corner

Who We Are: TEAM Zarate-Tarrani
 

Thursday, February 28, 2002

 

Connecting the Dots. Kate Hartshorn is playing a larger role in this weblog, and its sister, Notes from the Field. Kate will be posting here in the near future, but until then her ideas and expertise in business and competitive intelligence, and business strategy will be embodied in my entries.

Today's theme is business and competitive intelligence. I'm going to provide raw intelligence and techniques, but it will be up to you to connect the dots and arrive at your own conclusions.

Definitions. There is a distinction between data, raw intelligence and processed intelligence. Here are my definitions:

  • Data - a fact, observation or symptom.
  • Raw intelligence - a collection of data that has been put into context, categorized or classified, calculated or summarized.
  • Processed intelligence - information that can be used to make decisions or take actions. The state of information that is considered to be processed intelligence meets four criteria:
    1. Compared: how does this information in this situation compare to information in similar situations?
    2. Consequences: what are the implications of this information for decisions and actions?
    3. Connections: how is this information related to other information that is known?
    4. Conversation: what do people who are knowledgeable about this information think?
One view of the transformation process wherein data becomes information is a management information value chain. Linda and I developed a quick reference card of Things to Consider in Technical Communications that depicts this value chain, as well as other information qualities.

As a side note, you may want to visit our Technical Communications Resources and Business and Strategic Planning Resources pages, both of which contain related information.

Sources. The following are sources of processed intelligence that you may find helpful in strategic planning, competitive intelligence or market analysis:

  • Three sets of results from surveys conducted by The Intellor Group, Inc. The surveys provide raw intelligence about industry business intelligence initiatives, XML database trends and XML adoption.
  • A paper on Recalibrating Demand-Supply Chains for the Digital Economy, which is classified as raw intelligence because there is insufficient information upon which to base a strategy or action. It does, however, provide a starting point from which a strategy or an initiative can be launched after the intelligence has been processed.
  • An excellent example of raw intelligence is a paper titled Dynamic Content Software Services, which makes a case for basing the component architecture for Internet Distributed Computing around SOAP (Simple Object Access Protocol). This paper is rich with raw intelligence, but does not pass the tests for processed intelligence.
  • Choosing an Architecture for Wireless Content Delivery is a report that is filled with raw intelligence about the topic, plus news that falls into both data and raw intelligence in the last half of the report.
The above files are provided as examples of raw intelligence, and I have attempted to find examples that reflect contemporary issues in IT strategic planning and business/competitive intelligence.

Using Information. Two papers that show how to transform raw intelligence into processed intelligence, then use that to support decision making are:

  1. A Learning Model for Forecasting the Future of Information Technology
  2. Modeling and Forecasting the Information Sciences
I've also included a Zip archive with two PowerPoint presentations that will give ideas about how to think about and use data.

End Notes. An article from Government Executive titled White House official outlines cybersecurity initiatives contained an interesting comment about encouraging information sharing among companies to avoid cyber attacks. The proposed initiative reported in the article is a partnership between government and business for information sharing. Why is this important? Here are a few news articles that I read just today that show why this is needed:

One final highlight: It looks like corporate America is shedding its wool this time around. Microsoft is rolling out a $200M ad campaign to "sell" .NET, and according to ZDNet's 25 February article titled, The world of Web services (according to Microsoft) there is a healthy amount of skepticism. Maybe--just maybe--the wolf won't be eating mutton; have the sheep wised up? I think that the growing awareness of product flaws coming out of Redmond may have something to do with it. The following direct quotes from the article mentioned previously, Critics squash bug-reporting plan, underscore this:
[A]s an example, Guninski draws on the recent disclosure of a bug in Microsoft's .Net framework and the Windows operating system by software risk management firm Cigital. Although Cigital said it followed the unwritten rules of responsible disclosure in the company's announcement, some security experts--including Microsoft--criticized it as being irresponsible.

He goes on to say, "I don't find it logical for it to be responsible to sell under-tested and under-quality software, and for it to be irresponsible to disclose a bug," he said. Furthermore, any vendor who sells software with disclaimers that disclaim any liability should not use the word "responsible", according to Guninski.

My take? With the focus on security, especially post 9/11 awareness, it may take more than a $200M ad campaign to convince corporate America that .NET is in their best interests. Let's hope so.



Wednesday, February 27, 2002

 

Sense & Sensibility. I recently discovered Jack Harich's home page, and was struck by two things: (1) the sensible approach Mr. Harich takes in a number of disciplines, including software reuse, processes, learning and knowledge management and best practices; and (2) an admiration for Mr. Harich's values.

I'm going to give a brief tour of the content that I especially liked, which is by no means everything on the site:

I could go on and on, but you'll have to check out this site for yourself. As an ending note, though, I do want to highlight one innovative tool that Mr. Harich has freely made available: Visual Circuit Board (VCB). VCB is a part-oriented, scalable, visual-tool-assisted approach to software development consisting of reusable parts communicating through links with datatrons, like an electronic circuit board. VCB has a certain elegant simplicity that makes it highly intuitive, fast and fun. You can download VCB directly from his site.

The content on the web page is extraordinary, but not as extraordinary as its creator.



Tuesday, February 26, 2002

 

Practices and Processes. Today's theme spotlights best practices, processes and process improvement. These will add more depth to the security and project management topics that Linda and I have recently been discussing.

Best Practices. One amazing source of best practices is the California Health and Human Services Data Center (HHSDC). This page provides their Systems Integration Division's (SID) Best Practices Website for Systems Acquisition. An example that shows why I'm so excited about this resource is the Project Office Support Tool (POST) Enterprise page. The site has a wealth of information and assets, such as project templates, a Software Acquisition CMM page and a complete set of life cycle processes.

Processes. The Process Group has a content-rich site that is focused on processes, with an emphasis on software development processes. Despite the emphasis, much of the material also applies to service delivery and IT operations. Their newsletter is excellent and available as a free e-mail subscription.

The co-founders of The Process Group have also published a book titled Making Process Improvement Work: A Concise Action Guide for Software Managers and Practitioners that will be available on 29 March 2002. For a look at the approach that the authors take, read their article titled Goal-Problem Approach for Scoping an Improvement Program that was published in the May 2000 issue of CrossTalk Magazine.

Process Improvement. The authors of Goal-Problem Approach for Scoping an Improvement Program, Neil Potter and Mary Sakry, wrote an article for the May 2000 issue of STQE titled Measuring Process Improvement: Tracking your project goals that addresses project issues in software development and quality management. I've added a PowerPoint presentation on models for software process improvement to my site to augment the article. Enjoy.

End Notes: I'm going to wrap this up with some papers that will be of interest to anyone who is interested in IT process improvement, operations management or service level management:

One final paper that may be of interest is a dissertation titled Information Technology Implementation Issues: An Analysis. This research project addresses the issues affecting information technology development and deployment. The issues represented in this study are addressed in the context of IT implementation processes, especially with regard to the question of the needs and perceptions of administrators from the local government arena. You can download the thesis in PDF format.

 

Security. Tonight's entry is a list of security resources that I just received in a Gartner G2 Newsletter. Each article is short and packed with relevant information:

Since we have a number of regular readers who are in India, Malaysia and in other Asian countries I want to invite attention to a free Gartner newsletter called GartnerVoice that provides monthly news items for the Asia and India IT industries.



Monday, February 25, 2002

 

Don't Try This at Home. On Sunday, 24 February Linda realized a life-long dream by strapping on a parachute and jumping out of an airplane. That act embodies Linda's essence: she lives her life to the fullest, and endeavors to experience everything worth experiencing. I greatly admire her and strive to follow her example.

Unseen (and greatly appreciated) Forces. I write an entry here each day, and when she has time Linda also contributes. You see our names attached to the entries, but what you don't see is Kate Hartshorn's behind-the-scenes editorial magic. Linda and I will take responsibility for any errors, but I assure you that there would be many more if we didn't have Kate's editorial touch.

Linda and Kate epitomize the concept of teamwork, and I am indeed fortunate to work with both of these wonderful professionals. I can assure you that I consider it a privilege to be able to have them as friends as well as colleagues.

 

Advanced Project Management. In the past two entries I've focused on project management, and have provided what I consider to be critical success factors necessary for effective project management.

Advanced Techniques. Although you can effectively manage most projects by using a few simple techniques, as the complexity and scope of the projects you're tasked with managing grow, you'll find that more advanced techniques are appropriate.

Keep It Simple. I am an advocate of keeping things as simple as possible. While I firmly believe that earned value project management, for example, is essential for project control, it's overkill for small, short-duration projects. I mention this because the advanced techniques are for high-end projects. They are not appropriate for, or applicable to, every project. Use the same judgement when selecting and applying these techniques as you would for hand tools. You wouldn't select a sledgehammer to drive a thumbtack, right?

Cost and Schedule. Earned value integrates and correlates cost and schedule management. Two MS Word papers that deal with finer details are Management Impact On Software Cost and Schedule and A New Perspective in Software Schedule and Cost Estimation. What I like about these papers is the fact that the author of both (Randall W. Jensen) looks at people issues as well as quantitative methods.

Software Project Planning, Statistics, and Earned Value shows how EVPM starts with the planning and estimation phases of a project to develop the baseline to which you'll be managing, and how to use advanced techniques to develop and manage to that baseline.

Metrics Integration. A paper titled Practical Software Measurement, Performance-Based Earned Value ties together project control (EVPM) and estimating and measurement based on the Practical Software Measurement approach (PSM). This holistic approach is effective, but is only appropriate for highly mature organizations. Most US software companies, as well as large corporations with sophisticated in-house development, have a long way to go before the approach in this paper is achievable. Many offshore and selected US companies, especially those that have attained CMM level 3 or above, will find this paper useful. Another, more general, paper that will be useful to all project managers regardless of organizational maturity is A Framework for Software Project Metrics.

Project Success Factors. The following two papers cover each end of the project spectrum: Project Clarity Through Stakeholder Analysis provides techniques and advice for determining and setting stakeholder expectations. The importance of this critical success factor cannot be overestimated. At the other end is an article titled Project Recovery… It Can be Done. Needless to say, this paper is essential reading because the advice and techniques the author provides are worth their weight in gold - especially if you're struggling with an out-of-control project.

End Note. If you're working in an organization that has adopted the Rational Unified Process, or are seeking a coherent, off-the-shelf software project management process that will work with any development organization, I recommend Walker Royce's excellent book, Software Project Management: Unified Framework. Although this book is slanted towards the Rational Unified Process, the approach is flexible enough for any methodology. It covers earned value in detail, as well as estimating and planning. Although I have not written a review of this book I have read it and refer to it often.



Sunday, February 24, 2002

 

In my last entry I discussed a number of critical success factors, and also introduced earned value project management (EVPM). Earned value is typically thought of as an element of project control, and to a large extent it is. However, it is also an integral part of the planning and estimating process because it's used to develop cost and schedule baselines.

In my opinion it's impossible to effectively manage a project without EVPM. The best book on the topic is Earned Value Project Management by Quentin W. Fleming and Joel M. Koppelman. See my 18 March 2001 Amazon review for why I think this book is the best.
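An added worked example of the baseline-and-control arithmetic the two paragraphs above refer to. It is not from this entry, the Fleming and Koppelman book, or any of the articles linked here. It builds the planned-value baseline from a small WBS and reads the cost and schedule indices off it; the formulas are the standard earned-value ones (CV = EV - AC, SV = EV - PV, CPI = EV / AC, SPI = EV / PV, EAC = BAC / CPI), while the task names and figures are constructed for illustration.

```python
"""Earned-value status from a WBS baseline.

Added example for this weblog entry, not taken from the book or articles it cites.
The formulas are the standard earned-value ones; the task data are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Task:
    """One WBS work package as it stands at the status date."""
    name: str
    budget: float          # budget at completion for this task
    planned_pct: float     # share of the task scheduled to be done by now (0.0-1.0)
    actual_pct: float      # share actually done (0.0-1.0)
    actual_cost: float     # cost booked against the task so far


@dataclass(frozen=True)
class Status:
    bac: float             # budget at completion: the cost baseline total
    pv: float              # planned value: budgeted cost of work scheduled
    ev: float              # earned value: budgeted cost of work performed
    ac: float              # actual cost of work performed
    cv: float              # cost variance, EV - AC (negative = over budget)
    sv: float              # schedule variance, EV - PV (negative = behind schedule)
    cpi: Optional[float]   # cost performance index, EV / AC
    spi: Optional[float]   # schedule performance index, EV / PV
    eac: Optional[float]   # estimate at completion, BAC / CPI


def earned_value_status(tasks: list[Task]) -> Status:
    """Roll the WBS up into the earned-value figures for the status date."""
    for t in tasks:
        if not (0.0 <= t.planned_pct <= 1.0 and 0.0 <= t.actual_pct <= 1.0):
            raise ValueError(f"percent complete out of range on task {t.name!r}")
    bac = sum(t.budget for t in tasks)
    pv = sum(t.budget * t.planned_pct for t in tasks)   # the schedule baseline, in money
    ev = sum(t.budget * t.actual_pct for t in tasks)    # what the work done was worth
    ac = sum(t.actual_cost for t in tasks)              # what the work done cost
    # The indices are undefined before any cost is booked or any work is scheduled,
    # so they are reported as None rather than dividing by zero.
    cpi = ev / ac if ac else None
    spi = ev / pv if pv else None
    eac = bac / cpi if cpi else None
    return Status(bac, pv, ev, ac, ev - ac, ev - pv, cpi, spi, eac)


# Constructed sample WBS: one package done over budget, one running late, one not started.
SAMPLE_TASKS = [
    Task("1.1 Requirements", 10_000, planned_pct=1.0, actual_pct=1.0, actual_cost=12_000),
    Task("1.2 Design", 20_000, planned_pct=0.5, actual_pct=0.25, actual_cost=8_000),
    Task("1.3 Build", 15_000, planned_pct=0.0, actual_pct=0.0, actual_cost=0),
]

if __name__ == "__main__":
    s = earned_value_status(SAMPLE_TASKS)
    print(f"BAC {s.bac:,.0f}  PV {s.pv:,.0f}  EV {s.ev:,.0f}  AC {s.ac:,.0f}")
    print(f"CV {s.cv:,.0f}  SV {s.sv:,.0f}  CPI {s.cpi:.2f}  SPI {s.spi:.2f}  EAC {s.eac:,.0f}")
```

Reading the sample: the same EV figure drives both indices, which is what "integrates and correlates cost and schedule" means in practice. A CPI and SPI both at 0.75 say the project is earning 75 cents of planned value per dollar spent and is 25 percent behind the work it scheduled, and the EAC of 60,000 against a 45,000 baseline is the early warning the control process is meant to surface.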

There are also five articles that every project manager should read:

  1. Earned Value Project Management: An Introduction
  2. Earned Value Project Management: A Powerful Tool for Software Projects
  3. Gaining Confidence in Using Return On Investment and Earned Value
  4. Applying Management Reserve to Projects
  5. Impact Estimation Tables: Understanding Complex Technology Quantitatively
If you start with the first article and work your way through the list you'll go from an introduction to advanced techniques.

If you are at an advanced level in project management, I recommend that you read an article by Dr. Barry Boehm et al. on schedule as an independent variable (SAIV), cost as an independent variable (CAIV), and schedule-cost-quality as independent variables (SCQAIV).



Friday, February 22, 2002

 

Crossover. In my 20 February entry in Notes from the Field I briefly touched upon some of the success factors that need to be satisfied in any project. Because the topic is more applicable to this weblog (Notes from the Field is where we address software and systems engineering topics; this weblog is for IT professional improvement), I am going to continue the topic here.

Project Management - the short version. I've been managing projects for nearly 25 years. Not just IT projects either. I've managed ship repair projects, where a cost overrun or two among friends is not nearly as career-killing as missing a schedule milestone. When a ship is scheduled to get underway it better do just that.

Setting the Stage. There are three stages in a project manager's career:

  1. Mastery of techniques. These include the basics: work breakdown structure (WBS) development, estimating techniques, critical path method (CPM), program evaluation and review technique (PERT), precedence and activity diagramming, scheduling algorithms, compression techniques, earned value, and a plethora of other tools of the trade.
  2. Recognition that it's all about people. The techniques that need to be mastered will get you only so far, as you quickly discover after you've mastered them. You begin to understand that it's all about managing people, and your leadership skills begin to emerge. You also discover that you need to be able to communicate, delegate responsibilities and authority, and to hold people accountable. You also develop polished political skills and become adroit in manipulation and coordination.
  3. Enlightenment. After you've managed successful projects and a few disasters you will eventually reach a state of enlightenment where you clearly see that project management is about making sure that your backside is covered. This is done with the techniques you've mastered, and the people and political skills you've developed and honed.
The problem with IT project management in most cases is [so-called] PMs skip step 1, gloss over step 2 and focus on step 3. There are no shortcuts to Nirvana. You need to get there in stages.

Four Noble Truths. Projects are initiated, performed and closed out. It's the perform part that can be distilled into four basic elements:

  1. Plan
  2. Estimate
  3. Schedule
  4. Control
This does not diminish the importance of project initiation and close-out procedures, nor does it conflict with the key processes set forth in the Project Management Body of Knowledge or PRINCE2 (both of which have been discussed in previous entries).

The Eightfold Path. There are eight tools that I've found to be essential to successful project management:

  1. Start with a WBS. (I've included a sanitized WBS from a service level management project to show how it's done.)
  2. Have the people who are going to do the work estimate the time it will take. Resist the temptation to pull numbers out of thin air - it's the surest way to cost and schedule overruns. An example estimating worksheet is included in a ZIP archive of project management tools that also includes deliverables management and fixed-price contracting presentations that you may find useful.
  3. Clearly define what is in- and out of project scope.
  4. Clearly define each project deliverable in sufficient detail so that there will be no question that what you deliver is what you promised.
  5. Define client acceptance criteria to which the client or project sponsor agrees.
  6. Do not deviate from the scope or defined deliverables without an approved change order. Never! See the example change request for what one should contain.
  7. Ensure that each deliverable is signed for by the client or project sponsor (or designated representative). See example deliverable receipt for a sanitized copy of one that was used on a real project.
  8. Keep all stakeholders informed. This includes the client/project sponsor and team members. All stakeholders should have a statement of work! Especially the rank and file workers who are performing the actual work. All stakeholders should also receive a copy of status reports, which need to be published at least every two weeks, and in many cases on a weekly basis.
There it is in a nutshell - eight keys to project success. For specific techniques see my special project management page.

Under the Bodhi Tree. The Bodhi Tree is known as the tree of wisdom, and is located in Bodh Gaya, India. There's an easier way to get project management wisdom, and that's by reading a few selected books. So, instead, travel to Amazon and get one (or both) of these two highly recommended books:

  1. Getting Started in Project Management by Paula K. Martin and Karen Tate. See Linda's 15 December 2001 or my 17 December 2001 review to see why we so highly recommend this book, especially to occasional project managers. It does not bog you down in unnecessary details or overly complicate project management.
  2. Visualizing Project Management by Kevin Forsberg, Howard Cotterman and Hal Mooz. This is the book that I recommend to beginners and experienced project managers and is, in my opinion, the best book ever written on the subject. See Linda's 16 March 2001 review (well worth reading) and my 7 December 2000 review for details.

If you have questions about project management, want to share your experiences, techniques and thoughts, or want to discuss PM in general please join our Project Management Forum. Free registration is required to post.



Thursday, February 21, 2002

 

Goals. One of the basic tasks in which we all engage is goal setting. This is a fundamental part of project management, strategic planning, and even personal career management. One excellent resource that I recently discovered is Peter de Jager's newsletter (he also has a page of miscellaneous articles on goal setting.)

Service Level Management. NextSLM.org has new articles on service level management that are clearly articulated and are on the mark with respect to excellence in service delivery. The two newest articles are:

  1. Speeding up Service Level Agreement Negotiations
  2. Reporting for SLM
NextSLM.org is the web site that supports Foundations of Service Level Management by Rick Sturm, Wayne Morris and Mary Jander. The site keeps the book up-to-date, and is one of the places I look for SLM and SLA reference material. Linda reviewed the book on Amazon on 27 December 2000 (it was her first Amazon review) and I reviewed it on 19 June 2001.

Security. One of the recurring topics is security, and if you've read any of my entries you'll frequently come across the term Common Criteria, which is shorthand for Common Criteria for Information Technology Security Evaluation ISO/IEC 15408. You can visit the official Common Criteria site, but if you're new to the Common Criteria, I recommend that you first visit the tutorial track page from the First International Common Criteria Conference. You can download all of the tutorials in a single ZIP archive. Each tutorial is in PowerPoint format.

End Note. Kate Hartshorn and I will be collaborating on a business intelligence web site in the near future. Stay tuned.



Wednesday, February 20, 2002

 

Agree With One, Disagree With the Other. I just finished two Sticky Minds articles that got my attention.

I Agree. The first article, by Johanna Rothman, is one that every software quality team member and manager, as well as business process owner and governance member, should read: What Does It Cost to Fix a Defect? Ms. Rothman steps you through the cost analysis and decision points for determining if a defect should be fixed or lived with. It is, after all, a business decision, and her approach will help to determine if it makes sense to fix a problem or not.

I Disagree. The second article, by Brian Beaver, is titled Categorizing Defects by Eliminating 'Severity' and 'Priority'. In essence Mr. Beaver proposes that severity and priority be replaced with a single category: business impact.

Severity is too fine-grained an attribute to be cast aside. In fact, a definition of severity is the degree of impact a problem has on business operations.

For example, the following are severity levels that are defined in a typical problem management process:

  • Severity One - Loss of application, or critical performance degradation, with no workaround. Incident affects an entire workgroup.
  • Severity Two - Moderate application degradation incidents, or a Severity One incident for which a workaround exists. Incident affects several customers.
  • Severity Three - Minor application degradation incidents. Incident or request has medium to high impact on single customer's ability to work.
  • Severity Four - Incident or request has a low impact on single customer's ability to work.

Severity without priority would mean that a mission-critical application falling into the Severity Two classification would be given the same business impact rating as one that is less critical. How does one prioritize in that case? See the gap?

The gap can be closed by assigning a criticality rating to each system, application and service in an enterprise's portfolio. Linda and I developed a spreadsheet for determining criticality. Criticality does not replace severity definitions, but is useful for arriving at a system of priorities that is based on how important an application is to an enterprise.

Where Mr. Beaver's premise and mine differ is in our viewpoints. He is on the technical side, concerned with fixing defects, and I am on the service level management side ensuring that tools and services are there when users need them to meet business objectives. We're both right.

In an issue management scenario that requires coordination between applications and service delivery, life would be simple if we could assign a single rating. However, IT should not be the group that determines what gets fixed and when it gets fixed - that's up to the business. It's their systems and applications. We're the custodians. Without a priority rating, which is determined by the business (ideally under the cognizance of governance), the judgement would be [wrongfully] left to IT.

Assuming all else equal, there is no way to assign a business impact without severity plus criticality. Even then there needs to be arbitration for competing requirements sharing the same business impact, and priority is the way to fairly arbitrate.
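The argument above can be made concrete in code. What follows is an added example, not the spreadsheet Linda and I built or anything from Mr. Beaver's article: it encodes the four severity definitions listed earlier, adds a criticality rating per system, and derives a priority from the two so that a Severity Two on a mission-critical application and a Severity Two on a supporting one no longer land on the same rung. The 1-3 criticality scale, the priority formula, the system names and the sample incidents are all assumptions made here for illustration.

```python
"""Severity, criticality and priority for incident triage.

Added example for this weblog entry, not the authors' own spreadsheet or process.
The four severity levels are the ones defined in the entry; the criticality scale,
the priority formula and the sample incidents are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """The entry's four severity levels (1 = most severe)."""
    ONE = 1    # loss of application or critical degradation, no workaround
    TWO = 2    # moderate degradation, a Severity One with a workaround, or several customers
    THREE = 3  # minor degradation, medium/high impact on a single customer
    FOUR = 4   # low impact on a single customer


def classify_severity(degradation: str, workaround: bool, affected_users: int,
                      single_user_impact: str = "low") -> Severity:
    """Map the facts of an incident onto the entry's severity definitions.

    degradation: "loss" (application lost or critically degraded), "moderate" or "minor".
    workaround: whether a workaround exists.
    affected_users: how many customers the incident affects.
    single_user_impact: "low", "medium" or "high"; only used for single-customer incidents.
    """
    if degradation not in ("loss", "moderate", "minor"):
        raise ValueError(f"unknown degradation level: {degradation!r}")
    if degradation == "loss":
        # Severity One has no workaround; a Severity One with a workaround is Severity Two.
        return Severity.TWO if workaround else Severity.ONE
    if degradation == "moderate" or affected_users > 1:
        return Severity.TWO
    if single_user_impact in ("medium", "high"):
        return Severity.THREE
    return Severity.FOUR


def priority(severity: Severity, criticality: int) -> int:
    """Business-impact priority (1 = handle first) from severity plus system criticality.

    Criticality is an assumed 1-3 scale (1 = mission-critical, 3 = supporting). The
    formula is also an assumption: each step down in criticality moves the same
    severity one step down the queue, capped at 4.
    """
    if criticality not in (1, 2, 3):
        raise ValueError(f"criticality must be 1, 2 or 3, got {criticality!r}")
    return min(4, int(severity) + criticality - 1)


@dataclass(frozen=True)
class Incident:
    ident: str
    system: str
    degradation: str
    workaround: bool
    affected_users: int
    single_user_impact: str = "low"


@dataclass(frozen=True)
class Triaged:
    ident: str
    severity: Severity
    priority: int


def triage(incidents: list[Incident], criticality_of: dict[str, int]) -> list[Triaged]:
    """Rate every incident and order the queue by priority, then severity, then arrival.

    Arrival order is the last tie-breaker, so two incidents sharing the same business
    impact are arbitrated consistently, which is the job the entry gives to priority.
    """
    rated = []
    for order, inc in enumerate(incidents):
        sev = classify_severity(inc.degradation, inc.workaround,
                                inc.affected_users, inc.single_user_impact)
        if inc.system not in criticality_of:
            raise ValueError(f"no criticality rating for system {inc.system!r}")
        pri = priority(sev, criticality_of[inc.system])
        rated.append(((pri, int(sev), order), Triaged(inc.ident, sev, pri)))
    rated.sort(key=lambda r: r[0])
    return [t for _, t in rated]


# Constructed sample data: a criticality register and one evening's incident queue.
SAMPLE_CRITICALITY = {"order-entry": 1, "payroll": 2, "intranet-wiki": 3}
SAMPLE_INCIDENTS = [
    Incident("INC-1", "intranet-wiki", "loss", workaround=False, affected_users=40),
    Incident("INC-2", "order-entry", "moderate", workaround=True, affected_users=5),
    Incident("INC-3", "payroll", "minor", workaround=True, affected_users=1, single_user_impact="high"),
    Incident("INC-4", "order-entry", "loss", workaround=True, affected_users=12),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_INCIDENTS, SAMPLE_CRITICALITY):
        print(f"{t.ident}: severity {t.severity.value}, priority {t.priority}")
```

In the sample queue the Severity One outage of the intranet wiki ends up behind two Severity Two incidents on order entry, because the criticality register says order entry is what the business runs on. That is the gap the entry describes: severity alone would have put the wiki first. The register itself is the business's decision, not IT's, so `SAMPLE_CRITICALITY` is the part of this code that governance owns.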

That said, I do admire the fact that Mr. Beaver is thinking in terms of business impact instead of IT impact. I also admire the way he has developed a line of thought and has taken the time to document it and share it with his peers. That is what fostering professionalism is all about.

End Note. I also downloaded an interesting paper by Dave Lutzker titled, Testing Is a Phase, Quality Is an Approach. In a single page Mr. Lutzker captures the essence of quality vs. testing. It's a quick read and well worth the time to download. The paper is from Sticky Minds, which is one of the best software QA resources on the web. Most of the articles take a business approach, and the content is first rate.



Tuesday, February 19, 2002

 

Development Critical Success Factors. The Department of Defense-sponsored Software Program Managers Network has been one of my long time sources of best practices. Over the past few years they have distilled what is essential to successfully developing software down to 16 critical practices. You can download the 146-slide PowerPoint presentation on these 16 critical software practices, as well as get a whitepaper in MS Word format.

Two New Books. The Harris Kern Enterprise Computing Series has two new additions:

  1. Technology Strategies by Cooper Smith
  2. IT Systems Management: Designing, Implementing, and Managing World-Class Infrastructures by Richard Schiesser
Here's a hard-to-find bonus: Participate in a survey (you'll first have to go through a free registration process), and you can select one of the series books as a free reward for your efforts. The offer is, unfortunately, limited to survey takers in the United States.

End Note. As a prelude to my entry that introduces the Tarrani-Zarate Model I'm sharing an excellent article titled, Grammar of Goal Setting. This will set the context for the business imperatives layer of our model. A well-written companion article is Common Goal Setting Tangles.



Saturday, February 16, 2002

 

Friends, Files & Folly. Earlier today in Notes from the Field I extended the topics I started here yesterday and turned the focus on quality. If you're interested in advanced SQA or web usability metrics you'll want to read that entry.

In this entry I am going to provide more files that will augment the four core skills I discussed yesterday.

Friends. Today is Marcia Hopkins' birthday. Marcia is a close friend and a talented IT professional whose wide range of skills and commitment to professionalism epitomize everything this weblog is about - improving the IT profession. Happy birthday Marcia!

Files. Yesterday was about four core skills and how risk management was a common denominator. Today I am going to provide documents that will be useful in each of the core skill areas, as well as point you to a collection of risk management artifacts and articles. You'll also want this Information Systems Risk Management Manual if you're actively involved in IT risk management and/or want to improve your knowledge and skills.

The skill-specific documents are:

  1. Project Management:
  2. Analysis and Assessment:
  3. Measurement and Metrics:
  4. Security: A collection of security publications and a collection of security document drafts from the National Institute of Standards and Technology Computer Security Resource Center.
Folly. If you want to see folly read David Courtney's 14 February 2002 article in ZDNet Tech Update.

Enjoy the weekend ...



Friday, February 15, 2002

 

Mindsets, Techniques & Tools. My friend, Muthukumar U and I had a long phone conversation on the 14th. Muthukumar is a risk analyst for HSBC Bank Middle East (he works in the Sharjah, UAE offices). Our conversation was interleaved with catching up on personal stuff, a project he and I were working on with Thinking Minds, Inc. for Bank of Baroda (India), and some of the challenges that Muthukumar was facing as a risk analyst. Naturally, risk was a recurring topic throughout the conversation. After we hung up I began thinking about risk management and how it relates to our profession.

As IT professionals there are four core skills that we are all required to master:

  1. Project management
  2. Analysis and assessment
  3. Measurement and metrics
  4. Security
  5. Risk management is an integral element of each, and as IT professionals this element needs to be an integral part of our mindset.

    Risk Management Mindset. Risk management is one of the key processes in project management, which is evidenced by the fact that it's a project management knowledge area with six associated processes in PMI's Project Management Body of Knowledge (PMBOK). This is the US national standard for project management.

    If you're using the UK standard for project management called PRINCE2, then you already understand the importance of risk management because it permeates the processes, with a requirement to be included in project start-up, initiation, and stage boundary management, as well as a key activity throughout PRINCE2's directing a project process.

    In our analyses and assessments we would be remiss if we didn't factor in risk. For example, we need to constantly ask questions like:

    • What is the probability of occurrence (or non-occurrence) of an event and what is the impact?
    • What are the dependencies between and among systems, processes or other subjects of analysis and assessment?
    • What are the risks of being wrong in an assessment?
    • How confident are we in our findings, and how can we mitigate uncertainties in our findings?

    Measurements and metrics are the foundation of quality. Quality is a key factor in both applications and service delivery. It's also a PMBOK project management knowledge area as well as a foundation of PRINCE2, which focuses attention on quality of deliverables.

    Uncertainty manifests itself in measurements and metrics, especially when we need to define the scope of what we're measuring or of the metrics we're collecting. Dealing with this uncertainty (that is, risk) in measurements and metrics requires a good understanding of basic probability and statistics. This is especially true if you're working with or for a company that employs TQM or is at or above CMM level 3.

    Attaining an effective security posture requires that security be everyone's business. The foundation is awareness. At the risk of sounding Zen-like, awareness encompasses risk concepts - if you think in terms of risk you'll be enlightened.

    If you ponder the core skills and common tasks, you'll see they're interrelated. Try to imagine project management without analysis and assessment. How can analysis and assessment tasks be accomplished without measurements and metrics? And can you conceive of an effective security posture that does not include analysis and assessment?

    From the above discussion, another skill that is directly related to risk management emerges: auditing. In fact, as you delve into risk management you keep bumping into auditing. Moreover, auditing in some form is an element of each of the four core skills. I view auditing as a task element rather than a core skill for IT professionals. This does not diminish the important role of IT auditors and their profession. Instead, it underscores their importance as professionals, and also recognizes that risk management cannot stand by itself without auditing. Nor can the four core skills I cited.

    Techniques. Which came first, auditing or risk management? Instead of pondering that question I am going to recommend a resource on the integration of auditing and risk from an auditor's perspective: Activity Based Risk Evaluation Model of Auditing. This is a powerful framework and one that adds structure and clarity to auditing. If you add this to your knowledge and skill sets you'll find it will enhance your abilities in each of the four core skills.

    Another resource for professional auditors, but useful for IT professionals in general, is Risk Management: Defining a New Paradigm for Internal Auditors. An article that specifically addresses the integration of risk management and auditing is Changing the Paradigm (integrating risk management and internal auditing).

    IT-specific auditing resources include:

    Tools. One of the most useful tools for implementing a process is an example. The Treasury Board of Canada has an Integrated Risk Management Framework in MS Word format that can be adapted to meet your organization's requirements and will kickstart a risk management process implementation.

    As you become more familiar with IT auditing as an element of risk management, you're going to begin seeing the term, COSO crop up. The term stands for Committee of Sponsoring Organizations. The sponsoring organizations are: the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the American Accounting Association, the Institute of Management Accountants, and the Financial Executives Institute.

    In practice, however, COSO is commonly used to refer to Internal Control - An Integrated Framework. The best way to understand the significance of COSO is to see how it's used by real organizations. The University of Texas System Institutional Compliance Program, described in a set of PowerPoint and Word documents that explain that institution's use of COSO, is a valuable example.

    How COSO applies to IT is illustrated in Network Auditing: A Control Assessment Approach by Gordon E. Smith. A glimpse into how that book uses COSO as a foundation can be seen in an article by Mr. Smith titled Securing the Internet for 2002.

    Another book that is more focused on risk management, but has the same general theme, is Information Security Risk Analysis by Thomas R. Peltier. Linda reviewed this book on Amazon on 25 September 2001, and I reviewed it on 22 April 2001.

    If your statistics are a bit rusty, you can get up to speed on the basics with Statistical Sampling Refresher. If your interests are project risk-related tools and techniques, my special project management page and my [now defunct] project management newsletter are sources of information.

    A compelling example of why auditing is important to IT is the SF Gate article, Risky Business: Tangling with the Business Software Alliance. This exercise in fear, uncertainty and doubt will get your attention if you're in management. An exercise for those of you who use MS IE5 or above will show in practical ways how risk and auditing go together.

    Late Note: 18:00 US Pacific time 15 February - I just posted related material, with an emphasis on software quality, in our Notes from the Field weblog.



Thursday, February 14, 2002

 

I just added a Search Feature to this page that returns results from both this page and Notes from the Field (see links on the left side of this page). Thanks to Unmesh Laddha for suggesting this enhancement.

 

Steve Page (mentioned in Linda's Notes from the Field entry earlier today) has a new book coming out about how to align strategy to policy. I agree with Linda that Steve is a foremost expert on the subject of policies and procedures, and his three books on the subject set a high standard for content and approach. Imagine my dismay when I checked Amazon to find a sprinkling of negative reviews among the majority of glowing praise for two of these books. The reviewers seem to focus on a few typos and sentence structure, completely missing the message. And the message in Steve's books is the essence: how to develop effective (and enforceable) policies and procedures.

Here's my recap of the books:

  • Establishing a System of Policies and Procedures: This is Steve's first book, published in 1998, and it is the first book (to the best of my knowledge) that steps readers through the unglamorous--but important--task of how to write policies and procedures. Anyone who follows Mr. Page's steps will develop well-crafted policies and procedures that will be unambiguous and clearly stated. This is where the Amazon "Reviewer from Independence, MO" and I disagree. The reviewer wrote on 12 February 2002 that the book "[is] long-winded, badly edited, poorly written ...", which is a subjective judgement. While the book will never be classified as a literary masterpiece, and it does contain typos, it will stand (in my opinion) as a solid book on the subject and one that I recommend without reservation to anyone who is faced with the task of writing policies and procedures.
  • Achieving 100% Compliance of Policies and Procedures: This is Mr. Page's second book, and in my opinion the best of the three that he's written. Each of the five reviewers, including Linda (see her 2 May 2001 review) awarded this book five stars and consistently glowing comments. Even experienced policies and procedures developers will find a technique or two that they didn't previously know.
  • 7 Steps to Better Written Policies and Procedures: This book is better suited to experienced policies and procedures writers. In fact, this book is a shining example of the economies of reuse because it's a reprint of key parts of Achieving 100% Compliance of Policies and Procedures. Our friend, "Reviewer from Independence, MO", decided to lambast this book on 12 February 2002 as well. His/her negative review, however, was the only dissenting one of the seven posted on Amazon (including my 27 September 2001 review, which was followed by Linda's 28 September review).
The purpose of my thoughts is not to single out the dissenter from Missouri, but to make a point about fact vs. value, which is a fundamental skill that analysts need to develop and refine.

In the case of the books, the reviewer was mixing facts (typos) with values (subjective statements about writing style) and then drawing conclusions that reflected bias towards the value judgement.

As analysts (and we all are), we need to park our values when we're objectively evaluating a process, design alternative, book or proposal.

The key is to focus on the essence of whatever it is that we're evaluating. To illustrate this, I am going to invite your attention to another book that both Linda and I reviewed: IT Organization: Building A Worldclass Infrastructure. My 11 January 2001 review noted the flaws in the book, including typos, a table of contents that didn't describe what was in the book, and other blemishes. Had I imposed my values and stopped reading the book for those reasons, I would have missed some extremely valuable insights about IT organizational management. In fact, this book has strongly influenced my thinking and approach. Linda's 16 May 2001 review acknowledged some of the same problems with the book, but her perspective uncovered even more valuable information the authors were providing. Yes, the book has a few warts. A look beyond the warts reveals innovative thoughts and documented best practices. Had we dwelled on the warts we would have missed the book's message.

The moral is to strive to remain objective and to put things into perspective. In the case of a book, are typos and sentence structure show-stoppers or merely inconveniences? In the case of other artifacts and processes that we are called upon to objectively evaluate, are we allowing values and nitpicking to get in the way of finding the real strengths and weaknesses of our subject? Think about it.



Wednesday, February 13, 2002

 

Random Musings. It's amazing how one thought triggers another until ideas emerge out of the mesh of random thoughts. Earlier I was thinking about a few milestone events: my close friend Marcia Hopkins has a birthday on the 16th, followed by Linda's birthday on the 17th, and the 35th anniversary of my joining the Navy on the 20th.

What brought these thoughts into focus was the fact that a neighbor revealed that her brother was in the same industry as I, which led to e-mail exchanges, which led to a visit to his company ChangeBridge. It turns out that ChangeBridge is an SEI Transition Partner for introduction to the CMMI Systems Engineering/Software Engineering Courses and SCAMPI Assessment Services.

That fact linked me to Thinking Minds, Inc. because Linda and I did some earlier CMM strategy planning with Unmesh Laddha, Thinking Minds' CEO. It didn't end there - I did a quick Google search on ChangeBridge and discovered that Mark Servello, whom I knew over 14 years ago from a Navy assignment as MIS director, was associated with ChangeBridge. That assignment, by the way, was for a large Navy facility in San Diego and was the one that capped off my 22-year Navy career.

Naturally more thoughts entered my head - CMM, San Diego, process improvement and related connections that I hadn't fully sorted out. These thoughts, though, led to more research, which led to ProcessVelocity, LLP, a San Diego-based consulting firm that is also an SEI Transition Partner. This small consulting firm also provides some innovative services, including three jumpstart services designed to assess and jumpstart a client's SQA, SCM or XP (eXtreme Programming) initiatives. While I was visiting the site I also downloaded two valuable files in Windows helpfile format: CMMI Staged and CMMI Continuous representations.

For some reason my thoughts turned to ISO 9000, which led to NASA's Independent Software Verification and Validation site's ISO 9001 documents, all of which are in PDF and MS Word formats. This collection of documents exemplifies how to develop an ISO 9001-compliant quality manual. If you think ISO 9001 is unimportant or does not support the CMM, read my 9 July 2001 review of ISO 9000-3: A Tool for Software Product and Process Improvement on Amazon.

Time to get out of daydream mode and back to work.



Tuesday, February 12, 2002

 

NOTICE: CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP) was issued today (12 February 2002). See also: Network World article titled CERT warns of SNMP vulnerability with widespread impact for a quick summary of the impact and scope of this problem.

 

Project Management. Project managers may be interested in project budgeting resources, which is a collection of Word and Excel documents. Some of the documentation is scant to nonexistent, but most of the spreadsheets and other tools will be easy for experienced project managers to figure out and quickly use.

Collaborative Frameworks. Anyone involved in group collaboration system design will find the DARPA-sponsored document titled collaborative framework rich in ideas and a highly useful methodology for evaluating collaborative computing systems. This framework applies to collaborative systems engines, such as ThinkingWare (developed by Thinking Minds, Inc.), as well as to architects and analysts developing portals and workflow systems.

Security. Regardless of whether you're an IT security professional or specialize in a different discipline, security is an inescapable concern. In previous entries I've discussed the need to incorporate security into testing, architecture and every other facet of service and applications delivery.

One standard of which every IT professional should be aware is the Common Criteria for IT Security Evaluation (CC). Why? ISO approved and published the CC text as the new International Standard (IS) 15408 on 1 December 1999. The CC started as a NIST initiative (see the original web page). You may find either or both of the two sites I listed overwhelming at first, and may want to get the cocktail party version of the CC (PowerPoint format) before you go exploring.

Two other related PowerPoint presentations are also worth downloading and reading:

  1. Protection Profile Process Improvement, which discusses the CC protection profiles and how to align the CC to the Systems Security Engineering Capability Maturity Model.
  2. Information Security Metrics. This presentation by Bear Stearns gives an auditing approach that incorporates both process and metrics.
For general security awareness you may want to read the PowerPoint presentations on E-security and wireless security, both of which summarize the key issues.

End Notes: Spiked's IT section is a fresh source of IT news that is oriented towards business more than technology. I've also updated Notes from the Field with a few topics that will foster IT professionalism; specifically, a policy and procedures document for software inspections, and an interesting paper on using eXtreme Programming as a core approach for e-business start-up companies.



Monday, February 11, 2002

 

Process, Finance and Quality. I have a wealth of related resources to share in this entry:
  • Activity-Based Cost and Value-Added Assessment
  • eXtensible Business Reporting Language (XBRL)
  • Reference Software Quality Profiles
These resources are closely aligned with design patterns (and anti-patterns) that I covered in today's entry in Notes from the Field. Where patterns capture best practices, the topics I'm covering here are the basis for best practices.

Activity-Based Cost and Value-Added Assessment. I've used activity-based cost management (ABCM) since 1993, and have found it to be one of the most effective techniques for determining total cost of ownership (TCO) for systems and applications. I've also used it to cost out shared resources and estimate outsourcing P&L from a vendor point of view. A Management Accounting Framework by Gary Cokins is a good starting point if you're not familiar with ABCM. Mr. Cokins is also the author of Activity-Based Cost Management Making It Work: A Manager's Guide to Implementing and Sustaining an Effective ABC System (see my 25 February 2001 review on Amazon).

Another facet of cost management is value assessments - the process of discovering non-value added activities in processes. There is a clear connection between ABCM and value assessment, and one of the best resources I've encountered is William E. Trischler's book titled Understanding and Applying Value-Added Assessment: Eliminating Business Process Waste. My 6 July 2001 review of this excellent book on Amazon summarizes why you should read this book. Another resource is a whitepaper by Thomas Miller titled Enterprise Architecture Framework: Providing a "Value Added" Analysis Capability.

Value analysis is not limited to measuring process steps, which is evidenced by Knowledge Value Added and Business Process Auditing. This brief paper is augmented by another paper that ties together knowledge value and ABCM by comparing the two. The paper, Knowledge Value Added and Activity Based Costing: A Comparison of Re-engineering Methodologies, is one of a series of similar papers that address different facets of the same topics.

We're now getting deep into business process improvement and reengineering territory. One valuable resource that covers this broader look at processes is the FAA's Business Process Improvement/Reengineering Handbook. Another resource is a PowerPoint presentation titled Tools for Managers: Measuring Performance and Success.

I'll wrap this topic up with two other recommended resources:

  1. A whitepaper in PDF format titled Principles of Benchmarking.
  2. Paul Strassmann's web page. If you're one of the half-dozen IT professionals who has not heard of Mr. Strassmann you're in for a treat as you read through his articles and papers. This guy is opinionated, egotistic, obnoxious - and is rarely wrong. His seminal book, The Business Value of Computers, established him as a straight-talking senior executive who was not afraid to debunk the voodoo methods used to justify computer purchases. Since this book's 1990 debut Mr. Strassmann's book writing has been prolific, and he has augmented his books with a series of digital publications.
eXtensible Business Reporting Language (XBRL). If you are working with or for a financial institution, or are supporting your company's finance department, then XBRL is an important topic.

A starting point is XBRL.ORG, which is developing XBRL for the preparation and exchange of business reports and data. The initial goal of XBRL is to provide an XML-based framework that the global business information supply chain will use to create, exchange, and analyze financial reporting information including, but not limited to, regulatory filings such as annual and quarterly financial statements, general ledger information, and audit schedules.

The XBRL Educational Resource Center maintained by Bryant College is a content-rich source of XBRL information too. If you want a good overview of XBRL, download the XML-XRBL PowerPoint presentation. The Extensible Business Reporting Language (XBRL) 2.0 Specification dated 4 February 2002 (MS Word format) is the official spec and is essential reading if you are involved with XBRL solution development.

There are two books on the topic, neither of which I've read, that are currently available:

  1. Introducing XBRL: Making Decisions in a Digital Economy
  2. XBRL Essentials
Reference Software Quality Profiles. This topic is loosely related to XBRL and tightly related to SQA. An overview is provided in Definition of reference software quality profiles, which contains two MS Word documents that go into more detail:
  1. Software Product Quality Evaluation and Certification: the Qseal Consortium Methodology.
  2. The IBISCO initiative for the evaluation and certification of bank software product quality.
The latter document is the loose tie-in to XBRL, and is an essential document for anyone who works with or supports bank applications.

End Note: Do you have a fall-back strategy to go into manual mode if you lose a critical application? Here is an example of such a strategy for business process areas that depend heavily on word processing (law offices, transcription agencies, etc.), and a reminder to find a little fun in life.



Sunday, February 10, 2002

 

Important. I haven't authenticated this, but it comes from a source whom I trust. The warning is:
The IRS Criminal Investigations Division recently sent out an alert to law enforcement agencies regarding this scam. PLEASE READ and FORWARD to others, so they might not be a victim of what could seriously damage you financially.

Some taxpayers have received e-mails from a non-IRS source indicating that the taxpayer is under audit and needs to complete a questionnaire within 48 hours to avoid the assessment of penalties and interest. The e-mail refers to an "e-audit" and references IRS form 1040. The taxpayer is asked for social security numbers, bank account numbers and other confidential information. The IRS does not conduct e-audits, nor does it notify taxpayers of a pending audit via e-mail.

That e-mail is not from the IRS. Any e-mail received of this nature should be saved so that a computer forensics investigation can be conducted to determine the originator. Law enforcement personnel should remain cognizant of this latest identity theft ploy. And this social engineering exploit is not limited to the U.S.A. A criminal in your country can also pull a scam like this. Be warned! More info at: webmaster@fleoa.org - Federal Law Enforcement Officers Association.

I did do a quick Google search and discovered that this scam is also being pulled over the phone.
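The warning above describes the scam's tell-tale signs: a message claiming to be an IRS "e-audit", a short deadline, a reference to Form 1040, and a request for social security and bank account numbers, from a sender that is not the IRS. The following is an added example (not from the original weblog or the forwarded alert) that turns those signs into a simple header-and-body check a mail administrator or help desk could run over a saved message. The sample messages are constructed for the example; the sender addresses and `.example` host names in them are placeholders, and the scoring threshold is an arbitrary choice.

```python
"""Heuristic check for the "IRS e-audit" identity-theft e-mail described above.

Added example, not code from the original weblog. Sample messages are
constructed; addresses and .example host names are placeholders.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Indicators taken directly from the scam description.
INDICATORS = {
    "claims_audit": re.compile(r"\be-?audit\b|\bunder audit\b", re.I),
    "urgent_deadline": re.compile(r"\bwithin\s+\d+\s+(hours?|days?)\b", re.I),
    "asks_ssn": re.compile(r"social\s+security\s+(number|no\.?|#)|\bSSN\b", re.I),
    "asks_bank_account": re.compile(r"bank\s+account|routing\s+number|account\s+number", re.I),
    "cites_form_1040": re.compile(r"\bform\s+1040\b", re.I),
}

# The IRS's own domain; anything else claiming to be the IRS is suspect.
LEGIT_IRS_DOMAIN = "irs.gov"


def _domain(header_value):
    """Return the lowercase domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw):
    """Parse an RFC 5322 message and report which scam indicators it triggers."""
    msg = message_from_string(raw, policy=default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = msg.get("Subject", "") + "\n" + body

    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]

    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))

    # Message invokes the IRS but was not sent from irs.gov (or a subdomain of it).
    claims_irs = re.search(r"\bIRS\b|Internal Revenue Service", text, re.I) is not None
    if claims_irs and not (from_domain == LEGIT_IRS_DOMAIN
                           or from_domain.endswith("." + LEGIT_IRS_DOMAIN)):
        hits.append("sender_not_irs_gov")

    # Replies routed to a different domain than the sender is a classic phishing tell.
    if reply_domain and reply_domain != from_domain:
        hits.append("reply_to_mismatch")

    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "indicators": hits, "score": len(hits)}


def is_likely_scam(raw, threshold=3):
    """True when enough independent indicators fire (threshold is arbitrary)."""
    return analyze_message(raw)["score"] >= threshold


# Constructed sample resembling the scam described in the alert.
SAMPLE_SCAM = """\
From: "IRS E-Audit Unit" <audits@irs-eaudit.example>
Reply-To: <collect@mailbox.example>
To: taxpayer@example.org
Subject: Notice of e-audit - response required within 48 hours
Content-Type: text/plain; charset="utf-8"

Our records show that your IRS Form 1040 return is under audit.
To avoid assessment of penalties and interest, complete the attached
questionnaire within 48 hours. Provide your social security number and
bank account number so we can verify your identity.
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "Payroll" <payroll@example.org>
To: staff@example.org
Subject: Reminder: W-2 forms available on the HR portal
Content-Type: text/plain; charset="utf-8"

Your W-2 for last year is now available on the internal HR portal.
Log in as usual; no reply to this message is needed.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        report = analyze_message(sample)
        print(label, report["score"], report["indicators"])
```

The checks are deliberately independent so that a single false positive (a legitimate payroll notice mentioning an account number, say) does not by itself condemn a message; the sender-domain test carries the most weight in practice because, as the alert states, the IRS does not notify taxpayers of audits by e-mail at all.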

 

Loose Ends & Miscellaneous Notes. It's a beautiful Sunday in Southern California, so this entry is going to be short. My goals are to tie up some loose ends with respect to yesterday's entry on security and to also share a few sites that I serendipitously found in my never-ending surfing and research.

Security Redux. Phenoelit, a self-described German greyhat group (and one of the presenters at Black Hat Briefings '01), has an interesting site that features tools and papers security professionals will find both interesting and useful.

The tools include:

  • VIPPR (Virtual IP Phalanx Router) - a study of attack router concepts
  • IRPAS - Internetwork Routing Protocol Attack Suite
  • ARP0c - a connection interceptor (using ARP spoofing and a bridging engine)
  • cd00r.c - a working proof-of-concept code for a not listening remote shell on UN*X systems
  • PHossc - a sniffer designed to find HTTP, FTP, LDAP, Telnet, IMAP4 and POP3 logins on the wire
  • Lumberjack - scans the hash codes of all passwords in a ldif file
  • KOLD - a dictionary attack against LDAP server
  • ObiWAN - a brute force authentication attack against Webserver with authentication requests
Chilling stuff, but forewarned is forearmed. If you want both insights into security and a well-written technical primer, I highly recommend Bruce Schneier's Secrets and Lies: Digital Security in a Networked World. My friend Kate Hartshorn wrote an insightful review on Amazon dated 8 November 2001, and I reviewed this outstanding book on 3 January 2001. If you like this book and want a gentle introduction to the underlying math and mechanics of the technologies that are introduced, I also recommend Cryptography Decrypted. Linda reviewed this book on 17 December 2001 and I wrote a review on 16 March 2001.

The Papers & References page on the site points to mainstream and non-mainstream resources.

Discoveries.

  • Moneywords is Tom Welsh's project management site. It contains checklists and a comprehensive list of book recommendations. I discovered this gem when Tom posted a message in our Project Management Forum. One page I especially like is Barometers, which is a listing of financial ratios and indicators.
  • Introduction to the Zachman Framework by David Hay. I've been a strong proponent of the Zachman framework ever since reading Spewak's and Hill's Enterprise Architecture Planning. See Linda's 21 January 2001 review on Amazon. I first read this book in 1993 and can attest that it's as relevant today as it was when it was first published over nine years ago.
  • Enterprise-Wide IT Architecture, which is a reference site and community resource for Enterprise-wide Information Technology Architecture (EWITA) or Enterprise Architecture (EA).
  • ZIFA, which is the Zachman Institute for Framework Advancement. I didn't recently discover this site, but am including it because it fits well into the themes of the sites I previously mentioned.



Saturday, February 09, 2002

 

TOPIC: Security Issues and Resources: This entry might look like Microsoft bashing, but bear with me because it isn't. The topic is security, and my goal is to provide awareness, opinion and resources.

Awareness. First, if your organization has heavily invested in Microsoft technology or is leaning that way, take a quick look at the numerous problems you are facing or will be facing. Bleak? Overwhelming? These problems did not happen overnight, but the consequences have finally come to a head. Some of the more glaring problems and consequences can be found in two articles in eWeek and an article from E-Commerce Times.

The first article dated 28 May 2001 dropped a bombshell with the report that Insurer Considers Microsoft NT High-Risk. Another damaging article from this publication, dated 25 September 2001, turned up the heat with a report that Gartner Recommends Against Microsoft IIS. The article in the 4 October 2001 issue of E-Commerce Times Under Pressure, Microsoft Moves to Tighten Security unearthed a litany of problems.

Apparently Microsoft was listening. Here is the short-term response, the now famous Bill Gates' Email on Trustworthy Computing (copied from Paul Boutin's weblog).

Yes, it's a step in the right direction, but is it a sincere effort or a marketing/public relations ploy? The reported action is a 30-day moratorium on new coding so that developers can fix security problems. 30 days? Let's examine the realities here:

  • There are millions of lines of code that make up the Microsoft product line
  • Strong circumstantial evidence that Microsoft hasn't given much apparent thought to security until now
  • The daunting planning and coordination challenges that need to be overcome before coding efforts of thousands of developers can be redirected towards the task of finding and fixing security vulnerabilities. Not to mention the training that the coders-turned-security auditors will need before they're effective.
Given the realities, consider this: a rollout of Windows XP for a 1000-person organization requires more planning and coordination than the project Mr. Gates proposes. Personally, I don't believe it is anything more than spin control.

From the foregoing it would appear on the surface that Microsoft can't produce secure software and, therefore, we should look to [pick your favorite vendor, OS or whatever] to save us.

Here's a dose of reality: go to the CERT/CC Vulnerability Notes Database, which is maintained by the CERT Coordination Center (CERT/CC). You may be surprised to notice the vulnerabilities reported for your favorite vendor, OS or whatever. If you're still not convinced, look through the advisories and draw your own conclusions. While you're on the site do a little exploring and you'll find tools and practices to help you shore up your own security posture.

I'll give an example of how we sometimes allow personal opinions and value judgements to cloud our objectivity. I happen to think that Oracle is the only sane solution for mission critical computing. When Oracle began advertising their Unbreakable database I took it as a matter of fact. You can well imagine my surprise and chagrin when I read the 7 February article in The Register that reported How to hack unbreakable Oracle servers. David Litchfield of Next Generation Security Software uncovered a number of vulnerabilities. If you want specifics download Mr. Litchfield's whitepaper titled Hackproofing Oracle Application Server. If your organization uses Oracle or Lotus Domino you would also do well to read the advisories and whitepapers in the site's research section.

Opinions:

  1. Microsoft bashing has become so fashionable that we tend to not notice that software (including firmware) security vulnerabilities are the norm instead of the exception. This is dangerous because if Microsoft cleaned up every security flaw and vulnerability tomorrow there would still be a plethora of risks using computers for business or personal use.
  2. Microsoft is positioned to lead. They acknowledged certain facts about their software and have announced that they are going to do something about it. If the announcement is spin control and empty promises they will ultimately suffer. However, if they do make a concerted effort and it starts showing results, then the rest of the industry is going to be followers that play the me too game.
  3. I do not expect any real progress to be made within the 30-day timeframe that Microsoft announced.
  4. The root cause of the problem, in my opinion, goes to shoddy-to-nonexistent software engineering and quality practices industry-wide. We're watching a company focus on security when it's really a process and quality problem. We're also watching a particular company, bashing them along the way, when it's the entire US software industry that should be watched.
  5. If UCITA (see my 8 February entry) were law, neither Microsoft nor any other US company would have much incentive to clean up the mess (that's my opinion, of course).
Do not construe my opinions as excuses for Microsoft. They are a monopoly and should be held to the highest standards. This does not exonerate the rest of the industry of their sins of omission and commission with respect to quality and professional standards.

The purpose of this weblog is to promote and foster best practices and improvement within the IT profession. To that end here's my advice with respect to shrink-wrapped software and COTS (commercial off-the-shelf software):

Resources. Linda and I have an Information Technology Security page that contains links to a large number of resources, many of which are primary sites for security professionals. We also have documents on this site that will prove helpful. Use this site as your gateway to the primary security sites on the web and you'll be on your way. Since the Information Technology Security page is infrequently updated (we have since discovered weblogs and use this and Notes from the Field to update content and share news and documents), I'm including a few resources that you will not find on our page:

  • A nicely designed and useful security page from the National Institutes of Health. This resource is included because it's a model for your own organization, and it has security policies, guidelines and a handbook that you can benchmark against yours. The IS Security Program Handbook in MS Word format is especially valuable.
  • The Network Risk Assessment page (also from NIH) has a manual in MS Word format and an accompanying Excel risk assessment tool that are invaluable.
  • Speaker notes and presentations from the Black Hat Briefings '01, which took place in Amsterdam, November 2001. The presentations are a treasure trove for security professionals.
Since it's a Saturday I am going to enjoy the rest of the day.



Friday, February 08, 2002

 

If you're initiating process improvement you'll want to read American Productivity & Quality Center's whitepaper titled Benchmarking: Leveraging Best-Practice Strategies. You'll find that it's a good fit with the material on process improvement that I've posted in the last two entries. If you're interested in knowledge management and how it enables business processes and process improvement you'll also want to download the PowerPoint presentations from APQC's September 2001 conference on Next-Generation Knowledge Management: Enabling Business Processes.

I also recommend the e-Newsletter of Practical Process Improvement if you want to read insightful articles about process improvement.

If you are pursuing improvement in project management or program management practices you'll want to check out NNH Enterprise's earned value project management papers and associated earned value definitions.

On 17 January Linda and I each addressed the Uniform Computer Information Transactions Act (UCITA) in Notes from the Field. One of the key issues (and there are many) that we have with UCITA is its restriction against criticizing a product, which extends to reviews, statements of fact about shortcomings and the like. If you want to see justice before UCITA, check out the short article from The Register dated 7 February 2002 headlined NY sues NAI so you can say McAfee sucks. Had UCITA been in force, McAfee would have prevailed. Food for thought. If you're not up to speed on UCITA, do take the time to read Linda's and my 17 January comments, as well as InfoWorld's UCITA briefing page and Ed Foster's incisive thoughts in his Gripeline article titled The Bride of UCITAstein.

Another legal issue (actually a raft of them) that affects our profession and the businesses that we support concerns intellectual property. I won't go into my thoughts about the Digital Millennium Copyright Act (DMCA) today because I'd wind up writing a tome instead of a weblog entry. I will recommend that you read Bill Zoellick's excellent book titled CyberRegs: A Business Guide to Web Property, Privacy, and Patents, which succinctly captures the essence of the thorny legal issues and the laws that are being passed to keep pace with our web-enabled, information-driven world. I reviewed this book on 25 September, and my friend Kate Hartshorn also reviewed it on 8 November. Kate's review is interesting because her expertise is competitive intelligence (a fancy term for corporate spy), and her comments place the issues in a different perspective than the rest of the reviews.

One site I frequently visit for news regarding intellectual property issues on the web is Info Anarchy. The site's stated mission is to cover reviews of file sharing/anonymity tools, announcements of new releases, ideas and concepts, legal proceedings, statements and other relevant news. Along the same lines, Deborah Branscum's weblog is a worthwhile resource. Her views of UCITA, Microsoft follies and related topics are completely in line with mine. The difference between Deborah and me, though, is that she does not sugar-coat her opinions.

Closing items are odds and ends that are valuable to IT managers:

TGIF. Tomorrow's entry will address more security issues and provide some documents and resources that you may find especially valuable for refining your security posture.



Thursday, February 07, 2002

 

In yesterday's entry I ended by sharing a process improvement manual that I made available for download. That manual is valuable as a standalone asset, but combined with Continuous Improvement: A way of life (a 36-page essay by P. R. Balakrishnan) you'll be armed with enough material to place process improvement into the context that is right for your organization.

There is much ado about security these days. I've frequently written about it here and in Notes from the Field, and will continue to do so because it's an important topic from both operational and software engineering points of view. One interesting resource is Generally Accepted System Security Principles (GASSP). The page contains the principles in HTML and MS Word format. The approach is to cast security principles in the same manner as generally accepted accounting principles (GAAP), and since accounting, auditing and core security practices (segregation of duties, controls, evidence that controls operate) are closely related, the GASSP approach makes sense. Bear in mind that GASSP is not a formally adopted standard: the page is hosted at MIT, but the principles were drafted by a volunteer committee under the International Information Security Foundation, so treat them as a distillation of best practices from which you may want to borrow rather than something you can claim compliance with. Final notes about security in this entry: SecurityFocus is a repository of resources, including a fairly complete library of security documents, that is worth a look. If you're working on e-commerce or Internet projects you'll want to read A Parametric Approach for Security Testing of Internet Applications to make sure the test and release phases of your project cover the key aspects. That's what due diligence is all about.

If you haven't guessed, I subscribe to the adage that if you can't measure it, it doesn't exist. Finding what needs measuring is the challenge. An article from Baseline Magazine titled A Dozen Smart Metrics, To Go provides twelve useful indicators that you should be measuring, including:

Before ending I want to share a new weblog I discovered today: VoidStar, which is Julian Bond's creative outlet for his valuable thoughts and ideas. Mr. Bond has much to say about a wide range of subjects and topics related to IT operations, software engineering and anything that falls on the periphery or in between. I spent a few hours earlier today reading, absorbing and assimilating. I'm impressed.



Wednesday, February 06, 2002

 

On Risks: The theme of this post is risk management. Leading off is a pointer to Resource Management Systems, which sells tools that are reasonably priced and useful. Their FastPlanner for IT is an Excel add-in for IT budgeting and estimating. At $79.00 it's cost-effective because it will surely shorten the time spent on one of the most painful tasks that goes with the territory if you're an IT manager. What does this have to do with risk? Everything. How many budgets and estimates are accurate? FastPlanner provides a framework that fosters accuracy by ensuring that all cost drivers are taken into account, and budget risk, especially when shareholder value is at stake, is inversely proportional to forecast accuracy. Products aren't the only reason to visit Resource Management Systems' web site, though: there are online tutorials, budgeting FAQs and briefs that are valuable and freely available.

Risk Matrix from Mitre (compliments of your tax dollars) is a free risk assessment tool. You can obtain it by filling out a registration form, and instructions will be promptly sent for downloading it. The advantage of registering the tool is you'll receive update notifications. If you can't wait you can download it from my server. I do urge you to go through the registration process at your convenience if you do get the tool from me.

Simtools and Formlist are free Excel add-ins that belong in the toolbox of every risk manager, strategic planner and project manager. Simtools adds statistical functions and procedures for doing Monte Carlo simulation and risk analysis in spreadsheets. Formlist is a simple auditing tool that adds procedures for displaying the formulas of any selected range, which is how you catch the hard-coded number someone typed over a formula. An additional tool, TORNDIAG.XLS, adds a Tornado Diagram procedure to the Excel Tools menu; the procedure can then be used to make a tornado-style sensitivity-analysis diagram in any open workbook. (A tornado diagram shows how an output value changes as each input parameter is moved, one at a time, from its best estimate to its low estimate and to its high estimate, with the inputs sorted so that the one with the widest swing is on top. It tells you which estimates are worth refining before you spend time on the others.)
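The one-at-a-time sweep that TORNDIAG performs and the Monte Carlo sampling that Simtools adds are easy to reproduce outside Excel. Below is an added example in Python; it is not code from Simtools, Formlist or TORNDIAG and not from the original entry. It uses a constructed risk model, expected annual loss from one class of security incident, with hypothetical low/best/high estimates for incident frequency, loss per incident and control effectiveness. The tornado pass shows which estimate most deserves scrutiny; the Monte Carlo pass shows that the mean of the simulated loss lands well above the point estimate because the ranges are skewed to the right, which is the reason to simulate instead of plugging in best guesses.

```python
"""Tornado-diagram sensitivity analysis and Monte Carlo risk simulation.

Added example (not Myerson's Simtools/TORNDIAG code). The model, the three
inputs and their low/best/high ranges below are constructed for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Input:
    """A model input: the analyst's best estimate plus a plausible low/high range."""
    name: str
    low: float
    best: float
    high: float


def annual_loss(incidents_per_year: float, loss_per_incident: float,
                control_effectiveness: float) -> float:
    """Constructed risk model: expected annual loss from a class of incident,
    reduced by the fraction of incidents a control is believed to stop."""
    return incidents_per_year * loss_per_incident * (1.0 - control_effectiveness)


# Constructed inputs (hypothetical estimates for one risk scenario).
INPUTS = [
    Input("incidents_per_year", low=2.0, best=5.0, high=12.0),
    Input("loss_per_incident", low=20_000.0, best=50_000.0, high=200_000.0),
    Input("control_effectiveness", low=0.50, best=0.70, high=0.90),
]


def tornado(model, inputs):
    """Vary one input at a time from its best estimate to its low and high
    values, holding every other input at best. Returns the base-case output
    and rows (name, output_at_low_end, output_at_high_end, swing) sorted by
    swing, so the widest bar sits at the top of the diagram."""
    best = {i.name: i.best for i in inputs}
    base = model(**best)
    rows = []
    for i in inputs:
        at_low = model(**{**best, i.name: i.low})
        at_high = model(**{**best, i.name: i.high})
        rows.append((i.name, min(at_low, at_high), max(at_low, at_high),
                     abs(at_high - at_low)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return base, rows


def monte_carlo(model, inputs, trials=20_000, seed=1):
    """Sample each input from a triangular distribution (low, mode=best, high),
    evaluate the model, and summarise the output distribution. Inputs are
    treated as independent; correlated inputs would need a joint sampler."""
    rng = random.Random(seed)
    outcomes = sorted(
        model(**{i.name: rng.triangular(i.low, i.high, i.best) for i in inputs})
        for _ in range(trials)
    )

    def percentile(p):
        return outcomes[min(len(outcomes) - 1, int(p * len(outcomes)))]

    return {
        "mean": sum(outcomes) / len(outcomes),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p95": percentile(0.95),
    }


def render_tornado(base, rows, width=40):
    """Plain-text tornado diagram: one bar per input, scaled to the widest swing."""
    scale = width / rows[0][3] if rows and rows[0][3] else 0
    lines = [f"base case (all inputs at best estimate): {base:,.0f}"]
    for name, lo, hi, swing in rows:
        bar = "#" * max(1, int(swing * scale))
        lines.append(f"{name:<22} {lo:>10,.0f} {bar:<{width}} {hi:>10,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    base, rows = tornado(annual_loss, INPUTS)
    print(render_tornado(base, rows))
    print(monte_carlo(annual_loss, INPUTS))
```

With these constructed ranges the loss-per-incident estimate produces the widest bar, so that is the number to go back and firm up (insurance data, past incident costs) before arguing about the others. Note that the inputs are sampled independently; if loss per incident rises with incident frequency because both are driven by the same exposure, a joint sampler is needed and the percentiles here understate the tail.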

On the topic of business continuity and disaster recovery planning, which are two activities that are steeped in risk management, I have three papers that are worth reading:

  1. BCP and DR in Perspective
  2. High Availability in Perspective
  3. Negotiating Business Continuity Contracts
In addition, Managing Risks in an Increasingly Automated Customer Contact Center by PricewaterhouseCoopers LLP is a summary of call center automation risks that call center professionals will find useful.

If you haven't been following the Microsoft Passport vs. Project Liberty posturing and you're involved in e-commerce, you should visit ZDNet's Tech Update page for the Project Liberty Special Report. In my opinion (and that of many in the industry) there are many inherent risks in Microsoft's online ID system; for more information see Meta's report titled Passing Passport. Passport is tied into Microsoft's .NET initiative, which has its own set of risks, foremost among them Internet interoperability. A piece of reassuring news for those of us who espouse open standards is the ZDNet report of a .NET Alternative.

Information security policies are designed to reduce, mitigate or avoid risks. An excellent PowerPoint presentation that addresses this is Measuring Information Security Policy Conformance. I also have material on project risk management at the following pages: PM Overview Page and Tools & Documents. Both of these pages are on my old Infrastructure, Life Cycle and Project Management site. The site is dusty and does not receive much maintenance from me, but remains popular and does have a wealth of useful material.

A parting note: improving processes reduces risk. I'm including a manual in MS Word format titled Managing Process Improvement that may prove useful. If you're also interested in software engineering I'll be updating Notes from the Field with material that addresses software risk management, among other topics.