Saturday, February 16, 2002
Posted by Mike Tarrani
11:20 PM
Friends, Files & Folly. Earlier today in Notes from the Field I extended the topics I started here yesterday and turned the focus on quality. If you're interested in advanced SQA or web usability metrics you'll want to read that entry. In this entry I am going to provide more files that will augment the four core skills I discussed yesterday.
Friends. Today is Marcia Hopkins' birthday. Marcia is a close friend and a talented IT professional whose wide range of skills and commitment to professionalism epitomize everything this weblog is about - improving the IT profession. Happy birthday Marcia!
Files. Yesterday was about four core skills and how risk management is a common denominator. Today I am going to provide documents that will be useful in each of the core skill areas, as well as point you to a collection of risk management artifacts and articles. You'll also want this Information Systems Risk Management Manual if you're actively involved in IT risk management and/or want to improve your knowledge and skills. The skill-specific documents are:
- Project Management:
- Analysis and Assessment:
- Measurement and Metrics:
- Security: A collection of security publications and a collection of security document drafts from the National Institute of Standards and Technology Computer Security Resource Center.
Folly. If you want to see folly, read David Courtney's 14 February 2002 article in ZDNet Tech Update. Enjoy the weekend ...

Friday, February 15, 2002
Posted by Mike Tarrani
7:02 PM
Mindsets, Techniques & Tools. My friend Muthukumar U and I had a long phone conversation on the 14th. Muthukumar is a risk analyst for HSBC Bank Middle East (he works in the Sharjah, UAE offices). Our conversation was interleaved with catching up on personal stuff, a project he and I were working on with Thinking Minds, Inc. for Bank of Baroda (India), and some of the challenges that Muthukumar was facing as a risk analyst. Naturally, risk was a recurring topic throughout the conversation. After we hung up I began thinking about risk management and how it relates to our profession. As IT professionals there are four core skills that we are all required to master:
- Project management
- Analysis and assessment
- Measurement and metrics
- Security
Risk management is an integral element of each, and as IT professionals this element needs to be an integral part of our mindset.
Risk Management Mindset. Risk management is one of the key processes in project management, as evidenced by the fact that it is a project management knowledge area with six associated processes in PMI's Project Management Body of Knowledge (PMBOK), the US national standard for project management. If you're using the UK standard for project management, PRINCE2, then you already understand the importance of risk management because it permeates the processes: it is required in project start-up, initiation and stage boundary management, and is a key activity throughout PRINCE2's directing a project process. In our analyses and assessments we would be remiss if we didn't factor in risk. For example, we need to constantly ask questions like:
- What is the probability of occurrence (or non-occurrence) of an event and what is the impact?
- What are the dependencies between and among systems, processes or other subjects of analysis and assessment?
- What are the risks of being wrong in an assessment?
- How confident are we in our findings, and how can we mitigate uncertainties in our findings?
Measurements and metrics are the foundation of quality. Quality is a key factor in both applications and service delivery. It's also a PMBOK project management knowledge area as well as a foundation of PRINCE2, which focuses attention on quality of deliverables. Uncertainty manifests itself in measurements and metrics, especially when we need to define the scope of what we're measuring or of the metrics we're collecting. Dealing with this uncertainty (risk) in measurements and metrics requires a good understanding of basic probability and statistics. This is especially true if you're working with or for a company that employs TQM or is at or above CMM level 3. Attaining an effective security posture requires that security be everyone's business. The foundation is awareness. At the risk of sounding Zen-like, awareness encompasses risk concepts: if you think in terms of risk you'll be enlightened. If you ponder the core skills and common tasks, you'll see they're interrelated. Try to imagine project management without analysis and assessment. How can analysis and assessment tasks be accomplished without measurements and metrics? And can you conceive of an effective security posture that does not include analysis and assessment? From the above discussion, another skill that is directly related to risk management emerges: auditing. In fact, as you delve into risk management you keep bumping into auditing. Moreover, auditing in some form is an element of each of the four core skills. I view auditing as a task element rather than a core skill for IT professionals. This does not diminish the important role of IT auditors and their profession. Instead, it underscores their importance as professionals, and also recognizes that risk management cannot stand by itself without auditing. Nor can the four core skills I cited.
Techniques. Which came first, auditing or risk management? Instead of pondering that question I am going to recommend a resource on the integration of auditing and risk from an auditor's perspective: Activity Based Risk Evaluation Model of Auditing. This is a powerful framework and one that adds structure and clarity to auditing. If you add this to your knowledge and skill sets you'll find it enhances your abilities in each of the four core skills. Another resource for professional auditors, but useful for IT professionals in general, is Risk Management: Defining a New Paradigm for Internal Auditors. An article that specifically addresses the integration of risk management and auditing is Changing the Paradigm (integrating risk management and internal auditing). IT-specific auditing resources include:
Tools. One of the most useful tools for implementing a process is an example. The Treasury Board of Canada has an Integrated Risk Management Framework in MS Word format that can be adapted to meet your organization's requirements and will kickstart a risk management process implementation. As you become more familiar with IT auditing as an element of risk management, you're going to begin seeing the term COSO crop up. The term stands for the Committee of Sponsoring Organizations (of the Treadway Commission). The sponsoring organizations are: the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the American Accounting Association, the Institute of Management Accountants, and the Financial Executives Institute. In practice, however, COSO is commonly used to refer to its report Internal Control - An Integrated Framework. The best way to understand the significance of COSO is to see how it's used by real organizations. The University of Texas System Institutional Compliance Program, described in a set of PowerPoint and Word documents that explain that institution's use of the framework, is a valuable example. How COSO applies to IT is illustrated in Network Auditing: A Control Assessment Approach by Gordon E. Smith.
A glimpse into how that book uses COSO as a foundation can be seen in an article by Mr. Smith titled Securing the Internet for 2002. Another book that is more focused on risk management, but has the same general theme, is Information Security Risk Analysis by Thomas R. Peltier. Linda reviewed this book on Amazon on 25 September 2001, and I reviewed it on 22 April 2001. If your statistics are a bit rusty you can get up to speed on the basics with Statistical Sampling Refresher. If your interests lie in project risk tools and techniques, my special project management page and my [now defunct] project management newsletter are sources of information. A compelling example of why auditing is important to IT is the SF Gate article, Risky Business: Tangling with the Business Software Alliance. This exercise in fear, uncertainty and doubt will get your attention if you're in management. An exercise for those of you who use MS IE5 or above will show in practical ways how risk and auditing go together.
Late Note: 18:00 US Pacific time, 15 February - I just posted related material, with an emphasis on software quality, in our Notes from the Field weblog.

Thursday, February 14, 2002
Posted by Mike Tarrani
9:28 PM
I just added a Search Feature to this page that returns results from both this page and Notes from the Field (see links on the left side of this page). Thanks to Unmesh Laddha for suggesting this enhancement.
Posted by Mike Tarrani
7:31 PM
Steve Page (mentioned in Linda's Notes from the Field entry earlier today) has a new book coming out about how to align strategy to policy. I agree with Linda that Steve is a foremost expert on the subject of policies and procedures, and his three books on the subject set a high standard for content and approach. Imagine my dismay when I checked Amazon to find a sprinkling of negative reviews among the majority of glowing praise for two of these books. The reviewers seem to focus on a few typos and sentence structure, completely missing the message. And the message in Steve's books is the essence: how to develop effective (and enforceable) policies and procedures. Here's my recap of the books:
- Establishing a System of Policies and Procedures: This is Steve's first book, published in 1998, and it is the first book (to the best of my knowledge) that steps readers through the unglamorous--but important--task of writing policies and procedures. Anyone who follows Mr. Page's steps will develop well-crafted policies and procedures that are unambiguous and clearly stated. This is where the Amazon "Reviewer from Independence, MO" and I disagree. The reviewer wrote on 12 February 2002 that the book "[is] long-winded, badly edited, poorly written ...", which are subjective judgements. While the book will never be classified as a literary masterpiece, and it does contain typos, it will stand (in my opinion) as a solid book on the subject and one that I recommend without reservation to anyone who is faced with the task of writing policies and procedures.
- Achieving 100% Compliance of Policies and Procedures: This is Mr. Page's second book, and in my opinion the best of the three that he's written. Each of the five reviewers, including Linda (see her 2 May 2001 review), awarded this book five stars and consistently glowing comments. Even experienced policies and procedures developers will find a technique or two that they didn't previously know.
- 7 Steps to Better Written Policies and Procedures: This book is better suited to experienced policies and procedures writers. In fact, this book is a shining example of the economies of reuse because it's a reprint of key parts of Achieving 100% Compliance of Policies and Procedures. Our friend, "Reviewer from Independence, MO", decided to lambast this book on 12 February 2002 as well. His/her negative review, however, was the only dissenting one of the seven posted on Amazon (including my 27 September 2001 review, which was followed by Linda's 28 September review).
The purpose of my thoughts is not to single out the dissenter from Missouri, but to make a point about fact vs. value, which is a fundamental skill that analysts need to develop and refine. In the case of the books, the reviewer was mixing facts (typos) with values (subjective statements about writing style) and then drawing conclusions that reflected bias towards the value judgement. As analysts (and we all are), we need to park our values when we're objectively evaluating a process, design alternative, book or proposal. The key is to focus on the essence of whatever it is that we're evaluating. To illustrate this, I am going to invite your attention to another book that both Linda and I reviewed: IT Organization: Building A Worldclass Infrastructure. My 11 January 2001 review noted the flaws in the book, including typos, a table of contents that didn't describe what was in the book and other blemishes. Had I imposed my values and stopped reading the book for those reasons I would have missed some extremely valuable insights about IT organizational management. In fact, this book has strongly influenced my thinking and approach. Linda's 16 May 2001 review acknowledged some of the same problems with the book, but her perspective uncovered even more valuable information the authors were providing. Yes, the book has a few warts. A look beyond the warts reveals innovative thoughts and documented best practices. Had we dwelled on the warts we would have missed the book's message. The moral is to strive to remain objective and to put things into perspective. In the case of a book, are typos and sentence structure show-stoppers or merely inconveniences? In the case of other artifacts and processes that we are called upon to objectively evaluate, are we allowing values and nitpicking to get in the way of finding the real strengths and weaknesses of our subject? Think about it.

Wednesday, February 13, 2002
Posted by Mike Tarrani
7:20 PM
Random Musings. It's amazing how one thought triggers another until ideas emerge out of the mesh of random thoughts. Earlier I was thinking about a few milestone events: my close friend Marcia Hopkins has a birthday on the 16th, followed by Linda's birthday on the 17th, and the 35th anniversary of my joining the Navy on the 20th. What brought these thoughts into focus was the fact that a neighbor revealed that her brother was in the same industry as I am, which led to e-mail exchanges, which led to a visit to his company ChangeBridge. It turns out that ChangeBridge is an SEI Transition Partner for introduction to the CMMI Systems Engineering/Software Engineering Courses and SCAMPI Assessment Services. That fact linked me to Thinking Minds, Inc. because Linda and I did some earlier CMM strategy planning with Unmesh Laddha, Thinking Minds' CEO. It didn't end there - I did a quick Google search on ChangeBridge and discovered that Mark Servello, whom I knew over 14 years ago from a Navy assignment as MIS director, was associated with ChangeBridge. That assignment, by the way, was for a large Navy facility in San Diego and was the one that capped off my 22-year Navy career. Naturally more thoughts entered my head - CMM, San Diego, process improvement and related connections that I hadn't fully sorted out. These thoughts, though, led to more research, which led to ProcessVelocity, LLP, a San Diego-based consulting firm that is also an SEI Transition Partner. This small consulting firm also provides some innovative services, including three jumpstart services designed to assess and jumpstart a client's SQA, SCM or XP (eXtreme Programming) initiatives. While I was visiting the site I also downloaded two valuable files in Windows helpfile format: the CMMI Staged and CMMI Continuous representations. For some reason my thoughts turned to ISO 9000, which led to NASA's Independent Software Verification and Validation site's ISO 9001 documents, all of which are in PDF and MS Word formats.
This collection of documents exemplifies how to develop an ISO 9001-compliant quality manual. If you think ISO 9001 is unimportant or does not support the CMM, read my 9 July 2001 review of ISO 9000-3: A Tool for Software Product and Process Improvement on Amazon. Time to get out of daydream mode and back to work.

Tuesday, February 12, 2002
Posted by Mike Tarrani
6:52 PM
NOTICE: CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP) was issued today (12 February 2002). See also: Network World article titled CERT warns of SNMP vulnerability with widespread impact for a quick summary of the impact and scope of this problem.
Posted by Mike Tarrani
4:14 PM
Project Management. Project managers may be interested in project budgeting resources, a collection of Word and Excel documents. Some of the documentation is scant to nonexistent, but most of the spreadsheets and other tools will be easy for experienced project managers to figure out and quickly use.
Collaborative Frameworks. Anyone involved in group collaboration system design will find the DARPA-sponsored document titled collaborative framework rich in ideas and a highly useful methodology for evaluating collaborative computing systems. This framework applies to collaborative systems engines, such as ThinkingWare (developed by Thinking Minds, Inc.), as well as to architects and analysts developing portals and workflow systems.
Security. Regardless of whether you're an IT security professional or specialize in a different discipline, security is an inescapable concern. In previous entries I've discussed the need to incorporate security into testing, architecture and every other facet of service and applications delivery. One standard of which every IT professional should be aware is the Common Criteria for IT Security Evaluation (CC). Why? ISO approved and published the CC text as International Standard (IS) 15408 on 1 December 1999. The CC started as a NIST initiative (see the original web page). You may find either or both of the two sites I listed overwhelming at first, and may want to get the cocktail party version of the CC (PowerPoint format) before you go exploring. Two other related PowerPoint presentations are also worth downloading and reading:
- Protection Profile Process Improvement, which discusses CC protection profiles and how to align the CC to the Systems Security Engineering Capability Maturity Model (SSE-CMM).
- Information Security Metrics. This presentation by Bear Stearns gives an auditing approach that incorporates both process and metrics.
For general security awareness you may want to read the PowerPoint presentations on E-security and wireless security, both of which summarize the key issues.
End Notes: Spiked's IT section is a fresh source of IT news that is oriented towards business more than technology. I've also updated Notes from the Field with a few topics that will foster IT professionalism; specifically, a policy and procedures document for software inspections, and an interesting paper on using eXtreme Programming as a core approach for e-business start-up companies.

Monday, February 11, 2002
Posted by Mike Tarrani
8:43 PM
Process, Finance and Quality. I have a wealth of related resources to share in this entry:
- Activity-Based Cost and Value-Added Assessment
- eXtensible Business Reporting Language (XBRL)
- Reference Software Quality Profiles
These resources are closely aligned with the design patterns (and anti-patterns) that I covered in today's entry in Notes from the Field. Where patterns capture best practices, the topics I'm covering here are the basis for best practices.
Activity-Based Cost and Value-Added Assessment. I've used activity-based cost management (ABCM) since 1993, and have found it to be one of the most effective techniques for determining total cost of ownership (TCO) for systems and applications. I've also used it to cost out shared resources and estimate outsourcing P&L from a vendor point of view. A Management Accounting Framework by Gary Cokins is a good starting point if you're not familiar with ABCM. Mr. Cokins is also the author of Activity-Based Cost Management Making It Work: A Manager's Guide to Implementing and Sustaining an Effective ABC System (see my 25 February 2001 review on Amazon). Another facet of cost management is value assessment - the process of discovering non-value-added activities in processes. There is a clear connection between ABCM and value assessment, and one of the best resources I've encountered is William E. Trischler's book titled Understanding and Applying Value-Added Assessment: Eliminating Business Process Waste. My 6 July 2001 review of this excellent book on Amazon summarizes why you should read it. Another resource is a whitepaper by Thomas Miller titled Enterprise Architecture Framework: Providing a "Value Added" Analysis Capability. Value analysis is not limited to measuring process steps, as evidenced by Knowledge Value Added and Business Process Auditing. This brief paper is augmented by another paper that ties together knowledge value and ABCM by comparing the two. That paper, Knowledge Value Added and Activity Based Costing: A Comparison of Re-engineering Methodologies, is one of a series of similar papers that address different facets of the same topics.
We're now getting deep into business process improvement and reengineering territory. One valuable resource that covers this broader look at processes is the FAA's Business Process Improvement/Reengineering Handbook. Another resource is a PowerPoint presentation titled Tools for Managers: Measuring Performance and Success. I'll wrap this topic up with two other recommended resources:
- A whitepaper in PDF format titled Principles of Benchmarking.
- Paul Strassmann's web page. If you're one of the half-dozen IT professionals who has not heard of Mr. Strassmann you're in for a treat as you read through his articles and papers. This guy is opinionated, egotistic, obnoxious - and is rarely wrong. His seminal book, The Business Value of Computers, established him as a straight-talking senior executive who was not afraid to debunk the voodoo methods used to justify computer purchases. Since this book's 1990 debut Mr. Strassmann's book writing has been prolific, and he has augmented his books with a series of digital publications.
eXtensible Business Reporting Language (XBRL). If you are working with or for a financial institution, or are supporting your company's finance department, then XBRL is an important topic. A starting point is XBRL.ORG, which is developing XBRL for the preparation and exchange of business reports and data. The initial goal of XBRL is to provide an XML-based framework that the global business information supply chain will use to create, exchange, and analyze financial reporting information including, but not limited to, regulatory filings such as annual and quarterly financial statements, general ledger information, and audit schedules. The XBRL Educational Resource Center maintained by Bryant College is a content-rich source of XBRL information too. If you want a good overview of XBRL, download the XML-XRBL PowerPoint presentation. The Extensible Business Reporting Language (XBRL) 2.0 Specification dated 4 February 2002 (MS Word format) is the official spec and is essential reading if you are involved with XBRL solution development. There are two books on the topic, neither of which I've read, that are currently available:
- Introducing XBRL: Making Decisions in a Digital Economy
- XBRL Essentials
Reference Software Quality Profiles. This topic is loosely related to XBRL and tightly related to SQA. An overview is provided in Definition of reference software quality profiles, which contains two MS Word documents that go into more detail:
- Software Product Quality Evaluation and Certification: the Qseal Consortium Methodology.
- The IBISCO initiative for the evaluation and certification of bank software product quality.
The latter document is the loose tie-in to XBRL, and is an essential document for anyone who works with or supports bank applications.
End Note: Do you have a fall-back strategy to go into manual mode if you lose a critical application? Here is an example of such a strategy for business process areas that depend heavily on word processing (law offices, transcription agencies, etc.), and a reminder to find a little fun in life.

Sunday, February 10, 2002
Posted by Mike Tarrani
11:12 PM
Important. I haven't authenticated this, but it comes from a source whom I trust. The warning is:
The IRS Criminal Investigations Division recently sent out an alert to law enforcement agencies regarding this scam. PLEASE READ and FORWARD to others, so they might not be a victim of what could seriously damage you financially. Some taxpayers have received e-mails from a non-IRS source indicating that the taxpayer is under audit and needs to complete a questionnaire within 48 hours to avoid the assessment of penalties and interest. The e-mail refers to an "e-audit" and references IRS form 1040. The taxpayer is asked for social security numbers, bank account numbers and other confidential information. The IRS does not conduct e-audits, nor does it notify taxpayers of a pending audit via e-mail. That e-mail is not from the IRS. Any e-mail received of this nature should be saved so that a computer forensics investigation can be conducted to determine the originator. Law enforcement personnel should remain cognizant of this latest identity theft ploy. And this social engineering exploit is not limited to the U.S.A. A criminal in your country can also pull a scam like this. Be warned! More info at: webmaster@fleoa.org - Federal Law Enforcement Officers Association.
I did do a quick Google search and discovered that this scam is also being pulled over the phone.
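The warning above says to keep any such message so that a forensic look can be taken at where it came from. As an added example (my code, not part of the original post, the IRS alert or FLEOA material), here is a first-pass triage script for a suspected "e-audit" message using only the Python standard library. It assumes irs.gov is the only legitimate IRS sender domain, the keyword lists are illustrative, and the message it runs on is constructed for the example using reserved documentation addresses (.example domains, RFC 5737 IP ranges), not a real sample.

```python
# Added example: triage of a suspected "e-audit" phishing e-mail (not from the original post).
# Sample messages are constructed; domains/IPs are reserved documentation values.
import re
from email import message_from_string, policy

TRUSTED_SENDER_DOMAINS = {"irs.gov"}   # assumption: the only legitimate IRS sender domain
IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
CLAIMS_IRS = re.compile(r"\bIRS\b", re.I)
DEADLINE_WORDS = re.compile(r"\b(?:within\s+\d+\s+hours|immediately|48 hours)\b", re.I)
SENSITIVE_WORDS = re.compile(r"social security number|bank account|routing number|password", re.I)

# Constructed phishing sample, modelled on the scam described in the alert.
SAMPLE_PHISH = """\
Received: from mail.example-hosting.net (mail.example-hosting.net [203.0.113.25]) by mx.victim.example with ESMTP; Sun, 10 Feb 2002 14:02:11 -0800
Received: from [198.51.100.7] (unknown [198.51.100.7]) by mail.example-hosting.net with SMTP; Sun, 10 Feb 2002 14:01:58 -0800
From: "IRS e-Audit Division" <audit@irs-eaudit.example>
Reply-To: returns@mailbox.example
To: taxpayer@victim.example
Subject: Notice of e-audit: Form 1040 questionnaire due within 48 hours

You have been selected for an e-audit of your Form 1040. Complete the
attached questionnaire within 48 hours to avoid assessment of penalties
and interest. Provide your social security number and bank account number.
"""

# Constructed ordinary message, to show the checks stay quiet on benign mail.
SAMPLE_BENIGN = """\
Received: from mail.victim.example (mail.victim.example [192.0.2.10]) by mx.victim.example with ESMTP; Sun, 10 Feb 2002 09:00:00 -0800
From: "Payroll" <payroll@victim.example>
To: taxpayer@victim.example
Subject: W-2 forms are available in the HR office

Your W-2 form is ready for pickup at the HR office during business hours.
"""


def originating_ip(msg):
    """Received headers are prepended by each relay, so the last one is nearest the
    sender. Only the hops added by your own servers can be trusted; earlier ones
    may be forged, so treat the result as a lead for the investigation, not proof."""
    hops = []
    for header in msg.get_all("Received", []):
        match = IP_IN_RECEIVED.search(str(header))
        if match:
            hops.append(match.group(1))
    return hops[-1] if hops else None


def triage(raw_message):
    """Return the sender facts an investigator wants plus a list of phishing indicators."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    from_domain = sender.domain.lower() if sender else ""
    subject = str(msg["Subject"] or "")
    header_text = (sender.display_name if sender else "") + " " + subject
    # 1. Claims to be the IRS but is not sent from the IRS domain.
    if CLAIMS_IRS.search(header_text) and from_domain not in TRUSTED_SENDER_DOMAINS:
        findings.append("claims_irs_from_untrusted_domain")
    # 2. Replies are steered to a different domain than the visible sender.
    reply_to = msg["Reply-To"].addresses[0].domain.lower() if msg["Reply-To"] else from_domain
    if reply_to != from_domain:
        findings.append("reply_to_domain_mismatch")
    # 3 and 4. Time pressure and a request for confidential data, the scam's hallmarks.
    body = msg.get_body(preferencelist=("plain",))
    text = subject + "\n" + (body.get_content() if body else "")
    if DEADLINE_WORDS.search(text):
        findings.append("deadline_pressure")
    if SENSITIVE_WORDS.search(text):
        findings.append("requests_sensitive_data")
    return {"from_domain": from_domain, "reply_to_domain": reply_to,
            "origin_ip": originating_ip(msg), "findings": findings,
            "verdict": "likely phishing" if len(findings) >= 2 else "review manually"}


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(triage(sample))
```

The verdict threshold is deliberately crude; the useful output for the forensics step the alert asks for is the preserved raw message together with the origin address and the domains that the From and Reply-To headers actually point at.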
Posted by Mike Tarrani
8:37 PM
Loose Ends & Miscellaneous Notes. It's a beautiful Sunday in Southern California, so this entry is going to be short. My goals are to tie up some loose ends with respect to yesterday's entry on security and to also share a few sites that I serendipitously found in my never-ending surfing and research.
Security Redux. Phenoelit, a self-described German greyhat group (and one of the presenters at Black Hat Briefings '01), has an interesting site that features tools and papers security professionals will find both interesting and useful. The tools include:
- VIPPR (Virtual IP Phalanx Router) - a study of attack router concepts
- IRPAS - Internetwork Routing Protocol Attack Suite
- ARP0c - a connection interceptor (using ARP spoofing and a bridging engine)
- cd00r.c - working proof-of-concept code for a non-listening remote shell on UN*X systems (a backdoor that keeps no listening port open)
- PHoss - a sniffer designed to find HTTP, FTP, LDAP, Telnet, IMAP4 and POP3 logins on the wire
- Lumberjack - scans the password hashes of all entries in an LDIF file
- KOLD - a dictionary attack against an LDAP server
- ObiWAN - a brute-force attack against web-server authentication, using repeated authentication requests
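ARP0c, listed above, intercepts connections by answering ARP requests with the attacker's MAC address for both ends of a conversation and bridging the traffic between them. As an added example (my code, not Phenoelit's), here is the detection side of that technique in Python: a parser for raw Ethernet/ARP frames plus a check that baselines IP-to-MAC bindings and alerts when an IP is rebound to a different MAC or one MAC ends up answering for more than one IP. The addresses and frames are constructed for the example; nothing is captured from a real network.

```python
# Added example: detecting ARP-spoofing interception of the kind ARP0c performs
# (not from the original post or from Phenoelit). All frames below are constructed.
import struct
from collections import defaultdict

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an IPv4 ARP reply (constructed test traffic)."""
    eth = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # htype, ptype, hlen, plen, opcode
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


def detect_arp_spoof(frames):
    """Alert when an ARP reply rebinds an already-seen IP to a different MAC, and when
    one MAC has answered for several IPs (the interceptor claims both ends at once)."""
    baseline = {}               # ip -> first MAC seen answering for it
    claims = defaultdict(set)   # mac -> IPs it has answered for
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip in baseline and baseline[ip] != mac:
            alerts.append(("ip_rebound", ip, baseline[ip], mac))
        baseline.setdefault(ip, mac)   # first-seen binding wins
        claims[mac].add(ip)
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(("mac_claims_multiple_ips", mac, tuple(sorted(ips))))
    return alerts


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:10"
ATTACKER_MAC = "aa:bb:cc:dd:ee:ff"   # hypothetical interceptor

# Constructed sample: two honest replies, then the attacker answering for both ends.
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # poisons the victim
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),   # poisons the gateway
    build_arp_reply("00:11:22:33:44:20", "192.168.1.20", GATEWAY_MAC, GATEWAY_IP),
]

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_FRAMES):
        print(alert)
```

Legitimate rebinding does happen (DHCP lease reuse, a replaced NIC, router failover protocols that move a virtual IP between MACs), so in production the baseline needs ageing or seeding from a known inventory, and the frames would come from a capture library rather than being built by hand.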
Chilling stuff, but forewarned is forearmed. If you want both insights into security and a well-written technical primer I highly recommend Bruce Schneier's Secrets and Lies: Digital Security in a Networked World. My friend Kate Hartshorn wrote an insightful review on Amazon dated 8 November 2001, and I reviewed this outstanding book on 3 January 2001. If you like this book and want a gentle introduction to the underlying math and mechanics of the technologies it introduces, I also recommend Cryptography Decrypted. Linda reviewed this book on 17 December 2001 and I wrote a review on 16 March 2001. The Papers & References page on the Phenoelit site points to mainstream and non-mainstream resources.
Discoveries.
- Moneywords is Tom Welsh's project management site. It contains checklists and a comprehensive list of book recommendations. I discovered this gem when Tom posted a message in our Project Management Forum. One page I especially like is Barometers, which is a listing of financial ratios and indicators.
- Introduction to the Zachman Framework by David Hay. I've been a strong proponent of the Zachman framework ever since reading Spewak and Hill's Enterprise Architecture Planning. See Linda's 21 January 2001 review on Amazon. I first read this book in 1993 and can attest that it's as relevant today as it was when it was first published over nine years ago.
- Enterprise-Wide IT Architecture, which is a reference site and community resource for Enterprise-wide Information Technology Architecture (EWITA) or Enterprise Architecture (EA).
- ZIFA, which is the Zachman Institute for Framework Advancement. I didn't recently discover this site, but am including it because it fits well into the themes of the sites I previously mentioned.
