Saturday, May 04, 2002
Risk management is a much discussed topic here, and one of the better books on this topic that I've recently read is Effective Risk Management: Some Keys to Success. This book is for risk management professionals, or those who work with risk management (project managers, IT security and business continuity professionals and engineers) who want or need to master advanced risk management techniques based on real world issues and factors. Although the book is focused on risk management from a DoD contracting perspective, the material is applicable to commercial organizations as well. The author provides an appendix that compares DoD contracting and commercial environments to ensure that this book has a wide appeal (A Comparison of Risk Management for Commercial and Defense Programs). Obviously, if you work in the DoD contracting industry this book is going to be more applicable.
The book begins with an introduction that discusses risk management, why it's needed and what it is. I felt that this material was too basic for an advanced book, but the subsequent chapters quickly got to the heart of the subject by providing the details for an implementation life cycle of an effective risk management process that consists of:
- Managing risks
What makes this book valuable for real world practitioners is the pragmatic advice for developing a risk management process that is based on the lessons learned by the author and best practices. In fact, there are over 250 such lessons learned. These alone make the book worthwhile for even the most experienced practitioner because there are sure to be many that you may not have considered. In addition to the best practices, the author provides pitfalls common to risk management and how to avoid them.
Another aspect of this book that adds value is the use of readily available tools, such as Microsoft Excel, and popular simulation software (CrystalBall) to reinforce the techniques that are described in the book. Overall this is one of the best books on risk management that I own because it goes into deep detail and covers advanced topics. It also is practical instead of theoretical, which sets it apart from most risk management books. See my 3 May entry in Notes from the Field for descriptions of tools that you will find useful with the probability computations that are required to effectively compute risks.
Essential Security Resources. If you develop security policies and procedures you need to seriously consider investing in a copy of Information Security Policies Made Easy. The 1175 policies contained in this book are also provided in soft copy on the accompanying CD ROM, making this one of the most valuable resources for companies that need to cost-effectively develop and implement policies. This book is also particularly valuable for consultants, although the licensing appears to restrict the use of the policies if they are used verbatim. However, each of the policies is too generic to be used as is, so for consultants their value is in the key elements and discussion of each.
Unlike other collections of security policies that I've purchased, this collection is up-to-date and addresses contemporary requirements. Among the specific policies in this collection are those that address:
- HIPAA (Health Insurance Portability and Accountability Act), which is a high priority requirement in the health care industry
- Gramm-Leach-Bliley Act for US federal government organizations
- European Union Data Protection Directive, which makes this book as applicable to European readers as it is to US audiences
In addition, the policy collection addresses issues such as social engineering, digital signatures and public key infrastructures, which show the breadth of topics covered. It also addresses credit card fraud, internet use policies (another hot topic) and network and internet security.
What I like is the fact that the book is much more than a collection of policies - it also discusses implementation and enforcement issues, and contains checklists for developing (or tailoring) and implementing the policies.
On the topic of value: this book contains 18 core policies that should be in place regardless of company type. These alone would take between 150 and 200 hours to develop. Using the fully loaded rate of in-house experts it's easy to make a business case for buying this book, because these 18 policies alone would cost more to develop from scratch than the cost of the book. If you are using consultants the cost savings will be dramatic. In addition to this book I recommend investing in the author's other book, Information Security Roles & Responsibilities Made Easy, which completes the picture for developing an effective security organization and posture.
This book, Information Security Roles & Responsibilities Made Easy, is the other half of Information Security Policies Made Easy discussed above. What makes this book complement the policy book is that once the policies are written they are useless without defined roles and responsibilities assigned to manage and enforce them.
Included in this book (and in soft copy on the accompanying CD ROM) are organizational mission statements that form the framework for policies, job descriptions for major security role players, and organizational structures with reporting relationships.
The book does not merely present the roles and responsibilities - it goes into the hows and whys, and steps you through the definition and development of a security function in which the roles and responsibilities are defined. More important, the author does not use a canned approach, but provides alternative structures that will allow you to develop and implement the organization that is best aligned to your company. This is one of the most practical and flexible approaches I've seen, and shows the author's extensive experience and realistic attitude. Equally important is the fact that small companies are also addressed, making this book valuable to organizations of all sizes.
You're stepped through the process of identifying your requirements, tailoring the documents provided on the CD ROM to reflect those requirements, and given an idea of the time and resources needed to implement them. In addition to the documented roles and responsibilities and organizational structures provided, this book also covers (and the CD ROM provides) pamphlets to promote security awareness, memos, forms, action plans, a sample security manual and standards, and other documents that will be needed to effectively implement a security organization.
The chapter on common mistakes is worth its weight in gold, as are the appendices, which cover staffing levels, qualifications (this is valuable to HR), and IS security metrics.
Regardless of company size or scope of your security organization, this book will save literally hundreds of hours of research, document development and planning. Even for a small company of 25-100 employees this book will pay for itself many times over, and for a large company the value that this book (and the companion book I mentioned above) represents can run into the tens of thousands of dollars.
Friday, May 03, 2002
I've been discussing process improvement and business value. I found a book that combines the two in a neat, coherent package: Software Process Improvement: Concepts and Practices. The value of this book is that it examines software process improvement from the perspective of business value instead of why it makes sense from a software engineering process point of view. I found this refreshing because too many books on this topic are focused on the technical advantages and give lip service to business benefits, if they are mentioned at all.
Another interesting aspect of this book is the chapter on using the Capability Maturity Model with small projects and/or in small organizations. The discussion shows how a heavy process improvement approach can be effectively used to good advantage in scaled-down environments. Considering how many large organizations are struggling with implementing the CMM this chapter alone makes buying this book worthwhile because it shows how to get a handle on the daunting task of implementing the CMM.
Parts of the book that I especially like are: Communicating Project Drift Through Cost/Benefit Scenarios and Linking Strategies To Organizational Goals. Another strong chapter is Technical Infrastructure for Process Support, which provides clear direction for implementing a process-based paradigm.
This book is not a primary text on the subject and is probably not the first that someone new to SPI should turn to (I recommend Successful Software Process Improvement by Robert B. Grady as an introductory text), but is full of practical ideas for someone who works with SPI.
Thursday, May 02, 2002
The newest issue of CrossTalk is out. Although I normally post new issue announcements for this excellent magazine in Notes from the Field, the May issue is more in line with recent discussions here. The top articles in the May 2002 issue are:
- Best Practices
- Software Engineering
There is also an Open Forum article of interest titled Information Security System Rating and Ranking by Dr. Rayford B. Vaughn Jr., Ambareen Sira, and Dr. David A. Dampier. You can download this article for off-line reading.
Wednesday, May 01, 2002
It seems that I make an entry and it turns into a series. The MS Word document titled A Business Goal-Based Approach to Achieving Systems and Software Engineering Capability Maturity neatly connects the dots between business processes and software engineering.
Related to process and the earlier series on project management, Measurement Based Guidance for Software Projects adds metrics and process to project management. Measuring Process Improvement is a more general document that is applicable to both IT and business. However, in order to improve processes you must first understand the process being analyzed as a candidate for improvement. One characteristic that most processes share, and one of the more common improvement drivers, is cycle time - how long it takes to complete the process. Time is, indeed, money. The Cycle Time Improvement Guidebook is about engineering process improvement. While it is not strictly a business- or IT-specific guidebook it contains all of the essential information and a strategy for identifying improvement opportunities and how to exploit them.
Tuesday, April 30, 2002
More on Process. I place process above all else. Tools without processes frequently turn into shelfware and are a monument to poor management practices, abysmal leadership and the major disconnect between IT and business imperatives. Once processes are in place they cannot remain static, or they will soon become monuments themselves - monuments to lethargy, not-invented-here syndrome and source material for Dilbert cartoons.
There are books, articles and philosophies devoted to process improvement. Pick one. However, if you are sincerely searching for a workable approach, The Purpose Driven Process Improvement Guidebook may have what you're seeking. I was impressed with the approach and found the PowerPoint presentation on purpose-driven process improvement to be a quick-start introduction. Another excellent view of process improvement is the 5-step approach by the same authors who created the Purpose Driven Process Improvement Guidebook. Highly recommended.
Monday, April 29, 2002
Linda and Kate covered service delivery in their recent entries while I addressed project management and metrics. The following documents will, in many ways, tie together these disciplines:
Sunday, April 28, 2002
My entry on 25 April wrapped up thoughts and associated documents on project management. This entry's theme is metrics. There is a direct relationship between software project management and metrics, as well as between service delivery and metrics. A good place to start is Practical Approach to Software Metrics, which is a primer. Also see previous metrics entries because this is a recurring topic.
Metrics need to be placed within a context of the development life cycle. An interesting approach to life cycles is the hybrid process model that combines the spiral and waterfall life cycles. This is but one example and certainly not the only viable model. However, you have to credit the authors for creativity and some excellent ideas. Armed with a primer and one model that incorporates two common life cycles into a hybrid, the next step is to survey metrics practices. This document presents best practices that you can learn from to develop (or improve) your metrics program. If you want to assess your metrics posture the Excel metrics self-evaluation tool will give you a baseline and the basis for launching a process improvement initiative.