
Saturday, March 07, 2009

 

I have moved to Process Notes, which is a forum. I may be adding content here from time to time, but the forum is a more interactive vehicle.



Wednesday, May 22, 2002

 

Back to Business. If you're exploring the feasibility of employing m-commerce or wireless-enabled systems I recommend reading Mobile Business Strategies: Understanding the Technologies and Opportunities. It's not overly technical, so if you are not up-to-speed in the technology (which is constantly and rapidly evolving) it will allow you to quickly learn the fundamentals. It's written to provide a basic, but complete, introduction to mobile commerce from a business strategy point of view. It helps you answer some fundamental questions, such as:
  • Does mobile commerce make sense as a part of our business strategy?
  • What does it take to implement it?
  • What have others done to be successful?
From the above the most suitable audience consists of upper management on the business side, marketing and IT/IS management. Upper levels of business management who are exploring how to integrate mobile commerce into the value chain, or develop a strategy for competitive advantage that taps into the proliferation of mobile devices (cell phones and PDAs) are going to benefit most from the following chapters: (2) Partnerships—the way to Success in the Mobile Era and (4) Corporate Applications: Aligning Mobile Commerce with your Business Goals.


Marketing will get the most from chapters (3) Consumer Mobile Commerce—Mass Market Solutions with Segmentation and (6) Portals—A Single Plate for Various Dishes. Another book that will serve marketing well is The Mobile Internet: How Japan Dialled up and the West Disconnected by Jeffrey Lee Funk because it provides deep insights into marketing issues, as well as how Japan's NTT DoCoMo became an international success story.

Both business managers and marketing will also gain keen insights from the case studies and scenarios that are used throughout the book to illustrate key points and show how others have successfully employed m-commerce solutions for strategic advantage or as service offerings.

IT/IS management will get a high level overview of the technical underpinnings, issues and factors associated with developing, deploying and maintaining m-commerce systems. The technical details are not deep, but are sufficient to gain a rough understanding of the scope and complexity of implementing and supporting m-commerce enabled systems.

If you are seeking in-depth technical details you will be disappointed. However, if you are among the target audience or have the goals I cited above you'll find this book to be one of the best in its genre for introducing the business and strategic issues surrounding mobile commerce.

If you are pursuing an M-commerce project and need to quickly get your staff trained, but lack the budget, see today's entry in Notes from the Field for an alternative that may meet your training and budget requirements. Also see my 12 May entry there for related resources.



Tuesday, May 21, 2002

 

Square Peg in a Round Hole? I usually discuss software engineering topics in Notes from the Field, reserving this weblog for IT management issues. This entry falls into a grey area. I recently evaluated Webgain Studio to determine how viable it is as a development environment. Since product evaluation and cost/benefit are topics that fit here I am going to summarize my findings because I was impressed with the package and its parts.

Webgain Studio is an ideal development environment for start-ups and small organizations that want to cost-effectively implement an entire development environment for Java development and web services. There are a few issues and factors that need to be considered, however, when considering Webgain Studio:

  • If you are not planning to align the many tools (more about them below) to a software engineering process, you'll probably not benefit from this package. This is because the components that ship with it are designed to work together as a process-oriented environment.
  • Some of the components come with single-seat licenses, and the database that ships with it (PointBase) is only licensed for internal use (you have to negotiate separate licenses with PointBase if you want to use it with your product, either for internal end users or external customers).
  • The learning curve is steep because this is really a bundle of tools, many of which come from other vendors.
This bundle includes:
  • Visual Cafe (enterprise edition), which is a J2EE-compliant development environment that supports JSP, EJB and servlet development for multi-platform targets. It also has integrated UML modeling, JSP debugging and code optimizers. It also comes bundled with TurboXML and Dreamweaver Ultradev, rounding out the development environment with all of the major tools for developing web services and large-scale applications. See below for more about Visual Cafe.
  • StructureBuilder, which allows you to model and generate code using UML. It is very tightly integrated into the Visual Cafe suite.
  • Business Designer. This is one of the best features of the Webgain Studio bundle and the one that requires a mature software engineering process in order to realize the full benefits from the bundle. The main purpose is to manage requirements and team collaboration. I've discussed Business Designer 2.0 in more detail below.
  • Quality Analyzer. This is a software auditing and quality assurance tool that collects and analyzes life cycle metrics. It is not an automated test suite, so you are going to need to add those tools to your environment (i.e., WinRunner, etc.). It will do whitebox testing to examine code coverage and has over 50 pre-defined rules for error checking.
  • BEA WebLogic, which has become a standard J2EE execution platform. While the version that ships with this bundle almost self installs, it comes with a steep learning curve. You also get only a single developer seat license. On the value side of the equation, though, if your development plans include WebLogic this feature alone will save you a substantial amount if you invest in Webgain Studio.
Overall, this bundle puts a full-scale, process-oriented development environment within the reach of small companies that are budget constrained. In many ways it compares favorably to IBM's WebSphere and the Rational suite of tools, and certainly gives developers everything they need to be productive. What I like is the fact that Webgain has not just thrown together a collection of tools, many of which are from third parties, but has paid close attention to integrating them. In that respect the whole is greater than the sum of its parts. It supports the Rational Unified Process and other iterative development life cycle approaches, and also provides the tools to support CMM Level 2 key process areas. These reflect how well Webgain thought through the workflow integration as well as the technical integration of the tools.

Key Parts. Visual Cafe 4.5.2 Expert Suite is a full-featured development environment that is the core of Webgain's Studio suite (see that product for more details).

It contains a complete, open J2EE development environment, with debugging tools and VM support for JDK 1.3, 1.2.2 and 1.1.7a. It also comes bundled with TurboXML and Macromedia Dreamweaver Ultradev, which rounds out the development environment.

While Dreamweaver Ultradev is sufficiently well known, TurboXML (by Tibco) is not and merits a description of features. It includes three modules, XML Authority, XML Instance, and XML Console, which combine to provide a standards-compliant development environment for creating and validating schemas and DTDs. In short, it's a complete workbench for XML development and validation, and also supports document conversion.

Visual Cafe also ships with a relational database from PointBase. This is a relatively full-featured RDBMS, but you need to be aware that it is only licensed for the Visual Cafe development environment. You will need to negotiate separate licensing directly from the PointBase vendor if you intend to deploy it with end user internal applications or products intended for external customers.

This expert edition of the product allows you to develop J2EE applications and web services. It's suitable for single developers and consultants. The Enterprise edition adds a single-seat license for BEA WebLogic, and an additional product called StructureBuilder, which allows you to model and generate code using UML. However, if you are looking for scalability and a more robust development environment I recommend bypassing the Enterprise Edition and looking instead at Webgain Studio, which contains these added components and much more.

Business Designer is a standalone product that is also bundled with Webgain Studio. It's designed to be a team-oriented requirements management package, as well as an integral part of a process-oriented software engineering approach that can align to the Rational Unified Process or similar iterative development life cycles.

What makes this program shine is the fact that it will integrate with Rational's ClearCase SCM product, as well as CVS and Microsoft's SourceSafe. Moreover, it can be configured to support project and development methodologies and team management. I especially like the role-based access control feature for managing content and code, because this adds a level of security that I have not seen in similar products (Rational's Requisite Pro, for example). The benefit is that you can keep company-sensitive information contained to only those who have a need to know. Considering the fact that many development projects employ consultants and contractors, many of whom are added to the team without extensive background checks, I think this feature sets Business Designer apart from the very few applications in its class.

I especially like the UML based workflow diagrams for business logic, which produce swimlane diagrams and the fact that you can attach files and annotations to them. This is a powerful feature that makes this a team-based requirements tool that captures and displays requirements based on business processes. More importantly, the swimlane diagrams mean something to business users who are major stakeholders, where the UML diagrams will be more meaningful to the developers. This separation of views, which caters to major stakeholder groups, is a major plus in my opinion. The fact that you can also capture business logic means that you can use this tool for business rules management.

Final Note. What I have not thoroughly investigated is the level of support that Webgain provides for the entire package, and that needs to be factored into your purchasing decision. From the features, and especially from the process-oriented design, Webgain Studio does appear to be a viable alternative to WebSphere and even Rational's suite of tools. This is especially the case for small shops or organizations that want to pilot J2EE development and web services projects.



Monday, May 20, 2002

 

I just pre-ordered a book called Building Operational Excellence that may be of interest to readers. Amazon has little information about it, but the Addison-Wesley description (including a sample chapter) sold me. Right now Amazon is selling it at 30% below cover price, so if this is a topic that interests you, the risk of pre-ordering sight unseen is mitigated by the cost savings.



Sunday, May 19, 2002

 

IT Quality. The recent theme in our sister weblog, Notes from the Field, is centered around software testing and test process improvement, and will be addressing software quality assurance and reliability in the next few entries. Notes from the Field is aimed more at the software engineering community, while this weblog is slanted towards project management and service delivery. However, there is inevitable cross-over, which is underscored in a book titled Customer Oriented Software Quality Assurance. I won't go into details here because they are amply given in my 26 January 2001 and Linda's 8 April 2001 reviews on Amazon.

Back to Business. In my last entry I listed resources that enable those of us in IT to better understand what is important to our business customers. Sometimes we have to take the path less traveled with respect to seeking knowledge from books. That path sometimes rewards us by coming full circle back to issues with which we struggle, and we benefit by understanding business issues as well as learning techniques that can be directly applied to IT.

Two such books are:

  1. Integrated Logistics Support Handbook.
  2. Sales Quality Audit.
While it may be immediately obvious how these books will help understand business processes, their value to internal IT may not be as apparent at first glance. To prove that I've not gone completely daft I'll explain.

My motivation for reading Integrated Logistics Support Handbook came from my extensive experience with material maintenance management during my 22 year career in the navy, and subsequent experience with integrated logistics in Department of Defense contracting. I used the first edition of this book as a reference when I was on a proposal team for a DoD contract, and found it to be one of the best references available because it distilled tens of thousands of pages of directives, instructions and related material into less than 500 pages. It covered the topic in sufficient detail to serve as an authoritative reference as well as to get other members of the team up-to-speed in ILS.

During subsequent consulting engagements for commercial clients I used many of the concepts and methods detailed in this book to outline requirements for automated materials and maintenance management systems. In particular, commercial business domains such as refinery maintenance or maintenance data collection and analysis are candidates for applying parts of ILS to commercial uses. This book then becomes more valuable to a wider audience than DoD contractors.

A second use for the concepts is the structured and proven approach to an encompassing systems maintenance management initiative within IT. For example, the use of logistics support analysis is a sound approach to planning enterprise-wide maintenance from a cost management perspective. Moreover, using a modified (and shortened) form of logistics support analysis records is a good foundation for enterprise asset management, as well as developing a reliability baseline.

I've been a consultant, both as an employee and an independent, since 1988. Considering the time that consultants spend in the pre- and post-sales portions of the sales cycle the book titled Sales Quality Audit seems like a sensible investment. In just 94 information-packed pages this book manages to not only cover the key points of auditing the sales process, but also gives excellent advice on the act of selling itself. My role was always in support of a professional business development manager, and before I read this book I came to believe that sales was an art and the best sales professionals were born into it. That may have some truth, but an across-the-board improvement in the sales process can be achieved if this book is followed.

The approach itself is straightforward:

  • Perform an "As-Is" analysis.
  • Develop performance standards.
  • Conduct a quality audit.
  • Use audit results to refine and improve.
The book gives critical success factors for sales quality assurance and also provides sales quality guidelines. It's a quick read, which should appeal to busy sales managers and especially the sales staff who probably spend much of their spare reading time trying to keep up with product specifications and industry directions (among other things).

However, this book is equally valuable to the IT professional who is involved with defining or implementing a sales force automation (SFA) system. The clear description of the sales cycle and critical success factors (audit points) are a good baseline for SFA requirements and workflow design. More important, the general sales information in this book will give the IT analyst keen insights into the sales business process area.

Follow the step-by-step procedures in this book and the entire sales organization will benefit - the naturals will not have their creativity or talents stifled, and the average performers will have valid performance standards and a well designed process to aid them in achieving higher sales. A key benefit from the approach is consistent customer satisfaction and ability to deliver as promised.

The moral is that valuable information and knowledge can be found in surprising places - all you have to do is think outside of the box when you find it.



Saturday, May 18, 2002

 

Business As Usual. In my 16 May entry I provided links to topics that span the IT and business domains, and are excellent resources for business systems analysts for understanding their business process owner constituents. One of the resources was a PowerPoint presentation on TQM, lean methods and 6-sigma. If that presentation piqued your interest you'll love iSixSigma, which is a portal devoted to 6-sigma. If the term has you scratching your head, you can check the short definition or a longer description.

One of the portal's highlights is the collection of articles that cover every industry and topic. For example, if you're a software engineer or project manager, the article titled Is Software Inspection Value Added? will be of interest. If you're more concerned with business or technical process improvement, the article titled DMAIC Versus DMADV gives insights as to which approach to take. DMAIC stands for Define, Measure, Analyze, Improve and Control. DMADV stands for Define, Measure, Analyze, Design and Verify. While they seem to be nearly identical there are major differences and the article explains them and gives situations in which to use one over the other.

Other interesting resources that business systems analysts, other IT professionals and project managers will find useful include:

The truth is out there. Enjoy the weekend.



Friday, May 17, 2002

 

Service and Strategy. I have once again fallen into that vortex of competing priorities swirling around and a negative time warp where I seem to be moving backwards in time with respect to the things I need to accomplish. The good news is this is going to be a terse entry that provides presentations and documents, but little commentary.

Service. The three presentations on service level management vary in depth and quality, but each is worth downloading and reading:

  1. Service Level Management.
  2. Making SLAs Work.
  3. Customer Service Management Architecture for the Internet.
Since my last entry opened the door to business-to-IT alignment, the following three presentations fit that topic area:
  1. Shangrila of ROI.
  2. Performance Measures for IT.
  3. Linkage of Performance to Business.
Good things do come in threes. Enjoy your weekend.



Thursday, May 16, 2002

 

First Things First. I've been searching for a Visio diagram that depicts the PRINCE2 Process flow and finally found it. Unfortunately, I do not know the name of the author who took the time to create this excellent resource, and who had the goodness of heart to share it. If you are the author, please let me know so I can give proper credit. I also have a WBS Reference Guide that shows how to develop work breakdown structures, which should be the foundation of any project plan.

More About ERP. Actually, the following presentations and documents are only loosely related to ERP, but are excellent resources for business systems analysts and will bridge that chasm between IT and business by providing insights into the processes with which the business side is concerned:

I sincerely hope that you find this material useful and it promotes closer business-to-IT alignment.



Wednesday, May 15, 2002

 

I've written more than a few entries about project management in the past two weeks. This entry is going to combine project management with ERP, and is appropriate because too many ERP projects either fail or cost far more than anticipated. The dependent variable in many cases is project management.

Allen Web's ERP Project Management Basics is a good starting point. He also has an informative page on planning ERP projects and a step-by-step recipe for succeeding in ERP projects. I also like his discussion about project failures and how to avoid them. Overall, the site is filled with general information that anyone who is implementing an ERP system will appreciate. If you're involved in a SAP R/3 implementation you'll want to carefully read his article on SAP R/3 Implementation Concerns.

If ERP architectures interest you the Purdue Enterprise Reference Architecture page is a discussion of the basic concepts for design and execution of enterprise and related systems of all types.

There are a few books that I highly recommend. They cover ERP in general, with no particular bias towards any of the systems on the market. My recommendations are:



Tuesday, May 14, 2002

 

I found three excellent project management resources while following up on some of the links that Mike provided last week:
  1. 9 Essential Project Management Success Factors.
  2. Project Management KnowledgeBank.
  3. SoftwareProjects.org, which has online courses, articles and links that are interesting and worth investigating.



Monday, May 13, 2002

 

Mike has been covering a wide range of topics lately, but his 11 May entry inspired me to give my thoughts about a few of the books he mentioned.

One, CyberRegs, is a complete primer on intellectual property and its value to the enterprise. Key issues that are addressed include:

  • Digital Millennium Copyright Act (DMCA) - this is probably the most important discussion in the book because it continues to be controversial.
  • Complete discussions of all aspects of intellectual property law as it pertains to cyberspace. The clarification of the protections afforded to patent holders that are not given to trademark holders is invaluable. In addition, I learned much about the value of patents and how a business model can be developed around patents alone. I particularly liked the discussion of patent ownership (employee inventor vs. company to which the patent was assigned). This alone makes the book worth reading.
  • Case studies - many of the case studies which are used throughout the book focused on pending court cases when the book was published. Many have now been resolved, the resolution of which opens more questions and further clouds issues. I'd like to see an update or second edition that provides closure.
  • Excellent introduction to technical issues. The author has a knack for reducing the key elements into easy-to-understand chunks of information that teach non-technical readers quite a lot about technology.
If you buy one book on intellectual property law from a cyber-business perspective, this is the one to get.

Probably the most influential book, and the one that covers the widest range of topics is Bruce Schneier's classic, Secrets and Lies. This book introduces security and privacy to technical and non-technical readers alike. What I especially like are:

  • Social aspects of security and privacy are addressed using the motives of attackers and broad profiles of attacker types, analysis of threats and countermeasures, and what it all means from legal and social perspectives.
  • Easy introduction to security infrastructures. The author imparts a good deal of technical knowledge without overwhelming non-technical readers.
This book may initially disappoint technical readers who have read Mr. Schneier's earlier book (Applied Cryptography), but I can assure you that the technical underpinnings are only part of the picture. This book gives a complete view of all aspects of security, and is invaluable because it raises awareness of all issues. It's all the more valuable because it can be read and understood by a broad audience. There are two other books that I recommend in addition to this one:
  1. Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community (Mr. Schneier wrote the preface to this book, which Mike reviewed on 11 April 2002 on Amazon).
  2. Richard Hunter's World Without Secrets: Business, Crime and Privacy in the Age of Ubiquitous Computing, which I reviewed on 21 April on Amazon.

Additional material that is related to these books includes:

In closing I want to echo Mike's sentiments: we miss you Kate!

 

Random Thoughts. This entry has two fuzzy objectives: (1) a warm-up exercise for some work that I need to get done, and (2) fill in missing pieces from the previous entries.

As-Is and To-Be. One mistake I see in one project after another is the quest to document an existing system before defining its replacement. Here are some rules-of-thumb that I use to determine whether or not the 'as-is' analysis needs to be performed. If:

  • The new system (or business process) represents a revolutionary approach (completely toss out the old for something radically different), the 'as-is' analysis is wasted effort. Reason: If conditions and requirements have so changed that a revolutionary approach makes sense the last thing you want to do is replicate old methods and processes in the new system. A better approach is to elicit and prioritize requirements for the new system, and these requirements should reflect business functions and imperatives that are driving the need for a revolutionary approach. In other words, approach the requirements phase within the context of business rules and features/functions that are required. If you approach it this way you'll be getting a fresh perspective and making a clean break from the past. Of course, there are technical aspects that need to be analyzed, such as system interdependencies, data structures, operational requirements and the like because rarely will an old system be tossed out and a new one magically take its place. Therefore, the 'as-is' analysis will support requirements for data conversion, batch job synchronization and comparing resource requirements between the old and new system (impact on network, service levels and up- and down-stream systems that will remain).
  • The new system (or business process) is evolutionary (i.e., process improvement, upgrade, etc.), then the 'as-is' analysis does need to be performed to determine how to best improve processes and the way upgrades will require changes in processes or infrastructure.
Considering that many projects are revolutionary in nature, time, resources and money are wasted documenting something that is being replaced.

Another fallacy is to document the status quo in preparation for a brand new system or business process. Don't waste your time - it only provides revenue for consultants. The time and money are better spent on tracing requirements to business imperatives and going forward from there.

One other fallacy is to spend time developing documentation for systems when commercial documentation is available. During one engagement I was tasked with writing database administration policies and procedures. At my billing rate the final product ran into the tens of thousands of dollars. Aside from the fact that the document shortly became shelfware, the client could have purchased any of a number of excellent books in the $40-60.00 price range, and decreed that the procedures contained within were to be followed as a matter of policy. Selecting and recommending the best book from the many that were in a local book store would have saved a significant amount of money. Even better would have been to ask the DBAs to agree on the best commercially-available book and use it. The sorry fact is that, as I write this, there are consultants who are developing UNIX, Oracle and [pick your favorite application, database or operating system] documentation when excellent books may already be available.

Learning to Think. The point to the above is that thinking is required. Not problem solving - thinking in a critical manner. Question the status quo and don't be misled by misdirection, fallacious arguments that have logical flaws or appeal to emotion. Perform a mental sanity check on approaches that are normal practices, but waste resources and shareholder value. A few months ago I read a book titled Turning Numbers Into Knowledge: Mastering the Art of Problem Solving. I was expecting a book about quantitative methods and advanced problem solving techniques. What I got, instead, was a book that didn't even discuss numbers until page 111 of a 221 page book, and it was light on problem solving techniques. Although it was not what I expected it turned out to be one of those rare books that deeply influences and provides fresh perspectives. The book led me on a journey that broke the process of critical thinking into manageable steps. Among the things I learned were:

  • Examine key factors, such as information, attention and action within the context of a cycle of actions that begins with goals, and moves through execution, how events in the external world influence the meeting of those goals, an evaluation and refinement of goals. Then the process starts anew.
  • Structured methods for getting organized. The techniques given are simple, yet powerful.
  • How to collect and critically analyze data and information, common fallacies and how to spot them. Two of my favorite parts that reinforce these are the single-page chart titled "What Scientists Say, and What They Mean", and Chapter 20 (Uncertainty Principle and the Mass Media).
  • The straightforward process of numerical analysis, using relatively simple math techniques to make sense of numbers and turn them into knowledge, is priceless. What makes this part of the book valuable is that the author integrates the preceding chapters that lead you to a critical thinking mindset with common sense and techniques that are within the grasp of high school students. It looks easy, but is testimony to the author's exceptional ability to communicate and inspire.
Overall this book is one of my personal favorites and one that I recommend to colleagues. Another book that complements this one nicely is Systems Thinking: Managing Chaos and Complexity. See Kate's 22 March entry for details about this book.

On that note I am officially starting my workweek. Best regards from Tustin, California.



Sunday, May 12, 2002

 

More Project Management Resources. In response to my 9 May entry a few readers recommended the following books, none of which I've read:

I have read and reviewed the following books, which I think are important:

Late Note 09:06 12 May. For work breakdown structures, as well as general functional decomposition, an inexpensive product called B-Liner will simplify what is an onerous task. The web site for this application also has interesting tutorials about work breakdown structure development and project scheduling, as well as how B-Liner can be effectively used.

 

Kate's Influence. Although Kate Hartshorn is engaged in other endeavors at the moment and won't be contributing her insights, her influence here has been significant. I am going to attempt to address topics that are in her expertise domain, but more importantly, want to assure everyone that she's doing exceptionally well. If you enjoyed her contributions here and want to show it, you can always surprise her with something from her wish list. Who knows, it may hasten her return.

Among Kate's areas of expertise are copyrights, trademarks and intellectual property. I've collected a number of books and software applications that either explain these important topics or assist in the management of the underlying processes, or both. For background material for the following software applications I strongly recommend that you read CyberRegs: A Business Guide to Web Property, Privacy, and Patents by Bill Zoellick (see Kate's 8 November 2001 review on Amazon for why this book is important) and Cyberlaw and E-Commerce by J. Carl Poindexter and David L. Baumer (see my 18 April 2002 Amazon review for details). These two books will give you the fundamentals of copyright and trademark law in particular, and the much larger picture of intellectual property in general. If copyrights or patents are topics of interest, then you'll want to consider one or both of the following software applications:

  • Official Copyright Software 1.53 by Official Software, LLC. This application makes applying for copyrights as painless as possible (the process will still be painful regardless, but at least you'll be avoiding a large portion of it). This package shields you from the legal mumbo jumbo and leads you through an interactive process of applying for a copyright. It does this using an interviewing process and assists with the completion of the following forms: PA, PA/S, TX, TX/S, VA, VA/S and Form SR, all of which are important and all of which can be completed interactively on your system. You also get Form CA for Corrections & Amplifications, and Form CON Continuation Sheet in the package.
    It also gives key information from Copyright Office circulars to assist you when filling in the form fields, and this is why your finished forms should be checked by an attorney before submission. The value of this program is that you can save many hours of expensive attorney time by doing the up-front work, which will minimize the legal costs of preparing and submitting a copyright application. As an added bonus this program also provides advice about how to use the copyright. The publisher also has specific online forms that can be used with this package that cover everything from music to architecture.
    It also covers copyrights for online works & websites.
  • Official Trademark Software 1.0, also by Official Software, LLC. It uses an interactive interviewing function to step you through the trademark process. The function selects the correct forms that you need, and identifies the classification under which you need to file and lets you know what needs to be included in the submission package.
    It also comes with editable forms from the USPTO, and advice (also from USPTO) for filling in the forms. As you fill in the forms using the interactive interview process you'll be building your submission package. The program also does online searches to ensure that your trademark is available.
If you're interested in both copyrights and patents, you can save by purchasing Official Intellectual Property Suite, which is both of the above programs bundled together. I want to add a caveat: these products allow you to do a lot of the groundwork yourself, but do not replace the professional advice of an attorney (I am NOT an attorney, but certainly know better than to wade into shark-infested waters without the benefit of legal advice).

If you do web or software development, or contract for these services, you'll greatly benefit from Web and Software Development: A Legal Guide. This book/CD ROM combination covers intellectual property from a developer's (and buyer's) perspective. It is both a tutorial in the basics and is filled with useful advice about all relevant issues, including employee and contractor agreements, trade secret protection, copyright rights (assignment, ownership and related issues), and how to protect all parties in a fair and equitable manner.

It covers contemporary issues such as domain names, web content and multimedia, making it especially useful to technical and non-technical readers.

In addition to clear explanations of complex topics and sound advice, this book comes with a CD ROM with a wealth of forms in RTF format (which can be edited in Microsoft Word and most other word processing programs). These 30 forms cover employee and contractor agreements, software and web development agreements, nondisclosure agreements, copyright assignments and license agreements and how to handle publicity releases and promotional materials in multimedia format. The latter is particularly challenging because not only are names involved, but also photos and often voice and video files, which you need permission to use if you don't own them; otherwise it becomes a privacy issue. If you perform or contract for web or software development, including content, then you need this book.

If you're only doing software development, a better book is Copyright Your Software because it focuses solely on what you need to know about software copyrights and how to go about obtaining one. In addition to covering the basics of copyrights, you're shown how to sell copyrights, what to do in the event of infringement, and the limits of protection that a copyright affords you. Note that patents offer much stronger protection. This book comes with the following forms:

  • Copyright Application for Software (Forms PA, VA and CA, Request for Special Handling, continuation forms, search request forms and cover sheets) that are explained in the book and are required to file for a copyright.
  • Eight sample forms in electronic format that are covered in the book.
The book is up-to-date (published in late 2001), easy to read, especially considering the thorny legal issues involved, and is complete enough to assure some degree of due diligence when researching copyright issues and making business decisions based on that research.

It's not enough to know how to protect your own work; you also need to know how to get permission to use the work of others, which is increasingly important in view of the issues surrounding deep linking and related challenges in a world where a simple HTML tag to someone else's work can bring legal problems. Getting Permission: How to License and Clear Copyrighted Materials Online and Off provides expert guidance that covers how to obtain permission, copyright research, what constitutes fair use, and how to legally use trademarks.

The book also clarifies the definition of "public domain" and what needs to be in a license agreement.

What makes this book especially valuable is that it comes with 32 forms that range from standard photo use and test use permission to linking agreements, interview releases, art for hire and more.

The other side of obtaining permission is controlling permission. We've all signed a nondisclosure agreement at one time or another, but did we understand what we were signing? Another gap is making presentations or providing information that discloses trade secrets, or business-sensitive information that you should be protecting with a nondisclosure agreement. Nondisclosure Agreements: Protect Your Trade Secrets and More covers the topic of NDAs, as they are affectionately called, in detail. This book explains how to protect yourself from both employees and competitors, as well as from potential business alliances (contractor/subcontractor, suitors in a merger or acquisition to whom you expose sensitive information, and clients to whom you make presentations and reveal processes and other sensitive information).

Key topics of importance that this book covers include:

  • How much protection an NDA affords you.
  • Remedies available to you if the NDA is violated.
  • Alternatives to NDAs.
It also covers non-compete agreements and their limitations, especially in certain states, and gives example NDAs for specific situations such as beta testing, customer data, etc. The accompanying CD ROM provides fifteen sample forms that can be used with little or no modification (although I recommend that all be checked by an attorney who specializes in intellectual property law and is familiar with nuances of the law in your state).

We're almost coming full circle with NDAs, because the next natural topic is privacy. Kate reviewed Secrets and Lies: Digital Security in a Networked World on 8 November 2001, and I thought her review was far more cogent and insightful than the 3 January 2001 review that I wrote. If you want to read a book that examines the technical and human aspects of security, this is the best there is. It certainly addresses privacy issues, but that isn't the main theme of the book. A better book on threats to privacy is World Without Secrets: Business, Crime and Privacy in the Age of Ubiquitous Computing, which Linda reviewed on Amazon on 21 April 2002. Where Secrets and Lies covered the social and technical issues, and took a threat identification and risk management approach, World Without Secrets is more focused on social issues surrounding privacy.

Matt Curtin is the author of a book titled Developing Trust: Online Privacy and Security that blends the best of Secrets and Lies and World Without Secrets. This book examines the social, legal and technical issues surrounding online privacy. Not only is the consumer side of privacy examined, but the business side from a marketing point of view is also discussed to present a balanced view of the key issues from both sides of the equation.

Mr. Curtin is an expert in privacy and security issues, as well as cryptography and security technology. The approach he takes in the book is to explain both the theory and concepts of privacy in social and legal contexts, and to examine the threats and exposures. From there he leads you through the design of a solution that starts with principles, then a thorough examination of the underlying online technologies and how they work for and against you. An obvious example of one technical element that works for and against you is the 'cookie', which can provide a major convenience (it remembers you and your preferences) and an invasion of your privacy (it remembers you and your preferences - and can also 'stalk' you in a manner of speaking). How to best balance the strengths and weaknesses of not only the technology, but also the business imperatives driving commercial uses of the internet, is addressed.

This is an important book and earns a solid place alongside the popular Secrets and Lies, and the newer World Without Secrets.

Kate, we miss you.



Friday, May 10, 2002

 

PRINCE2. Because I believe in the superiority of PRINCE2 over the PMI approach discussed in my last entry I want to provide a few links to educate readers who are not familiar with the UK standard for project management. As mentioned in my last entry, Linda and I reviewed a book titled Prince 2: A Practical Handbook in which we both discussed how PRINCE2 compares to the PMBOK.

In addition to the official source of PRINCE2 and the PRINCE2 user group given in the last entry, the following are resources which will reveal the inner workings of the method:

The last resource has many interesting documents, including an excellent PRINCE2 Briefing Document available for free download, and a clear description of PRINCE2. You can also purchase Understanding PRINCE2 by Ken Bradley, which is one of the best books I've read on the subject.

A quick overview of PRINCE2 is shown in the following illustrations:

You'll also find information about PRINCE2 on the old Project Management Newsletter page that we haven't updated in ages, but keep around because of the traffic it receives.



Thursday, May 09, 2002

 

Project Management: Getting a Handle on Learning How. This entry is going to be long because it's a culmination of answers to frequently asked questions about what should be a straightforward subject.

The Basics. Although we've addressed this topic in many previous entries there are a few basics. First, project management has three elements (PMBOK processes notwithstanding):

  1. Planning - defining scope, developing work breakdown structures, analyzing activities, identifying risks, estimating costs and resources, and identifying stages.
  2. Scheduling - who does what when, ensuring that there are no resource conflicts, and assigning resources in the most efficient manner.
  3. Control - managing cost and schedule against the baselines (planned vs. actuals), resolving issues, managing identified and emergent risks, reporting status and managing quality, deliverable turnover and stage completions.
There are two internationally recognized approaches to project management:
  1. The Project Management Institute's (PMI) Project Management Body of Knowledge (PMBOK) that is described in the Guide to the Project Management Body of Knowledge, which is the American National Standard classified as ANSI/PMI 99-001-2000. Linda and I both reviewed the PMBOK 2000 on Amazon. To an extent the 1996 version remains valid (it remains the Institute of Electrical and Electronics Engineers (IEEE) standard 1490-1998).
  2. PRINCE2, which is the UK standard and, in my opinion, a more effective approach than what is set forth in the PMBOK. Two sources of PRINCE2 information are the official PRINCE2 page that is maintained by the British Government, and the PRINCE2 User Group. If you want a quick summary and to also see how PRINCE2 stacks up against the PMBOK, read my and Linda's reviews of Prince 2: A Practical Handbook that we posted on Amazon on 29 and 30 June respectively. In the next few days I will write an entry that is focused solely on PRINCE2.
What Project Management Entails. I won't rehash it here because I wrote a fairly lengthy piece about project management in my Friday, February 22, 2002 entry here.

Resources. The best software and books on project management depend on the types of projects that you manage and your present level of expertise. If you're managing simple projects, such as relocations, upgrades and other common infrastructure projects, you'll find the approach set forth in Getting Started in Project Management by Paula K. Martin and Karen Tate useful. See Linda's 15 December 2001 or my 17 December 2001 review to see why we so highly recommend this book, especially to occasional project managers. It does not bog you down in unnecessary details or overly complicate project management. Your most effective tools are an Excel spreadsheet and checklists for those kinds of projects. One of the best project management programs for small, uncomplicated projects is CAN-PLAN, which was developed by William McMillan. The software is free, but is commercial quality.

If you're managing complex projects you'll definitely want to read Visualizing Project Management by Kevin Forsberg, Howard Cotterman and Hal Mooz. This is the book that Linda and I recommend to beginners and experienced project managers alike, and is, in our opinions, the best book ever written on the subject. See Linda's 16 March 2001 review (well worth reading) and my 7 December 2000 review for details. Our preferred tool is Project Control Panel, used in conjunction with SureTrak Project Manager. If you're managing complex projects that span the enterprise, or multiple projects, the best tool is Niku Workbench, formerly ABT Project Workbench, and part of a more comprehensive suite of enterprise-strength project and program management applications called Niku Portfolio Manager. This suite is used in IT departments of all of the top international companies and many of the top consulting firms, and is to IT project management what Primavera's P3 is to the construction industry - the de facto standard.

If you are a seasoned project manager seeking advanced skills I recommend Total Project Control by Stephen A. Devaux. This book extends beyond control to encompass three important areas that begin with project selection, and adds to how projects are planned and scheduled. These areas are:

  1. Set of tools and approach for governance and program management.
  2. Adds profitability as a dimension to project management.
  3. Proves that critical path method (CPM) is not an anachronistic technique - merely one that's misunderstood.
Governance and program management tools that the author introduces are powerful and ensure that project selection is based on profitability and business goals. While there is an entire body of knowledge on project selection techniques, what sets Mr. Devaux's approach apart is that his tools are incorporated into the project management process as opposed to merely initiating it. The tools are:
  • [Devaux's] Index of Project Performance (DIPP), which is one of the most powerful project selection and prioritization techniques I've encountered. DIPP is especially applicable to product-based projects because it computes the cost of lost opportunity and the impact of being late to market. For internal projects it provides a clear link to business imperatives, which can bridge the gap between IT and the business.
  • [Devaux's] Removed Activity Gage (DRAG). Overlook the fact that the author loves to name techniques after himself because this is an advanced technique that accurately computes the amount of time an activity adds to a project (or can save if the activity is removed). This technique is a powerful addition to the project manager's array of tools for schedule compression and resource management.
  • Doubled Resource Estimated Duration (DRED) is a measure of resource elasticity; in other words, some activities cannot be shortened by adding resources and others can. DRED allows you to determine the best use of your resources.
  • Cost of Leveling with Unresolved Bottlenecks (CLUB), which is another advanced technique for schedule management, and, used in conjunction with Resource Availability Drag (RAD) and DRAG, gives credence to Devaux's argument that the critical path method is a powerful element of project management.
This book also has much to offer to anyone who has just been placed in charge of a program management office (PMO). One note: Devaux is given to hyperbole at times. He makes claims that traditional project management techniques, such as earned value project management, are flawed, yet he bases his approach on them. Look beyond this because his approach is powerful and works in practice.

Software Project Management: A Unified Framework by Walker Royce is another source of advanced project management techniques, especially for software project management. If you aren't versed in advanced project management techniques this book will be overwhelming. More important, you may pick up misleading information. However, if you are a battle-scarred veteran of software development projects and have a full understanding of earned value project management, estimating techniques and development life cycles you'll learn much from this book.

The highlights are:

  • A project life cycle and process framework that is [obviously] closely aligned to the Rational Unified Process (RUP), and can be fitted to any rapid development or iterative approach.
  • An excellent tutorial on effective project controls, with an emphasis on earned value project management.
  • In-depth coverage of estimating techniques, with a lot of material on the constructive cost model (CoCoMo), current gaps in estimating techniques, and, in the discussion of next-generation cost models, where the craft and science of estimating and software economics need to evolve. I especially like his distinction between the use of source lines of code metrics for size and function points for scale. There is middle ground.
  • The treasure trove of metrics, including core project metrics, and the change metrics that are given in Appendix C.
There is one glaring flaw in this book and an experienced project manager will quickly spot it: the proposed approach of basing work breakdown structures on project phases instead of the decomposition of the system to be delivered will not work. Using Royce's approach there is no clear way of integrating the work breakdown structure with the organizational breakdown structure. Using earned value techniques (which are well covered elsewhere in the book) Royce's approach will not align control accounts (sometimes called cost accounts), making his recommendations contrived and unworkable.

This book is better suited for an architecture-centric approach to project management, which means that it's more applicable to product development instead of internal IT projects. See A Practical Guide to Feature-Driven Development for an approach that is better suited for internal projects. That said, I think that this is one of the best books on software project management and one that every seasoned PM should read.

There are two final books that are essential to organizations that are either project-driven or have program management offices:

  1. Strategic Planning for Project Management Using a Project Management Maturity Model by Harold Kerzner. Linda's 15 August 2001 review on Amazon says it all.
  2. Project Management Scorecard by Jack J. Phillips, Timothy W. Bothell and G. Lynne Snead. This book is ROI-focused and integrates the people and process elements of project management with a balanced scorecard approach. One of the authors, Jack J. Phillips, has extensive experience and a large published body of knowledge in the domains of HR, ROI and scorecard development. This book has his touch, and covers the essentials of a mature project organization, what to measure and how to measure it.

    The approach is as follows:

    1. Measure:
      • reaction and satisfaction
      • skill and knowledge churn during the project
      • implementation and progress metrics throughout the project
    2. From the metrics capture:
      • business impact data
      • ROI
    3. Identify both tangible and intangible benefits and apply them to an aggregate 'true cost'
    The book also shows how to translate business metrics to dollar values, build a business case, and communicate status, based on the scorecard, to clients and stakeholders.

Where Next? We have a number of resources about project management that you're welcome to use. Among the best are a special project management page, the old Project Management Newsletter that Linda and I used to publish, and a project management discussion forum that we established (but doesn't seem to attract much discussion). You should also surf through the other pages that we maintain via our main site. Nearly every one of the single-topic pages has some project management material.



Wednesday, May 08, 2002

 

Availability. Linda and I are now available for consulting assignments, either as a team or individually. Marcia Hopkins will be available in early June. A summary of our experience and qualifications is available on the TEAM Zarate-Tarrani page.

 

Temporary Absence. Kate Hartshorn will be conspicuously absent for an indefinite period while she is engaged elsewhere. Kate's contributions here were interesting and well-written, and will be sorely missed. I'm looking forward to her return as a constant and permanent addition.

Choices? I read an interesting article by Jason Brooks in the 6 May issue of eWeek titled OpenOffice.org: Serious Suite Alternative. It appears that Sun's StarOffice has an open source sibling called OpenOffice and it's growing into a serious alternative to Microsoft's Office suite of applications.

IT Audit and Security Resources. The following links lead to sites that make available a wealth of material on IT auditing, security, governance and related subjects:

Compass America is another source of whitepapers that I've had bookmarked for a long time. The range of topics is wide and the papers will be appreciated by anyone who is interested in IT process improvement.



Tuesday, May 07, 2002

 

One often overlooked aspect of IT security and service delivery is the importance of facilities management. From an IT security point of view the physical security of facilities is as important as the logical security and administrative measures that are the heart of most security strategies. In the service delivery domain facilities play a large role in reliability, which in turn directly affects availability.

Linda's 19 March 2002 Amazon review of Enterprise Data Center Design and Methodology by Rob Snevely touched upon both aspects. A few years ago she and I wrote facilities management policies and procedures for a CLEC (competitive local exchange carrier) and we both wish this book had been available at the time.

Fortunately we did save our research notes, and equally fortunate is the fact that our next assignment together was developing a recovery management whitepaper, which tied many of the pieces together. Linda was the lead consultant for the whitepaper, but she and I jointly did a storyboard, which led to another idea that took the form of survival level objectives, which led to an unfinished idea called BASIS. Along the way we also became interested in reliability and maintainability and the related failure mode effects analysis techniques.

The Odyssey brought us back to facilities, and we have maintained an acute awareness of its importance. To that end there are two documents that will get you up to speed with the complexities, issues and factors associated with data center facilities management:

  1. Building a web site (also available in PDF format). This document covers logical and physical aspects of the data center and associated infrastructure.
  2. Data Center Planning Guide from Sun. This document covers the physical aspects and goes into detail about site selection, building characteristics, power, environmental controls and other factors that need to be considered.
As you dig deeper into facilities management you'll encounter the acronym, RCDD, which stands for Registered Communications Distribution Designer. The RCDD certification program is sponsored and governed by BICSI, a not-for-profit telecommunications association that is internationally recognized. If you explore BICSI's site you'll find conference proceedings and presentations, a resource library and links to related sites. If you work in IT security, operations, business continuity planning or infrastructure the material on this site is valuable.



Monday, May 06, 2002

 

Sanity and Scaling Back. When I recommended Information Security Policies Made Easy in my 4 May entry someone asked me if I had lost my mind for recommending a $595.00 book. The answer is no, and if I did it's no problem because I have it backed up and stored in secure off-site storage. Seriously, the book will save a significant amount of time and will quickly pay for itself.

However, one can go broke saving money, especially if there are more important priorities that should be funded first. An alternative is to purchase a copy of Writing Information Security Policies by Scott Barman. This $34.99 USD book is a fraction of the price and will give you the information and approach that will assure well-written security policies. Of course you'll have to write them from scratch, but the book's accompanying web site contains a wealth of support material.

Another book that shows the big picture is Thomas R. Peltier's Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. We've mentioned Mr. Peltier in earlier entries, and this book is one that every security professional should own.

I'll end on that note because I have a scheduled back-up to perform.

 

Princely Artifacts. I've discussed the UK project management standard called PRINCE2 in previous entries, and have a large number of PRINCE2 documents on my old Project Management Newsletter page. I've recently come across sample PRINCE2 foundation exam questions and the answers, and sample PRINCE2 practitioner exam questions and the answers that will be useful to anyone who is pursuing certification in PRINCE2. There are good reasons to do so if you're doing business or consulting internationally because PRINCE2 is recognized in countries where the Project Management Institute's Project Management Professional certification is given less weight. In addition I have a glossary of PRINCE2 terms that will prove useful. This Zip archive contains the MS Word glossaries in Arabic, Dutch, English, German, Italian, Japanese, Mandarin and Spanish. Enjoy.



Saturday, May 04, 2002

 

Risk management is a much discussed topic here, and one of the better books on this topic that I've recently read is Effective Risk Management: Some Keys to Success. This book is for risk management professionals, or those who work with risk management (project managers, IT security and business continuity professionals and engineers) who want or need to master advanced risk management techniques based on real world issues and factors. Although the book is focused on risk management from a DoD contracting perspective, the material is applicable to commercial organizations as well. The author provides an appendix that compares DoD contracting and commercial environments to ensure that this book has a wide appeal (A Comparison of Risk Management for Commercial and Defense Programs). Obviously if you work in the DoD contracting industry this book is going to be more applicable.

The book begins with an introduction that discusses risk management, why it's needed and what it is. I felt that this material was too basic for an advanced book, but the subsequent chapters quickly got to the heart of the subject by providing the details for an implementation life cycle of an effective risk management process that consists of:

  1. Implementation
  2. Planning
  3. Identification
  4. Analysis
  5. Managing risks
  6. Monitoring
What makes this book valuable for real world practitioners is the pragmatic advice for developing a risk management process that is based on the lessons learned by the author and best practices. In fact, there are over 250 such lessons learned. These alone make the book worthwhile for even the most experienced practitioner because there are sure to be many that you may not have considered. In addition to the best practices, the author provides pitfalls common to risk management and how to avoid them.

Another aspect of this book that adds value is the use of readily available tools, such as Microsoft Excel, and popular simulation software (CrystalBall) to reinforce the techniques that are described in the book. Overall this is one of the best books on risk management that I own because it goes into deep detail and covers advanced topics. It also is practical instead of theoretical, which sets it apart from most risk management books. See my 3 May entry in Notes from the Field for descriptions of tools that you will find useful with the probability computations that are required to effectively compute risks.

 

Essential Security Resources. If you develop security policies and procedures you need to seriously consider investing in a copy of Information Security Policies Made Easy. The 1175 policies contained in this book are also provided in soft copy on the accompanying CD ROM, making this one of the most valuable resources to companies that need to cost-effectively develop and implement policies. This book is also particularly valuable for consultants, although the licensing appears to restrict the use of the policies if they are used verbatim. However, each of the policies is too generic to be used as is, so for consultants their value is the key elements and discussion of each.

Unlike other collections of security policies that I've purchased, this collection is up-to-date and addresses contemporary requirements. Among the specific policies in this collection are those that address:

  • HIPAA (Health Insurance Portability and Accountability Act), which is a high priority requirement in the health care industry
  • Gramm-Leach-Bliley Act for US federal government organizations
  • European Union Data Protection Directive, which makes this book as applicable to European readers as it is to US audiences
In addition, the policy collection addresses issues such as social engineering, digital signatures and public key infrastructures, which show the breadth of topics covered. It also addresses credit card fraud, internet use policies (another hot topic) and network and internet security.

What I like is the fact that the book is much more than a collection of policies - it also discusses implementation and enforcement issues, and contains checklists for developing (or tailoring) and implementing the policies.

On the topic of value: this book contains 18 core policies that should be in place regardless of company type. These alone would take between 150 and 200 hours to develop. Using the fully loaded rate of in-house experts it's easy to make a business case for buying this book because these 18 policies alone would cost more to develop from scratch than the cost of the book. If you are using consultants the cost savings will be dramatic. In addition to this book I recommend investing in the author's other book, Information Security Roles & Responsibilities Made Easy, which completes the picture for developing an effective security organization and posture.

This book, Information Security Roles & Responsibilities Made Easy, is the other half of Information Security Policies Made Easy discussed above. What makes this book complement the policy book is that once the policies are written they are useless without defined roles and responsibilities assigned to manage and enforce them.

Included in this book (and in soft copy on the accompanying CD ROM) are organizational mission statements that form the framework for policies, job descriptions for major security role players, and organizational structures with reporting relationships.

The book does not merely present the roles and responsibilities - it goes into the hows and whys, and steps you through the definition and development of a security function in which the roles and responsibilities are defined. More important, the author does not use a canned approach, but provides alternative structures that will allow you to develop and implement the organization that is best aligned to your company. This is one of the most practical and flexible approaches I've seen, and shows the author's extensive experience and realistic attitude. Equally important is the fact that small companies are also addressed, making this book valuable to organizations of all sizes.

You're stepped through the process of identifying your requirements, tailoring the documents provided on the CD ROM to reflect those requirements, and given an idea of the time and resources needed to implement them. In addition to the documented roles and responsibilities and organizational structures provided, this book also covers (and the CD ROM provides) pamphlets to promote security awareness, memos, forms, action plans, a sample security manual and standards, and other documents that will be needed to effectively implement a security organization.

The chapter on common mistakes is worth its weight in gold, as are the appendices, which cover staffing levels, qualifications (this is valuable to HR), and IS security metrics.

Regardless of company size or scope of your security organization, this book will save literally hundreds of hours of research, document development and planning. Even for a small company of 25-100 employees this book will pay for itself many times over, and for a large company the value that this book (and the companion book I mentioned above) represents can run into the tens of thousands of dollars.



Friday, May 03, 2002

 

I've been discussing process improvement and business value. I found a book that combines the two in a neat, coherent package: Software Process Improvement: Concepts and Practices. The value of this book is that it examines software process improvement from the perspective of business value instead of why it makes sense from a software engineering process point of view. I found this refreshing because too many books on this topic are focused on the technical advantages and give lip service to business benefits, if they are mentioned at all.

Another interesting aspect of this book is the chapter on using the Capability Maturity Model with small projects and/or in small organizations. The discussion shows how a heavy process improvement approach can be effectively used to good advantage in scaled-down environments. Considering how many large organizations are struggling with implementing the CMM this chapter alone makes buying this book worthwhile because it shows how to get a handle on the daunting task of implementing the CMM.

Parts of the book that I especially like are: Communicating Project Drift Through Cost/Benefit Scenarios and Linking Strategies To Organizational Goals. Another strong chapter is Technical Infrastructure for Process Support, which provides clear direction for implementing a process-based paradigm.

This book is not a primary text on the subject and is probably not the first that someone new to SPI should turn to (I recommend Successful Software Process Improvement by Robert B. Grady as an introductory text), but is full of practical ideas for someone who works with SPI.



Thursday, May 02, 2002

 

The newest issue of CrossTalk is out. Although I normally post new issue announcements for this excellent magazine in Notes from the Field, the May issue is more in line with recent discussions here. The top articles in the May 2002 issue are:
  1. Best Practices
  2. Software Engineering
There is also an Open Forum article of interest titled Information Security System Rating and Ranking by Dr. Rayford B. Vaughn Jr., Ambareen Sira, and Dr. David A. Dampier. You can download this article for off-line reading.



Wednesday, May 01, 2002

 

It seems that I make an entry and it turns into a series. The MS Word document titled A Business Goal-Based Approach to Achieving Systems and Software Engineering Capability Maturity neatly connects the dots between business processes and software engineering.

Related to process and the earlier series on project management, Measurement Based Guidance for Software Projects adds metrics and process to project management. Measuring Process Improvement is a more general document that is applicable to both IT and business. However, in order to improve processes you must first understand the process being analyzed as a candidate for improvement. One characteristic that most processes share, and one of the more common improvement drivers, is cycle time - how long it takes to complete the process. Time is, indeed, money. The Cycle Time Improvement Guidebook is about engineering process improvement. While it is not strictly a business- or IT-specific guidebook it contains all of the essential information and a strategy for identifying improvement opportunities and how to exploit them.



Tuesday, April 30, 2002

 

More on Process. I place process above all else. Tools without processes frequently turn into shelfware and are a monument to poor management practices, abysmal leadership and the major disconnect between IT and business imperatives. Once processes are in place they cannot remain static, or they will soon become monuments themselves - monuments to lethargy, not invented here syndrome and source material for Dilbert cartoons.

There are books, articles and philosophies devoted to process improvement. Pick one. However, if you are sincerely searching for a workable approach The Purpose Driven Process Improvement Guidebook may have what you're seeking. I was impressed with the approach and found the PowerPoint presentation on purpose-driven process improvement to be a quick-start introduction. Another excellent view of process improvement is the 5-step approach by the same authors who created the Purpose Driven Process Improvement Guidebook. Highly recommended.



Monday, April 29, 2002

 

Linda and Kate covered service delivery in their recent entries while I addressed project management and metrics. The following documents will, in many ways, tie together these disciplines:



Sunday, April 28, 2002

 

My entry on 25 April wrapped up thoughts and associated documents on project management. This entry's theme is metrics. There is a direct relationship between software project management and metrics, as well as between service delivery and metrics. A good place to start is Practical Approach to Software Metrics, which is a primer. Also see previous metrics entries because this is a recurring topic.

Metrics need to be placed within a context of the development life cycle. An interesting approach to life cycles is the hybrid process model that combines the spiral and waterfall life cycles. This is but one example and certainly not the only viable model. However, you have to credit the authors for creativity and some excellent ideas. Armed with a primer and one model that incorporates two common life cycles into a hybrid, the next step is to survey metrics practices. This document presents best practices that you can learn from to develop (or improve) your metrics program. If you want to assess your metrics posture the Excel metrics self-evaluation tool will give you a baseline and the basis for launching a process improvement initiative.



Saturday, April 27, 2002

 

I've dredged up more documents that apply to service delivery in one or more ways. Each is from the GartnerGroup and each is short and focused:



Friday, April 26, 2002

 

Kate's entry caused me to remember that I have recent ITIL resources to share. ITIL Tools to Manage IT is a collection of links that all service delivery professionals will find valuable, but are particularly applicable to ITIL practitioners. I also like the way that ITIL-compliant service processes are depicted in the well designed IT services page. If you're a help desk professional you'll probably relate to the article titled Managing IT Rage (Help for the Help Desk). Besides the loud ring of truth, this article combines advice for maintaining composure while delivering the high quality support services that are intended by the ITIL.



Thursday, April 25, 2002

 

In my entry in Notes from the Field today I discussed privacy as it related to presence and availability management. If you read my 25 April entry there you'll see initiatives sponsored by the IETF IMPP Working Group and the Presence and Availability Management Forum. Those are not the only two groups that have emerged with privacy-related initiatives and proposed standards. An article titled Implementing privacy/preference policies with P3P introduces the W3C standard titled Platform for Privacy Preferences (P3P). This is an XML standard that describes the privacy and/or user preference policies for a Web site. Personally I applaud the recent activity by these groups to establish standards to assure privacy - something that may be sorely missed if the Liberty and Passport factions proceed unchecked.

Mike and Linda frequently write about the ITIL, service delivery and related topics. Until I joined TEAM Zarate-Tarrani my career path was a straight line in the knowledge management and competitive intelligence areas. Since joining the team I've been more involved in the service delivery domain, and it turns out to be a natural fit. Two documents that gave me the points of reference I needed to change direction are Delivering High Quality Service, which explains the goals of the International Service Management Forum, and a PowerPoint presentation on the ITIL essentials. Where my skill base allows me to fit in and to grow as a service delivery professional are the direct connection between managing knowledge and providing support services, and the process analysis and reporting that service level management requires. The latter is similar to competitive intelligence, with the difference being my information gathering and assessment activities will be directed inward towards the service delivery process. In addition, my competitive intelligence background will serve me well in benchmarking to best practices and the security knowledge areas of the ITIL.

An example of how competitive intelligence relates to service delivery is shown in eShopper Modeling and Simulation. This paper is a classic example of the grey area between competitive and business intelligence, but is also an approach that a skilled service delivery professional would take in establishing business patterns that can be used as the basis for service level objectives. Another example is a typical source document that a competitive intelligence specialist would use: Understanding Web Performance. Yet another competitive intelligence source document that is as applicable to service delivery as it is to surveying best practices and trends is Strategy for Exploiting Improvement. The bottom line is that it's not a great leap between the skills and experience I've accrued and those that I'll need to perform effectively as a service delivery professional.

 

Ending Notes: Project Management. My last two entries covered various aspects of software project management. I'll end the series (which didn't start out as a series, but managed to become one anyway) with these documents:

One of the best books, in my opinion, on software project management is Software Project Management: Unified Approach by Walker Royce. This book is especially valuable if you're using the Rational Unified Process, but will be applicable to any software development project regardless of methodology. My only complaint about the book is the way it addresses work breakdown structures, but I'll go into that particular issue in a future entry in the form of a book review.



Wednesday, April 24, 2002

 

More on Project Management. In my last entry I shared documents that will pave the way to sound software project risk management techniques. In this entry I have documents to share that will further strengthen the foundation of software project management. The context for software projects can be captured in software development rules of thumb and software project success factors. These two documents can effectively serve as primary guidelines for all software projects, and if followed will increase your awareness of what does and does not work. Another document that every project manager should read is Prevent Software Project Surprises. This document ties back to my previous entry about project risk management. Forewarned is forearmed.

A good article on the basics of estimating is Unreasonable project estimates: Find the cause, effect a cure by Kurt Linberg (he has authored other project management articles that are well written and hit the mark).

Project management consists of planning (includes estimating), scheduling and control. Success is measured, and for scheduling the document on team-driven scheduling metrics provides sound advice on what needs to be measured. Additional resources on risk, scheduling and control can be found on our old project management newsletter site. This page is no longer updated, but contains a wealth of valuable information.



Tuesday, April 23, 2002

 

Project Risk. Managing software project risks is often discussed, but too often misunderstood. One of the unfortunate problems is that IT professionals side-step the math and assign arbitrary ratings that have no basis in reality. The net result is miscalculated risks with no quantifiable impacts. A starting point is to brush up on probability, and Simple Measures of Success will step you through the basics. This Word document not only covers the fundamentals of probability, but also covers statistical process control charts.

After you get up to speed with the relatively simple math, What is Software Risk Management? will nudge you towards applying it in a practical way. The finishing touch is the theme of Software Project Risk Management Practices. These documents will give you the foundation, and are also consistent with project risk management processes that are set forth in the Project Management Body of Knowledge for those who are either certified as a Project Management Professional or pursuing that certification. The material is also consistent with practices used in the UK project management standard, PRINCE2, in addition to supporting requirements of the Capability Maturity Model.

 

Wrap-up. I'm going to wrap the security thread with a PDF presentation on risk analysis. The author of this presentation is Thomas R. Peltier who wrote Information Security Risk Analysis. Linda reviewed this excellent book on Amazon on 25 September 2001, and I reviewed it on 22 April 2001. Read what we had to say - if you're interested in risk analysis from a security perspective this book is worth reading.

Shifting Gears. I have two documents that address software project management and software quality management. They're short, to the point and worth sharing with colleagues.



Sunday, April 21, 2002

 

Back to Security. I'm going to sidestep Linda's challenge to continue the ISO thread and refocus on security. I have documents to share that cover two important topics:
  1. Access Controls
  2. Assurance and Metrics



Saturday, April 20, 2002

 

My Turn. Mike and I have been tossing the ISO 9001 topic back and forth, both here and in Notes from the Field. Since I'm keeping score, Mike's 18 April entry in Notes from the Field means that the ball is back in my court.

If the burning question is "Why should I care about ISO 9001?" the answer is that it's a solid foundation upon which to build a quality system. Also, unlike the 1994 version, the new 2000 version requires continuous improvement, and has a clause that mandates customer satisfaction measurement. Even if you have no plans to pursue ISO 9001 certification, the standard provides good guidelines for implementing a quality management system upon which you can build.

If you're familiar with ISO 9001:94, and want to learn what has changed in the 2000 version, Fitting ISO 9001:2000 into a 20 Element Quality System is a good starting point. A shorter document that compares the two is ISO 9001:2000 to 9001:1994 Comparison and Change Highlights. You get the deltas in five pages.

The standard in action is described in ISO 9001 Quality Management System Requirements and in Best Practices for ISO 9001:2000.

The ball is back in Mike's court.



Friday, April 19, 2002

 

Security (again!). Security is a recurring theme here and in Notes from the Field, and it's time for another installment. One excellent resource for IT security is Ben Rothke's web page. Ben is a columnist for Information Security Magazine, among other things, and his home page contains a wealth of information. The real gems are:



Thursday, April 18, 2002

 

ITIL, ITSMF and Service Level Management. Linda's 14 April entry was on the mark. With established international standards we do not need another methodology, and we definitely don't need proprietary methodologies. She and I have over 50 years of IT operations, service delivery and production support experience between us. We've seen the methodology of the month, silver bullets and all of the other panaceas, and none are a total solution. Are the ITSMF's best practices perfect? No, but they do reflect the experience of IT professionals the world over.

One of the problems with the ITSMF's core documents, the IT Infrastructure Library, is the books are expensive. This is, in my opinion, a barrier to adoption. I am going to chip away at that barrier by sharing ITSMF files that I've collected with the goal of creating awareness. I'm going to start with a PowerPoint presentation that gives an overview of the ITIL: Why ITIL? Since the ITSMF uses the ITIL this presentation is important. The following files, which address various ITIL and ITSMF domains, will show the inner workings:



Wednesday, April 17, 2002

 

Preparations. One of the projects in which I'll be engaging is to develop reference data for issue management. I'm currently reading Managing Reference Data in Enterprise Databases to get ideas about how to build a taxonomy, populate it and manage the data. Although the project is in support of service level management, the role I have is squarely in the knowledge management domain.

Knowledge Sharing. Since I'll be working with peers who may not be fully conversant with knowledge management I'm gathering artifacts that will explain the basics. One such artifact is a PowerPoint presentation titled KM Tour. It's a brief overview and should help me to fit my role into the project objectives. Another artifact is a PDF document titled Assessing Knowledge Assets. This document goes beyond the scope of my role, but it does place knowledge management into a practical context.

Nice to Know. If you have an interest in knowledge management or leveraging human capital (two different, but related topics), the following documents will be of interest:

 

Frequently Asked Questions. We often receive e-mail that asks the same questions. I'm going to answer the most common questions in this entry:
Q Why isn't the Microsoft Solutions Framework (MSF) discussed here?
A The MSF is essentially a project management framework. It is a proprietary standard that is defined and owned by a single company. We support two internationally recognized standards:
  1. Project Management Institute's Project Management Body of Knowledge (PMBOK). The 2000 version of the PMBOK is an American National Standard ANSI/PMI 99-001-2000. More information about the PMBOK can be obtained from the Project Management Institute's Project Management Standards page
  2. PRINCE2 (PRojects IN a Controlled Environment, version 2), which is a United Kingdom standard that is managed by the UK Office of Government Commerce. See Official PRINCE2 website and the PRINCE User Group for details.
We believe that two internationally recognized project management standards are sufficient.

Q Why don't you discuss the Microsoft Operations Framework (MOF)?
A For the same reason that we don't support the Microsoft Solutions Framework: there is an international body called the IT Service Management Forum that is vendor-independent. The ITSMF uses the IT Infrastructure Library (ITIL) as the basis for their best practices. The ITIL, like PRINCE2, is under the cognizance of the UK's Office of Government Commerce, with portions of the ITIL provided by the British Standards Institution (BSi).

Since the ITSMF best practices have been adopted internationally we see no reason to employ or support a proprietary approach such as the MOF.

Q Is TEAM Zarate-Tarrani a corporation?
A No. We are independent consultants who share the same values and work ethics.



Tuesday, April 16, 2002

 

Privacy is a hot topic, but hotter still are the thorny issues surrounding how to best protect it. Linda reviewed a chilling book titled World Without Secrets in her 17 April entry in Notes from the Field. This book, and its associated web page, paint a bleak picture of privacy. One of my main sources of information on the topic is Lisa Rein's weblog. I also do a considerable amount of research from other sources because privacy issues are main concerns of my specialities, knowledge management and competitive intelligence.

One solution that is being hotly debated is the concept of a national ID card. The key issues are contained in a Gartner research note titled Establishing a National ID Card: Definition and Debate. However, this issue is international in scope. Smart ID Cards in Europe: Different Views, Uncertain Future gives the perspective from Europe, while we can learn from Hong Kong’s Multiapplication Smart ID Card.

At the state level the Gartner research note titled Can the Smart State Implement a Smart Driver’s License? asks valid questions. Interestingly, another Gartner research note asserts that The Global Economy Already Has IDs.

At some point, though, it will behoove you to understand the underlying technology and the strengths and weaknesses of smartcards. Mike and Linda steered me to Get Smart : The Emergence of Smart Cards in the United States and their Pivotal Role in Internet Commerce as a well written introduction to the business and technical issues, and I join them in highly recommending it if you need to quickly learn about smartcards.

 

Service Level Management Update. There are new articles and links on Next SLM, which is the web site that supports Foundations of Service Level Management by Rick Sturm, Wayne Morris and Mary Jander (see my and Mike's reviews on Amazon).

Highlights of the updated content include:

Much of the material on the site is directly related to the Tarrani-Zarate Model that we've been discussing, and is particularly applicable to my recent entries about organization and core processes.

 

Security & Contracts. I've been posting book reviews and other security-related information here and in Notes from the Field since the inception of these weblogs. Contracting is another recurring topic. A recent eWeek security series titled Contracts Getting Tough on Security ties the two topics together. If you write RFPs and evaluate vendors you'll find best practices. If you write proposals you'll find compelling reasons to start developing a set of security processes and strategy to use as a response to RFP requirements.

I cannot resist a shameless commercial plug here: TEAM Zarate-Tarrani develops security strategies and processes that will prepare you for responding to RFPs.

 

Friends don't let friends use MS Project. If you want a project management application that correctly levels resources, can correctly compute earned value, and is made by a company that understands project management you should look at SureTrak Project Manager 3.0 (see Linda's 27 May 2001 review on Amazon).

I just finished reviewing an outstanding book on how to use this powerful program: Planning Using Primavera SureTrak Project Manager Version 3.0 by Paul E. Harris.

Although SureTrak Project Manager 3.0 ships with adequate documentation and the program is intuitive, there are three good reasons to buy this book:

  1. The product documentation covers every feature - the information about planning and managing projects using this powerful tool is scattered throughout, making it difficult to tap into SureTrak's power without wading through an overwhelming amount of nice-to-know, but non-essential detail.
  2. Although anyone who has used Microsoft's ubiquitous MS Project will have no problem getting started with SureTrak, they will miss the true project management features of SureTrak that are not present (or don't correctly work) in MS Project. This book identifies those features and shows how to use them effectively.
  3. The author goes beyond merely describing how to use SureTrak by showing you how to use effective project management techniques, many of which take years of managing projects to discover.
The book is structured as a series of 20 lessons (called workshops) that are designed to step you through setting up a project, and planning and scheduling it. If you follow them in sequence you will be able to not only set up a project using SureTrak's rich feature set, but will also pick up general project management techniques along the way. An example of one such technique is how the author classifies projects into four levels for planning and controlling. These levels are based on project complexity, with Level 1 being the simplest and suitable for short projects, to Level 4 for complex, high-value projects. You are given the planning and tracking criteria for each project type, which allows you to tailor your approach as well as ensure that you don't over-manage simple projects or under-manage the complex ones.

You are also shown how to use the more powerful features, such as the many project views (work breakdown structure, activity or resource), managing the sophisticated calendaring functions, and effectively using the resource profiles and reporting features. I particularly like the way earned value is treated. The author shows how to use SureTrak's facilities for managing to earned value, as well as explaining this essential technique (which, by the way, is now a part of the Project Management Institute's PMBOK 2000 version). Another bonus is the way scheduling is explained by walking through adding logic to activities. You'll not only be shown how to perform this task, but given reasons why you should use one approach from among four possibilities to establish relationships. In this example the choices are start-to-start, finish-to-start, start-to-finish and finish-to-finish.

The book is clear, concise and heavily illustrated with screenshots from SureTrak. The tutorial style and the way the lessons are sequenced will get you quickly up-to-speed with SureTrak and give you the knowledge and skills necessary to employ it with minimum reference to the manuals that come with the software.

If you're more interested in Primavera's high-end product, P3, please refer to my Amazon review of Planning Using Primavera Project Planner P3 Ver 3.0 by the same author.

As an end note I've gathered links to websites that may be of interest:

Our weblogs also contain a wealth of information - use the search feature to find information about earned value, WBS, PMBOK, PRINCE2 and other topics that you may be researching.



Monday, April 15, 2002

 

Flu? Flown! Workload? Groan! The past few days were spent suffering through a mild case of the flu. I seem to be back to normal (depending, of course, how you define normal). It appears that my workload is growing, which means that my entries here are going to remain short, and other avocation activities are going to be put on hold. One of those activities is writing book reviews on Amazon.

I have a small backlog of books for which I owe publishers and authors a review, after which I am taking a break from reviewing for Amazon.

When I'm in Kuwait I'll refocus my energies and attention on Mike Sisco's IT Manager Development Series and his IT Manager Toolkit. I've read most of the books in the IT Manager Development Series, and have reviewed Acquisition: IT Due Diligence (see my 1 April review below) and Acquisition: IT Assimilations (see my 31 March review below). Both are outstanding. I haven't looked at the tools in the IT Manager Toolkit that Mike sent me, but will later this week.

Terror? Here's an article that will give you pause: Win-XP Search Assistant silently downloads files. Another reason why I have no intention of downgrading my system to XP.

CMM Assessments. I recently read Assessment Coordinator's Handbook: Planning for a Well-Orchestrated Software Appraisal by Ken Dymond, who also wrote A Guide to the CMM: Understanding the Capability Maturity Model for Software (see Linda's 3 July review of that book).

Assessment Coordinator's Handbook: Planning for a Well-Orchestrated Software Appraisal is worth its weight in gold to the right readers. This short, 41-page guide is an invaluable resource to anyone who is getting started in assessments. It's been designed to augment SEI assessment training, and therefore does not supplant official SEI materials. Here are the key features:

  • Gives a two-phase approach for preparing and training for CMM assessments that are consistent with SEI guidelines. Phase I covers pre-assessment training and planning and Phase II covers on-site assessment activities.
  • Provides detailed checklists for each phase. The author's extensive experience in assessments has been condensed into the essentials, which save you significant planning and artifact development time.
  • Checklists are provided in two levels of detail: summary and detailed. These are augmented by exhibits in the back of the book that provide an example schedule that you can use to benchmark your own plan, a project selection matrix, and an excerpt from a master task list. Using these you can refine your own planning approach.
At first glance the price-per-page ratio will make you question the value of this book. However, consider that you'll have a succinct guide that distills the essentials. This book can easily save you 50 hours or more of planning time, as well as step you through the process from the viewpoint of an experienced assessor. When you factor this into the equation the value becomes apparent. More importantly, much of the material and the approach can be refactored into planning for other types of assessments - not only for SEI CMM, making this book extra valuable to consultants who engage in assessments of all types.

Take-Aways. Although you'll have to purchase Mr. Dymond's books, I've collected papers that he's written that will be of interest if you are among the target audience for his books:

The last two fit nicely within Linda's organizational and core processes theme.

An added bonus is a Word document titled Capability Maturity Model Benefits by Richard Waina. Enjoy.

 

Administrative Note. Over the next few days my ISP will be doing maintenance. Most of the documents we provide here reside on the server that hosts tarrani.net. You may experience Document not found errors during the next 48 hours. If there are any documents that you absolutely need during this period let me know and I'll e-mail them to you.



Sunday, April 14, 2002

 

I just finished reading Computer Forensics: Incident Response Essentials by Warren G. Kruse and Jay G. Heiser. The authors, both of whom have impeccable credentials, have managed to distill a complex subject into a book that can be understood by anyone with intermediate-level computer skills. More importantly, computer forensics is a relatively new subdiscipline of IT security, making this book important in that there are few books on the topic.

I'll start with the beginning and end of the book, each of which is focused on legal aspects of forensics. The book begins by explaining what forensics is, and giving a three-step process that covers the essentials at a high level:

  1. Acquire evidence
  2. Authenticate it
  3. Analyze it
Although this process is presented at a high level, important details, such as the importance of establishing and maintaining a chain of custody, how to collect and document evidence and key issues to consider when presenting the evidence in court are covered. This discussion is picked up again in Chapter 12, Introduction to the Criminal Justice System, in which applicable laws, advice on dealing with law enforcement agencies, and the distinction between criminal and civil cases are discussed. There is sufficient detail, and pointers to sources of information, to arm you with the bare essentials.

Between the opening chapter and Chapter 12 described above are chapters devoted to basic techniques and procedures for tracing email, specific operating system issues (the book deals with UNIX and Windows), encryption, codes and compression and other common challenges an investigator will face. The material is not overly technical, and is presented in easy-to-understand prose. Anyone who works as a network or system administrator, provides desktop support, or is an advanced end user will have no problems following the techniques that are presented or the underlying technical details. If you're seeking an advanced text this book will probably disappoint you, although there is sure to be some new trick or fact that you'll learn. For example, I have over 25 years of IT experience and was fascinated by the discussion of steganography (an information hiding technique). There were other chapters that I quickly skimmed because I was well-versed in the subject matter.

What I like about the book is the easy approach, which makes it easy to develop the fundamental skills necessary to perform forensics. The few other papers and books on the subject are far more advanced and the learning curve is a barrier. This book will give the new security investigator a foothold in the topic upon which he or she can build. I especially liked the appendices, which provide an excellent framework for incident response. One of the best features is the detailed roles and responsibilities, which are well thought out and reinforce the axiom that security is everyone's business. Another outstanding feature is the flowcharts for various incident types, such as denial of service, hostile code, etc. These can be used verbatim in a security policies and procedures manual, as can the incident response form provided in Appendix B. I also liked the valuable URLs provided throughout the book. I knew of many, but was surprised to find invaluable resources that I didn't know about.

Even though much of this book presented information I already knew, I still enjoyed reading it because I picked up facts that I didn't previously know, and was reminded of legal aspects of forensics and security that I'd forgotten. The appendices alone make this worthwhile to even advanced readers, and the fact that it provides an entry point into forensics for new practitioners makes this book invaluable as a training tool and vehicle for professional growth.



Saturday, April 13, 2002

 

Good News. Microsoft postpones .NET My services, which means that the convicted monopoly is meeting with resistance. I, for one, applaud this turn of events. Why? I don't have confidence in their ability to secure my personal information, and I don't trust their corporate motives. Will I ever trust them? It depends on how effective they are with their security initiatives, and if they can manage to actually ship a product that is reliable; i.e., no memory leaks requiring therapeutic reboots, doesn't invite malicious code, and is designed to protect data and processes. In my opinion they have a long way to go.

Sobering News. If you develop commercial or business-critical products under the GPL, be aware that the Free Software Foundation is taking a proactive role in enforcing the GPL. See FSF ask Lindows: 'Where's the Source?' for details.



Friday, April 12, 2002

 

Tarrani-Zarate Model: Organization and Core Processes, Part 2. I'm providing an annotated list of documents to give deeper background information about organizational issues. These documents address general IT service delivery processes, which will be delved into as this series unfolds.

Rewind. Before proceeding I want to recap the purpose of the model, which places organization and core processes into context. The Tarrani-Zarate Model was developed to:

  1. Provide a value chain that is based on business imperatives. As such, it:
    • aligns IT to business
    • focuses on reliability, availability and support of systems, applications and services provided in support of business imperatives
    • is structured to integrate applications and service delivery
  2. Is an end-to-end set of processes that connect business imperatives to support.
  3. Acknowledges that IT is a service and support activity.
This entry will focus on the organizational aspects, and the documents that I am providing are:

I'll continue this series with more about organization and core processes in my next entry.



Thursday, April 11, 2002

 

New Discoveries. I'm not-so-patiently awaiting the June publication of The Weblog Handbook by Rebecca Blood. Although weblogs have some major drawbacks as knowledge management tools, such as the difficulty in organizing and cross-referencing information for near-transparent retrieval, they do have a place in the knowledge ecology. Ms. Blood's weblog, Rebecca's Pocket, shows that she is an articulate writer and socially-aware thinker who understands technology and its uses. She was also the subject of a recent Fast Company article by Anni Layne Rodgers titled Targeted Serendipity. The article piqued my interest in the book and got me thinking about how weblogs fit within the overall scheme of knowledge management. The jury [of my mind] is still out on this one.

Opportunity. Winston Churchill is quoted as saying, "The pessimist sees difficulty in every opportunity. The optimist sees the opportunity in every difficulty." This goes to the heart of knowledge management, as well as competitive and business intelligence. It is also the clear message in the 14-page paper titled Identifying Web-Based Opportunities. Churchill was a great wartime leader during World War II, but the master of warfare, Sun Tzu, has been a major influence for over 2000 years. Here is a quote from his timeless The Art of War that applies to the unbloody battlefields of business as much as it does to the killing fields of military conflict: "If you know the enemy and know yourself you need not fear the results of a hundred battles." Knowing your enemy, and your competitor is your enemy, will give you advantage - assuming that you also understand your own strengths and weaknesses.

Internet Integration in Business Marketing Tactics is a step in the right direction for leveraging intelligence. Of course, it's all about survival, making Strategic "Morphing" and the Survivability Of E-Commerce Firms a good source of tactical and strategic ideas. Remember, though, that you need to know yourself as well as your competitor. In that respect it's about measuring your performance, and A Framework for Developing E-Business Metrics Through Functionality Interaction provides viable approaches.

Back to the Future. We are still impacted by a large list of action items and a shortening timeframe. Mike and I are trying to clear the highest priority items before we leave for a short project in Kuwait, and we are also preparing for a pending project in India. That makes for an exciting life, but also for a hectic schedule. In the coming weeks our entries here will be short, so bear with us - we're juggling many balls at the moment.

 

Security and Information Warfare. I just finished reading a book titled Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. In it, the authors extensively document their honeypot project, which was designed to deflect attackers away from real systems and data assets by using decoys. The project evolved into something much more, which is chronicled in the book.

The first part of the book deals with technical issues and how and why the project was initiated. As the chronicle of the project proceeds the authors begin adding a new dimension to information security: psychological profiling. This is where the book becomes fascinating, and where reading the book becomes tedious.

The fascination stems from the methods used to identify, classify and profile their attackers. The tedium in reading the book is that you have to carefully read through logs of chats (Chapter 11, In their Own Words). This is not the stuff of casual reading - but is worth the time, effort and pain it takes to wade through this chapter.

Part of the tedium, aside from having to read raw (but annotated) logs is that profiling attackers requires an understanding of cultural issues, psychological motivations and risks associated with each attacker profile.

The accompanying CD ROM contains tools and supporting material for each of the chapters. The tools are the ones the project uses in building, maintaining, and using a Honeynet environment, and includes source code, precompiled binaries, and documentation. The supporting material consists of source code, network captures, and other information related to specific chapters.

The sophisticated profiling methods described in this book are more suited for large corporations, organizations that support unpopular social causes (commercial and non-commercial) and targets of information warfare attacks. I personally believe that the book adds a new dimension to IT security, making it an important contribution to the security body of knowledge.

I'm giving the book to Kate to read and review because her background will allow her to gain insights that I missed. I'm looking forward to her review here as soon as she has time to finish the book and write her thoughts.

On a more mundane note I just received an e-mail notification reporting Microsoft Warns of 10 IIS Flaws. Are such reports news anymore? Yawn.



Wednesday, April 10, 2002

 

Measure Twice, Code Once. I've been posting material and book reviews about metrics in Notes from the Field, and have related documents that I will share here:

Both of these documents touch upon architecture. They also cover issues and factors that Linda has recently addressed. The PDF document titled Architecture Engagement Process spans both topics and fills in gaps left by our discussions and associated documents that we've recently posted.



Tuesday, April 09, 2002

 

WAP, Banks and Business. I recently reviewed The Mobile Internet: How Japan Dialled up and the West Disconnected and came away with insights I never imagined before I read the book. I've also worked closely with Unmesh Laddha and his team at Thinking Minds, Inc. on defining one of their products which extends the reach of Oracle-based applications, PeopleSoft and SAP R/3 to wireless PDAs and SMS-enabled cell phones. The document titled, WAP-Enabled Banking is an exciting look at practical uses of the Thinking Minds tool, as well as the business possibilities of WAP in general.

The key word is business use - as IT professionals our first thought was to use this tool to instrument systems to alert support staff if certain parameters, such as file system high water marks, excessive resource usage or outages occurred. The true value of this tool is to instrument business events and report them to business process owners. Only then will the investment pay off.

If you're interested in the Thinking Minds WAP tool please contact Unmesh Laddha for information.



Monday, April 08, 2002

 

I've been covering performance and scalability, and other metrics in Notes from the Field, and want to extend that discussion to this weblog. One excellent online paper I've recently read is SPI and Measurement, which is a wide survey of software and system engineering metrics.

Another related document is Web Site Analysis Using Soft System Methods. A final document, not closely related to metrics, is a PowerPoint presentation titled Business Case Analysis in Software Engineering. While this does cover metrics, it is more applicable to Kate's and Linda's recent entries.

 

Insights and Truths. Robert Frost once said, "Half the world is composed of people who have something to say and can't, and the other half who have nothing to say and keep on saying it." His observation is both witty and astute. It was also written before the advent of weblogs, knowledge management and the underlying social and psychological theories and realities that define our world. I'm going to let the poet laureate's quip guide my entry today, which has a goal of supporting Linda's recent entry.

Linda and Mike have developed a model that supports the management of information technology, with an emphasis on people, process and technology. As Linda stated, one of the influences of the model is the capture, transformation and presentation of data and information. That process is in my area of expertise, which has given me an opportunity to contribute to how the model evolves - and evolve it does.

At the organizational level that Linda is currently discussing there are factors that will significantly enhance the organizational effectiveness. The following papers expose some of the major factors:

In addition, there are fine points to be put on the application delivery process, which is discussed in Knowledge Creation for Improving Software Organizations. Creating knowledge can have drawbacks. Knowledge, like everything, comes in varying degrees of value. In order to determine the value of knowledge it must be assessed and evaluated, and a value assigned. Integrated Knowledge Assessment provides guidelines for accomplishing this.

The collection of best practices is an aspect of knowledge management, which gives a recursive quality to the document titled Best Practices in Knowledge Based Innovation. A final document that fits and supports Linda's current topic is Task/Technology Fit and Information Technology Choices in Knowledge Work. This paper is more applicable to the service and applications delivery functions in the Tarrani-Zarate Model, but also influences the foundation layer.

I'll end this with one of my favorite Robert Frost poems:

We dance round in a ring and suppose.
But the Secret sits in the middle and knows.
I marvel at how these two simple, elegant verses say more about what knowledge management is than the pile of books I have on the subject.



Sunday, April 07, 2002

 

Tarrani-Zarate Model: Organization and Core Processes. This entry will refer to illustrations, each of which will open in a separate window. The first illustration is a quick view of the Porter Value Chain, from Michael Porter's classic, Competitive Strategy.

Basically, the value chain is comprised of direct value-adding activities and support activities. A common business ratio, called the tooth-to-tail, is the ratio of workers who produce and those who provide support or management. The leaner organizations, of course, have more producers than supporters and managers. This is why self-directed work teams add value.

There is another value chain at work, and it is called the Management Information Value Chain. This value chain maps the capture or creation of data, and its transformation into information upon which decisions and actions can be based. Kate Hartshorn has written about this in many of her entries that deal with competitive intelligence and business intelligence. The management information value chain is where IT can prove its value because we provide the systems that capture, store, transform and compute the data and information, and present it to the business.

Our role, and a major factor that plays into the way the Tarrani-Zarate Model is structured, is the juxtapositioning of service delivery, and the value chains. Service delivery comprises the core processes of our model, depicted in focused service delivery, and forms the basis for an Information Services and Support Value Chain.

If you examine the simplified version of our model you'll see that service and applications delivery are connected to the foundation, which is the subject of this entry.

The organizational structure that we have developed from the above is an idealized set of resources and processes. This is our model's foundation, and it contains all of the core processes as well as organizational workflow for both service and application delivery.

I've briskly and tersely covered a lot of territory and am going to step back and allow the information I've provided to sink in. In my next entry I'll go into more detail about the core processes and our rationale for the organizational structure.

 

Due Diligence, Quality and Strategy. Since writing extensively about RFPs, contracts and related topics during the past two weeks I continue to discover material that is too good to keep to the team. One collection of such gems is a GartnerGroup series on IT Service Contracts.

If quality and strategy are foremost on your agenda, the collection of PowerPoint presentations and Word documents that address IS Quality Strategies will be useful. The ideas, concepts and practical approaches in this collection make downloading this Zip archive time well spent.

Closely related is a PDF document titled, IS Project Scorecard. This document is not only for project managers, but also contains information about governance, SQA and organizational processes. It also ties to Linda's recent and ongoing discussions here.



Saturday, April 06, 2002

 

Notes & Miscellany. Kate's announcement regarding our documentation products we'll soon be offering represents a major step forward for TEAM Zarate-Tarrani. Offering these products has been an oft discussed goal and a source of procrastination. Kate stepped forward and the project is taking on a life of its own. Our timing may not be optimum because we are scheduled to be in Kuwait for a project, and there is a second project in the pipeline.

Web Project Support Material. I came across three interesting documents that I want to share:

  1. Integrating User-Perceived Quality into Web Server Design.
  2. Analyzing Factors That Influence End-to-End Web Performance.
  3. Web Modeling Language (WebML): A modeling language for designing Web sites.
I haven't fully absorbed these documents, although I did a quick read. If you're involved in any type of web or portal project you may find them interesting, valuable or both.



Friday, April 05, 2002

 

Much Ado About Much. This has been a busy week. First I became a grandmother, joining Mike and Linda in that milestone event in life where one must confront the march of time. I assure you that I'll not go gently into that role if it means growing up. Second, I've been given editorial control over a collection of documents that Mike and Linda have produced over the past two years. My task is to take policy, process and procedures, project plans and related artifacts and turn them into generic, fill-in-the-blanks templates for change control, issue management and service level management processes.

Value Proposition. The documents will be offered at an attractive price by TEAM Zarate-Tarrani. The value will be as follows:

  1. Documents will be in Microsoft Word and Excel formats, and all graphics will be in Visio. We have decided that Office 97 and Visio 5 are the best formats because most companies have upgraded to those products or beyond. The value in this approach is that the documents can be easily tailored to meet an organization's specific requirements and reflect the current situation with respect to process maturity.
  2. See before you buy. Samples of each of the documents will be provided, in their entirety, in Adobe PDF format. We'll lock the documents to prevent printing, selecting and copying text, or making modifications to protect our intellectual property, but potential customers can see exactly what they'll be getting before risking a penny.
  3. Pricing: $49.95 is the standard price per document. We chose this price because it's a compromise between outright giving the documents away (something that we considered) and recognizing that people do not value what is freely given regardless of the intrinsic value of the artifact.
If you are interested please let us know.

More About Value and Tools. Refocusing on my technical specialities (my skills are much more than technical editing), I want to share an article about the relative value of project management and related articles that address KM tools and their real and perceived value, and the maturing and convergence of portals and KM as reported in Portal/KM Mix Gains Mind Share.

Ending Note. Although I consider myself to be a sophisticated consumer of IT services, I find myself with one foot in the IT profession, and the other foot is almost in that domain. I now find articles, such as Standards to Drive Services to be essential to my job, which indicates the increasing shades of grey that distinguish the boundaries between IT and business. Another indication is my recent reading list, which includes Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community (an outstanding book that adds personality and psychological profiling to IS security), e-Data: Turning Data into Information with Data Warehousing (see Mike's 28 June 2001 and Linda's 30 June 2001 reviews), and The CRM Handbook: A Business Guide to Customer Relationship Management. I'll know into what I'm being transformed when the moon is next in its full phase. Until then I'll classify myself as a grandmother who refuses to morph into an adult.

 

Dutch - Language of Service Management? Most of our research focused on service management leads to the Netherlands, and many of the documents are in Dutch - a language that none of the members of TEAM Zarate-Tarrani read or speak.

The IT Service CMM initiative is under the aegis of the Software Engineering Research Centre (Netherlands). The other interesting initiative, the Application Services Library, a framework for application management, is also an innovation that comes from the Netherlands.

Although the entire Application Services Library web site, and most of the documents, are in Dutch, I've managed to find a few documents in English. The approach is mature, especially if you're familiar with the support hierarchy using application support analysts, business systems analysts and business systems managers. The documents are:

There is sufficient information in these documents to reverse-engineer the processes and methods that comprise the Application Services Library. I can only hope that the full suite of documents will one day be available in English.

The key point, other than sharing information and trends that we've noted, is that if you're a service level management practitioner you will do well to watch what the Dutch are doing because they appear to be doing world-class work. Learning Dutch is optional.



Thursday, April 04, 2002

 

Service Management. More background material and primary reading for anyone who is developing, implementing and/or managing a service delivery strategy. First, Introduction to IT Service Management places service management within the context of the IT Infrastructure Library (ITIL) approach. Linda and I have both discussed the ITIL in previous entries, and we both closely follow news related to the ITIL.

Another excellent introductory resource is the May 2000 issue of the IT Service Management Journal. Although the issue is comprised of only four pages, the discussion manages to nicely frame a value proposition for service management.

Closely related to service management, and to Linda's forthcoming entries about core processes and organizational support, is a GartnerGroup presentation titled TCO — The Framework for Optimizing Business and IT Management Decisions.



Wednesday, April 03, 2002

 

A Little Help for my Friends. Linda has graciously accepted the task of continuing the description of the Tarrani-Zarate Model for core processes and organization. She has been busy working on her Oracle Certified Professional training, among other things, and will get to it when her increasingly busy schedule permits.

While she's structuring her description I'm going to contribute more background material. Please note that when she and I first developed the model it was a rough cut, and the model has evolved. We're now forced to think it through, and that takes time, thought and energy.

Background materials that pertain are:

  • Assessing the Organizational Impact of IT Infrastructure Capabilities. This 53-page PDF document is the findings from a survey of 236 firms regarding the organizational impact of IT. The conclusion is that IT infrastructure capabilities have little business value. The paper goes on to claim that investments in IT infrastructure will be seriously undervalued if they are assessed only in terms of its direct link to organizational performance. IT infrastructure is of strategic importance to an organization because it either enables or inhibits IT applications and business processes.
  • Organization without Accountability = Sure Failure. This single-page PDF document is an exercise for provoking thinking - I think it succeeds.
  • The Role of Trust in Managing the Information Systems Enterprise. The author of this seven page paper goes to the core of organizational effectiveness. The paper is a cogent discussion of the keystone: trust and credibility.



Tuesday, April 02, 2002

 

Legal Issues and Other Matters. I've been bouncing among knowledge management, legal issues and competitive intelligence in recent entries here and in Notes from the Field. One important topic that touches everything we do is law. In particular, the legal aspects of intellectual property. See my earlier entry today in Notes from the Field for more information and breaking news.

K8 ... Q8? Insh'Allah! That cryptic lead-in is a cute way of announcing that, God willing, I will be in Kuwait working with Mike on a project. I'm sure you immediately picked up on K8 as Kate and, maybe, Q8 as Kuwait. However, unless you're Muslim or speak Arabic you probably didn't know that Insh'Allah means God Willing. At any rate, I'm excited about the professional opportunities that this holds, as well as the personal opportunity to see a part of the world that I've only heard and read about.

 

News, Reviews and Miscellaneous Notes. I'll be writing the next entry about the Tarrani-Zarate Model, which will address process and organization elements of the foundation layer. Much of this information deals with infrastructure, and I want to provide background material as a prelude while I'm writing my entry. One important book (among many) is one that I recently read titled, Enriching the Value Chain: Infrastructure Strategies Beyond the Enterprise. This book is an extensive rework of the authors' The Adaptive Enterprise, and in my opinion supersedes that earlier book.

Like the first book this one borrows heavily from the software engineering community to employ proven techniques, such as layered design, patterns and a component-based approach to infrastructure. Where this book extends and builds upon the earlier work is the emphasis on extending the corporate infrastructure into a meta infrastructure that is characterized by B2B and supply chains. As such it lives up to the title because the goal of the extended infrastructure is to enrich the value chain - or at least support the underlying business goals.

What I like about this book is that what the authors propose is not only attainable, but makes good business sense. It starts with a 22-page introduction that clearly defines what is and is not infrastructure, and the concept of adaptivity. These are important to understanding the approach that follows. Chapter 2, Laying the Foundation, quickly gives the basics for a layered infrastructure, develops a model for associated services that are needed to make the infrastructure adaptable, and drills down into service-related issues. I am not in complete agreement with the impact that this approach has on IT organizational structures; however, I am not willing to write it off as unfeasible until I have a chance to carefully think it through. The ideas do have merit (on paper) and are better developed in the first book.

Much of the rest of the book is a rehash of The Adaptive Enterprise, but the material is slanted towards the extended infrastructure. What is important is the emphasis on patterns and components as frameworks and building blocks. Where the first book brought infrastructure management to a new level, this book extends it in a manner that reflects the realities of connected enterprises defined by supply chain management and business partners. Please see my review of "The Adaptive Enterprise" below for specifics that apply to this book, and if you're deciding between the two books, this is the one to get.

The Adaptive Enterprise: IT Infrastructure Strategies to Manage Change and Enable Growth. The infrastructure management approach that the authors give in this book incorporates practices from systems (and software) engineering, and is a blueprint for success. The objectives are:

  1. End-to-end management with no gaps in ownership.
  2. Cost efficiencies through reuse and component-based strategies.
  3. Holistic view that looks at business, operational and technology (instead of the common 'technology only' view)
  4. Adaptability (an infrastructure that is managed to long range goals, but can be quickly adapted to emerging and immediate business needs).
How the authors meet these objectives is by identifying physical, functional and interface components that make up the infrastructure and integrating them into a service-oriented framework. This is consistent with component-based software engineering, and it is a remarkably good fit to infrastructure management. Moreover, the authors introduce patterns, also borrowed from software and systems engineering disciplines, to map business requirements to design in an efficient manner that promotes reuse. Another advantage of patterns is this approach captures knowledge (something not directly pointed out in the book). If you're not familiar with process patterns the book I recommend for infrastructure professionals is More Process Patterns by Scott Ambler. This is the second of a two book set and it directly addresses patterns that are related to infrastructure (the first book, Process Patterns, is more focused on software engineering).

The two chapters I liked the most are 4, Developing Adaptive Services, and 5, Services Starter Kit. These chapters tie services to infrastructure and go into fine detail about how to integrate services and the underlying technology. I especially like the way the authors use multiple life cycle management for each layer in the infrastructure. Chapters 6 (Processes and Methods) and 7 (Packaging and People) neatly pull together the preceding chapters into a coherent, process-oriented strategy. The single appendix is also valuable because it gives a comprehensive component catalog. This catalog can be used as the basis of the infrastructure blueprint as well as the foundation of an encompassing asset management initiative.

Miscellaneous Notes. I found a collection of papers that are related to infrastructure management that are worth reading. Until I resurface with my entry on the process and organization elements of the Tarrani-Zarate Model foundation layer you have my best regards from Azusa, California.



Monday, April 01, 2002

 

Book Review. Title: Acquisition: IT Due Diligence from IT Manager Development Series by Mike Sisco.

Summary: This book is one of a ten-book series of short, focused books on aspects of IT management. The companion to this particular book is Acquisition: IT Assimilations, which I reviewed in my 31 March entry.

Due diligence is about risk management from an investment perspective. This 88-page book provides a process and set of procedures for assessing the value and viability of investments in companies. The approach set forth in the book is about due diligence in acquiring companies; however, the process and procedures can be used to do an internal assessment, evaluate vendor viability and even develop a capital project portfolio.

What's Inside: The relationship between due diligence and acquisition that is the subject of the related book is defined by a meta process that begins with a letter of intent (deal structure and expected value), an assessment of value, risks, opportunities, financial impacts and projections and related criteria (due diligence - dotting the i's and crossing the t's), the acquisition, and assimilation of the new company into your existing operations. If you closely examine the factors and essence of due diligence it boils down to CYA - cover your butt. The eight chapters in this book give you everything you need to make prudent decisions that will withstand the most critical scrutiny, and will prevent you from blundering into an investment that squanders instead of adding to shareholder value.

Specifics: The process, as in Mr. Sisco's other books, is straightforward and follows a logical sequence. He examines the key risks, steps you through how to conduct an onsite review, and provides a complete list of data collection templates. These templates include:

  • Business applications portfolio
  • Infrastructure portfolio (servers, LAN and WAN assets)
  • IT organization structure
  • Project initiatives
  • Automation capabilities
  • Software licenses/agreements
  • Software licenses/agreements - to other companies
  • Maintenance and support agreements (hardware and software)
  • Other contracts and leases
  • Capital budget items
  • Consulting/contract work - 12 month planning horizon
  • Operating budget - 12 month forecast
  • Transition costs - 12-month forecast
As you can see, the process covers asset identification, budget projections and other indicators to determine the true costs against which the actual value of the acquisition can be determined. This is what due diligence is all about - examining every facet and understanding the big picture and the details before investing.

The due diligence report is the end goal of the process and the book provides ample guidance for developing a report that summarizes the information captured during the data collection phase. As valuable as this process is, the appendices in the book provide equal value to any reader who is in a position that requires the application of due diligence. Each of the eight appendices are outlines, forms and supporting artifacts that you can tailor to your needs. Another valuable aspect of this book is the format that characterizes all of the books in the series: case studies, personal notes and side bars that liven up the text while imparting Mr. Sisco's extensive experience and observations.

What I would Have Liked: Since Mike Sisco is a frequent visitor here I am going to take this opportunity to express what I'd like to see in the next edition. Here's my wish list:

  1. An appendix that's a financial analysis primer - important balance sheet indicators, how to read a balance sheet and how to make sense of it all. Yes, the financial types will be responsible for this; however, this is something IT managers need to know, and too many can fill in a spreadsheet without understanding the overall picture that the numbers portray.
  2. Understanding leases - this is another area that is complex and needs to be exposed in greater detail. If you think IRS rules and tax laws are complex, take a close look at the Byzantine approach leasing companies take!
  3. Provide a list of auditing approaches in common use, with an emphasis on Control Objectives for Information and Related Technologies and key Financial Accounting Standards Board compliance criteria. These do not mean that IT professionals should practice auditing and accounting, but there are compliance requirements and practices of which they should be aware.
  4. Introduce the Altman Z-Score as a fundamental due diligence tool. Linda and I have used this particular tool and take every opportunity to disseminate information about it and its value for assessing the viability of a company.
Overall this is an excellent book and it meets my personal criteria for value: short, focused and straightforward. It's filled with advice, tools and techniques, and--most importantly--is written by someone who has obviously performed due diligence. If you're an IT manager it may cost you more to not have this book than many times the price.



Sunday, March 31, 2002

 

I've been reading Mike Sisco's final book in the IT Manager Development Series titled Acquisition: IT assimilations. This 58-page book is worth its weight in gold to any organization which is acquiring (or being acquired by) another and is faced with the daunting task of merging IT.

The book starts with the problem statement ("We've bought another company; what do we do now?") and then proceeds to lay out a ten-step process for assimilating the acquisition. The steps, each a chapter, are:

  1. Identify Objectives.
  2. Use the Objectives to Develop a Strategy.
  3. Ascertain that Due Diligence was Performed.
  4. Situational Analysis:
    • Key Risks
    • Potential Problem Areas
    • IT Dependencies
    • IT Organizational Impacts
    • Budget Implications
    • Opportunities
  5. List Key Initiatives.
  6. Prioritize.
  7. Obtain Stakeholder Consensus.
  8. Develop the Plan.
  9. Implement.
  10. Measure and Control.
I am not using actual chapter titles above because I wanted to summarize the contents. The final chapter is titled Got More than One Technology to Convert, which provides additional guidance when you're faced with integration challenges that can be best described as a hairball.

While the body of the book is well worth the price, the appendices significantly increase the value of this book. The six appendices are: A - New Acquisition Planning Questionnaire, B - Business Application Conversion Plan Template, C - Sample Employee Severance/Retention Letter, D - Legacy System Status, E - Transition Issues Templates and F - Transition Summary Checklist.

The capstone of value, in my opinion, is the straightforward approach provided, the case studies that reinforce the approach, and the personal notes and side bars that Mr. Sisco has sprinkled throughout. He's distilled his 25+ years of IT management experience into 58 information-packed pages that will give you the foundation for planning an assimilation of an IT department. Embodied in the pages are not only sage advice, but wisdom. It's obvious that Mr. Sisco has done this before, and you'll benefit from his experience.

I will review the companion book in this series titled Acquisition: IT Due Diligence later in the week. I've read through most of this 88 page book and should have reviewed it first because it addresses the software development contracting and outsourcing issues which we've been discussing. However, I had already read Acquisition: IT assimilations and wanted to discuss it because that book complements my ongoing discussion of the Tarrani-Zarate Model.

Have a great Sunday!



Saturday, March 30, 2002

 

Life imitating ... life. Mike's recent entries here and in Notes from the Field have been heavily focused on contract law. I cannot resist using the following quote as a lead-in:
A learned County Court judge in a book of memoirs recently said that the overwhelming amount of his time on the bench was taken up 'with people who are persuaded by persons whom they do not know to enter into contracts that they do not understand to purchase goods that they do not want with money that they have not got.'
Credit goes to Lord Greene, about whom I know nothing except the above is attributed to him. What Lord Greene says, however, goes to the essence of contracts in general and aptly sums up software development contracts.

Opportunities Abound. What I most like about writing here and in Notes from the Field is the frequent opportunity to meld my knowledge and skills with what Mike and Linda discuss. Such an opportunity presents itself today. As a competitive intelligence specialist one of the knowledge areas that is important to my profession is law. The practice of law is left to the attorneys; however, understanding the fundamental issues is necessary when one is gathering raw intelligence and transforming it into processed intelligence and knowledge. The scope of understanding includes principles and processes.

A Matter of Principle. Intellectual property is a core area for intelligence gathering and analysis, which makes Basic Principles of Patent Law a key knowledge area. Patent and contract law have radically changed since the web's growth in popularity and the business focus on e-commerce. I've put together a Zip archive of documents and presentations about E-contracts as a basic primer on a wide-ranging subject. The field is ever changing, so do not base any decisions on knowledge or sources other than from an attorney who specializes in this practice of law. You can, however, gain sufficient understanding of the issues through selected reading. One book I recommend is CyberRegs: A Business Guide to Web Property, Privacy, and Patents by Bill Zoellick. I reviewed this book on Amazon on 8 November 2001 and Mike reviewed it on 25 September 2001. It's interesting to read our two completely different perspectives, both of which are valid, of the book.

An interesting paper that integrates contract and knowledge management factors is titled An Incomplete Contracts Theory of Information, Technology and Organization, which discusses information as an asset (which it certainly is) and contested ownership of the information. This paper cuts across a number of disciplines, including law, knowledge management, and human resources.

Processes. Mike has gathered a wealth of documents and links about contracting and/or outsourcing software development. If you want to see what happens when things go wrong (and they often do in our litigious society), read The Anatomy of a Software Lawsuit. Since litigation occurs despite the best efforts and intentions of all parties it will behoove you to gain an understanding of the underlying process.

 

New Thread? Not! The material on software development RFPs and contracts was in response to a friend's questions. The topic has taken on a life of its own. On the plus side we've all pitched in and provided information to someone who needed it, and that's what TEAM Zarate-Tarrani is all about, and why we started these weblogs in the first place. An added bonus is this material complements layers in the Tarrani-Zarate model, which I've been writing about. On the minus side, however, is I'm behind on the series about the Tarrani-Zarate Model. I'll err on the side of sharing information every time, so I'm going to wrap up the software development and contract topic and leave it to Kate and Linda to fill in any gaps.

Putting a Fine Point on it All. The final documents and resources I'm going to share are:

I'm ending this entry with one final document that is an example of a decision support tool for in-house vs. outsourcing development. It employs standard risk adjustment factors based on PERT (program evaluation and review technique), and adds one standard deviation to the normalized result to increase the safety factor to 84% probability (versus the 50% probability that the PERT formula yields). This is an example from a real-life document.
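The risk adjustment described above, worked through as an added example (this is not the document the entry refers to, which is not reproduced here). The line items and figures are constructed, in thousands of dollars, and the line items are assumed to be independent so that their variances add.

```python
import math
from statistics import NormalDist


def pert(optimistic, likely, pessimistic):
    """Return (expected value, standard deviation) for a three-point estimate."""
    if not optimistic <= likely <= pessimistic:
        raise ValueError("need optimistic <= likely <= pessimistic")
    expected = (optimistic + 4 * likely + pessimistic) / 6
    std_dev = (pessimistic - optimistic) / 6
    return expected, std_dev


def risk_adjusted_total(line_items, sigmas=1.0):
    """Roll up line items and add `sigmas` standard deviations of margin.

    Assumption: line items are independent, so expected values add and
    variances add. The confidence figure uses the normal approximation.
    """
    expected_sum = 0.0
    variance_sum = 0.0
    for optimistic, likely, pessimistic in line_items.values():
        expected, std_dev = pert(optimistic, likely, pessimistic)
        expected_sum += expected
        variance_sum += std_dev ** 2
    total_sd = math.sqrt(variance_sum)
    return {
        "expected": expected_sum,
        "std_dev": total_sd,
        "adjusted": expected_sum + sigmas * total_sd,
        "confidence": NormalDist().cdf(sigmas),
    }


def cheaper_option(options, sigmas=1.0):
    """Name of the option with the lowest risk-adjusted total."""
    return min(
        options,
        key=lambda name: risk_adjusted_total(options[name], sigmas)["adjusted"],
    )


# Constructed estimates: (optimistic, most likely, pessimistic), in $K.
OPTIONS = {
    "in_house": {
        "development": (120, 171, 330),
        "testing": (30, 45, 90),
        "first_year_support": (20, 32, 56),
    },
    "outsourced": {
        "contract_price": (200, 215, 260),
        "vendor_management": (15, 24, 45),
        "acceptance_testing": (20, 29, 44),
    },
}

if __name__ == "__main__":
    for sigmas in (0.0, 1.0):
        print(f"margin of {sigmas:.0f} standard deviation(s)")
        for name, items in OPTIONS.items():
            result = risk_adjusted_total(items, sigmas)
            print(
                f"  {name:<11} {result['adjusted']:7.1f}K "
                f"at {result['confidence']:.0%} confidence"
            )
        print(f"  lower cost: {cheaper_option(OPTIONS, sigmas)}")
```

With these figures the in-house option has the lower expected cost, but its wider spread makes the outsourced option cheaper once the one-standard-deviation margin is added.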



Friday, March 29, 2002

 

Saving the Best for Later. I've accumulated a large number of presentations, links and documents about knowledge management and competitive intelligence during the past two days. I'm in the process of sorting and classifying them, and will be posting them here and in Notes from the Field later today.

There are two resources that I do want to share in this entry:

  1. CIO Magazine's collection of articles about knowledge measurement.
  2. An article titled Is Somebody Dulling Your Competitive Edge?
I'm also reading Working Knowledge: How Organizations Manage What They Know, and will be sharing my thoughts and impressions about this wonderful book later this weekend. Stay tuned.



Thursday, March 28, 2002

 

RFP Redux, Outsourcing and More on Quality. I have a few additional considerations to add to Mike's software RFP entry. I also want to share two papers on outsourcing and an excellent journal that is devoted to ISO 9000-3 (also known as TickIT).

Software RFP Items to Consider. Mike ended his entry with the statement that acceptance testing is the buyer's responsibility. The entire QA process in an outsourced software development scenario is complex, and I agree that the responsibility rests on the buyer. A document that was previously cited in Notes from the Field, titled Applying Software Quality Assurance to Outsourced Software Development, provides detailed guidelines for managing this type of development and should be read before the RFP is drafted.

If any of the software development includes open source components you need to consider the ramifications of GPL licensing issues. If not you may find that your application is, by law, also open source and what you think is your intellectual property doesn't belong to you. Read the article titled Lineo's GPL Compliance Tool to get up-to-speed in GPL licensing. Related reading that touches upon intellectual property and a number of other issues is the 25 March 2002 article in eWeek titled Internet Insight: Getting Legal.

Other things to consider when outsourcing software development:

  • Clearly define your service level objectives and make them a part of the contract. Mike mentioned this, but they are almost always missing from contracts. Also make sure your change control and release management criteria, and application acceptance policies and procedures are included in the contract terms and conditions. The goal is to align your existing processes with vendor requirements, and this is especially important when it comes to fixes and enhancements that are sure to arise after you've accepted the software for which you've contracted.
  • Don't forget security. Regardless of whether open source software is provided as a part of the application for which you're contracting, the Open Source Test Methodology is a solid framework for security testing. Use it as the basis for security testing in the acceptance test process.
  • Make sure that release notes and build analysis documentation are included in the deliverables listed in your SOW.
General Outsourcing. I found three documents on general outsourcing that I thought were particularly well written and detailed:
  1. Outsourcing Impact on Security Issues
  2. Writing an Outsourcing Contract
  3. Outsourcing Information Systems
Although these documents are not specific to software development, each contains information that does apply to development.

Your TickIT to Quality. As a follow-up to my 24 March entry I want to share a cache of information that expands on the ISO 9000 book I recently reviewed and also provides a lot of information about ISO 9000-3, which is the part of the standard that addresses software and services: TickIT International, which is the quarterly journal of the TickIT software sector quality certification scheme. The First Quarter 2002 issue has an excellent article on quality service delivery, and the back issues are treasures. If you're interested in TickIT see Mike's 9 July 2001 review of ISO 9000-3: A Tool for Software Product and Process Improvement.



Wednesday, March 27, 2002

 

Software RFPs. A friend recently asked if I had an example RFP for software development. The short answer was I had a few, but like all RFPs they were poor examples. I've been on both sides of the RFP process: I've written them and managed the vendor evaluation and selection process, and I've responded to them with proposals. Rare is the RFP that does either party justice (rarer still are proposals that completely respond to RFPs, but that issue is for another time).

If you want it done right, do it yourself, so I'm going to take this opportunity to develop an RFP template and share it with all who need one.

The Goal. The goal of the RFP is to clearly communicate what it is that you're seeking, and to give potential bidders enough information with which to propose a solution that is matched to your needs. An RFP epitomizes capitalism at its finest because you want something someone else has, and they want your money in exchange for it.

An RFP also is an exercise in risk management because you don't want to pay more than necessary to get what you want. In the seller's case, value is at risk. The sellers who will be responding with proposals will be competing for your money, and risk bidding too high and losing your business or bidding too low and leaving money on the table (or losing money).

There are other, more subtle risks inherent in the process that go to the stability and track record of the seller, the quality of their work, their ability to warrant their work and make good on the warranty, and ownership of the product after it has been developed and delivered. All of these will be addressed in the discussion below.

Elements of the RFP. Here are the minimum elements of a software development RFP and why they are necessary:

  1. Statement of Objectives - describe what you are seeking in general terms. Example: Company is seeking the development of a software application to sort widgets.

  2. Background - give the background in a paragraph or two that sets the context of your objective(s). Example: A workflow study concluded that our manufacturing facility can reduce cycle time by 30% and improve quality by 50% if newly manufactured widgets are sorted by size and color before they are sent to QA. The software application we are seeking is an initiative sponsored by our VP of Manufacturing to implement a system that results in the improvements cited in the workflow study.
  3. Environment - Describe the technical environment that will determine how the respondents to the RFP approach crafting a proposed solution. Example: The system operates on a 24x7 basis, supporting geographically dispersed manufacturing locations across three time zones with two 10-hour shifts in each time zone. We use IBM AS/400 midrange systems that are located in our West Coast data center. The applications to which our widget counting solution must interface are written in RPG/400. We use IBM Client Access/400 and Rumba 5250 terminal emulation from Windows 98 and Windows 2000 PCs. Access to the midrange systems is via point-to-point circuits from each remote facility. Each circuit is sized to allow each remote user 56 kbps of bandwidth, and all terminate into a 100 Mbps switched Ethernet environment in our central data center.
  4. Policies, Standards and Methods - List all mandatory policies and standards with which vendors are expected to comply, and methods that you employ to which they will need to align. Example:
    • [Company] has policies in place for change control and release management (copies to be provided under non-disclosure to bidders that make our short list) with which the successful bidder must comply.
    • We use Rational ClearCase software configuration management software and will make one licensed seat available to the successful bidder to be used during the life of the contract.
    • The system into which the application we are requesting will be integrated has the following service level objectives [list them]. These service level objectives cannot be degraded by any proposed solution.
    • We are in the process of standardizing on Windows 2000 with plans to migrate to Windows XP in 9 months. Any proposed solution must work with our existing and planned standards, and not conflict with the standard software suites and configurations for [Company] desktop PCs that are provided in Attachment A.
  5. Statement of Work - Completely describe what you want in unambiguous language. Make sure that the following are covered:
    • Requirements and specifications. Express requirements as business rules for the best results. Example: The application will:
      1. Sort all widgets in two passes: (1) by size and (2) by color.
      2. Group all widgets of the same size and color
      3. Create a routing slip that provides a count of each group and route widgets as follows: Size less than 1" and Color = any to QA station #1, Size greater than or equal to 1" and less than 2" and Color = any to QA Station #2, Size greater than or equal to 3" and Color = any to QA Station #3.
      4. If any Group has only one widget create an exception report that documents the operator (from the WIDGET_OP table), date and time (from the RUN_DATE table) and the size and color (from the widget_size and widget_color columns in the WIDGET_BATCH table). The PK/FK will be the run_number attribute in all of the above tables.
    • Provide all specifications. Example: The application will use Client Access/400 data queues as the means of inputting data into the system. The application will use standard SQL queries to extract any necessary information from the system.
  • List service level management requirements: Example: Any problems with the application that are not detected in acceptance testing must be resolved in accordance with our standards for problem management. Definitions for severity and priority levels are provided in Attachment B.
  • Terms and Conditions. Although your organization probably has a standard format, make sure the following are considered:
    • who owns the source code - if the vendor, will the source code be placed in escrow so you have access if the vendor goes out of business?
    • specify expectations for corrective action for defects discovered after the software has been accepted
    • specify in clear language acceptance criteria before payment will be made; if you're using progress payments, what are the quality gates for each progress stage

    Also be aware that acceptance testing is your responsibility and the criteria for acceptance need to be clearly stated in the RFP.


    Tuesday, March 26, 2002

     

    Linda's 24 March post in Notes from the Field triggered something in my memory about an article I recently read about quality and its relationship to project failure. The article is titled Failed Software Projects? Not Anymore and is a chronicle of how an international service company, CTG, adopted ISO 9001 to eliminate costly errors.

    I also want to add one more resource to augment my last entry on the Tarrani-Zarate Model and the discussion of service level objectives. The April 2000 Gartner Advisory titled An Introduction to IT Service Management packs information and insight into a short and well written brief.

    Mike Sisco's latest issue of Practical Technology Tips & Techniques Newsletter is out. This newsletter covers a wide array of issues that are of interest to IT managers. Signing up for a free subscription is painless and well worth your effort.



    Monday, March 25, 2002

     

    Connections. One of the joys is to be able to augment or complement Mike's or Linda's entries. Both have left me an opportunity to connect material from my technical specialties to entries that reflect their specialties. Today is a day of joy.

    The whitepaper titled Value-Based Requirements for eCommerce Applications connects Mike's recent entries on both business requirements and service level objectives to competitive intelligence. This document supports Mike's assertions in his recent entries, and it is a blueprint for reverse engineering competitor requirements for CI specialists.

    Managing Innovation Risks is clearly a document of interest to the competitive intelligence specialist, and if you stretch your imagination, it also lightly brushes against Linda's recent discussion of business continuity planning (yes - it is a stretch). A more direct correlation between Mike's business requirements and business imperatives discussions and competitive intelligence is found in A Scorecard to Assess Enterprise Innovation Capabilities.

     

    Tarrani-Zarate Model: Service Level Objectives. In my last entry about the Tarrani-Zarate Model I wrapped up the discussion on business requirements. The next layer in the model is service level objectives (see the illustration). Because we've extensively addressed service level management in previous entries I am going to keep this discussion short and focused.

    Short. Instead of wading through the previous entries, download and read the whitepaper titled Successful Deployment of IT Service Management in the Distributed Enterprise. It succinctly and comprehensively discusses all of the key elements of service level management, and places service level objectives in their proper context.

    Focused. Service level objectives are goals that are defined as the level of service to be delivered to the business. Examples include:

    • When the system will be available (principal period of operations)
    • What percentage of the time it will be guaranteed to be available during the principal period of operations (this gives room for unplanned maintenance).
    • How long it will take to respond to a reported incident.
    • How long it will take to resolve a reported incident.
    • How long it will take for a module to load or new screen to appear (key transaction performance)
    As you can see these are measurable objectives.

    Characteristics of service level objectives:

    • Each service level objective must be traceable to a business requirement. If it does not meet this test then the business value of meeting it is questionable.
    • They are defined by the business process owners. IT does not define them - a service level objective states a goal that the business defines.
    • Service level objectives are used by IT as the specification for service to be delivered. Any gap between what the business requires and what IT can deliver is negotiated when the service level objectives are used as the basis for the service level agreement between the business and IT for the level of service to be delivered.
    • Requirements and specifications for applications delivery for systems, applications and services are defined in part by service level objectives.
    It's clear from the foregoing that any service level management initiative starts with eliciting business requirements. It's also clear that service level management is directly traceable to business requirements, which are driven by business imperatives, and the smallest unit in service level management is the service level objective.

    There you have it: short and focused. That's not to say that it's easy - it's anything but. However, if you attempt to develop, implement and manage service level management processes without taking into account the definition of service level objectives, how they relate to business requirements, and their characteristics I'll predict failure.

    In case I was too terse, or you want more information about service level objectives, I'll offer the following:

    • Service Level Management Factors, which is a short paper I wrote in 1996. It's embarrassingly out of date and was hurriedly thrown together, but I'll trust you to take those into account as you glean useful information from it.
    • Service Support Assessment, which is an assessment checklist in MS Word format. It has some excellent questions and forces you to examine the big picture. Tailor it to suit your own needs and save it because it's a valuable artifact for service level management practitioners.
    • Commitment to Service: The Role of Service Level Management - an online paper that touches the key issues.

    In the next discussion I'll continue up the vertical path of the model by discussing processes and organization.



    Sunday, March 24, 2002

     

    My recent research has been directed towards business continuity planning and service level management from the service provider perspective. I've collected two archives of the better documents and PowerPoint presentations on these two subjects to share:
    1. Service Provider SLAs
    2. Business Continuity Planning Resources
    Since I am also in Oracle training for Oracle Certified Professional I couldn't resist the MS Word whitepaper titled Data Warehouse Availability, which fills the gap between service level management and business continuity planning.

    I'm going to be busy most of the week, so Mike and Kate will be the main contributors for the rest of the week. I also want to welcome Marcia Hopkins, who has joined us as a contributor. I'm looking forward to reading Marcia's entries here and in Notes from the Field. Welcome aboard Marcia!

     

    I just finished reading Doug Kaye's second issue of his IT Strategy Letter and am overwhelmed by the depth of analysis and array of topics covered. Doug is well-connected in the industry and is an insightful observer. Add the fact that he is an articulate writer who addresses topics that are of interest to consultants, IT managers and those in the trenches, and you'll understand why I listen to what he has to say.

    Also out is the newest issue of Amy Wohl's Opinions. This newsletter is well worth reading, and for a limited time you can also read a special report on her web site titled Linux Comes of Age?



    Saturday, March 23, 2002

     

    Reading Material. I'm still writing my next entry that addresses the service level objective layer in the Tarrani-Zarate Model. In the interim I want to provide some background material on business imperatives. It's a sad fact that too many IT professionals do not fully understand or appreciate the importance of business imperatives. Sadder still is the fact that many who have the title business systems analyst lack the understanding and appreciation. The books I've listed below will go a long way towards filling the understanding and knowledge gaps that exist:
    • Internet Commerce Metrics and Models. This book is an encyclopedia of metrics that business process owners care about, and a compendium of advice for measuring them. Don't let the title fool you - this book is as applicable to bricks and mortar businesses as it is to e-commerce sites. I can assure you that reading this book will give you insights into the minds of the business process owners for whom you exist to serve, and will impart a good appreciation of business imperatives.
    • Measuring the Impact of Your Web Site. Not only does this book expose the key metrics, but it also provides a methodology for gathering and analyzing the metrics. The methodology steps you through gathering raw measures, consolidating them, developing assumptions and approximations, then performing impact measurements. This book will not only give you insights into the business and what is important, but will also give you a methodology that can be employed for technical analysis within the IT domain. For example, these business techniques are also the basis for measuring IT effectiveness, service level attainment and other performance areas. Of course the metrics for IT are going to be different than the business metrics given in the book.
    • Financial and Process Metrics for the New Economy. More metrics, but from a financial perspective with coupling to process performance. I won't rehash the specifics because you can read my 28 August 2001 review on Amazon.
    • Ecosystem: Living the 12 Principles of Networked Business. My 10 September 2001 review covers the reasons why I am recommending this book. Also, in light of recent posts by Kate Hartshorn on complexity and perception I am going to revisit this one myself. The book has a lot of depth and provides deep insights into the business side.
    • Web Business Engineering. I saved the best for last. This book is one of the top five I read in 2001, and has everything to do with business imperatives and little to do with technology. Both Linda and I reviewed this book and I cannot improve upon what Linda said in her 16 September 2001 review or what I said in my 14 September review. If you only buy one book this is the one to get.



    Friday, March 22, 2002

     

    Dim Memories of Exciting Times. What do the radical free speech movement of 1960s Berkeley and a computer-based education system based on B. F. Skinner's behavioral theories have in common? Each has influenced the art and science of knowledge management in unique ways.

    I made these connections by serendipity. It started when Mike related some fascinating stories of the early days of personal computing and his parallel experiences on the Internet back in the late 1970s. The reason the experiences were parallel is because his access to the Internet and its network culture was via mainframes and minicomputers on MILNET. His personal computing experience and online experience converged in the early 1980s when he graduated from dialing into single-line bulletin board systems (BBS) to USENET access. The deeper I dug with probing questions the more he revealed (dredged up is a more apt term).

    Connections. As his story unfolded he mentioned early work called the Community Memory Project. I took this bit of information and applied my own research. What I discovered was that in the early 1970s a community-minded innovator and visionary named Lee Felsenstein was one of the project's creators. He was also involved with the free speech movement, which influenced his thinking. In any other place but Berkeley an engineering mindset and social consciousness would be mutually exclusive, but the summary of the project and how it came to be shows that Mr. Felsenstein was an engineer with a strong commitment to social change. An account of his role and motivations is provided in a two-article overview of the Community Memory Project's history: Part 1 - How Community Memory Project Came to Be and Part 2 - Second Generation. Mr. Felsenstein (a fellow Philadelphian) made a number of contributions to personal computing, which were recognized when he was inducted into the Computer Hall of Fame in 1998.

    The connection to B. F. Skinner and computer-based education also has its roots in the 1960s, when Control Data Corporation initiated the PLATO Project. This early work evolved into collaborative computing, and has significantly influenced, in many overt and subtle ways, the way the world wide web has evolved.

    The Point? Both events (the free speech movement that was the impetus for the Community Memory Project and the PLATO project) planted the seeds of knowledge management. Studying these early projects gives insights into what does and does not work when developing a knowledge management solution. Both contribute to the body of knowledge for collaborative systems and knowledge management (PLATO is exceptionally well-documented), and this body of knowledge should not be overlooked if you are involved in knowledge management strategies.

     

    Tarrani-Zarate Model: Business Requirements. In my 21 March entry I introduced the model, how it evolved and discussed the importance of business imperatives. These are the impetus or driving force behind everything else that flows through the model, with an ultimate purpose of delivering tools to the business that are characterized by reliability, availability and support from IT.

    Refer to the illustration and you'll see that before the model's foundation there is one additional layer: business requirements. These requirements are dictated by business imperatives. The requirements flow in two directions:

    1. Up, which determines service level objectives, which are performance targets that IT uses to measure how well the business is supported.
    2. To application delivery processes, which is either a project to develop a system needed to support business imperatives (or to modify existing systems), or the acquisition of the system/application. Application delivery also encompasses the procurement of third-party services, such as application service providers (ASPs), managed service providers (MSPs) and outsourced services and functions, including IT as a whole.
    Doing the right things. Getting requirements right is probably one of the most important activities in IT. This is a two-part process: elicitation and documentation. Within this process is the normal due diligence of peer reviews, and review and approval of the documented requirements not only by the source of those requirements (from whom they were elicited), but also by the business process owner(s) who are the final authority for whether or not the requirement conforms to business needs, governing policy (see my series on processes in Notes from the Field), and business processes (both "as is" and "to be").

    Technical and Business Value. The technical value of requirements is that they are the basis for committing resources (people and money) to develop or acquire the systems and services that support the fulfillment of business imperatives. Poorly defined requirements will at worst result in project cancellation, and at best, tools that do not completely satisfy needs generated by business imperatives.

    The business value of requirements is straightforward as well: poorly defined requirements will result in either the delay of the systems and services that comprise the tools the business employs to satisfy business imperatives, or tools that do not fully address business imperatives.

    In both cases there is much at risk, all of which goes back to competitive advantage and shareholder value. These are significant factors that determine whether or not a business will survive (or you have a job). The cost of poor requirements is clearly illustrated in costs of defects, which shows that the cost of catching problems in the requirements phase is nominal, yet increases dramatically as the development of a system progresses into the later phases of its life cycle. One of the biggest causes of problems is poor requirements. It's ironic that requirements elicitation and management is too often deemed least important when a project is initiated. To be sure there is much lip service given, but in many organizations the focus is on the development stage. This is why IT often delivers results that are [to put it charitably] less than adequate.

    Business Rules. This approach to requirements has been repeatedly mentioned here and in Notes from the Field. The value of using a business rules approach is discussed in detail in my 10 March entry, so I am not going to rehash it in this entry. I do want to recommend two books, both of which I've recently reviewed on Amazon, and encourage you to carefully investigate this proven approach to requirements:

    1. Business Rules and Information Systems: Aligning IT with Business Goals
      Best introductory text on the subject
      This book introduces the concept and mechanics of business rules, and is essential reading for anyone involved in eliciting and writing requirements, or developing specifications. I want to disclose that I am a staunch advocate of business rules, so take this into consideration as you read this review.

      This is one of two books on the subject. The other book, Business Rules Applied by Barbara von Halle, is more suitable for an experienced practitioner or someone responsible for implementing business rules as an enterprise methodology. This book, however, focuses on the basics and addresses topics, such as object orientation and development, that are not found in von Halle's book. Both books are valuable, but to different audiences.

      What I like most about this book is that it painstakingly describes how to define business rules, and how to clearly and unambiguously describe them. Moreover, the approach given in this book employs the object constraint language, which is a part of the unified modeling language (UML) version 1.1. As such it shows how to integrate business rules into use cases, and to develop artifacts that align to organizations that are using UML or the Rational Unified Process, as well as object-oriented frameworks in general.

      My favorite chapters were 3, which is about defining business rules (getting them right) and 5, which covers controlling business rule quality. To me these are the keys to understanding and using business rules, and both chapters were clear and filled with examples. I also liked the appendix, which covered logic - another essential knowledge factor for analysts who are involved in requirements and specifications.

      If you're new to business rules or are exploring them, start here. Even though the von Halle book is better suited to experienced practitioners, I would still recommend this book to members of that audience who are working in object-oriented environments or are using UML. If you are also using UML, do consider also reading Alistair Cockburn's excellent book titled Writing Effective Use Cases because that book is completely consistent with the material in this one.

    2. Business Rules Applied
      For experienced practitioners and business rules implementors
      This is one of two books currently in print about business rules, and each book addresses the subject from a different perspective. The other book, Business Rules and Information Systems by Tony Morgan, is a better introduction because it assumes less technical knowledge. This book, however, has unique strengths that the other book doesn't, including:
      1. A comprehensive approach to preparing for and implementing business rules as an enterprise-wide discipline. It accomplishes this by providing a life cycle approach to business rules development through ongoing management.
      2. The implementation approach is provided as a work breakdown structure, which significantly reduces your planning for an enterprise-wide initiative (or a pilot initiative based on a single project).
      3. There is an accompanying web site that provides additional papers, case studies and other materials that enhance the value of the book.
      The introduction to business rules and concepts is perhaps too verbose, but is thorough. What this part of the book lacks in sparkling prose it more than compensates for in detail. I particularly liked the chapter devoted to business rules methodology, which takes the concepts and applies them in a structured way. Another strong point is that the book provides many examples to reinforce points under discussion, and summarizes key information in easy-to-read tables. The illustrations that are sprinkled throughout the book also add clarity.

      If you're new to business rules the best book, in my opinion, is Morgan's Business Rules and Information Systems. However, after reading that book you'll also want this one if you are serious about implementing business rules because of the way Ms. von Halle has structured the flow and content. Also, the author is one of the pioneers in the business rules community, which adds considerable authority and credibility to her approach.

    Next Up. In my next entry I'm going to discuss the impact of business requirements on service level objectives.

     

    Treasure. We're all required to write, and for some of us it's what we really do for a living despite our titles. I found a handbook recently that is so well written and on the mark that I'm compelled to share it: Plain Language Handbook. I usually provide links and documents knowing that they will interest some readers, but not others. This book is for everyone and I encourage you to download a copy.

     

    Miscellaneous Musings. Group Decision Support Systems, Inc. has an excellent working paper collection covering topics ranging from knowledge management to organizational improvement.

    One of the best papers to illustrate competitive intelligence concepts is the 62-page publication titled U.S. and Worldwide Consulting Services Market Forecast and Analysis, 2001–2005. What makes this paper valuable is that the collection and analysis techniques are clearly apparent. While the document itself does not fall into the category of competitive intelligence, it was developed using the same techniques. Since most of us are in the consulting business, the contents are as interesting as the methods with which they were developed.

    Strategic Application of e-Intelligence discusses the use of data as a strategic tool. This paper fits nicely into Mike's earlier discussion about business imperatives and how they relate to the Tarrani-Zarate Model.

    How Can IT Support the Learning Organization intersects with my discussion of knowledge management and business intelligence, and the direction that Mike is taking with the Tarrani-Zarate Model discussion.

    I posted material about cognitive science, complexity and perception in my last Notes from the Field entry. As a follow-up here I am sharing a PowerPoint presentation on requirements engineering that lightly touches on the more subtle challenges of eliciting and documenting requirements.



    Thursday, March 21, 2002

     

    Tarrani-Zarate Model - Part 1. I'm finally caught up and have the time to pick up where I left off nearly two weeks ago. First things first: I greatly appreciate the way Linda Zarate and Kate Hartshorn stepped in and kept this and Notes from the Field going while I was engaged elsewhere. Not only did they cover for me, but they both shared an incredible amount of information about a wide array of topics. With such wonderful colleagues and friends I am doubly blessed. Thank you both!

    Genesis. Linda and I developed this model nearly two years ago. The impetus behind it was our dissatisfaction with a model, called the Inteliant Operations Maturity Model (iOMM), that was developed by a company where she and I were working. Although we participated in the development of the model, we clearly saw that the model had many gaps, not the least of which was the fact that it just didn't make sense when you drilled down into it. The reason why the problems existed had little to do with the team that developed it. Indeed, the people with whom we worked were the best and brightest IT operations management professionals in the business. The problem came about because we attempted to cast the model in a neat geometric shape. The first iteration was a pyramid, which did capture the essence of what it takes to effectively decompose the complexities of IT operations management into domains.

    The second iteration of the model as it unfolded was depicted in a cube to add another dimension to capture elements that were impossible to depict in a pyramid. This was a major leap forward, but the root cause of the problem was we were looking at a geometric form with which to visualize IT operations management instead of looking at the important aspect: answering the simple question, "What is operations management supposed to accomplish?"

    We decided to answer the question and let the shape of the model, regardless of how unseemly it turned out, be determined by that answer.

    What is the Tarrani-Zarate Model? In a nutshell, the model is a way of capturing the purpose of IT operations management, looking at the necessary drivers, required processes and casting them into an end-to-end flow that delivers service and support to the business. That, after all, is why IT exists.

    What we came up with was a model (see illustration) that had business imperatives as a driving force, and the following major layers:

    • Foundation, consisting of business requirements, service level objectives, processes and organization
    • Key processes, which encompass change and configuration, problem, recovery, workload, security and service level management
    • Technology - the layers of infrastructure and systems that are necessary to provide tools to the business
    • Service Delivery (the end goal of IT operations)
    • Applications Delivery - which is how new systems and services are brought into the enterprise
    One problem with this model is that we have not shown the full scope of security. While there are IT security processes, they should be under the aegis of an enterprise-wide security program. This is something we'll correct in the model as we develop it.

    Business Imperatives. This is the driving force behind the model, which determines how all other layers (both vertical and horizontal) will be managed. Business imperatives can be broken down into five basic forces, all designed to create customers at the most basic level, and business viability at the macro level. The forces are:

    1. Strategic and tactical objectives - the reactive and proactive responses to competition, market shifts, regulatory factors, etc.
    2. Mission and values, which define the business entity and are a function of leadership.
    3. Competition, which determines strategy and tactics to a large degree, and is the barrier to creating customers in an open and free market.
    4. Shareholder value, which is an imperative for all publicly held companies. This imperative has legal ramifications that are closely connected to regulatory and legal imperatives.
    5. Legal and regulatory compliance requirements are constraints and govern how all other imperatives affect the business.
    One way to see the cause and effect of business imperatives on meeting the model's objective of providing service and support to the business is to closely examine the flow, factors and considerations depicted in the recovery management process. This particular process is at the key processes level in our model, and as shown in the illustration it touches all other aspects of the model (with the exception of applications delivery). Each of the key processes in the model can be traced to business imperatives, so this example is apt.

    Closing Notes. Tomorrow I'll discuss the foundation level of the model, which has been partially addressed by Linda's recent entries here and in Notes from the Field. At some point in the coming entries I will also begin introducing books from Mike Sisco's IT Manager Development Series. Until then you may find useful information that addresses business imperatives on our Business and Strategic Planning Resources page.



    Wednesday, March 20, 2002

     

    Capacity Management. I've just posted a review on Amazon of Resource Management. The review is:
    Approach and concepts that apply to all environments

    This book provides in-depth coverage of resource management that can be applied to not only Solaris (or other UNIX systems), but to any system. It accomplishes this by tying resource management to service level management, and does so with one of the best discussions of service level management in print.

    Service level management, covered in chapter 2, clearly shows the service delivery cycle by exposing interactions among and between vendors, system managers and the systems being managed, and business users. I especially like the resource management control loop discussion, which places the rest of the book into the context of support and service. Another innovation that is introduced in this book is the concept of viewpoints as they relate to performance and capacity: These viewpoints can be system-, cluster-, network-, application-, storage- or database-centric. The viewpoints are not mutually exclusive. The authors show how to integrate any and all of them into a coherent and consolidated approach.

    The approach is based on policies and controls, and workload management and measurement. The discussion remains focused on service level management throughout the book. The examples for achieving the approach's objectives are, of course, based on Solaris for the most part. If you're using a different variant of UNIX you should be able to easily re-map the facilities and utilities cited in the book to those that are available in your own environment. This also applies to non-UNIX environments. The concepts and approach apply to NT/W2K/XP, IBM midrange systems and mainframes. I was surprised to find that IBM's Workload Manager for OS/390 was included in the book. I came from this environment, so the discussion provided me with familiar territory that caused me to clearly see just how applicable this book is to any environment.

    If you work with Solaris this book is essential. If you work with other operating systems still buy this outstanding book for the concepts and approach.

    One of the foundations of service level management (which I discussed in my entry in Notes from the Field earlier today) is resource management. This activity not only affects how well service level objectives for transaction times are met, but also has much to do with availability. Poorly planned and managed resources (capacity and performance) can affect maintenance window length and/or frequency. Maintenance windows should be minimized as much as possible. Every maintenance action that requires a system to be off-line reduces overall availability of the tools that the business uses to meet business imperatives.

    I want to share related documents about capacity and performance management that will get you thinking about these two primary elements of resource management:

    Since this material is directly related to what I posted today in Notes from the Field, I'm going to end this entry with two additional documents that tie together both entries:
    1. Application Service Provider Models
    2. Balanced Scorecards and IT Management
    I hope these will also help Mike when he begins his discussion of the Tarrani-Zarate Model for Information Technology Management, which is due to commence any day now.

    Best regards from Azusa, California.



    Tuesday, March 19, 2002

     

    Knowledge Management Wrap-Up. Kate's wonderful contributions and endless sources of documents and presentations on knowledge management have given me a priceless education and have inspired me to do deeper research on the topic. I have two contributions to the topic that relate to support and service delivery:
    1. Diagnostic Knowledge Representation, which discusses how to best display knowledge to tier 1 and 2 resources who troubleshoot and resolve problems.
    2. Managing Customer Support Knowledge, which squarely addresses issues and challenges in using knowledge management effectively at the call center and help desk level.



    Monday, March 18, 2002

     

    Manage Knowledge Before It Manages You. Linda graciously left me an opening to add more material about knowledge management. The theme of this material is making the business case, and a good starting point is Knowledge Management Business Case Exploration. If you are considering whether or not knowledge management is worth the effort and resources, the paper titled Risks of No Knowledge Management may help you decide. The paper starts with an attention-grabbing sentence:
    Three recent failures in risk management - at Barings Bank, Kidder Peabody, and Metallgesellschaft Refining & Marketing - point to a similar underlying cause: the failure of the firms to manage their organizational knowledge.
    It goes on to give some compelling reasons in favor of knowledge management.

    As you go deeper into the analysis and decision process you'll find the paper on knowledge management implementation issues to be useful. You'll also find invaluable information in The Quest for a Model of Knowledge Management Evaluation. This paper's abstract illustrates why the information it contains is an important part of the decision making process:

    This paper reviews the features of successful knowledge management systems, trying to reveal the general factors and the characteristics of such systems. The aim is to enable managers to distinguish between traditional IT systems labeled KM systems, and real knowledge management systems, enabling companies to use their specific knowledge in order to gain competitive advantage. The list of general characteristics can be used either for examining existing knowledge management systems at different stages of their lifecycle, or as guidelines for planning and starting the design of such a system.
    In other words, approach knowledge management from a business perspective, not from the IT view.

    A more advanced look at knowledge management is given in Knowledge Reuse, subtitled, The Missing Focus in Knowledge Management: Results of a Case Analysis at the Jet Propulsion Laboratory. It's a well written case study with information that you can effectively use as you plan your knowledge management strategy.

    La Vita Dolce Per Tutti. Rough translation: the sweet life for all. It's a beautiful day in Irvine, California and I am going to take a break and enjoy it. Ciao.

     

    Book Review. Linda and I finally posted our reviews of IT Systems Management: Designing, Implementing, and Managing World-Class Infrastructures on Amazon. It will take between three and five days for the reviews to appear on the Amazon product page, so I am going to post both here.

    Linda's Review
    Amazingly complete and packed with knowledge

    Mr. Schiesser has managed to capture all of the essential service delivery processes in a single book, and he covers each of these topics with a thoroughness that will give you a foundation to implement world-class system management.

    He starts out with three chapters that cover the history of system management and how it has evolved into an important discipline that is currently challenged by issues that were not foreseeable when I started in the industry 25 years ago. Today systems are interconnected into complex supply chains and extend onto the desktops of home and business users who are not known to the managers of the systems. Although these chapters can be skipped, they do provide context for the details that come in later chapters. In fact, each topic in the book is introduced at a basic level, then built upon in layer upon layer of detail. This makes learning the complex discipline of system management easy for someone new to IT, and exposes details that even seasoned veterans may not have encountered.

    The book's best feature is that it covers each of the key processes (support and problem management, availability, performance tuning and capacity planning, change control and configuration management), and ties them to related areas (security, disaster recovery, facilities management, and infrastructure management areas for storage and networks).

    Although the book is not sequenced in the key process and related areas in the order I've listed, a pattern emerges as each topic is covered. The glue that ties all of these together is the way the author develops a strategy for organizing for systems management, including staffing considerations, and the integration of the processes at the end of the book. I especially like the way tactical and strategic processes are identified and how the relationships are developed.

    As an IT operations management specialist with extensive experience I appreciate the way the book has accurately captured the essence of systems management. As a consultant I found the checklists and worksheets provided in the book to be invaluable. This book represents an important contribution to the overlooked body of knowledge of systems management and IT operations, and should be on the bookshelf of every IT manager or service delivery specialist who takes their job seriously. It should be carefully read by those in the dot com and ASP industries because the processes described in this book, if implemented, will differentiate your services and give you a significant competitive advantage.

    My Review
    Complete coverage of critical processes
    This book provides sorely needed guidance for developing and implementing system management processes that will assure reliability, availability and support. The topics that this book addresses that are not found in any other I've read include:
    • Production acceptance criteria - this topic covers the critical boundary between development or projects, and operations. The value of employing the book's approach to production acceptance is that applications and systems will be brought into production in a carefully controlled manner that ensures all of operations is fully prepared to provide the level of support required by the business.
    • Acknowledgement of the importance of facilities management, which is almost always overlooked until problems arise.
    • One of the most comprehensive and well thought out collections of checklists I've ever encountered. The checklists provided in the book cover every aspect of systems management, ranging from staffing profiles, key issues in infrastructure support processes, to capacity planning. The checklists alone are worth many times the price of the book.
    • Linking change control (a rare topic itself) to configuration management. I specialize in these two areas and can attest that the author's treatment is accurate and reflects best practices.
    • Special considerations for web-enabled environments. Finally we have material that updates traditional management and support processes to reflect challenges of web-based computing. The tried and true methods many of us learned from mainframe environments impeded the meeting of business goals in web-based environments. This book gives advice that is useful and provides a foundation for evolving processes to meet these unique challenges.
    I also like the way each topic is explored by starting simple and expanding into details that are examined for strengths and weaknesses. The net result is an understanding of all factors and issues, including many subtle ones that would have required iterations of trial and error to get right. Most importantly the author stayed focused on processes and best practices, leaving system management products to authors of books for a much narrower audience. This, in my opinion, greatly increases the value of the book and makes it applicable to anyone who is part of the system management or service delivery process. My only complaint, and it is minor, is the lack of a web site or accompanying CD ROM with the invaluable checklists and tools in electronic format.

     

    Knowledge Captured. I'm going to wait for Kate to pick up the knowledge management thread to which she and I are contributing before going deeper into that topic. Knowledge management is Kate's domain and I am going to defer to her expertise, while learning everything I can from her. In this entry I want to address a topic that's important, but one that we tend to overlook: data center management. There is a large body of knowledge about this discipline, but it is difficult to find.

    Data Center Knowledge Base. When was the last time you saw a book about data center management in your local bookstore? Even a search on Amazon, which boasts over two million books, yields two titles, one of which is out-of-print. However, you can find excellent material with persistence and the help of Google. Here are the gems that I uncovered:

    Closely related is a PowerPoint presentation titled System Administration Efficiency, which covers many issues related to data center management.

    Fairness. To be fair to Amazon my title search was limited to books with the words "data center" in the title. There are some excellent books, if you're familiar with the top ones in print, and most of them are published as books in the Harris Kern Enterprise Computing Series. Mike and I have reviewed all but two of the books in this series on Amazon. Of the remaining two, we are each ready to post a review of IT Systems Management: Designing, Implementing, and Managing World-Class Infrastructures, which is probably the best book in the series. As soon as we post our reviews on Amazon we'll post them here as well, so you can read why we both think so highly of this book.



    Saturday, March 16, 2002

     

    Knowledge in Production Support. Kate's discussion of knowledge management ties into IT production support, particularly at the contact center or help desk level. In fact, all of the major help desk applications either have knowledge management modules built into the core product or offer them as options and/or third-party add-ons.

    Gaps. While these tools have been available for years, they are often not implemented, or if they are implemented, they are not used to their fullest potential by any but a few help desk organizations.

    Help desk professionals who understand knowledge management are rare. Moreover, while many help desk managers are experts in problem management and service level management, few have the background and knowledge needed to appreciate the true value of knowledge management. In theory they all seem to agree that it's a good thing, but in practice many give it lip service. This does not diminish their professionalism; instead it validates everything Kate had to say about the daunting (and expensive) endeavor of implementing knowledge management. As a service delivery practitioner I fully appreciate the difficulties, and also believe that knowledge management is a discipline, and implementing it correctly requires experienced professionals who fully understand how to capture, organize and disseminate knowledge. I also appreciate having Kate on our team and look forward to her future entries about knowledge management.

    I want to share some basic documents about knowledge management that are specific to help desk operations:

    These documents only scratch the surface of what help desk and service delivery professionals need to know about knowledge management, but they are a starting point.

    Wrap-up. Lessons Learned from Help Desk Consolidations doesn't address knowledge management, but does represent valuable knowledge that we should be capturing and managing. I found this gem when I was researching a completely different topic and immediately saw its value to anyone who is faced with consolidating help desks or contact centers. I also enjoyed reading a whitepaper published by Hewlett-Packard titled A Fool With a Tool is Still a Fool because it supports my position that tools without processes are useless.

    Mike is not missing in action - he's swamped with a heavy workload. He should be resurfacing later in the week.



    Friday, March 15, 2002

     

    Knowledge is Empowering. I've been discussing competitive intelligence and its relationship to business intelligence in recent entries here and in Notes from the Field. When you strip away the motives, processes and activities it all comes down to knowledge. It makes little sense to engage in competitive intelligence operations, or to use business intelligence as the basis for solutions to give competitive advantage if knowledge isn't effectively managed.

    Information and Knowledge. Information by itself is of marginal value. It must be turned into intelligence (see Mike's 28 February 2002 entry for details), and intelligence provides decision makers with the basis for decisions and action.

    Managing information is the easy part - it's stored as data in databases and extracted, aggregated and transformed into information using queries, tools such as spreadsheets and more specialized tools. At some point the information that is derived from the data becomes intelligence. Decision support systems and multidimensional databases and other technology are routinely employed to either enable this, or to actually provide raw intelligence.

    The hard part, however, is capturing and managing the knowledge that is a byproduct of the data-information-intelligence flow. In too many organizations knowledge, unlike information and intelligence, resides inside heads. The disadvantage is that when the executive or key employee leaves, the knowledge locked in their brains leaves too.

    One reason for this is that implementing effective knowledge management systems is difficult and expensive. This is slowly changing, due in no small part to portal technology.

    Realistic Concerns. Technology alone is not the solution. There has to be a strategy for capturing, organizing, disseminating and maintaining the knowledge.

    There are hurdles to overcome, one of which is the politics of information sharing. Yes, sharing information empowers and strengthens. Making it happen often requires a sweeping change in corporate culture. Even then, there will be pockets of resistance.

    There also has to be a strategy for securing knowledge. For all of the talk about learning organizations, how knowledge empowers and knowledge capital, a lack of controls would result in a disaster.

    Need to know is a time-tested rule for managing sensitive information that could cause damage if it falls into the wrong hands. Therefore, in addition to capturing, organizing, disseminating and maintaining knowledge, you need to include compartmentalizing knowledge.

    Full Circle. Knowledge has value. The critical issue is how to quantify that value as it relates to your organization, and how it can be leveraged. The driver is simple: business imperatives. The approach is straightforward: investigate, develop a business case, evaluate options and alternatives, decide on a solution that best supports business imperatives with the most attractive ROI.

    Make no mistake, the approach to leveraging organizational knowledge may be straightforward, but it is not easy. It also requires commitment at the highest level, both for vision and for funding.

    Read Intellectual Capital ROI to gain an understanding of how to determine the value of knowledge, and this article about data waste for additional supporting information for your business case. Other issues and factors can be derived from Principles of Knowledge Management, which will give you the big picture.



    Thursday, March 14, 2002

     

    TEAM Zarate-Tarrani. You read what we write, but probably don't know much about our backgrounds and professional capabilities. I've just placed the TEAM Zarate-Tarrani Capabilities page online, which fills in the gaps.

    Software Process Improvement. I've added process-related documents and presentations to my latest entry in Notes from the Field, and want to focus on software process improvement in my entry here. To that end I have a collection of documents and presentations that succinctly cover the key issues, as well as tie software engineering processes to the topic (general process design and implementation) that I am addressing in Notes from the Field.

    Implementing Software Process Improvement discusses the issues and challenges of an initiative that many organizations have started only to later abandon because it isn't easy. Critical Success Factors for Software Improvement is a document that points out what must be done in order to successfully implement software process improvement, and Software Quality Organization brief gives a brief summary of the organizational considerations that need to be taken into account.

    Related. When you're addressing software process improvement you'll have a model or framework in mind. If you're considering the CMMI as the framework, then the presentation titled Unintended Consequences of the CMMI is a document you'll certainly want to read. If you're either an ISO 9000 organization considering the CMM, or are weighing the options of whether to go with ISO 9000 or the CMM, you'll find the 75-page CMM-ISO 9000 cross-reference invaluable.



    Wednesday, March 13, 2002

     

    Service is the Game. In today's Notes from the Field entry I discussed IT services and the emerging models that have been designed to standardize and/or add structure to service level management. My focus in that entry was service level management as it related to outsourcing and contracts. Here I'm going to concentrate on more general aspects of service level management, and also discuss the IT Infrastructure Library (ITIL), which is the UK standard that encompasses it.

    Service Foundations. First I want to add to Mike's earlier entries that provided balanced scorecard material. The document titled Balanced Scorecard for IT contains advice and strategy for measuring services provided by IT. Another document that gives a solid foundation to any service level management initiative is Production Environment Engineering, which is a topic near and dear because I spent most of my professional life in production services.

    Chicken or Egg? Do you begin with Service Management Essentials or with SLA Specifications? Neither - it's a trick question. You start with an understanding of the basics, and with a framework, then build out from there.

    Building Blocks. A starting place is Introduction to Service Management, and it is reinforced by an example using real service management processes that were implemented by Bangalore Labs.

    Quality and service management go together. Quality Framework for ITIL does an excellent job of explaining the basics of the ITIL, and also uncovers the essential quality ingredients that need to be present in any service management process, regardless of the model used. The flexibility of the ITIL approach is shown in Hewlett-Packard's Service Management Reference Model, which is based on the ITIL approach. You can learn much about how to apply ITIL processes and practices by reading this document.

    As you dig deeper into the ITIL (and you should if you're serious about service management), you'll find the ITIL glossary to be a handy reference to terminology you'll encounter. If you're involved in business continuity planning, which was raised to a highly visible activity after 11 September, the whitepaper titled Interfacing ITIL Change Management and Contingency Planning shows the close interrelationship between business continuity planning and service level management at a high level, and how specifically the ITIL approach supports BCP.

    A mature look at service level management for advanced practitioners is discussed in Policy-Based IT Service Management.

    Parting Note. I've only just discovered the IT Comfort Reference Model. It's poorly named, in my opinion, because it has nothing to do with ergonomics (which is implied) and everything to do with service management. I only briefly browsed through the site, but it does look interesting and is certainly slanted towards the ITIL.



    Tuesday, March 12, 2002

     

    News. My web page is completed and available for viewing. There is still much content to add, but none of the pages are under construction. They are in a state of evolution, and more content will be added in the coming week.

    Interests and Documents. Although my background and technical specialties encompass research, competitive intelligence and knowledge management, I also have a professional interest in information warfare. There is a grey line between competitive intelligence and information warfare, and a direct relationship between competitive intelligence and security. If you were to create a Venn diagram using competitive intelligence, knowledge management, information warfare and security domains you would see the relationships among each of these areas.

    I have three collections of documents that introduce information warfare, provide related issues and cover basic security, all of which show the connections that you would spot if you drew the Venn diagram:

    1. Overview of Information Warfare (what is it, who does it and why).
    2. Info War Issues (insights into political and legal issues).
    3. Security Issues (various topics, including assessment appraisals, privacy, typical threats and security in a connected world).

    My Role. If you've been reading this weblog or its sister, Notes from the Field, you've probably noticed that I'm taking a more active role in developing and publishing content. Mike and I are in the process of developing a new web site that focuses on business and competitive intelligence, which will tie together my entries in the weblogs and broader material about those topics. Until then, you can read up on security and information warfare by going to the Information Technology Security Page that Mike and Linda maintain (this page has a sub page devoted to information warfare), and Robert D. Steele's collection of security and information warfare whitepapers. In addition, you will find well-written and topical entries in Lisa Rein's weblog. Enjoy.

     

    Briefly Speaking. My time lately has been thinly sliced and shared among a number of competing projects, so this entry is going to be brief. My goal is to share, with little commentary, documents that I've recently come across. Each document is related to, or supports, in some way topics that I've recently discussed here and in Notes from the Field. Without further ado (or much in the way of explanation), here they are:



    Monday, March 11, 2002

     

    Plan of the Week. I just finished posting my first entry in a series about processes in Notes from the Field. In the next day or so I'll be starting a series about the Tarrani-Zarate Information Technology Management Model, starting with the foundation layer of business imperatives and requirements. That layer and the entries on processes in Notes from the Field complement each other, so if you're interested in one topic, you'll probably be interested in the other.

    Because Mike Sisco's IT Manager Development Series covers many elements of our model I will be reviewing each of his books as I write about the model. The IT Manager Development Series is a 10-book collection of professional guidance that addresses every facet of IT management.

    Full Plates. Linda is starting her Oracle Certified Professional training tomorrow, so I don't expect her to be actively writing here or in Notes from the Field until she settles into the training regimen. My workload has also increased. I've encouraged Kate to take a more active role, and hope she continues to grace these weblogs with her clear writing and extensive knowledge.

    Resource. Until I start posting the entry about business imperatives you may want to explore the documents and links that we have on our Business Strategy and Planning page.



    Sunday, March 10, 2002

     

    Zachman Framework - Part 4. Since my last entry Kate Hartshorn and Linda Zarate have been busy adding background material here and in Notes from the Field. It's now my turn to produce. I'm going to pick up where I left off in my 7 March entry by finishing the topic about business rules, and wrapping up the Zachman Framework.

    Business Rules. In my previous entry I gave an overview of business rules, an example and resources for further reading. Among the resources was Barbara von Halle's book, Business Rules Applied: Building Better Systems Using the Business Rules Approach. While I think Ms. von Halle's approach is sound, the business rules body of knowledge is still relatively young. There are many differing, albeit complementary, points of view and approaches, and if you intend to become an advocate you need exposure to these points of view and approaches. One of my favorites is a five-page document titled Business Rules Primer. It's consistent with Ms. von Halle's approach and you can get a working overview without wading through Business Rules Applied: Building Better Systems Using the Business Rules Approach's 546 pages. To be sure, you'll still want to read the book, but exposure to the concepts and basic mechanics before delving into a 546-page tome is an efficient way to get up-to-speed.

    The six-page whitepaper titled The Importance of Business Rules in the Organizational Transformation Process touches upon topics related to business processes and, to a degree if you extrapolate, knowledge management. Both of these topics are integral elements of the Zachman Framework, making this paper particularly valuable.

    Modeling Processes and Workflows by Business Rules goes even deeper into the importance of business rules as a technique for organizational transformation, and also augments a topic that I'll soon be addressing in Notes from the Field: processes. (Kate Hartshorn and Linda Zarate have already laid the foundation for this topic in their recent entries.)

    There is a strong and natural affinity between business rules and data, which is illustrated in the following documents:

    If you work with PeopleSoft you'll also want to read Enforcing Business Rules with PeopleSoft.

    I'm obviously a business rules advocate, and hope that I've piqued your interest as well as provided a good starting point from which to gain a more in-depth understanding of business rules and their value to an enterprise architecture. While I've linked business rules to the Zachman Framework in my series of entries, the two are complementary. Business rules as a technique and approach stand alone as a tool and are effective independent of any framework, methodology or approach you are working with or considering.

    Zachman Framework Wrap-up. Between my entries covering the Zachman Framework and Kate Hartshorn's excellent and insightful entries here and in Notes from the Field that cover business intelligence and knowledge management, there is sufficient information with which to evaluate the Zachman Framework as a viable approach to an enterprise architecture. I'm an advocate of the Zachman Framework in the same manner that I am of business rules.

    I do want to point out a drawback to the Zachman Framework that you should keep in mind if you do share my opinions about its value: there is a tight coupling among the dependencies in the framework. If you change one cell, it will trigger a cascade effect that ripples across all of the cells. If an enterprise architecture based on the framework is developed, be aware that it can spin out of control if the evolution is not carefully managed. Do read Enterprise Architecture Planning: Developing a Blueprint for Data, Applications and Technology by Steven H. Spewak and Steven C. Hill if you are seriously considering the Zachman Framework as the basis for your enterprise architecture.

    There are three final documents that I want to share, all of which were written by John Zachman:

    1. A Framework for Enterprise Architecture
    2. A Framework for Enterprise Architecture: Background, Description and Utility
    3. Challenge is Change
    These documents, all in MS Word format, succinctly summarize the Zachman Framework, and provide enough information to make a further investigate/not of interest decision with respect to Mr. Zachman's approach to enterprise architecture.

    End Note. I am pleased to see Kate Hartshorn's increasingly active contributions here and in Notes from the Field. She has a wealth of knowledge and experience from which we can all benefit. What makes her entries especially valuable is the fact that Kate is not an IT professional. Her insights give those of us who are IT professionals a unique glimpse into the thought processes of a sophisticated business user.

    Linda's recent entries have also added value to both of the weblogs and I appreciate how she has augmented my topics, in some cases anticipating me, with background information. She and I enjoy a close working relationship and deep friendship that are symbiotic and enriching.

     

    Killing Two Birds. I posted an extensive amount of material earlier today in Notes from the Field about processes. The following documents are about security, but two of them discuss security processes in great detail. If you're interested in developing and implementing security processes you'll find the general material on processes and capability maturity useful.

    The documents:

    • Enterprise Security Policy is a PowerPoint presentation that steps you through the development and implementation of an enterprise-wide security policy. This document is directly related to the process material I posted in Notes from the Field because policies govern processes.
    • Another document that is about process and security is the PowerPoint presentation about how to set up a Security Incident Response Team. This document contains a lot of material about security, as well as policy, process and procedures.
    • Cyber Threats to Critical Infrastructures is for the hard core security practitioner. This document is short on process and rich with technical insights.



    Saturday, March 09, 2002

     

    More Material. I've been reading Lisa Rein's weblog and am amazed by her knowledge of intellectual property law issues and related topics. When I first read about her in one of Mike's entries I assumed that she was an XML expert and a journalist. As it turns out, Ms. Rein closely follows intellectual property, civil liberties and related law, and her assessments are cogent and intelligent.

    Mike sent me a copy of Laura Brown's Innovations Newsletter, in which she discusses the DMCA. The newsletter is well written and covers a wide range of topics. If you like the newsletter you may wish to subscribe and automatically receive it in your email when each issue is published. I took the time to explore her web site, and found a wealth of information. Mike cited Ms. Brown's Integration Models: Templates for Business Transformation as one of the top four books he read in 2001 (see the 4 January 2002 entry in Notes from the Field). Take my word, that's high praise. If you want to know more about the book see Mike's and Linda's Amazon reviews that were written in June 2001.



    Friday, March 08, 2002

     

    Introduction. Mike's recent Zachman Framework topic touches upon my core competencies, which has inspired me to emerge from the shadows and contribute to the discussion.

    Before proceeding I want to share information about my background and professional interests. I received my BA in Social Ecology from the University of California, Irvine in 1988. I've held a number of positions ranging from marketing support, to project management, to competitive intelligence specialist. I'm also an inactive (at the moment) member of the Society of Competitive Intelligence Professionals (SCIP) and the Special Libraries Association (SLA).

    Mesh of Topics. There is a direct correlation among knowledge management, competitive intelligence and intellectual property law. The relationships are:

    • Knowledge management is a superset of competitive intelligence. The infusion of competitive intelligence into an organization's knowledge base is business intelligence.
    • Competitive intelligence has its own specialized domains. For example, technical intelligence can be gathered using patent searches, reverse engineering and competitor marketing literature. The connection between competitive intelligence in the technical domain and intellectual property law is clearly shown when patent searches are used as a gathering strategy.
    • Intellectual property (IP) law also governs reverse engineering strategies because the Digital Millennium Copyright Act (DMCA) restricts practices that were formerly completely legal. If you've been reading Mike's entries on the Uniform Computer Information and Transactions Act (UCITA), you'll see that IP laws are not the only inhibiting factor in contemporary competitive intelligence. UCITA is related to the Uniform Commercial Code (UCC), which is a set of laws that govern fair business practices. Intellectual property laws govern copyrights, trademarks and patents. Although IP law and UCC are two completely separate areas of law, they both affect competitive intelligence, and the new requirements imposed by the DMCA and proposed by UCITA need to be understood.

    What Does This Mean to You? As an IT professional you may be involved in competitive intelligence gathering, either through covert methods (legal and ethical, of course) or through benchmarking. In addition, you have a responsibility to understand legal and ethical ramifications that are inherent in IT. Some examples of the inherent legal and ethical ramifications that apply specifically to IT professionals are:

    The above articles are all from M. E. Kabay's Network World Fusion Newsletters and each provides chilling examples of ramifications of which you need to be aware.

    Knowledge management is also a foremost concern for IT professionals because you will either be called upon to develop solutions for your constituents, the business process owners, or will employ it internally to improve IT processes, or both.

    Material. I've gathered material (using competitive intelligence techniques, of course) that will get you started in the basics of CI, knowledge management and IP law:

    • Competitive Intelligence. Four archives of PowerPoint presentations:
      1. CI Basics (contains six presentations covering the fundamentals)
      2. CI and the Internet (two presentations on basic Internet research techniques)
      3. Research Techniques (five presentations on topics ranging from strategic intelligence to gleaning intelligence from patents)
      4. Other CI topics (contains seven presentations covering CI benchmarking, education, strategic use of intelligence, etc.)
    • Intellectual Property. IP Law and DMCA, containing seven presentations on IP law, DMCA, Cyber Liabilities and related topics
    • Knowledge Management. Five archives of PowerPoint presentations covering:
      1. Knowledge Management Basics
      2. Knowledge Management in Practice
      3. Knowledge Management in IT
      4. Knowledge Management Processes
      5. Knowledge Management and Business Process Improvement

    Back into the Woodwork. I am going to return to my shadowy underground, providing support to Mike and Linda. I'll emerge into the sunlight again when Mike becomes inundated, which he is now. In the meantime, I hope this short piece and the materials that I've provided fill in any gaps or clarify Mike's discussion of knowledge management as it relates to the Zachman Framework. Some of this material will also be helpful when Mike begins discussing policies, processes and procedures in Notes from the Field. Best wishes from Irvine, California.



    Thursday, March 07, 2002

     

    Zachman Framework - Part 3. This entry is going to introduce business rules, which is a continuation of my last two entries.

    What are Business Rules? A business rule, according to Barbara von Halle in Business Rules Applied: Building Better Systems Using the Business Rules Approach, is defined as:

    [t]he set of conditions that govern a business event so that it occurs in a way that is acceptable to the business (or customer). The business people (or customer) state rules that define all possible and permissible conditions for the business event along with those that are not permissible or are undesirable.
    She goes on to state:
    A useful way to divide the world of business rules involves three major categories:
    1. Terms
    2. Facts
    3. Rules
    The terms and facts will be the foundation for a logical data model and physical database. The third classification - rules - is where the excitement lies in a business rules approach.

    Rules are classified as five different types:

    1. Mandatory constraints
    2. Guidelines
    3. Action-enablers
    4. Computations
    5. Inferences
    If you're familiar with Information Mapping, you'll see parallels between that documentation technique and business rules. You'll also notice familiar concepts if you've worked with the IDEF family of models that provide a structured approach to enterprise modeling and analysis.

    Why are they Important? I became a proponent of business rules when I saw how unambiguously they express requirements, and how they easily translate into specifications and test cases. However, the most important aspect of business rules is the fact that they are from the business and reflect a genuine view of what the business needs. By expressing requirements as business rules we in IT are forced to examine enterprise policies, processes and procedures, discover the constraints imposed by policy (corporate and external, such as regulatory and legal requirements with which the business must comply), and the other elements that are provided from Ms. von Halle's definition.

    Example. An example of business rules in action is the best way to illustrate their value.

    • Situation: A 1996 Congressional act mandated a statutory obligation be put into effect for the FCC and state telecommunications commissions to provide affordable telephone service to rural areas. The act allowed 15 months to establish a method for providing this service.

      To comply with this act, the FCC has begun assessing Universal Service Fund charges on all telecommunications companies. The companies in turn will pass this charge on to their customer base with two percentage-based taxes, a low income USF tax on usage charges and a school, library and rural health care USF tax on usage charges.

      The federal government will send assessments to the enterprise periodically based on the prior periods' revenue.

      The percentage charges assessed to the customer base will then be determined by taking into account such factors as the size of the customer base, projected growth etc.

    • Rules: The situation obviously imposes mandatory constraints in the form of a law. Since this is an example I am going to bypass the impact analysis and legal research that the situation requires and provide business rules that are based on the findings of those skipped activities:
      1. Incorporate into the system USF percentages for
        • low income
        • school
        • library
        • rural health care
      2. The existing tax calculation routine needs to be modified to use the percentage rates required by USF when applying the USF taxes.
      3. The rates from the previous rule need to override the statutory rates supplied by the existing taxing interface.
      4. USF taxes applied need to be written to the existing Tax Detail table.
      5. USF taxes applied need to be shown on the Tax Summary report.
    To underscore the value of using the business rules approach, consider a typical requirements specification using the same situation:
    The business needs the ability to establish a system parameter to be used for storing the Universal Service Fund (USF) percentage rates and the ability to assess USF taxes based on these percentages.
    Look familiar? This is, unfortunately, typical of requirements that are passed to the specification developers and designers. If you carefully read the requirement you'll notice that it not only is vague, but it breaks a basic rule in expressing requirements by stating a design approach (... establish a system parameter to be used for storing ...).

    Contrasting the business rules approach with the typical example yields the following assessment:

    • Efficiency - the requirements stated in the business rules are from governing source documents and business subject matter experts. The design team will not need to meet with the business subject matter experts separately to clarify details about the USF, percentages or other facts. This information was captured in the business rules.
    • Testability - the requirements specification containing business rules can be used as the basis for a test strategy because there is sufficient information from which to develop test cases (the business rules show where the USF percentages are to be applied, and they point to other subsystems such as the existing tax tables that need to be regression tested).
    • Non-ambiguity - the business logic is captured in the business rules and is expressed in a manner that can be interpreted only one way.
    • Focus - requirements are separated from specifications and design because business rules capture what is important to the business, not how to implement a solution (revisit the statement about establishing a system parameter above to see how easy it is to mix requirements and solutions if requirements are not precisely expressed as business rules).
    Resources. I'll be writing more about business rules over the next few days because this topic has a rich body of knowledge. Until my next entry you may want to explore the basics. The best starting point is the Knowledge Partners, Inc. whitepapers, which contain some of the best business rules material available on the web. One of the principals is Barbara von Halle, who has authored many of the whitepapers on the site, and is the author of Business Rules Applied: Building Better Systems Using the Business Rules Approach.

    Business Rules Community is the website for the business rules community. This site is filled with articles, news, case studies and discussions. If you adopt business rules you'll find yourself visiting this site often. Business Rules Community is sponsored by Business Rules Solutions, LLC. Although this is a commercial site the principals, Ronald G. Ross and Gladys S.W. Lam, are internationally acclaimed as the foremost experts and practitioners of business rule techniques and methodology.

    End Note. In my last entry I stated that I wanted to discuss the knowledge management aspects of the Zachman Framework with Muthukumar U and Kate Hartshorn. The opportunity to engage either of these two experts has eluded me, so I am going to finish the business rules topic before addressing knowledge management. However, I did find an interesting paper titled A Methodology for Knowledge Discovery and Classification. You may also want to visit Technical Communications Resources and Business and Strategic Planning Resources, which are two web pages that Linda and I maintain. Both pages contain material related to business rules, policies and procedures, and knowledge management.



    Wednesday, March 06, 2002

     

    Zachman Framework - Part 2. My last entry introduced the Zachman Framework and background information. This entry is going to be brief because there are two people with whom I want to collaborate before I get too deep into this topic. The first is Muthukumar U, a close friend who works as a risk management specialist at HSBC Bank Middle East in Sharjah, UAE. Muthukumar is much more than a risk management specialist - he's a deep thinker and genuine intellectual who is well versed in a number of subjects. Among his many talents is an abiding passion for knowledge management. Because the Zachman Framework is an ideal structure for developing architectures and solutions that enable knowledge management I want Muthukumar's thoughts before getting too deep into that aspect of the framework.

    I also want the benefit of Kate Hartshorn's knowledge and experience. Kate has a keen understanding of knowledge management, in addition to data mining, information transformation and related topics, all of which are enabled or fostered by the Zachman Framework.

    Knowledge. Although I am waiting to discuss aspects of knowledge management with Muthukumar and Kate, I do have my own ideas about aspects of the subject. Two areas in which I have professional interests are business case development and value analysis. The 20-page whitepaper (in PDF format) titled, Estimating Benefits of Knowledge Management Initiatives is an important discussion of the methods and tools used to prove the business value of knowledge management. This is especially important if you're examining the potential use of portals as a means of disseminating knowledge throughout the enterprise.

    If you need to quickly get up-to-speed in portals as a technology and as a business strategy I recommend Heidi Collins' Corporate Portals: Revolutionizing Information Access to Increase Productivity and Drive the Bottom Line. I reviewed this book on Amazon on 8 April 2001. Linda also wrote an Amazon review on 24 February 2001. Ms. Collins has a new book that will be out in May titled, Enterprise Knowledge Portals: Next Generation Portal Solutions for Dynamic Information Access, Better Decision Making and Maximum Results. Since I was pleased with her first book I pre-ordered a copy of this one.

    As you delve into the Zachman Framework you're going to notice that XML is a recurring topic. Discussing the many reasons for this is well beyond the scope of this entry; however, the short version is XML's ability to facilitate data exchange among disparate systems and data sources makes it an ideal technology to employ in any enterprise architecture. Extracting the data is typically done with SQL queries. XML DTDs are the templates into which the results of the SQL queries are stored, which allows you to aggregate data in ways that were not easy before XML came along. Details and techniques are provided in XML and SQL: Developing Web Applications by Daniel Appelquist.

    XML and portals are also usually associated with each other. How specifically they are associated can be discerned by reading Building Corporate Portals with XML by Clive Finkelstein, Peter G. Aiken and John A. Zachman (the man himself), or my favorite book titled, Metadata Solutions: Using Metamodels, Repositories, XML, and Enterprise Portals to Generate Information on Demand, which I reviewed on 22 September 2001.

    Are you starting to see a pattern? It's all about the data. It always has been.

    Yellow Light. We have the standards, techniques and tools to bring to bear on initiatives and strategies that not so long ago would have required us to do a lot of inventing. Here's an example requirement that can be easily met using some of the standards and techniques I've just discussed:

    • Requirement: Realtime updating of customer account information and transactions to a central server. Customers should have access to Internet banking functions, including fund transfers, payments, status lookups, etc.
    • Situational Analysis: Current account and transaction data resides at the branch level, and is managed by different systems depending on the branch.
    • Constraints:
      1. Cost - an enterprise solution is planned with a two-year planning horizon and business goals dictate that no large investment be made in infrastructure that could be obsoleted by the enterprise solution
      2. Competitive pressures - the bank wants to achieve competitive advantage now using an interim solution that will capture and/or retain customers who want Internet banking
      3. Existing infrastructure - 290 branches are interconnected with varying connectivity options, most of which are relatively low speed (VSAT, ISDN, etc.); the solution cannot require a change to the existing infrastructure.
    How to proceed? A solution that can meet stated requirements within the constraints can be achieved as follows:
    1. Task: Analyze the data structure used in each of the existing systems. Deliverable: E-R diagrams and data dictionary for each system.
    2. Task: Develop a master data dictionary using agreed upon data naming conventions. Deliverable: Master data dictionary.
    3. Task: Develop a master DTD using data naming conventions. Deliverable: Document Type Definition master template
    4. Task: Develop SQL queries for each data source. Deliverable: Tested SQL queries for each data source.
    5. Task: Develop and configure central portal to accept customer sessions, assure identity, issue transaction requests and display results. Deliverable: Design specifications, access controls, secure transmission protocol(s), user interface, application and presentation layer coding.
    Of course, the solution I just presented is something I quickly pulled out of thin air, and many details have been glossed over. The point is that using the alphabet soup of SQL, XML, LDAP and other standards and technologies a solution can be crafted.
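    Tasks 2 through 4 above can be seen working end to end in the following added Python example, which is not part of the original entry. The two branch schemas, the master DTD, the element names and the sample customer are all constructed for illustration; the standard library cannot validate against a DTD, so a structural check derived from the DTD text stands in for validation.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Task 3 (assumed content): master DTD built from the master data dictionary.
MASTER_DTD = """<!ELEMENT accounts (account*)>
<!ELEMENT account (account_id, customer_name, balance_cents)>
<!ATTLIST account branch CDATA #REQUIRED>
<!ELEMENT account_id (#PCDATA)>
<!ELEMENT customer_name (#PCDATA)>
<!ELEMENT balance_cents (#PCDATA)>"""

# Task 4: one fixed, parameterized query per data source. Each query aliases
# the branch's own column names to the master dictionary names, and branch_b
# converts whole currency units to cents so both sources agree on units.
SOURCES = {
    "branch_a": "SELECT acct_no AS account_id, cust_nm AS customer_name, "
                "bal_cents AS balance_cents FROM accts WHERE cust_nm = ?",
    "branch_b": "SELECT id AS account_id, holder AS customer_name, "
                "saldo_units * 100 AS balance_cents FROM konto WHERE holder = ?",
}


def make_branches():
    """Two constructed branch systems with different schemas (task 1 output)."""
    a = sqlite3.connect(":memory:")
    a.execute("CREATE TABLE accts (acct_no INTEGER, cust_nm TEXT, bal_cents INTEGER)")
    a.execute("INSERT INTO accts VALUES (1001, 'R. Okafor & Sons', 250075)")
    b = sqlite3.connect(":memory:")
    b.execute("CREATE TABLE konto (id TEXT, holder TEXT, saldo_units INTEGER)")
    b.execute("INSERT INTO konto VALUES ('B-77', 'R. Okafor & Sons', 1200)")
    return {"branch_a": a, "branch_b": b}


def dtd_children(dtd, element):
    """Return the ordered child element names declared for `element`."""
    m = re.search(r"<!ELEMENT\s+%s\s+\(([^)]*)\)>" % re.escape(element), dtd)
    return [c.strip() for c in m.group(1).split(",")]


def fetch_accounts(branches, customer):
    """Run each source's query and aggregate the rows into one XML tree."""
    fields = dtd_children(MASTER_DTD, "account")
    root = ET.Element("accounts")
    for branch, db in sorted(branches.items()):
        # The customer name is bound as a parameter, never spliced into SQL.
        cur = db.execute(SOURCES[branch], (customer,))
        cols = [d[0] for d in cur.description]
        for row in cur:
            rec = dict(zip(cols, row))
            acct = ET.SubElement(root, "account", branch=branch)
            for name in fields:
                # A KeyError here means a source query is missing a master field.
                ET.SubElement(acct, name).text = str(rec[name])
    return root


def conforms(root):
    """Structural stand-in for DTD validation: tags, order, required attribute."""
    fields = dtd_children(MASTER_DTD, "account")
    return root.tag == "accounts" and all(
        a.tag == "account" and "branch" in a.attrib
        and [c.tag for c in a] == fields
        for a in root
    )


def to_xml(root):
    """Serialize; ElementTree escapes markup characters in the data."""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    tree = fetch_accounts(make_branches(), "R. Okafor & Sons")
    print(conforms(tree))
    print(to_xml(tree))
```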

      The Rub. Therein lies the rub - the solution shortly becomes an impediment to the planned system, which is two years out. It (or a more fleshed-out version) may address the immediate requirements and stay within the constraints, but it is short-sighted. The missing ingredient is a larger view of the problem, and that view should be based on a framework that serves as a blueprint for the evolving architecture. This is where the Zachman Framework's value becomes apparent. The viewpoints and focus that I discussed in my last entry not only add structure to the solution, but place it in context of the much larger domains of business strategy and enterprise architecture.

      Wrap-up. I am out of time on this entry. The foregoing will [I hope] spark ideas, and the following will provide more details about the Zachman Framework and related topics:

      End Note. I hope to introduce business rules in my next entry, and if I have an opportunity to discuss knowledge management with either Kate Hartshorn or Muthukumar U I'll summarize key findings from the discussions.



    Tuesday, March 05, 2002

     

    Target of Opportunity. Mike's new theme of enterprise architectures gives me an opportunity to keep the spotlight on security while complementing his entries. I've compiled resources that pertain to data and information security, which is a nice intersection of the two topic areas. The tie-in is data itself, and it's a target of opportunity. An awareness of database security techniques is the first step towards changing an opportunity to a barrier to those whom you want to keep out of your data and information. I also chose this topic because it showcases Kate Hartshorn's specialty, business and competitive intelligence (a.k.a. legal corporate espionage).

    Fortress Database. A surprising number of databases are insecure. Many DBAs take painstaking care to develop views and access controls, yet overlook exposures to statistical attacks. The collection of PowerPoint presentations on data security issues contains four presentations that address many facets of data and database security, and also address security vulnerabilities inherent in SQL even when access controls and views are carefully implemented.
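    As an added illustration (not taken from the presentations or the original entry), the Python example below reproduces this exposure on a constructed table. An interface that returns only SUM totals still reveals one person's value when two permitted totals are subtracted, and a minimum query-set size on its own does not stop it; auditing the overlap with earlier answers does. The table, the names, `AggregateGate` and the threshold k are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: (name, dept, salary).
ROWS = [
    ("ana", "eng", 120), ("bo", "eng", 95), ("cy", "eng", 101),
    ("di", "eng", 88), ("ed", "ops", 70), ("flo", "ops", 72),
    ("gus", "ops", 64), ("hal", "ops", 81),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (name TEXT PRIMARY KEY, dept TEXT, salary INTEGER)")
    db.executemany("INSERT INTO staff VALUES (?, ?, ?)", ROWS)
    return db


class Refused(Exception):
    """Raised when the gate declines to answer an aggregate query."""


class AggregateGate:
    """Hypothetical aggregate-only interface: totals go out, rows never do.

    k=0 disables size control. audit_overlap=True additionally refuses a
    query whose row set differs from an already answered one by fewer than
    k rows, because the two answers together isolate those rows.
    """

    def __init__(self, db, k=0, audit_overlap=False):
        self.db = db
        self.k = k
        self.audit_overlap = audit_overlap
        self.total = db.execute("SELECT COUNT(*) FROM staff").fetchone()[0]
        self.history = []  # row sets of every query answered so far

    def sum_salary(self, dept, exclude=()):
        sql = "SELECT name, salary FROM staff WHERE dept = ?"
        if exclude:
            marks = ",".join("?" * len(exclude))
            sql += f" AND name NOT IN ({marks})"
        rows = self.db.execute(sql, (dept, *exclude)).fetchall()
        qset = frozenset(name for name, _ in rows)

        # Query-set-size control: the set and its complement must hold >= k rows.
        if self.k and not (self.k <= len(qset) <= self.total - self.k):
            raise Refused("query set size outside [k, N-k]")

        # Overlap audit: compare against every set already answered.
        if self.audit_overlap:
            for prior in self.history:
                if 0 < len(qset ^ prior) < self.k:
                    raise Refused("differs from an answered query by fewer than k rows")

        self.history.append(qset)
        return sum(salary for _, salary in rows)


def audit_differencing(gate, dept, target):
    """Self-test a DBA can run: does the gate leak `target`'s salary?

    Returns the value recovered by subtracting two totals, or None when
    the gate refused one of the two queries.
    """
    try:
        whole = gate.sum_salary(dept)
        rest = gate.sum_salary(dept, exclude=(target,))
    except Refused:
        return None
    return whole - rest


if __name__ == "__main__":
    print(audit_differencing(AggregateGate(make_db()), "eng", "ana"))
    print(audit_differencing(AggregateGate(make_db(), k=3), "eng", "ana"))
    print(audit_differencing(
        AggregateGate(make_db(), k=3, audit_overlap=True), "eng", "ana"))
```

    Overlap auditing closes this one pattern; it is not by itself a complete inference control.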

    The presentations only provide a ten-thousand foot view. The following documents, most in PDF format, drill down into the problem and solution sets:

    At the more theoretical level the following documents cover advanced challenges and issues in database security:

    Related. Well defined roles and responsibilities are imperative for any well managed assurance and/or security initiative. Effective Data Warehouse Organizational Roles and Responsibilities provides excellent guidance for data warehouse managers and stakeholders in both IT and business domains.

     

    New Topic. I've been focusing on project management, security and some aspects of service delivery in recent entries here, with some cross-over in Notes from the Field. It's time to introduce a fresh topic, and the catalyst for doing so is a brief conversation between me and Thinking Minds, Inc. CEO, Unmesh Laddha.

    Unmesh's company develops portal, knowledge management, and groupware solutions, among other products and services, and he has become intensely interested in the Zachman Framework. He's on the right track because Thinking Minds, Inc. solutions are a close, natural fit to the Zachman Framework.

    What is the Zachman Framework? In a nutshell it's a multidimensional model that displays information systems in accordance with:

    • stakeholder viewpoints and perspectives
    • focus - What, How, When, Where, Why (the Who is captured in the stakeholder viewpoints)
    A picture is worth a thousand words, and a PowerPoint presentation is worth many more, so I'm going to refer you to Overview of the Zachman Enterprise Architecture for a quick introduction (or refresher if you're already familiar with the Zachman Framework). Another document worth reading is the original 1987 article in which Mr. Zachman introduced the framework. More information can be obtained from Zachman Institute for Framework Advancement.

    Anytime you research the Zachman Framework you're going to also see the term Enterprise Architecture Planning. The connection is shown in the PowerPoint presentation titled, Zachman Framework for Enterprise Architecture. The best book on the subject, in my opinion, is Enterprise Architecture Planning: Developing a Blueprint for Data, Applications and Technology by Steven H. Spewak and Steven C. Hill. My personal copy of this book dates back to 1993, and I've referred to it many times over the years. My first exposure to the Zachman Framework as a foundation for enterprise architecture planning came from this book. Linda also read the book and came away with a completely different perspective, which she documented in her 21 January 2001 review on Amazon. Where I saw a coherent approach to planning and implementing enterprise architectures, Linda saw a direct connection to service delivery. Her perspective is validated in a PowerPoint presentation that I discovered on the web titled, Service Delivery for Virtual Communities. This document ties together Linda's perspective, how one of Thinking Minds, Inc. products called ThinkingWare aligns to the Zachman Framework, and how the Zachman Framework defines an enterprise-wide architecture.

    Examples. I made an earlier statement about how the Zachman Framework was a natural fit for portal, knowledge management, and groupware solutions. The following examples, most of which are PowerPoint presentations, support my statement:

    Note: the last presentation is a Department of Defense initiative. C4ISR stands for Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance. The reason I chose this example is that aligning to the complex C4ISR architecture is a much more difficult undertaking than merely applying the Zachman Framework to a commercial enterprise.

    End Note. I am by no means finished with this topic. Tomorrow I'll share more presentations and documents, as well as introduce business rules. While business rules are not a part of the Zachman Framework, they do align very closely with the framework.



    Monday, March 04, 2002

     

    Mike has managed to spread security and risk topics and items across both weblogs, with a good deal of security information here, and addressing risks in his latest entries in Notes from the Field. I'm going to lump my additions to both topics here.

    Mitre has a research page on infrastructure risk that applies to both security and risk management.

    David Dittrich's personal page contains a wealth of security links and documents, as does Bennet Yee's home page. Mr. Yee's page includes an extensive list of security references.

     

    Late Note. In my haste to get the last entry published I overlooked PIKT, which is an embedded scripting language and accompanying script interpreter.

    What does a scripting language have to do with security? It was designed to be an embedded tool for developing monitoring and problem resolution solutions. The Introduction to PIKT fully describes the design philosophy and how to use PIKT to achieve these goals.

    Other resources for PIKT include:

    You can download PIKT if you feel that it may be useful to your purposes. It is compatible with AIX, Digital UNIX, FreeBSD, GNU/Linux, HP-UX, IRIX, OpenBSD, SCO OpenServer, Solaris and SunOS.

    Also see related applications that work with or like PIKT.



    Sunday, March 03, 2002

     

    Security Tools. As promised in my last entry I am sharing sources of free security tools that will aid in security assurance initiatives:
    • Egressor, which is designed to let companies check the configuration of their Internet point-of-presence router. The tool will help companies determine whether their routers are configured to the Help Defeat Denial of Service Attacks guidelines. This configuration of egress filtering reduces the chance that their computers can unwittingly contribute to a distributed denial of service attack.
    • Spitfire, developed as a prototype operator workstation for Network Intrusion Detection System Operators.
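    The egress-filtering check described in the Egressor item can also be reasoned about offline. This added Python example (not Egressor's code, and not taken from the guidelines) models an outbound ACL as an ordered first-match list with an implicit deny, which is an assumption about the router, and audits a weak, a corrected and a mis-ordered rule set against constructed documentation-range addresses.

```python
import ipaddress

# Constructed site address space (documentation range, RFC 5737).
SITE_PREFIXES = ["198.51.100.0/24"]

# Constructed source addresses to evaluate: one of the site's own,
# one private, and two that belong to other networks.
PROBES = ["198.51.100.10", "10.1.2.3", "203.0.113.77", "192.0.2.5"]

# Weak setting: everything is allowed out, whatever its source address.
WEAK_ACL = [("permit", "0.0.0.0/0")]

# Corrected setting: only the site's own prefixes may appear as a source.
FIXED_ACL = [("permit", "198.51.100.0/24"), ("deny", "0.0.0.0/0")]

# Same rules in the wrong order: the deny shadows the permit.
MISORDERED_ACL = [("deny", "0.0.0.0/0"), ("permit", "198.51.100.0/24")]


def first_match(acl, src):
    """Return the action of the first rule whose network contains src."""
    addr = ipaddress.ip_address(src)
    for action, network in acl:
        if addr in ipaddress.ip_network(network):
            return action
    return "deny"  # assumption: implicit deny when no rule matches


def audit_egress(acl, site_prefixes, probes):
    """List (source, finding) pairs where the ACL disagrees with egress filtering.

    A foreign source that is permitted means spoofed traffic can leave the
    site. A site source that is denied means legitimate traffic is dropped.
    """
    site = [ipaddress.ip_network(p) for p in site_prefixes]
    findings = []
    for src in probes:
        addr = ipaddress.ip_address(src)
        own = any(addr in net for net in site)
        action = first_match(acl, src)
        if action == "permit" and not own:
            findings.append((src, "foreign source permitted outbound"))
        elif action == "deny" and own:
            findings.append((src, "site source denied outbound"))
    return findings


if __name__ == "__main__":
    for label, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL),
                       ("misordered", MISORDERED_ACL)):
        print(label, audit_egress(acl, SITE_PREFIXES, PROBES))
```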
    A complete list of UNIX host and network security tools is provided by NIST. Another list, with overlap, is published by Mitre. This list covers the wider scope of Security Information Resources, which includes tools and documents.

    NIST also provides free Common Criteria tools that include the Common Criteria Toolbox and Common Criteria Profiling Knowledge Base.

    End Note. Realtime Forensics and Tracking is a PowerPoint presentation on forensics that covers this aspect of security in detail. The more generic PowerPoint presentation titled Security Management Practices is useful as a memory jogger and as a training resource.



    Saturday, March 02, 2002

     

    Security, Standards and Choices. If you don't care where you are you're not lost. However, when it comes to security you will be lost without a map, and being lost is a bad thing.

    Finding the Right Map. If you've been following security standards you know that it's a mess. A good starting point on your journey to sorting out the standards is Uncovering security standards, which is a single page that gives a brief summary of the standards you're likely to encounter and links to primary sources of information.

    Choices. In the US you're probably examining the two major standards: Common Criteria and ISO 17799. We've written about Common Criteria in previous entries. What makes the choice confusing is that the Common Criteria is an international standard, International Standard (IS) 15408, sponsored by ISO, and 17799 is also an ISO-sponsored standard. The crux of the matter is twofold:

    1. Common Criteria and ISO 17799 are apples and oranges. In other words, there is no connection between the two. Common Criteria is designed to guide in the technical specification and evaluation of systems, while ISO 17799 is a management standard that deals with non-technical issues related to security (personnel, procedural, and physical security issues).
    2. Where Common Criteria is used as an assurance measure, and as such, as a certification of sorts, ISO 17799 is not a certification program. There will be no ISO 17799 certification in the same manner that ISO certifies for ISO 9000.
    At first glance it would seem logical to use both standards, and this approach has some merit. However, not all national bodies in the ISO 17799 standards making process are in agreement. Indeed, the US is among the group of national bodies that is in disagreement with the way ISO 17799 is written. This issue, among others, is addressed in the National Institute of Standards and Technology (NIST) ISO/IEC 17799:2000 FAQ. This document is clear about the US view of the standard; however, a more complete picture can be found by examining the following documents:

    Outside the US. A Zip archive with two PowerPoint presentations describes how one country, Malaysia, is standardizing on security. This is illustrative because it shows that the world is not centered on the US and Europe.

    Other Considerations. For those who are in healthcare, the PowerPoint presentation titled, HIPAA by the Numbers shows the standards and issues that surround security in connection with the Health Insurance Portability and Accountability Act. Also worthwhile are: Enabling Confident E-Commerce, Mobile Security, and Security Engineering Best Practices, all of which are in PowerPoint format.

    End Note. I will follow up this entry with a later one that discusses tools and techniques that can be used with any of the security standards.



    Friday, March 01, 2002

     

    Catching Up. I haven't posted in weeks. My vacation set me back, and my birthday made me realize that there is life outside of work, which included skydiving, reconnecting with non-technical pursuits that I love and just enjoying life. Not that work went completely by the wayside, which is why I am still so far behind.

    I first want to welcome Kate Hartshorn, who plays a key behind the scenes role with our weblogs. Kate is more than a wordsmith. She is a strategist, expert in business intelligence, and a researcher who can find out anything about anything.

    Strategy & Intelligence. A document that nicely augments what Mike wrote here yesterday is Strategy and Tactics Primer. This guide blends business strategy with competitive intelligence, and at 20 pages is an easy read.

    One book that I think connects IT to business strategy is Competing with Information: A Manager's Guide to Creating Business Value with Information Content.

    I reviewed this book on Amazon on 22 September 2001 and gave it high marks for both writing and content. The book was edited by Donald A. Marchand who coauthored another book I also reviewed on 22 September titled, Information Orientation: The Link to Business Performance. This book is a classic IT/business alignment book that focuses on information. However, you can extrapolate how to use the techniques and information for business and competitive intelligence.

    Examples of extrapolation are shown in two of Kate's book reviews, neither of which was about competitive intelligence. However, if you read Kate's 8 November 2001 review of Secrets and Lies: Digital Security in a Networked World you see how she gleans data and raw intelligence from a book about security and turns it into findings that support competitive intelligence. She does the same thing in her 8 November 2001 review of CyberRegs: A Business Guide to Web Property, Privacy, and Patents. The point is that sources of intelligence aren't always from books on the subject. It takes a skilled researcher to find the data or raw intelligence, and to perform the sequence of steps that Mike mentioned yesterday: compare, examine consequences, find connections and engage in conversation. The findings that Kate reported in her review of CyberRegs: A Business Guide to Web Property, Privacy, and Patents are a prime example of taking raw intelligence (data collected about intellectual property) and transforming it into processed intelligence with which you can make decisions and initiate actions.

    Loose Ends. Mike only touched upon implementation and adoption issues yesterday. I want to provide a random sampling of information that either directly or indirectly supports these.

    In strategic planning you typically define goals or objectives, determine the critical success factors that support meeting those goals or objectives, and measure how well those critical success factors are met using key performance indicators. In IT, and especially in software engineering, the Goal/Question/Metric (GQM) method is used. Actually it's the same as the Goal->critical success factor->key performance indicator approach. Technology Package for the Goal-Question-Metric Paradigm is a solid introduction to GQM, as well as a set of recommended refinements to the method. This document has value regardless of where you work in IT or your particular discipline. Think of it as a core tool.

    Another technique that we're called upon to employ, regardless of our speciality, is cycle time reduction. Whether the objective is to shorten problem resolution times, streamline a development process or analyze a business requirement, cycle time reduction is a technique that should be in our bag of IT tricks. The Cycle Time Improvement Guidebook is a 134-page PDF document that covers all facets of cycle time management.

    Implementation issues for any initiative, strategic or tactical, are a barrier. So is technology adoption. An insightful article that addresses the basic issues is Suzanne Garcia's Are you Prepared for CMMI?, which was published in the March 2002 issue of CrossTalk Magazine. Although the article is about determining whether you're ready for CMMI, the information in this well-written article can be adapted to any type of initiative. Two key points in the article are the discussion of adopter types, and the Patterson-Connor Change Adoption Model.

    Enjoy your weekend - I have a plane to jump out of.



    Thursday, February 28, 2002

     

    Connecting the Dots. Kate Hartshorn is playing a larger role in this weblog, and its sister, Notes from the Field. Kate will be posting here in the near future, but until then her ideas and expertise in business and competitive intelligence, and business strategy will be embodied in my entries.

    Today's theme is business and competitive intelligence. I'm going to provide raw intelligence and techniques, but it will be up to you to connect the dots and arrive at your own conclusions.

    Definitions. There is a distinction between data, raw intelligence and processed intelligence. Here are my definitions:

    • Data - a fact, observation or symptom.
    • Raw intelligence - collection of data that have been put into context, categorized or classified, calculated or summarized.
    • Processed intelligence - information that can be used to make decisions or take actions. The state of information that is considered to be processed intelligence meets four criteria:
      1. Compared: how does this information in this situation compare to information in similar situations?
      2. Consequences: what are the implications of this information for decisions and actions?
      3. Connections: how is this information related to other information that is known?
      4. Conversation: what do people who are knowledgeable about this information think?
    One view of the transformation process wherein data becomes information is a management information value chain. Linda and I developed a quick reference card of Things to Consider in Technical Communications that depicts this value chain, as well as other information qualities.

    As a side note, you may want to visit our Technical Communications Resources and Business and Strategic Planning Resources pages, both of which contain related information.

    Sources. The following are sources of processed intelligence that you may find helpful in strategic planning, competitive intelligence or market analysis:

    • Three sets of results from surveys conducted by The Intellor Group, Inc. The surveys provide raw intelligence about industry business intelligence initiatives, XML database trends and XML adoption.
    • A paper on Recalibrating Demand-Supply Chains for the Digital Economy, which is classified as raw intelligence because there is insufficient information upon which to base a strategy or action. It does, however, provide a starting point from which a strategy or an initiative can be launched after the intelligence has been processed.
    • An excellent example of raw intelligence is a paper titled Dynamic Content Software Services, which makes a case for basing the component architecture for Internet Distributed Computing around SOAP (Simple Object Access Protocol). This paper is rich with raw intelligence, but does not pass the tests for processed intelligence.
    • Choosing an Architecture for Wireless Content Delivery is a report that is filled with raw intelligence about the topic, plus news that falls into both data and raw intelligence in the last half of the report.
    The above files are provided as examples of raw intelligence, and I have attempted to find examples that reflect contemporary issues in IT strategic planning and business/competitive intelligence.

    Using Information. Two papers that show how to transform raw intelligence into processed intelligence, then use that to support decision making are:

    1. A Learning Model for Forecasting the Future of Information Technology
    2. Modeling and Forecasting the Information Sciences
    I've also included a Zip archive with two PowerPoint presentations that will give ideas about how to think about and use data.

    End Notes. An article from Government Executive titled White House official outlines cybersecurity initiatives contained an interesting comment about encouraging information sharing among companies to avoid cyber attacks. The proposed initiative reported in the article is a partnership between government and business for information sharing. Why is this important? Here are a few news articles that I read only today that show why this is needed:

    One final highlight: It looks like corporate America is shedding its wool this time around. Microsoft is rolling out a $200M ad campaign to "sell" .NET, and according to ZDNet's 25 February article titled, The world of Web services (according to Microsoft) there is a healthy amount of skepticism. Maybe--just maybe--the wolf won't be eating mutton; have the sheep wised up? I think that the growing awareness of product flaws coming out of Redmond may have something to do with it. The following direct quotes from the article mentioned previously, Critics squash bug-reporting plan, underscore this:
    [A]s an example, Guninski draws on the recent disclosure of a bug in Microsoft's .Net framework and the Windows operating system by software risk management firm Cigital. Although Cigital said it followed the unwritten rules of responsible disclosure in the company's announcement, some security experts--including Microsoft--criticized it as being irresponsible.

    He goes on to say, "I don't find it logical for it to be responsible to sell under-tested and under-quality software, and for it to be irresponsible to disclose a bug," he said. Furthermore, any vendor who sells software with disclaimers that disclaim any liability should not use the word "responsible", according to Guninski.

    My take? With the focus on security, especially post 9/11 awareness, it may take more than a $200M ad campaign to convince corporate America that .NET is in their best interests. Let's hope so.



    Wednesday, February 27, 2002

     

    Sense & Sensibility. I recently discovered Jack Harich's home page, and was struck by two things: (1) the sensible approach Mr. Harich takes in a number of disciplines, including software reuse, processes, learning and knowledge management and best practices; and (2) an admiration for Mr. Harich's values.

    I'm going to give a brief tour of the content that I especially liked, which is by no means everything on the site:

    I could go on and on, but you'll have to check out this site for yourself. As an ending note, though, I do want to highlight one innovative tool that Mr. Harich has freely made available: Visual Circuit Board (VCB). VCB is a part oriented, scalable, visual tool assisted approach to software development consisting of reusable parts communicating through links with datatrons, like an electronic circuit board. VCB has a certain elegant simplicity that makes it highly intuitive, fast and fun. You can download VCB directly from his site.

    The content on the web page is extraordinary, but not as extraordinary as its creator.



    Tuesday, February 26, 2002

     

    Practices and Processes. Today's theme spotlights best practices, processes and process improvement. These will add more depth to the security and project management topics that Linda and I have recently been discussing.

    Best Practices. One amazing source of best practices is the California Health and Human Services Data Center (HHSDC). This page provides their Systems Integration Divisions (SIDs) Best Practices Website for Systems Acquisition. An example that shows why I'm so excited about this resource is the Project Office Support Tool (POST) Enterprise page. The site has a wealth of information and assets, such as project templates, a Software Acquisition CMM page and a complete set of life cycle processes.

    Processes. The Process Group has a content-rich site that is focused on processes, with an emphasis on software development processes. Despite the emphasis, much of the material also applies to service delivery and IT operations. Their newsletter is excellent and available as a free e-mail subscription.

    The co-founders of The Process Group have also published a book titled Making Process Improvement Work: A Concise Action Guide for Software Managers and Practitioners that will be available on 29 March 2002. For a look at the approach that the authors take, read their article titled Goal-Problem Approach for Scoping an Improvement Program that was published in the May 2000 issue of CrossTalk Magazine.

    Process Improvement. The authors of Goal-Problem Approach for Scoping an Improvement Program, Neil Potter and Mary Sakry, wrote an article for the May 2000 issue of STQE titled Measuring Process Improvement: Tracking your project goals that addresses project issues in software development and quality management. I've added a PowerPoint presentation on models for software process improvement to my site to augment the article. Enjoy.

    End Notes: I'm going to wrap this up with some papers that will be of interest to anyone who is interested in IT process improvement, operations management or service level management:

    One final paper that may be of interest is a dissertation titled Information Technology Implementation Issues: An Analysis. This research project addresses the issues affecting information technology development and deployment. The issues represented in this study are addressed in the context of IT implementation processes, especially with regard to the question of the needs and perceptions of administrators from the local government arena. You can download the thesis in PDF format.

     

    Security. Tonight's entry is a list of security resources that I just received in a Gartner G2 Newsletter. Each article is short and packed with relevant information:

    Since we have a number of regular readers who are in India, Malaysia and other Asian countries, I want to call attention to a free Gartner newsletter called GartnerVoice that provides monthly news items for the Asia and India IT industries.



    Monday, February 25, 2002

     

    Don't Try This at Home. On Sunday, 24 February Linda realized a life-long dream by strapping on a parachute and jumping out of an airplane. That act embodies Linda's essence: she lives her life to the fullest, and endeavors to experience everything worth experiencing. I greatly admire her and strive to follow her example.

    Unseen (and greatly appreciated) Forces. I write an entry here each day, and when she has time Linda also contributes. You see our names attached to the entries, but what you don't see is Kate Hartshorn's behind-the-scenes editorial magic. Linda and I will take responsibility for any errors, but I assure you that there would be many more if we didn't have Kate's editorial touch.

    Linda and Kate epitomize the concept of teamwork, and I am indeed fortunate to work with both of these wonderful professionals. I can assure you that I consider it a privilege to be able to have them as friends as well as colleagues.

     

    Advanced Project Management. In the past two entries I've focused on project management, and have provided what I consider to be critical success factors necessary for effective project management.

    Advanced Techniques. Although you can effectively manage most projects by using a few simple techniques, as the complexity and scope of the projects you're tasked with managing grow, you'll find that more advanced techniques are appropriate.

    Keep It Simple. I am an advocate of keeping things as simple as possible. While I firmly believe that earned value project management, for example, is essential for project control, it's overkill for small, short-duration projects. I mention this because the advanced techniques are for high-end projects. They are not appropriate for, or applicable to, every project. Use the same judgement when selecting and applying these techniques as you would for handtools. You wouldn't select a sledgehammer to drive a thumbtack, right?

    Cost and Schedule. Earned value integrates and correlates cost and schedule management. Two MS Word papers that deal with finer details are Management Impact On Software Cost and Schedule and A New Perspective in Software Schedule and Cost Estimation. What I like about these papers is the fact that the author of both (Randall W. Jensen) looks at people issues as well as quantitative methods.

    Software Project Planning, Statistics, and Earned Value shows how EVPM starts with the planning and estimation phases of a project to develop the baseline to which you'll be managing, and how to use advanced techniques to develop and manage to that baseline.

    Metrics Integration. A paper titled Practical Software Measurement, Performance-Based Earned Value ties together project control (EVPM) and estimating and measurement based on the Practical Software Measurement approach (PSM). This holistic approach is effective, but is only appropriate for highly mature organizations. Most US software companies, as well as large corporations with sophisticated in-house development, have a long way to go before the approach in this paper is achievable. Many offshore and selected US companies, especially those that have attained CMM level 3 or above, will find this paper useful. Another, more general, paper that will be useful to all project managers regardless of organizational maturity is A Framework for Software Project Metrics.

    Project Success Factors. The following two papers cover each end of the project spectrum: Project Clarity Through Stakeholder Analysis provides techniques and advice for determining and setting stakeholder expectations. The importance of this critical success factor cannot be overestimated. At the other end is an article titled Project Recovery… It Can be Done. Needless to say, this paper is essential reading because the advice and techniques the author provides are worth their weight in gold - especially if you're struggling with an out-of-control project.

    End Note. If you're working in an organization that has adopted the Rational Unified Process, or are seeking a coherent, off-the-shelf software project management process that will work with any development organization, I recommend Walker Royce's excellent book, Software Project Management: Unified Framework. Although this book is slanted towards the Rational Unified Process, the approach is flexible enough for any methodology. It covers earned value in detail, as well as estimating and planning. Although I have not written a review of this book I have read it and refer to it often.



    Sunday, February 24, 2002

     

    In my last entry I discussed a number of critical success factors, and also introduced earned value project management (EVPM). Earned value is typically thought of as an element of project control, and to a large extent it is. However, it is also an integral part of the planning and estimating process because it's used to develop cost and schedule baselines.

    In my opinion it's impossible to effectively manage a project without EVPM. The best book on the topic is Earned Value Project Management by Quentin W. Fleming and Joel M. Koppelman. See my 18 March 2001 Amazon review for why I think this book is the best.

    There are also five articles that every project manager should read:

    1. Earned Value Project Management: An Introduction
    2. Earned Value Project Management: A Powerful Tool for Software Projects
    3. Gaining Confidence in Using Return On Investment and Earned Value
    4. Applying Management Reserve to Projects
    5. Impact Estimation Tables: Understanding Complex Technology Quantitatively
    If you start with the first article and work your way through the list you'll go from an introduction to advanced techniques.

    If you are at an advanced level in project management, I recommend that you read an article by Dr. Barry Boehm et al. on schedule as an independent variable (SAIV), cost as an independent variable (CAIV), and schedule-cost-quality as independent variables (SCQAIV).



    Friday, February 22, 2002

     

    Crossover. In my 20 February entry in Notes from the Field I briefly touched upon some of the success factors that need to be satisfied in any project. Because the topic is more applicable to this weblog (Notes from the Field is where we address software and systems engineering topics; this weblog is for IT professional improvement), I am going to continue the topic here.

    Project Management - the short version. I've been managing projects for nearly 25 years. Not just IT projects either. I've managed ship repair projects, where a cost overrun or two among friends is not nearly as career-killing as missing a schedule milestone. When a ship is scheduled to get underway it better do just that.

    Setting the Stage. There are three stages in a project manager's career:

    1. Mastery of techniques. These include the basics: work breakdown structure (WBS) development, estimating techniques, critical path method (CPM), program review and evaluation technique (PERT), precedent and activity diagramming, scheduling algorithms, compression techniques, earned value, and a plethora of other tools of the trade.
    2. Recognition that it's all about people. The techniques that need to be mastered will get you only so far, as you quickly discover after you've mastered them. You begin to understand that it's all about managing people, and your leadership skills begin to emerge. You also discover that you need to be able to communicate, delegate responsibilities and authority, and to hold people accountable. You also develop polished political skills and become adroit in manipulation and coordination.
    3. Enlightenment. After you've managed successful projects and a few disasters you will eventually reach a state of enlightenment where you clearly see that project management is about making sure that your backside is covered. This is done with the techniques you've mastered, and the people and political skills you've developed and honed.
    The problem with IT project management in most cases is that [so-called] PMs skip step 1, gloss over step 2 and focus on step 3. There are no shortcuts to Nirvana. You need to get there in stages.

    Four Noble Truths. Projects are initiated, performed and closed out. It's the perform part that can be distilled into four basic elements:

    1. Plan
    2. Estimate
    3. Schedule
    4. Control
    This does not diminish the importance of project initiation and close-out procedures, nor does it conflict with the key processes set forth in the Project Management Body of Knowledge or PRINCE2 (both of which have been discussed in previous entries).

    The Eightfold Path. There are eight tools that I've found to be essential to successful project management:

    1. Start with a WBS. (I've included a sanitized WBS from a service level management project to show how it's done.)
    2. Have the people who are going to do the work estimate the time it will take. Resist the temptation to pull numbers out of thin air - it's the surest way to cost and schedule overruns. An example estimating worksheet is included in a ZIP archive of project management tools that also includes deliverables management and fixed-price contracting presentations that you may find useful.
    3. Clearly define what is in and out of project scope.
    4. Clearly define each project deliverable in sufficient detail so that there will be no question that what you deliver is what you promised.
    5. Define client acceptance criteria to which the client or project sponsor agrees.
    6. Do not deviate from the scope or defined deliverables without an approved change order. Never! See the example change request for what one should contain.
    7. Ensure that each deliverable is signed for by the client or project sponsor (or designated representative). See example deliverable receipt for a sanitized copy of one that was used on a real project.
    8. Keep all stakeholders informed. This includes the client/project sponsor and team members. All stakeholders should have a statement of work! Especially the rank and file workers who are performing the actual work. All stakeholders should also receive a copy of status reports, which need to be published at least every two weeks, and in many cases on a weekly basis.
    There it is in a nutshell - eight keys to project success. For specific techniques see my special project management page.

    Under the Bodhi Tree. The Bodhi Tree is known as the tree of wisdom, and is located in Bodh Gaya, India. There's an easier way to get project management wisdom, and that's by reading a few selected books. So, instead, travel to Amazon and get one (or both) of these two highly recommended books:

    1. Getting Started in Project Management by Paula K. Martin and Karen Tate. See Linda's 15 December 2001 or my 17 December 2001 review to see why we so highly recommend this book, especially to occasional project managers. It does not bog you down in unnecessary details or overly complicate project management.
    2. Visualizing Project Management by Kevin Forsberg, Howard Cotterman and Hal Mooz. This is the book that I recommend to beginners and experienced project managers and is, in my opinion, the best book ever written on the subject. See Linda's 16 March 2001 review (well worth reading) and my 7 December 2000 review for details.

    If you have questions about project management, want to share your experiences, techniques and thoughts, or want to discuss PM in general please join our Project Management Forum. Free registration is required to post.



    Thursday, February 21, 2002

     

    Goals. One of the basic tasks in which we all engage is goal setting. This is a fundamental part of project management, strategic planning, and even personal career management. One excellent resource that I recently discovered is Peter de Jager's newsletter (he also has a page of miscellaneous articles on goal setting).

    Service Level Management. NextSLM.org has new articles on service level management that are clearly articulated and are on the mark with respect to excellence in service delivery. The two newest articles are:

    1. Speeding up Service Level Agreement Negotiations
    2. Reporting for SLM
    NextSLM.org is the web site that supports Foundations of Service Level Management by Rick Sturm, Wayne Morris and Mary Jander. The site keeps the book up-to-date, and is one of the places I look for SLM and SLA reference material. Linda reviewed the book on Amazon on 27 December 2000 (it was her first Amazon review) and I reviewed it on 19 June 2001.

    Security. One of the recurring topics is security, and if you've read any of my entries you'll frequently come across the term Common Criteria, which is shorthand for Common Criteria for Information Technology Security Evaluation ISO/IEC 15408. You can visit the official Common Criteria site, but if you're new to the Common Criteria, I recommend that you first visit the tutorial track page from the First International Common Criteria Conference. You can download all of the tutorials in a single ZIP archive. Each tutorial is in PowerPoint format.

    End Note. Kate Hartshorn and I will be collaborating on a business intelligence web site in the near future. Stay tuned.



    Wednesday, February 20, 2002

     

    Agree With One, Disagree With the Other. I just finished two Sticky Minds articles that got my attention.

    I Agree. The first article, by Johanna Rothman, is one that every software quality team member and manager, as well as business process owner and governance member, should read: What Does It Cost to Fix a Defect? Ms. Rothman steps you through the cost analysis and decision points for determining if a defect should be fixed or lived with. It is, after all, a business decision, and her approach will help to determine if it makes sense to fix a problem or not.

    I Disagree. The second article, by Brian Beaver, is titled Categorizing Defects by Eliminating 'Severity' and 'Priority'. In essence Mr. Beaver proposes that severity and priority be replaced with a single category: business impact.

    Severity is too fine-grained an attribute to be cast aside. In fact, a definition of severity is the degree of impact a problem has on business operations.

    For example, the following are severity levels that are defined in a typical problem management process:

    • Severity One - Loss of application, or critical performance degradation, with no workaround. Incident affects an entire workgroup.
    • Severity Two - Moderate application degradation incidents. Severity One incident with a workaround. Incident affects several customers.
    • Severity Three - Minor application degradation incidents. Incident or request has medium to high impact on single customer's ability to work.
    • Severity Four - Incident or request has a low impact on single customer's ability to work.

    Severity without priority would mean that a mission-critical application falling into the Severity Two classification would be given the same business impact rating as one that is less critical. How does one prioritize in that case? See the gap?


    The gap can be closed by assigning a criticality rating to each system, application and service in an enterprise's portfolio. Linda and I developed a spreadsheet for determining criticality. Criticality does not replace severity definitions, but is useful for arriving at a system of priorities that is based on how important an application is to an enterprise.


    Where Mr. Beaver's premise and mine differ is in our viewpoints. He is on the technical side, concerned with fixing defects, and I am on the service level management side ensuring that tools and services are there when users need them to meet business objectives. We're both right.

    In an issue management scenario that requires coordination between applications and service delivery, life would be simple if we could assign a single rating. However, IT should not be the group that determines what gets fixed and when it gets fixed - that's up to the business. It's their systems and applications. We're the custodians. Without a priority rating, which is determined by the business (ideally under the cognizance of governance), the judgement would be [wrongfully] left to IT.

    Assuming all else equal, there is no way to assign a business impact without severity plus criticality. Even then there needs to be arbitration for competing requirements sharing the same business impact, and priority is the way to fairly arbitrate.

    That said, I do admire the fact that Mr. Beaver is thinking in terms of business impact instead of IT impact. I also admire the way he has developed a line of thought and has taken the time to document it and share it with his peers. That is what fostering professionalism is all about.

    End Note. I also downloaded an interesting paper by Dave Lutzker titled, Testing Is a Phase, Quality Is an Approach. In a single page Mr. Lutzker captures the essence of quality vs. testing. It's a quick read and well worth the time to download. The paper is from Sticky Minds, which is one of the best software QA resources on the web. Most of the articles take a business approach, and the content is first rate.



    Tuesday, February 19, 2002

     

    Development Critical Success Factors. The Department of Defense-sponsored Software Program Managers Network has been one of my long time sources of best practices. Over the past few years they have distilled what is essential to successfully developing software down to 16 critical practices. You can download the 146-slide PowerPoint presentation on these 16 critical software practices, as well as get a whitepaper in MS Word format.

    Two New Books. The Harris Kern Enterprise Computing Series has two new additions:

    1. Technology Strategies by Cooper Smith
    2. IT Systems Management: Designing, Implementing, and Managing World-Class Infrastructures by Richard Schiesser
    Here's a hard-to-find bonus: Participate in a survey (you'll first have to go through a free registration process), and you can select one of the series books as a free reward for your efforts. The offer is, unfortunately, limited to survey takers in the United States.

    End Note. As a prelude to my entry that introduces the Tarrani-Zarate Model I'm sharing an excellent article titled, Grammar of Goal Setting. This will set the context for the business imperatives layer of our model. A well-written companion article is Common Goal Setting Tangles.



    Monday, February 18, 2002

     

    Overcoming the Power Curve. I've been somewhat elusive lately. Busy actually. I spent a relaxing week in Hawaii the week before last, and my sisters treated me to a mini-cruise out of San Diego for my birthday. Between much needed social activities and chipping away at a mountain of e-mail I think I'm getting to the other side of the power curve.

    On My Scope. I've been paying attention to the latest security events, most of which involve Microsoft in some way (no news there).

    I've been following Richard Forno's articles in infowarrior.org, among other sources, and it seems as though Microsoft cannot get out of its own way. One of the reasons I'm a Richard Forno fan is he's consistent and his news articles read like a series. Let's go back to November 2001 and read forward:

    A wrap-up to the above is the news that Judge grants States access to Windows source by John Lettice, The Register dated 16 February 2002. See Richard Forno's comments in his Linux Security News article of 18 February 2002 titled, Message To Microsoft: Only The Truth Shall Set You Free.

    The Point. The above is in the same spirit as Mike's 9 February 2002 entry here. Yes, Microsoft gets its share of the heat. In my opinion it's well deserved because social responsibility should be part of the price of being a convicted monopoly. At a time when security is of paramount concern I don't feel that shoddy products filled with reported vulnerabilities are an indication of social responsibility.

    However, this isn't about social responsibility either. It's actually a lead-in to the first layer in the Tarrani-Zarate Model that we'll be discussing in subsequent entries. The foundation of that model is business imperatives, and in the next few days you'll see how infrastructure choices should be tied to that foundation instead of being an arbitrary technical decision. Therein lies the point to this entry: had IT been closely monitoring the industry and employing risk management practices, one of two things would have happened:

    1. Microsoft would have long ago been proactive about ensuring their products were not the security risks that have been widely reported.
    2. Microsoft would not have achieved the monopoly position it currently holds.
    Points to ponder. It's also the springboard to Mike's next entry, which will introduce business imperatives.

     

    Quick Picks. Here are two sites that provide information that is closely aligned to this weblog's goal of promoting IT professionalism:
    1. Utopia Place is a resource site for IT professionals in mid-size organizations. This site has a collection of whitepapers that serve as realistic guidelines for its target audience.
    2. Surrex Solutions also provides valuable resources, with an emphasis on ERP and underlying database systems. They provide a page of links, news and other resources for each of the following: Baan, Essbase, Oracle, PeopleSoft, SAP, Siebel and Sybase. Their newsletter, The Changing IT Landscape is focused on IT management issues.
    Irresistible. Mike Sisco (see my 5 February entry) sent me an e-mail this morning letting me know that he has discounted his IT Manager Development Series until the end of the month. From now until then you can order the 10-book collection and his 80-tool IT Manager Toolkit for $179.00. The IT Manager Development Series normally sells for $495.00 and the Toolkit for $250.00, so this limited time offer is a bargain. For more information see the description and ordering page or contact Mike Sisco directly.

    Simple Path to Success. If you manage software development projects you'll want to download 10 Keys to Software Project Success. This document is a 42-slide presentation (in PDF format) that was given by Steve McConnell at the 12th International Symposium on Software Reliability Engineering.

    End Note: Microsoft security is a continuing topic (or soap opera, depending on your point of view). The 15 February ZDNet News article titled Spat over MS 'Flaw' Gets Heated, by Robert Lemos, will make you wonder who are the inmates and who is running the asylum.

    Late Note - Correction (18:00 US Pacific Time): I was just notified by Mike Sisco that the price of the IT Management Development Series will be $279.00 after 28 February instead of the $495.00 price I cited. I apologize for the mistake.



    Sunday, February 17, 2002

     

    Best Wishes. Please join me in a happy birthday wish to Linda. She freely gives of herself to promote IT professionalism through entries here, her role in the family of web pages we maintain, and her insightful and well-written Amazon book reviews. As a colleague I greatly appreciate her collaboration on the countless projects, papers and deliverables on which we work--past, present and future. She is my cherished friend as well as colleague, and one of the hardest working people in IT.

    Best Efforts. Linda and I developed the Tarrani-Zarate Model for Information Technology Management during the middle of 2000, and have refined this model in sporadic bursts of ambition over a period of time. What we want to do is to rekindle the work and the best way to do that is to base a series of entries here on each layer in the model.

    Someone (and I wish I knew to whom to attribute this) said, no model is perfect, but some are more useful than others. That sums up our model. We know there are flaws, but we also know that it has the potential to serve a useful purpose if we flesh it out and document it better. Describing it will force us to look at it with a more critical eye. From there it may evolve into something more useful.

    We welcome your participation as the model's details unfold, and the best way is to join our IT Operations Management discussion on Delphi. You'll need to register with Delphi to participate, but registration is free.

    Killing Two Birds. No, we're not going to abuse our feathered friends. What we are going to do is tie the Tarrani-Zarate Model entries here to books in Mike Sisco's IT Manager Development Series. (See my 5 February entry here for more details.)

    Ending Notes. Before signing off to enjoy the rest of the day I want to share two online publications that support our goals of promoting IT professionalism: Quality Digest and iSeries Microsite for Software Management. Enjoy your weekend.



    Saturday, February 16, 2002

     

    Friends, Files & Folly. Earlier today in Notes from the Field I extended the topics I started here yesterday and turned the focus on quality. If you're interested in advanced SQA or web usability metrics you'll want to read that entry.

    In this entry I am going to provide more files that will augment the four core skills I discussed yesterday.

    Friends. Today is Marcia Hopkins' birthday. Marcia is a close friend and a talented IT professional whose wide range of skills and commitment to professionalism epitomize everything this weblog is about - improving the IT profession. Happy birthday Marcia!

    Files. Yesterday was about four core skills and how risk management was a common denominator. Today I am going to provide documents that will be useful in each of the core skill areas, as well as point you to a collection of risk management artifacts and articles. You'll also want this Information Systems Risk Management Manual if you're actively involved in IT risk management and/or want to improve your knowledge and skills.

    The skill-specific documents are:

    1. Project Management:
    2. Analysis and Assessment:
    3. Measurement and Metrics:
    4. Security: A collection of security publications and a collection of security document drafts from the National Institute of Standards and Technology Computer Security Resource Center.
    Folly. If you want to see folly read David Courtney's 14 February 2002 article in ZDNet Tech Update.

    Enjoy the weekend ...



    Friday, February 15, 2002

     

    Mindsets, Techniques & Tools. My friend, Muthukumar U and I had a long phone conversation on the 14th. Muthukumar is a risk analyst for HSBC Bank Middle East (he works in the Sharjah, UAE offices). Our conversation was interleaved with catching up on personal stuff, a project he and I were working on with Thinking Minds, Inc. for Bank of Baroda (India), and some of the challenges that Muthukumar was facing as a risk analyst. Naturally, risk was a recurring topic throughout the conversation. After we hung up I began thinking about risk management and how it relates to our profession.

    As IT professionals there are four core skills that we are all required to master:

    1. Project management
    2. Analysis and assessment
    3. Measurement and metrics
    4. Security
    Risk management is an integral element of each, and as IT professionals this element needs to be an integral part of our mindset.

      Risk Management Mindset. Risk management is one of the key processes in project management, which is evidenced by the fact that it's a project management knowledge area with six associated processes in PMI's Project Management Body of Knowledge (PMBOK). This is the US national standard for project management.

      If you're using the UK standard for project management called PRINCE2, then you already understand the importance of risk management because it permeates the processes, with a requirement to be included in project start-up, initiation, and stage boundary management, as well as a key activity throughout PRINCE2's directing a project process.

      In our analyses and assessments we would be remiss if we didn't factor in risk. For example, we need to constantly ask questions like:

      • What is the probability of occurrence (or non-occurrence) of an event and what is the impact?
      • What are the dependencies between and among systems, processes or other subjects of analysis and assessment?
      • What are the risks of being wrong in an assessment?
      • How confident are we in our findings, and how can we mitigate uncertainties in our findings?

      Measurements and metrics are the foundation of quality. Quality is a key factor in both applications and service delivery. It's also a PMBOK project management knowledge area as well as a foundation of PRINCE2, which focuses attention on quality of deliverables.

      Uncertainty manifests itself in measurements and metrics, especially when we need to define the scope of what we're measuring or of the metrics we're collecting. Dealing with this uncertainty (risks) in measurements and metrics requires a good understanding of basic probability and statistics. This is especially true if you're working with or for a company that employs TQM or is at or above CMM level 3.

      Attaining an effective security posture requires that security be everyone's business. The foundation is awareness. At the risk of sounding Zen-like, awareness encompasses risk concepts - if you think in terms of risk you'll be enlightened.

      If you ponder the core skills and common tasks, you'll see they're interrelated. Try to imagine project management without analysis and assessment. How can analysis and assessment tasks be accomplished without measurements and metrics? And can you conceive of an effective security posture that does not include analysis and assessment?

      From the above discussion, another skill that is directly related to risk management emerges: auditing. In fact, as you delve into risk management you keep bumping into auditing. Moreover, auditing in some form is an element of each of the four core skills. I view auditing as a task element rather than a core skill for IT professionals. This does not diminish the important role of IT auditors and their profession. Instead, it underscores their importance as professionals, and also recognizes that risk management cannot stand by itself without auditing. Nor can the four core skills I cited.

      Techniques. Which came first, auditing or risk management? Instead of pondering that question I am going to recommend a resource on the integration of auditing and risk from an auditor's perspective: Activity Based Risk Evaluation Model of Auditing. This is a powerful framework and one that adds structure and clarity to auditing. If you add this to your knowledge and skill sets you'll find it will enhance your abilities in each of the four core skills.

      Another resource for professional auditors, but useful for IT professionals in general, is Risk Management: Defining a New Paradigm for Internal Auditors. An article that specifically addresses the integration of risk management and auditing is Changing the Paradigm (integrating risk management and internal auditing).

      IT-specific auditing resources include:

      Tools. One of the most useful tools for implementing a process is an example. The Treasury Board of Canada has an Integrated Risk Management Framework in MS Word format that can be adapted to meet your organization's requirements and will kickstart a risk management process implementation.

      As you become more familiar with IT auditing as an element of risk management, you're going to begin seeing the term COSO crop up. The term stands for Committee of Sponsoring Organizations. The sponsoring organizations are: the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the American Accounting Association, the Institute of Management Accountants, and the Financial Executives Institute.

      In practice, however, COSO is commonly used to refer to Internal Control - An Integrated Framework. The best way to understand the significance of COSO is to see how it's used by real organizations. The University of Texas System Institutional Compliance Program is addressed in a set of PowerPoint and Word documents that describe that institution's use of COSO, and they are valuable examples.

      How COSO applies to IT is illustrated in Network Auditing: A Control Assessment Approach by Gordon E. Smith. A glimpse into how that book uses COSO as a foundation can be seen in an article by Mr. Smith titled Securing the Internet for 2002.

      Another book that is more focused on risk management, but has the same general theme, is Information Security Risk Analysis by Thomas R. Peltier. Linda reviewed this book on Amazon on 25 September 2001, and I reviewed it on 22 April 2001.

      If your statistics are a bit rusty you can get up-to-speed on the basics with Statistical Sampling Refresher. If your interests are project risk related tools and techniques, my special project management page and my [now defunct] project management newsletter are sources of information.

      A compelling example of why auditing is important to IT is the SF Gate article, Risky Business: Tangling with the Business Software Alliance. This exercise in fear, uncertainty and doubt will get your attention if you're in management. An exercise for those of you who use MS IE5 or above will show in practical ways how risk and auditing go together.

      Late Note: 18:00 US Pacific time 15 February - I just posted related material, with an emphasis on software quality, in our Notes from the Field weblog.



    Thursday, February 14, 2002

     

    I just added a Search Feature to this page that returns results from both this page and Notes from the Field (see links on the left side of this page). Thanks to Unmesh Laddha for suggesting this enhancement.

     

    Steve Page (mentioned in Linda's Notes from the Field entry earlier today) has a new book coming out about how to align strategy to policy. I agree with Linda that Steve is a foremost expert on the subject of policies and procedures, and his three books on the subject set a high standard for content and approach. Imagine my dismay when I checked Amazon to find a sprinkling of negative reviews among the majority of glowing praise for two of these books. The reviewers seem to focus on a few typos and sentence structure, completely missing the message. And the message in Steve's books is the essence: how to develop effective (and enforceable) policies and procedures.

    Here's my recap of the books:

    • Establishing a System of Policies and Procedures: This is Steve's first book, published in 1998, and it is the first book (to the best of my knowledge) that steps readers through the unglamorous--but important--task of how to write policies and procedures. Anyone who follows Mr. Page's steps will develop well-crafted policies and procedures that will be unambiguous and clearly stated. This is where the Amazon "Reviewer from Independence, MO" and I disagree. The reviewer wrote on 12 February 2002 that the book "[is] long-winded, badly edited, poorly written ...", which are subjective. While the book will never be classified as a literary masterpiece, and it does contain typos, it will stand (in my opinion) as a solid book on the subject and one that I recommend without reservation to anyone who is faced with the task of writing policies and procedures.
    • Achieving 100% Compliance of Policies and Procedures: This is Mr. Page's second book, and in my opinion the best of the three that he's written. Each of the five reviewers, including Linda (see her 2 May 2001 review) awarded this book five stars and consistently glowing comments. Even experienced policies and procedures developers will find a technique or two that they didn't previously know.
    • 7 Steps to Better Written Policies and Procedures: This book is better suited to experienced policies and procedures writers. In fact, this book is a shining example of the economies of reuse because it's a reprint of key parts of Achieving 100% Compliance of Policies and Procedures. Our friend, "Reviewer from Independence, MO", decided to lambast this book on 12 February 2002 as well. His/her negative review, however, was the only dissenting one of the seven posted on Amazon (including my 27 September 2001 review, which was followed by Linda's 28 September review).
    The purpose of my thoughts is not to single out the dissenter from Missouri, but to make a point about fact vs. value, which is a fundamental skill that analysts need to develop and refine.

    In the case of the books, the reviewer was mixing facts (typos) with values (subjective statements about writing style) and then drawing conclusions that reflected bias towards the value judgement.

    As analysts (and we all are), we need to park our values when we're objectively evaluating a process, design alternative, book or proposal.

    The key is to focus on the essence of whatever it is that we're evaluating. To illustrate this, I am going to invite your attention to another book that both Linda and I reviewed: IT Organization: Building A Worldclass Infrastructure. My 11 January 2001 review noted the flaws in the book, including typos, a table of contents that didn't describe what was in the book and other blemishes. Had I imposed my values and stopped reading the book because of those reasons I would have missed some extremely valuable insights about IT organizational management. In fact, this book has strongly influenced my thinking and approach. Linda's 16 May 2001 review acknowledged some of the same problems with the book, but her perspective uncovered even more valuable information the authors were providing. Yes, the book has a few warts. A look beyond the warts reveals innovative thoughts and documented best practices. Had we dwelled on the warts we would have missed the book's message.

    The moral is to strive to remain objective and to put things into perspective. In the case of a book, are typos and sentence structures show stoppers or merely inconveniences? In the case of other artifacts and processes that we are called upon to objectively evaluate, are we allowing values and nitpicking to get in the way of finding the real strengths and weaknesses of our subject? Think about it.

     

    Service Delivery, MS Security and Business Continuity Planning. My topics today are eclectic to say the least, but then, I'm an eclectic person.

    Service Delivery. I closely follow the IT Services CMM initiative. This project appears to stall, then show signs of life, then stall again. This is a frustration because the work is important and adds much to the IT profession. The last update was made to the Level 3 definition on 29 November 2001, and does show promise that things are proceeding with some momentum. Another artifact that has emerged from the project is the Assess to Improve (A2I) assessment kit. The base document is IT Service CMM Questionnaire, which goes to Level 2. I have a copy of the CCTA IS Management Self-Assessment Questionnaire in MS Word format that complements the IT Service CMM material. If you want to learn more about the IT Service CMM this IT Service CMM presentation in PDF format fully describes the initiative and its goals.

    MS Security. Why am I not surprised? Or, can Microsoft make good on its commitments? It seems that a new Microsoft security feature that was added to their latest C++ compiler (called both Visual C++.NET and Visual C++ version 7) resulted in a security flaw. In Mike's 9 February entry he expressed skepticism about Microsoft's ability to meet an ambitious schedule to correct the flaws. Perhaps the cowboys and cowgirls in Redmond have taken on more than they can handle in such a short timeframe. Time will tell, but it doesn't look promising so far. At least they're doing something, though, which is a step forward.

    Business Continuity Planning. Bill Meredith's 14 February essay on business continuity planning (reprinted from Continuity Planner's The E-ZINE) is one of the best descriptions of BCP I've read. I want to summarize the key points, with all of which I'm in total agreement:

    1. Disaster Recovery is a term of the past, an admission of failure. Yes, some of you will experience serious disruption but if you are aware of the consequences it will not be a disaster.
    2. Business Continuity Management is the process to ensure your critical business functions continue in a crisis and the remainder are recovered in a controlled and phased manner.
    3. Business Continuity Management and Maintenance do not belong with IT or Premises but with the business itself. If responsibility cannot reside there then Internal Audit is the obvious choice.
    4. It is easier to teach someone to carry out a BIA than it is to teach someone your business. Make sure at least some of your people are involved first hand in the BIA or the consultant comes from a relevant background.
    If you're interested in BCP and disaster recovery planning there are two books that I recommend:
    1. Manager's Guide to Contingency Planning for Disasters: Protecting Vital Facilities and Critical Operations by Kenneth N. Myers (see my 23 September 2001 Amazon review)
    2. Disaster Recovery Planning For Computers and Communication Resources by Jon Toigo (see my 11 July 2001 Amazon review)
    That's all for today ...



    Wednesday, February 13, 2002

     

    Random Musings. It's amazing how one thought triggers another until ideas emerge out of the mesh of random thoughts. Earlier I was thinking about a few milestone events: my close friend Marcia Hopkins has a birthday on the 16th, followed by Linda's birthday on the 17th, and the 35th anniversary of my joining the Navy on the 20th.

    What brought these thoughts into focus was the fact a neighbor revealed that her brother was in the same industry as I, which led to e-mail exchanges, which led to a visit to his company ChangeBridge. It turns out that ChangeBridge is an SEI Transition Partner for introduction to the CMMI Systems Engineering/Software Engineering Courses and SCAMPI Assessment Services.

    That fact linked me to Thinking Minds, Inc. because Linda and I did some earlier CMM strategy planning with Unmesh Laddha, Thinking Minds' CEO. It didn't end there - I did a quick Google search on ChangeBridge and discovered that Mark Servello, who I knew over 14 years ago from a Navy assignment as MIS director, was associated with ChangeBridge. That assignment, by the way, was for a large Navy facility in San Diego and was the one that capped off my 22-year Navy career.

    Naturally more thoughts entered my head - CMM, San Diego, process improvement and related connections that I hadn't fully sorted out. These thoughts, though, led to more research, which led to ProcessVelocity, LLP, a San Diego-based consulting firm that is also an SEI Transition Partner. This small consulting firm also provides some innovative services, including three jumpstart services designed to assess and jumpstart a client's SQA, SCM or XP (eXtreme Programming) initiatives. While I was visiting the site I also downloaded two valuable files in Windows helpfile format: CMMI Staged and CMMI Continuous representations.

    For some reason my thoughts turned to ISO9000, which led to NASA's Independent Software Verification and Validation site's ISO 9001 documents, all of which are in PDF and MS Word formats. This collection of documents exemplifies how to develop an ISO 9001-compliant quality manual. If you think ISO 9001 is unimportant or does not support the CMM read my 9 July 2001 review of ISO 9000-3: A Tool for Software Product and Process Improvement on Amazon.

    Time to get out of daydream mode and back to work.

     

    I've been back from my Hawaii vacation for nearly a week and have been doing light research while mentally re-engaging. Part of the process is to catch up with what Mike has been posting here and in Notes from the Field. His XML and XBRL resources sent me on my own search, which led me to Lisa Rein's site.

    Ms. Rein has an impressive portfolio of published articles, and a valuable collection of tutorials on topics such as XML, P2P and HTML. She's an XML expert and has an extensive background that is filled with accomplishments. Ms. Rein's weblog is filled with diverse and interesting entries and is one that I've bookmarked and added to our collection of simpatico weblogs (see the list on the left).

    The official ebXML site is a resource for IT professionals who are working with or in e-commerce. ebXML is a modular suite of specifications that enables enterprises of any size and in any geographical location to conduct business over the internet. Using ebXML, companies now have a standard method to exchange business messages, conduct trading relationships, communicate data in common terms and define and register business processes. I've placed a PowerPoint presentation in my server space titled ebXML technical overview that explains why ebXML is important.

    When I first started working with Mike two years ago he introduced me to a project management tool called Project Control Panel, which is not only powerful, but an amazing example of VBA programming and Microsoft Excel. Last night I discovered another tool called CAN-PLAN that was developed by Bill McMillan who has generously made it available for free. This Excel-based tool is perfect for managing small-to-medium size projects and is another example of the power of Excel in the hands of a VBA developer who also understands the process that he or she is automating. If you have problems downloading CAN-PLAN from Mr. McMillan's site you can get it from my directory.

    I'm still catching up with hundreds (!) of e-mail messages, so am going to cut this short and return to my long "to-do" list.



    Tuesday, February 12, 2002

     

    NOTICE: CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP) was issued today (12 February 2002). See also: Network World article titled CERT warns of SNMP vulnerability with widespread impact for a quick summary of the impact and scope of this problem.

     

    Project Management. Project managers may be interested in project budgeting resources, which is a collection of Word and Excel documents. Some of the documentation is scant to nonexistent, but most of the spreadsheets and other tools will be easy for experienced project managers to figure out and quickly use.

    Collaborative Frameworks. Anyone involved in group collaboration system design will find the DARPA-sponsored document titled collaborative framework rich in ideas and a highly useful methodology for evaluating collaborative computing systems. This framework applies to collaborative systems engines, such as ThinkingWare (developed by Thinking Minds, Inc.), as well as to architects and analysts developing portals and workflow systems.

    Security. Regardless of whether you're an IT security professional or specialize in a different discipline, security is an inescapable concern. In previous entries I've discussed the need to incorporate security into testing, architecture and every other facet of service and applications delivery.

    One standard of which every IT professional should be aware is the Common Criteria for IT Security Evaluation (CC). Why? ISO approved and published the CC text as the new International Standard (IS) 15408 on 1 December 1999. The CC started as a NIST initiative (see the original web page). You may find either or both of the two sites I listed overwhelming at first, and may want to get the cocktail party version of the CC (PowerPoint format) before you go exploring.

    Two other related PowerPoint presentations are also worth downloading and reading:

    1. Protection Profile Process Improvement, which discusses the CC protection profiles and how to align the CC to the Systems Security Engineering Capability Maturity Model.
    2. Information Security Metrics. This presentation by Bear Stearns gives an auditing approach that incorporates both process and metrics.
    For general security awareness you may want to read the PowerPoint presentations on E-security and wireless security, both of which summarize the key issues.

    End Notes: Spiked's IT section is a fresh source of IT news that is oriented towards business more than technology. I've also updated Notes from the Field with a few topics that will foster IT professionalism; specifically, a policy and procedures document for software inspections, and an interesting paper on using eXtreme Programming as a core approach for e-business start-up companies.



    Monday, February 11, 2002

     

    Process, Finance and Quality. I have a wealth of related resources to share in this entry:
    • Activity-Based Cost and Value-Added Assessment
    • eXtensible Business Reporting Language (XBRL)
    • Reference Software Quality Profiles
    These resources are closely aligned with design patterns (and anti-patterns) that I covered in today's entry in Notes from the Field. Where patterns capture best practices, the topics I'm covering here are the basis for best practices.

    Activity-Based Cost and Value-Added Assessment. I've used activity-based cost management (ABCM) since 1993, and have found it to be one of the most effective techniques for determining total costs of ownership (TCO) for systems and applications. I've also used it to cost out shared resources and estimate outsourcing P&L from a vendor point of view. A Management Accounting Framework by Gary Cokins is a good starting point if you're not familiar with ABCM. Mr. Cokins is also the author of Activity-Based Cost Management Making It Work: A Manager's Guide to Implementing and Sustaining an Effective ABC System (see my 25 February 2001 review on Amazon).

    Another facet of cost management is value assessments - the process of discovering non-value added activities in processes. There is a clear connection between ABCM and value assessment, and one of the best resources I've encountered is William E. Trischler's book titled Understanding and Applying Value-Added Assessment: Eliminating Business Process Waste. My 6 July 2001 review of this excellent book on Amazon summarizes why you should read this book. Another resource is a whitepaper by Thomas Miller titled Enterprise Architecture Framework: Providing a "Value Added" Analysis Capability.

    Value analysis is not limited to measuring process steps, which is evidenced by Knowledge Value Added and Business Process Auditing. This brief paper is augmented by another paper that ties together knowledge value and ABCM by comparing the two. The paper, Knowledge Value Added and Activity Based Costing: A Comparison of Re-engineering Methodologies, is one of a series of similar papers that address different facets of the same topics.

    We're now getting deep into business process improvement and reengineering territory. One valuable resource that covers this broader look at processes is the FAA's Business Process Improvement/Reengineering Handbook. Another resource is a PowerPoint presentation titled Tools for Managers: Measuring Performance and Success.

    I'll wrap this topic up with two other recommended resources:

    1. A whitepaper in PDF format titled Principles of Benchmarking.
    2. Paul Strassmann's web page. If you're one of the half-dozen IT professionals who has not heard of Mr. Strassmann you're in for a treat as you read through his articles and papers. This guy is opinionated, egotistic, obnoxious - and is rarely wrong. His seminal book, The Business Value of Computers, established him as a straight-talking senior executive who was not afraid to debunk the voodoo methods used to justify computer purchases. Since this book's 1990 debut Mr. Strassmann's book writing has been prolific, and he has augmented his books with a series of digital publications.
    eXtensible Business Reporting Language (XBRL). If you are working with or for a financial institution, or are supporting your company's finance department, then XBRL is an important topic.

    A starting point is XBRL.ORG, which is developing XBRL for the preparation and exchange of business reports and data. The initial goal of XBRL is to provide an XML-based framework that the global business information supply chain will use to create, exchange, and analyze financial reporting information including, but not limited to, regulatory filings such as annual and quarterly financial statements, general ledger information, and audit schedules.

    The XBRL Educational Resource Center maintained by Bryant College is a content-rich source of XBRL information too. If you want a good overview of XBRL download the XML-XBRL PowerPoint presentation. The Extensible Business Reporting Language (XBRL) 2.0 Specification dated 4 February 2002 (MS Word format) is the official spec and is essential reading if you are involved with XBRL solution development.

    There are two books on the topic, neither of which I've read, that are currently available:

    1. Introducing XBRL: Making Decisions in a Digital Economy
    2. XBRL Essentials
    Reference Software Quality Profiles. This topic is loosely related to XBRL and tightly related to SQA. An overview is provided in Definition of reference software quality profiles, which contains two MS Word documents that go into more detail:
    1. Software Product Quality Evaluation and Certification: the Qseal Consortium Methodology.
    2. The IBISCO initiative for the evaluation and certification of bank software product quality.
    The latter document is the loose tie-in to XBRL, and is an essential document for anyone who works with or supports bank applications.

    End Note: Do you have a fall-back strategy to go into manual mode if you lose a critical application? Here is an example of such a strategy for business process areas that depend heavily on word processing (law offices, transcription agencies, etc.), and a reminder to find a little fun in life.



    Sunday, February 10, 2002

     

    Important. I haven't authenticated this, but it comes from a source whom I trust. The warning is:
    The IRS Criminal Investigations Division recently sent out an alert to law enforcement agencies regarding this scam. PLEASE READ and FORWARD to others, so they might not be a victim of what could seriously damage you financially.

    Some taxpayers have received e-mails from a non-IRS source indicating that the taxpayer is under audit and needs to complete a questionnaire within 48 hours to avoid the assessment of penalties and interest. The e-mail refers to an "e-audit" and references IRS form 1040. The taxpayer is asked for social security numbers, bank account numbers and other confidential information. The IRS does not conduct e-audits, nor does it notify taxpayers of a pending audit via e-mail.

    That e-mail is not from the IRS. Any e-mail received of this nature should be saved so that a computer forensics investigation can be conducted to determine the originator. Law enforcement personnel should remain cognizant of this latest identity theft ploy. And this social engineering exploit is not limited to the U.S.A. A criminal in your country can also pull a scam like this. Be warned! More info at: webmaster@fleoa.org - Federal Law Enforcement Officers Association.

    I did do a quick Google search and discovered that this scam is also being pulled over the phone.

     

    Loose Ends & Miscellaneous Notes. It's a beautiful Sunday in Southern California, so this entry is going to be short. My goals are to tie up some loose ends with respect to yesterday's entry on security and to also share a few sites that I serendipitously found in my never-ending surfing and research.

    Security Redux. Phenoelit, a German group that is a self-described greyhat group (and one of the presenters at Black Hat Briefings '01), has an interesting site that features tools and papers security professionals will find both interesting and useful.

    The tools include:

    • VIPPR (Virtual IP Phalanx Router) - a study of attack router concepts
    • IRPAS - Internetwork Routing Protocol Attack Suite
    • ARP0c - a connection interceptor (using ARP spoofing and a bridging engine)
    • cd00r.c - working proof-of-concept code for a non-listening remote shell on UN*X systems
    • PHossc - a sniffer designed to find HTTP, FTP, LDAP, Telnet, IMAP4 and POP3 logins on the wire
    • Lumberjack - scans the hash codes of all passwords in a ldif file
    • KOLD - a dictionary attack against an LDAP server
    • ObiWAN - a brute force authentication attack against a web server with authentication requests
    Chilling stuff, but forewarned is forearmed. If you want both insights into security and a well written technical primer I highly recommend Bruce Schneier's Secrets and Lies: Digital Security in a Networked World. My friend Kate Hartshorn wrote an insightful review on Amazon dated 8 November 2001, and I reviewed this outstanding book on 3 January 2001. If you like this book and want a gentle introduction to the underlying math and mechanics of the technologies that are introduced I also recommend Cryptography Decrypted. Linda reviewed this book on 17 December 2001 and I wrote a review on 16 March 2001.

    The Papers & References page on the site points to mainstream and non-mainstream resources.

    Discoveries.

    • Moneywords is Tom Welsh's project management site. It contains checklists and a comprehensive list of book recommendations. I discovered this gem when Tom posted a message in our Project Management Forum. One page I especially like is Barometers, which is a listing of financial ratios and indicators.
    • Introduction to the Zachman Framework by David Hay. I've been a strong proponent of the Zachman framework ever since reading Spewak's and Hill's Enterprise Architecture Planning. See Linda's 21 January 2001 review on Amazon. I first read this book in 1993 and can attest that it's as relevant today as it was when it was first published over nine years ago.
    • Enterprise-Wide IT Architecture, which is a reference site and community resource for Enterprise-wide Information Technology Architecture (EWITA) or Enterprise Architecture (EA).
    • ZIFA, which is the Zachman Institute for Framework Advancement. I didn't recently discover this site, but am including it because it fits well into the themes of the sites I previously mentioned.



    Saturday, February 09, 2002

     

    TOPIC: Security Issues and Resources: This entry might look like Microsoft bashing, but bear with me because it isn't. The topic is security, and my goal is to provide awareness, opinion and resources.

    Awareness. First, if your organization has heavily invested in Microsoft technology or is leaning that way, take a quick look at the numerous problems you are facing or will be facing. Bleak? Overwhelming? These problems did not happen overnight, but the consequences have finally come to a head. Some of the more glaring problems and consequences can be found in two articles in eWeek and an article from E-Commerce Times.

    The first article dated 28 May 2001 dropped a bombshell with the report that Insurer Considers Microsoft NT High-Risk. Another damaging article from this publication, dated 25 September 2001, turned up the heat with a report that Gartner Recommends Against Microsoft IIS. The article in the 4 October 2001 issue of E-Commerce Times Under Pressure, Microsoft Moves to Tighten Security unearthed a litany of problems.

    Apparently Microsoft was listening. Here is the short-term response, the now famous Bill Gates' Email on Trustworthy Computing (copied from Paul Boutin's weblog).

    Yes, it's a step in the right direction, but is it a sincere effort or a marketing/public relations ploy? The reported action is that there will be a 30-day moratorium on coding to fix security problems. 30 days? Let's examine the realities here:

    • There are millions of lines of code that make up the Microsoft product line
    • Strong circumstantial evidence that Microsoft hasn't given much apparent thought to security until now
    • The daunting planning and coordination challenges that need to be overcome before coding efforts of thousands of developers can be redirected towards the task of finding and fixing security vulnerabilities. Not to mention the training that the coders-turned-security auditors will need before they're effective.

    Given the realities, consider this: a rollout of Windows XP for a 1000-person organization requires more planning and coordination than the project that Mr. Gates proposes. Personally, I don't believe it is anything more than spin control.

    From the foregoing it would appear on the surface that Microsoft can't produce secure software and, therefore, we should look to [pick your favorite vendor, OS or whatever] to save us.

    Here's a dose of reality: go to the CERT/CC Vulnerability Notes Database, which is maintained by the CERT Coordination Center (CERT/CC). You may be surprised to notice the vulnerabilities reported for your favorite vendor, OS or whatever. If you're still not convinced, look through the advisories and draw your own conclusions. While you're on the site do a little exploring and you'll find tools and practices to help you shore up your own security posture.

    I'll give an example of how we sometimes allow personal opinions and value judgements to cloud our objectivity. I happen to think that Oracle is the only sane solution for mission critical computing. When Oracle began advertising their Unbreakable database I took it as a matter of fact. You can well imagine my surprise and chagrin when I read the 7 February article in The Register that reported How to hack unbreakable Oracle servers. David Litchfield of Next Generation Security Software uncovered a number of vulnerabilities. If you want specifics download Mr. Litchfield's whitepaper titled Hackproofing Oracle Application Server. If your organization uses Oracle or Lotus Domino you would also do well to read the advisories and whitepapers in the site's research section.

    Opinions:

    1. Microsoft bashing has become so fashionable that we tend to not notice that software (including firmware) security vulnerabilities are the norm instead of the exception. This is dangerous because if Microsoft cleaned up every security flaw and vulnerability tomorrow there would still be a plethora of risks in using computers for business or personal use.
    2. Microsoft is positioned to lead. They acknowledged certain facts about their software and have announced that they are going to do something about it. If the announcement is spin control and empty promises they will ultimately suffer. However, if they do make a concerted effort and it starts showing results, then the rest of the industry is going to be followers that play the me too game.
    3. I do not expect any real progress to be made within the 30-day timeframe that Microsoft announced.
    4. The root cause of the problem, in my opinion, goes to shoddy-to-nonexistent software engineering and quality practices industry-wide. We're watching a company focus on security when it's really a process and quality problem. We're also watching a particular company, bashing them along the way, when it's the entire US software industry that should be watched.
    5. If UCITA (see my 8 February entry) were law neither Microsoft nor any other US company would have much incentive to clean up the mess (that's my opinion, of course).

    Do not construe my opinions as excuses for Microsoft. They are a monopoly and should be held to the highest standards. This does not exonerate the rest of the industry of their sins of omission and commission with respect to quality and professional standards.

    The purpose of this weblog is to promote and foster best practices and improvement within the IT profession. To that end here's my advice with respect to shrink-wrapped software and COTS (commercial off-the-shelf software):

    Resources. Linda and I have an Information Technology Security page that contains links to a large number of resources, many of which are primary sites for security professionals. We also have documents on this site that will prove helpful. Use this site as your gateway to the primary security sites on the web and you'll be on your way. Since the Information Technology Security page is infrequently updated (we have since discovered weblogs and use this and Notes from the Field to update content and share news and documents), I'm including a few resources that you will not find on our page:

    • A nicely designed and useful security page from the National Institutes of Health. This resource is included because it's a model for your own organization, and it has security policies, guidelines and a handbook that you can benchmark against yours. The IS Security Program Handbook in MS Word format is especially valuable.
    • The Network Risk Assessment page (also from NIH) has a manual in MS Word format and an accompanying Excel risk assessment tool that are invaluable.
    • Speaker notes and presentations from the Black Hat Briefings '01, which took place in Amsterdam, November 2001. The presentations are a treasure trove for security professionals.

    Since it's a Saturday I am going to enjoy the rest of the day.



    Friday, February 08, 2002

     

    If you're initiating process improvement you'll want to read American Productivity & Quality Center's whitepaper titled Benchmarking: Leveraging Best-Practice Strategies. You'll find that it's a good fit with the material on process improvement that I've posted in the last two entries. If you're interested in knowledge management and how it enables business processes and process improvement you'll also want to download the PowerPoint presentations from APQC's September 2001 conference on Next-Generation Knowledge Management: Enabling Business Processes.

    I also recommend e-Newsletter of Practical Process Improvement if you want to read insightful articles about process improvement.

    If you are pursuing improvement in project management or program management practices you'll want to check out NNH Enterprise's earned value project management papers and associated earned value definitions.

    On 17 January Linda and I each addressed the Uniform Computer Information Transactions Act (UCITA) in Notes from The Field. One of the key issues (and there are many) that we have with UCITA is the restriction against criticizing a product. This extends to reviews, statements of fact concerning shortcomings and the like. If you want to see justice before UCITA check out the short article from The Register dated 7 February 2002 headlined as NY sues NAI so you can say McAfee sucks. If UCITA were in force McAfee would have prevailed. Food for thought. If you're not up-to-speed about UCITA do take the time to read Linda's and my 17 January comments, as well as InfoWorld's UCITA briefing page and Ed Foster's incisive thoughts in his Gripeline article titled The Bride of UCITAstein.

    Another legal issue (actually a raft of them) that affects our profession and the businesses that we support concerns intellectual property. I won't go into my thoughts about the Digital Millennium Copyright Act (DMCA) today because I'll wind up writing a tome instead of making a weblog entry. I will recommend that you read Bill Zoellick's excellent book titled CyberRegs: A Business Guide to Web Property, Privacy, and Patents, which succinctly captures the essence of the thorny legal issues and the laws that are being passed to keep pace with our web-enabled, information-driven world. I reviewed this book on 25 September, and my friend Kate Hartshorn also reviewed it on 8 November. Kate's review is interesting because her expertise is competitive intelligence (a fancy word for corporate spy), and her comments place the issues in a different perspective than the rest of the reviews.

    One site I frequently visit for news regarding intellectual property issues on the web is Info Anarchy. This site's stated mission is to cover: reviews of file sharing/anonymity tools, announcements of new releases, ideas and concepts, legal proceedings, statements and other relevant news. Along these same lines, Deborah Branscum's weblog is a worthwhile resource. Her views of UCITA, Microsoft follies and related topics are completely in line with mine. The difference between Deborah and me, though, is she does not sugar-coat her opinions.

    Closing items are odds and ends that are valuable to IT managers:

    TGIF. Tomorrow's entry will address more security issues and provide some documents and resources that you may find especially valuable for refining your security posture.



    Thursday, February 07, 2002

     

    In yesterday's entry I ended by sharing a process improvement manual that I made available for download. That manual is valuable as a standalone asset, but when combined with Continuous Improvement: A way of life (a 36-page essay by P. R Balakrishnan), you'll be armed with enough material to place process improvement into the context that is right for your organization.

    There is much ado about security these days. I've frequently written about it here and in Notes from the Field, and will continue to do so because it's an important topic from operational and software engineering points of view. One interesting resource is Generally Accepted System Security Principles (GASSP). This page contains the principles in HTML and MS Word format. The approach used is to cast security principles in the same manner as generally accepted accounting principles (GAAP). Given the fact that accounting and auditing, and core security practices are closely related, the GASSP approach makes sense. Bear in mind that this is no real standard outside of MIT, which developed it, but it does reflect best practices from which you may want to borrow. Final notes about security in this entry: Security Focus is a repository of resources, including a fairly complete library of security documents that is worth checking into. If you're working on e-commerce or Internet projects you'll want to read A Parametric Approach for Security Testing of Internet Applications to make sure the test and release phases of your project cover key aspects. That's what due diligence is all about.

    If you haven't guessed, I subscribe to the adage that if you can't measure it it doesn't exist. It's finding what needs measuring that's the challenge. An article from Baseline Magazine titled A Dozen Smart Metrics, To Go provides twelve useful indicators that you should be measuring, including:

    Before ending I want to share a new weblog I discovered today: VoidStar, which is Julian Bond's creative outlet for his valuable thoughts and ideas. Mr. Bond has much to say about a wide range of subjects and topics related to IT operations, software engineering and anything that falls on the periphery or in between. I spent a few hours earlier today reading, absorbing and assimilating. I'm impressed.



    Wednesday, February 06, 2002

     

    On Risks: The theme of this post is risk management. Leading off is a pointer to Resource Management Systems, which sells tools that are reasonably priced and useful. Their FastPlanner for IT is an Excel add-in for IT budgeting and estimating. At $79.00 it's cost-effective because it will surely shorten the time spent doing one of the most painful tasks that goes with the territory if you're an IT manager. What does this have to do with risk? Everything. How many budgets and estimates are accurate? FastPlanner provides a framework that fosters accuracy by ensuring that all cost drivers are taken into account. Budget risk, especially when shareholder value is at stake, is inversely proportional to budget forecast accuracy. However, products aren't the only reason to visit Resource Management Systems' web site - there are online tutorials, budgeting FAQs and briefs that are valuable and freely available.

    Risk Matrix from Mitre (compliments of your tax dollars) is a free risk assessment tool. You can obtain it by filling out a registration form, and instructions will be promptly sent for downloading it. The advantage of registering the tool is you'll receive update notifications. If you can't wait you can download it from my server. I do urge you to go through the registration process at your convenience if you do get the tool from me.

    Simtools and Formlist are free Excel add-ins that should be in the toolbox of every risk manager, strategic planner and project manager. Simtools adds statistical functions and procedures for doing Monte Carlo simulation and risk analysis in spreadsheets. Formlist is a simple auditing tool that adds procedures for displaying the formulas of any selected range. There is an additional tool, TORNDIAG.XLS, that adds a Tornado Diagram procedure to the Excel Tools menu. This procedure can then be used to make a tornado-style sensitivity-analysis diagram in any open workbook. (Tornado diagrams show how an output value would change as various input parameters are changed, one at a time, from a given best estimate to a given low estimate and a given high estimate.)

    On the topic of business continuity and disaster recovery planning, which are two activities that are steeped in risk management, I have three papers that are worth reading:

    1. BCP and DR in Perspective
    2. High Availability in Perspective
    3. Negotiating Business Continuity Contracts

    In addition, Managing Risks in an Increasingly Automated Customer Contact Center by PricewaterhouseCoopers LLP is a summary of call center automation risks that call center professionals will find useful.

    If you haven't been following the Microsoft Passport vs. Project Liberty posturing and you're involved in e-commerce you should visit ZDNet's Tech Update page for the Project Liberty Special Report. In my opinion (as well as that of many in the industry) there are many inherent risks in Microsoft's online ID system. For more information see also Meta's report titled Passing Passport. Passport is tied into Microsoft's .NET initiative, which has its own set of risks, foremost among them Internet interoperability. A piece of reassuring news for those of us who espouse open standards is the ZDNet report of a .NET Alternative.

    Information security policies are designed to reduce, mitigate or avoid risks. An excellent PowerPoint presentation that addresses this is Measuring Information Security Policy Conformance. I also have material on project risk management at the following pages: PM Overview Page and Tools & Documents. Both of these pages are on my old Infrastructure, Life Cycle and Project Management site. The site is dusty and does not receive much maintenance from me, but remains popular and does have a wealth of useful material.

    A parting note: improving processes reduces risk. I'm including a manual in MS Word format titled Managing Process Improvement that may prove useful. If you're also interested in software engineering I'll be updating Notes from the Field with material that addresses software risk management, among other topics.



    Tuesday, February 05, 2002

     

    A few random topics:
    1. Bad News: Doug Kaye has shelved his new book tentatively titled Blog the Organization (see the book's discussion forum and book proposal for more information). What makes this event particularly sad is Doug was on to something special regarding tools that enable organizational knowledge management. That he cannot find a publisher indicates that either Doug is ahead of his time (my theory) or publishers don't "get it" (my fallback theory). Linda and I have a view of information, knowledge and value chains that is shown in the following poster she and I created. This view cries out for weblogs as one of the components in a management information value chain. I hope Doug doesn't give up because if he prevails with the book it will spark insights into how to disseminate knowledge using easy-to-implement tools (weblogs and RSS/RDF publish and subscribe). It also has implications for how portals evolve. I would love to see weblogs and RSS integrated into ThinkingWare which is built around the Open ArsDigita Community System. The combination, in my opinion, is potent.
    2. Good News: Mike Sisco has sent me the entire IT Manager Development Series (see my previous entry) and Linda and I will review a book from the series in future entries until we've finished the entire series. If you're interested in this series (and if you work in IT management you should be) you can contact Mike with any questions. Also feel free to contact Linda and me about this series for our take on it.
    3. Something to Ponder: You're the CIO and have made capital investments exceeding $1M to assure availability and business continuity. You've built a monument to fault tolerance. You overlooked the simple things, though, and you're standing in front of the CEO attempting to explain why none of your systems are available because the local fire marshal closed down your data center for local fire and safety code violations.

      Yes, it can (and does) happen. Why? Facilities are taken for granted, and in many cases the IT people running the data center do not consult with the facilities professionals before making changes, bringing in more hardware and taking it upon themselves to determine where new hardware goes.

      Too many CIOs and IT managers who are dimly aware of the problem plan around it. This misses the point for two reasons: (1) it's reactive, which is less desirable than proactive, and (2) planning around a potential problem costs money. Why squander more shareholder value devising elaborate and expensive contingency plans, when vigilant internal inspections and a close working relationship with your company's facilities professionals cost much less and are proactive? See my point?

      If you are not familiar with the issues and factors I strongly encourage you to visit Mission Critical Facilities, which is a site that lives up to its title. The tools and resources provided by this valuable site include a site selection tool, an interactive design flowchart (Linda and I used this a few years back when developing facilities management policies and procedures for a CLEC), and RA/Quick Test, which is a freeware program for Windows 9x that automates the reliability analysis methods described in the site's technical articles. You can use this tool to estimate and compare facility designs from a cost/reliability perspective.

      If you've outsourced all or part of your facilities to an ISP, MSP or other facility I sincerely hope that your contract terms and conditions included a requirement for your vendor to maintain their facilities in accordance with all federal, state and local codes.

    4. Frustrations: I have a pile of book reviews to post to Amazon and am frustrated by their new problems with reviews. They are taking too long to post, reviews are getting lost, and there are other problems and challenges in Amazonland. Not that there aren't a few here on Blogger as well. As I write this I cannot get into either of my weblogs because of server timeouts on the blogspot end. If anyone knows of a reliable service to which I can move these weblogs I'd appreciate hearing about it. I don't mind paying as long as I know it's professionally managed and available.

     

    In my 12:09 PM 4 February entry I mentioned the IT Manager Development Series, but said that I had not read any of the books that comprised that collection. The author, Mike Sisco, sent me two of the books in PDF format to show how he approached two key topics in the series. The topics I received are: Acquisition-IT Due Diligence and IT Management 101. I haven't spent the time to write in-depth reviews, but have read both of them and have the following preliminary comments:
    • Both of the books are well written and reflect Mr. Sisco's extensive experience and ability to capture the essence of that experience.
    • The books have a common formula: they are broken down into topics that flow from top-level to details, and contain frequent personal notes in which Mr. Sisco relates his own personal experience in a particular topic to reinforce the approach that he lays out in the book. He also uses sidebars to share examples and observations.
    • There is no fluff. Acquisition - IT Due Diligence, at 88 pages, is filled with checklists, forms and to-the-point advice. IT Management 101 is 104 pages of questionnaires, how to interpret answers elicited by the questions, advice and techniques, forms and wisdom.

    Needless to say, from what I've seen and read the IT Manager Development Series is a much-needed addition to the IT operations management body of knowledge.

    I want to share a process design and improvement tool that I've used since 1996: TurboBPR. This Windows application is one of the most complete and useful tools one can have in their arsenal. See TurboBPR workflow for a graphical overview of what the tool does and how it does it.

    One additional tool that I want to share because it ties together Mr. Sisco's Acquisition - IT Due Diligence book and TurboBPR is the FAA's Lifecycle Processes/Mission Analysis Process Flowchart. Click on areas on the graphic to drill down into details.



    Monday, February 04, 2002

     

    Here's a question: What is your interest level in policies, processes and procedures for the following?
    • change control
    • issue management
    • user profile management
    • data center facilities management

    Linda and I have enough material to produce a set of generic documents for each of these. We also have a complete and comprehensive project plan that includes a work breakdown structure, critical path analysis and estimates for tasks and deliverables for a service level management project. This also includes SLA templates, a risk-adjusted estimating worksheet and other artifacts.

    One idea is to sell them in Word and Excel format, allowing clients to customize them to their own needs and organization. This will greatly shorten the development and implementation time for these critical processes, which adds to their value. Another idea is to sell them in PDF format as guidelines and idea resources.

    An initial strategy was to price the Word/Excel collection at a premium, and the PDF files at a reduced price since they are difficult to customize, but still have value. Another idea is to give away the PDF collection as locked files that can only be viewed (not printed) as a see-before-you-buy option, and sell the Word/Excel versions. That is the direction in which we're leaning.

    We are also leaning towards selling them by topic because the entire collection may be overkill, such as in the case of an organization that has existing issue management processes and procedures, but wants a more mature change control process.

    The difficult part from our viewpoint is pricing. How much should we charge? Here we're leaning towards a pricing strategy that is in the $49.95 range for each topic area with rights limited to single companies. For consultants we're toying with the idea of a license scheme whereby each topic is priced at $495.00 and can be resold to clients as tailored documents.

    We welcome your comments, opinions and recommendations.

     

    My friend Kate Hartshorn is a competitive intelligence specialist and a savvy researcher who knows how to ferret out knowledge and information. For example, the GartnerGroup is a pricey research service that is worth the investment. What is less known is GartnerGroup also publishes high quality papers that are free. Three such papers that will prove valuable to anyone managing outsourcing are:
    1. IT Benchmarking and Outsourcing - Problem Avoidance. This paper distills the ten worst practices of outsourcing and reinforces them with real examples. The net result is a checklist of what not to do and why.
    2. Measuring Outsourcing Relationships. Worth its weight in gold to anyone who is struggling with how to measure vendor performance. I am frankly amazed that this short paper is offered for free. As I read this paper it occurred to me that it's also applicable to measuring internal IT services, so I encourage you to read and bookmark this one.