Compliance
When you are compliant with, or certified to, the appropriate standard, the businesses that work with you know that quality objectives, continual improvement, information security and customer satisfaction are your goals. For example, many companies require that their suppliers are ISO 9001 certified, so once you are certified your opportunities increase. Similarly, companies certify to ISO 27001 to demonstrate their commitment to protecting critical and confidential information.
ISO (International Organization for Standardization) is the world's largest developer of standards. The standards contribute to making the development, manufacturing and supply of products and services more efficient, secure, safer and cleaner, while making trade between countries easier and fairer.
They provide governments with a technical base for health, safety and environmental legislation. They aid in transferring technology to developing countries. ISO standards also safeguard consumers and users of products and services, as well as making life simpler.
ISO is a non-governmental organization occupying a special position between the public and private sectors. It is a bridge across which consensus can be reached on solutions that meet both the requirements of business and the broader needs of society. ISO standards are voluntary, market-driven and based on the consensus of interested parties; they are technical agreements that provide the framework for compatible technology worldwide.
British Standards are produced by BSI British Standards, a division of BSI Group that is incorporated under a Royal Charter and is formally designated as the National Standards Body (NSB) for the UK.
ISO/IEC 27001, the international standard for an Information Security Management System (ISMS), replaced BS 7799-2. It is intended to provide the basis for third-party audit and certification, and is 'harmonized' with other management system standards such as ISO 9001 and ISO 14001.

The basic objective of the standard is to help establish and maintain an effective information security management system, using a continual improvement approach. It implements the OECD (Organisation for Economic Co-operation and Development) guidelines governing the security of information systems and networks. In the standard's own words, it is intended to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System", and "the design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization".

The key concept of an ISMS is for an organization to design, implement and maintain a coherent suite of processes and systems for managing access to information, thereby ensuring the confidentiality, integrity and availability of information assets and minimizing information security risks.

Annex A of ISO/IEC 27001:2005 has 11 domain areas covering 39 control objectives and 133 controls in all. The controls represent information security best practice. The standard does not require every control to be implemented: the controls selected, and any excluded, must be justified by the organization's risk assessment and business requirements and recorded in a Statement of Applicability, which is what the certification auditor checks against.
The broad content is of course similar to the old BS 7799. Included are:
  • Cross-reference with the ISO/IEC 27002 controls
  • Use of the PDCA cycle
  • Information Security Management System requirements
  • Terms and definitions
As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and the external environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA) Deming approach to continual improvement:
  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
  • The Do phase involves implementing and operating the controls.
  • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
Benefits to Organization:
  • Compliance with legal, regulatory, and statutory requirements.
  • ISO 27001 certification is recognized on a worldwide basis.
  • Marked improvement in efficiency and operational performance of the company.
  • Enhance vendor status of your organization.
  • Minimizes internal and external risks to business continuity.
  • Implementation of ISO 27001 results in greater security awareness within an organization.
  • Management can be assured of the quality of a system or business unit when a recognized framework or approach is followed.
For further information contact us and our consultants will be happy to provide a quote / proposal.
Continued operation in the event of a disruption, whether due to a major disaster or a minor incident, is a fundamental requirement for any organization. BS 25999, the first British standard for business continuity management (BCM), was developed to help you minimize the impact of such disruptions.

By helping to put the fundamentals of a BCM system in place, the standard is designed to keep your business going during the most challenging and unexpected circumstances – protecting your staff, preserving your reputation and providing the ability to continue to operate and trade.

BS 25999 has been developed by a broad based group of world class experts representing a cross-section of industry sectors and the government to establish the process, principles and terminology of Business Continuity Management.

It provides a basis for understanding, developing and implementing business continuity within your organization and gives you confidence in business-to-business and business-to-customer dealings. It also contains a comprehensive set of requirements based on BCM best practice and covers the whole BCM lifecycle.

The benefits of BS 25999 are widespread and cover three critical areas:

Resilience:
Proactively improves your resilience when faced with the disruption of your ability to achieve key objectives

Delivery:
Provides a rehearsed method of restoring your ability to supply critical products and services to an agreed level and timeframe following a disruption.

Management:
Delivers a proven capability for managing a disruption and protecting your reputation and brand.

For further information contact us and our consultants will be happy to provide a quote / proposal.
IT is essential to delivering today’s business. However, concerns are increasingly being raised about IT services, both internal and outsourced, not aligning with the needs of businesses and customers.

A recognized solution to this problem is to use an IT Service Management System (ITSMS) based on ISO/IEC 20000, the international standard for IT service management. Registration to this standard enables you to independently demonstrate to your customers that you meet best practice.

ISO/IEC 20000 is based on and replaces BS 15000, the internationally recognized British Standard.

ISO/IEC 20000 is published in two parts:

Part One is the specification for service management. It is the part against which you are audited, and it sets out the minimum requirements that must be met in order to gain certification.

Part Two is the code of practice for service management which describes the best practices for service management processes within the scope of the specification.

Some of the key benefits are listed below:

  • IT service providers become more responsive, delivering services that are business-led rather than technology-driven.
  • External service providers can use registration as a differentiator and win new business as this increasingly becomes a contractual requirement.
  • Gives you the ability to select and manage external service providers more effectively.
  • More opportunities to improve the efficiency, reliability and consistency of IT services impacting costs and service.
  • Certification audits enable the regular evaluation of the service management processes which helps to maintain and improve effectiveness.
  • The certification process can reduce the number of supplier audits, thereby reducing costs.
  • ISO/IEC 20000 is fully compatible with the ITIL (IT Infrastructure Library) framework of best practice guidance for ITSM processes.
For further information contact us and our consultants will be happy to provide a quote / proposal.
Every organization would like to improve the way it operates, whether that means increasing market share, driving down costs, managing risk more effectively or improving customer satisfaction. A quality management system gives you the framework you need to monitor and improve performance in any area you choose.

ISO 9001 is by far the world’s most established quality framework, currently being used by over ¾ million organizations in 161 countries, and sets the standard not only for quality management systems, but management systems in general.

It helps all kinds of organizations to succeed through improved customer satisfaction, staff motivation and continual improvement.

ISO 9000 series of standards

ISO 9001 is one of a series of quality management system standards. It can help bring out the best in your organization by enabling you to understand your processes for delivering your products/services to your customers.
The ISO 9000 series of standards consists of:
  • ISO 9000 – Fundamentals and Vocabulary: This introduces the user to the concepts behind the management systems and specifies the terminology used.
  • ISO 9001 – Requirements: This sets out the criteria you will need to meet if you wish to operate in accordance with the standard and gain certification.
  • ISO 9004 – Guidelines for performance improvement: Based upon the eight quality management principles, these are designed to be used by senior management as a framework to guide their organizations towards improved performance by considering the needs of all interested parties, not just customers.

Some of the benefits of ISO 9001 are:

  • Competitive advantage
  • Improves business performance and manages business risk
  • Attracts investment, enhances brand reputation and removes barriers to trade
  • Streamlines operations and reduces waste
  • Encourages internal communication and raises morale
  • Increases customer satisfaction
For further information contact us and our consultants will be happy to provide a quote / proposal.
ISO 14001 is an internationally accepted standard that sets out how you can go about putting in place an effective Environmental Management System (EMS). The standard is designed to address the delicate balance between maintaining profitability and reducing environmental impact – with the commitment of your entire organization, it can enable you to achieve both objectives.

What’s in ISO 14001:
  • General requirements
  • Environmental policy
  • Planning
  • Implementation and operation
  • Checking and corrective action
  • Management review
This means you can identify aspects of your business that impact on the environment and understand those environmental laws that are relevant to your situation. The next step is to produce objectives for improvement and a management program to achieve them, with regular reviews for continual improvement. We can then periodically assess the system and, if compliant, register your company or site to ISO 14001.

Registering your company's environmental management system to ISO 14001 means that an independent third party has assessed it and confirmed that it meets the requirements set out in the standard.

Certification to ISO 14001 allows you to:
  • Demonstrate a commitment to achieving legal and regulatory compliance to regulators and government
  • Demonstrate your environmental commitment to stakeholders
  • Demonstrate an innovative and forward thinking approach to customers and prospective employees
  • Increase your access to new customers and business partners
  • Better manage your environmental risks, now and in the future
  • Potentially reduce public liability insurance costs
  • Enhance your reputation
For further information contact us and our consultants will be happy to provide a quote / proposal.
PCI DSS, the Payment Card Industry Data Security Standard, is a set of requirements that helps organizations that process card payments prevent card fraud, compromise and other security threats. Any company that processes, stores or transmits payment card data must be PCI DSS compliant. Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk fines, additional audits and the loss of their ability to process card payments.

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive credit and debit card information. It provides a framework for developing a robust account data security process for preventing, detecting and reacting to security incidents. It is maintained by the PCI Security Standards Council, which was founded by American Express, Discover, JCB, MasterCard and Visa.

The Standard applies to all merchants and service providers that store, process or transmit cardholder data.

Defigo, in association with a partner QSA (Qualified Security Assessor), has standardized its PCI certification methodology for all its clients.

The benefits of our PCI engagement are:
  • Increased network security by aligning hardware and software releases, features and functionality with the PCI Data Security Standard requirements.
  • Improved proficiency of deployment teams and operations staff through continuous knowledge exchange throughout service delivery.
  • Reduced risk of network downtime and of rework costs, and faster implementation and migration of new security solutions and technologies, through time-tested design methodologies.
  • A prioritized remediation strategy and more effective budgeting, supported by a detailed PCI solution implementation plan.
What do I need to do to meet the PCI standard?
For most merchants, validating compliance comprises two basic steps:
  • Pass quarterly external vulnerability scans conducted by a PCI SSC Approved Scanning Vendor (ASV). Scans are required for all Internet-facing connection points, whether office networks, home/office connections (dial-up, DSL, cable or wireless) or permanent Internet servers such as your web and email servers.
  • Successfully complete the appropriate Self-Assessment Questionnaire (SAQ). The SAQ asks specific questions about your internal security practices, both on your web site and in your office.
Note that the largest merchants and service providers (Level 1) must instead have an annual on-site assessment by a QSA, and that passing the scans and the SAQ validates compliance only at a point in time: the twelve PCI DSS requirements must actually be maintained throughout the year.
For further information contact us and our consultants will be happy to provide a quote / proposal.
The Control Objectives for Information and related Technology (COBIT) is a framework of best practices for information technology (IT) management, first published by the Information Systems Audit and Control Association (ISACA) in 1996 and subsequently developed together with the IT Governance Institute (ITGI). COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived from the use of information technology and in developing appropriate IT governance and control in a company.

COBIT 4.1 has 34 high-level processes covering 210 control objectives, categorized in four domains: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. COBIT provides benefits to managers, IT users and auditors. Managers benefit because it provides a foundation on which IT-related decisions and investments can be based. Decision making is more effective because COBIT helps management define a strategic IT plan, define the information architecture, acquire the hardware and software needed to execute the IT strategy, ensure continuous service, and monitor the performance of the IT systems. IT users benefit from the assurance provided by COBIT's defined controls, security and process governance. Auditors benefit because COBIT helps them identify IT control issues within a company's IT infrastructure and corroborate their audit findings.

ISACA has also released Val IT, which maps the COBIT processes to the senior management processes required to obtain good value from IT investments.

Are you looking at implementing COBIT? Contact us and our consultants will be happy to provide a quote / proposal.
In 1996, the US Congress passed the Health Insurance Portability and Accountability Act (HIPAA). For the first time, it established a set of nationally applicable security standards and requirements for protecting health information. In 2009, the scope and depth of HIPAA were extended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Together, HIPAA and HITECH lay out strict standards governing the security and privacy of health information.

While HIPAA/HITECH may be a boon to the security of healthcare information, they also present a number of challenges for covered entities: costs, tracking regulatory changes, extensive documentation, the need for an enterprise-wide approach to compliance management, and more. To implement HIPAA requirements, a clear understanding of organizational risks and vulnerabilities is required. A siloed, ad hoc approach is not only inefficient but ineffective.

Title II of HIPAA sets national standards for electronic health care transactions and requires that health data be kept secure and private during electronic data interchange within the health care system.

Health plans, health care clearinghouses, and health care providers that transmit health information electronically are "covered entities" under the HIPAA regulation. Covered entities must follow the rules in 45 CFR Parts 160, 162 and 164 to be HIPAA compliant, and must ensure that their IT systems follow the Privacy and Security Rules. Those systems have to protect the privacy and security of protected health information (PHI) whenever it is transmitted or maintained in electronic media.

Hycom's Solution for HIPAA Compliance

Hycom provides a comprehensive framework to help organizations streamline and automate all aspects of HIPAA/HITECH compliance: preparing policies and procedures, assessing and analyzing risks, managing audits, identifying gaps and remedying issues. The solution also enables covered entities to manage all of their compliance regulations on a single platform instead of in separate initiatives, maintaining a central view of the overall compliance hierarchy, including the processes and assets in scope, risks, controls, policies and procedures, and reporting requirements. Hycom offers a comprehensive IT GRC solution for the health care industry to:

  • Implement popular IT governance frameworks such as COBIT and ISO 27002 for the confidentiality, integrity and availability of electronic protected health information
  • Comply with the HIPAA Privacy and Security Rules (45 CFR Part 164, Subparts E and C) by adopting a control-based architecture for administrative, physical and technical safeguards
    • Understand and define the information risk universe for PHI
    • Determine confidentiality, integrity, and availability requirements of PHI
    • Define and implement required controls
    • Develop enforcement, monitoring, and response mechanisms of controls through risk assessment, auditing and incident management
  • Generate reports for HIPAA compliance
  • Achieve cost savings and efficiency in the IT GRC program by easily integrating emerging frameworks and regulations into a common GRC platform, including:
    • The Health Information Trust Alliance Common Security Framework (HITRUST CSF)
    • Health Information Technology for Economic and Clinical Health Act (HITECH)
    • American Recovery and Reinvestment Act of 2009 (ARRA).

HIPAA requirements
HIPAA is broadly divided into two sections, or titles. Title I protects the health insurance rights of workers who change or lose their jobs, and limits the restrictions that health insurers can impose on individuals with pre-existing health conditions.

Title II is far more influential. Also known as the Administrative Simplification provisions, it contains rules, standards and guidelines to protect sensitive health information. These include the Transactions and Code Sets Rule, which standardizes and secures transaction processes among healthcare institutions, and the Unique Identifiers Rule, which mandates that all healthcare providers use a National Provider Identifier (NPI) to file claims.

While these two rules are extremely important, a lot more attention is being paid to the Privacy and Security Rules, especially as the integrity of data becomes increasingly threatened. Both rules contain extensive provisions and guidelines surrounding the use, protection and disposal of sensitive health information.

The Privacy Rule
The Privacy Rule was instituted to protect all individually identifiable health information that is stored or transmitted. This information, also known as Protected Health Information (PHI) includes any part of an individual's medical record, health status or payment history.

The Privacy Rule provides standards and guidelines concerning the use and disclosure of individual PHI. For instance, it allows information to be disclosed while reporting child abuse or to facilitate a particular treatment. It also enables individuals to control how their health information is used.

According to the HHS, 'A major goal of the Privacy Rule is to assure that individuals' health information is properly protected, while allowing the flow of health information needed to provide and promote high quality healthcare and to protect the public's health and well-being.'

The Security Rule
Unlike the Privacy Rule which pertains to both paper and electronic PHI, the Security Rule focuses solely on the latter, or e-PHI. It contains a number of administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of all e-PHI. These include:

  • Administrative safeguards
    • Define a clear set of policies and procedures to demonstrate compliance with HIPAA requirements; ensure that vendors meet those same requirements
    • Perform a risk analysis to evaluate potential risks and implement the appropriate security measures
    • Train employees on all privacy and security policies and procedures.
    • Establish a contingency plan for disasters, data loss, system failure and other emergencies
    • Appoint officials for developing and implementing policies as well as handling individual complaints and requests for information
  • Physical safeguards
    • Establish effective controls to prevent unauthorized access to healthcare information
    • Monitor equipment containing sensitive data
    • Protect workstations from high traffic and public view
    • Establish guidelines for the proper removal, transfer, disposal and reuse of information media
  • Technical safeguards
    • Prevent unauthorized access to systems through unique user IDs, password-protected locks, encryption, automatic log-off and similar controls
    • Ensure data integrity through message authentication and digital signatures, so that e-PHI that has been altered or destroyed without authorization can be detected
    • Keep audit logs of activity in systems that hold e-PHI and conduct regular internal audits of them to identify security and privacy violations
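As an added illustration of the integrity safeguard above (example code written for this page, not part of Hycom's solution or of the HIPAA text), the following Python computes a keyed HMAC-SHA256 tag over a canonical serialization of a sample e-PHI record and verifies it in constant time. It also contrasts the MAC with a plain hash to show why an unkeyed hash does not satisfy "message authentication": an attacker who can rewrite the record can recompute the hash, but cannot recompute the MAC without the key. The record, the key and the field names are constructed for the example.

```python
"""Added example: keyed message authentication for an e-PHI record.

Not part of the page's original content. The HIPAA Security Rule asks for a
mechanism to authenticate e-PHI and for integrity controls on transmitted
data; an HMAC is one such mechanism. The record, key and field names below
are constructed for the example.
"""
import hashlib
import hmac
import json

# Constructed 256-bit key. In a real deployment the key lives in a KMS/HSM,
# is rotated, and is never stored alongside the records it protects.
INTEGRITY_KEY = bytes(range(32))

# Constructed sample record (no real patient data).
SAMPLE_RECORD = {
    "patient_id": "MRN-000123",
    "dob": "1980-01-01",
    "diagnosis_codes": ["E11.9"],
    "last_updated": "2012-03-04T10:15:00Z",
}


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization: the same content always yields the same
    bytes regardless of key order, so the tag is stable across systems."""
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=True
    ).encode("utf-8")


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the canonical record, hex encoded (64 characters)."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison so a forger learns nothing from timing."""
    return hmac.compare_digest(tag_record(record, key), tag)


def unkeyed_hash(record: dict) -> str:
    """A plain hash, shown only to contrast with the HMAC: anyone who can
    modify the record can also recompute this, so it detects accidental
    corruption but not deliberate tampering."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def demo() -> dict:
    """Exercise the normal, reordered, tampered, wrong-key and forgery cases."""
    tag = tag_record(SAMPLE_RECORD)

    # Same content, different insertion order: canonicalization must make it verify.
    reordered = dict(reversed(list(SAMPLE_RECORD.items())))

    # Attacker adds a diagnosis code.
    tampered = dict(SAMPLE_RECORD)
    tampered["diagnosis_codes"] = ["E11.9", "F32.9"]

    # Plain-hash scheme: the attacker rewrites the record and the stored hash
    # together, and the verifier (which recomputes the hash) sees no mismatch.
    stored_plain_hash = unkeyed_hash(tampered)  # recomputed by the attacker
    plain_hash_detects_tamper = unkeyed_hash(tampered) != stored_plain_hash

    # HMAC scheme: without INTEGRITY_KEY the attacker's best effort is a tag
    # under a guessed key, which the verifier rejects.
    attacker_tag = hmac.new(b"guessed-key", canonical_bytes(tampered),
                            hashlib.sha256).hexdigest()
    hmac_detects_forgery = not verify_record(tampered, attacker_tag)

    return {
        "original_verifies": verify_record(SAMPLE_RECORD, tag),
        "reordered_verifies": verify_record(reordered, tag),
        "tampered_rejected": not verify_record(tampered, tag),
        "wrong_key_rejected": not verify_record(SAMPLE_RECORD, tag, b"\x00" * 32),
        "plain_hash_detects_tamper": plain_hash_detects_tamper,
        "hmac_detects_forgery": hmac_detects_forgery,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The tag is stored or transmitted alongside the record and checked on every read and on receipt. A digital signature (for example RSA or ECDSA over the same canonical bytes) gives the same tamper detection plus non-repudiation when the sender and receiver must not share a secret; the canonicalization step is the same.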

Organizations are rapidly turning to the Cloud to reduce costs, provide greater flexibility and quickly ramp up support of business needs. But as more data, applications and infrastructure move to the Cloud, security remains a top concern. In fact, according to the Cloud Security Alliance, security is cited as the number one barrier to adoption of Cloud services among organizations.  
Organizations use the Cloud in a variety of different service models (SaaS, PaaS, IaaS) and deployment models (Private, Public, Hybrid). Regardless of how your organization leverages the Cloud, Hycom can help your organization manage the security, risk and compliance concerns.  
Hycom Cloud Security services include:

  • Cloud Security Strategic Consulting: Establish a strategic direction for gaining the benefits of the Cloud while minimizing risk and improving security. Understand the ramifications of Cloud adoption on your information security program and policies. Integrate Cloud controls into your overall security program.
  • Cloud Security Tactical Planning: Determine the explicit steps that should be taken to securely move a business process to the Cloud. Identify available security controls and how should they be deployed to mitigate risk. Establish control criteria for Cloud providers and different classes of information.
  • Cloud Risk Assessment: Understand the security and compliance risks of a current Cloud deployment and how to manage them. Create a consistent process and cadence around how you manage your risk.
  • Assurance Testing of Cloud Deployments: Evaluate the security model of a Cloud deployment. Test the effectiveness of security controls in the Cloud. Determine if the controls are properly implemented and function as designed. Understand how difficult (or easy) it would be for an attacker to penetrate the defenses and assess the potential impact.
  • Compliance Assessments for the Cloud: Ensure compliance requirements are met when using a Cloud-based resource, approaching your deployment from an auditor’s point of view. Understand how security regulations such as PCI, FISMA, HIPAA, etc. apply to Cloud environments. Identify compliance gaps and appropriate remediation steps.
  • Incident Response and Forensics in Cloud Environments: Understand the impact of Cloud architectures and data flows on your current Incident Response program. Determine the role of your Cloud partner in this process.  Mitigate incidents involving Cloud environments and capture evidence.   
  • Cloud Security Architecture and Design: Develop architecture for securing data and IT assets in the Cloud. Understand the delta between a Cloud environment and your network security architecture. Establish standard architecture for securing Cloud deployments.

The above services can also be provided as part of general security consulting engagements where Cloud services or resources are in scope. If Cloud is a key part of your IT strategy, then including your cloud deployments in broader assessments, testing and compliance auditing is highly recommended.

Security Services for Cloud Providers
As a leading provider of information security services, Hycom can help organizations deliver Cloud-based services securely and satisfy the compliance requirements of their customers. Whether you are building a Cloud environment from the ground up or simply building on top of existing Cloud services, Hycom can provide you with expert guidance and critical security controls to protect your infrastructure, applications and data.

Auditing and Compliance in Cloud
The term “auditor,” according to the Oxford English Dictionary, stems from the historical responsibility of an official examiner to hear oral statements of account from those who held money on others’ behalf. And if you were an auditor listening to oral accounts, you would certainly notice the difference between someone saying “I hold $5,000 belonging to X” and “I used to have $5,000 belonging to Mr. X, but I gave it to Mr. Y to hold for me.” In the second case, you would need to check with Mr. Y to ascertain whether indeed the account was correct, and if those funds were still safe.

These days, auditors not only listen to oral accounts, but also read written records and analyze financial statements. In IT auditing, those records include data dictionaries and network maps. But the underlying concept of the auditor remains the same – to examine statements of account.

Cloud computing is the equivalent to saying, “Mr. Y has the money, not me.” Except in this case, it’s not money, but corporate data. And auditors are less able to get an answer to the all-important follow-up question: “Is it safe?”

Corporate consumers of cloud computing rely entirely upon the attestations of their providers to answer those follow-up questions about the specifics of security. For auditing to be complete and worthwhile, there has to be a handshake between the auditor of the provider and the auditor of the consumer of cloud computing services. The auditor needs to know what security practices are being followed and whether they’re being kept up to date. And the auditor can’t just accept it on hearsay.

In general, whenever business processes cross organizational boundaries, the complexity of auditing and monitoring compliance increases. Cloud computing adds another dimension to this complexity: it is not a single business process being placed in the hands of another entity, but a component that stretches across multiple business processes.


If you were to visualize an organization’s value chain, its adoption of cloud computing wouldn’t replace a single link in the chain, it would change the nature of every single link. If customer data, for example, is held in the cloud, then all practices involved with customer data, from customer acquisition to fulfillment to servicing, have to be re-assessed for compliance purposes.

Yet this need not be a sticking point. For smaller enterprises, a well-prepared supplier often provides higher levels of security, assurance, and process excellence than can be offered by the organization itself, with the increased costs of compliance more than made up by the efficiencies of scale and scope. This is why small-to-medium-sized enterprises have adopted cloud-based applications at a rapid clip.

The problem becomes more challenging when a highly complex entity goes to a smaller cloud technology provider. In this case, the provider has to race to catch up with the compliance obligations of the larger entity. The cost involved with meeting these organization-specific compliance requirements cannot be easily distributed across many clients, which makes the value proposition of enterprise cloud computing harder to achieve. An example would be a security-minded government agency, which would tend to look to a private cloud rather than a public technology provider.

As cloud technology providers become more mature and more able to handle the specific compliance needs of vertical industries, along with the process flexibility to deal with the idiosyncratic requirements of specific enterprises, the auditing process for cloud should become easier. But in the meantime, auditors examining the cloud should listen to their gut instincts. They’ll usually be right.

Nothing is too sensitive for SAAS
Who’s afraid of the Big Bad Hacker? Many of us are, according to recent studies — and for good reason. Lost or stolen data cost companies an average of $7 million last year according to one widely quoted figure, mostly due to customer turnover.

And should important financial data be lost, companies may be forced to pay harsh fines for violating federal securities laws.

So why should any company trust their data, particularly sensitive financial and accounting data, to a third party? It may just be that a solid SaaS provider will do a better job of protecting those assets than your own IT department.

Consider the evidence: hackers accounted for less than a quarter of the data lost or stolen last year, according to a widely quoted recent survey. It turns out employees accounted for the greatest percentage of incidents, including breaches involving email, social networks and mobile computing devices. Although third parties are said to be responsible for 42 percent of data breaches, to date not a single major incident involving a SaaS provider has been reported.

Have enterprises just been lucky? I think it’s more likely that reputable SaaS providers do a superior job of safekeeping data because they have to. If they don’t, they’re out of business.

Still, there’s no reason to enter into this relationship lightly, especially when it comes to financial and accounting applications. Mitigate your level of risk by asking tough questions of a prospective SaaS provider. If you receive satisfactory responses take the next step of securing those assurances in writing.

Any SaaS provider worth doing business with should be able to give detailed answers to these five questions:

  • What are the data access controls? Do not settle for "advanced, multi-layered defensive systems". Ask how tenants are separated from one another, whether access to your data is role-based, whether provider administrators must use multi-factor authentication, and whether every access to your data is logged and can be shown to you on request.
  • Do you use TLS for all data transmitted between the host and the user? SaaS traffic crosses the public Internet. With TLS properly configured, intercepted data is unreadable to the eavesdropper, but "we use SSL" is not enough on its own: the SSL protocols and TLS 1.0/1.1 are deprecated, the certificate must chain to a trusted authority and match the hostname, and the provider should be able to say which protocol versions and cipher suites it accepts.
  • Are the provider's data centers physically safe? Are they in flood zones, on a fault line, in an area susceptible to hurricanes? If so, there should be backup facilities so that service remains undisrupted and data remains intact.
  • Have the data centers been through a SAS 70 Type II audit (since superseded by SSAE 16 and the SOC reports), and what Uptime Institute tier are they rated? "SAS 70 tier 4" conflates two different things: SAS 70 is an auditing standard whose Type II report is an auditor's opinion on how the provider's controls operated over a period, while Tier IV is the Uptime Institute's highest availability rating for data center infrastructure. Neither is a test of systems performance, so ask for each by name.
  • Has the SaaS provider passed muster with outside auditors? The provider should be able to show certificates or reports from independent third parties for its security practices, such as ISO 27001 certification or a SOC 2 report, and the scope statement that says which systems they actually cover.
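The second question above ("do you use SSL?") is answered by what the provider's endpoint actually negotiates, not by a yes. The script below is an added example and is not part of the original article or any provider's tooling. It probes a host you name using the Python standard library's ssl module, which validates the certificate chain and hostname by default, and grades the negotiated protocol, cipher suite and certificate lifetime against a baseline policy. The policy thresholds and the sample handshakes are assumptions constructed for illustration; with no host argument it runs offline on those samples.

```python
"""Check what a SaaS endpoint's TLS handshake really negotiates (added example)."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# --- baseline policy (assumed; adjust to your own standard) --------------
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}          # SSL 2/3 and TLS 1.0/1.1 are deprecated
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")
FORWARD_SECRECY_PREFIXES = ("ECDHE", "DHE", "TLS_")   # every TLS 1.3 suite is (EC)DHE
MIN_DAYS_REMAINING = 14


def evaluate_tls(protocol, cipher, not_after, now=None):
    """Return a list of policy findings for one handshake; an empty list means it passes.

    protocol  -- value of SSLSocket.version(), e.g. "TLSv1.2"
    cipher    -- OpenSSL cipher name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    not_after -- certificate expiry as a timezone-aware datetime
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    if protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"deprecated protocol negotiated: {protocol}")
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher negotiated: {cipher}")
    if not cipher.startswith(FORWARD_SECRECY_PREFIXES):
        # Without forward secrecy, a later server-key compromise decrypts recorded traffic.
        findings.append(f"no forward secrecy: {cipher}")
    days_left = (not_after - now).days
    if days_left < MIN_DAYS_REMAINING:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with host:port and return (protocol, cipher, not_after).

    create_default_context() verifies the chain and the hostname, so a provider
    with a self-signed or mismatched certificate fails here with ssl.SSLError
    instead of being silently accepted.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            expiry = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
            return tls.version(), tls.cipher()[0], expiry


# --- constructed sample handshakes (not captured from any real provider) ---
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_HANDSHAKES = {
    "modern":   ("TLSv1.3", "TLS_AES_256_GCM_SHA384", datetime(2026, 1, 1, tzinfo=timezone.utc)),
    "legacy":   ("TLSv1",   "RC4-MD5",                datetime(2026, 1, 1, tzinfo=timezone.utc)),
    "expiring": ("TLSv1.2", "AES128-GCM-SHA256",      datetime(2025, 1, 5, tzinfo=timezone.utc)),
}


def grade_samples():
    """Evaluate the constructed samples at the fixed SAMPLE_NOW (offline demonstration)."""
    return {name: evaluate_tls(proto, ciph, exp, now=SAMPLE_NOW)
            for name, (proto, ciph, exp) in SAMPLE_HANDSHAKES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # live probe of a provider you name
        proto, ciph, exp = probe(sys.argv[1])
        print(sys.argv[1], proto, ciph, exp.date(), evaluate_tls(proto, ciph, exp) or "OK")
    else:                                       # offline run on the constructed samples
        for name, findings in grade_samples().items():
            print(f"{name:9s} {findings or 'OK'}")
```

Run it as `python tls_check.py provider.example` (hypothetical hostname) to see what a real endpoint negotiates; a handshake that fails outright on certificate validation is itself an answer to the question. The "legacy" sample shows why the three checks are separate: an old protocol, a broken cipher and missing forward secrecy are independent defects, and a provider can fix one while leaving the others.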


Finally, every enterprise should ask itself an important question. Given the cost savings and the potential to better safeguard sensitive data like financial and accounting applications, can any organization afford not to hire a reputable SaaS provider?

Accelerate Your Journey to the Cloud

Whether you’re just getting started with cloud computing or already have a well-defined plan, Dell™ Cloud Services can help you develop a successful strategy that achieves your unique business goals:

  • Should you choose a public cloud offering, build your own private cloud or develop a hybrid?
  • How do you build security into your private, public or hybrid cloud?
  • Which cloud-based services are right for you?
  • How do you develop new cloud applications or migrate your current applications to a cloud environment?
  • What are the best practices and proven process for implementing cloud technologies that minimize risk and maximize success?

Our cloud services range from an overview of cloud technology, to a discussion of your business and IT goals, to an infrastructure assessment and explanation of how you might benefit from cloud. Working together, we can develop and implement a best practice-based strategic plan for cloud computing success in your data center and end-user environment.

Hycom Cloud Services consultants can help you:

  • Understand the value of cloud technologies to your organization through customized workshops
  • Choose a private, public or hybrid cloud based on your current IT and business needs
  • Virtualize your data center to speed up your path to cloud adoption
  • Implement Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) solutions
  • Manage the entire engagement so you can focus on your core business
  • Keep your cloud computing environment running at peak efficiency


Data Security: What's Safe for the Cloud, What Stays In House

Now that cloud computing is either being implemented or on every business's to-do list, some "best practice" thinking is beginning to emerge concerning the security of data and other practices, and whether data security is best administered in the cloud or on in-house systems.
A key factor for almost every company is the nature of the business case for cloud. If the company is a small or medium-sized business (SMB), there are likely to be pressures to offload as many systems (and data) from IT’s plate as possible. The primary goal here is cost containment, or possibly even cost reduction.

With cloud computing, you don’t have to purchase and then record the depreciation of assets in your financials. You also require less floor space and potentially fewer IT personnel to run these systems. SMBs are also likely to be less regulated than their enterprise counterparts, so security is likely to be less rigorous. In the SMB environment, cloud-based data (and systems) can be highly attractive IT options, whether the project is to move standard office productivity software such as word processing or spreadsheets to the cloud, or to migrate a CRM (customer relationship management) system. In some cases, SMBs might even opt to have a cloud services provider with expertise in their particular industry and applications host their mission-critical transaction processing systems, such as customer order taking.

Enterprises, on the other hand, have sophisticated IT infrastructures with decades of investments into the finest toolsets and data security practices for the industries that they are in. They also have stiffer regulatory requirements and greater risk when it comes to safeguarding the security of their data. Unless the business case is extremely compelling, these organizations are likely to use private cloud services for specific business applications and data, and only when they feel some reduced costs can be realized at minimum risk to the security of these applications and data. At the end of the day, most will tell you that their long-term plan is to maintain their mission-critical applications and data – and the disaster recovery and failover capabilities for these assets – internally.
What might be some compelling cases for enterprise IT to move applications and data to the cloud? So far, there appear to be several cloud-favoring scenarios:
A cloud services provider may offer a solution that can take a non-mission-critical application (and data) out of the enterprise’s normal workload, giving IT more time to focus on the core business. An example would be an electronics company that has expertise in design and manufacturing, but not the supply chain that gets the product into the hands of consumers. In this case, the enterprise might select a cloud services provider to host, run, and store supply chain applications and data.
A cloud provider may help an enterprise that is engaged in a global business and can no longer guarantee high service levels to its global customers because of the Internet delays its transactions incur when they cross inter-country firewalls. In this case, the enterprise might opt to apportion its data into “country” zones, hosting each application and its data within the boundaries of the country it serves, so that international data traffic slow-downs can be avoided.
In either case, the enterprise is likely to insist on a private cloud implementation that dedicates specific servers and other assets on the site to the enterprise and to no one else. The enterprise will also insist on a personal visit to the cloud service provider’s data center, and will ask for a copy of the service provider’s latest IT security audit and latest SAS 70 report. Be clear about what the latter covers: a SAS 70 report (since superseded by SSAE 16 and the SOC reports) is an auditor’s opinion on the provider’s controls over a period, not a guarantee of its long-term financial viability. That question is answered by the provider’s audited financial statements, which should be requested separately.

As cloud services continue to evolve, so will the business cases that also include the safety and the security of corporate data, whether it is kept in-house or managed in the cloud. The key for cloud services providers will be to continue to tighten data security practices. The key for companies will be to continue to benchmark data security internally and in the cloud as cloud-based services continue to mature.
Cloud ROI harder than it looks
As companies investigate cloud computing, they are obviously eager to apply internal total cost of ownership (TCO) and return on investment (ROI) metrics to these deployments. And many of them are finding it hard to obtain truly useful results.
One reason why is the immaturity of the cloud computing market. There simply isn’t much empirical evidence about cloud costs and returns yet — and companies are also still in the process of learning just how cloud implementations impact their IT operations and cost structures.
At first blush, the process of establishing an ROI for cloud computing looks straightforward. Jobbing out a system or two to cloud providers reduces software licensing costs, cuts your data center footprint and energy use, and eases IT staffing costs. The cloud services provider charges for the service, but in virtually every case, the cloud solution comes across as the best ROI because it comes in with lower costs to implement and to operate.
But evaluating the true ROI of cloud computing (or anything else) shouldn’t stop with the scratch of a sharp pencil on a spreadsheet in the Finance Department. For one thing, up-front cost savings may have a very different impact on ROI gained over an average IT lifetime (say, five years) of an investment. To this end, IT must be sure to extrapolate total costs of the cloud service over the term of the contract, and then compare that to its current view of on-premise IT resource utilization and support costs.

If the cloud service value proposition still looks good at this point, the next step is to perform a total impact analysis on cost of operation. It is already known that a cloud solution will save server and other data center costs, along with expenditures on IT staff used to support the systems being outsourced. But does cloud computing create any new costs? The answer is “yes,” at least potentially, in two areas.

The first area is contract management. At least one IT person at the Project Lead or Manager level will have to be dedicated part-time to manage the details of the contract, the relationships with the vendor, day to day performance of the solution, and communications with end users in the business. This is not a person with an entry-level skill set or an entry-level salary. Chances are good that this person already exists on the IT staff (perhaps in a Program Management Office), but in order to fulfill the new cloud environment management responsibilities, the person will have less time to devote to other projects.

A second area of new costs that the cloud can introduce involves security. An April 2010 PricewaterhouseCoopers survey of over 12,000 security and IT professionals around the world revealed that 35 percent were “very confident” in their own companies’ security, but only 29 percent felt the same way about the security of their partners and suppliers. Ensuring security compliance (and testing/certifying for it) with third-party cloud providers consumes both time and resources that otherwise could be dedicated to internal IT security. There is also early evidence that network Quality of Service (QoS) performance on third-party services is not as high as it is on internal systems. This means that more IT time will likely be needed from senior-level security and network professionals, a significant cost and organizational impact that can easily be overlooked in an ROI study.

It is difficult now to predict just how cloud computing ROI will pan out. It is certain, however, that more useful results on the “real” ROI of cloud computing will be available in two or three years, after organizations have had enough runtime with clouds to assess their value. Meanwhile, many companies are making the leap into cloud computing anyway, perhaps out of faith that those long-term benefits really will be there.


Solve Fundamental IT Problems

Key Benefits of Cloud Computing

  • Increase IT responsiveness and efficiency.
  • Reduce capital expenditures and operational overhead.
  • Provide greater business flexibility through an on-demand, pay-as-you-go model that scales with your business.
  • Get more choice in providers — use in-house or third-party vendors.
  • Free up IT resources for innovation.

After years of data center growth and IT evolution, many businesses are left living with complex, overgrown computing platforms that are chronically underutilized. These systems take up valuable data center floor space, depreciate quickly, consume large amounts of power and cooling resources, and can cause management headaches.

What’s more, the IT resources in the typical data center are locked into silos that are dedicated to particular applications. This rigid architecture makes it hard for an IT organization to quickly adapt or respond to changing business demands, and it makes it difficult to share resources throughout an enterprise — to increase utilization and improve efficiency.

By providing resources as a service, cloud computing addresses these fundamental data center challenges.

Many organisations report and make decisions based on information which is unreliable, inconsistent and misleading. There is an increasing burden of external reporting and compliance.
Non-financial performance information is becoming increasingly important to all organisations regardless of sector.  It is widely recognised that short and long term financial performance are predicated on sound performance information. Confidence in performance information is essential as it forms the basis on which key decisions are made by management, Boards and external stakeholders.
We help our clients and their key stakeholders build confidence in their performance information to make well-informed decisions. 

Agility & Effectiveness Drives Business Performance

Performance Assurance is a portion of the quality management process focused on providing confidence that a system or component accomplishes its designated functions. In a global business environment, consumer demand and competitive pressures have compelled organizations to ensure critical business software performs to optimal standards. With more and more business processes being automated by software, its agility and effectiveness drives the performance of business.

The challenge of ensuring your new business applications are production ready and will meet performance expectations is more intense than ever with the ever-increasing size, complexity and integration of business systems. Your organization can proactively address system performance issues using Hycom’s Performance Assurance Services. Our experienced team of professionals utilizes a proven methodology along with automated testing tools to examine the components of your application that drive and impact performance.

Hycom’s Performance Testing Service is a high-quality service comprised of three offering types:

  • Performance consulting
  • Point solutions in performance testing (datacenter and application migration)
  • Core performance testing and benchmarking for load, stress, volume, and endurance

Hycom’s production-like environment for performance testing addresses threats to the production environment and helps organizations correct capacity and performance issues prior to deployment. Hycom is tool agnostic with experience in all available commercial performance testing tools. 

The results of Hycom’s Performance Assurance Services include:

  • Identification of performance bottlenecks before an application is deployed
  • Assurance of new business applications for production readiness
  • Meeting performance expectations of internal and external customers
  • Keeping unplanned costs in check

We can help you by:

  • Advising on controls and process improvement, providing internal comfort that performance information is reported correctly,
  • Providing independent assurance over the process and controls used to manage performance information,
  • Providing assurance to support external (including regulatory), corporate responsibility and carbon reporting, or reporting on third party service providers,
  • Providing third-party assurance using defined reporting standards, and
  • Providing advice and assurance for corporate responsibility and sustainability reporting.

 

Performance Workshop
In our hands-on interactive workshop, we will help your team define performance goals, requirements and test scenarios, complete capacity planning and environment reviews, and define the entire performance test plan.

Typical Duration: 1 — 3 days
Value Proposition:

  • Prompt Planning: aurionPro will help your team plan your performance assurance strategy. We will get deeply engaged with your team and make sure that all performance testing related tasks are properly planned and accounted for.
  • Better Understanding: This workshop will help you to better understand the challenges associated with performance assurance and what to do to make sure they are properly addressed. Working closely with your team, we will define specific and measurable performance testing requirements and goals for your site.
  • Easier Project Planning: Based on our test plan you will be able to accurately schedule all performance assurance tasks. You will also be able to budget for any test environment costs and avoid last minute surprises.

Performance Proof of Concept
The Performance PoC is designed to guide our customers with their selection of vendors. With the data gathered from this offering, our customers will learn how a selected application stack performs, in no uncertain terms, and be able to make informed decisions when moving ahead with their selection of vendors, design, and implementation strategies.

Typical Duration: 2 weeks
Value Proposition:

  • Stack Validation: Our engineers will help you determine the proper use cases to test. We’ll develop realistic load simulations of those use cases and provide you with 3rd party validation of the vendors you are considering.
  • Proactive Decision Making: We’ll deliver the information you need to begin planning your performance assurance strategy.

Performance Audit
The Performance Audit is designed to guide our customers through their capacity planning process, helping them determine how many page views per second their site will need to deliver in order to handle the anticipated peak user load. We also quickly put their site through a series of infrastructure, stress, and baseline tests to measure how close they are to being able to handle their peak user load. With the data gathered from this offering, our customers will learn how their site performs, in no uncertain terms, and be able to make informed decisions when moving ahead with their performance assurance strategy.

Typical Duration: 3 weeks
Value Proposition:

  • Validation: Our engineers will help you determine the proper use cases to test. We’ll develop realistic load simulations of those use cases and quantify your site’s performance characteristics.
  • Cost Reduction: Performance, scalability, and stability defects can be costly to fix, as they sometimes require significant changes to the architecture. The cost of fixing them only increases over time. Let us help you identify them early on.
  • Proactive Decision Making: Find out how your site currently performs. We’ll deliver the information you need, helping you understand how your site performs and what areas of your site require immediate attention.

Readiness Evaluation
A full pass through our proven methodology will ensure that your end users get an outstanding experience. This engagement will help you resolve any issues and will give you the confidence that you need.

Typical Duration: 6-8 weeks
Value Proposition:

  • Prompt Planning & Execution: aurionPro will get deeply engaged with your team and make sure that all performance testing related tasks are properly planned and executed before your site goes live.
  • Root Cause Analysis: When performance, scalability, or stability problems are discovered while testing your site, our team will perform the necessary root cause analysis to make sure the issues get identified and resolved quickly. Our ongoing involvement won’t allow your performance and stability issues to languish, while your engineering team focuses on the functional aspects of the system.
  • Going Live with Confidence: Too many times we've seen that clients fail to plan and test adequately for performance before going live. The downtime required after launch to address performance issues can result in significant revenue loss and higher costs to resolve them. Our Readiness Evaluation enables you to realize measurable improvements and go live with confidence.

Product Benchmarking
This 4-8 week offering is designed to allow software vendors to measure the performance and scalability of their product on a given platform stack. The benchmark report that we produce is often used as a sales tool to provide potential customers the information they need when selecting a vendor or doing capacity planning.

Typical Duration: 4-8 weeks
Value Proposition:

  • 3rd Party Validation: Using our vast experience in testing various applications, our team will be able to independently assess the performance and scalability characteristics of your product. Through rigorous testing methodology that is fully documented, we will ensure the accuracy of the results and analysis. We will also work with your team to improve your product’s performance if needed.
  • Accelerated Sales Cycle: Our benchmark report will provide valuable information about your product performance, scalability and stability that can be used during the sales process. This information can be crucial in reassuring potential clients about the enterprise readiness of your product and speed up the vendor selection process. If you need to get involved in a performance POC, you will be able to quickly set up the benchmark based on the documentation that we have provided and replicate results in the controlled environment.
  • Educated Customers: Sharing the performance and scalability characteristics of your product with your clients will enable you to set their expectations properly and enable them to do capacity planning and tuning. Educated customers are more likely to proactively plan for adequate performance testing of their installation. This will minimize your involvement in resolving customer crisis situations that arise from poor planning and not understanding performance issues.

Rapid Bottleneck Analysis
Get a snapshot of your solution’s current performance characteristics and identify major bottlenecks. In a relatively short time, we have always helped resolve issues leading to significant improvements.

Typical Duration: 2-3 weeks
Value Proposition:

  • Quick Root Cause Analysis: Understand why your site isn’t performing. Our team of performance engineers can help you quickly identify the root cause of your performance and stability issues.
  • Increased User Acceptance and Satisfaction: Today’s users have a low threshold for high response times or sites that are frequently unavailable. Let us help you make sure your site is responsive and available 24x7.
  • Support Cost Reduction: Poorly performing sites create a drag on support teams, flooding them with calls. Your support and operations teams will appreciate our involvement.
  • Revenue and Productivity Improvements: If you are running an e-commerce site, higher throughput equals more sales. If you’re running a corporate intranet, higher throughput equals more employee productivity. Let us help you get there.

Continuous Performance Assurance
Let us help you achieve ongoing success by supporting your software development cycle. Our offering provides year-round performance testing and analysis of all major and minor releases.

Typical Duration: ongoing
Value Proposition:

  • Prompt Planning and Execution: aurionPro will help your team plan and execute your performance assurance strategy properly, making sure you test early and often for all major and minor releases. We will be engaged with your team regularly to make sure that all performance engineering related tasks are properly planned and executed.
  • Timely Root Cause Analysis: If performance related problems arise in your production or test environments, our team of experts will perform the necessary root cause analysis to make sure the issues get identified and resolved quickly. Our ongoing involvement won’t allow your performance and stability issues to languish, while your engineering, operations, and support teams focus on the functional stability of the system.
  • Performance Change Management: To instill continued confidence in the performance, scalability, and stability of your site, our team will continuously regression test your site and perform root cause analysis when any performance, scalability, or stability issues are discovered. This will make sure your live site continues to perform and scale as new features are added. Planned infrastructure upgrades or changes may not be as benign as sometimes hoped, hence sanity-checking your changes before pushing them into production will prove extremely valuable in the long run.
  • Proactive Decision Making: A live system often goes through changes after the launch such as increased content, or surges in user load. In order to make critical decisions in a timely manner before such changes impact performance and stability, constant monitoring and analysis of the system is required. aurionPro’s team provides this service as part of CPA so that your team will learn how your site is being used and keep a vigilant eye on the end user experience. Using suitable 3rd party tools, our team will periodically:
      • Monitor your end user experience
      • Perform trend analysis
      • Provide validation of your SLA with your customers
All Rights Reserved© Hycom Solutions. Website Designed by innovative informatics