Data Security and the Cloud it Rode in on….

A couple of days ago my inbox filled me with intrigue when I saw the email from InformationWeek containing a link to one of their latest articles. The title: “7 Cloud Computing Myths Busted” by Serdar Yegulalp.

Since I’ve written a few articles on cloud computing and I’ve been interviewed for a couple others, I considered this “must” reading. Indeed, it is a very good article. Here, I particularly wanted to talk about Serdar’s myth #2 – Cloud computing is the end of privacy as we know it. This is something we all should be concerned with and – from the looks of data security concerns articles and discussions going around – we are…even if we are often not doing anything more than talking about it.

Cloud Computing and Data Privacy

So, is cloud computing really the end of privacy? Storing data and running apps in the cloud – meaning the apps are being run off of someone else’s server somewhere and your data is being stored somewhere that you likely will never see – doesn’t sound very secure on the surface, does it? Does that make you feel comfortable? No? It shouldn’t. But it isn’t the end of the world and the same prudence with data security that we take when handling data and apps within our own environment should be in place to secure your data outside our environment – it just requires some extra attention and policy adjustments on our part and possibly some extra verbiage in a contract that with the cloud provider of choice.

Mr. Yegulalp states: “What makes cloud computing such a fierce target for privacy advocates is not only the newness of the technology, since every freshly minted technology is a possible privacy suspect. It’s also the fact that cloud computing, on the face of it, can cause a huge degree of aggregation across multiple IT spheres. When you have many disparate things suddenly all under one roof, it translates into “single point of failure” and “all your eggs in one basket.” It’s not your data anymore, either; it’s someone else’s, and whatever happens will happen on his watch. There’s a chance that provisions about your data security aren’t even in the contract you signed.”

He is dead on with that insight. Afterall, most data leaks and theft happen within organizations as inside jobs, so the paranoia we’re all feeling is somewhat justified. And when you start storing your data on someone else’s system, you might not have the law on your side if expectations of privacy become a legal issue.

Our providers of cloud services must be proactive about their handling of data security, it must be built into the contracts you sign and you should be able to expect them to go above and beyond the call of data to make you feel comfortable about the safety of your data. And if you don’t have that comfort level, then move on to the next provider. But it’s up to you to see to it that the cloud services provider you are using is looking after your data. It’s not impossible to ensure this, it’s not impossible for them to maintain the safety of your data…it just takes prudent IT practices and forward-thinking policies.

One example – Mozy, the online backup service provider – addresses security/privacy concerns by allowing customers to provide their own high-grade encryption keys. The backed up data then cannot be read by anyone else – including Mozy. If you leave the service, the key goes with you rendering your left behind data useless to anyone else.

Summary

Cloud computing doesn’t mean the end of solid data security and privacy. It just means – as is the case with just about any new technology – that we will all need to be more aware of what we’re doing, adjust our practices and expectations accordingly and implement new policies that will help to secure our data in these cloud environments and help our cloud service providers to do the same.

Project Management Templates

Over the past several couple of weeks I’ve discussed many project management-related templates and documents that are commonly used. And along the way over the past 10 months there have been a few other templates and documents discussed.

In an attempt to provide a one-stop document to link to all those templates and documents discussed so far, I’m going to pull them all into this article as a list with available links. Hopefully, having the accumulated list available in one place will be helpful to our readers.

Again, not all of these will be links to templates…some will merely be links to documents that have been discussed in greater detail in previous articles.

• Statement of Work
• Project Status Report
• Communication Plan
• Communication Plan
• Risk Management Plan
• Lessons Learned
• Lessons Learned
• Requirements Traceability Matrix
• Market Analysis
• Project Management Methodology
• Quality Management Plan
• Project Request Document
• Project Charter Document
• Business Case Document
• Change Order Request
• Change Order Request
• Resource Request
• Onsite Visit Progress Report
• Procurement Plan
• Lessons Learned Survey
• Disaster Recover Plan

Summary

As discussed in most of these articles, if having the actual template in a Word doc format would be helpful, just let me know and I’ll be happy to send it to you if I have it. In some cases, I may be able to send you an actual example document from a real project allowing you to better see how I’ve populated some of the information with meaningful data. I’ll revise and republish this article as I make more templates and documents on these and similar topics available that I think would be useful to our readers.

The Importance of Testing

Any IT solution that is implemented without the proper amount of testing performed throughout the project is a definite recipe for disaster. Testing is an ongoing process – both formally and informally. It happens in development, it happens in the actual testing phase, it happens just prior to deployment and it happens post-deployment.

In his book “Project Management Nation”, Jason Charvat discusses the importance of testing throughout an engagement and identifies the different types of testing that we usually carry out in both informal and formal processes. By sharing this information here, I am not fully endorsing it, however I do find it interesting and likely beneficial to our readers.

The Importance of Testing

Without a well-thought testing effort, the project will undoubtedly fail overall and will impact the entire operational performance of the solution. With a poorly tested solution, the support and maintenance cost will escalate exponentially, and the reliability of the solution will be poor. Therefore, project managers need to realize that the testing effort is a necessity, not merely as an ad hoc task that is the last hurdle before deployment.

The project manager should pay specific attention to developing a complete testing plan and schedule. At this stage, the project manager should have realized that this effort would have to be accommodated within the project budget, as many of the testing resources will be designing, testing, and validating the solution throughout the entire project life cycle—and this consumes work-hours and resources. The testing effort begins at the initial project phase (i.e., preparing test plans) and continues throughout until the closure phase.

Testing Criteria

It is essential to conduct tests under realistic conditions. Often times the testers on a project deliberately go out to destroy the solution during the testing phase in order to do a proper test. Some sensible ground rules for acceptance testing are necessary and need to be established before any testing commences. Typically, some of these rules should include the following:

• Using real data and real operators.
• Test the solution as the developers build it. This way, errors can be corrected immediately.
• Involve project members who understand design and user specifications.
• Determine what is included within the test and what is not.
• Involve users of the project who know how the system will be used.
• Test to see that interfacing the new solution to the current infrastructure has no unexpected consequences.
• Allow time for repetition of those unsatisfactory test results in the project schedule.

Types of Testing

There are many different types of testing that can take place on an IT project, and the project manager must verify exactly which tests will be required and when. Below is a list of the most common types of testing that usually encountered on a project:

Detailing the Project Management Audit Process

Diving a little deeper PM audit process as described in the book “Information Technology Control and Audit”, we will look at the audit planning, the actual PM process review, the act of working with the PM and team to identify risk, and the communications necessary to ensure that the audit process is as successful as possible.

Audit Plan

The audit plan will detail the objectives and the steps to fulfill the audit objectives. As in any audit, a project management audit will begin with a preliminary analysis of the control environment by reviewing existing standards and procedures. During the audit, these standards and procedures should be assessed for completeness and operational efficiency. The preliminary survey should identify the organization’s strategy and the responsibilities for managing and controlling development.

Project Management Process Review

A project management process review would assess the adequacy of the control environment for managing projects. The review points listed represent checkpoints in the project management process. Auditors can use these checkpoints to determine both the status of the project’s internal control system and the status of the development project itself. These reviews eliminate the necessity of devoting large amounts of audit resources to the development effort. As long as the development process is well controlled, the need for audit involvement is minimized.

Project Management

Auditors may assist the project manager in identifying project risks and evaluating plans to mitigate and manage risks (e.g., training, devoted resources, management support, and end-user commitment). Auditing can provide management with an independent review of project deliverables (e.g., project charter, task list, schedule, budget). Auditing may also review the project task list and budget to verify that all project tasks are defined and all milestones have a deliverable.

During the planning phase the auditor can facilitate communication between functions and raise issues that may impact the quality or timeliness of the project. In a development project, resources from various departments need to come together to implement an automated process that may affect multiple user functions. Because of various audit projects, auditors develop an overall knowledge of the organization and establish relationships in multiple departments. These relationships are helpful in a development project for making sure information is flowing between the development team and other functionaries. Consider the following groups:

• Primary users
• Secondary users
• Vendors and consultants
• Programmers and analysts
• Database administrators
• Testing teams
• Computer operations
• Interfacing systems
• Implementation team
• Production support (i.e., maintenance programmers)

Verify that adequate resources are assigned responsibility for tasks and have the time to complete assignments. This includes development, computer operations, user, and support functions (e.g., help desk).

Communication

The first area to communicate is the auditor’s role in the systems development project. It is very important to make sure that the management and development teams’ expectations of the auditor’s role are understood and communicated to all participants. In order to influence the systems development effort, the auditor must develop an open line of communication with both management and users. If a good relationship between these groups does not exist, information might be withheld from the auditor. This type of situation could prevent the auditor from doing the best job possible. In addition, the auditor must develop a good working relationship with the manager, the analysts, and the programmers. Although the auditor should cultivate good working relationships with all groups that have design responsibilities, he or she must remain independent.

Recommendations

Throughout the development project, the auditor will be making control recommendations. Depending on the organization’s culture, these recommendations may need to be handled informally by reviewing designs with the project team or formally by presenting recommendations to the steering committee. In either case, the auditor must always consider the value of the control recommendation versus the cost of implementing the control. Also, recommendations should be speci?c, identifying the problem and not the symptom. This allows the proper controls to be implemented and tested.

Recommendations are often rejected because of a time and cost factor. Managers may sometimes feel that implementing an auditor’s recommendations will put them behind schedule. The auditor must convince management that if the recommendations are not implemented, more time and money will be spent in the long run. Informing management of the cost of implementing a control now rather than shutting down the system later to repair it or leaving possible exposures open will help convince management of the need to spend time and money now.

More on Project Communications Plans

As I’ve been stating recently, I feel it is necessary that both new and old project managers have access to as many potential processes and templates as possible – especially those working as consultants that may be acting outside of PMOs with their own processes and governing policies.

I’ve previously posted the article entitled “The Project Communications Plan” and have supplied actual communications plan documents to many readers over the past few months. The offer still stands – email me if you want a copy.

Carl Pritchard presents nice information on the details and uses of the project communications plan in his book “The Project Management Communications Toolkit.” For the benefit of our readers – mainly to give you different perspectives and templates to choose from, I am presenting Mr. Pritchard’s outline below.

The Communication Plan Defined

Purpose

The communications plan provides direction on which stakeholders should be discussing project business with which other stakeholders, the tools they should use, and the degree to which they should be sharing, documenting, and storing that information. Because of the number of stakeholders involved in a single project and their diverse roles, the communications plan orchestrates project communication through a cohesive approach to information sharing. It is a critical deliverable to the planning process.

Application

The communications plan is shared openly with all internal project stakeholders to help them understand how they should communicate and with whom. For external project stakeholders, the communications plan is normally filtered to present information only germane to their role and use.

Ideally, the list should be built in a spreadsheet program that allows the user to filter stakeholders by communications modes, contacts, frequency, or other category as appropriate.

The communications plan should reflect communications as dictated by the contract, memorandum of understanding, or statement of work, as well as any other protocols that became self-evident during the project’s evolution. Different project participants will use the communications plan in different ways:

• The project manager uses the communications plan to ensure that the various stakeholders are aware of their communications responsibilities to each other and to the organizations.
• Team members use the communications plan as a combination contact list and guide, with an interest in the types of communication preferred by the various users.
• Senior management and customers may use an abridged version of the communications plan to be clear on when to expect certain reports and documentation, and for contact information on their primary points of contact.

Content

The communications plan is a matrix of information, normally built in a spreadsheet program with the following data:

• Stakeholder name
• Primary contact
• Secondary contact
• Telephone
• E-mail
• Postal mail address
• Preferred communications mode
• Best time
• Frequency of communication

Because it is built in a spreadsheet format, the communications plan can be sorted and reordered in a variety of ways. If the types of communication (status reports, team meetings) are most important, they may be the first column, followed by frequency of communication and stakeholders (recipients and attendees, respectively). If physical proximity is an issue, the primary consideration may be the postal mail address, which can be sorted to determine which stakeholders are in common regions or locales.

Because communications breakdowns are frequently rooted not in miscommunication, but by a lack of communication, the notion of the “best time” for meetings, reports, contacts, and phone calls is crucial. If certain team members can only attend project meetings before 3 p.m. because of personal concerns, the project communications plan should highlight those interests. If a customer is never available before 10 a.m. for phone calls, such concerns should be noted as well.

Approaches

The communications plan is one of the most publicly available of the project documents. Because it serves as the framework for open communication among team members, the customer, and other stakeholders, complete and abridged versions of the document may exist, depending on the audience. If varying versions are used, some form of version control (e.g., 1.0 = complete plan, 1.1 = customer abridged, 1.2 = management abridged) should be applied.

The communications plan serves as more than just a phone directory. It provides information on the communications sensibilities and sensitivities of all of the personnel involve.

Considerations

While the plan is widely available, some stakeholders are proprietary about their contact information, and those concerns need to be respected. The communications plan should not become a medium for those who wish to broadcast information randomly to all project parties. It should be used to focus communications on an as-needed basis.