PraxIS Mar. 2009

09-03 Contents: Risk survey, SQC Conference report, ISACA Spreadsheet Auditing workshop

ISSN 1649-2374 This issue online at http://www.sysmod.com/praxis/prax0903.htm

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success  

IN THIS ISSUE

1) IT Risk
      Survey on risk and rationality

2) Quality
      SQC Conference Report

3) Spreadsheets
     Ray Butler and Patrick O'Beirne at EuroCACS Frankfurt 15 March 2009

4) Off Topic
     Graphing website structure

8 Web links in this newsletter
 
About this newsletter and Archives
Disclaimer
Subscribe and Unsubscribe information

_______________________________________________________

Welcome to PraxIS

This month I report on the SQC conference in Dublin on March 4th.

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk

Matthew Leitch's survey may be over by the time you read this, but if you are interested in the relationship of rationality to risk then take a look at:

http://www.internalcontrolsdesign.co.uk/factualquiz/andex.html
What circumstances are relevant to decision making under uncertainty?

And after that follow the links to his articles on:
 
The real reasons we avoid risk: A fresh and practical perspective on fundamental theoretical questions

 Making sense of risk appetite, tolerance, and acceptance (revised)

____________________________________________________________
____________________________________________________________   

2) Quality

Software & Systems Quality Conference  Dublin, 4 March 2009

http://www.sqs-conferences.com/ire/program/programme.htm  

Keynote: Testing or Quality – what are we really talking about?

Bob Bartlett, SQC Ireland 2009 and Pierre Audoin Consultants

This is the result of a survey on the Irish Computer Society website. He presented results that compare Ireland vs. Europe (including UK).

Most questions had about 6-10% Don't Know responses, which is reasonable.

"To what extent is your testing team responsible for software quality?"
to a very great extent: 13%, great extent: 45%, some extent 24%
That's 82%.
I expect most professionals would recognise the question as
"responsible for software quality ASSURANCE"
- only those who produce the software can be responsible for its quality as they are the ones who put quality in, or put defects in.

I wondered about the answers given to
"Is compliance testing and verification important to your organisation?"
82% yes, 12% no
Then they asked
"is the growing need for Regulatory Compliance impacting Testing?"
Yes: 75% in Ireland vs 15% in Europe
Not Applicable: 15% Ireland, 80% Europe.
So you have to ask: were the only participants in Ireland from the regulated industries?
No analysis of industry was available.

"In 2009 which is more important to you: cost reduction or increasing software quality?"
Increasing SQ 61%, reducing cost 39%
So, who is speaking here? IMO, it's testers, who keep their job if their company focuses on SQ, and may lose it if the company cuts jobs.

A good question is:
"Within the last two years - a lack of testing has cost the company 'real' money?"
Europe and Ireland were similar with about 20% Yes, 50% No, 30% Don't Know

Some questions were not clear to me: When asked "Do you plan quality standards or accept what you get?"
67% plan, 25% accept.
'accept what you get' reads to me like "software is always accepted regardless of test results" which makes me wonder why test at all - there must be something else intended there.

1-25% of spend: 57% of respondents said they allocate 1-25% of their IT spend to quality and testing and a further 28% said 26-50%.
But when asked "What percentage of project costs are typically allocated to testing?"
Don't know scored Ireland: 80%, Europe 65%, with the rest at around 10-30% of project costs.
I infer that the vast majority are guessing.

Finally, the questions on training were revealing:
"Do you provide training in testing for your staff?"
In Ireland, 90% said Yes, against 58% in Europe
22% in Europe said 'Don't know' so that may indicate that more than 20% were not in fact involved in testing.
But here's the testing (!) question:
"How many days of training do you give your staff?"
Don't Know: Ireland 90%, Europe 75%
with the rest divided between 1-5 days and 6-10 days.
So when put to it, those who said "Oh yes we provide training" could not back it up with figures.
It's easy to come to the conclusion that responders in Ireland like to give the proper answer rather than the correct one!

I chaired some sessions and here are my notes from some of the presentations:

Agile testing in a real world environment

David Espley of Progressive Media Group.
Progressive currently use Crystal as the basis for its agile processes
http://alistair.cockburn.us/index.php/Crystal_methodologies_main_foyer

He said they have "Hard and fast rules for quality, Soft rules for delivery"
They insist upon TDD, Fitnesse, Stand ups, Continual integration, Task breakdown, Velocity measurements, Delivering to meet acceptance criteria, Being goal driven, and Designing the system.
Among the lessons learnt so far, he listed "Make sure that you have at least 2 people who understand every technology", and "Keep your sprint plans up to date every day"

Data Protection Issues in a Development & Test Environment

Hugh Jones, a consultant tutor delivering the Irish Computer Society’s (http://www.ics.ie) Data Protection certification programmes.
It was a straightforward overview of DP: key terms were defined, the Data Protection rules, Individual Rights, Registration, Overseas Transfers
The Public Register is on www.dataprotection.ie

He quoted a Ponemon Institute survey of 800 IT professionals that found that 69% use ‘live’ data in testing, and over 50% of those using outsourced testing send ‘live’ data to the outsourcer. The average cost of a breach per record is almost $200 - bear in mind that one breach can release millions of records. Lost business accounts for 65% of data loss costs. He reminded the audience that legislation makes no distinction between Production and Test.
For balance, he covered the risks with ‘generated’ test data. Test data should be ‘real enough’, ‘real looking’; if unrealistic, the data will give a skewed result. A common challenge is the retention of data integrity – table relationships, etc.

His ‘Best Practice’ tips for testing included making data protection a test criterion, assessing data sensitivity before using for test, de-identification, anonymisation, randomisation, and keeping the key for codified data separate. He advocated having a non-disclosure agreement within the processor contract.
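An added example (not from the talk or this newsletter) of the de-identification tips above: customer identifiers are codified with a keyed HMAC-SHA-256 so the customer/order relationship survives, direct identifiers are replaced, and amounts are randomised. The table layout, field names and the choice of HMAC are assumptions made for illustration; the key is passed in by the caller so it can be held apart from the test data.

```python
import hashlib
import hmac
import random

# Constructed sample "live" rows (not real data).
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Aoife Byrne", "email": "aoife@example.com", "birth_year": 1974},
    {"customer_id": "C1002", "name": "Sean Kelly", "email": "sean@example.com", "birth_year": 1988},
]
ORDERS = [
    {"order_id": 1, "customer_id": "C1001", "amount": 120.00},
    {"order_id": 2, "customer_id": "C1002", "amount": 45.50},
    {"order_id": 3, "customer_id": "C1001", "amount": 310.25},
]

def token(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic code: the same input and key give the same token."""
    msg = f"{field}\x00{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def deidentify(customers, orders, key: bytes, seed: int = 0):
    """Return test copies of both tables with identifying fields replaced."""
    rng = random.Random(seed)  # seeded so test runs are repeatable
    test_customers = []
    for c in customers:
        cid = token(key, "customer_id", c["customer_id"])
        test_customers.append({
            "customer_id": cid,                          # codified, still joinable
            "name": f"Customer {cid[:6]}",               # realistic-looking stand-in
            "email": f"{cid}@test.invalid",              # can never be delivered
            "birth_decade": c["birth_year"] // 10 * 10,  # generalised value
        })
    test_orders = []
    for o in orders:
        test_orders.append({
            "order_id": o["order_id"],
            # same key and input as above, so the foreign key still matches
            "customer_id": token(key, "customer_id", o["customer_id"]),
            # randomised within +/-10% so totals stay plausible
            "amount": round(o["amount"] * rng.uniform(0.9, 1.1), 2),
        })
    return test_customers, test_orders

if __name__ == "__main__":
    import secrets
    demo_key = secrets.token_bytes(32)  # in practice held outside the test environment
    for table in deidentify(CUSTOMERS, ORDERS, demo_key):
        for row in table:
            print(row)
```

Without the key the tokens cannot be recomputed from known customer numbers, which is why the key must not travel with the test data set or to an outsourced tester.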

http://www.ics.ie/dp/DPconfernceApril2009.html
The inaugural ICS Data Protection Conference will take place on the 2nd April at the Hilton Hotel, Charlemont Place, Dublin 2. Topics to be discussed and debated on the day will include: Access requests, data breaches, record management, security, audits, individual rights and many more.

Software Lifecycle Standards for Very Small Software Companies

Rory O'Connor, Irish Software Testing Board; Marty Sanders, Lero

The business reasons for certification to standards are:

Increased competitiveness
Higher customer confidence and satisfaction
Higher software product quality
Increased sponsorship for process improvement
Decreased development risk
Marketing facilitator (e.g. better image)
Higher potential to export

They decided on 25 employees or fewer in the department, company or project as a Very Small Enterprise (VSE).
The assumption is that in such a small group of people, some of the overhead in meetings, documentation and general communications is not needed.
In Ireland, 61% of our 900 software companies employ 10 or fewer.

The general objectives for their ISO group (ISO/IEC 29110 working group) were to provide:

Accessibility to current software engineering standards for small companies
Harmonized documentation integrating available standards, but requiring minimal tailoring and adaptation effort
Profiles aligned with the notions of maturity levels presented in other standards
Implementation guidelines (domain specific) on how to perform the processes
Deployment Packages are a series of guidelines explaining in more detail the processes defined in the profile.
They include competencies required, knowledge and skills, template(s) empty and filled with examples, and checklist(s) to facilitate implementation, assessment and self-assessment.

How you can participate and learn
The plan is to invite companies to participate in the field trials before the standards get published by ISO
The plan is to produce a Final Draft this year
Publication as a standard is scheduled for 2010
In the meantime, deployment packages will be made available on public web sites
http://www.lero.ie The Irish Software Engineering Research Centre


Product Management and the Testing Team

Mary Ryan, Product Innovator  http://www.productinnovator.com
A Product Manager has to identify market and customer requirements, develop a ‘whole product’ strategy over the entire product lifecycle, position products, develop a ‘Go to market’ strategy and evangelise the product.
This links closely with QA's input and responsibilities in Requirements Management and prioritisation, Use Cases, Change Management, Release Plan, QA Test cycles, the development of FAQs, and performance benchmarks.

____________________________________________________________
____________________________________________________________

3) Spreadsheets

Ray Butler and Patrick O'Beirne at EuroCACS Frankfurt 15 March 2009

http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=46074#pre

This one-day workshop:
Offers a comprehensive approach to auditing spreadsheets.
Uses real-world examples and hands-on learning to demonstrate the benefits of such an approach.
The participant will learn more about:
Where to start and the most efficient techniques to use
How to cut down a system of spreadsheets to a manageable audit task
The symptoms that indicate potential or actual problems
How an enterprise can create an inventory of its critical spreadsheets, assess them for risk and prioritise scarce resources
Little-known secrets of Excel's auditing features
The causes of spreadsheet errors
The risk environment and processes around spreadsheet use
Techniques for inspecting a spreadsheet for errors
Techniques to reduce the incidence of errors in spreadsheets
What to look for in software tools 

Spreadsheet Check and Control: 47 best practices to detect and prevent errors

http://www.sysmod.com/scc.htm

_______________________________________________________
_______________________________________________________

FEEDBACK

Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

4) Off Topic

Websites as graphs

http://www.aharef.info/static/htmlgraph/

Shows a web site as a chart of the linkages among the pages.

_______________________________________________________
_______________________________________________________

Copyright (c) Systems Modelling Limited, http://www.sysmod.com . Reproduction allowed provided this copyright notice is included.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I moderate posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
_______________________________________________________
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
______________________________________________________
ARCHIVES
To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm

DISCLAIMER
This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
_______________________________________________________
PRIVACY POLICY:
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website http://finance.groups.yahoo.com/group/EuroIS/
_______________________________________________________