NIST Cybersecurity Framework: Keeping Your Business Safe in an Unsafe IT Ecosystem

The Rising Strategic Risk of Cyberattacks

As the world continues to embrace technology and its many advantages, businesses have also come to rely more and more on technology, storing large amounts of sensitive data electronically. The ease with which computers can store and access information is a major reason for the shift toward massive electronic storage, and with the efficiencies that computers bring to the market, a new area of risk has been inadvertently created.

Evidently, cyber criminals today are increasingly leveraging malware, bots and other forms of sophisticated threats to attack organizations for various reasons – financial gain, business disruption or political agendas. In many cases, they target multiple sites and organizations to increase the likelihood of an attack’s initial success and viral spread. With new variants of malware being generated on a daily basis, many companies struggle to fight these threats separately, and the majority of attacks are left undetected or unreported.

Cybercriminals are also no longer isolated amateurs. They belong to well-structured organizations with money, motivation and goals, often employing highly skilled hackers that execute targeted attacks. Such organizations can deploy considerable threat intelligence, time and resources in order to execute attacks that can cost cybercrime victims significant amounts of money. Unfortunately, this trend is only growing more complex as businesses experience a surge in internet use, mobile computing and the cloud, creating more channels of communication and vulnerable entry points into the network.

Cybersecurity – A Global Business Concern 

More and more business value and personal information worldwide are rapidly migrating into digital form on open and globally interconnected technology platforms. As that happens, the risks from cyberattacks become more and more distressing.

According to 2014 McKinsey and World Economic Forum research, companies are continuously struggling with their capabilities in cyber risk management and believe that they are losing ground to attackers as visible breaches keep occurring at growing scale and severity.

Their findings show that 70% of executives from financial institutions believe that cybersecurity is a strategic risk to companies and consider internal threats (their employees) as big a risk as external attacks. Similarly, product companies such as high-tech firms see the leaking of proprietary knowledge about production processes as more damaging than leaks of product specifications, given the pervasiveness of “teardown” techniques and the legal protections afforded to product designs. Service companies, on the other hand, are more concerned about the loss and release of identifiable information on customers and about service disruptions.

Equally worrisome, executives from various industries believe that cyber attackers will continue to increase their lead over corporate defenses, moving more quickly than institutions can defend themselves, thus making cybersecurity the top priority for businesses of all kinds.

Why Does Cybersecurity Matter?

If you still haven’t developed a plan to safeguard your company’s information assets, here are the top 5 reasons why cyber security matters:

1 – Your reputation will be at risk.

If your business has an exposure to cyber risk, you can be sure people will find out about it. The fallout can be devastating. Customers may doubt their data is safe with you, prompting them to shop elsewhere as a result. After all, if you’ve had one breach, what are the chances you might have another?

A data breach could even make your vendors wary of working with you. Network connections you share with them (for processing payroll, for example, or for transferring email campaign lists) could suddenly be suspect. They have their own data to protect, and a breach might identify your business as the weakest link in the security chain.

2 – Breaches are a financial burden.

When a breach is discovered, systems are often taken offline to plug the security hole. During that time, you may not be able to process customers’ orders or continue operations. New equipment or software may need to be purchased to prevent a recurrence of the breach.

3 – It’s not a matter of “if,” but “when.”

With the pace of breaches occurring in our hyper-connected, data-intensive world, no business, industry or region is immune. Rather than hoping to simply avoid a data exposure, businesses are learning to protect themselves more smartly and to be prepared to meet hackers head on.

4 – Insider threats are real.

Dangers that are just as disturbing as any cyber criminal may lurk within an organization. Resentful employees can inflict tremendous harm if they choose to take revenge on the business or a coworker by divulging sensitive information. The same holds true for employees facing financial difficulties who may see the sale of confidential data as a way to solve their money problems. One of the most challenging aspects of an insider threat is how difficult it can be to identify who presents a risk and who doesn’t. Employers often aren’t aware of the danger until a breach has occurred.

5 – A cyber attack puts your customers and partners at risk.

Breach victims could suffer financial losses through the theft of payment card and bank account numbers. It’s also possible they could fall prey to identity fraud later if criminals use their personal information to open new accounts in their name. But the damage doesn’t stop there. With a name or a Social Security number, someone could commit a crime using the victim’s identity, putting that person’s livelihood and reputation in serious jeopardy. Given the danger identity theft and fraud pose, protecting customers’ data is part of being a good business.

Some of the largest breaches during the past few years have been due to small businesses serving as vendors to larger companies. As part of the larger business ecosystem, small businesses will be scrutinized for data best practices so long as they serve as third party vendors for other companies.

Cybersecurity Landscape

Attacks on sensitive IT systems and data increased in 2015, many of which caused substantial financial and reputational damage to the companies involved. Still, a successful attack on the underpinnings of the nation’s critical infrastructure would have far more catastrophic impacts than this.

According to the ISACA 2015 Global Cybersecurity Status Report, 83% of ISACA members across 129 countries say cyberattacks are among the top three threats facing their organization today, and only 38 percent say they are prepared to experience one.

IT departments often found themselves unprepared to patch and mitigate these threats (monetization of credit card data or financial records, rapid replication of products or processes, access to strategic or customer information), leaving the window for exploitation wide open and leading to a perfect storm of zero-day attacks, system infiltration and subsequent data loss for many organizations.

Here are the Must Know Cyber Security Statistics in 2015


According to the 2015 IBM Business Intelligence Index Report, 55% of attacks came from people who have physical or remote access to a company’s assets (hard copy documents, disks, electronic files and laptops) as well as non-physical assets, such as information in transit. Although the insider is often an employee of the company, he or she could also be a third party. Think about business partners, clients or maintenance contractors, for example. They’re individuals you trust enough to allow them access to your systems.


Still, it’s important to note that more often than not, breaches caused by insiders are unintentional. In fact, over 95% of these breaches are caused by human error. That can mean accidentally posting information on the company’s public-facing website, sending information to the wrong party via email, fax, or mail, or improperly disposing of clients’ records.

But insiders who set out to take advantage of the company they work for can be much more dangerous. It’s more difficult to thwart these insiders’ malicious actions because they’re willing to take extraordinary measures to circumvent access controls and are typically unconcerned with corporate policies or the potential consequences of their actions.

Taking Action: NIST Cybersecurity Framework

The NIST Framework for Cybersecurity for Critical Infrastructure was approved in February 2014 and is intended to help establish guidelines and best practices for ensuring that our critical systems are adequately protected. Although it is a voluntary framework, it is expected that it will be adopted by many companies in order to strengthen their security posture.

The Framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs. It comprises three primary components: Core, Implementation Tiers, and Profile.

Framework Core – A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core represents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.

The functions in the Core include:

  • Identify – develop the organizational understanding to manage cybersecurity risk to systems, applications, and data.
  • Protect – implement safeguards to ensure the secure delivery of infrastructure services.
  • Detect – implement the appropriate activities to take action on a cybersecurity event.
  • Recover – maintain plans for resilience and to restore any services impacted by a cybersecurity event.

Framework Implementation Tiers – Describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. There are four tiers that can be used to identify the “current state” of your cybersecurity effort.

These tiers and their brief characteristics include:

  • Tier 1 (Partial): Informal cybersecurity risk management practices, ad hoc and reactive approach to risk management.
  • Tier 2 (Risk Informed): Management-approved risk management processes, awareness of risk at organizational level, but lack of an organization-wide approach.
  • Tier 3 (Repeatable): Risk management processes expressed as policy, organization-wide approach to manage cybersecurity risk, risk-informed policies, processes and procedures.
  • Tier 4 (Adaptive): Adaptable cybersecurity practices based on lessons learned and predictive indicators, continuous improvement incorporating advanced technologies and practices, active sharing of information with partners both before and after cybersecurity events.

Framework Profile – Describes outcomes based on the business need and risk assessment that the organization has selected from the Core. This information enables you to identify opportunities for improving cybersecurity by moving from “current state” to “target state”. To develop a Profile, an assessment, determine which are most important. The Current Profile can then be used to support prioritization and measurement of progress towards the Target Profile. It can also be used to support communication within the organization.

Benefits beyond Improved Cybersecurity

The NIST Framework was designed with a very high degree of flexibility for organizations that would like to follow its guidelines. It is also technology-neutral, and incorporates existing industry standards and best practices – no “re-inventing the wheel”. Most importantly, it enables each organization to profile its own cybersecurity efforts, define a target profile, and then put in place a plan to reach that goal.

In this regard, its guidelines should be considered not as requirements but as scorecards that are based on the unique business needs, risk appetite, and security demands for each environment and provide a guide for continuous improvement based on changing risk and threat dynamics.

For most organizations, whether they are owners, operators, or suppliers for critical infrastructure, the NIST Cybersecurity Framework may be well worth adopting solely for its stated goal of improving risk-based security. But it also can deliver ancillary benefits that include effective collaboration and communication of security posture with executives and industry organizations, as well as potential future improvements in legal exposure and even assistance with regulatory compliance.

Effective collaboration hinges upon open and meaningful dialogues. To that end, the Framework has created a common language to facilitate conversation about cybersecurity processes, policies, and technologies, both internally and with external entities such as third-party service providers and partners.

Looking Ahead

New technologies, well-funded and determined cyber-attackers, and interrelated business systems have combined to increase your exposure to cyberattacks. Your critical and most confidential digital assets are being targeted at an exceptional rate, and the potential impact to your business has never been greater.

The NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards. This framework is voluntary, and when you successfully adapt, you do more than protect your business; you have the potential to reap bottom-line benefits.


ISO 20400 – Sustainable Procurement: Purchasing Greener and More Sustainable Products from Greener and More Sustainable Companies

Philippine Procurement Today

The overall consumer expenditure in the Philippines increased to ₱ 1,342,297 Million in the fourth quarter of 2015 from ₱ 1,321,980 Million in the third quarter of 2015. Shifting that spending towards more sustainable goods and services can help drive markets in the direction of innovation and sustainability, thereby enabling transition to a green economy.

Traditional procurement focuses upon value-for-money considerations. Nowadays, procurement goes beyond the traditional purchasing criteria of price, performance and quality, also taking account of the environmental and social impacts of your purchasing choices and reducing adverse impacts upon health, social conditions and the environment, thereby saving valuable costs for organizations and the community at large.

Society’s Receptiveness on Sustainable Procurement

Thinking about our purchasing decisions and making informed choices can significantly reduce our environmental and social impacts. Our purchasing power can be used to positively influence supply chains, promoting the productive use of resources and materials and the engagement of ethical and socially responsible suppliers.


According to a 2014 Nielsen report, 55% of global online consumers across 60 countries say they are willing to pay more for products and services provided by companies that are committed to positive social and environmental impact. The Asia-Pacific region was the most willing to pay more for products with social-good benefits, surpassing the global average at 64%.

These sustainability-minded consumers based their choice of goods and services on:


Benefits of Responsible Purchasing

Consumers are not the only ones interested in purchasing greener, healthier products. Many organizations, from large enterprises to small ones, are looking to make more sustainable choices.

For many of these organizations, responsible purchasing is more than “doing the right thing.” Green purchasing priorities are frequently connected with specific business objectives like:

  • Enhanced Brand Image: An organization that has gone green is seen as a good corporate citizen. This improves its image in the eyes of the public.
  • Customer Satisfaction: An organization that goes green in response to customer concerns increases its levels of customer satisfaction, a key point in customer retention.
  • Reduced Risk: Any company that does not go green is not only risking a run-in with the law by failing to comply with green regulations, it is also maintaining more liability than it needs to. Hazardous chemicals are just accidents, and lawsuits, waiting to happen. With green purchasing, you can offset financial and environmental risk, rather than just inheriting it from your suppliers.
  • Cost Reduction: Going green doesn’t cost more. Most of the time it actually saves money, especially when the new products use less energy, generate less waste, and last longer. Plus, sometimes green products work better than their lethal counterparts. Going green can reduce the following costs, among others:
    • hazardous material management costs
    • operational costs
    • repair and replacement costs
    • disposal costs
    • health & safety costs (which often come in the form of liability insurance and expensive settlements)
  • Increased Shareholder Value: A better brand with happy customers who keep coming back and drive up sales while costs keep falling results in significant ROI, which interests more shareholders in investing in your company.

ISO 20400 – Sustainable Procurement: Purchasing from Greener and More Sustainable Companies

A purchasing entity, regardless of its location in the world, can now no longer exempt itself from accountability for what occurs at its suppliers. Now, given multiple levels of subcontractors and cross-border procurement, a globally accepted standard will be needed to regulate the best practices of responsible purchasing.

ISO 20400, a standard for Sustainable Procurement, provides guidelines on purchasing greener, healthier and more sustainable products from greener and more sustainable companies. Its development started in 2013 with a proposal from France and Brazil. At the moment, 33 countries and 7 liaison organizations are participating, while 13 countries are observing.

The ISO 20400 Standard is based on several principles, many of which share the intent of SPLC’s Principles for Leadership in Sustainable Purchasing. These include:

Understanding – Understanding the relevant environmental, social, and economic impacts of its purchasing.

Commitment – Taking responsibility for the relevant environmental, social, and economic impacts of its purchasing by committing to an action plan.

Results – Delivering on its commitment to improve the relevant environmental, social, and economic impacts of its purchasing.

Innovation – Actively promoting internal and external innovation that advances a positive future.

Transparency – Soliciting and disclosing information that supports a marketplace of innovation.

The four main parts of the guidance standard consist of:


Clause 4: Fundamentals

This clause is primarily written for use by top management of an organization to help define the strategy and policies in connection with sustainable procurement. As a result it considers what sustainable procurement is, what the main organizational sustainability issues and drivers are, and how sustainability should be integrated into procurement policies and strategies.

Clause 5: Integrating Sustainability into the Organization’s Procurement Policy and Strategy (Policy and Strategy)

This clause provides guidance about how sustainability considerations should be integrated at a strategic level within the procurement function of an organization to ensure that the intention, direction and key sustainability priorities of the organization are documented and understood by all parties involved in sustainable procurement. This clause is applicable to all but helps top management define sustainable procurement policy and strategy.

Clause 6: Organizing the Procurement Function towards Sustainability (Enablers)

Clause 6 is primarily written for use by procurement management and describes the conditions that need to be created and management techniques that should be employed to enable sustainable procurement to be successfully implemented and continually improved. These conditions are key to successfully integrating sustainability considerations into the procurement process described in clause 6. Five enablers are discussed: priority setting, enabling people, governing procurement, engaging stakeholders and measuring performance.

Clause 7: Integrating Sustainability into the Procurement Process (Procurement Process)

This clause addresses the procurement process and is intended for individuals who are responsible for the actual procurement within their organization. This clause may also be of interest to those in associated functions.

Sustainable procurement, when adopted, should be integrated into existing procurement process steps such as planning, specifications, supplier selection, contract management, and contract review and lessons learnt.

Looking Ahead

Buying greener, healthier, more sustainable products is one way we can all improve our own lives while building a better world. To strengthen this initiative, ISO 20400 was created and launched for consultation with a wider audience than the experts from the mirror committees of the involved countries. The vote terminates on 2nd of December, 2016, and the final version of the standard is expected to be released in early 2017.


ISO 9001:2015 – Shifting Gears in the New Quality Management Standard

Moving from ISO 9001:2008 to ISO 9001:2015

ISO 9001 is a standard designed for organizations looking to optimize their operational excellence. It helps businesses and organizations to be more efficient and improve customer satisfaction. A new version of the standard, ISO 9001:2015, has just been launched, taking over the previous version.


ISO standards are reviewed every five years and revised if needed to ensure that they maintain their significance in today’s marketplace. This revision will also serve to keep ISO 9001 relevant with regard to both the challenges and the opportunities that arise from changing technologies, globalization, and a reinforcement of a risk-based approach, as well as structuring the standard to deal with future changes.

What are the Major Differences?

The new ISO 9001 standard aligns with high-level organizational structure, requiring all new ISO management system standards to be aligned on a high-level structure with a set of common requirements. Additionally, there is a greater emphasis on risk-based thinking as a basis for the management system, more focus on achieving value for the company and its customers, increased flexibility regarding use of documentation, and a more approachable structure for service businesses.

There are 10 clauses within the standard and here are the changes clause by clause:

Clause 1 is very similar to the 2008 version covering the scope of the standard and there has been very little change to this clause.

Clauses 2 and 3 cover normative references and terms and definitions; both clauses reference ISO 9000, Quality Management Systems – Fundamentals and Vocabulary, which provides valuable guidance.

The remaining clauses include some new key elements which need to be considered when implementing the new standard.

Clause 4: Context of the Organization

This is a new clause that in part addresses the deprecated concept of preventive action and in part establishes the context for the QMS.

Clause 5: Leadership

This clause places requirements on top management to demonstrate commitment to the QMS through taking accountability for the effectiveness of the QMS, establishing policies, objectives and promotion of continual improvement.

Clause 6: Planning

When planning the QMS, the organization will need to consider the external and internal issues along with needs and expectations of interested parties.

Clause 7: Support

The organization shall determine and provide the necessary resources to establish, implement, maintain and continually improve the QMS.

Clause 8: Operation

This clause deals with the execution of the plans and processes that enable the organization to meet its quality policy and quality objectives.

Clause 9: Performance Evaluation

This clause brings together all requirements for monitoring and measurement related to quality performance and the effectiveness of the QMS.

Clause 10: Improvement

The organization must determine the opportunities for improvement to continually improve the organization’s QMS.


Impact of the New Standard

ISO 9001:2015 is now taking off to replace ISO 9001:2008. Organizations that are already ISO 9001 certified should begin tracking the progress of the revision process and familiarize themselves with the various changes made. To maintain your certification to ISO 9001, you will need to upgrade your quality management system to the new edition of the standard and seek certification to it. You have a three-year transition period from the date of publication (September 2015) to move to the 2015 version. This means that, after the end of September 2018, a certificate to ISO 9001:2008 will no longer be valid.

According to the International Accreditation Forum (IAF), there are a number of recommended actions that organizations can take to successfully transition to the new requirements of ISO 9001:2015. These include:

  • Conduct a gap analysis

Identifying the gaps between current practices and the new requirements is the most effective way to evaluate the changes that are required in your current QMS.

  • Develop an implementation plan and timetable

A formal implementation plan and schedule will help your organization address the required changes within the anticipated three-year transition period.

  • Provide appropriate training for all parties

Ongoing education and training for all relevant personnel are critical to achieving the goals of your transition plan. More important, educated stakeholders are vital in ensuring ongoing compliance once the transition is complete.

  • Update existing QMS documentation

Clear and thorough documentation is essential to demonstrate compliance with the requirements of the revised standard and to help reduce the risk of nonconformities.

  • Involve your certification partner early in the process

An experienced certification body can provide invaluable assistance in the process of transitioning to the requirements of ISO 9001:2015. Its early involvement can help your organization save time and money.


In a nutshell, there are new areas that organizations need to contemplate in the implementation of the new standard, but it provides an opportunity to review your current approach and modify it if necessary. This can help your business to grow, increase profitability and increase customer satisfaction. It is now a powerful business improvement tool for all sizes and types of organizations to help them remain irrepressible and achieve sustainable growth.


Confidence on the Cloud – A New Cloud Privacy Standard (ISO 27018)

The Cloud Today

The growing marketplace of cloud computing.

Cloud computing’s growth in use and popularity has been soaring at a great pace! According to Gartner (2013), the marketplace for cloud computing will grow ~20% to USD 131 billion in 2017 from USD 111 billion in 2012.

What’s more?

2016 will be a defining year for cloud as this cutting-edge technology will just get more sophisticated in the next few years.

The Cloud Landscape

Cloud computing started as an in-house infrastructure established by companies such as Microsoft, Google and Amazon to serve their individual business needs. This consists of a set of technologies and service models that focus on Internet-based use and delivery of IT applications, processing capability, storage and memory space.

But now it has evolved into a platform on which much of our daily life depends. While public and private clouds offer one means to differentiate the infrastructure sharing options, SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) have come to define the extent and level of control held by the cloud service provider (CSP) vs. the cloud user.

According to the National Institute of Standards and Technology (NIST), the “cloud” is composed of five essential characteristics.

  1. On-demand self-service, which implies that a customer can order service via the web or some other method at any point in time, to become immediately available for his or her use.
  2. Broad network access, in the sense that services are available over the network and are accessed through standard mechanisms (mobile phone, tablet, laptop, etc.).
  3. Rapid elasticity of the cloud capabilities and the fact that it is a measured service, which means additional capacity remains available and accessible on an ‘as needed’ basis and customers are automatically billed for their consumption.
  4. Last but not least, resource pool, meaning the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

The Confidence for Tomorrow – ISO 27018

The massive flows of data across cloud computing services are becoming ever more complex. Identifying and protecting personal data in those flows is becoming a daunting issue for many cloud service providers and cloud users. Given the substantial data protection risks, measures need to be undertaken in cloud computing in order to mitigate their effect, to the benefit of the cloud computing industry and its clients.

While there are several laws and regulations around it, a common benchmark or standard was lacking for some time. ISO 27018:2014 – Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors is the first set of international privacy controls launched.

Following and using the privacy controls foreseen in ISO 27018 offers greater assurance for service providers that they are doing the right thing and doing everything recommended to protect customers’ personal information. This mechanism also benefits both cloud providers and cloud users. For a consumer buying cloud services, it can help to identify the requirements for selecting a cloud provider and to define contractual clauses. For a cloud service provider, it can provide a unique selling proposition to potential clients, because the more familiar clients become with the standard, the more often they will include it in their requests for proposal.

ISO 27018 takes into account public policy from around the world, as it integrates input from many regional regulators. A cloud service provider’s conformance to the standard makes the whole job of complying with particular legislation in one country or region that much easier. The standard provides a common set of guidelines for the whole industry and adds needed protections to improve PII security and compliance in an increasingly cloud-based information environment.

ISO 27018 – Quick Overview

Key Elements of the Standard

ISO 27018 is a standard put forward by the International Organization for Standardization (ISO) that seeks to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a data processor. In order to fulfill the standard, cloud service providers must understand the following key elements:

  1. Personally Identifiable Information (PII) instead of Personal Data

The scope of “personal data” is not only about the information that “can be used” or “linked” to a PII principal/data subject, but “any information” relating to an identifiable natural person.

  2. Cloud Providers as Data Processors

In ISO/IEC 27018 the client is regarded as the PII controller and the cloud service provider is the PII processor.

  3. Personal Data Protection Principles

The ISO/IEC 27018 contains a comprehensive set of controls regarding:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Asset control
  • Cryptography
  • Physical and environmental security
  • Operations and communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Compliance
  • Information security aspects of business continuity management.

As the PII processor enables the cloud service client to comply with its regulatory obligations (data protection), through this controls, PII processor conforms to its own obligations, either legal or contractual.

  1. Accountability and Certification

Elements of the principle of accountability are incorporated into the standard, in particular the data breach notification, privacy by design, audits and certifications. In general, the standard may be seen as an instrument that assists the PII processor to comply with the principle of accountability requirements. Key to the demonstration of compliance in the context of the principle of accountability is third party certification. The cloud service provider that implements the new standard may ask for a conformity assessment, in order to be certified for complying with the standard.

In order to comply with the standard, participating cloud service providers must provide transparency in the following practices:

  • only process personal data in accordance with the customer’s instructions;
  • only process personal data for marketing or advertising purposes with the customer’s express consent;
  • be transparent around the use of sub-processors (which will include providing the names of, and any possible locations where the data may be processed by, any sub-processors);
  • ensure that staff who have access to personal data enter into confidentiality agreements and receive appropriate staff training;
  • make required disclosures to law enforcement authorities and/or regulators only when legally bound to do so;
  • assist cloud customers to comply when individuals assert their access rights; and
  • help cloud customers comply with their notification obligations in the event of a data breach.

Top 10 Things to Know about Cloud Security and ISO 27018

Way Forward

The current landscape for cloud security standards is best characterized as immature but emerging. ISO 27018 provides transparent guidance for cloud service providers to establish privacy protection and allows businesses to make careful decisions about the cloud. Beyond the guidelines it provides today, ISO 27018 can also serve as a reference point for the future improvement of standards. As the first international standard dedicated to cloud privacy, it initiated an interchange of ideas among CSPs on best practice for data privacy and security. ISO 27018 is an important step toward protecting PII in the cloud: it emerges from previous ISO guidelines and will continue to evolve along with cloud service providers’ technology to provide more secure services for the growth and success of businesses.

ECC International is a leading process improvement solutions provider in Southeast Asia, focused on process consulting, automation solutions and learning outsourcing services. We help companies achieve performance excellence by assisting them implement management systems and international standards/best practices across multiple domains and industries.

Our partnerships with best-in-class technology companies help drive sustained excellence for our customers. As a solutions provider with instructional design capability and subject matter expertise in niche areas, we help organizations implement learning strategies and design learning content for improved performance.

APEX Global (The Academy for Professional Excellence) is the learning solutions arm of ECCI – the leading process improvement solutions provider in Southeast Asia.

Our sole aim is to promote performance excellence among professionals. We help our customers achieve greater success through effective, experiential and result-oriented training delivery.

Empowered with a strong pool of expert trainers and facilitators having expertise in a niche array of domains and a strong regional presence, we provide an extensive portfolio of excellent industry specific and functional programs coupled with high quality training materials to provide best-in-class services for professionals around.

We are a market leader when it comes to Information Security and Risk Management solutions (in the form of training, consulting and GRC solutions) in SE Asia.

To learn more about cloud security, ISO 27018 guidelines and requirements, correlation with existing standards such as ISO 27001 and EU Data Protection Laws, join us at the Confidence on the Cloud- Data Security Best Practices based on ISO 27018 training program.




50 Sensor Applications for a Smarter World


Smart Cities

  • 01 Smart Parking

    Monitoring of parking spaces availability in the city.

  • 02 Structural health

    Monitoring of vibrations and material conditions in buildings, bridges and historical monuments.

  • 03 Noise Urban Maps

    Sound monitoring in bar areas and centric zones in real time.

  • 04 Smartphone Detection

    Detect iPhone and Android devices and in general any device which works with WiFi or Bluetooth interfaces.

  • 05 Electromagnetic Field Levels

    Measurement of the energy radiated by cell stations and WiFi routers.

  • 06 Traffic Congestion

    Monitoring of vehicles and pedestrian levels to optimize driving and walking routes.

  • 07 Smart Lighting

    Intelligent and weather adaptive lighting in street lights.

  • 08 Waste Management

    Detection of rubbish levels in containers to optimize the trash collection routes.

  • 09 Smart Roads

    Intelligent Highways with warning messages and diversions according to climate conditions and unexpected events like accidents or traffic jams.



Smart Environment

  • 10 Forest Fire Detection

    Monitoring of combustion gases and preemptive fire conditions to define alert zones.

  • 11 Air Pollution

    Control of CO2 emissions of factories, pollution emitted by cars and toxic gases generated in farms.

  • 12 Snow Level Monitoring

    Snow level measurement to know in real time the quality of ski tracks and allow security corps avalanche prevention.

  • 13 Landslide and Avalanche Prevention

    Monitoring of soil moisture, vibrations and earth density to detect dangerous patterns in land conditions.

  • 14 Earthquake Early Detection

    Distributed control in specific places of tremors.



Smart Water

  • 15 Potable water monitoring

    Monitor the quality of tap water in cities.

  • 16 Chemical leakage detection in rivers

    Detect leakages and wastes of factories in rivers.

  • 17 Swimming pool remote measurement

    Control remotely the swimming pool conditions.

  • 18 Pollution levels in the sea

    Control realtime leakages and wastes in the sea.

  • 19 Water Leakages

    Detection of liquid presence outside tanks and pressure variations along pipes.

  • 20 River Floods

    Monitoring of water level variations in rivers, dams and reservoirs.



Smart Metering

  • 21 Smart Grid

    Energy consumption monitoring and management.

  • 22 Tank level

    Monitoring of water, oil and gas levels in storage tanks and cisterns.

  • 23 Photovoltaic Installations

    Monitoring and optimization of performance in solar energy plants.

  • 24 Water Flow

    Measurement of water pressure in water transportation systems.

  • 25 Silos Stock Calculation

    Measurement of emptiness level and weight of the goods.



Security & Emergencies
  • 26 Perimeter Access Control

    Access control to restricted areas and detection of people in non-authorized areas.

  • 27 Liquid Presence

    Liquid detection in data centers, warehouses and sensitive building grounds to prevent break downs and corrosion.

  • 28 Radiation Levels

    Distributed measurement of radiation levels in nuclear power stations surroundings to generate leakage alerts.

  • 29 Explosive and Hazardous Gases

    Detection of gas levels and leakages in industrial environments, surroundings of chemical factories and inside mines.




  • 30 Supply Chain Control

    Monitoring of storage conditions along the supply chain and product tracking for traceability purposes.

  • 31 NFC Payment

    Payment processing based on location or activity duration for public transport, gyms, theme parks, etc.

  • 32 Intelligent Shopping Applications

    Getting advice at the point of sale according to customer habits, preferences, presence of components customers are allergic to, or expiry dates.

  • 33 Smart Product Management

    Control of rotation of products in shelves and warehouses to automate restocking processes.




  • 34 Quality of Shipment Conditions

    Monitoring of vibrations, strokes, container openings or cold chain maintenance for insurance purposes.

  • 35 Item Location

    Search of individual items in big surfaces like warehouses or harbours.

  • 36 Storage Incompatibility Detection

    Warning emission on containers storing inflammable goods close to others containing explosive material.

  • 37 Fleet Tracking

    Control of routes followed for delicate goods like medical drugs, jewels or dangerous merchandise.



Industrial Control

  • 38 M2M Applications

    Machine auto-diagnosis and assets control.

  • 39 Indoor Air Quality

    Monitoring of toxic gas and oxygen levels inside chemical plants to ensure workers and goods safety.

  • 40 Temperature Monitoring

    Control of temperature inside industrial and medical fridges with sensitive merchandise.

  • 41 Ozone Presence

    Monitoring of ozone levels during the drying meat process in food factories.

  • 42 Indoor Location

    Asset indoor location by using active (ZigBee) and passive tags (RFID/NFC).

  • 43 Vehicle Auto-diagnosis

    Information collection from CanBus to send real time alarms to emergencies or provide advice to drivers.



Smart Agriculture

  • 44 Wine Quality Enhancing

    Monitoring soil moisture and trunk diameter in vineyards to control the amount of sugar in grapes and grapevine health.

  • 45 Green Houses

    Control micro-climate conditions to maximize the production of fruits and vegetables and its quality.

  • 46 Golf Courses

    Selective irrigation in dry zones to reduce the water resources required in the green.

  • 47 Meteorological Station Network

    Study of weather conditions in fields to forecast ice formation, rain, drought, snow or wind changes.

  • 48 Compost

    Control of humidity and temperature levels in alfalfa, hay, straw, etc. to prevent fungus and other microbial contaminants.



Smart Animal Farming

  • 49 Hydroponics

    Control the exact conditions of plants grown in water to get the highest efficiency crops.

  • 50 Offspring Care

    Control of growing conditions of the offspring in animal farms to ensure its survival and health.

  • 51 Animal Tracking

    Location and identification of animals grazing in open pastures or location in big stables.

  • 52 Toxic Gas Levels

    Study of ventilation and air quality in farms and detection of harmful gases from excrements.



Domotic & Home Automation

  • 53 Energy and Water Use

    Energy and water supply consumption monitoring to obtain advice on how to save cost and resources.

  • 54 Remote Control Appliances

    Remotely switching appliances on and off to avoid accidents and save energy.

  • 55 Intrusion Detection Systems

    Detection of windows and doors openings and violations to prevent intruders.

  • 56 Art and Goods Preservation

    Monitoring of conditions inside museums and art warehouses.




  • 57 Fall Detection

    Assistance for elderly or disabled people living independently.

  • 58 Medical Fridges

    Control of conditions inside freezers storing vaccines, medicines and organic elements.

  • 59 Sportsmen Care

    Vital signs monitoring in high performance centers and fields.

  • 60 Patients Surveillance

    Monitoring of conditions of patients inside hospitals and in old people’s homes.

  • 61 Ultraviolet Radiation

    Measurement of UV sun rays to warn people not to be exposed in certain hours.






Maximize the synergies between ITIL and DevOps


This white paper describes the synergies between ITIL® best practices and DevOps (development and operations) practices. ITIL focuses on the lifecycle of services, from inception to retirement, and provides best-practice guidance for IT service management (ITSM). The ITIL service lifecycle includes the development and operation of services. DevOps is a movement, inspired by lean methodology and agile development practices, which aims to achieve seamless workflow for product synchronization between all possible organizational functions – especially development and operations groups. A DevOps approach tries to reconcile the different priorities and processes of these groups, all for the purpose of facilitating greater business agility and delivering more value to the end user. In some organizations, this work is performed by virtual teams from different groups. ITIL describes rapid application development in the service design book as using agile software development.

Most IT organizations are struggling to remove silos that hamper their ability to work collaboratively. Failure to collaborate interferes with the effective use of an organization’s capabilities and resources, leading to inflexibility and inefficiency in the delivery and support of services. When that happens, the reputation of IT can suffer. Most companies – also not-for-profit organizations – are entirely dependent on the internet for their core businesses and the speed to innovation there is staggering. That means the ability of a business to react to market dynamics is based to a large degree on the agility and flexibility of their IT department.

Since so many organizations rely on ITIL as the foundation of their service management processes, understanding the synergies between ITIL and DevOps is essential to improving organizational performance and business outcomes. As many recent examples have shown, IT organizations that fail to confront and reconcile the widening gap between their development and operations teams stand to lose their footing in today’s competitive business environment.


To get a complete perspective of the depth of best practices that ITIL addresses, organizations should understand the key frameworks and standards that apply to ITSM. These include, for example, the following: ITIL, ISO/IEC 20000, ISO/IEC 27001, CMMI®, COBIT®, PRINCE2®, PMBOK®, M_o_R®, eSCM-SP™, eTOM® and Six Sigma™. For best-practice guidance, DevOps processes can turn to ITIL as the foundation architecture, referencing other standards and frameworks as needed to solve particular business issues.

These proven practices also can be combined with organizational-specific practices for competitive advantages and improvement of the practices themselves. ITIL, because it is a non-proprietary and non-prescriptive approach, helps with the construction of enterprise-specific frameworks. ITIL guidance enables you to modify your own processes and address the DevOps gaps based on IT service management best practices. (See Figure 1.)

ITIL describes the application management process in the service operation publication as having the following activities – requirements, design, build, deploy, operate and optimize (Figure 2). ITIL is interested in the overall management of applications within the application management function. Alignment between development and operations of the applications needs to be accomplished. Applications development should be involved in all stages of the ITIL service lifecycle at various levels of engagement. The ITIL application management lifecycle does not replace any software development lifecycle but is meant to show collaboration between application management and operation management.

It is important to remember the ITIL service lifecycle stages are dynamic. This dynamic nature can be applied for decision support. For example, although you may be focused on one stage of the lifecycle in your job function, you may have to make decisions related to another stage – such as a developer working with the release and deployment process in service transition having to make service design decisions before building the release.

The requirements stage is active during the service design stage of the lifecycle. The design stage translates requirements into specifications for the application, environment and operational model. In the build stage the application is coded or acquired and, together with the operational model, made ready for deployment. Build and deploy are a part of the release and deployment process in the service transition stage of the lifecycle. Release includes build and test; deployment includes installation and training for the application. Early life support (ELS) helps with deployment to operation success. When the service or application is in operation, value can be realized and the service can be monitored for continual improvement of optimization. The key performance indicators (KPIs) obtained, including user satisfaction, can direct further development improvements and provide a DevOps practice with factual information for development and operation coordination and collaboration.

DevOps uses agile and lean methodologies to improve or expedite solutions through development to operations stages for value realization. Agile methods depend on interactions and collaboration among people, processes and technology. The specific process areas of configuration management, change management and release and deployment are very important in an agile environment. Just as in ITIL, the process integrations help foster agility. The success of agile methods (particularly when addressing the DevOps gap), while sometimes measured by the increased volume of deliveries, is best measured by customer satisfaction, given the continual delivery of needed solutions and services.

Continual delivery of developed service solutions needs to be in synchronization with the ability of the consumer to absorb the benefit. Services that are delivered too slowly cannot meet the needs of the consumer and services delivered too fast cannot be utilized. Service solutions should also leverage the consumer’s service value chain and be continuously integrated to avoid the necessity for the creation of manual procedures where once automation existed.

A DevOps strategy that facilitates the aforementioned continual delivery and continuous integration should leverage technology that has integrated and automated application-release capabilities. This technology should provide the following major capabilities based on ITIL best practices:

  • a real-time, end-to-end, actionable view with comprehensive visibility of releases as they progress through their individual processes
  • control over environment configurations to eliminate inconsistencies, unauthorized changes and misconfigurations
  • integration of automation and human-oriented workflows 
  • diagnostics and root-cause analysis
  • seamless integration with change management to track changes during a release


This section reviews ITIL architecture and how it applies to DevOps. ITIL consists of five service lifecycle stages, and key processes described in five core publications (see Figures 3, 4 and 5):

  • service strategy
  • service design
  • service transition
  • service operation
  • continual service improvement.

Continual service improvement is integral in all other lifecycle phases; each stage of the lifecycle is dynamic and supports the other stages. ITIL focuses on utilizing people, processes, products and partners for the effective, efficient, and economic delivery and support of services. Each publication focuses on particular process areas to support the decisions that must be made within that stage of the service lifecycle. The entire service lifecycle is relevant for DevOps because it focuses on service delivery and defining the overall service relationship between the customer and supplier.


Service strategy

  • Strategy management for IT services
  • Service portfolio management
  • Financial management for IT services
  • Demand management
  • Business relationship management

Service design

  • Design coordination
  • Service catalogue management
  • Service level management
  • Availability management
  • Capacity management
  • IT service continuity management
  • Information security management
  • Supplier management

Service transition

  • Transition planning and support
  • Change management
  • Service asset and configuration management
  • Release and deployment management
  • Service validation and testing
  • Change evaluation
  • Knowledge management

Service operation

  • Event management
  • Incident management
  • Request fulfillment
  • Problem management
  • Access management

Continual service improvement

  • Seven-Step Improvement Process


The definition of service management is “a set of specialized organizational capabilities for providing value to customers in the form of services”. Services are supported by service assets, which are organizational capabilities and resources. Suppliers and customers have service assets. The relationship between the customer and the supplier is defined by how the service assets work in an exchange fashion to deliver the service. For example, a customer has an asset such as a person that needs to use a supplier IT infrastructure asset. Figure 6 illustrates that the practice of service management is simply to provide service assets to customers and to eliminate any constraints in the use of the service for maximum performance to support business outcomes. DevOps, in this case, becomes an enabler for increasing the maturity of the service management practice within a supplier’s organization by removing constraints to service delivery performance and can be thought of as an organizational strategy for this purpose.

The service structures in the value network play a key role in service management and the stages of organizational development. IT service management is actually a value network within an organization and has patterns of collaborative exchanges. This exchange of information in an agile, collaborative manner between development and operations is in line with the spirit of DevOps.

The stages of organizational development are: network, direction, delegation, coordination and collaboration – and they are related to a management style. Network organizations, for example, often have no specific structure, specific governance or defined processes. Collaborative groups, at the other end of the spectrum, have service governance and many defined processes and are highly skilled in teamwork. DevOps functions best in a collaborative structure because of the increased responsiveness to changing customer needs.

All the stages of the ITIL service lifecycle must support the service strategy. Activities, resources and capabilities needed for DevOps must support the overall business strategy. For example, if you develop any application, a DevOps approach supports service performance and the way you go to market with the services that you deliver. This helps the organization run the business better by becoming more efficient and effective with usage of service resources focused on providing value to the end consumer.

This can also help the organization grow their business in the markets that they serve or new markets because of the cost savings from the efficiencies gained which can be reinvested into new services. The key DevOps concept that supports this is the improvement in the relationship between development and operations.


ITIL positions the application management development function within operations as a function that works across the service lifecycle, collaborating with other functions throughout the process – which is very much in the spirit of DevOps. For example, in service design, this collaboration involves helping with build-or-buy decisions. If the decision is to build the solution, the service assets (including people) must work collaboratively as members of the service design team to coordinate efforts and produce a service design plan (SDP) or service requirements plan. The SDP describes application-related outcomes and the business relevance as well as the underpinning activities and capabilities needed.

The SDP can become a critical document for decision support with DevOps activities because it basically describes the scope of the developed application. Not setting user expectations of application capability can result in incidents related to non-features of the application, resulting in reactive development efforts with little or no supplier value. These requests should be treated as requests to inspire strategic thinking on the overall value of the request to customer and supplier, the appropriate cost model for financial recovery, development strategy and many other concerns for overall value creation and realization. DevOps practices enforce working in a service-oriented fashion instead of a misguided, reactive, siloed fashion; ITIL as a foundation can help with this focus.


Service transition enables a key capability needed within a DevOps environment: collaboration. The primary purpose of service transition is risk management and knowledge management. The specific process areas that enable service transition are transition planning and support, change management, knowledge management, asset and configuration management, change evaluation, service validation and testing. Service transition supports the service strategy organizational structure and development phases. Also crucial to service transition is building the appropriate service to support business outcomes. Development should ensure that any application updates delivered will provide value to the business customer and the service provider. (See the ITIL publications for more information about value creation and value realization.)

Application management works with the service transition release and deployment process areas to build, test and implement the new service and to be available for early life support (ELS), helping IT achieve expectations and reduce incidents related to the service. The overall planning and coordination of services is accomplished through transition planning and support, configuration, change, release and deployment management.

Service transition can be reactive or proactive. Reactive service transition can implement a change to prevent an immediate risk. Proactive service transition focuses more on trends and future business needs. Both are relevant in a DevOps environment. Understanding the relationship of service transition policies and processes to reactive and proactive behavior can enhance service agility and DevOps. Being proactive is helpful but usually not enough, since proactive behavior can still impact quality of service, the service experience and service relationship. Sometimes IT organizations adopt a DevOps approach because they need to improve overall customer satisfaction. IT must also ensure that the organization is service focused to mitigate service risk. The next step in maturity for an organization that adopts a DevOps approach and ITIL is to focus on service alignment.

In the service transition stage, application management and operations management meet. Service transition best practices help enable agility and, therefore, help enable DevOps as a practice. The practice of DevOps supports the organization’s overall practice of ITSM. Organizational maturity, especially as it relates to people’s roles and responsibilities in service transition, is the organizational challenge that must be met for DevOps to become a reality for improved value.


A key principle in ITIL service operations is managing stability versus responsiveness. Operations want stability; development wants to be responsive to customer needs. Business and IT requirements are constantly changing, requiring agility in producing application functionality while at the same time maintaining IT stability for application performance. ITIL’s service lifecycle approach helps organizations agree to desired changes, take advantage of the existing infrastructure and understand what it takes to deliver the changes for value realization in operations.

Service operation process areas can provide valuable input into DevOps. When events, incidents, problems, requests and system access tickets are created, as well as the key performance indicators created, these processes can give direction to further continuous service improvement for DevOps. Integration of service operation and DevOps can help improve overall customer satisfaction and service usability. Service automation of these ITIL process areas coordinated with DevOps, especially event and incident management, will help improve overall service delivery performance.

IT organizations sometimes need to transform their services and applications quickly to meet customers’ needs or risk becoming optional and having more services outsourced. Adopting a DevOps approach and ITIL service operation best practices helps organizations be more responsive to business needs without affecting operational stability, while at the same time supporting the organizational service strategy.


Every approach can always be improved to increase overall performance and business value. DevOps methodology is intended, among other things, to apply the principles of continuous delivery and continuous integration to improve the performance of application development efforts. ITIL’s seven-step improvement process (Figure 7) can help facilitate this improvement. This process, and its relationship to DevOps, are described as follows:

  • Identify the strategy for improvement.
    • A DevOps approach should support a business outcome.
    • Strategy as well as tactical and operations goals need to be understood.
  • Define what you will measure.
    • Conduct a gap analysis for achieving DevOps integration with ITSM.
    • An example key measurement in DevOps could be the following: customer satisfaction and end-user performance as related to number, quality and frequency of releases.
    • Critical success factors (CSF) and key performance indicators (KPI) must be defined for DevOps.
  • Gather the data.
    • DevOps should focus on gathering data from service transition and service operation.
  • Process the data.
    • DevOps CSF and KPI data are processed and turned into information.
  • Analyze the data.
    • Understand trends.
    • Transform information into knowledge for decision support to realize improvement.
    • Understand user and supplier perspectives.
  • Present and use the data.
    • Understand the business improvements of implementing a DevOps approach.
    • Create plan for improvement.
  • Implement improvements.
    • Implement lean and agile improvements.
    • Improve and correct the DevOps approach.

As an organization matures, its focus should be on business outcomes which are defined in the seven-step process. Adopting ITIL best practices will help organizations that are utilizing a DevOps approach become more service aligned with application releases.

The ultimate goal for application development is to take a business service management (BSM) approach. BSM simplifies and automates IT processes and prioritizes and orchestrates work according to business needs. Adopting a DevOps way of thinking helps achieve higher levels of BSM and provides greater service value.

ITIL’s balanced approach to focusing on people, processes, partners and products for efficiency and service effectiveness will help an organization create a holistic approach to DevOps. The people in the IT organization might need to change the way DevOps is adopted and provide improved maturity to the DevOps strategy. Process relationships between development and operations might need to be improved.  Partners should be considered in the overall value network. Products should support processes with improved capabilities for automation of the synergies between development and operations.

ITIL provides architecture for ITSM and includes guidance for organizational functions and roles, processes and activities within processes. ITIL also includes suggestions for technology capabilities that support processes and organizational roles. DevOps should leverage these ITIL capabilities for organizational coordination, collaboration and decision support.


Service handovers should be collaborative and more iterative in order to quickly respond to customers. IT’s efforts should be continual to support the end user’s consumption of IT in the manner that meets the end user’s expectations and provides the greatest value to the business. An environment lacking collaboration has few or no formal processes (as discussed earlier in “Service strategy” and illustrated in Figure 8). Collaboration between development and operations must exist for this to work (see Figure 9).

In most organizations, the development and operations handoff is defined in some way, but support for an ongoing, agile, two-way relationship is not defined. Failure to improve these processes can result in  incidents and problems with deployments because of product changes. The concept of early life support,  as defined by ITIL, helps bridge the capability gap between the supporting relationships of development  and operations to achieve consumer value realization. Agile methods define an ongoing collaborative relationship at the earlier stage of the handover for a quick fix or turnaround of a consumer service for value or, in ITIL terms, for overall service utility. DevOps with ITIL best practices supports agile development and consumer value.


Both ITIL and a DevOps approach are intended to support the delivery of quality services to consumers. A DevOps approach should not be implemented without reference to ITIL best practices, and maturity improvements should be coordinated and collaborative to realize value. Organizations need to understand that services are defined relationships between the customer and the supplier of the service. A mature DevOps and ITIL approach helps improve the relationship between IT and its customers. Each discipline working together helps with continual service improvement and organizational performance.

DevOps and infrastructure as code (IaC) can be supported with the asset and configuration management process in the service transition lifecycle phase. Tools such as the configuration management database (CMDB), which maps the IT infrastructure, can help influence and support DevOps application designs. The infrastructure architecture knowledge can help with DevOps decisions related to designing and implementing the most efficient, agile and effective DevOps-style release processes. This knowledge can support infrastructure as a service (IaaS) cloud development and deployment of DevOps capabilities as a service (SaaS) solution.

Service design processes should be coordinated with DevOps-oriented release management processes. This effort includes design coordination, change management, release and deployment and service validation and testing (SVT). It also includes service design and transition policies, such as the creation of service design packages (SDP) and early life support (ELS). This coordination and collaboration during service transition helps ensure value realization and an enhanced user experience and engagement for developed products or services.

Service operation processes help ensure overall support for developed solutions. Since ITIL is dynamic in its relationship with other service lifecycle stages, feedback to service transition will occur — including feedback to DevOps for continual service improvement.


ITIL and other best practices can help you increase the value of your DevOps initiatives and avoid DevOps becoming siloed within your organization. Lean methodology, the foundation of DevOps and agile development, says that increasing the delivery volume of application updates to your users is not enough. Users don’t want just a lot of updates; they want updates that are responsive to their needs and increase the value of the production application or service. Application updates should enhance the user experience, increase service utility and add value to the service provider. Organizations are adopting DevOps to improve the delivery and the delivered value of application solutions to the end consumer while lowering the organizational stresses involved in that delivery, or reducing IT friction.

ITIL establishes the best practices for IT service management that have been adopted by organizations all over the world to help improve performance focused on needed service outcomes. The combination  of the two disciplines will help you improve your service relationships and service outcomes as well as  help you provide agile service delivery.



About the Author

Anthony Orr is director in the Office of the CTO and a member of the Thought Leadership Council at BMC Software. Anthony has worked for BMC for more than 15 years in various managerial, consulting, marketing and technical positions. He is an author of the ITIL v3 2011 publication update, ITIL MALC exam book and a senior examiner with responsibilities for the ITIL v3 certification examinations. Anthony is currently a board member of itSMF Houston Local Interest Group (LIG). He participates regularly as a speaker and expert panel member for itSMF events globally. Anthony has more than 30  years of IT experience and has held various roles in other companies prior to joining BMC including roles in development and operations. In his roles, he has been responsible for strategy, architecture, implementation and management of numerous service management disciplines and processes. Anthony is a frequent speaker on best practices at industry events and BMC customer forums. He has authored numerous white papers, pamphlets, podcasts, videos and blog posts on service management topics.

About BMC

BMC helps leading companies around the world put technology at the forefront of meaningful business change, improving the delivery and consumption of digital services. From mainframe to cloud to mobile,  BMC delivers innovative IT management solutions that have enabled more than 20,000 customers  to leverage complex technology into extraordinary business performance—increasing their agility and  exceeding their expectations.

Today, flawless interconnected digital experiences will define business relevancy and success. BMC is  committed to helping companies explore and profit from the New IT, a vanguard operating model that responds to complex business and customer needs with digital transformation, combining traditional technology with groundbreaking capabilities.


AXELOS are a joint venture company, created by the Cabinet Office on behalf of Her Majesty’s Government in the United Kingdom and Capita plc to run the global best practice portfolio, including the ITIL and PRINCE2® professional standards.

The goals of AXELOS are many and varied, each one aimed at helping businesses and individuals reach success, empowering them to truly stand out in a competitive market.

  • We continually promote and advocate quality training.
  • We strive to encourage growth, development and progress.
  • We always look for innovative new solutions to improve best practice standards and processes across the board.

The result is improved skills that are relevant to the industry as a whole, and enhanced employability for all, benefiting the global economy. The benefit to you and your business in particular: better trained employees, streamlined operations, and the peace of mind of knowing that you are working with an industry-leading organization, which provides products and services with a long-standing reputation for setting the industry benchmark.


Our White Paper series should not be taken as constituting advice of any sort and no liability is accepted for any loss resulting from use of or reliance on its content. While every effort is made to ensure the accuracy and reliability of the information, AXELOS cannot accept responsibility for errors, omissions or inaccuracies. Content, diagrams, logos, and jackets are correct at time of going to press but may be subject to change without notice.



Orr, A. (2014, August 14). Maximize the synergies between ITIL® and DevOps. Retrieved November 3, 2014, from

PH greenhouse emissions growing

Philippine Daily Inquirer
3:31 PM | Friday, April 11th, 2014

MANILA, Philippines—The contribution of the Philippines to global warming is only a drop in the bucket of the world’s total greenhouse gas (GHG) emissions, but that drop may get bigger in the future.

“Though it currently contributes less than 0.35 percent of global GHG emissions, its share will spike due to economic and population growth coupled with rapid urbanization,” the World Wide Fund for Nature (WWF)-Philippines said on Friday.

WWF-Philippines Project Manager Philline Donggay said this is why it is important for developing nations like the Philippines to begin serious steps toward climate mitigation and adoption of renewable energy to sustain its needs.

“Climate change mitigation reducing country emissions is critical because Asian economies are in full swing,” Donggay said in a news release.

Asia is the world’s fastest growing economic region and the largest continental economy by gross domestic product. Globally, six in ten people live in Asia, according to WWF-Philippines.

In the same release, WWF-Philippines announced its Building Momentum for Low Carbon Development project, which presents plans to synergize national development objectives with climate change mitigation strategies.

The project presents a path for the Philippines to transition from a fossil-fuel dependent economy to one that uses 100 percent renewable energy (RE) by 2050, the environmental organization said.

WWF-Philippines recommended increasing investments in both RE and energy efficiency (EE), while eliminating the country’s dependence on imported fossil fuels like coal and oil.

The Philippines is a fossil fuel-poor country and is vulnerable to the volatility of international fossil fuel prices, it noted.

“We have one of the highest power rates in Asia, mostly because of inefficiencies in the power sector and our reliance on imported fossil fuels,” WWF-Philippines Climate and Energy Programme Head Angela Ibay said.

“With coal and oil prices rising from increased demand, we will pay even more in the coming years – unless we invest in indigenous Renewable Energy now,” she added.

WWF-Philippines said Earth has already heated up by about 1 degree Celsius in the last two centuries, with an expected jump of 0.8 degree from atmospheric heat stored by the oceans.

“Beyond 4 degrees, up to 30 percent of all known plant and animal species will die — and intense storms, droughts and other climate effects will become nearly unmanageable for less-developed nations,” it said.

Today, the three largest emitters of greenhouse gases are energy generation, transportation and agriculture, WWF-Philippines said.
