Quality Assurance

Quality Assurance (QA) refers to a program for the systematic monitoring and evaluation of the various aspects of a project, service, or facility to ensure that standards of quality are being met.

It is important to realize also that quality is determined by the program sponsor. QA cannot absolutely guarantee the production of quality products, unfortunately, but makes this more likely.

Two key principles characterize QA: "fit for purpose" (the product should be suitable for the intended purpose) and "right first time" (mistakes should be eliminated). QA includes regulation of the quality of raw materials, assemblies, products and components; services related to production; and management, production and inspection processes.

It is important to realize also that quality is determined by the intended users, clients or customers, not by society in general: QA is more than just testing the quality of aspects of a product, service or facility; it analyzes the quality to make sure it conforms to specific requirements and comply with established plans.

    1. When should QA testing start in a project? Why?
      1. QA is involved in the project from the beginning. This helps the teams communicate and understand the problems and concerns, also gives time to set up the testing environment and configuration. On the other hand, actual testing starts after the test plans are written, reviewed and approved based on the design documentation.

    2. What is Software Testing?
      1. Software testing is oriented to "detection". It's examining a system or an application under controlled conditions. It's intentionally making things go wrong when they should not and things happen when they should not.

    3. What is Software Quality?
      1. Quality software is reasonably bug free, delivered on time and within budget, meets requirements and/or expectations, and is maintainable.

    4. What is Software Verification and Validation?
      1. Verification is preventing mechanism to detect possible failures before the testing begin. It involves reviews, meetings, evaluating documents, plans, code, inspections, specifications etc. Validation occurs after verification and it's the actual testing to find defects against the functionality or the specifications.

    5. What is Test Plan?
      1. Test Plan is a document that describes the objectives, scope, approach, and focus of a software testing effort.

    6. What is Test Case?
      1. A test case is a document that describes an input, action, or event and an expected response, to determine if a feature of an application is working correctly. A test case should contain particulars such as test case identifier, test case name, objective, test conditions/setup, input data requirements, steps, and expected results.

    7. What is Good Software Coding?
      1. Good code is code that works according to the requirements, bug free, readable, and expandable in the future and easily maintainable.

    8. What is a Good Design?
      1. In good design, the overall structure is clear, understandable, easily modifiable, and maintainable. Works correctly when implemented and functionality can be traced back to customer and end user requirements.

    9. What is a Walkthrough?
      1. Walkthrough is quick and informal meeting for evaluation purposes.

    10. What is Software Life Cycle?
      1. The Software Life Cycle begins when an application is first conceived and ends when it is no longer in use. It includes aspects such as initial concept, requirements analysis, functional design, internal design, documentation planning, test planning, coding, document preparation, integration, testing, maintenance, updates, retesting, phase-out, and other aspects.

    11. What is Software Inspection?
      1. The purpose of inspection is trying to find defects and problems mostly in documents such as test plans, specifications, test cases, coding etc. It helps to find the problems and report it but not to fix it. It is one of the most cost effective methods of software quality. Many people can join the inspections but normally one moderator, one reader and one note taker are mandatory.

RISK MANAGEMENT

The continued rise of new technologies and systems being introduced to the workplace on a daily basis results in a broad spectrum of risk for businesses. This risk can manifest itself in operational challenges, vulnerabilities and Internet threats. Businesses must also consider the risks posed to their operations from legacy systems, established business processes, partner supply chains and existing applications. Organizations can easily become mired in risk management problem-solving without achieving real results. To date, the information security industry has contributed to this problem with new point security solutions to address specific risks to distinct network assets. Unfortunately, the rate of technological change moves so quickly that no amount of ad hoc security solutions will be able to keep up with evolving threats and new applications.

To truly reduce risk, businesses need a methodology that allows them to anticipate problems, take corrective action and actually show results. Tackling risk management as a business process will bring organizations greater value in terms of technology efficiency, resource allocation and compliance.


1) Business Security Policy and Asset Considerations

The first three steps of the Risk Management Methodology suggest defining policy, assessing the current assets and assigning their value.

Establish a Security Policy

A successful risk management program starts with an effective information security policy. The security policy should be reviewed periodically to ensure that current IT projects are in line and to make adjustments based on changing business requirements. It should also be widely communicated and enforced among employees so that business unit owners, system owners and system users become a critical part of the asset value chain. By creating, maintaining and exposing employees to a security policy, an organization is one step closer to reducing and eliminating risks to critical business systems and information.

Determine Assets

While listed as step two in the process, asset determination goes hand in hand with defining security policy. In this step, the organization discovers and inventories every business system that accesses the network and requires protection. Asset determination is not purely technical and also requires interviews with system owners, business unit owners and critical users to determine how they access and use IT assets. The discovery process must be thorough to include all IT assets, users and applications that access the network or manipulate business information.

Asset determination must also consider the process flows between systems, users, customers and business partners. This step examines how users and customers interact with business systems and how one information system interacts with another. This exhaustive process reveals what an organization must consider as part of its risk management efforts and leads directly into the next step - assigning value to each asset.

Assign Value

Once business assets are identified, value must be assigned to them based on the value of the information they contain and process, not on the cost to acquire hardware and software licenses. Asset value considers the cost to the business if information is lost, compromises or disclosed to unauthorized parties. It also considers the cost of critical business systems suffering downtime, and the cost of recovery efforts should an incident occur. Additionally, these assets should be functionally grouped for ease of operations. Once value has been assigned, it becomes the core of all future actions and decisions related to information and systems security.


2) Acceptable Business Risk

Acceptable business risk, simply stated, is the risk that an organization deems necessary to properly conduct business. In order to determine "acceptable business risk" an organization must consider the business they are in, the assets that are critical to the business, and the people, processes and technologies involved. Building on the previous steps, understanding overall risk involves discovering vulnerabilities, determining threats, evaluating protection and calculating risk.

Discover Vulnerabilities

Not all vulnerabilities are created equal, which is why a defined security policy that considers all business assets and their value to the organization is so critical. Though two systems might share a common vulnerability, the reality of risk to the organization can actually be quite different. By applying the business value of an asset as part of the vulnerability discovery process, an organization is able to determine which vulnerabilities should have a higher priority and how remediation efforts should be applied.

Tying vulnerability discovery to asset value helps organizations approach remediation in a controlled, strategic manner. By following this process, the differences between a vulnerability scanner and a complete vulnerability management system will be readily apparent.

Determine Threats

Once vulnerabilities are discovered, the threats posed to those vulnerabilities must be considered. Various Internet threats can affect vulnerabilities in different ways. In many cases, security technologies or services can make these determinations. Organizations should rely on the asset discovery findings from step two to determine which systems could be impacted by specific threats.

Current Protection

Since the Risk Management Methodology is designed to maximize value in security technology, organizations must consider what current protection is in place before adding additional layers. By including the current countermeasures, an organization can usually determine if threats are already prevented, or if assets remain vulnerable. Then they can focus new protection on only the areas that require it.

Calculate Risk

Organizations can apply the data collected thus far to the formula below to properly assess the level of acceptable business risk in their environment. In this equation, a vulnerable asset exposed to a threat is protected with an appropriate countermeasure. The equation takes the value of the asset into account in order to calculate the actual level of risk.

R=A*(V/C)*(T/C)


R = RISK

A = ASSET VALUE

V = VULNERABILITY EXISTENCE

T = THREAT EXISTENCE OR PROBABILITY

C = COUNTERMEASURES

While this calculation could be completed manually, various security products and services have inherent capabilities to associate vulnerabilities and threats across critical assets as they are discovered in a production environment.


3) Properly Protect Critical Assets First

Once an organization has discovered and determined its current risk, those responsible for security decisions can make educated choices about what actions to take in what order. Using the Risk Management Methodology organizations can approach security in the most efficient manner possible - making proper use of limited staff resources and maximizing the investment in current solutions. Protection efforts include prioritizing actions, applying additional protection if necessary and ensuring remediation.

In addition to prioritizing actions, an organization must also consider if they have the right number of the right people to properly manage the process. As stated earlier, security is not technology alone, it is a merging of people, processes, and technology. With educated and experienced people being the key.

An action at this point might be to either find the right number of qualified people or outsource some of the security processes to an organization that has the experience to not only monitor the technology, but also analyze the data and information generated by the technologies and products used.

Prioritize Actions

This can't be achieved with technology alone, and requires human interaction and expertise. Some organizations may prefer to prioritize actions in-house. For others, expert consultants can advise them about the current threat and vulnerability landscape, discuss emerging technologies, take critical business processes into account and help establish an action plan for current and future security needs.

Ensure Remediation

After actions are prioritized and any additional protection is put in place, it will be necessary to ensure that the actions taken are effective. Vulnerability management services, vulnerability assessment solutions and security experts can all produce reports on actual vulnerabilities that have been remediated, effectively reducing risk to the organization.


4) Measure Compliance Success

By the time organizations are ready to review results, their actions from the previous 10 steps of the process should have produced noticeable changes to the overall security posture without any negative effect on business process. Results must be collected and then reviewed against the security policy to measure compliance.

Review Results

Reviewing the results of the Risk Management Methodology to this point is primarily administrative. Organizations should assess whether they are more secure than when they began the process, and quantify security's impact to their technology, people and processes.

Measure Compliance

To truly measure the level of compliance, organizations must review results against the security policy created in the first step. In doing so, they will determine if actions taken during the course of the risk management lifecycle achieved the goals, objectives and requirements set forth in the policy.

The title of this section is not to be confused with specific legislative or regulatory compliance requirements, rather they should be considered during the first step when establishing security policy.

There are many considerations to take into account during compliance review, but most importantly, organizations must use their own goals and objectives as the ultimate measuring stick. Once they have determined if initial goals were met, they can then take any additional action necessary, such as instituting tighter controls, changing policy or altering the environment.

Security is a process, not an end goal. By following the Risk Management Methodology, organizations should be able to protect critical information assets while maximizing efficiency and existing technology. Plus, their security should be more adaptive when new technologies, people and processes are introduced to the business environment.

employeeportal employeeportal employeeportal

newsbar

Recent News

08.14.12

Technet Logo

21CTI Exhibitor at Technet Land Forces East in Baltimore, MD, Aug 14-16 Booth #1515

more

04.11.12

GSA Expo Logo

21CTI Exhibitor at GSA Expo 2012 in San Antonio, TX May 15-17 Booth #715

more

08.01.11

GSA Logo

21CTI Awarded STARS II GWAC

more




View Past Events