Computer Weekly readers have their say
Heed the IT disaster project warning flares
I read Stephen Castell's article about project disasters through failed relationships with suppliers (Computer Weekly, 13 September) with interest.
The eight warning flares he lists are ignored at your peril. The most frequently ignored one is the need for an adequate statement of requirements.
For example, some years ago I was in a software house, developing a system. We were only allowed to talk to a certain level of management about it. In the course of discussion we asked how foreign currency was dealt with, and were told they didn't deal in it. On the first day of testing, the users asked, "How do we handle foreign currency?"
My next example concerns a project that was handled by the book. I set up the project group, and had great co-operation from the parties concerned. Similar sites were visited, computer houses were contacted, given our requirements, and reported back with their recommendations
The companies all suggested the same approach, apart from one small firm, which recommended an old-fashioned approach. The report was submitted to senior management, with recommendations. These were ignored and the small firm given the contract, without any further checks and against strong protests. After six months nothing had been produced that worked and the small company went out of business.
These examples show that you ignore the procedures at your peril, but even if you follow them, ignorance can still cause disaster.
Peter Windle, Unix systems administrator
Joint effort is paying off for Scottish councils
I was pleased to read the article "Councils share cost of monitoring" (Computer Weekly, 30 August), which looked at a performance management project being carried out by a group of 10 Scottish councils. I head up this consortium of councils and we are encouraged with the way in which the project is progressing.
It is always great to see articles in Computer Weekly informing its readership about the positive projects being carried out in the public sector. However, I feel that the article suggests we are further along than we are.
While we are very pleased with the system implemented by Aspiren, the performance improvement in processing claims referenced in your article has been achieved with a great deal of hard work over the past three years by East Lothian's housing benefit staff.
Over the coming months, Aspireview will help us to reduce the claim process to our target of just 20 days, a 33% improvement on the gains already achieved. We are also not quite at the stage where reporting to the Department for Work and Pensions is fully automated. We are working on this phase of the project at the moment and will be submitting reports electronically within the next six months.
I would also like to reiterate the complete involvement of our IT staff in this project, who have at no stage been bypassed. The system avoids burdening them with extra work rather than avoiding them altogether.
Colin Shand, Head of revenues and IT, East Lothian Council
Applying copyright law to open source software
John Kavanagh could be spreading the meme that "a firm does not hold copyright, and any changes to open source software must be contributed to the community" (Computer Weekly, 13 September).
The first claim contradicts copyright law: in the absence of a contract, copyright rests with the author. The second claim is also inaccurate, as any software with a requirement like that is neither open, according to the open source definition, nor free, according to the free software guidelines. Both the OSD and the FSG require that a user be licensed to do whatever they like for their own use with no restriction. The basic premise is that open source or free software is like a book: you can do what you like with a legally acquired copy. Restrictions only apply when you do things that infringe copyright law, like making and giving away copies.
Anthony Youngman, Chelsea
Do contractors offer better value for money?
Your article on pay rates (Computer Weekly, 6 September) doesn't mention how to cope with multiple agencies putting the same job on multiple job boards on multiple days. Anyone who observes job boards must realise this is a problem.
The article also mentions that contractor payments are twice the rate of permanent salaries. In fact if you add hidden costs like bonus, pension, employers national insurance, recruitment fees, cost of HR, accounts and payroll departments, taxes and holidays/sickness, a contractor is better value and more flexible.
'Data shredding' in storage media
In response to the article "Disc's data shredding function could aid regulatory compliance" (Computer Weekly, 6 September)
I was surprised to hear Plasmon's data shredding function was "an industry first" as we have been offering similar features for over a year. Although we are happy to see other suppliers recognising the need for secure data deletion, we would like to highlight the pitfalls of deletion occurring at device level.
The first is the assumption that "data shredding" is actually possible. It isn't. Once data is written on a storage device, it is essentially indelible.
The second is the fact that as data moves through its lifecycle, several copies of the same data end up on different media. Deleting only one copy does little to reduce the risk of exposure.
As your article mentioned, many industries require that certain data be destroyed, often years after it was created. But relying on the storage device to destroy data assumes we know where it is. Most firms don't.
The only way to ensure each data copy is destroyed is to encrypt the data before it reaches the storage device and attach an encryption key. To "shred" the data, you delete its key. As the data's default state is encrypted, there is no need to locate each copy. Destroy its key and no one will ever be able to read the data.
While we applaud any solution that makes it easier to control information, users rarely know or care which media their data will end up on. It is far better to have security, and destruction, built into the data, so firms can be sure they have full control over data, even when it is time to "shred" it.
Ziv Navoth, Decru
On the effectiveness of patching strategies
In response to the article "Mobile adaptive security systems - why a patch in time saves money and effort" (Computer Weekly, 30 August)
Phil Cracknell's article gave a good insight into the difficulties and dangers of various patching strategies. However, the IDS/IPS solution suggested is flawed. Patching without effective network discovery technology or clear prioritisation of assets is like applying plasters with a blindfold on: you will have some success, but will also end up with many uncovered areas, wasting both time and plasters.
Strategically, patching is most effective once there is a real understanding of the total scope of the problem, using effective discovery technology. Doing anything other than that will create more work, with uncertain improvements in the company's overall risk status, and at too high a total operational cost. This inefficiency is caused by a lack of observational context - in other words, finding the "wounds" and assessing their severity.
Active discovery technology provides the observation needed, but it is the context-sensitive analysis that delivers the critical "triaging" function. The goal is to create a system that adapts to the changing threat but only as it pertains to the severity of wounds. It is this orientation - of vulnerability to threat - that delivers the actionable intelligence desperately needed by today's IT countermeasures.
IT directors must take a more proactive approach to network security. Waiting for hackers to find vulnerabilities and suppliers to respond with patches is n0t enough to protect resources.
The best security strategy involves addressing security vulnerabilities before hackers find them. It also involves gaining better observation and orientation of your target surface to the threat and applying appropriate countermeasures prior to attack or incident.
Tim Keanini, chief technology officer, nCircle