SECURING BUSINESS INTELLIGENCE

EVOLVENT MAGAZINE, SUMMER 2005

Business Process Management: An Evolvent Case Study

Records Management — Integration with Email

The Value of Security Performance Measurement



Thought Leadership

Evolvent offers a variety of Thought Leadership publications. For information on these publications, please visit www.evolvent.com or call the Marketing Department at 703.379.2146. To be added to our mailing list, email [email protected].

Welcome to our new Partners


IN THIS ISSUE:

Extracting Value from IT
Bill Oldham, Chief Executive Officer, Evolvent

Welcome to the New Evolvent Technologies
Bill Oldham, Chief Executive Officer, Evolvent

Business Process Management: An Evolvent Case Study
Geoff Howard, Chief Technology Officer, Evolvent

Records Management — Integration with Email
Paul Ramsaroop, Chief Operating Officer, Evolvent
Ben McEachin, VP of Strategic Programs, Evolvent

The Value of Security Performance Measurement
Guy Sherburne, VP Security Practice, Evolvent

Next Steps in Content Management – Concept Searching
Colonel Stephen M. Wolfe, USAF, MSC, DBA, Director, Operations Directorate & Chief Knowledge Officer

Multi-Dimensional Report Cards: The Rest of the Story
Dutch Holland and Henry Lieberum, Holland & Davis LLC

Agile Development
Geoff Howard, Chief Technology Officer, Evolvent

Wireless Security: Repeating Past Security Mistakes?
Guy Sherburne, VP Security Practice, Evolvent

Evolvent Magazine
Summer 2005

Editors
Jennifer Cupka
Stella Ramsaroop

Contributing Writers
Bill Oldham
Geoff Howard
Paul Ramsaroop
Ben McEachin
Guy Sherburne
Col. Stephen M. Wolfe
Dutch Holland
Henry Lieberum

[email protected]

Evolvent Magazine, published by Evolvent Press

Statements contained herein may constitute forward-looking statements that involve risks and uncertainties. Due to such uncertainties and risks, readers are cautioned not to place undue reliance on such statements.

Copyright © Evolvent, 2005. All rights reserved.

BILL W. OLDHAM
CEO

Extracting Value from IT

July 2005 – Washington, DC

Welcome to the Summer 2005 Evolvent Magazine!

“Extracting Value from IT: Better Process, Better Results”… This issue of our magazine is focused on increasing the business value derived from information technology projects through a focus on better processes. Covering areas of innovation such as records management, business process management and security performance measurement – this magazine offers thought-provoking and insightful research for the federal and commercial customer.

Business Process Management (BPM) has begun to evolve beyond the cottage industry and early-stage products of the last few years to have real, enterprise-class solutions. In this issue, our analysts and engineers present a case study of a BPM implementation.

Evolvent’s growing practice in Records Management (RM) also contributes an article on the issue of email integration with RM solutions and the policy and process issues involved.

Evolvent’s Information Security practice lead, Guy Sherburne, focuses on the need for and the development of a security performance measurement model – building on the theme that true security requires an integrated approach with performance measurement and quality management for a best practices result.

Our first guest article in this edition is contributed by Colonel Stephen M. Wolfe of the Air Force Institute for Operational Health focused on the innovations of concept search technologies and the impact of dynamic, detailed taxonomies on information management and retrieval.

Next, long-time partners and recurring contributors, Dutch Holland and Henry Lieberum, contribute an essay on multi-dimensional report cards and their insights into how to use these instruments to the best effect.

Evolvent’s software development leaders have also collaborated to present an opening article in a series on “agile development,” building on the theme that better processes in system development can reduce costs and improve results.

We have tried to focus these essays on innovations in technology and process and explore new ways of thinking about technical problems to spark renewed creativity for the federal government and commercial customer.

On a personal note, as the CEO of Evolvent, our customers and associates alike continue to share with me their difficulties implementing information technology solutions. The imperative to extract greater value from shrinking IT budgets and still ensure that technology continues to create value for the enterprise is a challenge to all of us who deal with IT on a daily basis. Our belief at Evolvent is that new solutions, new processes and new ways of thinking about business problems empower those of us in the technology trade to really make a difference for those we serve.

We hope you enjoy this edition of the Evolvent Magazine and look forward to working with you in the coming months.

Best regards,

Bill W. Oldham
CEO


Welcome to the New Evolvent Technologies

For the last five years, change has been a celebrated constant for the Evolvent Technologies corporate family. The physical characteristics have changed a great deal from the basement office in one of our original founders’ D.C. townhome to our present corporate suite in Falls Church, Virginia and satellite offices in San Antonio, Texas and Charleston, South Carolina. However, the more important changes have been the expansion of our capabilities and the constant focus on our clients’ mission requirements.

As leaders in the fields of information assurance and enterprise information management, our Evolvent associates look at the business problems of security and business intelligence from a fundamentally mission-oriented perspective. How we build better information systems that are more secure and more information-rich are critical business problems for our clients in the federal and commercial sectors, and they require us to think not just about technologies but the people and processes involved as well.

On June 30, the Evolvent family changed again as Paul Ramsaroop, Doug Stock and I purchased the remaining shareholding of founding stockholder Peter Ramsaroop. The culmination of a buyout process that began in January 2004 with the buyout of Roger Stull was completed as Paul, Doug and I joined forces with several new financial partners to take Evolvent to the next level.

Paul serves as President and Chief Operating Officer and will continue to lead our delivery organization. Responsible for the growth and development of our enterprise information management expertise, Paul brings a unique blend of technology fluency and business acumen to the solutions Evolvent provides. It has been a pleasure building Evolvent with Paul and our founders, and I look forward to continuing our successes together.

Paul and I would like to welcome the addition of Doug Stock to the executive team and as a partner for the development of a truly world-class federal IT services company. Doug will become Executive Vice President and assist Evolvent in all areas of developing and growing the business. An executive with more than 25 years of corporate experience, Doug brings an extraordinary professionalism and customer focus to our leadership team.

Three other individuals have played and continue to play a vital role in the development and growth of Evolvent:

Ben McEachin, Vice President of Strategic Programs. As a retired Chief Master Sergeant, Ben has spent over 26 years in the United States Air Force serving at the White House, Office of Information Security Policy for National Security Council and the Pentagon. He holds an M.S. degree in Information Technology from the University of Maryland University College and holds the Chief Information Officer (CIO) certification from the General Services Administration.

Guy Sherburne, Vice President, Security Practice and Chief of San Antonio Operations. Guy is responsible for the development, implementation and maintenance of DoD security service contracts. He previously served as Senior Systems Security Engineer at PEC Solutions, Inc. and as Senior Systems Analyst at Troy Systems, Inc. Before that, Guy served 26 years in the USAF, including serving as Chief Security Inspector for the NSA Inspector General and Chief Security Inspector for the Air Intelligence Agency Inspector General. His accomplishments encompass CENTCOM Special Security officer for Operation Southern Watch, the evacuation of South Vietnam, and NASA’s Apollo-Soyuz mission (first joint U.S. and Soviet space docking mission) post-launch debriefing, and he was named Strategic Air Command Information Security Program Manager of the Year. Guy has certifications in Information Assurance Management, SCI Security Management, and Force Protection Management. Guy holds a Bachelor of Science in Computer Information Systems from Park University in Missouri.

Geoff Howard, Vice President and Chief Technology Officer. Geoff has a diverse background covering technology, management and science over more than 10 years. Geoff’s technical experience covers all aspects of software architecture and development with a focus on internet technologies, and includes security, hardware and networks. His experience on varied complex projects has led to an ability to apply technology and best practices effectively to accomplish business and mission objectives. Geoff holds a B.A. in Physics from Cornell University.

Now that you have met our leadership team, what are our goals for the future? Our goals are simple:

For Our Customers, Evolvent will:

• Build and maintain technology solutions for the federal customer that improve the operating practices and capabilities of the customers we serve

• Provide “best practices” solutions for each and every customer

• Provide clear and measurable “value-add” to our customer’s mission

• Provide customer-focused, expert professionals

For Our Associates, Evolvent will:

• Provide professional corporate support and direction

• Provide opportunities for professional growth and training

• Develop and maintain a Career Enhancement Plan for every associate

• Provide a compensation and benefits package in the top 25% of the industry

For the Company, Evolvent will:

• Maintain excellent past performance ratings with all clients

• Achieve low turnover of associates

Finally our Mission… Evolvent Technologies’ mission is to provide federal customers with innovative technology solutions in enterprise information management, knowledge management, information assurance/cyber security, and support services. Our associates are customer-focused, knowledgeable professionals with a commitment to excellence in support of the customer mission. Our corporate team strives to provide associates and customers alike the resources and training to create success stories in every effort. Our commitment is to make a positive difference for the organizations we serve.

BILL OLDHAM

Chief Executive Officer
Washington, DC

See Evolvent at:

48th Annual AAMA ConferenceNovember 10–12, 2005 at the Riviera Hotel and Casino, Las Vegas, NV

2006 Annual HIMSS Conference February 12–16, 2006 in San Diego, CA • For more information about our receptions for members of the MHS, please call the Evolvent Marketing Department at 703.379.2146

2006 Tricare Conference January, 2006 at Marriott Wardman Park Hotel, Washington DC

Business Process Management
An Evolvent Case Study

By Geoff Howard, Chief Technology Officer, Evolvent

In an early attempt at a woodworking hobby, I decided to make a piece with a simple concave curve. I had an old inherited wood plane and set about shaping a raw block of wood with it. After several frustrating hours, I finally concluded that I did not know what tool was right for the job, but I did know that I did not have it. While it may have been technically possible to finish the way I had set out, it would have taken far more time and effort than necessary. Though there were several right tools to choose from (in a wide range of prices), there were clearly many wrong ones.

Integrators and developers have to be just as careful in their choice of tools. Evolvent associates recently were tasked to develop a correspondence and action tracking and management system tailored for a particular agency. The task was daunting: high expectations, tight budget, critical need, short timeline and changing requirements. Thankfully, we had experience with the right tools – a class of software typically known as Business Process Management (BPM).

Though the original task called for no additional software, we recommended a COTS tool. While we may have been able to save some money building from scratch, the project would have had a much greater risk of failure. To paraphrase an old adage, it is unwise to pay too much, but it is worse to pay too little. For if you spend too much, you lose some money, but if you spend too little, you waste all the money and still do not have what you need.

Case Summary

The agency had been using a system based on Outlook Task and Microsoft Binder, routing tasks from Assignment to Draft to Coordination to Final Response. It had become universally clear in practice that this system was the wrong tool for the job. A large percentage of tasks were completed late. Tasks were often misrouted or lost. The system was tedious to use and time-consuming to learn so that mistakes were commonplace. Management had no ability to report on the status of even individual tasks. Finally, because the existing system could not be used from outside the office, the staff had no way to complete their work remotely.

The goals identified by our engagement included:

■ Comprehensively replace the functionality of the existing Outlook Task based system

■ Route, track, and display current status of each individual task

■ Automate the “up the chain” portion of routing tasks (so the assignee is not expected to remember every step of the routing process above them)

■ Decrease time spent on management of workflow process

■ Decrease training required for new staff

■ User-friendly and intuitive graphical user interface (GUI)

■ Web-based and integrated with the enterprise intranet

■ Common log-in with the enterprise intranet

So why was a BPM tool the right choice? Most of today’s BPM software provides Business Administrators with a framework and powerful tools for quickly designing and modifying the flow of work through a process. Designing a workflow still requires some technical skill sets, but a skilled user or integrator sees enormous productivity gains in many aspects of building a workflow application. As a result, we were able to quickly adjust to needs as requirements were refined, added, and removed during development. For example, a key project stakeholder introduced a significant new set of steps several days before our scheduled launch. Because of the flexibility provided by the tool, we were able to meet his request by the end of the day.

By leveraging the BPM framework, we were able to deliver many key features quickly with a very small team:

■ Log correspondence received from internal and external sources

■ Assign and route the correspondence to the responsible office, or a specific user for follow-up action

■ Assign due dates for various stages

■ Route the correspondence response to one or more office(s) with collateral responsibility or to customer leadership for review and feedback

■ Provide coordination input

■ Approve and sign the prepared response documents

■ Add comments

■ Attach electronic documents

■ Access comments and documents attached by other users

■ Track the status of the correspondence items using both audit trails and an intuitive graphical “map” updated in real-time for each process

■ View the audit trail of active and completed (archived) process instances

■ Report on correspondence processed with the application


Challenges and Lessons Learned

Perhaps most important in undertaking a BPM application to digitize any business process is to incorporate the right balance of structure and flexibility into the finished process. Too much flexibility can be confusing to users and rob the system of its power to enable and enforce business rules. Too little flexibility will make the system impractical to use in real-world situations.

Even with the right tools, of course, BPM projects are not without the challenges expected in any enterprise project. The ease with which workflow routing can be changed puts an added burden of flexibility on developers coding the back-end business logic. We have found it critically important to ensure that the developers not only understand the current requirements but also have a clear idea of how those requirements could change as the project meets real-world use.

Integration with existing systems is also an area requiring special attention, skill, and planning. In this latest project, we found that the integration of user accounts through LDAP required some re-work of existing systems to address the new intended uses.

Our experience with in-depth COTS deployment, integration, and customization shows that most customers find some out-of-the-box functionality is not desired in their implementation. Sometimes streamlining or removing confusing and unused features is as critical to a project’s success as any requirement. We recommend specifically dedicating time to evaluating all such features and either correcting them or working them clearly into the training.

Conclusion

Many federal agencies are struggling to meet the same challenges in managing correspondence and action tracking. With the right tool, quantitative performance improvements can be realized, and effective management can flow from visibility into the state of the system.


Records Management — Integration with Email

Paul Ramsaroop, Chief Operating Officer, Evolvent
Ben McEachin, VP of Strategic Programs, Evolvent

Problem Statement

■ Email is vital to the operations of virtually all organizations – public or private sector – and contains much information that is subject to records management policy, yet the retention strategy, business processes, and technological capability for most organizations remain in a state of flux.

Electronic mail (email) frequently includes information, transactional data, or other content that is subject to records management policies and federal legislation or protocols established internally or by the National Archives and Records Administration (NARA). Email storage/retention and archiving strategies are thus increasingly integral to the problem of records management in general.

■ Email is the “long pole in the tent” of records management, subject to many regulatory requirements yet also subject to difficulties regarding compliance.

Functional Requirements Evidence

Evolvent’s team of analysts and consultants has been gathering evidence of the business processes and records management capabilities of major organizations and departments to determine the strategic needs and pitfalls of establishing enterprise-wide electronic records management capabilities. In this process, several key points for the consideration of email integration in particular have been apparent:

■ Training:

o Records Officers typically have had very little training in the discipline and requirements for the role.

o Experienced Records Officers may also suffer from little ongoing training and resources.

■ Business processes with respect to records management varied widely. For example:

o Training of records officers varied in process and content from group to group.

o Communications of records management requirements and compliance varied in process and content from group to group.

o Technology solutions had been considered and in some cases adopted by various groups in an attempt to comply with records management requirements, leading to an integration challenge for future efforts.

■ Communications:

o Few Records Officers were aware of the push towards Electronic Records Management even though organizational leaders continue to provide policy documents stressing compliance issues and the importance of ERM.

■ Ad Hoc Staffing:

o Records Officer duties are frequently an additional duty for which personnel are not compensated or trained.

o Records Officers that perform this function part-time said the requirements are more than a person can handle on a part-time basis.


Given the scale of most federal organizations and the volume of email messages likely to be considered “records” and subjected to compliance, it is clear from Evolvent’s analysis that training, communication, and ongoing technology & policy support will be critical to the successful development/deployment of an electronic records management capability for most agencies. Records Officers interviewed perceive several current document or content management systems as their records management system. These systems, however, provide no retention or disposition instructions for documents housed therein. Many Records Officers interviewed stated that while it would be great to have an electronic records management system, it must be able to integrate with current business systems. Evolvent’s research and functional requirements gathering is in process and the firm is seeking further information regarding integration requirements and in particular, our analysts are focused on uncovering the business processes which would need to be supported.

INTEGRATION OPTION 1: External Records, managed by Enterprise Record Management System (ERMS)

In this option, records exist completely outside the system and the ERMS is given a pointer to the external object’s location – whether physical or digital. The record’s retention and disposition lifecycle is then prompted by the ERMS and actions must take place manually.

INTEGRATION OPTION 2: External Data, copied into ERMS as Record

In this option, the ERMS is given a digital copy of a record or part of a record, which must continue to exist in some other system or physical location. The ERMS then manages its copy, leaving external systems free to use the original data as they normally do. This reduces the integration to a one-way “push” of information, most likely at the time of creation.

INTEGRATION OPTION 3: Tight integration with ERMS

In this option, the ERMS directly retains and manages the primary data or file, and external systems interface with records and document data through the ERMS Application Programming Interface (API) or its out-of-box front-end.


Prototype Capability and Integration Alternatives

Evolvent’s prototype solution for records management is based on integrating the Stellent Records Management product and its capabilities in three major conceptual integration alternatives.

Strategic Considerations

All three of these strategies may have a place over time, and all can work in parallel with different groups of data if desired.

Obviously, the tighter the integration, the better the ERMS can assist in compliance with retention and disposition schedules. However, even the lightest integration is superior to the manual and fragile procedures many organizations are utilizing to manage records now, which may not provide any tools for compliance.

Each of these scenarios may apply to the management of email records subject to policy and goals. Stellent provides turnkey integration with the Outlook mail client which enables end users to easily copy emails, attachments, or both, as records. Various implementation strategies can be deployed to allow relatively simple choices for end-users who are not trained Records Managers. It may also be possible to specify system-wide rules for email handling to automatically add types of email traffic in the proper records series. This option corresponds to a mail-client focused version of Option 2 above and would be more appropriate to enable compliance with an email retention policy that requires intelligent distinctions to be made between types of email that need to be retained and the proper classification of those records.

Other options for email integration more suited to a retention policy targeted at all emails received or sent would require integration at the Exchange server, where exchange data at some granularity would be automatically registered with (strategy 1 above) or copied to (strategy 2 above) the ERMS system. In practice such an attempt at a blanket retention policy would likely prove to be unsustainable for an organization the size of most federal agencies. One option would be to couple a selective retention policy with a retention of whole or partial backups of the Exchange system data.
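The rule-driven, selective capture described above (Option 2, a one-way push of a copy into the ERMS) can be sketched as follows. This is an added example, not Evolvent's or Stellent's code: the records series, retention periods, rules, addresses and the `Erms` class are all hypothetical, and the two messages are constructed samples.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Hypothetical records series and retention periods in days (assumptions,
# not taken from any real agency schedule).
RETENTION_DAYS = {"CONTRACTS": 6 * 365, "PERSONNEL": 3 * 365}

# System-wide rules: (series, header to inspect, lowercase substring to match).
RULES = [
    ("CONTRACTS", "subject", "contract"),
    ("CONTRACTS", "subject", "task order"),
    ("PERSONNEL", "to", "hr@"),
]

# Constructed sample messages.
SAMPLE_CONTRACT = (
    "From: co@agency.example\n"
    "To: vendor@supplier.example\n"
    "Subject: Signed contract modification 3\n"
    "Date: Mon, 06 Jun 2005 09:30:00 -0400\n"
    "Message-ID: <c1@agency.example>\n"
    "\n"
    "Modification attached.\n"
)
SAMPLE_LUNCH = (
    "From: a@agency.example\n"
    "To: team@agency.example\n"
    "Subject: Lunch on Friday?\n"
    "Date: Mon, 06 Jun 2005 11:00:00 -0400\n"
    "Message-ID: <l1@agency.example>\n"
    "\n"
    "Usual place.\n"
)


@dataclass(frozen=True)
class Record:
    series: str
    message_id: str
    sha256: str            # digest of the copied bytes, for integrity checks
    received: date
    disposition_due: date


def classify_email(msg):
    """Return the first matching records series, or None if not a record."""
    for series, header, needle in RULES:
        if needle in (msg.get(header) or "").lower():
            return series
    return None


class Erms:
    """Minimal stand-in for the ERMS side of the one-way push."""

    def __init__(self):
        self.store = {}    # message_id -> (Record, copied bytes)

    def push(self, raw):
        msg = message_from_string(raw)
        series = classify_email(msg)
        if series is None:
            return None    # selective retention: not every email is a record
        data = raw.encode("utf-8")
        digest = hashlib.sha256(data).hexdigest()
        # Fall back to the digest when the message carries no Message-ID.
        mid = msg["Message-ID"] or "sha256:" + digest
        if mid in self.store:
            return self.store[mid][0]   # re-push does not create a duplicate
        received = parsedate_to_datetime(msg["Date"]).date()
        due = received + timedelta(days=RETENTION_DAYS[series])
        rec = Record(series, mid, digest, received, due)
        self.store[mid] = (rec, data)
        return rec

    def verify(self, message_id):
        """Recompute the digest of the stored copy and compare."""
        rec, data = self.store[message_id]
        return hashlib.sha256(data).hexdigest() == rec.sha256

    def due_for_disposition(self, today):
        """Message-IDs whose retention period has run out by `today`."""
        return sorted(r.message_id for r, _ in self.store.values()
                      if r.disposition_due <= today)
```

Because the ERMS manages only its own copy, the stored digest is what lets a later audit show that the retained record still matches what was pushed at capture time.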

Summary

Evolvent’s practice in records management continues to uncover processes and technological dependencies that shed light on the integration and policy requirements of true enterprise-level RM. Our consultants continue to find new strategic considerations and nuances that can be leveraged to assist the federal sector in its records management initiatives. For more information, please visit www.evolvent.com ■


THE VALUE OF SECURITY PERFORMANCE MEASUREMENT

Guy Sherburne, VP of Security Practice, Evolvent

The benchmark of a leading-edge organization is their successful implementation of a performance measurement process that ensures customer confidence, protected information, increased performance, and improved return-on-investment (ROI). The security performance measurement process should support the organization measurement process and include each security discipline – Physical Security, Personnel Security, Information Security (data protection), and Cyber Security, also referred to as IT Security, Information Assurance or Information System Security. A security performance measurement process enables activities to evaluate the effectiveness and efficiency of their programs, processes, and people and to drive improvements and productivity, translating strategy into action. The Cyber Security profession is under ever-increasing scrutiny and pressure to deliver high value to its customers with limited resources. Now, more than ever, our customers are demanding a visible return-on-investment for each dollar invested in security. Adding to the difficulty is the capability to identify security benefits when security incidents do not occur—how much security is necessary for protection? The absence of incidents or threats does not equate to an effective security process. In over thirty-five years of Department of Defense and corporate security work, in all recognized security disciplines, I discovered that to have success in a security process, you need to comprise a structured method of measuring your success or failure in implementing the process. Without a structured performance measurement process, the level of security hinges on guesswork – best estimates. A business or process that works on guesswork is doomed to failure.

According to a KPMG 2002 Security Survey, “only 43 percent of those responsible for information security [Cyber Security] could tell them how much was spent on security…30 percent did not know what percentage of the IT budget is spent. In addition, only 35 percent were involved in some form of measure process that reported security performance.1” What the KPMG survey tells me is not only do organizations not know what is involved in security, those outside the security functions do not know if their cost for security is adequate, not enough, too much, or how effective their process truly is. Too many of my peers would choose not to provide performance measurement reports to their boss for fear of negative feedback from senior management. I have always viewed the measurement data as necessary for identifying the health of senior management’s security process and justifying additional budget expenditures when necessary.


Is there a need for a Security Performance Measurement Process?

Senior management in government and corporate organizations are requiring more justification to show a ROI in security. High-performance organizations are always interested in developing and deploying performance measurement processes. As I previously stated, without a security performance measurement process, the health of your security process hinges on management decisions based on guesswork. Cyber Security performance measurements succeed when they are aligned with the organization’s strategy, mission, vision, values, and other corporate performance measurements. An integrated security performance measurement process should provide each employee with the knowledge of their contribution to the success of the corporate cyber security process and measurable expectations. The security measurement process requires strong upper-level management support, practical security policies and procedures, quantifiable performance metrics, and results-oriented metrics analysis. Ultimately, through a measurement process, senior management will be in an ideal position to determine where to invest in additional protection or where to discontinue non-productive controls.

What should be included in Security Performance Measures?

To fully appreciate the performance and financial cost of an effective security process, activities need to develop adequate measurements for each of the security processes used within the organization. Keep in mind that the absence of threats does not equate to the “presence of security,” and focus on defining what the security process would look like—then develop a system to measure performance. To effectively measure the ROI for security, organizations should consider including performance metrics for each of the following security processes, and then develop one overall metric for security – senior management needs a snapshot on the health of their security program, not an in-depth surgical strike view.

1. Information Security, also known as data protection, covers user need-to-know authorization; how data is safeguarded, marked, handled and manipulated; control mechanisms; transmission protection requirements (mail and electronic); and policy development, to name a few of the sub-topic Information Security requirements. Applying security will necessitate a determination of the protection requirements for critical data and the cost of providing adequate security. Identifying the correct performance measurement parts of Information Security to measure is essential as one element in measuring your security process and determining a sound ROI.

2. Physical Security – Most technicians would equate physical security to a guard force, not realizing the multitude of layered physical security mechanisms that may or may not be necessary to provide adequate protection for data, personnel, and the systems that process critical data. Placing all resources and emphasis on network and system security provides little protection if the backdoor to the business is left open by weak physical security measures. Knowing what physical security mechanisms provide the necessary security and ROI is as critical as determining data protection requirements.

3. Personnel Security – Often overlooked is the cost of determining levels of trust amongst activity personnel. Personnel hold the keys to the doors that control access to data, data reliability, and adherence to the activity security policy. How many organizations have individuals performing critical data support services that have financial problems, are depressed, have substance abuse issues, fail to adhere to corporate security policy, or share corporate information with adversaries or competitors? How effective is your employee pre-screening or investigative process? How effective is your continued employee evaluation process when it comes to security compliance? Are you spending too little or too much for the personnel security process? There are several elements critical to the personnel security process that should have a performance measure process implemented. Knowing which elements are critical and then applying an appropriate measurement tool requires extensive knowledge of each security process that involves personnel.

4. Cyber Security, often referred to as Information System Security, IT Security, or Information Assurance, is a process that ensures protective measures to safeguard networks, applications, and systems are extensive, equal to the multitude of threats and vulnerabilities that exist. Metrics could be developed to measure each aspect of Cyber Security such as risk assessment, penetration testing, system security patching, firewall maintenance, and policy development. Government activities would want to measure their effort in performing system certification and accreditation, training system users, administrators, developers, and cyber security personnel. Cyber security training costs could be rolled up under the personnel security, or the organization could decide to measure the security training costs separately within each security process, depending on the organization’s complexity.

Try to remember that the primary security processes briefly discussed are inter-connected. Properly implemented, the four programs provide an all-around protective and measurable environment for each organization. To be useful, metrics need to provide relevant performance trends and point to improvement actions that might be applied to problem areas.

Benefits of a Security Performance Measurement Process?

As most of us are aware, financial constraints and market conditions compel organizations to operate on reduced budgets. The degree to which each process is applied in an organization determines the overall success or failure of each organization’s overall security process. Do you know the health of your security programs? Consider the following statements before you answer:


1. You have enough security to protect your organization, the information used, and the systems that process the information.

2. You do not have enough security to protect your organization, the information used, and the systems that process the information.

3. You’re not sure if you have enough security to protect your organization, the information used, and the systems that process the information.

4. You’re not sure what security items need a performance measurement process applied.

If your assessment of your security process falls within any one of the four statements above, then you need to implement a security performance measurement process – unless you are not concerned with spending money or protecting critical data. There are several government regulatory, financial and organizational reasons to measure security performance. Ultimately, successful organizations ensure each internal critical process has metrics linked to the corporate strategy and demonstrate the value of services and initiatives. Successful organizations consider security as a critical process.

How Is Security Performance Measurement Used?

First, some clarity is necessary. One security performance measurement strategy is not suited for each activity. Each of the four security processes is implemented to varying degrees within each organization. Security implemented within industry differs from how security is implemented within the government. Some of what security performance measurements could be used for includes:

• Establishing precise security goals and objectives

• Identifying and correcting security issues

• Identifying processes, management practices, and improvement opportunities

• Documenting accomplishments and illustrating a ROI

Good security performance measurements do not need to be unique, but they should fit the organization’s strategy, value, and culture, and should be shaped by senior management. Solid security metrics provide for measurable results to demonstrate progress toward meeting activity goals and objectives - insight into security’s ROI. Additionally, emphasis on measuring and improving security performance will create a new climate of understanding security and how security is integrated within each organizational process, plus the benefit of security fitting within the other corporate processes. Security performance measurement will yield substantial corporate benefits when applied in a structured approach focusing on the strategic plan, goals, and performance. The measurement process provides the mechanism for reporting on performance to senior management, helping to support the cost-effectiveness of the security process. The 30-plus years of experience in measuring security processes is incorporated within the Evolvent Security Practice and the products we deliver to our customers.

Conclusion

The success of any security program should be judged by the degree to which meaningful results are produced. An in-depth, comprehensive, performance measurement analysis program will provide substantial information for decisions that directly affect the security posture of the organization and the continued success of the organization’s business or mission. Knowing what to precisely measure requires experience and an understanding of requirements in each security process. Having knowledge or experience in only one or two security disciplines will provide a limited snapshot on the health of your security process. An understanding of all security disciplines and the organization’s business process is essential for a complete picture of security health.

1 2002 Global Information Security Survey, KPMG, http://www.kpmg.com/microsite/informationsecurity/isssurvey.html


NOTE: Mr. Sherburne has an extensive background applying performance measurement processes all the way back to the very early 70’s. His initial involvement with measurement analysis work was to develop statistical data that depicted crime rates, types, and locations that were fed to law enforcement patrol personnel. Later on in his Air Force career, he gained extensive process improvement and metrics skills under the Total Quality Management process to include formal training in TQM Assessment, skills applied while he was a member on the Air Intelligence Agency and as the Team Leader for Security on the NSA Inspector General Team. During the past six years, since his retirement from the Air Force and entry into the corporate world, Mr. Sherburne has honed his performance measurement skills using the Six Sigma process. Recently, he has begun to structure the security processes within the Evolvent Security Practice using the Carnegie Mellon “Capability Maturity Model Integration (CMMI) for Operational Organizations.” His recent performance measurement success resulted in the Evolvent Security Practice assuming the Army Medical Command’s Information Assurance Operational enforcement tasking for all of the Army’s medical activities. ■


SI International is proud to serve the Federal government. We define, design, build, deploy, and operate mission-critical information technology and network solutions (IT). We deliver a full spectrum of state-of-the-practice systems and services with a strategic focus on the Federal government’s most urgent initiatives.

www.si-intl.com


Next Steps in Content Management - Concept Searching

Colonel Stephen M. Wolfe, USAF, MSC, DBA
Director, Operations Directorate & Chief Knowledge Officer

For over 50 years, the Air Force Institute for Operational Health (AFIOH) has promoted global health, protected military members and communities, and enhanced preparedness and effectiveness through the development and implementation of creative solutions to operational health problems. Environmental and health surveillance, risk analysis, process re-engineering, consultation, and technological innovations have generated over 7,000 Scientific and Technical Information (STINFO) reports focused on the AFIOH mission of supporting both operational commanders and the Air Force Medical Service (AFMS).

In addition to the explicit STINFO information, over 658,000 documents exist within the AFIOH enterprise. These documents reflect the Institute’s norms, values, expertise and process outcomes and are, in a sense, less tangible than the risk communication contained within the STINFO, because they do not share the same breadth and context. The sheer size and limited accessibility of this enormous repository of information detracts from its intrinsic value. The content resident in these documents provides a wealth of information and potential knowledge dating to 1949, but it lacks structure and accessibility is limited. AFIOH now finds itself at a crossroad where the difference between future success and less-than-success will be determined by the Institute’s ability to “locate, leverage, and blend available explicit knowledge with internally generated tacit knowledge.”1 Customer operational needs, internal perceptions and motivations, strategies, relevant knowledge and awareness of human and financial capital resources combine to serve as the foundation whence raw facts are interpreted and transformed into something that is actionable. Connecting leaders with relevant and timely operational health knowledge in an efficient manner provides competitive advantage over his/her adversary. That said, one can conclude that AFIOH’s ability to communicate risk is enhanced with advancement of its ability to collect, index, and classify information into an objective structure aligned to validated missions within the AFMS.

Current Air Force content management platforms provide end users with the basic ability to create folder structures wherein unstructured information (a.k.a. documents) may be placed. Once the author of a product places it into one or more folders, the document becomes accessible to other users via key word search engines. For many years, this capability was sufficient to manage an organization’s generated content.

However, as organizational shared drives began to reach their capacity, leaders at the Air Force Medical Support Agency (AFMSA) Knowledge Exchange (Kx) Program Management Office and AFIOH realized that an extraordinary amount of unstructured risk assessment and surveillance information exists that may be relevant to the peacetime and wartime missions of the AFMS.

Knowing that AFIOH alone has over 665,000 documents, how do we as a medical service know which ones are relevant to unique missions and their associated product lines in order to ensure we are communicating the most relevant information to the decision maker? Answer – we don’t know! In October 2004 AFIOH and the AFMSA Kx Program Manager initiated efforts to develop a functional Concept Model to demonstrate the automated collection, indexing, and classification of unstructured information against functional, expeditionary, and organizational taxonomies. Revealing the capability of an automated collection, indexing, and classification methodology meant having a benchmark to compare results against. To test the Concept Model, AFIOH compared a conventional process whereby after action reports from Operations ENDURING FREEDOM and IRAQI FREEDOM were collected, indexed, and classified with the automated Concept Model. The purpose of after action reporting is to identify issues that arose during operations, good or bad, and task mitigation to an appropriate authority for action. The purpose was to ensure ‘lessons learned’ were quickly translated into an action that corrected a deficiency – operational performance was the motivation, timeliness and accuracy being key success factors.

The conventional (manual) process began with nine officers, each from different medical career fields, reading groups of reports with the objective of placing each into one of several common information categories. This process took four months and involved countless reviews and meetings to resolve differences in perception; each report had a different format, and many were either inappropriately tasked to a wrong location or incompletely tasked due to lack of subject matter expertise of a particular reviewer.

The Concept Model was designed to facilitate the automated process. AFIOH created an expeditionary taxonomy consisting of classes of terms and class clues that were extracted from the Air Force Medical Logistics Office allowance standard database for AFMS wartime missions. Using this “objective” taxonomy from a validated source resulted in AFIOH collecting, indexing, and classifying 208 after action reports in just 28 seconds (We did it twice to be sure)! Instead of creating a folder/file structure and dragging and dropping copies of the same document to many folders based on an individual’s limited perspective, the use of classes and class clues from taxonomies allowed AFIOH to rapidly classify each after action report into its appropriate areas for action. Many times one report would touch on 3 to 4 subject areas. Each report was linked to multiple folders, ensuring that the information was reaching its appropriate destination for action.

Taxonomies align with an organization’s mission and contain classes and class clues, allowing sophisticated search engines to use extracted key words and phrases to identify main concepts. If a user knows the concept but not the correct terminology, he/she can conduct a search to retrieve documents that closely relate to the clues provided by the end user. As an example, suppose we use the Medical Subject Heading Taxonomy (MeSH) developed by the National Library of Medicine and conduct a search on “colon cancer.” In addition to the directly related documents that were found, the AFIOH Concept Model capability used the MeSH taxonomy to find related topics to include polyps, cancer learning, virtual colonoscopy, colonoscopy, and colorectal.

Transforming relevant information into actionable knowledge has three intuitively significant benefits. For leadership, they are able to rapidly organize their organization’s explicit and implicit content to facilitate more effective communication and decision-making. For staff, cross-functional operating units are able to push relevant information to interested persons, reduce process timeline, utilize untapped resources, and enhance outcome quality. For the organization, it avails contemporary and relevant information that assists and expedites task performance and decision making, advancing individual and group performance via enhanced situational and issue-specific knowledge. ■

1 “Relentless Growth”, Christopher Meyer, 1998

“How do I zero in on what is really relevant?”

Dozens of vendors claim to offer the optimal combination of Precision and Recall. However, only one, conceptSearching, delivers both High Precision and High Recall with no trade-off, due to its unique ability to correctly weight compound terms (i.e., multi-word phrases).

Since most concepts are expressed in short phrases, rather than in single words, used in isolation, our unique technology is positioned to underpin groundbreaking “intelligent” applications.

conceptSearching is delivered as a “middleware concept service” on a native web services platform, and is designed for ease of integration and interoperability. The technology works as well as a portal service as it does down on handheld devices.

The architecture delivers significant productivity improvements over current enterprise search technologies. Benchmarked by some of the leading integrators against the traditional enterprise search vendors, conceptSearching was found to deliver vastly improved precision and recall.

Clients such as AT&T, Homeland Security, Airforce Medical, Pfizer, and USDA have all bought into the conceptSearching concept—shouldn’t you too?

conceptSearching delivers the following:

• The highest Precision combined with Recall of any enterprise search engine

• The only technology that can relevance rank multi-words or phrases

• Native web services platform embracing high level API’s and XML

• “Intelligent concept Services” as simple plug and play middleware applications.

• Compelling ROI and productivity increases, well beyond competitive offerings

• Best in class Search, Classification and agent technologies

• Integrates with Google, delivering best in class search with the world’s largest index

Concept Searching LLC, 7918 Jones Branch Drive, Suite 600, McLean, VA, 22102

Telephone 703 669 2606


Through an appropriation in the defense-spending bill for 2002, the University of Pittsburgh Medical Center and the Department of Defense have created a strategic partnership called the IMITS Program. Focused on utilizing advanced technologies to provide quality healthcare services regardless of location, IMITS enables clinicians to have access to and view various types of medical information from pathology slides to CT scans, as well as to consult with specialists at distant locations. The system allows for swift diagnoses of various conditions where specialty medical care may not be readily available, such as at a rural physician’s office or a remote military installation. University of Pittsburgh Medical Center and the Department of Defense have formed this partnership in large part due to a decline in both private and military sectors of specialists who are essential for the accurate diagnosis and treatment of medical conditions.

Continued congressional funding in 2004 and 2005 supports the development of new advanced clinical technologies and the expansion of the IMITS program into the Pacific Region. The IMITS platform will be extended into multi-health specialty areas while focusing on emerging advance care technologies. This initiative allows the creation of “Centers of Excellence” within the Department of Defense that can export medical care knowledge to areas around the globe. Through the expanded IMITS program UPMC and the Department of Defense will continue to share information technology resources and expertise that will contribute to the development of improved systems of care.

Forbes Tower • 200 Lothrop Street • Pittsburgh, PA 15213-2582

p: 412-432-5197 • f: 412-432-7568

Integrated Medical Information Technology System

A Partnership between University of Pittsburgh Medical Center and the Department of Defense

IMITS Network

IMITS PROGRAMS

• TELEPATHOLOGY: Travis AFB, Eglin AFB, Keesler AFB

• TELEAUDIOLOGY: Lackland AFB

• TELEOPHTHALMOLOGY: Lackland AFB

• TELERADIOLOGY: Eglin AFB, MacDill AFB, Lackland AFB, Wright Patterson AFB

• PLATELET GEL: Lackland AFB

• TELEMENTAL HEALTH: Lackland AFB

• MEDICAL SIMULATION: Lackland AFB, University of Hawaii

• ECMO: Lackland AFB, University of Hawaii


Multi-Dimensional Report Cards: The Rest of the Story

By Dutch Holland & Henry Lieberum, Holland & Davis LLC

When vendors begin to do work for large and very sophisticated clients, they frequently encounter what seem to be “complex report cards” with a variety of performance dimensions. While some grading items stand out clearly on report cards, other items do not seem to stand out at all, even though they are very real.

Is a report card the same as a contract? No. A report card is usually broader than a contract, including items or dimensions that are frequently not written into the contract for a specific project. The report card does grade whether or not the contract has been or is being met by the vendor, but it may go much further.

Dimensions of Performance

We recently worked with a vendor and such a large customer to clarify the basis for grading the vendor’s performance in the relationship. After some detailed work, the following report card was judged by the customer as “just what we are looking for.” The report card was divided into three different dimensions of performance:

P1: Project Performance, including:
a. Safety— results, processes, and practices
b. Build to specifications— the physical asset completed to specifications
c. Cost— total costs incurred to meet all aspects of required performance
d. Schedule— timeliness of completion and milestones on all aspects of performance

P2: Conformance of Working Methods, including:
a. Work methods conforming to customer methods
b. Requirements for documentation of all aspects of work
c. Customer information systems requirements met
d. Ability of customer to “see into the work as it was being accomplished” (i.e., “transparent turnkey”)

P3: Analysis and Reporting, including:
a. Leadership in “issue and solution” reporting
b. Ability of vendor to explain “current status and reasons for being there”
c. Problem solving methods in line with customer expectations
d. Management reporting aligned with customer requirements

Total Performance

The total performance of the vendor was judged based on the following “crude formula”:

Total Performance = P1 x P2 x P3

The formula (with “multiplication signs”) was designed to make several key points:

1. Total “performance” in the mind of the customer would be the resultant of all three dimensions of performance

2. An unsatisfactory rating on any one factor would result in an unsatisfactory total score.

3. An extremely high score on any one dimension would not offset a low score on another dimension.

This relatively sophisticated report card seems a far cry from the conventional criteria of “performance, cost, and schedule,” and in many ways it is. Gone are the days when we can righteously say, “Well, you got your deliverable on target, on time, and on budget. Maybe we didn’t get there just the way we planned, but we got there, and you, Mr. Customer, ought to be satisfied with that.”

Root Causes of Multi-Dimensional Scorecards

A number of “overlapping” forces are at work in business today that have been the root causes of “report card sophistication.” Most of these factors should be no surprise to us.


• Fiduciary responsibility— Customers are clearly accountable for how the organization spends the shareholder’s or the public’s money. And in addition, customers are accountable for knowing where that investment is at any one point in time as well as having “sufficient financial controls in place” to be able to properly manage the investment.

• Risk Management— Customers are building assets (buying deliverables) to be used in their core businesses. Managing the risks associated with the creation of any new asset is a business requirement that any engineering department will be accountable for. The customer will require “early warning of any impending issue that will impact the asset coming on line” as well as complete information about the game plan to resolve the issue.

• Best Practices— The large sophisticated customer is likely to have many projects underway at any one time including projects in many parts of the world and projects for multiple organizations/divisions/regions. From the customer enterprise point of view, these ongoing projects will need to be compared, analyzed, indexed, and evaluated (i.e., “racked and stacked”) to find best practices as well as lessons learned (and mistakes not to make again). Therefore, vendors will be required to conform to reporting and analysis standards to permit this kind of customer company-wide thinking.

• Management metrics— “You can’t manage what you can’t measure” is an old saying that has been taken to heart by the large sophisticated client. Years of refining metrics, developing indices, and designing balanced scorecards have led to carefully decided and implemented measures that customers pay attention to. Vendors will need to be able to perform against such metrics if they are to be seen as “in the hunt” for future work.

Required Actions

While each vendor and customer should work out the details of the report cards for each job, the following general actions should be considered:

1. Get into the Details— The vendor and customer start the project and the relationship by clarifying the details of both.

2. Agree to the Report Card— The vendor should pro-actively propose the report card and get customer discussion, buy-in, and buy-off as early in the job as possible.

3. Frequently Evaluate Performance— Timely face-to-face evaluations of the grades on the report cards should be made, with the vendor taking the responsibility to initiate the evaluation.

4. Respond to the Punch List— Each evaluation should lead to a “punch list” of business actions required by both the vendor and the customer in order to keep the business relationship and the project on course. Key words for the punch list are “execute, execute, execute!”

5. Communicate— The three most important success factors underlying the use of a report card are communicate, communicate, and communicate. In fact, communication around the project and the report card should be looked at as “work processes”: processes that can be mapped, improved, and managed to get needed results.

Bottom line, if vendors are to thrive in the world of the sophisticated big client, they must pick up the gauntlet and do business the “new way.” Kicking against the use of multi-dimensional grading is pointless. Labeling the “method conformance” (P2) and “analyses/reporting” (P3) requirements as “fluff” and “a waste of time” is self-defeating. They are tactics that can only thin the ranks of competitors to those few who can fully meet all customer needs and requirements. ■


AGILE DEVELOPMENT

Geoff Howard, Chief Technology Officer, Evolvent


If you were asked to describe a typical software development process, chances are you would outline four basic stages: Requirements, Design, Development, and Testing. This cycle is so ingrained in the consciousness of developers, managers, and customers that in some circles it is seen as an inviolable self-evident truth. It is ingrained in expectations, Statements of Work, and job descriptions. How can you meaningfully design without accurate requirements? How can you produce quality code without a solid design? How can you test without working code?

Modern development techniques have been challenging the seemingly obvious answers to the questions and the assumptions behind the Waterfall process, as the typical process is commonly known. Far from mere intellectual exercises, these new ideas are bearing fruit in real-world projects - both large and small.

The Trouble with Waterfall

What are the problems addressed by these new ideas? Perhaps you have been a part of a project where during the final stages, a key stakeholder points out that the software doesn’t do “X” – some important feature. The development team points out that “X” was not in the requirements and will require significant re-work now. Perhaps the problem lay in the development team’s understanding of the requirements. Perhaps the need for this requirement only became clear with the perspective of the finished product. Perhaps the requirements gathering process was not detailed enough. Perhaps this requirement was so obvious to the stakeholder in the midst of the other requirements that it was not imagined as a thing that needed to be specified.

In these situations, who is to blame? Typically, each will blame the other. Developers and their managers should have thought more about what they were doing or asked more questions. Project stakeholders should be more specific with requirements and not add new requirements after design.

A core issue that the newer adaptive methodologies aim to address is that it may be unreasonable to expect either of these parties to have performed differently. It has proven to be an empirical fact that gathering accurate requirements is a non-trivial process that requires at least a skilled business analyst with a strong technical background. In practice however, even the most skilled analyst will not gather useful requirements when the key stakeholders do not or cannot provide all the information necessary. While it would be easy to dismiss this as a personnel problem instead of a process problem, the reality is not that simple. Internal stakeholder disagreements, changing business politics, unforeseen circumstances, and many other factors are frequent drivers of inaccuracy in initial requirements gathering and cannot realistically be expected to change. Finally, even accurately gathered requirements that do not change are not always successfully communicated to or understood by the hands-on technical implementers. Translating prose requirements to system and software specifics is certainly attainable but does take a high level of skill, and it offers plenty of opportunity for error.

The Agile Approach

So how do the new adaptive methodologies address these issues? Without taking this brief introduction out of scope, we can easily summarize the new alternative to heavy up-front requirements and design stages. Agile development teams embrace change. They anticipate and accept incomplete and changing requirements.

How do teams accomplish this without inviting chaos, slipped deadlines, and failed projects? The difference goes deeper than a mere attitude adjustment for technical teams (though anyone on the other side of the development stick would instantly appreciate this change alone).

One key strategy employed can be described as “continuous delivery.” There is a lot to accomplishing this, but the idea is simple. Rather than one big “delivery” at the end of a major project phase, developers deliver working software continuously throughout development. In short timeframes ranging from a few weeks to a few months, the project is brought to a “deployable” state. Each cycle is progressively closer to what is needed in the finished project, with critical features delivered as early as possible. Whether each of these are put into production or simply moved to a staging area does not matter, and these decisions can be made based on other concerns.

What are the benefits of this strategy? Stakeholders get useful software more quickly and can verify that requirements are being properly addressed by the code delivered. Missed requirements and unforeseen needs can be identified earlier. Developers get the benefit of frequent feedback about their success in interpreting and meeting the actual expectations and needs of the stakeholders.

Of course, no methodology is a magic bullet, and care must be taken to make such projects successful.

Technical teams and stakeholders alike certainly need to be prepared for this methodology. It must be expected that the time saved in reduced (not eliminated) up-front requirements gathering must be invested in the careful, ongoing discussion that must characterize each delivery target. Project planning is significantly different following this paradigm, and all participants must be prepared for this. Discipline to guard against unnecessary scope creep is even more crucial as the working delivery targets tend to give stakeholders excellent ideas for new features and directions. These should not be rejected out of hand; however, they should not be blindly accepted either.

It is critical that the development team possess the skills necessary for success at continuous delivery. Teams must produce code that is flexible, yet no more complicated than necessary. This takes experience, leadership, and discipline.

Developers and stakeholders alike must work as a team toward mutual success and give up the use of requirements as offensive or defensive weapons against each other.

Conclusion

There is far more to say about the implications and tools of agile development methodologies, and these will be touched on in future articles. I hope it is clear though that for many development projects, an adaptive approach may be the best choice. ■


Wireless Security: Repeating Past Security Mistakes

by Guy Sherburne, VP Security Practice, Evolvent

How many of you recall when electric typewriters were the most advanced piece of equipment you would find in a military or commercial office for day-to-day support of business activities? Well, for those who do not recall, the electric typewriter provided critical support for business and military activities well into the early 80’s - just over 20 years ago. There were major data processing centers; however, for the most part, typewriters were the mainstay of business operations. What is not well known are the security vulnerabilities associated with electric typewriters, such as the early signs of “key stroke monitoring.” Electronic emanations, particularly in electronic typewriters with “memory,” created numerous headaches for military activities processing classified information. Information could even be obtained from the typewriter ribbons and a few other items. The security issues with electric typewriters were not readily known until after their full deployment - especially in critical and highly sensitive information processing areas. Data processing centers were not without their own TEMPEST issues, a subject too long to discuss and not the subject of this article. As with the late identification of electric typewriter security issues, wireless security problems were not clearly identified until well into their full deployment.

To say that the advancements in technology have been astounding in the past twenty years would be an understatement. Shortly after the introduction of “standalone” computers to the work environment in the mid-80’s, we began to experience a few viruses that were contained on “freeware software.” Some of the early viruses created more of a headache, with some amusement, rather than causing system or file damage. There were a few exceptions where a virus could change disk parameters making data accessibility nearly impossible. The theft of electronic data was primarily accomplished through shoulder surfing, theft of magnetic storage media, or looking through the trash for discarded ink jet printouts. Keystroke monitoring was advanced further along from the electric typewriter era. Like the typewriter ribbons, the printer ribbons from early printer systems created the same problems as their early predecessors. Within the Department of Defense, the early stages of “computer security” were starting to be established – the initial deployment of “the Rainbow” series of IT security policy and guidance. However, like the security issues found with electric typewriters, the security issues with standalone computers were not discovered and addressed until well into their full deployment in the work environment. With today’s wireless technology, PDA data storage is at risk if proper protection is not applied, and if encryption is not used for transmission then sensitive information could be compromised. Recently, several government guidelines were published providing security configuration guidelines for wireless devices. The potential for malicious code threats to wireless technology appears to be limited at this time. However, it will only be a matter of time before we start to see PDAs attacked by a virus or worm and the code for writing such programs available.

Sometime in the late 80’s and early 90’s, local area networks (LAN) began to infiltrate government and business work environments. With this deployment came previously unknown threats and new vulnerabilities. Prior to LAN environments, those in the security professions had the ability to clearly identify how information was stolen, damaged, or lost. We could also apply physical security measures or capabilities that ensured sensitive information protection. We also had time to address security issues as the primary threats to early technology. These threats required close proximity to the electronic device to create problems. With the advent of LANs, the capabilities to clearly identify all parts of an investigative process became a significant challenge. The capability to compromise the integrity of the LAN environment no longer required the threat to be located within a close proximity of their target. They could be thousands of miles away when they initiated LAN or system attacks.

The challenge was obvious, and the solution required security professionals to head back to school to learn about networks, protocols, switches, system forensics, virus protection, firewall configuration, and so forth. Just when it had appeared that security was finally making ground on the advancements in technology, along came the drove of malicious code writers who took flight immediately following the Y2K hype. Who could forget the Melissa and Love Letter viruses or the rapid worldwide explosion of the SQL Worm malicious code? Creative hacker incidents achieved headlines in the business and government sectors throughout the world. As technology advances, so do the threats and vulnerabilities that emerge, creating greater security challenges. Unlike the electric typewriter and standalone computers, the new threats were invisible to the normal user of computers, servers, and networks. For our government and commercial clients, members of the Evolvent Cyber Security team, experienced in security back to the electronic typewriters, had instituted a proactive security partnership with their clients. This resulted in not a single one of our customers experiencing an incident, loss of finances, or loss of customer confidence.

The explosion of the wireless revolution has eclipsed the speed of growth previously experienced with standalone computers and then the LAN environments. Although cellular telephones had been around for a few years, early wireless PDAs mirrored the capabilities of early standalone computers nearly from their first deployment. Having gone through the late identification of security issues associated with electric typewriters and standalone computers and through the explosion of LANs to WANs to MAN network architectures, and just how fast wireless PDAs were taking hold, our Evolvent Cyber Security team commenced on a journey to assure we would not be playing catch up once again. The primary problem discovered early with wireless technology was the apparent lack of product standardization, which created tremendous challenges and also presented unique threats and vulnerabilities. How do you explain an RF threat to a client that is only interested in functionality of the newest technology gizmo? Using a proactive teaming security approach, our Evolvent team instituted a wireless security process that is solid and has a fluid baseline for deploying a client’s wireless architecture. The Evolvent Cyber Security team has gained critical hands-on exposure to wireless architectures, been allowed to conduct various security tests previously not thought of, and developed a solid process for securing a wireless environment over the past six years. Keeping the security lessons of the early electronic typewriter firmly in our thoughts, the Evolvent Cyber Security team continues to promote a proactive security process that is applicable for all technologies.

For the past six years, members of the Evolvent Cyber Security team have implemented a security process to a government IT application, system, and network development customer. In those six years, our customer has neither been exposed to a virus, malicious code, or hacker, nor impacted by a denial of service event. For the first five years, we accomplished this effort with the tremendous support of the customer’s technicians who participated as team members for security - without a firewall or intrusion protection system. The implemented security process has carried forward to our client’s wireless network deployment effort, a security process that assures a standardized approach to the architecture, integrating security from the beginning.

Wireless technology is just getting started if you take into account all the possibilities that could develop! Considering the possible advancements in wireless technology, a proactive security approach is paramount to ensure a secure architecture. The cost of applying security after an incident has always increased the investment in technology. Applying security during the initial stages of technology deployment has reduced the cost of recovery after an incident. Wireless technology is firmly on the road to eventually replace hardwire networks. Is your wireless network more or less secure than your old wire network? Are you using a proactive approach to wireless security? Is your wireless security process measurable to assure a positive return-on-investment? ■


AFCEA NOVA

ARMED FORCES COMMUNICATIONS & ELECTRONICS ASSOCIATION

AFCEA NOVA is the largest Chapter in the AFCEA International family, with approximately 5,500 members, and countless other associates and friends in industry, government, & academia. We are blessed with the Hometown Advantage of having the Pentagon in our back yard, and the Nation's Capital right next door -- which means that AFCEA NOVA luncheons, conferences, and special events always feature top speakers and cutting edge topics, not to mention the best networking in town. For more information, visit www.afceanova.org.

AFCEA International is a worldwide association founded as the Armed Forces Communications and Electronics Association; but it encompasses more than just the military. AFCEA International represents the top government, industry, and military professionals in the fields of communications, electronics, intelligence, information systems, imaging, and multi-media. AFCEA's purpose is to support global security by providing an ethical environment that encourages a close cooperative relationship among civil government agencies, the military, and private industry.

Your link to the local, regional, and national defense community

For more AFCEA NOVA information, visit: http://www.afceanova.org


Fielding the Best Team for SPAWAR Systems Center Charleston!

Evolvent, a small business leader in Information Assurance, has built a team of industry leading small, medium, and large businesses with capabilities across the spectrum of the SSC Charleston requirement.