Saturday, March 02, 2002

 
Posted by Mike Tarrani 10:27 PM
Security, Standards and Choices. If you don't care where you are you're not lost. However, when it comes to security you will be lost without a map, and being lost is a bad thing.

Finding the Right Map. If you've been following security standards you know that it's a mess. A good starting point on your journey to sorting out the standards is Uncovering security standards, which is a single page that gives a brief summary of the standards you're likely to encounter and links to primary sources of information.

Choices. In the US you're probably examining the two major standards: Common Criteria and ISO 17799. We've written about Common Criteria in previous entries. What makes the choice confusing is the Common Criteria is an international standard, International Standard (IS) 15408, sponsored by ISO, and 17799 is also an ISO-sponsored standard. The crux of the matter is twofold:

1. Common Criteria and ISO 17799 are apples and oranges. In other words, there is no connection between the two. Common Criteria is designed to guide in the technical specification and evaluation of systems, while ISO 17799 is a management standard that deals with non-technical issues related to security (personnel, procedural, and physical security issues).
2. Where Common Criteria is used as an assurance measure, and as such, as a certification of sorts, ISO 17799 is not a certification program. There will be no ISO 17799 certification in the same manner that ISO certifies for ISO 9000.

At first glance it would seem logical to use both standards, and this approach has some merit. However, not all national bodies in the ISO 17799 standards making process are in agreement. Indeed, the US is among the group of national bodies that is in disagreement with the way ISO 17799 is written. This issue, among others, is addressed in the National Institute of Standards and Technology (NIST) ISO/IEC 17799:2000 FAQ. This document is clear about the US view of the standard; however, a more complete picture can be found by examining the following documents:

• Article on ISO Security Standards by Walter Fumy, Business Briefing: Global Infosecurity 2002
• Security management standard — ISO 17799/BS 7799, a paper that describes ISO 17799
• British Standard 7799, which is one of the models for the ISO 17799 standard and is worth knowing about.
• Information Security Development Trends, a discussion of general InfoSec standards and trends

Outside the US. A Zip archive with two PowerPoint presentations describe how one country, Malaysia, is standardizing on security. This is illustrative because it shows that the world is not centered on the US and Europe.

Other Considerations. For those who are in healthcare, the PowerPoint presentation titled, HIPAA by the Numbers shows the standards and issues that surround security in connection with the Healthcare Insurance Portability and Accountability Act. Also worthwhile are: Enabling Confident E-Commerce, Mobile Security, and Security Engineering Best Practices, all of which are in PowerPoint format.

End Note. I will follow-up this entry with a later one that discusses tools and techniques that can be used with any of the security standards.

Thursday, February 28, 2002

 
Posted by Mike Tarrani 11:10 PM
Connecting the Dots. Kate Hartshorn is playing a larger role in this weblog, and its sister, Notes from the Field. Kate will be posting here in the near future, but until then her ideas and expertise in business and competitive intelligence, and business strategy will be embodied in my entries.

Today's theme is business and competitive intelligence. I'm going to provide raw intelligence and techniques, but it will be up to you to connect the dots and arrive at your own conclusions.

Definitions. There is a distinction between data, raw intelligence and processed intelligence. Here are my definitions:

• Data - a fact, observation or symptom.
• Raw intelligence - collection of data that have been put into context, categorized or classified, calculated or summarized.
• Processed intelligence - information that can be used to make decisions or take actions. The state of information that is considered to be processed intelligence meets four criteria:
  1. Compared: how does this information in this situation compare to information in similar situations?
  2. Consequences: what are the implications of this information for decisions and actions?
  3. Connections: how is this information related to other information that is known?
  4. Conversation: what do people who are knowledgable about this information think?

One view of the transformation process wherein data becomes information is a management information value chain. Linda and I developed a quick reference card of Things to Consider in Technical Communications that depicts this value chain, as well as other information qualities.

As a side note, you may want to visit our Technical Communications Resources and Business and Strategic Planning Resources pages, both of which contain related information.

Sources. The following are sources of processed intelligence that you may find helpful in strategic planning, competitive intelligence or market analysis:

• Three sets of results from surveys conducted by The Intellor Group, Inc.. The surveys provide raw intelligence about industry business intelligence initiatives, XML database trends and XML adoption.
• A paper on Recalibrating Demand-Supply Chains for the Digital Economy, which is classified as raw intelligence because there is insufficient information upon which to base a strategy or action. It does, however, provide a starting point from which a strategy or an initiative can be launched after the intelligence has been processed.
• An excellent example of raw intelligence is a paper titled Dynamic Content Software Services, which makes a case for basing the component architecture for Internet Distributed Computing around SOAP (Simple Object Access Protocol). This paper is rich with raw intelligence, but does not pass the tests for processed intelligence.
• Choosing an Architecture for Wireless Content Delivery is a report that is filled with raw intelligence about the topic, plus news that falls into both data and raw intelligence in the last half of the report.

The above files are provided as examples of raw intelligence, and I have attempted to find examples that reflect contemporary issues in IT strategic planning and business/competitive intelligence.

Using Information. Two papers that show how to transform raw intelligence into processed intelligence, then use that to support decision making are:

1. A Learning Model for Forecasting the Future of Information Technology
2. Modeling and Forecasting the Information Sciences

I've also included Zip archive with two PowerPoint presentations that will give ideas about how to think about and use data.

End Notes. An article from Government Executive titled White House official outlines cybersecurity initiatives contained an interesting comment about encouraging information sharing among companies to avoid cyber attacks. The proposed initiative reported in the article is a partnership between government and business for information sharing. Why is this important? Here are a few news articles that I read only today that show why this is needed:

• From CNET News: From serenade to security hole? (You could get a worm along with a song played on a number of popular Internet media players, including Microsoft's Windows Media Player or RealNetworks' RealPlayer.)
• From Network World News: RSA speaker: 2002 will see uptick in security threats
• ZDNet reports Critics squash bug-reporting plan. This one is especially worth reading.

One final highlight: It looks like corporate America is shedding its wool this time around. Microsoft is rolling out a $200M ad campaign to "sell" .NET, and according to ZDNet's 25 February article titled, The world of Web services (according to Microsoft) there is a healthy amount of skepticism. Maybe--just maybe--the wolf won't be eating mutton; have the sheep wised up? I think that the growing awareness of product flaws coming out of Redmond may have something to do with it. The following direct quotes from the article mentioned previously, Critics squash bug-reporting plan, underscore this:

[A]s an example, Guninski draws on the recent disclosure of a bug in Microsoft's .Net framework and the Windows operating system by software risk management firm Cigital. Although Cigital said it followed the unwritten rules of responsible disclosure in the company's announcement, some security experts--including Microsoft--criticized it as being irresponsible.

He goes on to say, "I don't find it logical for it to be responsible to sell under-tested and under-quality software, and for it to be irresponsible to disclose a bug," he said. Furthermore, any vendor who sells software with disclaimers that disclaim any liability should not use the word "responsible", according to Guninski.

My take? With the focus on security, especially post 9/11 awareness, it may take more than a $200M ad campaign to convince corporate America that .NET is in their best interests. Let's hope so.

Wednesday, February 27, 2002

 
Posted by Mike Tarrani 6:54 AM
Sense & Sensibility. I recently discovered Jack Harich's home page, and was struck by two things: (1) the sensible approach Mr. Harich takes in a number of disciplines, including software reuse, processes, learning and knowledge management and best practices; and (2) an admiration for Mr. Harich's values.

I'm going to give a brief tour of the content that I especially liked, which is by no means everything on the site:

• Process: He has developed a Mini Process, that has undergone refinement, resulting in a version 2. Closely related is a Process Prescriptor page that is a highly configurable, modular approach that prescribes the optimal process components for each project anywhere in its lifetime. It fits one person on up.
• Architecture: Change Process and System Architecture, which is based on Mr. Harich's theory that software should be architecture driven. He starts with modeling the system architecture first, then works backward to the process needed to support changes to the system using that architecture. Supporting documents that he provides are continuous change architecture and change point theory (which is an element of a paper he wrote titled Configurability).
• Project Management: Among the pages are gems, such as Unpredictability, which is the minimal process necessary to achieve predictability in projects (and other initiatives), Optimizing Project Management (focused on software development), Structural Tension (one of the cleanest approaches to goal setting I've come across), and best practices.
• Miscellaneous: Visual Knowledge Structure Language (well thought out), Nature of Abstraction, Differences between procedural and object-orientation, concept maps and value-driven software evolution.

I could go on and on, but you'll have to check out this site for yourself. As an ending note, though, I do want to highlight one innovative tool that Mr. Harich has freely made available: Visual Circuit Board (VCB). VCB is a part oriented, scalable, visual tool assisted approach to software development consisting of reusable parts communicating through links with datatrons, like an electronic circuit board. VCB has a certain elegant simplicity that makes it highly intuitive, fast and fun. You can download VCB directly from his site.

The content on the web page is extraordinary, but not as extraordinary as its creator.

Tuesday, February 26, 2002

 
Posted by Mike Tarrani 11:32 PM
Practices and Processes. Today's theme spotlights best practices, processes and process improvement. These will add more depth to the security and project management topics that Linda and I have recently been discussing.

Best Practices. One amazing source of best practices is the California Health and Human Services Data Center (HHSDC). This page provides their Systems Integration Divisions (SIDs) Best Practices Website for Systems Acquisition. An example that shows why I'm so excited about this resource is the Project Office Support Tool (POST) Enterprise page. The site has a wealth of information and assets, such as project templates, a Software Acquisition CMM page and a complete set of life cycle processes.

Processes. The Process Group has a content-rich site that is focused on processes, with an emphasis on software development processes. Despite the emphasis, much of the material also applies to service delivery and IT operations. Their newsletter is excellent and available as a free e-mail subscription.

The co-founders of The Process Group have also published a book titled Making Process Improvement Work: A Concise Action Guide for Software Managers and Practitioners that will be available on 29 March 2002. For a look at the approach that the authors take, read their article titled Goal-Problem Approach for Scoping an Improvement Program that was published in the May 2000 issue of CrossTalk Magazine.

Process Improvement. The authors of Goal-Problem Approach for Scoping an Improvement Program, Neil Potter and Mary Sakry, wrote an article for the May 2000 issue of STQE titled Measuring Process Improvement: Tracking your project goals that addresses project issues in software development and quality management. I've added a PowerPoint presentation on models for software process improvement to my site to augment the article. Enjoy.

End Notes: I'm going to wrap this up with some papers that will be of interest to anyone who is interested in IT process improvement, operations management or service level management:

• How to Support the Negotiation of Service Level Agreements (SLAs) for Your Client/Server Application
• Information Systems Sourcing Prototypes
• Modeling IT Operations to Derive Provider Accepted Management Tools and the companion paper, Process oriented Approach to Develop Provider accepted Management Tools
• Specification of a Service Management Architecture to Run Distributed and Networked Systems
• Development Framework for Service-Oriented Application Instrumentation and SAP R/3 Model

One final paper that may be of interest is a dissertation titled Information Technology Implementation Issues: An Analysis. This research project addresses the issues affecting information technology development and deployment. The issues represented in this study are addressed in the context of IT implementation processes, especially with regard to the question of the needs and perceptions of administrators from the local government arena. You can download the thesis in PDF format.

 
Posted by Mike Tarrani 12:16 AM
Security. Tonight's entry is a list of security resources that I just received in a Gartner G2 Newsletter. Each article is short and packed with relevant information:

• Prioritizing Security Efforts: Create Structure from Disorder (download in PDF format)
• Don't Get Blindsided by Privacy and Security Regulations (download in PDF format)
• Privacy and Security: On a Continuum or a Collision Course? (download in PDF format)
• Intrusion Detection Systems (IDSs: Perspective) (download in PDF format)
• Big Brother: Real-Time Behavioral Monitoring (download in PDF format)
• Improving Enterprise Security (download in PDF format)

Since we have a number of regular readers who are in India, Malaysia and in other Asian countries I want to invite attention to a free Gartner newsletter called GartnerVoice that provides monthly news items for the Asia and India IT industries.

Monday, February 25, 2002

 
Posted by Mike Tarrani 5:01 AM
Don't Try This at Home. On Sunday, 24 February Linda realized a life-long dream by strapping on a parachute and jumping out of an airplane. That act embodies Linda's essence: she lives her life to the fullest, and endeavors to experience everything worth experiencing. I greatly admire her and strive to follow her example.

Unseen (and greatly appreciated) Forces. I write an entry here each day, and when she has time Linda also contributes. You see our names attached to the entries, but what you don't see is Kate Hartshorn's behind-the-scenes editorial magic. Linda and I will take responsibility for any errors, but I assure you that there would be many more if we didn't have Kate's editorial touch.

Linda and Kate epitomize the concept of teamwork, and I am indeed fortunate to work with both of these wonderful professionals. I can assure you that I consider it a privilege to be able to have them as friends as well as colleagues.

 
Posted by Mike Tarrani 12:37 AM
Advanced Project Management. In the past two entries I've focused on project management, and have provided what I consider to be critical success factors necessary for effective project management.

Advanced Techniques. Although you can effectively manage most projects by using a few simple techniques, as the complexity and scope of projects to which you're tasked with managing grow, you'll find that more advanced techniques are appropriate.

Keep It Simple. I am an advocate of keeping things as simple as possible. While I firmly believe that earned value project management, for example, is essential for project control, it's overkill for small, short-duration projects. I mention this because the advanced techniques are for high-end projects. They are not appropriate for, or applicable to, every project. Use the same judgement when selecting and applying these techniques as you would for handtools. You wouldn't select a sledgehammer to drive a thumbtack, right?

Cost and Schedule. Earned value integrates and correlates cost and schedule management. Two MS Word papers that deal with finer details are Management Impact On Software Cost and Schedule and A New Perspective in Software Schedule and Cost Estimation. What I like about these papers is the fact that the author of both (Randall W. Jensen) looks at people issues as well as quantitative methods.

Software Project Planning, Statistics, and Earned Value shows how EVPM starts with the planning and estimation phases of a project to develop the baseline to which you'll be managing, and how to use advanced techniques to develop and manage to that baseline.

Metrics Integration. A paper titled Practical Software Measurement, Performance-Based Earned Value ties together project control (EVPM) and estimating and measurement based on the Practical Software Measurement approach (PSM). This holistic approach is effective, but is only appropriate for highly mature organizations. Most US software companies, as well as large corporations with sophisticated in-house development, have a long way to go before the approach in this paper is achievable. Many offshore and selected US companies, especially those that have attained CMM level 3 or above, will find this paper useful. Another, more general, paper that will be useful to all project managers regardless of organizational maturity is A Framework for Software Project Metrics.

Project Success Factors. The following two papers cover each end of the project spectrum: Project Clarity Through Stakeholder Analysis provides techniques and advice for determining and setting stakeholder expectations. The importance of this critical success factor cannot be overestimated. At the other end is an article titled Project Recovery… It Can be Done. Needless to say, this paper is essential reading because the advice and techniques the author provides are worth their weight in gold - especially if you're struggling with an out-of-control project.

End Note. If you're working in an organization that has adopted the Rational Unified Process, or are seeking a coherent, off-the-shelf software project management process that will work with any development organization, I recommend Walker Royce's excellent book, Software Project Management: Unified Framework. Although this book is slanted towards the Rational Unified Process, the approach is flexible enough for any methodology. It covers earned value in detail, as well as estimating and planning. Although I have not written a review of this book I have read it and refer to it often.

Sunday, February 24, 2002

 
Posted by Mike Tarrani 12:56 AM
In my last entry I discussed a number of critical success factors, and also introduced earned value project management (EVPM). Earned value is typically thought of as an element of project control, and to a large extent it is. However, it is also an integral part of the planning and estimating process because it's used to develop cost and schedule baselines.

In my opinion it's impossible to effectively manage a project without EVPM. The best book on the topic is Earned Value Project Management by Quentin W. Fleming, Joel M. Koppelman. See my 18 March 2001 Amazon review for why I think this book is the best.

There are also five articles that every project manager should read:

1. Earned Value Project Management: An Introduction
2. Earned Value Project Management: A Powerful Tool for Software Projects
3. Gaining Confidence in Using Return On Investment and Earned Value
4. Applying Management Reserve to Projects
5. Impact Estimation Tables: Understanding Complex Technology Quantitatively

If you start with the first article and work your way through the list you'll go from an introduction to advanced techniques.

If you are at an advanced level in project management, I recommend that you read an article by Dr. Barry Boehm et al. on schedule as an independent variable (SAIV), cost as an independent variable (CAIV), and schedule-cost-quality as independent variables (SCQAIV).