This page is powered by Blogger.





Contacting Us
Mike Tarrani
Linda Zarate
Kate Hartshorn

Who We Are
TEAM Zarate-Tarrani

Our main weblog
Notes from the Field

Our other pages
Mike's home page
Linda's home page
Kate's home page

Simpatico [we]blogs
Dan Gilmore
Robert X. Cringely
Jakob Nielsen
Julian Bond
Deborah Branscum
Lisa Rein
Ed Yourdon


Tuesday, April 30, 2002


More on Process. I place process above all else. Tools without processes frequently turn into shelfware and are a monument to poor management practices, abysmal leadership and the major disconnect between IT and business imperatives. Once processes are in place they cannot remain static, or they will soon become monuments themselves - monuments to lethargy, not invented here syndrome and source material for Dilbert cartoons.

There are books, articles and philosophies devoted to process improvement. Pick one. However, if you are sincerely searching for a workable approach The Purpose Driven Process Improvement Guidebook may have what you're seeking. I was impressed with the approach and found the PowerPoint presentation on purpose-driven process improvement to be a quick-start introduction. Another excellent view of process improvement is the 5-step approach by the same authors who created the Purpose Driven Process Improvement Guidebook. Highly recommended.

Monday, April 29, 2002


Linda and Kate covered service delivery in their recent entries while I addressed project management and metrics. The following documents will, in many ways, tie together these disciplines:

Sunday, April 28, 2002


My entry on 25 April wrapped up thoughts and associated documents on project management. This entry's theme is metrics. There is a direct relationship between software project management and metrics, as well as between service delivery and metrics. A good place to start is Practical Approach to Software Metrics, which is a primer. Also see previous metrics entries because this is a recurring topic.

Metrics need to be placed within a context of the development life cycle. An interesting approach to life cycles is the hybrid process model that combines the spiral and waterfall life cycles. This is but one example and certainly not the only viable model. However, you have to credit the authors for creativity and some excellent ideas. Armed with a primer and one model that incorporates two common life cycles into a hybrid, the next step is to survey metrics practices. This document presents best practices that you can learn from to develop (or improve) your metrics program. If you want to assess your metrics posture the Excel metrics self-evaluation tool will give you a baseline and the basis for launching a process improvement initiative.

Saturday, April 27, 2002


I've dredged up more documents that apply to service delivery in one or more ways. Each is from the GartnerGroup and each is short and focused:

Friday, April 26, 2002


Kate's entry caused me to remember that I have recent ITIL resources to share. ITIL Tools to Manage IT is collection of links that all service delivery professionals will find valuable, but are particularly applicable to ITIL practitioners. I also like the way that ITIL-compliant service processes are depicted in the well designed IT services page. It you're a help desk professional you'll probably relate to the article titled Managing IT Rage (Help for the Help Desk). Besides the loud ring of truth, this article combines advice for maintaining composure while delivering the high quality support services that are intended by the ITIL.

Thursday, April 25, 2002


In my entry in Notes from the Field today I discussed privacy as it related to presence and availability management. If you read my 25 April entry there you'll see initiatives sponsored by IETF IMPP Working Group and the Presence and Availability Management Forum. Those are not the only two groups that have emerged with privacy-related initiatives and proposed standards. An article titled Implementing privacy/preference policies with P3P introduces the W3C standard titled Platform for Privacy Preferences (P3P). This is an XML standard that describes the privacy and/or user preference policies for a Web site. Personally I applaud the recent activity by these groups to establish standards to assure privacy - something that may be sorely missed if the Liberty and Passport factions proceed unchecked.

Mike and Linda frequently write about the ITIL, service delivery and related topics. Until I joined TEAM Zarate-Tarrani my career path was a straight line in the knowledge management and competitive intelligence areas. Since joining the team I've been more involved in the service delivery domain, and it turns out to be a natural fit. Two documents that gave me the points of reference I needed to change direction are Delivering High Quality Service, which explains the goals of the International Service Management Forum, and a PowerPoint presentation on the ITIL essentials. Where my skill base allows me to fit in and to grow as a service delivery professional are the direct connection between managing knowledge and providing support services, and the process analysis and reporting that service level management requires. The latter is similar to competitive intelligence, with the difference being my information gathering and assessment activities will be directed inward towards the service delivery process. In addition, my competitive intelligence background will serve me well in benchmarking to best practices and the security knowledge areas of the ITIL.

An example of how competitive intelligence relates to service delivery is shown in eShopper Modeling and Simulation. This paper is a classic example of the grey area between competitive and business intelligence, but is also an approach that a skilled service delivery professional would take in establishing business patterns that can be used as the basis for service level objectives. Another example is a typical source document that a competitive intelligence specialist would use: Understanding Web Performance. Yet another competitive intelligence source document that is as applicable to service delivery as it is to surveying best practices and trends is Strategy for Exploiting Improvement. The bottom line is that it's not a great leap between the skills and experience I've accured and those that I'll need to perform effectively as a service delivery professional.


Ending Notes: Project Management. My last two entries covered various aspects of software project management. I'll end the series (which didn't start out as a series, but managed to become one anyway) with these documents:One of the best books, in my opinion, on software project management is Software Project Management: Unified Approach by Walker Royce. This book is especially valuable if you're using the Rational Unified Process, but will be applicable to any software development project regardless of methodology. My only complaint about the book is the way it addresses work breakdown structures, but I'll go into that particular issue in a future entry in the form of a book review.

Wednesday, April 24, 2002


More on Project Management. In my last entry I shared documents that will pave the way to sound software project risk management techniques. In this entry I have documents to share that will further strengthen the foundation of software project management. The context for software projects can be captured in software development rules of thumb and software project success factors. These two documents can effectively serve as primary guidelines for all software projects, and if followed will increase your awareness of what does and does not work. Another document that every project manager should read is Prevent Software Project Surprises. This document ties back to my previous entry about project risk management. Forewarned is forearmed.

A good article on the basics of estimating is Unreasonable project estimates: Find the cause, effect a cure by Kurt Linberg (he has authored other project management articles that are well written and hit the mark).

Project management consists of planning (includes estimating), scheduling and control. Success is measured, and for scheduling the document on team-driven scheduling metrics provides sound advice on what needs to be measured. Additional resources on risk, scheduling and control can be found on our old project management newsletter site. This page is no longer updated, but contains a wealth of valuable information.

Tuesday, April 23, 2002


Project Risk. Managing software project risks is often discussed, but too often misunderstood. One of the unfortunate problems is that IT professionals side-step the math and assign arbirtary ratings that have no basis in reality. The net result is miscalculated risks with no quantifiable impacts. A starting point is to brush up on probability, and Simple Measures of Success will step you through the basics. This Word document not only covers the fundamentals of probability, but also covers statistical process control charts.

After you get up to speed with the relatively simple math, What is Software Risk Management? will nudge you towards applying it in a practical way. The finishing touch is the theme of Software Project Risk Management Practices. These documents will give you the foundation, and are also consistent with project risk management processes that are set forth in the Project Management Body of Knowledge for those who are either certified as a Project Management Professional or pursuing that certification. The material is also consistent with practices used in the UK project management standard, PRINCE2, in addition to suporting requirements of the Capability Maturity Model.


Wrap-up. I'm going to wrap the security thread with a PDF presentation on risk analysis. The author of this presentation is Thomas R. Peltier who wrote Information Security Risk Analysis. Linda reviewed this excellent book on Amazon on 25 September 2001, and I reviewed it on 22 April 2001. Read what we had to say - if you're interested in risk analysis from a security perspective this book is worth reading.

Shifting Gears. I have two documents that address software project management and software quality management. They're short, to the point and worth sharing with colleagues.

Sunday, April 21, 2002


Back to Security. I'm going to sidestep Linda's challenge to continue the ISO thread and refocus on security. I have documents to share that cover two important topics:
  1. Access Controls
  2. Assurance and Metrics

Saturday, April 20, 2002


My Turn. Mike and I have been tossing the ISO 9001 topic back and forth, both here and in Notes from the Field. Since I'm keeping score, Mike's 18 April entry in Notes from the Field means that the ball is back in my court.

If the burning question is "Why should I care about ISO 9001?" the answer is that it's a solid foundation upon which to build a quality system. Also, unlike the 1994 version, the new 2000 version requires continuous improvement, and has a clause that mandates customer satisfaction measurement. Even if you have no plans to pursue ISO 9001 certification, the standard provides good guidelines for implementing a quality management system upon which you can build.

If you're familiar with ISO 9001:94, and want to learn what has changed in the 2000 version, Fitting ISO 9001:2000 into a 20 Element Quality System is a good starting point. A shorter document that compares the two is ISO 9001:2000 to 9001:1994 Comparison and Change Highlights. You get the deltas in five pages.

The standard in action is described in ISO 9001 Quality Management System Requirements and in Best Practices for ISO 9001:2000.

The ball is back in Mike's court.

Friday, April 19, 2002


Security (again!). Security is a recurring theme here and in Notes from the Field, and it's time for another installment. One excellent resource for IT security is Ben Rothke's web page. Ben is a columnist for Information Security Magazine, among other things, and his home page contains a wealth of information. The real gems are:

Thursday, April 18, 2002


ITIL, ITSMF and Service Level Management. Linda's 14 April entry was on the mark. With established international standards we do not need another methodology, and we definitely don't need proprietary methodologies. She and I have over 50 years of IT operations, service delivery and production support experience between us. We've seen the methodology of the month, silver bullets and all of the other panaceas, and none are a total solution. Are the ITSMF's best practices perfect? No, but they do reflect the experience of IT professionals the world over.

One of the problems with the ITSMF's core documents, the IT Infrastructure Library, is the books are expensive. This is, in my opinion, a barrier to adoption. I am going to chip away at that barrier by sharing ITSMF files that I've collected with the goal of creating awareness. I'm going to start with a PowerPoint presentation that gives an overview of the ITIL: Why ITIL? Since the ITSMF uses the ITIL this presentation is important. The following files, which address various ITIL and ITSMF domains, will show the inner workings:

Wednesday, April 17, 2002


Preparations. One of the projects in which I'll be engaging is to develop reference data for issue management. I'm currently reading Managing Reference Data in Enterprise Databases to get ideas about how to build a taxonomy, populate it and manage the data. Although the project is in support of service level management, the role I have is squarely in the knowledge management domain.

Knowledge Sharing. Since I'll be working with peers who may not be fully conversant with knowledge management I'm gathering artifacts that will explain the basics. One such artifact is a PowerPoint presentation titled KM Tour. It's a brief overview and should help me to fit my role into the project objectives. Another artifact is a PDF document titled Assessing Knowledge Assets. This document goes beyond the scope of my role, but it does place knowledge management into a practical context.

Nice to Know. If you have an interest in knowledge management or leveraging human capital (two different, but related topics), the following documents will be of interest:


Frequently Asked Questions. We often receive e-mail that asks the same questions. I'm going to answer the most common questions in this entry:
Q Why isn't the Microsoft Solutions Framework (MSF) discussed here?
A The MSF is essentially a project management framework. It is a proprietary standard that is defined and owned by a single company. We support two internationally recognized standards:
  1. Project Management Institute's Project Management Body of Knowledge (PMBOK). The 2000 version of the PMBOK is an American National Standard ANSI/PMI 99-001-2000. More information about the PMBOK can be obtained from the Project Management Institute's Project Management Standards page
  2. PRINCE2 (PRojects IN a Controlled Environment, version 2), which is a United Kingdom standard that is managed by the UK Office of Government Commerce. See Official PRINCE2 website and the PRINCE User Group for details.
We believe that two internationally recognized project management standards are sufficient.

Q Why don't you discuss the Microsoft Operations Framework (MOF)?
A For the same reason that we don't support the Microsoft Solutions Framework: there is an international body called the IT Service Management Forum that is vendor-independent. The ITSMF uses the IT Infrastructure Library (ITIL) as the basis for their best practices. The ITIL, like PRINCE2, is under the cognizance of the UK's Office of Government Commerce, with portions of the ITIL provided by the British Standards Institution (BSi).

Since the ITSMF best practices have been adopted internationally we see no reason to employ or support a proprietary approach such as the MOF.

Q Is TEAM Zarate-Tarrani a corporation?
A No. We are independent consultants who share the same values and work ethics.

Tuesday, April 16, 2002


Privacy is a hot topic, but hotter still is the thorny issues surrounding how to best protect it. Linda reviewed a chilling book titled World Without Secrets in her 17 April entry in Notes from the Field. This book, and its associated web page, paint a bleak picture of privacy. One of my main sources of information on the topic is Lisa Rein's weblog. I also do a considerable amount of research from other sources because privacy issues are main concerns of my specialities, knowledge management and competitive intelligence.

One solution that is being hotly debated is the concept of a national ID card. The key issues are contained in a Gartner research note titled Establishing a National ID Card: Definition and Debate. However, this issue is international in scope. Smart ID Cards in Europe: Different Views, Uncertain Future gives the perspective from Europe, while we can learn from Hong Kong’s Multiapplication Smart ID Card.

At the state level the Gartner research note titled Can the Smart State Implement a Smart Driver’s License? asks valid questions. Interestingly, another Gartner research note asserts that The Global Economy Already Has IDs.

At some point, though, it will behoove you to understand the underlying technology and the strengths and weaknesses of smartcards. Mike and Linda steered me to Get Smart : The Emergence of Smart Cards in the United States and their Pivotal Role in Internet Commerce as a well written introduction to the business and technical issues, and I join them in highly recommending it if you need to quickly learn about smartcards.


Service Level Management Update. There are new articles and links on Next SLM, which is the web site that supports Foundations of Service Level Management by Rick Sturm, Wayne Morris and Mary Jander (see my and Mike's reviews on Amazon).

Highlights of the updated content include:

Much of the material on the site is directly related to the Tarrani-Zarate Model that we've been discussing, and is particularly applicable to my recent entries about organization and core processes.


Security & Contracts. I've been posting book reviews and other security-related information here and in Notes from the Field since the inception of these weblogs. Contracting is another recurring topic. A recent eWeek security series titled Contracts Getting Tough on Security ties the two topics together. If you write RFPs and evaluate vendors you'll find best practices. If you write proposals you'll find compelling reasons to start developing a set of security processes and strategy to use as a response to RFP requirements.

I canot resist a shameless commercial plug here: TEAM Zarate-Tarrani develops security strategies and processes that will prepare you for responding to RFPs.


Friends don't let friends use MS Project. If you want a project management application that correctly levels resources, can correctly compute earned value, and is made by a company that understands project management you should look at SureTrak Project Manager 3.0 (see Linda's 27 May 2001 review on Amazon).

I just finished reviewing an outstanding book on how to use this powerful program: Planning Using Primavera SureTrak Project Manager Version 3.0 by Paul E. Harris .

Although SureTrak Project Manager 3.0 ships with adequate documentation and the program is intuitive, there are three good reasons to buy this book:

  1. The product documentation covers every feature - the information about planning and managing projects using this powerful tool is scattered throughout, making it difficult to tap into SureTrak's power without wading through an overwhelming amount of nice-to-know, but non-essential detail.
  2. Although anyone who has used Microsoft's ubiquitous MS Project will have no problem getting started with SureTrak, they will miss the true project management features of SureTrak that are not present (or don't correctly work) in MS Project. This book identifies those features and shows how to use them effectively.
  3. The author goes beyond merely describing how to use SureTrak by showing you how to use effective project management techniques, many of which take years of managing projects to discover.
The book is structured as a series of 20 lessons (called workshops) that are designed to step you through setting up a project, and planning and scheduling it. If you follow them in sequence you will be able to not only set up a project using SureTrak's rich feature set, but will also pick up general project management techniques along the way. An example of one such technique is how the author classifies projects into four levels for planning and controlling. These levels are based on project complexity, with Level 1 being the simplest and suitable for short projects, to Level 4 for complex, high-value projects. You are given the planning and tracking criteria for each project type, which allows you to tailor your approach as well as ensure that you don't over-manage simple projects or under-manage the complex ones.

You are also shown how to use the more powerful features, such as the many project views (work breakdown structure, activity or resource), managing the sophisticated calendaring functions, and effectively using the resource profiles and reporting features. I particularly like the way earned value is treated. The author shows how to use SureTrak's facilities for managing to earned value, as well as explaining this essential technique (which, by the way, is now a part of the Project Management Institute's PMBOK 2000 version). Another bonus is the way scheduling is explained by walking through adding logic to activities. You'll not only be shown how to perform this task, but given reasons why you should use one approach from among four possibilities to establish relationships. In this example the choices are start-to-start, finish-to-start, start-to-finish and finish-to-finish.

The book is clear, concise and heavily illustrated with screenshots from SureTrak. The tutorial style and the way the lessons are sequenced will get you quickly up-to-speed with SureTrak and give you the knowledge and skills necessary to employ it with minimum reference to the manuals that come with the software.

If you're more interested in Primavera's high-end product, P3, please refer to my Amazon review of Planning Using Primavera Project Planner P3 Ver 3.0 by the same author.

As an end note I've gathered links to websites that may be of interest:

Our weblogs also contain a wealth of information - use the search feature to find information about earned value, WBS, PMBOK, PRINCE2 and other topics that you may be researching.

Monday, April 15, 2002


Flu? Flown! Workload? Groan! The past few days were spent suffering through a mild case of the flu. I seem to be back to normal (depending, of course, how you define normal). It appears that my workload is growing, which means that my entries here are going to remain short, and other avocation activities are going to be put on hold. One of those activities is writing book reviews on Amazon.

I have a small backlog of books for which I owe publishers and authors a review, after which I am taking a break from reviewing for Amazon.

When I'm in Kuwait I'll refocus my energies and attention on Mike Sisco's IT Manager Development Series and his IT Manager Toolkit. I've read most of the books in the IT Manager Development Series, and have reviewed Acquisition: IT Due Diligence (see my 1 April review below) and Acquisition: IT Assimilations (see my 31 March review below). Both are outstanding. I haven't looked at the tools in the IT Manager Toolkit that Mike sent me, but will later this week.

Terror? Here's an article that will give you pause: Win-XP Search Assistant silently downloads files. Another reason why I have no intention of downgrading my system to XP.

CMM Assessments. I recently read Assessment Coordinator's Handbook: Planning for a Well-Orchestrated Software Appraisal by Ken Dymond, who also wrote A Guide to the CMM: Understanding the Capability Maturity Model for Software (see Linda's 3 July review of that book).

Assessment Coordinator's Handbook: Planning for a Well-Orchestrated Software Appraisal is worth it's weight in gold to right readers. This short, 41-page guide is an invaluable resource to anyone who is getting started in assessments. It's been designed to augment SEI assessment training, therefore does not supplant official SEI materials. Here are the key features:

  • Gives a two-phase approach for preparing and training for CMM assessments that are consistent with SEI guidelines. Phase I covers pre-assessment training and planning and Phase II covers on-site assessment activities.
  • Provides detailed checklists for each phase. The author's extensive experience in assessments has been condensed into the essentials, which save you significant planning and artifact development time.
  • Checklists are provided in two levels of detail: summary and detailed. These are augmented by exhibits in the back of the book that provide an example schedule that you can use to benchmark your own plan, a project selection matrix, and an excerpt from a master task list. Using these you can refine your own planning approach.
At first glance the price-per-page ratio will make you question the value of this book. However, consider that you'll have a succinct guide that distills the essentials. This book can easily save you 50 hours or more of planning time, as well as step you through the process from the viewpoint of an experienced assessor. When you factor this into the equation the value becomes apparent. More importantly, much of the material and the approach can be refactored into planning for other types of assessments - not only for SEI CMM, making this book extra valuable to consultants who engage in assessments of all types.

Take-Aways. Although you'll have to purchase Mr. Dymond's books, I've collected papers that he's written that will be of interest if you are among the target audience for his books:

The last two fit nicely within Linda's organizational and core processes theme.

An added bonus is a Word document titled Capability Maturity Model Benefits by Richard Waina. Enjoy.


Administrative Note. Over the next few days my ISP will be doing maintenance. Most of the documents we provide here reside on the server that hosts You may experience Document not found errors during the next 48 hours. If there are any documents that you absolutely need during this period let me know and I'll e-mail them to you.

Sunday, April 14, 2002


I just finished reading Computer Forensics: Incident Response Essentials by Warren G. Kruse and Jay G. Heiser. The authors, both of whom have impeccable credentials, have managed to distill a complex subject into a book that can be understood by anyone with intermediate-level computer skills. More importantly, computer forensics is a relatively new sub discipline of IT security, making this book important in that there are few books on the topic.

I'll start with the beginning and end of the book, each of which are focused on legal aspects of forensics. The book begins by explaining what forensics is, and giving a three-step process that covers the essentials at a high level:

  1. Acquire evidence
  2. Authenticate it
  3. Analyze it
Although this process is presented at a high level, important details, such as the importance of establishing and maintaining a chain of custody, how to collect and document evidence and key issues to consider when presenting the evidence in court are covered. This discussion is picked up again in Chapter 12, Introduction to the Criminal Justice System, in which applicable laws, advice on dealing with law enforcement agencies, and the distinction between criminal and civil cases are discussed. There is sufficient detail and pointers to put sources of information to arm you with the bare essentials.

Between the opening chapter and Chapter 12 described above are chapters devoted to basic techniques and procedures for tracing email, specific operating system issues (the book deals with UNIX and Windows), encryption, codes and compression and other common challenges an investigator will face. The material is not overly technical, and is presented in easy-to-understand prose. Anyone who works as a network or system administrator, provides desktop support, or is an advanced end user will have no problems following the techniques that are presented or the underlying technical details. If you're seeking an advanced text this book will probably disappoint you, although there is sure to be some new trick or fact that you'll learn. For example, I have over 25 years of IT experience and was fascinated by the discussion of steganography (an information hiding technique). There were other chapters that I quickly skimmed because I was well-versed in the subject matter.

What I like about the book is the easy approach, which makes it easy to develop the fundamental skills necessary to perform forensics. The few other papers and books on the subject are far more advanced and the learning curve is a barrier. This book will give the new security investigator a foothold in the topic upon which he or she can build. I especially liked the appendices, which provide an excellent framework for incident response. One of the best features is the detailed roles and responsibilities, which are well thought out and reinforce the axiom that security is everyone's business. Another outstanding feature is the flowcharts for various incident types, such as denial of service, hostile code, etc. These can be used verbatim in a security policies and procedures manual, as can the incident response form provided in Appendix B. I also liked the valuable URLs provided throughout the book. I knew of many, but was surprised to find invaluable resources that I didn't know about.

Even though much of this book presented information I already knew, I still enjoyed reading it because I picked up facts that I didn't previously know, and was reminded of legal aspects of forensics and security that I'd forgotten. The appendices alone make this worthwhile to even advanced readers, and the fact that it provides an entry point into forensics for new practitioners makes this book invaluable as a training tool and vehicle for professional growth.

Saturday, April 13, 2002


Good News. Microsoft postpones .NET My services, which means that the convicted monopoly is meeting with resistance. I, for one, applaud this turn of events. Why? I don't have confidence in their ability to secure my personal information, and I don't trust their corporate motives. Will I ever trust them? It depends on how effective they are with their security initiatives, and if they can manage to actually ship a product that is reliable; i.e., no memory leaks requiring therapeutic reboots, doesn't invite malicious code, and is designed to protect data and processes. In my opinion they have a long way to go.

Sobering News. If you develop commercial or business-critical products under the GPL, be aware that the Free Software Foundation is taking a proactive role in enforcing the GPL. See FSF ask Lindows: 'Where's the Source?' for details.

Friday, April 12, 2002


Tarrani-Zarate Model: Organization and Core Processes, Part 2. I'm providing an annotated list of documents to give deeper background information about organizational issues. These documents address general IT service delivery processes, which will be delved into as this series unfolds.

Rewind. Before proceeding I want to recap the purpose of the model, which places organization and core processes into context. The Tarrani-Zarate Model was developed to:

  1. Provide a value chain that is based on business imperatives. As such, it:
    • aligns IT to business
    • focuses on reliability, availability and support of systems, applications and services provided in support of business imperatives
    • is structured to integrate applications and service delivery
  2. Is an end-to-end set of processes that connect business imperatives to support.
  3. Acknowledges that IT is a service and support activity.
This entry will focus on the organizational aspects, and the documents that I am providing are:I'll continue this series with more about organization and core processes in my next entry.

Thursday, April 11, 2002


New Discoveries. I'm not-so-patiently awaiting the June publication of The Weblog Handbook by Rebecca Blood. Although weblogs have some major drawbacks as knowledge management tools, such as the difficulty in organizing and cross-referencing information for near-transparent retrieval, they do have a place in the knowledge ecology. Ms. Blood's weblog, Rebecca's Pocket shows that she is an articulate writer and socially-aware thinker who understands technology and its uses. She was also the subject of a recent Fast Company article by Anni Layne Rodgers titled Targeted Serendipity. The article piqued my interest in the book and got me thinking about how weblogs fit within the overall scheme of knowledge management. The jury [of my mind] is still out on this one.

Opportunity. Winston Churchill is quoted as saying, The pessimist sees difficulty in every opportunity. The optimist sees the opportunity in every difficulty. This goes to the heart of knowledge management, as well as competitive and business intelligence. It is also the clear message in the 14-page paper titled Identifying Web-Based Opportunities. Churchill was a great wartime leader during World War II, but the master of warfare, Sun Tzu, has been a major influence for over 2000 years. Here is a quote from his timeless The Art of War that applies to the unbloody battlefields of business as much as it does to the killing fields of military conflict: If you know the enemy and know yourself you need not fear the results of a hundred battles.. Knowing your enemy, and your competitor is your enemy, will give you advantage - assuming that you also understand your own strengths and weaknesses.

Internet Integration in Business Marketing Tactics is a step in the right direction for leveraging intelligence. Of course, it's all about survival, making Strategic "Morphing" and the Survivability Of E-Commerce Firms a good source of tactical and strategic ideas. Remember, though, that you need to know yourself as well as your competitor. In that respect it's about measuring your performance, and A Framework for Developing E-Business Metrics Through Functionality Interaction provides viable approaches.

Back to the Future. We are still impacted by a large list of action items and a shortening timeframe. Mike and I are trying to clear the highest priority items before we leave for a short project in Kuwait, and we are also preparing for a pending project in India. That makes for an exciting life, but also for a hectic schedule. In the coming weeks our entries here will be short, so bear with us - we're juggling many balls at the moment.


Security and Information Warfare. I just finished reading a book titled Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. In it, the authors extensively document their honeypot project, which was designed to deflect attackers away from real systems and data assets by using decoys. The project evolved into something much more, which is chronicled in the book.

The first part of the book deals with technical issues and how and why the project was initiated. As the chronicle of the project proceeds the authors begin adding a new dimension to information security: psychological profiling. This is where the book becomes fascinating, and where reading the book becomes tedious.

The fascination stems from the methods used to identify, classify and profile their attackers. The tedium in reading the book is that you have to carefully read through logs of chats (Chapter 11, In their Own Words). This is not the stuff of casual reading - but is worth the time, effort and pain it takes to wade through this chapter.

Part of the tedium, aside from having to read raw (but annotated) logs is that profiling attackers requires an understanding of cultural issues, psychological motivations and risks associated with each attacker profile.

The accompanying CD ROM contains tools and supporting material for each of the chapters. The tools are the ones the project uses in building, maintaining, and using a Honeynet environment, and includes source code, precompiled binaries, and documentation. The supporting material consists of source code, network captures, and other information related to specific chapters.

The sophisticated profiling methods described his book are more suited for large corporations, organizations that support unpopular social causes (commercial and non-commercial) and targets of information warfare attacks. I personally believe that the book adds a new dimension to IT security, making it an important contribution to the security body of knowledge.

I'm giving the book to Kate to read and review because her background will allow her to gain insights that I missed. I'm looking forward to her review here as soon as she has time to finish the book and write her thoughts.

On a more mundane note I just received an e-mail notification reporting Microsoft Warns of 10 IIS Flaws. Are such reports news anymore? Yawn.

Wednesday, April 10, 2002


Measure Twice, Code Once. I've been posting material and book reviews about metrics in Notes from the Field, and have related documents that I will share here:Both of these documents touch upon architecture. They also cover issues and factors that Linda has recently addressed. The PDF document titled Architecture Engagement Process spans both topics and fills in gaps left by our discussions and associated documents that we've recently posted.

Tuesday, April 09, 2002


WAP, Banks and Business. I recently reviewed The Mobile Internet: How Japan Dialled up and the West Disconnected and came away insights I never imagined before I read the book. I've also worked closely with Unmesh Laddha and his team at Thinking Minds, Inc. on defining one of their products which extends the reach of Oracle-based applications, PeopleSoft and SAP R/3 to wireless PDAs and SMS-enabled cell phones. The document titled, WAP-Enabled Banking is an exciting look at practical uses of the Thinking Minds tool, as well as the business possibilities of WAP in general.

The key word is business use - as IT professionals our first thought was to use this tool to instrument systems to alert support staff if certain parameters, such as file system high water marks, excessive resource usage or outages occurred. The true value of this tool is to instrument business events and report them to business process owners. Only then will the investment pay off.

If you're interested in the Thinking Minds WAP tool please contact Unmesh Laddha for information.

Monday, April 08, 2002


I've been covering performance and scalability, and other metrics in Notes from the Field, and want to extend that discussion to this weblog. One excellent online paper I've recently read is SPI and Measurement, which is a wide survey of software and system engineering metrics.

Another related document is Web Site Analysis Using Soft System Methods. A final document, not closely related to metrics, is a PowerPoint presentation titled Business Case Analysis in Software Engineering. While this does cover metrics, it is more applicable to Kate's and Linda's recent entries.


Insights and Truths. Robert Frost once said, "Half the world is composed of people who have something to say and can't, and the other half who have nothing to say and keep on saying it." His observation is both witty and astute. It was also written before the advent of weblogs, knowledge management and the underlying social and psychological theories and realities that define our world. I'm going to let the poet laureate's quip guide my entry today, which has a goal of supporting Linda's recent entry.

Linda and Mike have developed a model that supports the management of information technology, with an emphasis on people, process and technology. As Linda stated, one of the influences of the model is the capture, transformation and presentation of data and information. That process is in my area of expertise, which has given me an opportunity to contribute to how the model evolves - and evolve it does.

At the organizational level that Linda is currently discussing there are factors that will significantly enhance the organizational effectiveness. The following papers expose some of the major factors:

In addition, there are fine points to be put on the application delivery process, which is discussed in Knowledge Creation for Improving Software Organizations. Creating knowledge can have drawbacks. Knowledge, like everything, comes in varying degrees of value. In order to determine the value of knowledge it must be assessed and evaluated, and a value assigned. Integrated Knowledge Assessment provides guidelines for accomplishing this.

The collection of best practices is an aspect of knowledge management, which gives a recursive quality to the document titled Best Practices in Knowledge Based Innovation. A final document that fits and supports Linda's current topic is Task/Technology Fit and Information Technology Choices in Knowledge Work. This paper is more applicable to the service and applications delivery functions in the Tarrani-Zarate Model, but also influences the foundation layer.

I'll end this with of my favorite Robert Frost poems:

We dance round in a ring and suppose.
But the Secret sits in the middle and knows.
I marvel at how these two simple, elegant verses say more about what knowledge management is than the pile of books I have on the subject.

Sunday, April 07, 2002


Tarrani-Zarate Model: Organization and Core Processes. This entry will refer to illustrations, each of which will open in a separate window. The first illustration is a quick view of the Porter Value Chain, from Michael Porter's classic, Competitive Strategy.

Basically, the value chain is comprised of direct value-adding activities and support activities. A common business ratio, called the tooth-to-tail, is the ratio of workers who produce and those who provide support or management. The leaner organizations, of course, have more producers than supporters and managers. This is why self-directed work teams add value.

There is another value chain at work, and it is called the Management Information Value Chain. This value chain maps the capture or creation of data, and its transformation into information upon which decisions and actions can be based. Kate Hartshorn has written about this in many of her entries that deal with competitive intelligence and business intelligence. The management information value chain is where IT can prove its value because we provide the systems that capture, store, transform and compute the data and information, and present it to the business.

Our role, and a major factor that plays into the way the Tarrani-Zarate Model is structured, is the juxtapositioning of service delivery, and the value chains. Service delivery comprises the core processes of our model, depicted in focused service delivery, and forms the basis for an Information Services and Support Value Chain.

If you examine the simplified version of our model you'll see that service and applications delivery are connected to the foundation, which is the subject of this entry.

The organizational structure that we have developed from the above is an idealized set of resources and processes. This is our model's foundation, and it contains all of the core processes as well as organizational workflow for both service and application delivery.

I've briskly and tersely covered a lot of territory and am going to step back and allow the information I've provided to sink in. In my next entry I'll go into more detail about the core processes and out rationale for the organizational structure.


Due Diligence, Quality and Strategy. Since writing extensively about RFPs, contracts and related topics during the past two weeks I continue to discover material that is too good to keep to the team. One collection of such gems is a GartnerGroup series on IT Service Contracts.

If quality and strategy are foremost on your agenda, the collection of PowerPoint presentations and Word documents that address IS Quality Strategies will be useful. The ideas, concepts and practical approaches in this collection make downloading this Zip archive time well spent.

Closely related is a PDF document titled, IS Project Scorecard. This document is not only for project managers, but also contains information about governance, SQA and organizational processes. It also ties to Linda's recent and ongoing discussions here.

Saturday, April 06, 2002


Notes & Miscellany. Kate's announcement regarding our documentation products we'll soon be offering represents a major step forward for TEAM Zarate-Tarrani. Offering these products has been an oft discussed goal and a source of procrastination. Kate stepped forward and the project is taking on a life of its own. Our timing may not be optimum because we are scheduled to be in Kuwait for a project, and there is a second project in the pipeline.

Web Project Support Material. I came across three interesting documents that I want to share:

  1. Integrating User-Perceived Quality into Web Server Design.
  2. Analyzing Factors That Influence End-to-End Web Performance.
  3. Web Modeling Language (WebML): A modeling language for designing Web sites.
I haven't fully absorbed these documents, although I did a quick read. If you're involved in any type of web or portal project you may find them interesting, valuable or both.

Friday, April 05, 2002


Much Ado About Much. This has been a busy week. First I became a grandmother, joining Mike and Linda in that milestone event in life where one must confront the march of time. I assure you that I'll not go gently into that role if it means growing up. Second, I've been given editorial control over a collection of documents that Mike and Linda have produced over the past two years. My task is to take policy, process and procedures, project plans and related artifacts and turn them into generic, fill-in-the-blanks templates for change control, issue management and service level management processes.

Value Proposition. The documents will be offered at an attractive price by TEAM Zarate-Tarrani. The value will be as follows:

  1. Documents will be in Microsoft Word and Excel formats, and all graphics will be in Visio. We have decided that Office 97 and Visio 5 are the best formats because most companies have upgraded to those products or beyond. The value in this approach is that the documents can be easily tailored to meet an organization's specific requirements and reflect the current situation with respect to process maturity.
  2. See before you buy. Samples of each of the documents will be provided, in their entirety, in Adobe PDF format. We'll lock the documents to prevent printing, selecting and copying text, or making modifications to protect our intellectual property, but potential customers can see exactly what they'll be getting before risking a penny.
  3. Pricing: $49.95 is the standard price per document. We chose this price because it's a compromise between outright giving the documents away (something that we considered) and recognizing that people do not value what is freely given regardless of the intrinsic value of the artifact.
If you are interested please let us know.

More About Value and Tools. Refocusing on my technical specialities (my skills are much more than technical editing), I want to share an article about the relative value of project management and related articles that address KM tools and their real and perceived value, and the maturing and convergence of portals and KM as reported in Portal/KM Mix Gains Mind Share.

Ending Note. Although I consider myself to be a sophisticated consumer of IT services, I find myself with one foot in the IT profession, and the other foot is almost in that domain. I now find articles, such as Standards to Drive Services to be essential to my job, which indicates the increasing shades of grey that distinguish the boundaries between IT and business. Another indication is my recent reading list, which includes Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community (an outstanding book that adds personality and psychological profiling to IS security), e-Data: Turning Data into Information with Data Warehousing (see Mike's 28 June 2001 and Linda's 30 June 2001 reviews), and The CRM Handbook: A Business Guide to Customer Relationship Management. I'll know into what I'm being transformed when the moon is next in its full phase. Until then I'll classify myself as a grandmother who refuses to morph into an adult.


Dutch - Language of Service Management? Most of our research focused on service management leads to the Netherlands, and many of the documents are in Dutch - a language that none of the members of TEAM Zarate-Tarrani read or speak.

The IT Service CMM initiative is under the aegis of the Software Engineering Research Centre (Netherlands). The other interesting initiative, the Application Services Library, a framework for application management, is also an innovation that comes from the Netherlands.

Although the entire Application Services Library web site, and most of the documents, are in Dutch, I've managed to find a few documents in English. The approach is mature, especially if you're familiar with the support hierarchy using application support analysts, business systems analysts and business systems managers. The documents are:

There is sufficient information in these documents to reverse-engineer the processes and methods that comprise the Application Services Library. I can only hope that the full suite of documents will one day be available in English.

The key point, other than sharing information and trends that we've noted, is that if you're a service level management practitioner you will do well to watch that the Dutch are doing because they appear to be doing world-class work. Learning Dutch is optional.

Thursday, April 04, 2002


Service Management. More background material and primary reading for anyone who is developing, implementing and/or managing a service delivery strategy. First, Introduction to IT Service Management places service management within the context of the IT Infrastructure Library (ITIL)approach. Linda and I have both discussed the ITIL in previous entries, and we both closely follow news related to the ITIL.

Another excellent introductory resource is the May 2000 issue of the IT Service Management Journal. Although the issue is comprised of only four pages, the discussion manages to nicely frame a value proposition for service management.

Closely related to service management, and to Linda's forthcoming entries about core processes and organizational support, is a GartnerGroup presentation titled TCO — The Framework for Optimizing Business and IT Management Decisions.

Wednesday, April 03, 2002


A Little Help for my Friends. Linda has graciously accepted the task of continuing the description of the Tarrani-Zarate Model for core processes and organization. She has been busy working on her Oracle Certified Professional training, among other things, and will get to it when her increasingly busy schedule permits.

While she's structuring her description I'm going to contribute more background material. Please note that when she and I first developed the model it was a rough cut, and the model has evolved. We're now forced to think it through, and that takes time, thought and energy.

Background material that pertains are:

  • Assessing the Organizational Impact of IT Infrastructure Capabilities. This 53-page PDF document is the findings from a survey of 236 firms regarding the he organizational impact of IT. The conclusion is that IT infrastructure capabilities have little business value. The paper goes on the claim that investments in IT infrastructure will be seriously undervalued if they are assessed only in terms of its direct link to organizational performance. IT infrastructure is of strategic importance to an organization because it either enables or inhibits IT applications and business processes.
  • Organization without Accountability = Sure Failure. This single-page PDF document is an exercise for provoking thinking - I think it succeeds.
  • The Role of Trust in Managing the Information Systems Enterprise. The author of this seven page paper goes to the core of organizational effectiveness. The paper is a cogent discussion of the keystone: trust and credibility.

Tuesday, April 02, 2002


Legal Issues and Other Matters. I've been bouncing among knowledge management, legal issues and competitive intelligence in recent entries here and in Notes from the Field. One important topic that touches everything we do is law. In particular, the legal aspects of intellectual property. See my earlier entry today in Notes from the Field for more information and breaking news.

K8 ... Q8? Insh'Allah! That cryptic lead-in is a cute way of announcing that, God willing, I will be in Kuwait working with Mike on a project. I'm sure you immediately picked up on K8 as Kate and, maybe, Q8 as Kuwait. However, unless you're Muslim or speak Arabic you probably didn't know that Insh'Allah means God Willing. At any rate, I'm excited about the professional opportunities that this holds, as well as the personal opportunity to see a part of the world that I've only heard and read about.


News, Reviews and Miscellaneous Notes. I'll be writing the next entry about the Tarrani-Zarate Model, which will address process and organization elements of the foundation layer. Much of this information deals with infrastructure, and I want to provide background material as a prelude while I'm writing my entry. One important book (among many) is one that I recently read titled, Enriching the Value Chain: Infrastructure Strategies Beyond the Enterprise. This book is an extensive rework of the authors' The Adaptive Enterprise, and in my opinion supersedes that earlier book.

Like the first book this one borrows heavily from the software engineering community to employ proven techniques, such as layered design, patterns and a component-based approach to infrastructure. Where this book extends and builds upon the earlier work is the emphasis on extending the corporate infrastructure into a meta infrastructure that is characterized by B2B and supply chains. As such it lives up to the title because the goal of the extended infrastructure is to enrich the value chain - or at least support the underlying business goals.

What I like about this book is what the authors propose is not only attainable, but makes good business sense. It starts with a 22-page introduction that clearly defines what is and is not infrastructure, and the concept of an adaptivity. These are important to understanding the approach that follows. Chapter 2, Laying the Foundation, quickly gives the basics for a layered infrastructure, develops a model for associated services that are needed to make the infrastructure adaptable, and drills down into service-related issues. I am not in complete agreement with the impact that this approach has on IT organizational structures; however, I am not willing to write it off as unfeasible until I have a chance to carefully think it through. The ideas do have merit (on paper) and are better developed in the first book.

Much of the rest of the book is a rehash of The Adaptive Enterprise, but the material is slanted towards the extended infrastructure. What is important is the emphasis on patterns and components as frameworks and building blocks. Where the first book brought infrastructure management to a new level, this book extends it in a manner that reflects the realities of connected enterprises defined by supply chain management and business partners. Please see my review of "The Adaptive Enterprise" below for specifics that apply to this book, and if you're deciding between the two books, this is the one to get.

The Adaptive Enterprise: IT Infrastructure Strategies to Manage Change and Enable Growth. The infrastructure management approach that the authors give in this book incorporates practices from systems (and software) engineering, and is a blueprint for success. The objectives are:

  1. End-to-end management with no gaps in ownership.
  2. Cost efficiencies through reuse and component-based strategies.
  3. Holistic view that looks at business, operational and technology (instead of the common 'technology only' view)
  4. Adaptability (an infrastructure that is managed to long range goals, but can be quickly adapted to emerging and immediate business needs).
How the authors meet these objectives is by identifying physical, functional and interface components that make up the infrastructure and integrating them into a service-oriented framework. This is consistent with component-based software engineering, and it is a remarkably good fit to infrastructure management. Moreover, the authors introduce patterns, also borrowed from software and systems engineering disciplines, to map business requirements to design in an efficient manner that promotes reuse. Another advantage of patterns is this approach captures knowledge (something not directly pointed out in the book). If you're not familiar with process patterns the book I recommend for infrastructure professionals is More Process Patterns by Scott Ambler. This is the second of a two book set and it directly addresses patterns that are related to infrastructure (the first book, Process Patterns, is more focused on software engineering).

The two chapters I liked the most are 4, Developing Adaptive Services, and 5, Services Starter Kit. These chapters tie services to infrastructure and go into fine detail about how to integrate services and the underlying technology. I especially like the way the authors use multiple life cycle management for each layer in the infrastructure. Chapters 6 (Processes and Methods) and 7 (Packaging and People) neatly pull together the preceding chapters into a coherent, process-oriented strategy. The single appendix is also valuable because it gives a comprehensive component catalog. This catalog can be used as the basis of the infrastructure blueprint as well as the foundation of an encompassing asset management initiative.

Miscellaneous Notes. I found a collection of papers that are related to infrastructure management that are worth reading. Until I resurface with my entry on the process and organization elements of the Tarrani-Zarate Model foundation layer you have my best regards from Azusa, California.

Monday, April 01, 2002


Book Review. Title: Acquisition: IT Due Diligence from IT Manager Development Series by Mike Sisco.

Summary: This book is one of a ten-book series of short, focused books on aspects of IT management. The companion to this particular book is Acquisition: IT Assimilations, which I reviewed in my 31 March entry.

Due diligence is about risk management from an investment perspective. This 88-page book provides a process and set of procedures for assessing the value and viability of investments in companies. The approach set forth is the book is about due diligence in acquiring companies; however, the process and procedures can be used to do an internal assessment, evaluate vendor viability and even develop a capital project portfolio.

What's Inside: The relationship between due diligence and acquisition that is the subject of the related book is defined by a meta process that begins with a letter of intent (deal structure and expected value), an assessment of value, risks, opportunities, financial impacts and projections and related criteria (due diligence - dotting the i's and crossing the t's), the acquisition, and assimilation of the new company into your existing operations. If you closely examine the factors and essence of due diligence it's boils down to CYA - cover your butt. The eight chapters in this book give you everything you need to make prudent decisions that will withstand the most critical scrutiny, and will prevent you from blundering into an investment that squanders instead of adding to shareholder value.

Specifics: The process, as in Mr. Sisco's other books, is straightforward and follows a logical sequence. He examines the key risks. steps you through how to conduct an onsite review, and provides a complete list of data collection templates. These templates include:

  • Business applications portfolio
  • Infrastructure portfolio (servers, LAN and WAN assets)
  • IT organization structure
  • Project initiatives
  • Automation capabilities
  • Software licenses/agreements
  • Software licenses/agreements - to other companies
  • Maintenance and support agreements (hardware and software)
  • Other contracts and leases
  • Capital budget items
  • Consulting/contract work - 12 month planning horizon
  • Operating budget - 12 month forecast
  • Transition costs - 12-month forecast
As you can see, the process covers asset identification, budget projections and other indicators to determine the true costs against which the actual value of the acquisition can be determined. This is what due diligence is all about - examining every facet and understanding the big picture and the details before investing.

The due diligence report is the end goal of the process and the book provides ample guidance for developing a report that summarizes the information captured during the data collection phase. As valuable as this process is, the appendices in the book provide equal value to any reader who is in a position that requires the application of due diligence. Each of the eight appendices are outlines, forms and supporting artifacts that you can tailor to your needs. Another valuable aspect of this book is the format that characterizes all of the books in the series: case studies, personal notes and side bars that liven up the text while imparting Mr. Sisco's extensive experience and observations.

What I would Have Liked: Since Mike Sisco is a frequent visitor here I am going to take this opportunity to express what I'd like to see in the next edition. Here's my wish list:

  1. An appendix that's a financial analysis primer - important balance sheet indicators, how to read a balance sheet and how to make sense of it all. Yes, the financial types will be responsible for this; however, this is something IT managers need to know, and too many can fill in a spreadsheet without understanding the overall picture that the numbers portray.
  2. Understanding leases - this is another area that is complex and needs to be exposed in greater detail. If you think IRS rules and tax laws are complex, take a close look at the Byzantine approach leasing companies take!
  3. Provide a list of auditing approaches in common use, with an emphasis on Control Objectives for Information and Related Technologies and key Financial Accounting Standards Board compliance criteria. These do not mean that IT professionals should practice auditing and accounting, but there are compliance requirements and practices of which they should be aware.
  4. Introduce the Altman Z-Score as a fundamental due diligence tool. Linda and I have used this particular tool and take every opportunity to disseminate information about it and its value for assessing the viability of a company.
  5. Overall this is an excellent book and it meets my personal criteria for value: short, focused and straightforward. It's filled with advice, tools and techniques, and--most importantly--is written by someone who has obviously performed due diligence. If you're an IT manager it may cost you more to not have this book than many times the price.