January 2009 Newsletter
Open Source
by Tom Murray
As we look forward to the rough financial seas for state government, the topic of where Open Source software fits in Vermont state government continues to arise.
The state, like many institutions, has tended to use established, proprietary software for a variety of reasons. For example, Microsoft Word allows documents to be emailed with a very high probability that the receiver can open the attachment. Several agencies have dabbled with open source products, and the state's new web portal uses open source software. Other than compatibility and maximizing the value of all the software products that have already been purchased (for example, a laptop that came with a Microsoft Office license), there is no particular sense of loyalty to these vendors, so we are open to discussing "open".
I have asked DII's Deputy Commissioner Dave Tucker to establish a work group to examine open source and to determine where it fits within Vermont state government. We would like the work group to be a balance of progressive, open source advocates as well as individuals who can bring the benefits of products like Microsoft's to the discussion. If you are interested in joining this work group, please email david.tucker@state.vt.us.
Social Networks and You
by Kris Rowley
There has been a lot of talk about social networks in the news lately. Social networks are web sites such as MySpace and Facebook, to name a couple, where people can go to make new friends, socialize with known friends and share information about themselves. This trend toward online social networks started out in colleges as a way for students to stay in touch with friends at home as well as college friends during breaks or after graduation. This form of socializing has grown tremendously over the past few years. There are now sites focused toward college students, others designed for professional networking, some for the general public and, I am sure, others for most interests people may have. I have mentioned MySpace and Facebook only because they are well known by most people, but they are not the only social networking sites out there. Like most things, this started out as something good. Also, like most things, someone had to spoil the fun.
I decided to discuss Social Networks this week because someone I know had a Facebook page that was hacked recently. The result was that her site was converted into a porn site. The hacker also sent out emails, from this woman’s email address to people in her address book. Needless to say, the emails were not nice. As a result, she had a lot of explaining to do to a lot of people.
This incident, in the big picture, was not horrible. It was embarrassing and troublesome, but not horrid. Newsworthy social network stories involve young people who have killed themselves because of cyber bullying, people who have lost jobs because of what they have posted on their own site, and public embarrassment of public figures who have had their pictures taken in compromising situations and posted for the world to see. President-elect Obama had his web site hacked. There are many examples of identity theft, cyber stalking, and other criminal activity associated with social networks.
You may be able to discern at this point that I do not like social network sites. As the Security Director for the State of Vermont, I have reason not to like them. Social network sites such as Facebook and MySpace, for example, are perfect models for the three D’s of insecurity: insecure by design, insecure by default and insecure in deployment.
Security is clearly not part of the business model for the owners of these popular sites. My key message to you is, if you use these sites or are thinking about using them, assume that what you post is going to be public. If you give out personal information on one of these sites, assume someone will use it against you at some point.
One of the key advantages that hackers have is that there is an end-user population out there hungry for peer interaction and imbued with trust. I am not going to get into pop psychology; just trust me that this is a true statement. Now, with trust and eagerness for interaction and to “have the most friends on a friends list,” people invite all kinds of people into their site. Hackers love this! And they use it against people.
Now, don’t feel bad if you have fallen for a social engineer/hacker trick. It even happens to people who should know what to watch for and how to protect themselves. These hackers are very good at what they do.
Trust and eagerness gone awry were demonstrated in an experiment by two hackers at the 2008 Black Hat briefings. (Black Hats are “bad guy” hackers and yes, they have public conventions; that is a story for another week.) Anyway, two White Hat hackers (yep, “good guy” hackers) set up a fake profile of a well-known security expert, with his blessing. In very short order, the “security expert” was contacted by the CSO of a security vendor, a Fortune 100 CSO, an information security magazine editor and many others who never questioned whether this was indeed the security expert they thought it was. Nor did they hesitate to share information with someone they thought they could trust.
The White Hat hackers did not exploit this misplaced trust, but concluded that if their faux “security expert” had shared a malicious website link or application, those trusting folks would have unknowingly become victims in a heartbeat.
You may now be asking what you can do to protect yourself. My first suggestion would be to cancel your subscription to the site; however, that is a totally biased suggestion. Short of that, my recommendations are:
• Only invite people you know into your site. Or people that your friends know and trust.
• Don’t give out any personal information that someone could use against you.
• Do not post pictures or text on your site that you would be embarrassed by if your children/parents/spouse viewed or read it.
• Remember, many employers view these sites. Don’t put yourself in a position to lose a job because of what you post.
• The government also checks sites frequently. Do not post threatening content!
• If someone you don’t know starts asking you questions, be careful what you say.
• Do not trust anyone on a social network site!!! Not even your “friends.” Your “friend” might be a hacker posing as someone you know. Talk to your friends via email or on the phone, or better yet, in person!
• If you have children who use these sites, monitor them closely! Pedophiles can determine where a child lives or goes to school via clues in photos or by what a child might tell them.
• Lastly, if you do get hacked or threatened, call your local police or State Police. Most states have a cyber crimes unit that handles these kinds of issues.
Be paranoid! It may save you a lot of trouble in the future.
Agency of Administration Server Consolidation Project Success
by Christine Hetzel, PMP

In 2008, the Agency of Administration (AOA) embarked on a multi-phase project to optimize server infrastructure and supporting network and hardware devices used across the Agency. AOA departments include Buildings and General Services, the Department of Information and Innovation, Finance and Management, Human Resources, Libraries and Tax.
With a few exceptions due to business requirements, the Agency has completed Project Phase 1 by successfully moving all server infrastructure and supporting network and hardware devices into common data centers housed at 133 State Street and National Life.
The AOA departments endeavor to continue to collaborate on all IT initiatives as well as share technical resources wherever possible. In 2009, the existing AOA Governance Team and Technical Operations team will be working side-by-side to continue to merge common technologies, share resources and leverage virtualization wherever possible to address ever-tightening budgets.
Projects on the horizon include backup and recovery, antivirus protection, patch distribution and the implementation of a common Active Directory.
Congratulations to all project team members who worked tirelessly on this project to ensure minimal impact to their user community.
SPAM Report
by Joe Lenahan
As part of the Exchange 2007 mail service, DII uses Symantec Mail Security (SMS) 8360 series gateways to help guard against spam and viruses. Below are some statistics on the amount of spam the SMS mail gateways received between October 1, 2008 and December 31, 2008.
During that time there were a total of 14,351,837 messages received by the SMS mail gateways. Of those messages, 3,399,991 (23.6%) were determined to be clean and delivered to users’ mailboxes. Of those 3.3 million messages delivered, there is a small percentage (1-3%) of spam that may get through.
With that being said, there are messages that users believe to be spam that are not considered spam by the Symantec appliances (see link below for Symantec’s definition of spam). “Spam” that is the result of business you have conducted online where you gave someone your email address is actually not spam, although it may be unwanted. Emails that get through to your mailbox that are true spam can be put in the Spam Complain folder.
What’s New in Records Management Standards
by Darwin Thompson
The Department of Information and Innovation (DII) and the Vermont State Archives and Records Administration (VSARA), through iSTART, have issued three new state standards related to records management.
- Records Management: This best practice establishes a set of statewide recommendations for the responsible management of public records.
- Recordkeeping Metadata: This guideline provides guidance and advice to public agencies in the selection and use of recordkeeping metadata that support the interoperability, management, accessibility, and preservation of government records.
- Imaging/Scanning: This guideline offers a best practice checklist for imaging records.
State standards are available online at: vermont-archives.org/records/iSTART/standards/
Enterprise SharePoint (MOSS) Infrastructure Project Update
by Tom Jenny, PMP
MOSS Infrastructure Design
The SharePoint project team and our vendor have been working very hard on completing the detailed system design documentation. This is probably the most critical project deliverable in this planning phase of our project, as it defines the overall architecture of our enterprise SharePoint platform. We’ve had multiple rounds of design review discussions and document revisions. We’re in the midst of the final design review process and expect to have the design completed and into the hands of Michael Morey, the Enterprise Architect/CTO, for his sign-off next week. We’re currently running about a month behind our planned schedule.
SharePoint Governance Plan
As we discussed in our last newsletter, the SharePoint project team and i3solutions (our SharePoint partner) have also been hard at work developing a draft governance plan. That draft was delivered to DII management for review just before the holidays.
The plan includes establishing a Governance Board, for which DII has solicited membership from various stakeholder agencies and departments. David Tucker, Deputy Commissioner of DII, will be chair of this board and has scheduled a kickoff meeting for later this month. “We have identified a number of key players from both the IT and business/program sectors who have all agreed to serve on this important board,” David said. “I’m very much looking forward to working with this group of individuals on this important project.” The first priorities for this board will be to develop their charter and begin to work on finalizing the Governance Plan that has been drafted by the project team and i3solutions.
Why are we building a SharePoint Governance plan?
Microsoft defines Governance as “…the set of roles, responsibilities, and processes that you put in place in an enterprise to guide the development and use of a solution based on SharePoint.” Without proper planning and oversight, deploying SharePoint sites can become difficult to control and manage. It is critical to implement a process that links Vermont’s various business objectives with the SharePoint site implementations that will support those business objectives. A governance plan establishes the balance between proper control mechanisms and the innovative use of SharePoint collaboration capabilities. The plan is a roadmap for administering, maintaining, and supporting the efficient use of SharePoint technologies. By using proven governance techniques and best practices, Vermont can align its policies for using SharePoint with its organizational culture and overall mission while still enabling teams and individuals to effectively collaborate and share information.
When I asked DII Commissioner and CIO Tom Murray about his views on governance, he responded: “Vermont cannot afford to implement systems, particularly a platform like SharePoint, on a trial and error basis trying to work out the best way to do things ‘on the fly’. Jointly developing a governance model that defines roles, responsibilities and rules for system use along with open two-way communication will ensure the successful adoption of SharePoint technologies while maintaining an appropriate amount of control.”
Another key component of effectively utilizing SharePoint is for agencies and departments to employ best practice document and records management standards with regard to SharePoint implementations. Careful planning as to what information will be stored in SharePoint and how it will be organized and managed is the key to a successful implementation. Many organizations that have let SharePoint fly without addressing these important issues are experiencing what has become known as “SharePoint Sprawl”. Some of these large enterprises have found that in no time they end up with hundreds or even thousands of mini-sites where there are multiple copies of the same documents or information in different locations or “content silos”; thus defeating the purpose of using SharePoint.
We are working closely with the Vermont State Archives and Records Administration (VSARA) and promote participation in their Targeted Assistance Program (TAP), http://vermont-archives.org/records/tap/index.htm, for all agencies and departments looking to take advantage of SharePoint. Through a well thought out governance plan and the collaboration between DII and VSARA, we hope to ensure the most effective use of SharePoint for Vermont and its citizens.
Next month we’ll talk more about governance and I will provide highlights of my conversation with Lou Borie, Chief Coordinator for the Natural Resources Board (NRB) about how they plan to use SharePoint in support of their mission.
Project Management Methodology – “You Changed WHAT?”
by Patricia Houston
Just a few days before Christmas, I received a phone call from a good friend of mine (for the purpose of this article we will call her Sue). Sue was at a complete loss as to how to console her four-year-old son and was soliciting her closest friends for words of advice.
Sue explained to me that this Christmas season she and her husband had decided to change the lights on the tree from their traditional white lights to multi-color bulbs. Apparently their four-year-old had not noticed this change while the family was decorating the tree, but as soon as the decorations were up and the happy family gathered around the tree for the official tree lighting, the four-year-old noticed. Rather than the anticipated shouts of delight when the lights came on, Sue’s ears were met with wails of despair, and she turned to see a four-year-old with big brown eyes full of tears.
Sue’s question to me was “what should I do?”, but I couldn’t stop myself from wondering “what could she have done?”
As my friend found out, four-year-olds hate change, and I would say so do ninety-four-year-olds and everyone in between. It is human nature. Can you think of a time when someone “changed the bulbs” on you thinking you’d love the new look? Did you find yourself or someone else you know wailing in protest (silent or not)? I know I have.
There are a lot of reasons people dislike change. Perhaps we find ourselves resisting a change because we didn’t have a say in it, or we are worried that the change will negatively impact us, or perhaps we think, as the shocked four-year-old declared, “it is not pretty anymore”. No matter the reason we don’t like the change, we are more than likely going to encounter change again and again, especially in our current economic times.
One school of thought is the more effectively we learn to deal with change, on an individual and organizational level, the more likely we are to survive and even thrive in it.
In his book “Paulson on Change”, Terry Paulson quotes his uncle’s advice: “It’s easiest to ride a horse in the direction it is going”. In other words, don’t struggle against change; leverage it to your advantage.
Over the next few months, we will be exploring how we can manage change and use change to our advantage. We will look at ways to recognize when a change is coming, prepare for the change, and manage the change.
Then when we change the bulbs, people won’t mind the colors.
Requirements Trawling, Part 6 - Requirement Reuse
by Rick Daniell
In our last newsletter article, I continued the discussion on “Requirements Trawling”; specifically, we covered a concept called “Apprenticing” which, as you may recall, involves having the Business Analyst actually engaged in the business process in order to experience the requirements first hand.
In this article I would like to introduce the concept of “Requirement Re-use”. This concept involves treating the requirements as “artifacts” that can be re-used in future projects. In many situations the requirements for one system can be translated and re-used in another project. This “re-use” of requirements can save tremendous time, energy and money when it comes to gathering requirements. The key to successful requirement re-use is having an organized, methodical approach to requirements management.
In our next newsletter article we will bring the series to a close and recap each of the various techniques.