|
|
Friday, April 19, 2002
Posted by Mike Tarrani
3:16 AM
Security (again!). Security is a recurring theme here and in Notes from the Field, and it's time for another installment. One excellent resource for IT security is Ben Rothke's web page. Ben is a columnist for Information Security Magazine, among other things, and his home page contains a wealth of information. The real gems are:
Thursday, April 18, 2002
Posted by Mike Tarrani
5:24 PM
ITIL, ITSMF and Service Level Management. Linda's 14 April entry was on the mark. With established international standards we do not need another methodology, and we definitely don't need proprietary methodologies. She and I have over 50 years of IT operations, service delivery and production support experience between us. We've seen the methodology of the month, silver bullets and all of the other panaceas, and none are a total solution. Are the ITSMF's best practices perfect? No, but they do reflect the experience of IT professionals the world over.One of the problems with the ITSMF's core documents, the IT Infrastructure Library, is the books are expensive. This is, in my opinion, a barrier to adoption. I am going to chip away at that barrier by sharing ITSMF files that I've collected with the goal of creating awareness. I'm going to start with a PowerPoint presentation that gives an overview of the ITIL: Why ITIL? Since the ITSMF uses the ITIL this presentation is important. The following files, which address various ITIL and ITSMF domains, will show the inner workings:
Wednesday, April 17, 2002
Posted by Anonymous
6:56 PM
Preparations. One of the projects in which I'll be engaging is to develop reference data for issue management. I'm currently reading Managing Reference Data in Enterprise Databases to get ideas about how to build a taxonomy, populate it and manage the data. Although the project is in support of service level management, the role I have is squarely in the knowledge management domain.Knowledge Sharing. Since I'll be working with peers who may not be fully conversant with knowledge management I'm gathering artifacts that will explain the basics. One such artifact is a PowerPoint presentation titled KM Tour. It's a brief overview and should help me to fit my role into the project objectives. Another artifact is a PDF document titled Assessing Knowledge Assets. This document goes beyond the scope of my role, but it does place knowledge management into a practical context. Nice to Know. If you have an interest in knowledge management or leveraging human capital (two different, but related topics), the following documents will be of interest:
Tuesday, April 16, 2002
Posted by Anonymous
9:11 PM
Privacy is a hot topic, but hotter still is the thorny issues surrounding how to best protect it. Linda reviewed a chilling book titled World Without Secrets in her 17 April entry in Notes from the Field. This book, and its associated web page, paint a bleak picture of privacy. One of my main sources of information on the topic is Lisa Rein's weblog. I also do a considerable amount of research from other sources because privacy issues are main concerns of my specialities, knowledge management and competitive intelligence.One solution that is being hotly debated is the concept of a national ID card. The key issues are contained in a Gartner research note titled Establishing a National ID Card: Definition and Debate. However, this issue is international in scope. Smart ID Cards in Europe: Different Views, Uncertain Future gives the perspective from Europe, while we can learn from Hong Kong’s Multiapplication Smart ID Card. At the state level the Gartner research note titled Can the Smart State Implement a Smart Driver’s License? asks valid questions. Interestingly, another Gartner research note asserts that The Global Economy Already Has IDs. At some point, though, it will behoove you to understand the underlying technology and the strengths and weaknesses of smartcards. Mike and Linda steered me to Get Smart : The Emergence of Smart Cards in the United States and their Pivotal Role in Internet Commerce as a well written introduction to the business and technical issues, and I join them in highly recommending it if you need to quickly learn about smartcards.
Posted by Mike Tarrani
7:32 PM
Security & Contracts. I've been posting book reviews and other security-related information here and in Notes from the Field since the inception of these weblogs. Contracting is another recurring topic. A recent eWeek security series titled Contracts Getting Tough on Security ties the two topics together. If you write RFPs and evaluate vendors you'll find best practices. If you write proposals you'll find compelling reasons to start developing a set of security processes and strategy to use as a response to RFP requirements. I canot resist a shameless commercial plug here: TEAM Zarate-Tarrani develops security strategies and processes that will prepare you for responding to RFPs.
Posted by Mike Tarrani
4:04 PM
Friends don't let friends use MS Project. If you want a project management application that correctly levels resources, can correctly compute earned value, and is made by a company that understands project management you should look at SureTrak Project Manager 3.0 (see Linda's 27 May 2001 review on Amazon).I just finished reviewing an outstanding book on how to use this powerful program: Planning Using Primavera SureTrak Project Manager Version 3.0 by Paul E. Harris . Although SureTrak Project Manager 3.0 ships with adequate documentation and the program is intuitive, there are three good reasons to buy this book: - The product documentation covers every feature - the information about planning and managing projects using this powerful tool is scattered throughout, making it difficult to tap into SureTrak's power without wading through an overwhelming amount of nice-to-know, but non-essential detail.
- Although anyone who has used Microsoft's ubiquitous MS Project will have no problem getting started with SureTrak, they will miss the true project management features of SureTrak that are not present (or don't correctly work) in MS Project. This book identifies those features and shows how to use them effectively.
- The author goes beyond merely describing how to use SureTrak by showing you how to use effective project management techniques, many of which take years of managing projects to discover.
The book is structured as a series of 20 lessons (called workshops) that are designed to step you through setting up a project, and planning and scheduling it. If you follow them in sequence you will be able to not only set up a project using SureTrak's rich feature set, but will also pick up general project management techniques along the way. An example of one such technique is how the author classifies projects into four levels for planning and controlling. These levels are based on project complexity, with Level 1 being the simplest and suitable for short projects, to Level 4 for complex, high-value projects. You are given the planning and tracking criteria for each project type, which allows you to tailor your approach as well as ensure that you don't over-manage simple projects or under-manage the complex ones.You are also shown how to use the more powerful features, such as the many project views (work breakdown structure, activity or resource), managing the sophisticated calendaring functions, and effectively using the resource profiles and reporting features. I particularly like the way earned value is treated. The author shows how to use SureTrak's facilities for managing to earned value, as well as explaining this essential technique (which, by the way, is now a part of the Project Management Institute's PMBOK 2000 version). Another bonus is the way scheduling is explained by walking through adding logic to activities. You'll not only be shown how to perform this task, but given reasons why you should use one approach from among four possibilities to establish relationships. In this example the choices are start-to-start, finish-to-start, start-to-finish and finish-to-finish. The book is clear, concise and heavily illustrated with screenshots from SureTrak. The tutorial style and the way the lessons are sequenced will get you quickly up-to-speed with SureTrak and give you the knowledge and skills necessary to employ it with minimum reference to the manuals that come with the software. If you're more interested in Primavera's high-end product, P3, please refer to my Amazon review of Planning Using Primavera Project Planner P3 Ver 3.0 by the same author. As an end note I've gathered links to websites that may be of interest: Our weblogs also contain a wealth of information - use the search feature to find information about earned value, WBS, PMBOK, PRINCE2 and other topics that you may be researching.
Monday, April 15, 2002
Posted by Mike Tarrani
7:22 AM
Administrative Note. Over the next few days my ISP will be doing maintenance. Most of the documents we provide here reside on the server that hosts tarrani.net. You may experience Document not found errors during the next 48 hours. If there are any documents that you absolutely need during this period let me know and I'll e-mail them to you.
Sunday, April 14, 2002
Posted by Mike Tarrani
3:33 AM
I just finished reading Computer Forensics: Incident Response Essentials by Warren G. Kruse and Jay G. Heiser. The authors, both of whom have impeccable credentials, have managed to distill a complex subject into a book that can be understood by anyone with intermediate-level computer skills. More importantly, computer forensics is a relatively new sub discipline of IT security, making this book important in that there are few books on the topic.I'll start with the beginning and end of the book, each of which are focused on legal aspects of forensics. The book begins by explaining what forensics is, and giving a three-step process that covers the essentials at a high level: - Acquire evidence
- Authenticate it
- Analyze it
Although this process is presented at a high level, important details, such as the importance of establishing and maintaining a chain of custody, how to collect and document evidence and key issues to consider when presenting the evidence in court are covered. This discussion is picked up again in Chapter 12, Introduction to the Criminal Justice System, in which applicable laws, advice on dealing with law enforcement agencies, and the distinction between criminal and civil cases are discussed. There is sufficient detail and pointers to put sources of information to arm you with the bare essentials.Between the opening chapter and Chapter 12 described above are chapters devoted to basic techniques and procedures for tracing email, specific operating system issues (the book deals with UNIX and Windows), encryption, codes and compression and other common challenges an investigator will face. The material is not overly technical, and is presented in easy-to-understand prose. Anyone who works as a network or system administrator, provides desktop support, or is an advanced end user will have no problems following the techniques that are presented or the underlying technical details. If you're seeking an advanced text this book will probably disappoint you, although there is sure to be some new trick or fact that you'll learn. For example, I have over 25 years of IT experience and was fascinated by the discussion of steganography (an information hiding technique). There were other chapters that I quickly skimmed because I was well-versed in the subject matter. What I like about the book is the easy approach, which makes it easy to develop the fundamental skills necessary to perform forensics. The few other papers and books on the subject are far more advanced and the learning curve is a barrier. This book will give the new security investigator a foothold in the topic upon which he or she can build. I especially liked the appendices, which provide an excellent framework for incident response. One of the best features is the detailed roles and responsibilities, which are well thought out and reinforce the axiom that security is everyone's business. Another outstanding feature is the flowcharts for various incident types, such as denial of service, hostile code, etc. These can be used verbatim in a security policies and procedures manual, as can the incident response form provided in Appendix B. I also liked the valuable URLs provided throughout the book. I knew of many, but was surprised to find invaluable resources that I didn't know about. Even though much of this book presented information I already knew, I still enjoyed reading it because I picked up facts that I didn't previously know, and was reminded of legal aspects of forensics and security that I'd forgotten. The appendices alone make this worthwhile to even advanced readers, and the fact that it provides an entry point into forensics for new practitioners makes this book invaluable as a training tool and vehicle for professional growth.
|