant has dealt with organizations of a similar size before and has had experience with similar product lines.

Also, an organization should be wary of consultants that endeavor to radically change a management system that is already performing well. Steve Upton, medical device business unit manager for NQA, states, “The consultant should come in and align their knowledge with your requirements and the customer requirements, and that will work time after time.”

The steps to attaining 13485 certification are similar to those of 9001, with some type of off-site document review followed by a preassessment and then an assessment. After certification, an organization will be subject to ongoing surveillance by its certification body. The duration of the assessment is contingent on an organization’s scope: its size, number of personnel, and the type and complexity of products manufactured. Taking these elements into consideration, an organization can expect an assessment to last anywhere from a couple of days to more than a month.

The frequency of surveillance assessments will be determined by an organization’s scope as well as its performance, though they will usually be conducted annually or semi-annually. However, organizations should expect a complete reassessment three years after initial certification. A surveillance assessment takes into account concerns such as the fulfillment of management responsibilities, the execution of internal audits and how an organization is performing in relation to the state of the industry and customer expectations.

ISO 9000: What Is It and How Will It Impact You?

Executive Summary of Article. Because ISO 9000’s focus was primarily initiated within the manufacturing industry, especially the automobile and airline industries, many contractors have not given it much thought. However, it has expanded and will continue to expand to service providers and the construction industry. Read this article to learn about ISO 9000 and how it could impact your operations.

ISO 9000 Benefits. “An ISO 9000 certified contractor is credited for its procedures not for the products or facilities it produces.”

“The benefits to a contractor include an increased top line and real cost to operations as a result of the efficiencies created.”

In 1987, the International Organization for Standardization (ISO) published ISO 9000. The original purpose of ISO 9000 was to demonstrate a commitment and ability to provide uniform quality assurance standards for product manufacturing, and it has since expanded to service providers. When an organization becomes ISO certified, that organization has demonstrated a commitment to its procedures and to the total quality of the product or service by establishing an effective quality management system.

ISO 9000 is effectively the establishment of a quality system. A quality system has a good organizational structure and identifies responsibilities, procedures, processes and resources required to achieve stated management goals and objectives.

ISO 9000 does not guarantee product or service quality, but it is a quality system standard. An ISO certified entity is credited for its procedures, not its products. As such, a contractor’s product is not guaranteed. However, if a company is ISO certified, owners can be assured the company maintains a quality focus to ensure its products or services are the best that can be provided to consumers.

Quality Standards

There are different types of ISO quality standards. Those quality standards can be classified as primary, secondary and support standards and are generally defined as follows:

- Primary standards are quality requirements for external quality assurance and quality management guidance.
- Secondary standards provide guidance for the selection and application of primary standards.
- Support standards provide quality technology and support in the development and implementation of a quality system.
ISO 9000 requires that documentation be made of procedures for performing work that affects the product or service quality. It also requires the work be performed in accordance with the documentation. In addition, records of activities should be retained as evidence of compliance and to compare actual results with what was planned. Lastly, a program should be in place to improve any inefficiencies identified. In reality, this should be occurring on a routine basis in order for the company to utilize past performance to more accurately estimate future projects.

The best approach is to structure a quality system in steps:

The first step is creating and documenting policies to satisfy each of the standard requirements by developing a quality manual. The manual should describe the quality policy statement, organization, responsibilities and policies for each element of the organization. A well-written manual should act as an advertisement for the quality of the products or services of the company.

The second step is to document system procedures. These describe the purpose and scope of an activity, including what will be done, by whom, when, where and how. Further descriptions may include the equipment and documentation required and how it shall be controlled.

The third step includes identifying the work instructions, specific procedures, forms, records, inspections, test plans and quality plans. Adequate documentation is essential for contractors, as turnover can be high and several people may perform the same tasks. With proper documentation and ISO certification, a company can be assured that procedures will be followed in accordance with specific requirements whether your employees are new or have worked for you in the same job for years.

The Certification Process

A third-party assessment is performed by an accredited ISO 9000 representative or independent registrar. The focus of the onsite review is to evaluate the company’s documented procedures to ensure compliance. The microscope is on the contractor’s systems and processes, not the end product. The ISO 9000 goal is not to tell you how to do your business, but to ensure that a consistent and well-documented process is in place.

The registration process can take one to two years to complete, and costs for the independent registrar range from $12,000 to $25,000. In addition, you will likely incur consulting costs. The certification is valid for three years and can be renewed. Certainly, the time and effort incurred during the initial certification process will not be repeated during the renewal stage. The more extensive a contractor’s existing documentation and quality assurance program, the easier the certification process.

Is ISO 9000 Really for #Contractors?

Most contractors become ISO 9000 certified because certain project owners or customers require it. Contractors at the front end of the ISO 9000 certification process include those in the electrical or mechanical fields. It may be a matter of time before most construction operations are certified. This may occur as a result of a pass-through requirement from those contractors that are certified, whereby non-certified, lower-tier contractors will not be contracted by prime contractors.

Benefits to ISO 9000 Certification

Beyond meeting project owner or prime contractor requirements, certification can produce benefits that the contractor can enjoy. These include:

· Higher perceived quality of customer service
· Improved customer satisfaction
· Competitive edge over non-certified competitors
· Increased market share
· Greater quality awareness
· Improved employee morale
· Better documentation

Additionally, the processes for #ISO certification will provide management with information regarding the operations and efficiencies of the organization they might otherwise take for granted.

These benefits to the contractor can actually increase the top line and reduce cost in certain areas as a result of the efficiencies created. The ultimate result is an improved bottom line.

The certification process can be an expensive task. However, savings over the long run resulting from eliminating unnecessary procedures, as well as using the certification process as a marketing tool can very quickly pay for the certification expenses.

Source: constructionrisk


5 Big Improvements in Wireshark

Nmap was not the only popular open source network security tool to receive a recent upgrade. Wireshark 2.0.0, an open source tool used for network sniffing and packet analysis, also got a major update in November.

The new release of Wireshark (formerly known as Ethereal) is important because if you want to keep your #network #secure you need a way to see and #analyze the traffic that passes through it at the individual packet level.

To do that, you need a packet sniffer and analyzer. The open source Wireshark is the de-facto industry standard tool for this. Once up and running on a machine attached to your network, it presents a live window on much of the traffic flowing over it.

Since 2010 the Wireshark project has been sponsored by Riverbed Technology, a California-based #WAN optimization hardware vendor.

Proprietary alternatives to #Wireshark exist, such as Microsoft's Message Analyzer, TamoSoft's CommView, Codenomicon's Clarified Analyzer and Savvius's OmniPeek. Some of these tools are available with specialized hardware for high speed capture, and in general they may be more suitable than Wireshark for large scale "capture everything" projects or for decoding some proprietary protocols.

Reasons to Use Wireshark

But most of these run on Windows only or on a limited range of platforms, while open source Wireshark runs on many platforms including Windows, OS X, Linux and Solaris. Wireshark is also free, and many networking and security professionals have experience working with it.

Perhaps the best reason to use Wireshark is that it is the tool that a hacker will almost certainly be using. Thus, using Wireshark puts you on an equal footing.

The improvements to Wireshark in its new release are more subtle than the new features of Nmap, another popular open source network security tool that got a refresh in November, but all are designed to make packet analysis more efficient.

Wireshark's Top 5 Improvements

Improved packet capture options. Setting capture options lies at the heart of using Wireshark, and in previous versions they were spread out across many windows. These have been simplified and are now easier to access from one of just two places (Capture Options or Manage Interfaces).

Information about related packets. Information about related packets (such as a DNS request and its reply, or SYN and ACK packets) is now shown in the main window. For example, an ACKed TCP SYN packet will have a small check mark symbol displayed alongside it in the packet list. This should make it considerably easier to follow protocol "conversations."

Better, more consistent interface. The Wireshark 2.0.0 user interface looks very similar to the old one, but behind the scenes things have changed. The UI has been rewritten using the Qt application framework and streamlined so that it will work faster on every platform.

Multi-language support. The new interface supports multiple languages. Wireshark ships with Chinese, French, German, Japanese, Polish and Italian as well as English, and more languages will be supported soon.

Improved statistics dialogues. In the Statistics and Telephony menus, the backend code has been consolidated so that most of Wireshark's statistics now share common internal logic. This should allow workflow improvements and a much more consistent interface, according to the developers.

Source: esecurityplanet


Introduction to Hybrid Identity from Microsoft

Best Practices for Building High-Visibility Security Solutions

Ray Menard is one of the top security architects in #IBM #Security, and he took a break from his global travel schedule to offer some tips on how to keep your security team from drowning in data and ensure your networks are protected from malicious activity. With over a decade of experience in the security industry, Menard has helped countless clients navigate the complex world of network security.

A summary of Menard’s words of wisdom about the risks of shortsighted purchase decisions is below, and you can hear his full remarks in his on-demand webinar.

Question: Security spending seems to be at an all-time high, yet many companies don’t discover a breach until it’s too late. Why is that?

Answer: When we look at recent attacks, the reason for the attack is rarely attributed to poor security; businesses are investing and trying to do security correctly. Many security teams and tools are in place to look at structured log data, but we now have waves of unstructured data from places like social media coming into the organization.

The sheer volume of data really requires people to rethink their tool sets and operational models. You need to be sure that if you allocate budget to a security solution today, you know exactly what problem that will solve in the short and long term.

How should companies evaluate what type of solution they need?

Over the years, I’ve seen people try to shortcut the process of defining requirements and, in the end, they spend more money than they need to. Let me explain some common traps that teams fall into:

Making a decision only on cost: If you’re facing a compliance audit, and you allow the focus to be just passing the audit, you’ll likely be pressured to buy the cheapest solution available. However, you’ll likely survive the audit but then realize what you have isn’t quite right. Don’t allow the business to pressure you to focus only on cost.
Taking a narrow focus: You may be tempted to solve for a point problem, but take the time to really define your full set of requirements. Then make sure all stakeholders understand the requirements. After everyone understands the full scope of issues, you may find you can solve multiple problems with one solution. And when you solve multiple problems for a broad set of functions such as networking, databases and security, your total cost of ownership is lowered.

Force-fitting what you have: It’s tempting to try to use something that you already have to solve a new security problem. Examine your situation carefully before you attempt to do this. It’s likely that it will take a significant amount of work, time and skills to adapt what you have, and often after a short period of time, something goes wrong. Make an honest assessment of how difficult it is to incorporate new requirements into what you have and then make the effort to explore all your options.

What are some of the risks of just using what you have to solve new types of security problems?

It’s human nature to default to what we know. However, that’s risky in this industry. While it’s easy to default to a solution that you may have learned in college or used at a prior job, you need to step back and take a wide view. Define your requirements and what you want to accomplish first. Don’t commit budget to a project until you understand all the options.

Another scenario I come across is when an organization hires someone that knows a single technology and then builds an entire operation around it. If the solution is complex, training costs can skyrocket and negatively impact your time to value. And in the worst possible scenario, that person leaves the company for a new job and you’re left with a large gap. Ensure any solution that you adopt doesn’t require an army of specialists to run it. The more people you have maintaining a solution, the fewer people you have focused on actually doing security.

What’s important to look for in a solution?

The focus is really on speed and flexibility. The threat is constantly changing, so the security intelligence solution needs to be able to quickly adapt to the new landscape. Today, it’s taking teams too long to discover a breach, sometimes over 200 days. In some cases, your customers will discover the breach before you do, which results in loss of confidence and even loss of business.

Automating the #analytics and reducing the time spent maintaining the security intelligence solution are force multipliers and add resource power to your organization so you can detect threats faster. This is what true security intelligence solutions should do.

Source: securityintelligence
