Saturday, March 23, 2002
Testing. The newest book on software testing, and one of the better ones I've read, is Rapid Testing. This book provides a testing process and associated techniques that add the agility required to meet fast-paced business requirements without sacrificing the due diligence or controls necessary to manage risk.
There is nothing especially new about the processes or techniques that the author proposes and explains; however, the way the processes are designed recasts tried and true methods into a streamlined process. Indeed, if the rapid testing process is correctly implemented it's possible to reduce testing cycle time while improving quality. I like the way the author begins by clearly defining terms. I know from experience that "acceptance test" means one thing in one organization, and something quite different in another. What I especially like, though, is the clear process itself, which consists of four major elements, each of which is thoroughly addressed in the book:
- Integrated test process.
- Static testing.
- Dynamic testing.
In Part II the book provides tips and techniques. Again, there is nothing especially new, but all of the key techniques are covered, including requirements and analysis, test planning, executing and reporting. Black box testing is covered well, as is an array of dynamic testing techniques (equivalence partitioning, boundary value analysis, memory leak testing, use case testing and performance tests). If you're in a Microsoft-centric environment you'll appreciate the material on memory leak testing, and if you are in a development environment that employs UML or the Rational Unified Process the techniques for use case testing will prove helpful.
Part III provides detailed examples that are based on material presented in Part II. Overall this book lives up to its title by providing a 'safe' and effective process for rapid testing.
Project Management. One of the most exciting finds is Quality Software Project Management. This is, without a doubt, the most comprehensive book available on software project management. I don't make this statement lightly - I have over two dozen books on the subject, and have reviewed a significant portion of them on this site. It isn't the fact that the book consists of 33 chapters and 7 appendices and consumes nearly 1700 pages that makes it comprehensive. What distinguishes this book from the rest are:
- A process-oriented approach that is completely consistent with the PMI PMBOK, fully supports requirements for the higher levels of the capability maturity model, and can be adapted to virtually any life cycle model.
- It completely covers the important elements of planning, scheduling and control, including work breakdown structure development, associating tasks and deliverables, estimating (the focus is on the constructive cost model), advanced scheduling techniques (including critical chain scheduling that has emerged from the theory of constraints body of knowledge), and earned value project management.
- Ties software engineering, system engineering, reliability, SQA and software configuration management to the project process. Many books briefly address these, while this book addresses the requirements, issues and techniques head-on.
- Business plan development, requirements analysis, project deliverables and other artifacts are thoroughly covered.
- The web site that augments this book has errata, templates and checklists (in HTML format), links and other material that supports using the book as a course text.
There are so many things I like about this book, but the size and depth of content make it nearly overwhelming. My favorite chapters are 21-Metrics, 26-Continuous Improvement, 28-Post Performance Analysis and 32-Legal Issues. However, these reflect my personal interests. The book is, in my opinion, uniformly excellent. The only flaw I found was the scant attention given to releasing an application or system into production, and no mention of how to tie together issue management to the enhancement and maintenance cycle that initiates once an application is in production. However, to be fair, this book is focused on project management and not software engineering. An outstanding companion to this book would be Successful Software Development by Scott E. Donaldson and Stanley G. Siegel, which provides the same in-depth treatment of software engineering as this book does for project management. See Linda's 11 September 2001 and my 5 September 2001 reviews of this book for more details.
Friday, March 22, 2002
- Turning Numbers Into Knowledge: Mastering the Art of Problem Solving. This book isn't as much about numbers as it is about how to think. In fact, numbers aren't introduced until chapter 27, which is exactly midway through the book. The author, Jonathan Koomey, skillfully leads you through the process of learning to think critically, probe, question and analyze. Along the way he helps you to develop a mindset and collection of tools and techniques, which prepare you for the second half of the book that does cover numbers and how to interpret them, transform them into knowledge, and use them to solve problems. This 221 page book is a masterpiece because it's clearly written, offers sage advice and contains easy to perform--yet powerful--exercises throughout. Unless you've mastered critical thinking and problem solving you'll ignore this book at your peril.
- Systems Thinking: Managing Chaos and Complexity (subtitled, A Platform for Designing Business Architecture) is to understanding complexity and perception what Turning Numbers Into Knowledge is to critical thinking skills. Like that book, this one has more to do with techniques and concepts than with what the title implies. To be sure, it does delve into designing business architectures, but the focus is on sorting through complexities and perceiving reality without filters. I'm going to share two examples that underscore this book's approach, and why I think it's one of the more important books one can read:
- Counter-intuitiveness in social dynamics is illustrated with a cause and effect diagram that clearly shows counterintuitive behavior in a welfare system. The diagram shows how a program designed to reduce the number of poor families can actually cause the opposite effect.
- A side story about a birth control project in India illustrates perceptual differences between and among cultures and deeply influenced my own perceptual awareness. The synopsis of this story is that the foundation team that was trying to teach birth control gave an incentive in the form of a free transistor radio to anyone who attended their educational lectures. Despite their best efforts the birth rate remained at a steady average of 4.6 per family. This unchanging fact was a source of great dismay and perplexity to the team of Americans who were about to deem the project a failure. Fortunately they dug deeper into the causes and discovered that in India there are no retirement benefits, social security or unemployment benefits. The retirement system is based on three sons. It takes an average of 4.6 births to produce three sons, so the mystery was solved. This short story was used to reinforce a triad of factors that support decision making: cultural, emotional and rational. We tend to examine the rational, which represents only one third of what needs to be considered. The rest of this book contains the same deep insights throughout and gives you the tools and approach to untie that Gordian Knot.
The nine chapters in this book are essays that are written by experts in their fields of expertise, with contributions by Garrity and Sanders who are credited on the cover. There are two documents that will interest anyone who is among this book's primary audience:
Each of the chapters can stand alone, although they are presented in a sequence in which each builds upon the preceding one. Each chapter ends with endnotes and references. Chapter 1 introduces information systems success measurement as a discipline. It does so in clear terms and is consistent with each of the subsequent chapters. Chapter 2, Dimensions of IS Success, is especially strong in that it introduces models, including DeLone and MacLean's model for IS success, and variations that show different viewpoints. It decomposes the dimensions into domains, provides questionnaires, and ends with an appendix that gives example ratings and measurements. This chapter shows how to quantify factors and portray success in hard numbers.
Chapter 3 extends the previous one by providing a 3-D model approach to measurement. Because I work in multi-cultural and multi-national environments I especially liked Chapter 4's focus on cross-cultural environments. In addition, the legal aspects of measurement that are Chapter 5's topic are essential reading. Regardless of your specific interests do take the time to read this short chapter because it applies to anyone in IS/IT. One glaring omission here is UCITA (Uniform Computer Information Transaction Act), which is an optional modification, on a state-by-state basis, to the Uniform Commercial Code (which is covered).
The remaining chapters address (Ch 6) Comprehensive Model for Assessing Quality and Productivity, (Ch 7) Development of Process and Outcome User Satisfaction, (Ch 8) Interpretive Approach to IS Success Measurement, and (Ch 9) Five Secrets to Systems Success. Each contained one or more interesting concepts and/or sparked ideas. Because much of my work as an IT consultant involves process improvement strategies and service level management I found this book to be an invaluable source of information. Each of the chapters contains valuable information, insights and ideas that will be useful to anyone in IT management or service delivery roles.
- IT Efficiency and Business Value, which is a brief, nine-page overview.
- Principles of Effective IT Management, which is more of a book. Its 186 pages, in presentation format, cover all of the key topics, and it is one of the best documents on the big picture available for free.
My most recent entry in Postcards from the Revolution addresses the business requirements layer in the Tarrani-Zarate Model, and this material is directly related to IT critical success factors and value. Next up in that discussion is the link between business requirements and service level objectives.
Thursday, March 21, 2002
The potential for misinterpreting an observation, statement of fact or a more subtle indicator is great. We're human and subject to mental filters that cloud or color our perceptions.
MIT's Perceptual Science Group has some interesting lessons in perception. I was fascinated (and amazed) by the simple, effective demonstrations of lightness perception and lightness illusions. While this doesn't appear to have much to do with information gathering it, in fact, has everything to do with it because it goes to the essence of cognition. We are knowledge workers, and cognition governs how well or poorly we perform any task that calls for analysis or reasoning.
Another resource that provides background material that connects perception with systems under observation, especially complex systems, is New England's Complex Science Institute's page on Visualizing Complex Systems Science.
Granted, this is not your normal fare for IT professionals; however, it does give insights about how we think and provides guidance on how to sort through complex problems. One final site that I think will interest anyone who wants to dig deep into cognition and perception is The Complexity & Artificial Life Research Concept for Self-Organizing Systems. This site isn't about the cutting edge of science and cybernetics - it covers arts and sciences. The page that interested me the most is about Value Metascience and Synergistic Choice. In plain terms the subject is about how to apply complexity thinking to the world around us.
Before you write this off as impractical theory that doesn't apply to what you do, remember this wonderful quote from Hamlet:
There are more things in heaven and earth than are dreamt of in your philosophy.
I think what the Bard was trying to convey is to not dismiss something out of hand because it seems to be outside of what you consider to be your frame of reference. The corollary is a quote from George Orwell's 1984:
I enjoy talking to you. Your mind appeals to me. It resembles my own mind, except you happen to be insane.
You decide.
Example. Change control is a key IT operations management process that is governed by policy (more about policies tomorrow), and is accomplished through a series of tasks. Refer to the graphical depiction of the process as you read through it.
Entry Criteria. The change control process is initiated when there is a requirement to make a change. Change is defined as any of the following:
- New system - application, operating system, database, hardware platform or infrastructure.
- Major upgrade to an existing system - version release, new or upgraded components and/or subsystems (hardware or software), database schema reorganization, etc.
- Minor upgrades to an existing system - patches, modifications to existing scripts or additional scripts (batch, shell, SQL, etc.), minor database schema reorganization (dropping columns, adding or modifying constraints, triggers and stored procedures, etc.) and infrastructure changes that are transparent to end users (e.g., upgrading IOS in a Cisco router).
- Changes to service level objectives - permanent maintenance window changes, changes to problem management response times, mean-time-to-repair metrics, availability commitments, etc.
- Maintenance to any system that has dependencies with the system being managed - in this special case the subject matter experts (SMEs) will open a change request to document the maintenance being performed on the inter-dependent system even though the SME has no direct control over, or responsibility for, the system. For example, if a particular application exchanges data with an application that is managed and supported by different SMEs, and is owned by a different application owner, a dependency exists. The SMEs for the external application are responsible for initiating change control. However, since the change will affect the second application, that application's SME will open a change request as well. This provision will ensure that the scope of the required impact analysis will extend to all systems that are affected by the change. It will also ensure that each SME remains cognizant of any change or maintenance activity that affects his or her system.
The following are the minimum entry criteria that must be met before the process can move to the task stage:
- Release notes, build analyses, installation manuals and any other documentation that is needed to correctly test and install the product (hardware or software).
- Test results from QA (product test/UAT and/or pre-production/staging).
- Operational requirements, such as special training, maintenance window considerations, help desk entry criteria, spare parts, etc.
Validation. The following are checkpoints in the change control process:
- Perform an impact analysis. Deliverable: completed impact analysis.
- Develop planning package. Deliverable: description of change and why change is being made (including benefits and how the change will create value for the users), how the change will affect users during the implementation (scheduled start and end time, impact on maintenance window and service level objectives), implementation plan, roll-back plan, roles and responsibilities, notifications, quality assurance plan.
- Provide operational requirements, implementation plan and change request to application owner and SME for review and approval.
- Application owner approves change.
- Technical owner approves change.
- Submit change control package to change control coordinator.
- Change Control Board reviews and approves the change request.
- Change is implemented in accordance with implementation plan.
- Change action is closed out as complete.
- All entry criteria will be checked for accuracy and completeness by the SME(s).
- Application owner will review and approve the change request before proceeding. SME's supervisor will review and approve the change request before proceeding.
- The change control coordinator will review the implementation plan and change request for accuracy and completeness before including the change as an agenda item at the next scheduled change control board.
- The change will successfully pass all post implementation validation test checkpoints before the change is released into production, else the change will be rolled-back.
- In the event of a roll-back there will be a root cause analysis performed and responsibility for eliminating the root cause and, when applicable, developing a process improvement plan will be assigned to individual(s) by cognizant authority. The change request will also be cancelled and resubmitted after the root cause has been determined and eliminated.
Policies. It may appear that policies are mixed with this process, but they aren't. Tomorrow I am going to provide the policies that govern the process just described, then discuss the relationship between policies and processes.
- The change is successfully released into the production environment or cancelled and resubmitted depending on validation checkpoints above.
- After a change is successfully released into the production environment the change control coordinator will close out the change request as completed.
Wednesday, March 20, 2002
I've also been heavily influenced by the books in Harris Kern's Enterprise Computing Series, all of which are focused on some aspect of service delivery. My exposure to this outstanding series was IT Services Costs, Metrics, Benchmarking and Marketing. Discovering this book was a turning point because it synthesized all of the experience that I'd gained in a quarter of a century in the industry. I quickly snapped up the other books in the series, many of which had the same profound influence on my thinking and/or validated my own experience and knowledge. The best among them are:
- IT Problem Management, which widens the scope of help desk operations into a unified view of enterprise-wide problem management processes. It also shows that help desk operations is but a small part of problem management - a fact that seems lost on too many help desk "experts".
- High Availability: Design, Techniques and Processes, augmenting IT Problem Management by adding a layer of detail about supporting processes.
- IT Systems Management: Designing, Implementing, and Managing World-Class Infrastructures, which Mike and I recently reviewed - see Mike's 18 March entry in Postcards from the Revolution.
- Mission Critical Systems Management.
- Strategies for Web Hosting and Managed Services (see the book's associated discussion forum for more information).
- IT Service Management Problem and Incident Management
- Tier 1 Support Issues
- Service Level Management Basics
- Policy-Based Service Management
- Managing Service Provider Performance
- Selective Outsourcing
- Measuring and Analyzing Service Level Agreements
- Supply-Side SLAs for Application Service Providers
- Theory and Practice of Internet SLAs
Best regards from Azusa, California. Linda Zarate
Tuesday, March 19, 2002
- My 26 February entry announced the sad news that Process Dashboard was withdrawn. This open source application was designed as a Personal Software Process support tool. I am happy to announce that Process Dashboard is once again available.
- Doug Kaye has launched a newsletter titled IT Strategy, which will come out weekly and cover news items about web hosting services and managed services, and web services. If these topics interest you (and they should) you can sign up for a free e-mail subscription.
Spin Control Out of Control. Today was intense and I'm getting caught up. Going through a backlog of unread e-mail I came across two messages that, combined, made me chuckle. The first is from an old friend who now works for Microsoft. I'm on his distribution list and I read anything he sends. Here is an excerpt from the announcement that went out to the list:
Internet security is a worldwide issue that affects not just Microsoft's customers, but also anyone connected to the Internet - no one is immune to the problem.
Microsoft has taken a proactive approach to this problem by introducing the Microsoft Strategic Technology Protection Program (STPP). This two-phase program represents an unprecedented mobilization of Microsoft's people and resources to integrate product, services and support. In January, Microsoft Consulting Services presented an initial seminar that introduced the components of the STPP program, which includes "Get Secure" and "Stay Secure."
It sounded sincere enough. I paid a brief visit to Microsoft's security page, noted the proclamations, then mentally filed it away and planned to follow up at a later time.
Ironically, the next message was from a service to which I subscribe: e-Week. Here are the stories for today:
- IE, Apache Clash on Web Standard, ...The incompatibility lies in how Microsoft has implemented digest access authentication, a World Wide Web Consortium standard (RFC 2617) that specifies how users can securely log in to Web servers. Digest authentication is widely acknowledged to be the best available Internet standard for this purpose.
The upshot is that IE cannot be used as a Web client for any Apache-based Web application that uses digest authentication. In addition, every non-IE browser we tested couldn't be used as a client for any Internet Information Services-based Web application that uses digest authentication.
- Security Flaws Found in IE 6.0 followed by Microsoft Patch Repairs 6 IE Flaws
On the other hand, e-Week also discussed the opportunities that more mature and proven technologies have, including an article titled Java: Potent Security that discusses the strengths of Java from a security viewpoint compared to Microsoft's newer .NET initiative. Another article from the same publication, Apache Avoids Most Security Woes, indicates that Apache is vastly superior to IIS from a security perspective.
Back in the Fast Lane. I'm caught up and will resume my entries here and in Postcards from the Revolution starting tomorrow.
Wrestling Demons. I've recently upgraded my desktop system to Windows 2000 and am having my share of problems. One of the most frustrating is the fact that my vanilla, PS/2 keyboard is not recognized! The good news is my system now boots faster. The bad news is I cannot interact with it via my keyboard. The worst news, though, is my keyboard is the Microsoft Internet model. I'm starting to share Mike's disdain for anything coming out of Redmond.
Securing Business Information
Cookbook approach that makes a complex task manageable
Of all the security books I've read this one stands out as the best for two reasons: (1) it lays out what is needed and the steps to take to develop an enterprise security policy in a clear, logical sequence, and (2) there are no gaps in the proposed process. Indeed, it appears that the authors had 'due diligence' as their foremost principle when they wrote this book. In addition their experience is evident in the way they approach the subject and tie it together.
The approach is straightforward: initiate, assess, gather requirements, perform a gap analysis, develop a baseline and implement. What makes the approach unique is the 'divide and conquer' technique that partitions the business into security domains. This has benefits beyond decomposing the complexities of enterprise security into manageable pieces - it can also be linked into enterprise problem management and business continuity planning processes because you're forced to examine your resources and systems, and to prioritize them according to their criticality. I also liked the discussion of policies, which discussed the merits of identity-based and role-based approaches, and included excellent advice on policy auditing. One strong point about this section was the treatment of finding documented *and* undocumented policies. This material is applicable to anyone who is involved in policies and procedures development, regardless of whether or not it's related to security. I also especially liked the chapter on trust modeling. This is one area where I learned much from the book.
I've only touched upon key elements of this book. A review of the table of contents will reveal that it's complete and filled with case studies and important discussions of technologies that can be employed to create an effective enterprise security posture. This book is obviously applicable to security specialists, but is also useful to business continuity planners, service delivery practitioners and service providers. It is, to date, the best book on security from among the 20 I've read. It's also a complete recipe for a successful development and implementation of enterprise security policies, processes and procedures.
Enterprise Data Center Design
Hard to find information that is clearly presented
There is a large gap between IT data center operations and facilities management professionals. This book bridges that gap, at least on the IT side, by clearly explaining the issues and factors that need to be addressed for effective management of a data center that complies with local codes and regulations. Most IT professionals are unaware of the regulatory requirements with which a data center must comply - unless they've been shut down by a city inspector at which point the concept of reliability, availability and support becomes moot. This book provides a good education about this obscure topic, as well as everything else that a data center operations manager should know in order to do his or her job. This doesn't shift responsibilities away from facilities managers, but does give IT and facilities common ground and a shared understanding of each domain's roles and responsibilities. Here's an example of why this is necessary: systems that need to be brought into production usually require platforms, storage and network connections. These consume power, environmental system capacity and require space, all of which are finite and all of which are governed by building, fire and safety codes. Many organizations order equipment first, then notify facilities, when the right way is to jointly plan and manage data center growth. This book provides the basis for doing this, and if followed by both IT and facilities, will ensure smooth and uninterrupted operations and proactive physical capacity management.
The book starts with data center design philosophy, giving the top ten design guidelines. This is followed with detailed design criteria that cover project issues, insurance and local building codes. While these are of more concern to facilities managers, IT needs to be aware of their impact. It also discusses availability profiles, which do directly concern IT. Chapter 3 is also of direct interest to IT because it discusses physical and logical security, facilities system monitoring and planning for expansion. In fact, this chapter is where IT and facilities professionals intersect.
Chapters 4 through 8 are of more interest to facilities professionals because the topics cover details such as physical capacities and resources, site selection and construction details, implementing raised floors, power distribution and HVAC. Despite the slant towards facilities, reading through these chapters will give IT data center managers insights into the challenges faced by facilities, and will offer a lot of information that can be used to develop safety plans and general housekeeping procedures.
The next chapters (9 through 12) are of interest to both IT and facilities, and cover network cabling infrastructure, shipping, receiving, and staging, hazards and environmental contaminants, codes and construction. These are areas in which IT and facilities need to closely collaborate.
This is the first book that covers data center facilities in a manner that IT professionals will find readable and understandable. It usually takes years of experience and reading facilities-focused materials of which only a fraction is applicable to gain the knowledge that the author provides.
Information Technology: Management Challenge
Essential to seeing the big picture
The eleven chapters in this 199-page book give a roadmap for aligning business and IT, and for effectively delivering value. As such this book should be on the book shelf or reading list for anyone who is involved in IT management or consulting.
Chapter 1 opens with IT as it relates to the global business environment. Much has been said about the global nature of the connected world, but views provided by two essays, reinforced with a case study and capped off with an action checklist sum up the key issues.
The book uses the same discussion-reinforcing case study-action checklist structure in every chapter. I like this approach because it has enabled the author to provide the key issues in succinct terms, demonstrate those issues in action, then give a structure from which you can develop your own plans. I also like the fact that management views written by other writers who are experts in their fields are included in many of the chapters.
Each chapter addresses a specific and important aspect of IT management, and each builds upon the preceding chapter. The sequence is: frameworks for thinking about business and IT (an especially solid chapter because it gives a point of reference for the rest of the book), delivering information, IT for competitive advantage (another excellent chapter!) and managing the development of an IT strategy. Although the book is not divided into sections, the preceding chapters are a foundation for what's to come. The next two chapters cover analyzing IT investments and impact of IT on an organization. These set the stage for the two that follow: implementing the IT strategy and the business manager's role in development. The book concludes with two chapters that cover major trends in IT (this chapter is still valid despite the fact that the book was written in 1999) and management concerns for the future.
The book is well written and thought-provoking. I got through it in a weekend, then spent weeks thinking about much of what was presented, and frequently referred back to key chapters. The action checklists are probably the most valuable parts of the book and are carefully crafted to make you think about key issues as they relate to your organization.
Monday, March 18, 2002
Be afraid ... be really afraid! Web job listings are one surprising source of information. As innocuous as job listings may seem, the paper titled Competitive Intelligence and National Security Threats from Web Job Listings shows that useful intelligence can be gleaned from publicly available sources. If this paper doesn't provoke reflective thought and a bit of paranoia you may be living in a different reality. Remember, when everything is uneventful the optimist will say, "we're safe" and the pessimist will claim that "we're due." I tend towards the pessimistic view when it comes to intelligence.
If the preceding paper didn't get your attention perhaps Civil Liability for Computer Security Professionals will give you pause. Although this paper is not specifically about competitive intelligence, it does show the potential risks a company faces if information that is made available isn't carefully reviewed by competent legal counsel. This document isn't for security professionals only. I think the proper audience should include marketing, content developers and corporate communications/public relations.
Other Matters. If you carefully read the US Government's advice contained in a document titled Intellectual Property: Navigating Commercial Waters you'll discover exposures to which your company may be subjected. This document is not ostensibly about competitive intelligence, but much of it is useful to those who gather or protect information that is considered to be competitive intelligence.
I still have loose ends on my personal web page, but will be rectifying them in the next few days. Mike is in the process of adding sample deliverables to our TEAM Zarate-Tarrani page, but this will be an ongoing process.
Linda left me an opening in her recent entry in Postcards from the Revolution to provide additional content about knowledge management. If you check my latest entry there you'll find five useful documents on the topic. Best wishes from Irvine, California.
I am going to provide a few testing and reliability documents I've recently found, then disappear back into the woodwork until Wednesday. I should be caught up by then and will resume my discussion here about process design and implementation, and will begin my discussion of the Tarrani-Zarate Model in our sister weblog, Postcards from the Revolution.
The testing and reliability documents are:
- 28 Best Practices in Software Testing
- Estimating Defect Density During Test Coverage
- Relationship Between Test Coverage and Reliability
- Software Reliability Handbook
If you want to know more about who we are visit our TEAM Zarate-Tarrani page. Until Wednesday, best regards from Tustin, California.
Sunday, March 17, 2002
IT Architecture: An Executive Overview is an interesting presentation that ties together an end-to-end architecture and organizational structure that supports service delivery. If you're in the software engineering/applications delivery domain you'll see how your world can connect to production support and service level management. This is addressed in even more detail in Processes for Successful Solution Deployment. I especially like this document because it covers production entry criteria and applications acceptance - critical activities that are not always implemented as a formalized process. This paper shows why they should be a part of the interface between applications and service delivery. I also liked the paper on application availability because it contains items of interest to applications and service delivery practitioners, and is one of a slowly growing body of knowledge that views IT as a whole instead of development and support functions.
Parting Notes. In my next entry I'll cover service level management basics, including service level agreements and vendor management.