Microsoft tools can be very effective in task management provided the right tools are used for the right purpose. Here, i will be taking you through a few of the most used tools for task management.

Microsoft Outlook

Microsoft Outlook is mainly an email application that allows you to send and receive emails. In addition to emails, it combines calendar, contacts, and tasks in one place.

If there are a few email tasks and work items to be handled, then Outlook can be used for task management using the tasks option. Outlooks tasks directly integrate with Outlook email, allowing you to create tasks from emails. In case of Outlook 365 you can access the Tasks option from the sidebar under the More Apps as shown in the figure below.

Once the tasks option is selected, you will be at the next screen wherein you will see the list of all your tasks that is created by you or shared with you.

Microsoft Calendar

As the number of email tasks, work items increase, the Outlook Tasks App might not be the right tool since the visibility on the progress of tasks might be time consuming to ascertain. This is where the MS Calendar comes handy. Navigate to the Calendar option from the sidebar. In this screen, access the Home > Task option to create a new task.

If you are creating a task from an email, just drag and drop the email on to the calendar icon in the side bar. In the next screen you can set the start, end date and time for the email task.

Microsoft ToDo

In case of Outlook 365, the Microsoft ToDo is integrated with Outlook. Click on the ToDo icon in the sidebar to open the MS ToDo app as shown in the figure below.

Use the “My Day” feature to focus on tasks you want to complete today. ToDo is great for quick task entry and managing personal ToDos. You can create separate lists of tasks for different projects and share them with others for collaborative task management. Since this tool syncs with Outlook tasks, all the Outlook tasks will appear in MS ToDo and viceversa.

Microsoft Planner

At present, there is no integration of Planner with Outlook 365, but you can find this integrated with Microsoft Teams. From the sidebar on MS Teams, click on the Planner icon to open the app as shown in the figure below.

This tool is a combination of MS ToDo and Planner combined into one. At its core, Microsoft Planner is a task management application. You can easily create to-do lists, checklists and projects. The Kanban, charts and calendar views are intuitive for anyone to use and give a clear view of the tasks at hand. Although the features are fewer than other project management tools, they are effective for simple projects.

MS Planner is easy to use, so you won’t have much of a learning curve even if your team hasn’t used Kanban boards before. Kanban boards visually depict work at various stages of a process using cards to represent work items and columns to represent each stage of the process.

The above Microsoft tools if used efficiently can help transform Task Management , thus improving your productivity.

Further Reading :

• Navigating Jira : From Basics to Advanced
• Useful Tools for IT Professionals
• Few More Useful Tools for IT Professionals
• Useful Microsoft Outlook Tips & Tricks
• Useful Microsoft Teams Tips & Tricks

Slash Commands

In the Teams app search box area, you can type in commands preceded by a slash character. This will be helpful to quickly navigate the various options on Teams like changing the status, chatting with a specific person, checking all the @mentions to you etc. You can input the command, irrespective of the tab that you are in on the side bar. Some of the frequently used commands are as follows.

• Status commands : /available, /busy, /dnd, /brb, /away, /offline
• Check all your @mentions : /mentions
• Check all your bookmarked messages : /saved
• Chat with a specific person : /chat <person> <message>
• Jump to a Team/Channel : /goto <Team/Channel>

Captions, Transcription & Recording

Some people prefer to have subtitles or captions during meetings. MS Teams has this feature that when enabled, captions will be visible to the person who activates it. Once in a meeting as the organizer or as an attendee, navigate to the ellipsis icon(…) and click on “Turn on live captions” option to enable the captions.

The point to note here is that the captions setting done above will not save the captions for further reference after the meeting. This is where the transcription feature helps. Once the “Start transcription” option is selected under the ellipsis icon, the live transcription starts and the whole meeting will be saved as a file that can be used for later reference or sharing after the meeting . The point to note here is that only the organizer or the presenters within the same organization can start the transcription. Once the transcription is started, it will be visible to all the attendees as well.

The next option is helpful if you want to save the whole meeting session in the form of a video. The recording can be done only by the organizer or presenters of the meeting. Just select the “Start recording” option under the ellipsis icon to record the meeting. Once the meeting is complete, the recorded file will be accessible to all the attendees in the meeting chat.

Mute/Unmute

This section is about the mute or unmute settings available in teams meeting. Once you join a meeting as an organizer or as a presenter you have the permission to mute or unmute others in the meeting. An organizer can make the “Who can present?” setting under “meeting options” before the start of the meeting so that specific people can be set as presenters. However, with this setting, though the non-presenters or attendees cannot mute/unmute others but can unmute themselves. If you are in a meeting with disturbing background noise of attendees, you can make appropriate setting that will not let the attendees unmute themselves. This is available as “Allow mic for attendees” option under “meeting options”.

Collaborate & Share

Microsoft Teams provides an interactive whiteboard in the form of Microsoft Whiteboard app that can be used to brainstorm, share ideas and collaborate in an organization. On Teams channel or group, click on the add a tab(+) icon, search for the Whiteboard app and add the new Whiteboard tab so that the whole team/channel can access it. The collaborate feature can also be made use of during remote meetings. Once you start a meeting, navigate to the share tray and select the “Microsoft Whiteboard” option. In the next window you need to select either the present or collaborate option to start using the app based on your needs.

Bookmark

The option to bookmark a chat post publicly or privately is available on Teams. In order to bookmark an item from a conversation, hover over the post, then click on the more option ellipsis on the right side of the emoji bar. Click “Save this message” or “Pin” . If you select the “Save this message” option, the message will be bookmarked privately to you that can later be accessed by navigating to your profile icon at the top right and clicking on the “Saved” option. You can remove the bookmark by clicking on the “Unsave this message” option on the bookmarked post.

The other way to bookmark is to click on the “Pin” option. Any chat participant can pin a message to the top of the chat or unpin the pinned message if they don’t like it. There’s no way to lock a pinned chat to stop someone else deciding that it’s not so important and unpin the message. Even channel conversations support pinning.

Other useful features include the Task Management using Tasks by Planner and To Do app, Polling using Microsoft Forms app, Immersive reader, Channel notifications on/off, Dark Mode etc.

Further Reading :

• Minimalism : The COVID-19 lockdown takeaways for work and life
• Microsoft Forms : Getting Started Guide
• Useful Microsoft Outlook Tips & Tricks
• OneNote : Basic to Advanced Guide
• Data Analysis using Excel

The author of this book, David Allen has been called as one of the world’s most influential thinkers on productivity. The personal productivity system, Getting Things Done (GTD) was developed by him and published in this book. The GTD method rests on the idea of moving all items of interest, relevant information, issues, tasks and projects out of one’s mind by recording them externally and then breaking them into actionable work items with known time limits. This avoids recalling each task intuitively that may result in missing out on certain things.

The book starts off with the problem, i.e., most of the people have too much to handle and not enough time to get it all done. These people are to some degree frustrated and perplexed about how to improve the situation. Neither our standard education, nor the traditional time management models, nor the plethora of organizing tools available has given us a viable means of meeting the new demand for speed, complexity, and changing priority. There is a great need for new methods, technologies, and work habits to help us get on top of our world. When you feel out of control, stressed out, unfocused, bored and stuck, the methodology of GTD will show you how to get back to “mind like water”, with all your resources and faculties functioning at the maximum level.

In the next chapter, the author explains about the core process or five stage method for managing workflow. No matter what the setting, there are five discrete stages that we go through as we deal with our work. In this management of horizontal aspect of our lives, we incorporate everything that has our attention at any time.

Collect things that command Your attention

It is important to know what needs to be collected and how to collect it most effectively so you can process it appropriately. You must be sure that at some point in the near future you will process and review all of it. There are several types of tools that you can use to collect the open loops or incompletes. Tools that can serve as in-basket are the physical ones like the trays that can collect the paper based materials, note taking devices like the paper writing pads, electronic note taking devices like the PDAs, Voice recording devices, Email application. These collection tools should become part of your life style so that you can collect your thought anytime & anywhere.

Process what they mean and what to do about them

The most important question to ask here is what’s the next action? This is the critical question for anything you have collected. If you answer it appropriately, you will have the key substantive thing to organize. The “next action” is the next physical visible activity that you need to engaged in, in order to move the current reality towards completion.

Organize the results

For nonactionable items, the possible categories are trash, incubation tools and reference storage. If no action is needed on something, you toss it, reassess it later, or file it so you can find the topic that you need to refer to at a later time. However for actionable things, you will need a list of projects, storage or files for project plans and materials, a calendar, a list of reminders of next actions, and a list of reminders of things you are waiting for.

Review the result as options for what we choose to do

Its one thing to write down a task and another to actually execute it. You need to be able to review the whole picture of your life and work at appropriate intervals and appropriate levels. After checking your calendar, it is good to turn to “Next actions” list. If you have organized the list by context, they will come into play only when those contexts are available. Everything that might potentially require action must be reviewed on a frequent enough basis to keep your mind from taking back the job of remembering and reminding.

Perform the action

The basic purpose of this workflow management process is to facilitate good choices about what you are doing at any point in time. If you have collected, processed, organized and reviewed all your current commitments, you can galvanize your intuitive judgement with some intelligent and practical thinking about your work and life.

A functional workspace is critical. Be it office or home, everyone must have a dedicated workspace and in-basket to start with. This serves as a physical locus of control from which to deal with everything else. It is imperative that you have your own work space, or at least your own in basket and a physical place in which to process paper. Some of the basic processing tools that you will need are paper holding trays, paper, pen or pencil, post-it, paper clips, binder clips, a stapler & staples, scotch tape, rubber bands, an auto labeler, file folders, a calendar, wastebasket.

The author suggests everyone to maintain their own personal, at hand filing system. The following are the guidelines as suggested by the author to make your filing effective.

• Keep your general reference files at hand’s reach
• One Alpha Filing system – Ex: Manila folder system with A-Z and nothing else
• Have lots of fresh folders to process the in-basket
• Keep the drawer less than three quarters full always
• Label your file folders with an Auto Labeler
• Get high-quality mechanics file cabinet
• Purge your files at least once a year

In the subsequent chapters, the author goes into the detail of each of the core process starting with collection or getting all your incompletes into one place ,i.e., your in-basket. The first activity is to search your physical environment for anything that doesn’t belong where it is, the way it is and put it into your in-basket. Start your activity with your desk at home/office, drawers, inside the cabinets, floor, walls, furniture etc. Once you have collected all the physical things, you will want to collect anything else that may be residing in your mind that has your attention. In this instance, go for the quantity instead of quality so as to avoid missing out on anything. Often you may just need a walk to unearth something lurking in a corner of your mind. Remember, when something occurs to you, write it on a piece of paper or pad and toss it into your in-basket.

The next chapter is about the processing or the review part. When you have finished processing the in-basket you will have trashed what you don’t need, completed any less than 2minute actions, handed off to others anything that can be delegated, set reminders of actions that require more than 2minutes, identified any larger commitments. The key processing question that needs to be asked when processing each item in the in-basket is “What’s the next action?”. If there is a next action it, that may be either to do it, delegate it or defer it. In case of no actions required for the items, the categories that they fall into will be either trash, incubate or reference.

In the next chapter on organizing, the author writes about the primary types of things that everyone needs to track and manage from an organizational perspective.

• A Project list
• Project support material
• Calendarized actions and information
• “Next Actions” list
• A “Waiting For” list
• Reference material
• A “Someday/Maybe” list

The above categories must be visually, physically and psychologically separate. If the above categories begin to blend, much of the value of organizing will be lost. The best way as per the author to be reminded of an “as soon as I can” action is by the particular context required for that action ,i.e., either the tool or the location or the person needed to complete it. Like the reminders of actions, you need to set reminders of all the things that you are waiting to get back from or get done by others have to be sorted out too. In this case, “Waiting For” list is the best to use, similar to the “Next actions” reminder list. As per the author, your calendar can be a very handy place to park reminders like the triggers for activating projects, events you might want to participate in, decision catalysts. The timely reminder from outlook calendar will make it sure that you remember your tasks on time.

In the next chapter about review, the author says that if everything is completely collected, processed and organized you will take only a few brief moment to access your system for day to day reminders. Your most frequent review will probably be your daily calendar followed by the list of all the actions you could possibly do in the current context. As per the author, the magic key to sustainability of the whole process is the weekly review. Weekly review is simply whatever you need to do to get your head empty again. It builds in some capturing, reevaluation and reprocessing time to keep you in balance.

When you start to perform any action, the choices can be made based on the criterion of context, time available, energy available and priority.

There is much more to these simple techniques and models than may appear at first glance. Indeed, they offer a systematic method to keep your mind distraction free, ensuring a high level of efficiency and effectiveness in your work. Getting things done, and feeling good about it, means being willing to recognize, acknowledge, and appropriately manage the things that have your consciousness engaged. The author says that your life and work are made up of outcomes and actions. When your operational behavior is grooved to organize everything that comes your way, at all levels, a deep alignment occurs and wondrous things emerge. This results in you becoming highly productive.

Further Reading :

• Useful Tools for IT Professionals
• Useful Microsoft Outlook Tips & Tricks
• OneNote : Basic to Advanced Guide
• Minimalism : The COVID-19 lockdown takeaways for work and life
• Rules to Live By to Thrive at Life/Work

Company Internal Documents

In the corporate world, documentation is very important. The internal documents are intended for use within a company for communication or information exchange. This should result in improving the efficiency of work, implementing new ideas etc. In the following section let us try to understand the various types of internal documents and the purpose of each.

Hierarchical

The following documents follow a top-down or bottom-up flow within an organization.

日報・週報・月報（Daily & Weekly & Monthly Report ）

A daily report is typically a document prepared by each of the team member / team lead to submit to their supervisors. A standard report contains details on how they spent their work day, including any achievements or challenges that they encountered. It gives information about the work an individual / a team has done for the day and how it contributes to a team’s or company’s overall accomplishments.

A weekly report outlines the main points of the week’s projects and tasks, including team and individual accomplishments, completed projects and future work overviews. It is a great way to monitor employee performance and ensure that projects stay on track.

A monthly report provides a summary of all the activities that have occurred and are in progress on a project during a given month. Project Managers use monthly reports to inform the client / the higher management about scope creep, risks to the schedule, budget, or resources, and other issues.

届出書・申請書（Notification Form）

This form is used to report to the company about your current status. Also this can be an application that you submit to your company for approval. This form will be helpful to the company (concerned department) for a smooth execution of the necessary processes. Usually a standard format in word or excel will be provided by the company that needs to be filled and submitted. Some of the frequently used forms are change of address form, commutation expense reimbursement form, certification expense reimbursement form etc.

顛末書（A Circumstantial Report）

In case of an incident or trouble at work, a written statement needs to be submitted that explains the status of the trouble or the cause of occurrence. Also the mitigation steps need to be mentioned before submitting the report to the supervisor.

辞令（Appointment Notice）

This notification is issued by the HR department to an employee, based on the instruction from higher management in case of transfer, promotion etc. This is different from the everyday work instruction sent by an incharge to the team. This document contains changes to employee information like location, wages, position, job profile etc.

通達（Official Notice）

This is usually a notification mail or document sent by the person incharge to a team or all the employees w.r.t matters relating to work or any specific instruction. Some of the official notice examples are change in work timings, new year holiday calendar etc.

Non Hierarchical

The following documents are mostly used between the subordinates, between the concerned members or used by an individual to improve work efficiency.

管理台帳（Management Register）

This is a record to precisely manage the various office equipment, office supplies, IT (software & hardware) etc. Some of the frequently used records are the inventory management record, asset management record, change management record etc. Usually, this is used by multiple people with shared usage permissions while performing a task. Mostly, Excel tool or online database is used for this purpose rather than a sheet of paper.

一覧表・名簿（List & List of names）

Literally ichiranhyō means a chart or a table. This term is frequently used to refer to any list that you prepare at work including names. However meibo refers to a list or directory of people only.

手順書（Procedure Manual）

This document tells us about the steps to be followed to execute a process or task. Anyone who goes through this document should be ready to execute the actions instantly. This document will be helpful while executing a task, when the task is being assigned to another person, while training a new employee, in case any improvements are to be made to a process.

予定表・スケジュール表（Schedule）

This refers to timetable or calendar that lists events and times at which they take place. Some of the frequently used ones are the Outlook calendar, work/shift schedule, task schedule etc.

議事録（Record of Proceedings）

This is also known as minutes of a meeting that provides instant written record of a meeting or hearing. Minutes may include agenda, date & time, place, list of attendees, outline, issues & responses, comments.

チェックリスト（Checklist）

A checklist helps to reduce mistakes by compensating for potential limits of human memory and attention. It aids to ensure consistency and completeness in carrying out a task. A simple example is a To-Do list that can be used at workplace to enlist the tasks to be carried out in a day/week, enlist the steps to be carried out in order to execute a task successfully.

伝言メモ（Message Memo）

A message memo is used frequently when the concerned incharge is absent. On behalf of the incharge, necessary information is taken note of inorder to convey when the concerned person gets back.

Company External Document

These documents are either business related or invitation/notification issued to clients. Among other types there are etiquette and legal documents as well. Hence these documents need to be polite and should be carefully written.

Business Related

見積書（Quotation）

This document is submitted during the bidding process and will contain details like the price, conditions etc.

請求書（Invoice）

An invoice is a simple document with a list of all products, price descriptions, tax breakups that establishes an obligation on the buyer/client to pay the seller for the purchased goods or services.

注文書（Purchase Order）

A purchase order is an official document that buyers/customers send to sellers to document the sale of products and services to be delivered at a later date.

Invitation/Notification

案内状（Invitation Letter）

This is a document to invite the customers to an event that is to be held at your company.

通知状（Notification）

This document is used to notify a candidate about the acceptance or rejection of candidature or used for communicating any administration related information.

Socializing

挨拶状（Greeting Card）

This is sent to convey good wishes to the customer. Usually, greetings are sent to the customers during the new year, summer time, new business unit opening, transfer etc., This is used within a company to greet each other as well.

礼状（Letter of Thanks）

This is sent to customers or to any superior at your company from whom you have received a favor.

Legal

契約書（Agreement）

A negotiated and typically legally binding arrangement between parties as to a course of action.

Further Reading :

• Important documents information for those employed in Japan
• Japanese Work Culture
• Good to know rules for those employed in Japan
• Japanese Workplace Etiquette
• A View of Japan Business Environment

Structure

For this blog post i have taken the OneNote for Windows 10 as reference. In the android or Mac versions of OneNote few of the features may not be available. OneNote is comprised of three main hierarchical levels: notebooks, sections, and pages. Notebooks are the main files for OneNote that hold all pieces inside. Sections are the dividers in the notebooks and the next levels in the hierarchy. Pages are within each section as the notes, lists, and planners.

Multiple notebooks can be created for different purpose with the above structure. Each notebook can have a section group that can hold multiple sections. Each section can hold single or multiple pages based on your requirement.

In the above picture, kumar’s Notebook contains three sections, namely, Quick Notes, Blogs and Personal. The Quick Notes section contains three pages, namely, Title A, Title B and Title C.

Features

There are a lot of useful features in OneNote that can be made use of based on your need. I have highlighted a few of the features that i found to be useful as follows.

Note Taking

Notes can be taken in various forms ,i.e., as text, image, audio and video. The below picture provides an example of the various note taking formats available. The text can be directly entered at any point randomly inside the page. I have not come across any such application till now except for the MS Excel spreadsheet. You can attach files at any point in the page either as an attachment, as a link of the file uploaded to OneDrive or as an inline printout of the contents of the file. The inline printout of the contents can be set as background to the page for marking or note taking.

Other note taking options include inserting an image through the Pictures option under Insert. You can insert pictures directly from the phone camera, scanner(MS Lens), file or online. Even own audio can be recorded using the Audio option. Links of other pages online or other notebooks can also be used using the Link option. You can use the Online Video option to provide a video link that enables video viewing directly from the page. Office Dictation option under Home menu provides voice to text functionality that can be utilized based on your need.

Organize Notes

Once you start taking notes, various features like checklist, tags, bullets, fonts/font sizes, tables, stickers, indentation etc. will be really helpful to organize notes. The below picture depicts a few of the major features.

The checklist icon, bullets, indentation, font size/font change, strikethrough, Tags – Important/star, Question mark, Remember for later are available under the Home menu. Table, Stickers option are available under the Insert option. Use the Show Search option at the left to search for any tags used in any Notebook.

Password Protection

OneNote provide an easy way to secure confidential data. You can apply passwords to any number of sections within a notebook. The 128-bit AES encryption is used to secure password-protected notebook sections. Due to the high level of encryption, no one will be able to unlock your notes for you if you forget your password. To keep your notes secure, OneNote automatically locks password-protected sections after a few minutes of inactivity.

Right click on any section to set the password. Once you set the password, a lock mark appears next to the section name. Check the above picture on how to access the add password option.

Integration with Office Suite

You can automatically save emails to OneNote under the sections as a page by sending a mail to me@onenote.com . However, in order to use the facility you need to register at the following link using the button “Set up email to OneNote”.

https://www.onenote.com/emailtoonenote

Once you enter the login credentials, the following page appears. Confirm your email id and specify the location in your OneNote to save the mails and you are done. The point to note here is either your Microsoft email id or any non-Microsoft email id can be setup.

Another useful feature is that once you login to the web version of outlook, you can find the OneNote feed at the top right of the screen. You can use the feed to take notes or refer to an earlier note while checking mails.

One more useful feature is to connect Outlook to OneNote for taking meeting minutes. Just login with your work email account by clicking the Meeting Details option under the Insert menu on OneNote. Once logged in all the meetings for any particular selected date will show up. Select any meeting that you plan to attend and start taking notes instantly.

Misc.

• Immersive Reader : This feature is helpful when you want OneNote to read out the text entered in a page. Just open the page that you want OneNote to read out, navigate to View > Immersive Reader and click on play button at the bottom of the screen to start the reader. You can adjust voice using the voice setting option.
• Translate : This is another useful feature to translate selected text or the whole page to an available local language or international language. Select a text in a page or a page, navigate to View > Translate and select the option Selection/Page to start the translation.
• Send to OneNote : When you print any document on a OneNote installed PC, an additional printer “OneNote for Windows10” will show up under the select printer section. Using this printer you can print directly to your selected section on OneNote.
• Delete Notebook : If you want to delete any Notebook on OneNote, the Close this Notebook option will only move the Notebook under the More Notebooks area. Delete the notebook directly on OneDrive to delete it completely.
• Sync & Share : When you use OneNote on multiple devices the Sync option helps to synchronize a single notebook/all notebooks with the latest updates if any. You can use the Share option available on the top right of the OneNote window to share a notebook with anyone using their email address.

Further Reading :

• Useful Tools for IT Professionals
• Useful Microsoft Outlook Tips & Tricks
• Data Analysis using Excel
• Understanding Google Sheets Basics
• Minimalism : The COVID-19 lockdown takeaways for work and life

Business manner is the basic necessity in-order to work smoothly in a society or a workplace environment. So if the foundation of business manner is strong, trust with others can be built easily leading to a good workplace environment. If a person is highly skilled it doesn’t mean that he/she will be assigned a job or project immediately, only after the foundation of trust is built he will be assigned a proper job. The trust factor here comes from a proper display of business manner which is based on the human skills like pro-activeness, judgemental power and expressiveness. The main thing expected out of a person in the business world is maintaining good people relations which is dependent upon the expressiveness of the person ,i.e, proper judgement of situations and proactively reacting to it.

So, in Japan a person who has gained the trust and has sufficient skill set will be called a true professional or a capable business man.

Important requirements for a working professional

Relationship

Good relationships start with good people skills,i.e, how well you collaborate, communicate and deal with conflict.
There are several characteristics that make up good, healthy working relationship:

・Trust
This is the foundation of every good relationship. When you trust your team and colleagues, you form a powerful bond that helps you to work and communicate more effectively. If you trust the people you work with, you can be open and honest in your thoughts and actions, and you don’t have to waste time and energy “watching your back.”

・Mutual Respect
When you respect the people who you work with, you value their input and ideas, and they value yours. Working together, you can develop solutions based on your collective insight, wisdom and creativity.

・Mindfulness
This means taking responsibility for your words and actions. Those who are mindful are careful and attend to what they say, and they don’t let their own negative emotions impact the people around them.

・Open Communication
We communicate all day, whether we’re sending emails and IMs, or meeting face to face. The better and more effectively you communicate with those around you, the richer your relationships will be. All good relationships depend on open, honest communication.

Understanding Business manner is about knowing the ‘activity model’ of social ethics or people relationship. Here, one needs to identify the morals and associated people relations with one’s heart. It is most important to connect the heart with human relationships which forms the core of business manner understanding. The word heart refers to concern and consideration.

Find below a couple of examples related to right attitude w.r.t human relationship and applying heart w.r.t human relationship:

1) No matter how close a person is to his colleague or senior at workplace, he needs to behave with the basic workplace etiquette in mind.
2) A newly appointed manager regarding whom there is negative feedback from various sources, should not be dealt with based one others feedback but with one’s viewpoint.

Manner

This is one of the basics of good business manner. To be considerate and have concern towards your subordinates and superiors. When this thoughtful behavior reverberates in your coworker’s heart it leads to smooth interactions and a pleasant working environment.Also the considerate nature always reflects in one’s bowing posture,business card exchange or in other behavioral attitude towards a client. So we can conclude that, when considerate nature reflects in a form or posture we have business manner put into practice.

Find below few examples of various instances which can be referred to as basic skills or core values of business manners in Japan:

・Greeting Manners

• Greeting everyone with a loud voice in the mornings when one enters the office.
• When leaving office in the evening one needs to wish the senior who is still working.

・Posture Manners
The three basic postures are shown in the figure below:

1. Eshaku – The body is bent 15 degrees in this posture and used to greet a subordinate or senior in the office in the morning and evening. Also can be 　a used as a casual way of greeting anyone at office in a day.
2. Keirei – The best situation to use this posture of bending the body 30 degrees is after introducing ourselves during customer visits.
3. Sai-keirei – The best case of using this posture of bending the body 45 degrees is while seeing off the customers which expresses gratitude.

・Manners when going out on a client Visit

• The appointment date and time should be prioritized as per client need.
• When client enters the meeting room, one needs to getup from one’s seat and greet. Later on introduce self(in case of first meeting) and hand over   the business card followed by the Keirei posture.In case of receiving the business card as well the same flow should be followed ending with the Sai-keirei posture which shows deep gratitude towards the client.

・Manners when client visits us

• In case of guiding client inside an elevator, one needs to enter first and press the open button and destination floor button and guide the client inside. However in cases wherein there are people already inside the elevator, one needs to hold the door with one hand and guide the client inside first and later enter. While getting off the elevator one needs to press the open button and guide the client outside first and later move out of the elevator.
• It is a good practice to knock the door of meeting room before entering. Also in case of door which opens on the inside of the room one needs to enter first and invite the clients inside. However in case of door which opens outside, one needs to hold the door and show the client inside first and later enter the room.

・Seating Manners
Seating manners are also too important in Japanese business. Refer to the various instances as displayed in the below figure.

The Senior most person will be given the seat farthest from the door in a meeting room while the junior most will be seated near to the door. In case of a taxi, senior most employee will be given the seat behind the driver while the junior most employee will be seated on the passenger seat next to the driver. In a train or aeroplane, senior most person will be given the seat next to the window in the direction of motion. Finally the position in a elevator will be behind the junior most person who will operate the panel. The 1,2,3,4,5 numbers in the below picture refer to the employees from the senior most to the junior most position in the order.

Communication style

All good relationships are dependent on how much we respect the other person’s thinking or values and his position. This considerate nature is the starting step in building a satisfactory communication.Lets get to know more about the considerate nature communication style used to connect with people.

Understanding the connection between communication style and relationships

“To make or mar depends on the telling” is the translation of a famous Japanese proverb. This simply means that, people may or may not get offended by the way you speak and mentioning “i didn’t mean that” might be too late to say once one is offended. However, if one is considerate and gentle towards others feelings even the unsaid things can be understood leading to a communication style which touches the other person’s heart. This considerate nature improves people relationships resulting in strong bonds and high efficiency within teams at workplace.

• Points to be taken care of when listening to others
  1) Make agreeable responses in order to make the person feel at ease
  2) Look the person in eye while making the agreeable response
  3) Listen to the person till the end of his conversation without interrupting
• Points to be taken care of when talking to others
  1) Use respectful words as much as possible even while speaking to a colleague or coworker
  2) When asked about a topic which one is not well versed about, avoid creating false impressions and convey your true knowledge
  3) Do not deny a person’s opinion outright.

Knowledge of the basic Keigo/ Honorifics

Keigo is the verbal expression of one’s respect towards the other person’s position or standpoint. We can say that keigo is the basic human skill required because incase our respect towards a person doesn’t match in words there is an imbalance which needs to be addressed to with high priority. There are some rules to use the Keigo which we will learn in this section.

Keigo consists of following types, which uses different expressions for different situations;

1. Honorific language (Sonkeigo)
   Sonkeigo, or the respectful form, is used to show respect to someone of higher position. This can be somebody in the same company of higher rank or a client for example.
2. Humble language (Kenjougo)
   When referring to him or herself in business, the Japanese will use a form called Kenjougo.The form essentially tries to show respect by deliberately referring to oneself lower than the listener (who typically are of higher rank or position).
3. Polite language (Teineigo)
   Teineigo is perhaps the easiest and the most commonly used by everybody (including native Japanese speakers). This is because the Teineigo is usually the first form of Keigo that is taught to students learning the Japanese language.

Below picture gives a pictorial representation of the above forms;

Refer below the Keigo list of various verbs;

Basic knowledge of situation based communication style

A true professional or a capable business person chooses different communication style for situations like reporting or explanation, requests, trouble resolution etc. The main motive here is the same as point number one above ,i.e, relating communication style to relationships. Planning of communication techniques based on positive response from the audience in-order to develop good relationships.

・Reporting
The purpose of reporting is to provide information. There are various types here like business reporting, management reporting, office reporting etc. The basic idea in all the reporting types is to communicate the information as it is in a simple and understandable way. The main point here is to start from the conclusion or summary and elaborate on that thereby giving priority to the superior’s time. This is the true quality of a considerate business person.

・Explanation
The purpose of explanation is to make the audience understand your point. Instances like explanation of new features of a product to the customer, explaining one’s point of view in a meeting, explaining the work procedure to one’s team etc are a few cases which requires explanation from a business perspective. The important thing here is to use simple words and be specific so that the other party can understand your viewpoint easily.

・Requesting
Where every one in the team is involved in their routine work, in addition to that if we need cooperation from the team on another task at hand we need to make a request. The way to request is, first ask about the status of the current work and express one’s understanding regarding the same.On top of that explain about the new task on hand and check the team’s co-operation on get involved.So the gist is to first understand the other person’s current status and get a frank reply regarding cooperation on the new task at hand. This is the way to make a request in-order for the other party to get involved wholeheartedly.

・Grievance Redressal
Whenever there are claims or complaints from the clients, first thing is to accept it and take the responsibility. The next important thing is to rebuild the confidence of one’s organization by wiping off the distrust factor. This is the main purpose behind grievance redressal. In most of the cases whenever there is a complaint we can see people replying as “not a problem with our product” or put the blame on handling the product etc. Here the first thing is to apologize followed by expression of gratitude towards instructions from the customer. By this way of communication we are trying to rebuild the confidence of customer w.r.t our company.

Socializing activities

Of the many socializing activities of a business person in Japan greeting colleagues and customers during end and start of the year, wining and dining with the customers, sending gifts to seniors to express gratitude, thanking a person who was of help are some of the instances during which consideration towards the other person are expressed.

The socializing activities mentioned here are w.r.t to work or business. Hence the person representing the company will be required to show a dignified behavior or business manner. The polite greeting towards the end or start of the year, hospitality shown through corporate entertainment, the gratitude shown by sending summer gifts(chuugen) or winter gifts(seibo) to seniors, the words of concern expressed during visit to a sick coworker or client are all dignified ways of showing one’s heartfelt considerate nature.

Other necessary skills

Information handling

Information gathering, organizing and communicating form the main components of business information cycle. Information here comprises of vital data which may be used for business related activities. The motto of information handling is to have fast access to precise information.

Though clients are the main source of information, we have occasions like business get together parties and pan-industry social events wherein important information can be gathered w.r.t to new business etc. The business manner to be displayed here is to listen patiently to the person providing information in-order to extract the precise information which we want.

The main intention behind organizing information is easy and quick access when needed. Information like business cards, sales or development documents etc are vital data relating to business, when handled properly is a proof that one is seriously involved in one’s work. Also the information managed by us should not be limited to us but must be actively utilized by all concerned in-order to maximize the gains. So organizing of information is vital.

Communicating the actual information in a proper way is of prime importance. The information provided here should be of value to the customer as well. Hence the routine gathering and organizing of information is vital to sharing the needed information to the customer. Also the information limited to us will be of little value when compared to information shared within the team thereby increasing the efficiency of the team. Information like business related documents, problem points etc can be of real help to anyone in the team.

Document management

It is common at workplace to communicate information in writing when the same can be done through a call like an order or notice. The reason behind this can be thought of as to keep a record of transactions, to communicate the point precisely, to communicate the information to multiple people at a time etc.

Communication in writing,i.e, documentation can be broadly divided into internal and external documents.The internal documentation or the document circulated within the company should prioritize on the efficiency aspect rather than politeness. Whereas an external document to be sent to a client should follow a specific format and must consist of polite words. Here we are following a writing format which keeps the recipient in high esteem.

The format above shows the layout of an internal document like a notice and the below format picture depicts an external document like a letter sent to a client.

One more section which falls under this section of necessary skill is meetings, regarding which we had discussed earlier in the situation based communication style and seating manners part.

To sum it up, i have tried my maximum to write in simple words regarding workplace practices expected out of a professional in Japan. I hope you find it useful!

Sources :
ビジナス実務マナー検定 受験ガイド(Business Practice Manner Test Guidebook), Work Experience

The most common cause of workplace accidents or industrial accidents is often attributed to human error such as operational error, judgmental error, and job-related error, all of which are caused by human characteristics. Human behavioral characteristics, such as mistakes and carelessness, are called “human characteristics,” and errors caused by human characteristics are called “human errors.”One more major effect of human error is that it leads to interruption of services to customer, resulting in loss of trust and/or compensation for damages.

Work is always accompanied by issues related to human error, and unsafe behavior accounts for about 90% of all accidents, including those caused by inexperienced and unskilled workers.Most of the human errors are said to be associated with psychological factors affecting human behavior like carelessness and assumption based work.

Specific safety methods were developed so that workplaces can take steps on preemptive action for safety which includes hazard prediction training and pointing and calling. Activities incorporating these methods in a unified manner are called hazard prediction activities and will result in improved customer satisfaction.

Below points need to be kept in mind while doing any work;
• Take appropriate measures beforehand in order to counter risk after identification.
• Recheck at each of the important stages of work.
• Do the things that are obvious and need to be done.
• Human error reduction through Team work and communication.

Human Error and Hiyari Hatto

Human Error : An inappropriate or undesirable human behavior or decision that reduces, or has the potential for reducing, effectiveness, safety, or system performance resulting in trouble, accident or escalations.

Undesirable or inappropriate human behavior can be anything concerned with human nature like misjudgement, mishearing, verbal slip-up, misunderstand, carelessness. Even risk taking factors like rule violation wherein difficulty to abide, probability that it is ok to violate as others are doing can also be categorized as inappropriate behavior.

Hiyari Hatto (HH) : An inappropriate or undesirable human behavior or decision that reduces, or has the potential for reducing, effectiveness, safety, or system performance but didn’t result in trouble, accident or escalations.

Hiyari Hatto is a Japanese term. It means Experience of Almost Accident situation. Hiyari Hatto (HH) is a System to
• Identify the possible danger through Team members experience
• Develop the countermeasure utilizing their expertise and
• Implement the same in consultation with Team members supervisor

It is a pro-active exercise but not post mortem after accident.

What is HEZ Activity/Campaign

Each and every individual human being is irreplaceable. The HEZ(Human Error Zero) Campaign aims for zero accidents in the workplace resulting in increased customer satisfaction.The Campaign builds on the three principles of zero accidents, preemptive action, and participation to implement the KY activity in order to prevent human errors and bring about increased customer satisfaction.

The three principles

The following are the three basic principles.

The principle of zero accidents
“Zero accidents” means to achieve an accident free workplace (not only no fatal accidents or accidents causing absent from work, but also no accidents, including industrial accidents, occupational illness, or other accidents) by detecting, understanding, and solving all hazards (problems) in everybody’s daily life as well as potential hazards existing in workplaces and work and should be implemented 100%.

The principle of preemptive action
“Preemptive action” means to prevent all accidents and industrial accidents by detecting, understanding, and solving all hazards (problems) in everybody’s daily life as well as potential hazards existing in workplaces and work in order to create a brighter and more vigorous workplace with zero accidents and zero diseases as an ultimate goal.

Here the basic understanding is that, counter measures need to be developed for hiyari hatto which may lead to accidents or trouble. On the other hand, unsafe actions which may lead to hiyari hatto should also be identified beforehand and appropriate counter measures be taken. Also in situation where accident has happened already, the causes need to be found out in order to avoid re-occurrence.

As per Heinrich’s findings for every accident that causes a major injury, there are 29 accidents that cause minor injuries and 300 accidents that cause no injuries or “near misses.” He felt that because accidents share many common root causes, addressing the commonplace accidents will help eliminate major injuries or fatalities down the road. Heinrich also believed from his findings that 85 to 95% of all workplace accidents stem from unsafe actions by individuals.

The principle of participation
“Participation” means to make a concerted effort by managers, supervisors, staff, and workers to detect, understand, and solve potential hazards (problems) existing in workplaces and work. It requires the voluntary effort and commitment of all those involved in actions for problem-solving.

Hazard Prediction Activity(KY Katsudo)
*KY Katsudo (K: kiken (hazard), Y: yochi (prediction), Katsudo: Activity)

Hazard Prediction(KY) Activity is a brainstorming drill to discuss, mutually consider and understand all potential human error factors in advance. The potential human errors can rise out of human trait like carelessness (misjudgement, mishearing etc) and risk taking activities like rule violation(follow the crowd, assumption based work etc). The purpose of KY activity is to detect possible human errors beforehand or even in the case of human error should not result in affecting customer services. This activity is used in the promotion of HEZ campaign.

Here you can find a sample of KY Activity chart used during the brainstorming drill, just before start of work.

HE Preventive Measures

In order to tackle accidents caused by human error the following three preventive measures must be ensured:

Hardware (equipment, facilities, and other tools)
It is important to push ahead with safety and health measures in terms of Fail Safe or Fool Proof hardware (facilities, machinery, working environment, and raw materials) for the prevention of accidents caused by human error.

Software (human beings as well as hardware)
In addition to the above measures, it is necessary to improve the working environment including the relationship between workers and hardware as well as work from the perspective of a man-machine system. Here necessary procedure document should be created with checklist sections for the creation, implementation and confirm operations. An environment wherein 4S is implemented would be the best.

Humanware
Humanware incorporates the safety and health management of both hardware and software. Effective humanware hazard prediction activities incorporate countermeasures against human error and include the Health KY, the hazard prediction training (KYT), pointing and calling and the Hiyari hatto.

All the three,i.e., Hardware, Software and Humanware countermeasure put together will result in achieving the goals of HEZ campaign.

HEZ Activity in detail

Here i will take you through the specific actions which must be performed in-order to create a Human Error Zero environment.

(1) HEZ training to all the employees of a company

Appropriate HEZ training to all the employees at different levels of a company needs to be provided. This can go a great way in creating awareness and reduce the Human error at work and eventually make it reach the ideal zero figure.

(2) Strict adherence to the code of conduct at work

While any work is done with the elementary action items being put into practice, the must be adhered to rules should be kept in mind and is known as the code of conduct at work. In any organization, the code of conduct will be released and distributed as either a booklet or a card along with a briefing session regarding the same. The code of conduct document will contain the code of conduct items, concrete examples relating to code of conduct and the definition of terminologies.

The elementary action items are nothing but the consolidated number items of any organization based on the past occurrences of operation error or accidents and is the compilation of preventive measures with respect to the same. A few of the elementary action items are KY drill before start of work, work to be executed as per the procedure document, pointing and calling at each of the important points, contact concerned authority in case of ambiguity or insecurity or abnormality after stopping the work etc.,

(3) Hiyari Hatto activity

In order to target zero HE, the potential accident causing condition should be grasped in advance and procedure should be established to report as many as such cases to the management as possible. Also let’s ensure that countermeasures are taken to all HH in-order to make work place safer, pleasant and easy to work. The below flow chart shows a sample pictorial representation of the HH activity work flow.

(4) Pointing and Calling in every day activity

This activity involves pointing at target objects by stretching your arm and stating out loud, “Such and such is OK” at important points in the work in order to proceed with work safely and correctly. Pointing and calling are methods for raising the consciousness level of workers and confirming that conditions are regular and clear, increasing the accuracy and safety of work.By raising the consciousness level, accidents resulting out of human characteristics of carelessness like misjudgement, mishearing etc., can be avoided.

A few illustrations of the pointing and calling are as follows;
Eg 1) email address confirmation before sending a email – abc@xyz.com address Yoshi!
Eg 2) Cabinet confirmation before leaving your work desk at break time – 1/2/3 desk cabinet/s locked Yoshi!
Eg 3) Tidiness confirmation after finishing work at the end of day – clear desk Yoshi!
Eg 4) Avoiding forgetfulness before moving out –  possess a/b/c Yoshi!

The results of proof testing conducted by the Railway Technical Research Institute in 1994 showed that the rate of work-related errors decreased to less than one-sixth when conducting pointing and calling as compared with doing nothing.

(5) Hazard Prediction Training(KYT) at workplace

Hazard prediction training called ” Kiken-Yochi Training ” (KYT) in Japanese can be defined as a role-play based training method, in which staff members first observe photos/videos or illustrations of everyday scenes in a workplace, and then those scenes are discussed within a group for detection of potential hazards, countermeasures against hazardous issues , and, finally, slogans or messages are created and directed at risk avoidance (ensuring of safety). It was invented in 1974 in Japan for prevention of occupational accidents, and, since the late 1970s, has spread from the manufacturing industry to the entire industrial world. A systematic review reported that KYT reduced the occupational accident rate significantly. Thereafter, KYT was introduced into safety education programs across industries, leading to a significant reduction in accidents.

The KYT Basic 4-Round Method forms the foundation for this activity. Participants openly discuss the hidden hazards depicted in the illustrations of the workplace and work conditions and solve problems by proceeding through the four rounds step by step.

Round 1: What are the hidden hazards? (Understanding the actual situation)
Round 2: These are the danger points. (Investigating the reality)
Round 3: What would you do? (Establishing countermeasures)
Round 4: These are the danger points. (Setting targets)

The KYT method increases the motivation of workers to practice in teams. It uses meetings to sharpen awareness of what constitutes danger. Workers share information on hazards and improve their problem solving capabilities by working on finding solutions in meetings. And they improve their powers of concentration by practicing pointing and calling activities in all of the important points in the work.

In order to maintain long term consistency in the implementation of KYT learnings, the following points should be kept in mind and executed during everyday activities.
1) Sensitivity towards the hazard points
2) Rise the concentration level through pointing and calling
3) Improve problem resolution through KY activity
4) Fire up the motivation through KY activity
5) Display teamwork in detection, understanding and resolution of problems during KY activity
6) Think the problems as your own

(6) Morning and Evening Assembly

In order to perform any task safely and avoid human errors one more important component would be to actively take part in the morning and evening assembly sessions. Other than being an integral part for the execution of everyday activities, here we can find various teams sharing their experiences which may include accident reporting, hiyari hatto incidents, new learnings etc. and thus serves as a place for self development.

KY cycle is a structure wherein Health and safety is integrated as part of everyday activities which includes the morning and evening assembly sessions. Here we can find the various safety techniques included in every work performed as well. Each KY cycle is divided into 3 parts ,i.e, safety measures taken before work, while doing work and after work activities and promotion of human error zero activity is done.

The above picture gives you the description of KY cycle of every day work and relates to every work performed in a day.

(7) Repetition & Reporting

Sometimes the output of our work may differ from the instructions received which was not cross checked. Also there may be times when we may have been asked about the status of work which was not reported. These two are instances wherein the repetition of the instruction received in the former case and reporting of the work status in the latter case are not adhered to.

Repetition(Before start of work)
This is a way of making sure the instruction is received correctly by repeating the instruction contents loudly. So we can get started with the work avoiding any potential human errors with respect to receiving instructions.

Reporting(After work)
This is a way to inform about the progress of work with respect to the instruction received. By this was both the receiving and instructing side can fell safe about the proper progress or completion of work.

(8) 4S(seiri, seiton, seiso, seiketsu)

4S is a workplace organization method abbreviated from the Japanese words seri for “Sort”, seiton for “Set in order”, seiso for “Systematic cleaning” and seiketsu for “Standardize”. Organizing the workplace leads to a safe and healthy environment.

• Sorting — separating the needed from the unneeded. Sorting activities aim to eliminate unneeded items from the work area and to perform an initial cleaning.

• Set in order — a place for everything and everything in its place, clean and ready for use. Simplifying arranges the workplace to ensure safety and efficiency.

• Systematic Cleaning — cleaning for inspection. Systematic daily cleaning and inspection of work areas and equipment help you understand current conditions and determine if corrective action is required.

• Standardize — developing common methods for consistency. Standardizing assures that everyone knows what is expected .It aims to make abnormal conditions noticeable and to document agreements to ensure consistency and sustainability.

The 3 main pillars of the HEZ activity

Implementation of the HEZ Campaign requires three important pillars: the positive attitude of the top management, the complete management of the safety and health system by line managers and supervisors, and the promotion of voluntary activities in the workplace. The HEZ Campaign depends on the mutual relationships and assistance of these three pillars.

1) The positive attitude of the top management
The starting point of safety and health activity is a tough attitude held by top management towards zero accidents and zero diseases.The campaign starts with a determined commitment by the senior management to respect every single worker and ensure no injuries.

2) The complete management of the safety and health system by line managers and supervisors
In order to promote safety and health in the workplace, it is essential for line managers and supervisors to lead by example by integrating safety and health activities into day-to-day work, making safety and health part of the line management.

3) The activation of voluntary activities in the workplace
Human error plays a part in most workplace accidents, and each and every employee needs to be fully aware that responsibility cannot be shifted to others. Employees must engage in small group activities for zero accidents with the awareness that their existence is irreplaceable for their families and dependents and safety and health is their own and their co-worker’s own problem.

Conclusion

The philosophy of the HEZ Activity is to respect human life. Specific safety methods are developed so that workplaces can take steps on preemptive action for safety. Activities incorporating these methods in a unified manner are called hazard prediction(KY) activities. As the system is operated by human beings, so, to make it function properly, it requires the motivation and enthusiasm of all of the people involved in it, namely the top management, the line managers, and the team members.

Sources:
危険予知訓練(KY Training), experience

ISO refers to International Organization for Standardization. It is headquartered in Geneva, Switzerland and is a non-governmental organization. A total of 163 countries are affiliated with the organization. In order to smoothen international transactions with respect to any product or service, concerned authorities from different countries come together to define a set of standards so that same quality and level of a deliverable can be maintained anywhere in the world.

The ISO membership is one organization per country. Majority of the ISO members are a part of the country’s government organization or have been entrusted the responsibility by the government organization of a country.
There are three types of membership types with different privileges as follows;

• Regular Member – Has all the privileges starting from participating in development of standards, taking part in policy making, selling publications and ISO standards with copyrights or with ISO title and logo and finally to be part of the ISO management group. Most of the countries in the world are regular members.

• Correspondence Member – Has all the privileges except, being part of the ISO management group, which is not allowed. A few countries are with this kind of membership.

• Paid Member – Has the privilege for only taking part in the development of standards. As few as three to four countries in the world are with this kind of membership.

The standard organizations is Japan are JISC(Japan Industrial Standards Committee), JAB(Japan Accreditation Board) etc., based on the type of businesses and represent Japan at the ISO. The websites of JIS and JAB provide a detailed information on the various standards released by the respective organizations.

Development of Standards

There are 5 stages in the development of standards;

• Working Draft(WD) development – Vague idea suggested by different groups about a standard to be developed.

• Committee Draft(CD) development – The working draft will be analyzed further by a committee to check for the acceptability world over.

• Draft International Standard(DIS) development and circulation– Once the draft reaches this stage we have a draft standard which can be circulated with other member countries for voting during which suggestions and other feedbacks can be expected and appropriate updations are done. This process usually takes a long time period of one to two years depending upon the completeness of the draft. The ‘OK’ vote should be received from all the participating countries to arrive at the final draft.

• Final Draft International Standard(FDIS) circulation– The DIS will be circulated with all the participating countries for a final confirmation and review before the release.

• Release of International Standard – With the approval of the FDIS by the participating countries, the International Standard with be released.

The ISO can be classified into the following two categories mainly;

1) Standards applicable to objects (pictorial symbols, dimensions)
A few examples are as follows;
ISO 7010/JIS 8210     Emergency exit symbol(Japan design used world over)
ISO/IEC 7810               Card sizes
ISO 68                           Nut size etc.,

2) Standards applicable to management systems
A few examples are as follows;
ISO 9001                      Quality Management System
ISO 14001                    Environment Management System
ISO 27001                    Information Security Management System etc.,

Management System standards and certification

A management system is the way in which an organization manages the inter-related parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, health and safety in the workplace and many more.

The level of complexity of the system will depend on each organization’s specific context. For some organizations, especially smaller ones, it may simply mean having strong leadership from the business owner, providing a clear definition of what is expected from each individual employee and how they contribute to the organization’s overall objectives, without the need for extensive documentation. More complex businesses operating, for example, in highly regulated sectors, may need extensive documentation and regulation in order to fulfil their legal obligations and meet their organizational objectives.

ISO management system standards (MSS) help organizations improve their performance by specifying repeatable steps that organizations consciously implement to achieve their goals and objectives, and to create an organizational culture that reflexively engages in a continuous cycle of self-evaluation, correction and improvement of operations and processes through heightened employee awareness and management leadership and commitment.

There are various management system standards based on industry types and businesses. The type of ISO standard to be implemented entirely depends upon the client requirements or internal risk reduction requirements of a company. Considering Japan in our study, the following three are the major ISO certification standard sought after by most of the companies in Japan.

• ISO 9001
ISO 9001 sets out the criteria for a quality management system and is the only standard in the family that can be certified to (although this is not a requirement). It can be used by any organization, large or small, regardless of its field of activity.

This standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement. Using ISO 9001 helps ensure that customers get consistent, good quality products and services, which in turn brings many business benefits.

• ISO 14001
ISO 14001 specifies the requirements for an environmental management system that an organization can use to enhance its environmental performance. ISO 14001 is intended for use by an organization seeking to manage its environmental responsibilities in a systematic manner that contributes to the environmental pillar of sustainability.

ISO 14001 is applicable to any organization, regardless of size, type and nature, and applies to the environmental aspects of its activities, products and services that the organization determines it can either control or influence considering a life cycle perspective. ISO 14001 does not state specific environmental performance criteria.

• ISO/IEC 27001
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

The logos of the above three management systems certified by the JQA(Japan) are as follows;

The ISO management system standards (MSS) is revised once every five years. Though the time period specified is 5 years once, the update may happen based on convenience and state of affairs. For example in case of ISO 9001, the last update happened in 2015 and is named as ISO 9001 : 2015 version. The previous version to 2015 was ISO 9001 : 2008.

In case of an organization wishing to certify to a certain management system (For ex: ISO 14001), the readiness of an organization to the system will first be checked by the JQA(Japan Quality Association) organization. JQA is a body to provide testing and certification service for the various ISO standards as part of quality management system activity.Thus we can say that as JQA checks for the conformity to the various standards and provides the ceritifcation, they have to work in close co-ordination with the various Standards organizations like the JAB, JISC etc.,

The IAF or International Accreditation Forum develops a single worldwide program of conformity assessment which reduces risk for business and its customers by assuring them that accredited certificates may be relied upon. Accreditation assures users of the competence and impartiality of the body accredited. IAF members, i.e., the certifying bodies of member countries(JAB/JISC.. incase of Japan) or registration bodies issue certificates attesting that an organization’s management, products or personnel comply with ISO standard.

Merits of ISO certification

Certification can be a useful tool to add credibility, by demonstrating that your product or service meets the expectations of your customers. For some industries, certification is a legal or contractual requirement. The following points describe the actual merits behind ISO certification.,

1) To gain the trust of customers
In order to demonstrate that a product exported to foreign countries or sold in the domestic market meets a certain level of quality, is safe to the environment and maintains the confidentiality of user data, a 3rd party certifying authority like the ISO is used as a tool.

2) Gaps or Problem identification from a 3rd Party perspective
In case of audit done by an internal party, the seriousness compared to a certifying external body will not be there. So, when the audit is done by a 3rd party body like the ISO, issues or gaps unable to be identified or overlooked by the organization can be certainly expected. Also the auditing ISO personnel will be auditing from a customer’s position so issues unidentified from the customer viewpoint may be also found out.

3) Continuous improvement
Organizations which get certified with the ISO Management System Standards, will have a review yearly once by the concerned ISO authorities. At the end of each yearly audit, the auditors suggest the organization improvement plans with respect to the problems identified. As a result of these continued yearly audits, continued improvement of the organization can be brought about.

The PDCA cycle is the most used methodology to implement a continuous improvement system in a company or organization. The PDCA methodology describes the four essential steps that should be carried out systematically to achieve continuous improvement, defined as a continuous way to improve the quality of products and processes (decrease failures, increase effectiveness and efficiency, problem solving, avoid potential risks etc., ).

The PDCA/Deming Cycle is composed for four cyclic steps as above, so that once we have finished with the final stage we have to start again with the first one, and repeat the cycle again. Doing that in a company, the activities are reevaluated periodically to incorporate new enhancements. The application of this methodology is primarily intended to be used for companies and organizations, but you can also use it in any other situation.

One special characteristic of ISO Management Standard System is the Internal Audit. The internal audit is basically used to check(PDCA) whether the management system built by the organization is functioning properly or not. Also in case of suggestion for changes, a trial period to verify the development of the new process is established. If the improvement does not achieve the initial expectations we will have to modify the process again to obtain the desired objectives.

In other words internal audit is used,
1) To check for the management system functionality.
2) To Identify problems or improvement points.
3) By the concerned manager to implement the audit suggestions in management system improvement.

The internal audit is an indispensable activity as part of the continuous improvement of an organization.

The management systems specify the requirements but do not mention “how to” attain those requirements. So, it is upto the organizations to decide how to attain and to what level based on their targets with respect to the continuous improvement plan. This can be a set of lower level targets before targeting the higher level expectancy of the management system.

Management systems of the future

One of the main changes in the new version of ISO 9001:2015 is the adoption of the High-Level Structure (HLS). That sounds innovative, but it is important because this High-Level Structure means that in the future, all management system standards will be aligned. The core text in the High-Level Structure will be used in every management system standard whether it be for quality, work health and safety, the environment, food safety or another discipline. This common factor also applies to the text of requirements description wherever applicable.  Also, common terminologies will be used in every management system with the same definition.

This common structure is possible because basic concepts such as management, customer requirements, planning, performance, control, monitoring, measurement, auditing, corrective action, and nonconformity are common to all management system standards. Whilst the standards have always had common elements, they have been described and organized differently, making effective integration difficult.

The High-Level Structure will ensure that future management system standards support each other. They will be easier to read and understand, and it will aid greatly in the integration of multiple standards within the one organization. The resulting improved linkages in processes and activities will deliver better value and efficiency.

Conclusion

• In order to smoothen international transactions with respect to any product or service, a set of ISO standards have been set up to maintain the quality and level of a deliverable.
• The ISO standards can be classified as “Standards applicable to Objects” and “Standards applicable to Management systems”.
• The ISO management system is a useful tool to reduce the management risks of each organization.
• The ISO brings about step by step continuous improvement, thus strengthening the organization.
• The common factors as part of future management systems will bring about better integration of multiple standards within an organization resulting in better value and efficiency.

Sources:
Online learning(www.schoo.jp)

Although data center designs are unique, they can generally be classified as internet-facing and enterprise (or internal) data centers. Internet-facing data centers usually support relatively few applications, are typically browser-based, and have many users, typically unknown. In contrast, enterprise data centers service fewer users, but host more applications that vary from off-the-shelf to custom applications.

The main purpose of a data centre design is to run core business or mission critical applications and store operational data as well as providing Disaster Recover (DR) facilities. Typical applications will be enterprise software systems such as Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) services. Data center architectures and requirements can differ significantly.
For example, a data center built for a cloud service provider like Amazon EC2 satisfies facility, infrastructure, and security requirements that significantly differ from a completely private data center, such as one built for the Pentagon that is dedicated to securing classified data.

Why data centers are business-critical

Most data center deployments are carried out for the following reasons:
•Availability: Maximizing the availability of IT services to the organization.
•Business continuity: The redundancy, monitoring and infrastructure provided by most data centers means that the potential for business  interruption is very low.
•Lower total cost of ownership: Where an organization has several silos of data, it can combine resources and reduce the amount of separate data servers required.
Staff overhead is reduced as administrative operations are simplified, whilst energy and floor space costs are reduced.
•Agility: Centralizing IT infrastructure within a data center creates greater agility since new deployments do not have to be rolled out to multiple physical locations.

Basically, an effective data center operation is achieved through a balanced investment in the facility and equipment housed. The elements of a data center break down as follows:

Facility – the location and white space or usable space, that is available for IT equipment. Providing round-the-clock access to information makes data centers some of the most energy-consuming facilities in the world. A high emphasis is placed on design to optimize white space and environmental control to keep equipment within manufacturer-specified temperature/humidity range.

Support infrastructure – equipment contributing to securely sustaining the highest level of availability possible.
Some components for supporting infrastructure include:
•Uninterruptible Power Sources (UPS) – battery banks, generators and redundant power sources.
•Environmental Control – computer room air conditioners (CRAC), heating, ventilation, and air conditioning (HVAC) systems, and exhaust systems.
•Physical Security Systems – biometrics and video surveillance systems.

IT equipment – actual equipment for IT operations and storage of the organization’s data. This includes servers, storage hardware, cables and racks, as well as a variety of information security elements, such as firewalls.

Operations staff – to monitor operations and maintain IT and infrastructural equipment around the clock.

Data centers have evolved significantly in recent years, adopting technologies such as virtualization to optimize resource utilization and increase IT flexibility. As enterprise IT needs continue to evolve toward on-demand services, many organizations are moving toward cloud-based services and infrastructure. A focus has also been placed on initiatives to reduce the enormous energy consumption of data centers by incorporating more efficient technologies and practices in data center management. Data centers built to these standards have been coined green data centers.

Data Center Solutions

So, what exactly do data centers offer? What’s so great about them versus doing everything in-house.Below is a list of some of the services offered:
•Colocation Services
A colocation data center lies on the opposite spectrum of the in-house data center. Colocation facilities are third party organizations that are multi-tenant accessible, meaning that multiple businesses of any size or industry may house their equipment within the data center. Customers are able to select from a variety of solutions to accommodate the specific requirements for their business.

•Cloud Services like Iaas, Paas, Saas

•Disaster Recovery
This is a flexible and scalable service to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. Disaster recovery focuses on the IT or technology systems supporting critical business functions,as opposed to business continuity, which involves keeping all essential aspects of a business functioning despite significant disruptive events. Disaster recovery is therefore a subset of business continuity.

•Managed Services
Managed hosting service provider is a company or individual that remotely manages a customer’s IT infrastructure.Many small and medium sized businesses tend to use the services of a managed service provider for web servers and website management.

Managed providers will each specialize in a different area of IT. Some may be experts in managed colocation services whereas others are more focused on business connectivity and cloud services.

•High Availability
High availability in the data center refers to systems and components that are continuously operational for a long time. It typically means the systems have been thoroughly tested, are regularly maintained and have redundant components installed to ensure continuous operation.

These services and much more are managed professionally by IT administrators who stay up-to-date with the latest technology and ultimately help a data center’s overall efficiency.

Data center administrators have a long to-do list when it comes to infrastructure monitoring. From server and equipment monitoring — and in some cases, mainframe monitoring — it’s a practice that’s often difficult to juggle, especially if you work in a large data center. But monitoring is an essential task. By obtaining the data you need, you can increase security and scalability, efficiently automate and better align resources with capacity needs.

Instead of scrambling to fix a problem after it occurs, data center admins should strive to be proactive, anticipating issues before end users even notice. But that can be difficult to do without the right data center monitoring tools and strategy.Trends such as mobility, virtualization adoption, new and increasing compliance and governance requirements, and the need to modernize existing infrastructure add further complication to managing the IT environment.

To make information across the enterprise readily available requires an enterprise infrastructure that is managed as an integrated whole. The go to ITSM tool(Example:Opsmart, Remedy etc.,) should provide a flexible, scalable, and open solution.Also the tool should align ITSM resources to support customer business objectives.These services create a centralized operations and support center, providing the customer a cohesive approach to integrate process optimization, systems development and support, and network and service desk management across the business enterprise.

Moving Forward

Due to the cloudification of data centers, current situation is such that it is no longer reserved for any specific type of organizations any longer; they’ve become accessible to almost anyone. Even if in-house IT operations are conceivable for small or large companies, wise IT administrators are choosing to outsource some portions of IT management. In the long run, it saves time, money, and manpower and it’s much less of a headache.

Service Desk Operations

Operations staff have direct responsibility for the availability of computer services; nonetheless, they also have direct contact with users and decision makers. One part of the Operations ,i.e,the service desk also known as the “help desk” is the single point of contact for users to report incidents. Without the service desk, users will contact support staff without the limitations of structure or prioritization. This means that a high-priority incident may be ignored while the staff handles a low-priority incident.

IT Infrastructure Library, ITIL is a set of best practices for an effective IT Service management, ITSM is followed across companies of all sizes.
ITIL enables businesses to handle IT issues and service requests efficiently by assigning clear roles and responsibilities. It helps individuals and organizations to realize business growth and transformation.

ITIL Service Life cycle

ITIL service lifecycle consists of five stages. Each stage has a set of ITIL processes and it is significant to understand the purpose of each process before implementing. However, companies may selectively implement few processes that are necessary.

• Service strategy – Service strategy involves clear understanding of customer’s and market’s needs. This advocates a long-term market driven approach to deliver IT support. Service strategy include strategy management for IT services, service portfolio management, demand management, financial management for IT services and business relationship management that focuses on customer satisfaction.

• Service design – This is an holistic approach to design a support service. The right service design approach translates to higher customer satisfaction and usability. Some of the ITIL service design processes include service level agreement, service catalog management, availability management and IT service continuity management.

• Service Transition – This stage ensures changes in service lifecycle are handled with minimum risk and impact so that there is minimal or no downtime. Some of the processes here include change management, release management, configuration management database, knowledge management.

• Service Operation – ITIL service operation ensures seamless service in day to day business activities. Actual delivery and consumption of services happen during this stage. This has a direct impact on the productivity of end users. Typical processes include incident management, request fulfillment, problem management.

• Continual Service Improvement – CSI aims for process review and improvement throughout the service lifecycle. This is applicable to all service stages including strategy, design, transition and operation. Metrics definition and performance review happen at this stage which help companies to revisit existing process.

Incident Management

ITIL defines an incident as an unplanned interruption to or quality reduction of an IT service. The service level agreements (SLA) defines the agreed-upon service level between the provider and the customer. Incident management focuses solely on handling and escalating incidents to the next level as they occur to restore defined service levels. Incident management does not deal with root cause analysis or problem resolution. The main goal is to take user incidents from a reported stage to a closed stage.

The below figure depicts a sample incident management flow.

The Alerts and incident calls may be related in cases where the incidents result in Alerts on the monitoring tool. However, Alert may occur on tool independently and follows the flow 1 – 3 – 4 – 5 and finally closure of the ticket raised w.r.t to the Alert generated on tool.

The other case is when the Client or user calls up regarding a service disruption issue or a service enhancement support. In such cases, the flow 1 or 2 – 3 – 4 – 5 – 6 is followed. Here as well, once the issue is resolved the concerned ticket is closed.

Operational incident management requires several key pieces:
1.A service level agreement between the provider and the customer that defines incident priorities, escalation paths, and response/resolution time frames
2.Incident models, or templates, that allow incidents to be resolved efficiently
3.Categorization of incident types for better data gathering and problem management
4.Agreement on incident statuses, categories, and priorities
5.Establishment of a major incident response process
6.Agreement on incident management role assignment

Incident statuses

Incident statuses mirror the incident process and include:
•New
•Assigned
•In progress
•On hold or pending
•Resolved
•Closed

The new status indicates that the service desk has received the incident but has not assigned it to an agent.
The assigned status means that an incident has been assigned to an individual service desk agent.
The in-progress status indicates that an incident has been assigned to an agent but has not been resolved. The agent is actively working with the user to diagnose and resolve the incident.
The on-hold status indicates that the incident requires some information or response from the user or from a third party. The incident is placed “on hold” so that SLA response deadlines are not exceeded while waiting for a response from the user or vendor.
The resolved status means that the service desk has confirmed that the incident is resolved and that the user’s service has restored to the SLA levels.
The closed status indicates that the incident is resolved and that no further actions can be taken.

Incident management follows incidents through the service desk to track trends in incident categories and time in each status. The final component of incident management is the evaluation of the data gathered. Incident data guides organizations to make decisions that improve the quality of service delivered and decrease the overall volume of incidents reported. Incident management is just one process in the service operation framework.

Sources:
Work Experience, Online Learning

Here the focus will be on protecting devices, creating strong passwords and safely using wireless networks. Also maintaining the data securely will be looked into.

Protect Computing Devices

Your computing devices store your data and are the portal to your online life.
Below is a short list of steps you can take to protect your computing devices from intrusion:

• Keep the Firewall On – Whether it is a software firewall or a hardware firewall on a router, the firewall should be turned on and updated to prevent hackers from accessing your personal or company data.
• Use Antivirus and Antispyware – Antivirus software is designed to scan your computer and incoming email for viruses and delete them. Sometimes antivirus software also includes antispyware. Keep your software up to date to protect your computer from the newest malicious software.
• Manage Your Operating System and Browser – Hackers are always trying to take advantage of vulnerabilities in your operating systems and your web browsers. To protect your computer and your data, set the security settings on your computer and browser at medium or higher. Update your computer’s operating system including your web browsers and regularly download and install the latest software patches and security updates from the vendors.
• Protect All Your Devices – Your computing devices, whether they are PCs, laptops, tablets, or smartphones, should be password protected to prevent unauthorized access. The stored information should be encrypted, especially for sensitive or confidential data.

IoT devices pose an even greater risk than your other computing devices. While desktop, laptop and mobile platforms receive frequent software updates, most of the IoT devices still have their original firmware.If vulnerabilities are found in the firmware, the IoT device is likely to stay vulnerable.The best way to protect yourself from this scenario is to have IoT devices using an isolated network, sharing it only with other IoT devices.

Use Wireless Networks Safely

Wireless networks allow Wi-Fi enabled devices, such as laptops and tablets, to connect to the network by way of the network identifier, known as the Service Set Identifier (SSID). To prevent intruders from entering your home wireless network, the pre-set SSID and default password for the browser-based administrative interface should be changed.Furthermore, you should encrypt wireless communication by enabling wireless security and the WPA2 encryption feature on the wireless router. Even with WPA2 encryption enabled, the wireless network can still be vulnerable.

Use Unique Passwords for Each Online Account or Passphrase

You probably have more than one online account, and each account should have a unique password. That is a lot of passwords to remember. However, the consequence of not using strong and unique passwords leaves you and your data vulnerable to cyber criminals.

To prevent unauthorized physical access to your computing devices, use passphrases, rather than passwords. It is easier to create a long passphrase than a password, because it is generally in the form of a sentence rather than a word. The longer length makes passphrases less vulnerable to dictionary or brute force attacks. Furthermore, a passphrase maybe easier to remember, especially if you are required to change your password frequently.

Encrypting, Back up or Deleting Your Data permanently

Your data should always be encrypted. You may think you have no secrets and nothing to hide so why use encryption? Maybe you think that nobody wants your data. Most likely, this is probably not true.Malicious application infects your computer or mobile device and can steal potentially valuable information, such as account numbers and passwords, and other official documents. That kind of information can lead to identity theft, fraud, or ransom. Criminals may decide to simply encrypt your data and make it unusable until you pay the ransom.

Your hard drive may fail. Your laptop could be lost. Your smart phone stolen. Maybe you erased the original version of an important document. Having a backup may prevent the loss of irreplaceable data, such as family photos. To back up data properly, you will need an additional storage location for the data such as online storage and you must copy the data to that location regularly and automatically.

When you move a file to the recycle bin or trash and delete it permanently, the file is only inaccessible from the operating system. Anyone with the right forensic tools can still recover the file due to a magnetic trace left on the hard drive.To prevent the recovery of deleted files, you may need to use tools specifically designed to do just that like SDelete from Microsoft and Shred for Linux and Secure Empty Trash for Mac OSX.

Different types of Authentication

• Two Factor Authentication
Popular online services, such as Google, Facebook, Twitter, LinkedIn, Apple and Microsoft, use two factor authentication to add an extra layer of security for account logins. Besides the username and password, or personal identification number (PIN) or pattern, two factor authentication requires a second token, such as physical (phone number) or biometric(finger print) authentication.Even with two factor authentication, hackers can still gain access to your online accounts through attacks such as phishing attacks, malware, and social engineering.

• OAuth 2.0
Open Authorization (OAuth) is an open standard protocol that allows an end user’s credentials to access third party applications without exposing the user’s password. OAuth acts as the middle man to decide whether to allow end users access to third party applications. For example, say you want to access web application XYZ, and you do not have a user account for accessing this web application. However, XYZ has the option to allow you to log in using the credentials from a social media website ABC. So you access the website using the social media login.

Ultimately, it is your responsibility to safeguard your data, your identity, and your computing devices. When you send an email, should you include your medical records? The next time you browse the Internet, is your transmission secure? Just a few simple precautions may save you problems later.

Protecting the Organization

Here we cover some of the technology and processes used by cybersecurity professionals when protecting an organization’s network, equipment and data. First, we briefly cover the many types of firewalls, security appliances, and software that are currently used, including best practices.

Next, we will get to know about botnets, the kill chain, behavior-based security, and using NetFlow to monitor a network. The last section discusses about different approaches to cybersecurity, including the CSIRT team and the security playbook.

Firewalls, Security Appliances and best practices

• Firewall Types

A firewall is a wall or partition that is designed to prevent fire from spreading from one part of a building to another. In computer networking, a firewall is designed to control, or filter, which communications are allowed in and which are allowed out of a device or network.
A firewall can be installed on a single computer with the purpose of protecting that one computer (host-based firewall), or it can be a stand-alone network device that protects an entire network of computers and all of the host devices on that network (network-based firewall).

• Port Scanning

Port-scanning is a process of probing a computer, server or other network host for open ports. In networking, each application running on a device is assigned an identifier called a port number. This port number is used on both ends of the transmission so that the right data is passed to the correct application. Port-scanning can be used maliciously as a reconnaissance tool to identify the operating system and services running on a computer or host, or it can be used harmlessly by a network administrator to verify network security policies on the network.

For the purposes of evaluating your own computer network’s firewall and port security, you can use a port-scanning tool like Nmap to find all the open ports on your network. Port-scanning can be seen as a precursor to a network attack and therefore should not be done on public servers on the Internet, or on a company network without permission.

• Security Appliances

Today there is no single security appliance or piece of technology that will solve all network security needs. Because there is a variety of security appliances and tools that need to be implemented, it is important that they all work together. Security appliances are most effective when they are part of a system. Security appliances can be stand-alone devices, like a router or firewall, a card that can be installed into a network device, or a module with its own processor and cached memory. Security appliances can also be software tools that are run on a network device.

Security appliances fall into these general categories:

1. Routers –  Have many firewall capabilities besides just routing functions, including traffic filtering, the ability to run an Intrusion Prevention System (IPS), encryption, and VPN capabilities for secure encrypted tunneling.
2. Firewalls – Capabilities of an ISR router, as well as, advanced network management and analytics.
3. IPS – Dedicated to intrusion prevention.
4. VPN – Appliances equipped with a Virtual Private Network (VPN) server and client technologies are designed for secure encrypted tunneling.
5. Malware/Antivirus – Advanced Malware Protection (AMP) comes in next generation Cisco routers, firewalls, IPS devices, Web and Email Security Appliances and can also be installed as software in host computers.
6. Other Security Devices – This category includes web and email security appliances, decryption devices, client access control servers, and security management systems.

• Detecting Attacks in Real Time

Software is not perfect. When a hacker exploits a flaw in a piece of software before the creator can fix it, it is known as a zero-day attack. Due to the sophistication and enormity of zero-day attacks found today, it is becoming common that network attacks will succeed and that a successful defense is now measured in how quickly a network can respond to an attack. The ability to detect attacks as they happen in real-time, as well as stopping the attacks immediately, or within minutes of occurring, is the ideal goal. Unfortunately, many companies and organizations today are unable to detect attacks until days or even months after they have occurred.

• Real Time Scanning from Edge to Endpoint –
  Detecting attacks in real time requires actively scanning for attacks using firewall and IDS/IPS network devices.
• DDoS Attacks and Real Time Response –
  DDoS is one of the biggest attack threats requiring real-time response and detection. DDoS attacks are extremely difficult to defend against because the attacks originate from hundreds, or thousands of zombie hosts, and the attacks appear as legitimate traffic.
• Protecting Against Malware –
  How do you provide defense against the constant presence of zero-day attacks, as well as advanced persistent threats (APT) that steal data over long periods of time? One solution is to use an enterprise-level advanced malware detection solution that offers real-time malware detection.
  Network administrators must constantly monitor the network for signs of malware or behaviors that reveal the presence of an APT.

• Security Best Practices

Many national and professional organizations have published lists of security best practices. The following is a list of some security best practices:

• Perform Risk Assessment – Knowing the value of what you are protecting will help in justifying security expenditures.
• Create a Security Policy – Create a policy that clearly outlines company rules, job duties, and expectations.
• Physical Security Measures – Restrict access to networking closets, server locations, as well as fire suppression.
• Human Resource Security Measures – Employees should be properly researched with background checks.
• Perform and Test Backups – Perform regular backups and test data recovery from backups.
• Maintain Security Patches and Updates – Regularly update server, client, and network device operating systems and programs.
• Employ Access Controls – Configure user roles and privilege levels as well as strong user authentication.
• Regularly Test Incident Response – Employ an incident response team and test emergency response scenarios.
• Implement a Network Monitoring, Analytics and Management Tool – Choose a security monitoring solution that integrates with other technologies.
• Implement Network Security Devices – Use next generation routers, firewalls, and other security appliances.
• Implement a Comprehensive Endpoint Security Solution – Use enterprise level antimalware and antivirus software.
• Educate Users – Educate users and employees in secure procedures.
• Encrypt data – Encrypt all sensitive company data including email.

Botnets, Kill chain and behavior based security

• Botnet

A botnet is a group of bots, connected through the Internet, with the ability to be controlled by a malicious individual or group. A bot computer is typically infected by visiting a website, opening an email attachment, or opening an infected media file. A botnet can have tens of thousands, or even hundreds of thousands of bots. These bots can be activated to distribute malware, launch DDoS attacks, distribute spam email, or execute brute force password attacks. Botnets are typically controlled through a command and control server. Cyber criminals will often rent out Botnets, for a fee, to third parties for nefarious purposes.

• The Kill Chain in Cyberdefense

In cyber security, the Kill Chain is the stages of an information systems attack. Developed by Lockheed Martin as a security framework for incident detection and response, the Cyber Kill Chain is comprised of the following stages:

1. Reconnaissance – The attacker gathers information about the target.
2. Weaponization – The attacker creates an exploit and malicious payload to send to the target.
3. Delivery – The attacker sends the exploit and malicious payload to the target by email or other method.
4. Exploitation – The exploit is executed.
5. Installation – Malware and backdoors are installed on the target.
6. Command and Control – Remote control of the target is gained through a command and control channel or server.
7. Action – The attacker performs malicious actions like information theft, or executes additional attacks on other devices from within the network by working through the Kill Chain stages again.

To defend against the Kill Chain, network security defenses are designed around the stages of the Kill Chain.
These are some questions about a company’s security defenses, based on the Cyber Kill Chain:

• What are the attack indicators at each stage of the Kill Chain?
• Which security tools are needed to detect the attack indicators at each of the stages?
• Are there gaps in the company’s ability to detect an attack?

According to Lockheed Martin, understanding the stages of Kill Chain allowed them to put up defensive obstacles, slow down the attack, and ultimately prevent the loss of data.

• Behavior-Based Security

Behavior-based security is a form of threat detection that does not rely on known malicious signatures, but instead uses informational context to detect anomalies in the network. Behavior-based detection involves capturing and analyzing the flow of communication between a user on the local network and a local, or remote destination. These communications, when captured and analyzed, reveal context and patterns of behavior which can be used to detect anomalies. Behavior-based detection can discover the presence of an attack by a change from normal behavior.

• Honeypots – A Honeypot is a behavior-based detection tool that first lures the attacker in by appealing to the attacker’s predicted pattern of malicious behavior, and then, when inside the honeypot, the network administrator can capture, log, and analyze the attacker’s behavior. This allows an administrator to gain more knowledge and build a better defense.

• NetFlow – NetFlow technology is used to gather information about data flowing through a network. NetFlow information can be likened to a phone bill for your network traffic. It shows you who and what devices are in your network, as well as when and how users and devices accessed your network. NetFlow is an important component in behavior- based detection and analysis. Switches, routers, and firewalls equipped with NetFlow can report information about data entering, leaving, and traveling through the network. Information is sent to NetFlow Collectors that collect, store, and analyze NetFlow records.

CSIRT Team, Security Playbook , Misc

• CSIRT Team

Many large organizations have a Computer Security Incident Response Team (CSIRT) to receive, review, and respond to computer security incident reports. The primary mission of CSIRT is to help ensure company, system, and data preservation by performing comprehensive investigations into computer security incidents.

There are various types of CSIRTs. An internal CSIRTs is assembled as part of a parent organization, such as a government, a corporation, a university or a research network. National CSIRTs (one type of internal CSIRT), for example, oversee incident handling for an entire country. Typically, internal CSIRTS gather periodically throughout the year for proactive tasks such as DR testing, and on an as-needed basis in the event of a security breach.

• Security Playbook

Technology is constantly changing. That means cyberattacks are evolving too. New vulnerabilities and attack methods are discovered continuously. Security is becoming a significant business concern because of the resulting reputation and financial impact from security breaches. Attacks are targeting critical networks and sensitive data. Organizations should have plans to prepare for, deal with, and recover from a breach.

One of the best way to prepare for a security breach is to prevent one. There should be guidance on identifying the cybersecurity risk to systems, assets, data, and capabilities, protecting the system by the implementation of safeguards and personnel training, and detecting cybersecurity event as soon as possible.

When a security breach is detected, appropriate actions should be taken to minimize its impact and damage. The response plan should be flexible with multiple action options during the breach. After the breach is contained and the compromised systems and services are restored, security measures and processes should be updated to include the lessons learned during the breach.

All this information should be compiled into a security playbook. A security playbook is a collection of repeatable queries (reports) against security event data sources that lead to incident detection and response.Ideally the security playbook must accomplish the following actions:

• Detect malware infected machines.
• Detect suspicious network activity.
• Detect irregular authentication attempts.
• Describe and understand inbound and outbound traffic.
• Provide summary information including trends, statistics, and counts.
• Provide usable and quick access to statistics and metrics.

• IDS and IPS

An Intrusion Detection System (IDS), is either a dedicated network device, or one of several tools in a server or firewall that scans data against a database of rules or attack signatures, looking for malicious traffic. If a match is detected, the IDS will log the detection, and create an alert for a network administrator. The Intrusion Detection System does not take action when a match is detected so it does not prevent attacks from happening. The job of the IDS is merely to detect, log and report.

An Intrusion Prevention System (IPS) has the ability to block or deny traffic based on a positive rule or signature match. One of the most well-known IPS/IDS systems is Snort. The commercial version of Snort is Sourcefire. Sourcefire has the ability to perform real-time traffic and port analysis, logging, content searching and matching, and can detect probes, attacks, and port scans. It also integrates with other third party tools for reporting, performance and log analysis.

• Legal & Ethical Issues in Cybersecurity

Cybersecurity professionals must have the same skills as hackers, especially black hat hackers, in order to protect against attacks. One difference between a hacker and a cybersecurity professional is that the cybersecurity professional must work within legal boundaries.The area of cybersecurity law is much newer than cybersecurity itself. Most countries have some laws in place, and there will be more laws to come.

• Personal Legal Issues
  Cybersecurity professionals develop many skills which can be used for good or evil. Those who use their skills within the legal system, to protect infrastructure, networks, and privacy are always in high demand.
• Corporate Legal Issues
  Most countries have some cybersecurity laws in place. They may have to do with critical infrastructure, networks, and corporate and individual privacy. Businesses are required to abide by these laws.In some cases, if you break cybersecurity laws while doing your job, it is the company that may be punished and you could lose your job. In other cases, you could be prosecuted, fined, and possibly sentenced.
• Ethical Issues in Cybersecurity
  In addition to working within the confines of the law, cybersecurity professionals must also demonstrate ethical behavior.
• Personal Ethical Issues
  A person may act unethically and not be subject to prosecution, fines or imprisonment. This is because the action may not have been technically illegal. But that does not mean that the behavior is acceptable. Ethical behavior is fairly easy to ascertain. It is impossible to list all of the various unethical behaviors that can be exhibited by someone with cybersecurity skills.
•  Below are just two. Ask yourself:
• • Would I want to discover that an IT technician whom I trusted to fix my network, told colleagues personal information gained while working on my network?
• • Would I want to discover that someone has hacked into my computer and altered images in my social network sites?
  If your answer to any of these questions was ‘no’, then do not do such things to others.
• Corporate Ethical Issues
  Ethics are codes of behavior that are sometimes enforced by laws. There are many areas in cybersecurity that are not covered by laws. This means that doing something that is technically legal still may not be the ethical thing to do. Because so many areas of cybersecurity are not (or not yet) covered by laws, many IT professional organizations have created codes of ethics for persons in the industry.Below is a list of three organizations with Codes of Ethics:
  • The CyberSecurity Institute (CSI).
  • The Information Systems Security Association (ISSA).
  • The Association of Information Technology Professionals (AITP).

Sources :
Online Certification on Cybersecurity(www.netacad.com)
情報セキュリテイマネジメント試験  教科書（IT Security Management Test Textbook）
Online Learnings