Just Enough Governance for Notes Blog Tue, 10 Nov 2009 22:10:52 +0500 http://www.governancefornotes.com/blog/governanceblog.nsf http://www.governancefornotes.com/blog/governanceblog.nsf/rss.gif http://www.governancefornotes.com/blog/governanceblog.nsf justenoughgovernancehttp://feedburner.google.com http://feedproxy.google.com/~r/justenoughgovernance/~3/Fvg5tfchDkw/SJON-7WYH95-Project_Held_Hostage Scott Johnsen http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7WYH95-Project_Held_Hostage http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7WYH95-Project_Held_Hostage
The problem with letting him do things his way was that other developers on the project felt it simply wouldn’t work. More importantly, the business said this solution failed to meet their requirement. The proposed design was pretty cool, but we really needed something that would work AND met the needs of the business.

So why was the CTO so adamant about this? It turned out that this particular developer possessed some unique knowledge because he had been with the company for a very long time and worked on many business critical applications over the years. The CTO was afraid that he might quit if he didn’t get his way on this new project.

I couldn’t believe what I was hearing. Essentially, the CTO wanted to let the project fail in order to retain this guy. Incredible!

I spent a lot of time working with the VP of Development to find a way around this with no real solution in sight. As it turned out, the guy quit within a week. Whew! That was a close call.

In telling this story since then, I’ve come to realize that my experience is not unique. Projects are often held hostage by a key member of the team. So what can you do to prevent your project from turning into a complete disaster when it is being held captive?

There are a few things you can do, but it is important to recognize that losing those sorts of people doesn’t usually end up being as painful as you think it’s going to be.

Following is a short list of suggestions:

• NEVER allow individuals to hold projects hostage to their expertise, experience or knowledge. It is a rare project that ends in success when this happens.
• If a hostage situation occurs, remove the problem immediately. Project delays and challenges will only increase until the problem is addressed. It’s better to make this change on your terms instead of theirs.
• Contact the business immediately to let them know what happened. There may be a delay in the project because of it, but do your best to minimize any negative impact this might have on the schedule.
• Recognize (to the team and yourself) that removal of a key resource may slow a project down at first, but a well managed team will recover quickly and produce a much better result in the long run.

I’d love to hear your ideas on this. Have you been in a similar situation? If so, what did you learn that might be helpful to others who find themselves in a similar situation?
]]> Mon, 19 Oct 2009 08:59:20 +0500 2 Risk Good Practice http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7WYH95-Project_Held_Hostage http://feedproxy.google.com/~r/justenoughgovernance/~3/UTCAsOIsIZ8/SJON-7W4RQA-Glass_Houses Craig Schumann http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7W4RQA-Glass_Houses http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7W4RQA-Glass_Houses Ed Brill's blog recently, though I don't think this is as unique to any one platform as Ed wants you to believe. This is just as easy to do in Domino as it is in Google and comes down to the management of security policies.

How many organizations out there are dutifully managing ACLs using groups? If an unknowing admin were to add say, the "Everyone" group to a group that was nested, at some level, inside the "LocalDomainAdmins" group, how long would it take you to discover that? How many apps would be affected? How long had it been since the change was made? My guess is that there are very few people who would have even known that it happened, let alone, what the damage was.

A deep understanding of the contents of ALL (yes I said all) the groups in your address book is incredibly important. However knowing the effect a group has on the access to applications (mail included) is even more important. The problem is being able to quickly learn what the effective access is to your applications at all times. This can be a full time job and very difficult to do on a regular basis. Just knowing that a group was changed is one thing. Knowing what effect that had is what is really important.

Exactly this issue is what led to the creation of Teamstudio's Admin Suite of solutions. If you are having difficulty knowing who changed what and when, who has access (really!) to which applications, you are not alone. Feel free to give us a call, or contact me directly at craig_schumann@teamstudio.com. I would be happy to show you how we can help.
]]> Mon, 21 Sep 2009 16:13:09 +0500 3 Notes Threats http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7W4RQA-Glass_Houses http://feedproxy.google.com/~r/justenoughgovernance/~3/EwNOfw4Q89Q/SJON-7VXHLD-Stagnate_or_innovate Scott Johnsen http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VXHLD-Stagnate_or_innovate http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VXHLD-Stagnate_or_innovate surveyed more than 2,500 CIOs and compared what executives at companies with high-profit growth are doing vs. those at low-growth companies. The results are interesting.

Highlights include:

Do you integrate business with technology to innovate?	High Growth: 64%	Low Growth: 33%
Do you focus your time on providing core technology services?	High Growth: 23%	Low Growth: 40%
Do you aggressively turn data into actionable information?	High Growth: 58%	Low Growth: 36%
Do you expect standardized business processes?	High Growth: 61%	Low Growth: 50%
Do you manage change successfully?	High Growth: 61%	Low Growth: 43%

The full report can be obtained at www.ibm.com/ciostudy.
]]> Wed, 16 Sep 2009 09:17:20 +0500 0 IT Trends http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VXHLD-Stagnate_or_innovate http://feedproxy.google.com/~r/justenoughgovernance/~3/S-oJQ4u6EmE/SJON-7VWG83-Resist_the_list Scott Johnsen http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VWG83-Resist_the_list http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VWG83-Resist_the_list Business Software Alliance survey, these are the 10 industries most often reported for software piracy:

1. Manufacturing
2. Sales/Distribution
3. Service
4. Financial services
5. Software development (Surprising?)
6. IT consulting
7. Medical
8. Engineering
9. Education
10. Consulting

Question: Are these really the worst industries for software piracy? Or do they simply contain the most whistle-blowers?

The September 14 issue of Computerworld has an interesting article on the topic.
]]> Tue, 15 Sep 2009 08:06:24 +0500 0 Worst Practices http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VWG83-Resist_the_list http://feedproxy.google.com/~r/justenoughgovernance/~3/c9uawaE6G3E/SJON-7VRFZQ-One_mans_trash Scott Johnsen http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VRFZQ-One_mans_trash http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VRFZQ-One_mans_trash
Since we have a variety of products to help our customers understand who has access to what, who has accessed what and when, as well as what Notes agents have access to, we tend to learn a lot about our customers Lotus Notes/Domino environments, applications and processes.

One area that is more consistent across our customer base is with regard to data loss prevention (DLP) capabilities. It is surprising to me the number of customers we talk to who either have not implemented a DLP plan or are unaware of such a plan. You might not think your company has much in the way of confidential data, but one man’s trash is another man’s treasure.

Think about what exists on your company’s servers, databases, laptops and file systems across your company. You may not store credit card information, but every company has financial statements, sales projections and employee lists that are valuable to someone outside your organization.

If you haven’t already implemented a DLP solution, it’s worth a look. Not only can this save you from a very expensive and painful data breach, but it can also help you with your data discovery requirements.
]]> Thu, 10 Sep 2009 07:56:16 +0500 0 Good Practice Risk http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VRFZQ-One_mans_trash http://feedproxy.google.com/~r/justenoughgovernance/~3/G61FdTLKSow/SJON-7VPFR8-Guess_What_I_Forgot John Kingsley http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VPFR8-Guess_What_I_Forgot http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VPFR8-Guess_What_I_Forgot
Anyway, I have been to the gym dozens of times, but sometimes something gets left off. Have you tried running with a dead MP3 player? It turns out that any manual process, like getting ready to go to the gym or releasing a new update of an application, can occasionally have missed steps. No matter how often you do it, no matter how well documented your procedures are. Missing a step in the gym prep routine isn't usually a big deal. But missing a step in releasing that application can be. I know one of our customers didn't have that single property to Require SSL connection turned on, and ended up having to pay for credit protection for thousand of customers.

I am sure you all have your own horror stories. The moral of the story is if you can automate your release procedures so that you can have a repeatable process where nothing gets skipped, you should. It also turns out we have worked with a lot of companies to do this, and could probably help you as well.
]]> Tue, 08 Sep 2009 07:42:40 +0500 0 Good Practice Build Process Risk http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7VPFR8-Guess_What_I_Forgot http://feedproxy.google.com/~r/justenoughgovernance/~3/3JWE-Acbl5k/SJON-7ULT8Z-Automation_Station Scott Johnsen http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7ULT8Z-Automation_Station http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7ULT8Z-Automation_Station Automation Station

As we have discussed many times on this blog, eliminating tedious manual chores from Lotus Notes Administrators will reduce the chance for errors. We have also discussed how this will allow Admins to work on more interesting tasks. One of the things we don’t talk about much is how adding automation to your repertoire will allow them to deliver a more consistent, agile and auditable service for your business.

According to a recent Analytics Automation survey done by InformationWeek, half of respondents claim to have saved 50% of all full-time employees previously involved in those processes. That’s impressive.

As businesses expand and contract in response to today’s evolving business realities, Admins must find ways to capture, track and analyze changes to applications, ACLs, application agents, etc. This is not an easy task certainly, but it’s critical because understanding those changes is the basis for securing data, improving service levels and meeting compliance requirements. Automation of key tasks can certainly help here.

Finally, enforcement of existing regulations, changes to those regulations and new regulations is very likely to improve. The worldwide financial crisis experienced over the last 2 years and the almost guaranteed overhaul of the health care system in the United States are only two of the reasons we can be sure more regulations are coming and better enforcement of those regulations are likely to occur. As such, the auditable service you provide will become even more important than it is today. Doing so through automation will not only be helpful, it could very well be required!
]]> Tue, 04 Aug 2009 17:31:07 +0500 0 Good Practice http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7ULT8Z-Automation_Station http://feedproxy.google.com/~r/justenoughgovernance/~3/fVs8qeP_O0A/SJON-7U5SKJ-So_You_Think_the_User_Interface_Doesn't_Matter John Kingsley http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7U5SKJ-So_You_Think_the_User_Interface_Doesn't_Matter http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7U5SKJ-So_You_Think_the_User_Interface_Doesn't_Matter opportunity to drive several different vehicles than my normal transportation. I was on my way home and it started to rain, Now how do you turn on the wipers? Is it that dial or on that stick thing? No, that's the rear wiper. Oops, that's the sun roof, not what I wanted on a rainy day. I finally got that thing working.

Now it is getting dark - how do I turn on the lights? It's dark outside and now it's dark inside and I can't even see where a switch might be. But I know if I open the door a light will go on inside - better pull over first before opening that door. Fortunately, the turn signal is one of those things that is consistent for every car (it's the stick on the left side of the steering wheel - you push it down to tell people you are turning left and push it up to tell people you are turning right. I say that because evidence suggests not many people know this.) And you know the other thing that is consistent between cars? The ever intuitive push-and-hold to set your pre-sets on the radio.

The point, is, if your controls are consistent between your applications, it is easier for your users when switching from one to another. And it doesn't really matter that the icon for save is a floppy disk (at least it is a 3.5 inch disc, not a 5 1/4 one!) - people just know what it means. And don't worry - the terminology will eventually catch up (who knows what a Return key did?).
]]> Mon, 20 Jul 2009 16:56:46 +0500 3 Coding Practices http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/SJON-7U5SKJ-So_You_Think_the_User_Interface_Doesn't_Matter http://feedproxy.google.com/~r/justenoughgovernance/~3/EEnvR35cLWU/KFRA-7U2J88-Data-Integrity-Audit Scott Johnsen http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/KFRA-7U2J88-Data-Integrity-Audit http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/KFRA-7U2J88-Data-Integrity-Audit

• Question: Do you know who is accessing and changing vital or sensitive data?
• Comment: Collect the access logs for all critical applications and documents. Design all applications to support document change histories.
  

• Question: Are you confident you know who has access to your high impact production applications?
• Comment: Make sure all application access is regularly audited. Preventing abuse by unauthorized users is the foundation of any data integrity policy. This is outlined in the Security Management policy.

(read more)

• Question: Do you know which applications are being used at all?
• Comment: Abandoned applications may contain sensitive data. Do not let unused applications remain on the server.
  

• Question: Do you have an easy way to deal with replication conflicts that preserve data that would otherwise be lost?
• Comment: Many users just delete a replication conflict when they are discovered. Do not let this to happen as important data may be lost.
  

• Question: Can you be alerted when an error is introduced before a customer or user finds it?
• Comment: Even though notification occurs after the error has occurred, you are in a position to address the issue proactively. Early identification of problems can help you resolve them more easily, and user notification before they realize there is a data issue can result in improved customer satisfaction.
  

• Question: Is your QA environment a mirror of the production environment?
• Comment: During testing is the best time to identify any potential data integrity weaknesses. Use QA to monitor issues in order to keep to a minimum the number of users encountering problems.
  

To sum up: You should start with any new data management policy by first identifying where your existing issues are. While these issues are being addressed, institute the necessary prevention and monitoring changes to help prevent these issues from reoccurring. On the prevention side, a lot can be accomplished with training and application modifications. ]]> Fri, 17 Jul 2009 09:49:04 +0500 0 Application Development Best Practices Coding Practices http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/KFRA-7U2J88-Data-Integrity-Audit http://feedproxy.google.com/~r/justenoughgovernance/~3/k5Tb1Av2aAU/KFRA-7TYQE6-Data-Integrity-Risks-from-External-Systems Scott Johnsen http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/KFRA-7TYQE6-Data-Integrity-Risks-from-External-Systems http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/KFRA-7TYQE6-Data-Integrity-Risks-from-External-Systems

Defined processes for analyzing and assessing whether data integrity requirements have been met

Detailed rollback plans including plans for how to restore integrity of existing data and new data created post-deployment

Coded and tested rollback functionality, if applicable

Documented process for determining if the planned rollback can successfully restore data integrity

Identification of parties responsible for decision making in the event that roll-backs or other drastic actions are required

Upgrades to applications that require data transformations pose similar risks and should be handled with the same level of care.
]]> Wed, 15 Jul 2009 15:05:46 +0500 0 Data Management Risk http://www.governancefornotes.com/blog/governanceblog.nsf/d6plinks/KFRA-7TYQE6-Data-Integrity-Risks-from-External-Systems