Availability is simply the ability to get what you want from the system when you need it. There should not be any barriers outside of the checks and balances that manage the other security perspectives in the CIADA model.

Given that Excel is a fairly robust and prevalent industry application, there are not many software ‘features’ that may deliberately or inadvertently withhold information from its own users; though a side thought would caution against passwords only known by one person which is a simple but important risk.

Beyond this, I am slightly at a loss with regards to the specific availability threats in the context of decision support and reporting with Excel. The threats would be largely similar to any system I think… maybe there is something I am missing under this heading.

Appropriateness and alternatives advice is thin on the ground given that the risks cross solutions. So… um… yeah… (tumbleweed).

Contact me if you think of anything deep and meaningful – tweet me using @stugom or email me using stuart [dot] gomersall at bsguk [dot] co [dot] uk – and we can revise this post with appropriate credits where due.

The post Spreadsheets in the enterprise, considering availability (pt 3/5) appeared first on BSG (UK).

This post looks at the perspective of integrity – defined for this purpose as “concerning the unwanted modification of data.”

Modifying the data in a sensitive data set is a huge risk. Potential ruinous of the result in its entirety and in the context of a decision support system – it is the kind of thing that people lose jobs, homes and businesses over. Shockingly, people may even want to do this for selfish and malevolent reasons… and in an Excel world they can do this without a trace (almost – which is a thought for another post).

The threat is multi-dimensional:
1. Altering a data element directly – like lowering your own sales target in the evaluation sheet
2. Altering referenced data – linking your sales total to salesman of the year Bob’s total
3. Removing key data points – deleting Bob’s biggest sales account entirely
4. the list goes on…

There are complex tools within Excel and, if you speak “formulae” and can trace through multiple sheets simultaneously then you’re all good, you could find the modifications. Which is cool, right? What could possibly go wrong? Well – how do you know you’ve found them all, how long have you got to do the searching and fixing? And most importantly, how do you even know that there is a data integrity problem in the first place? On top of all this, the “business case” for Excel is usually that it is quicker, but by the time you’ve done all of this digging, that business case no longer stacks up.

Of course, even transactional enterprise systems of any type are vulnerable to data threat. The difference is that an enterprise system is layered: the data source and the reporting are separated which is not the case in Excel.

To repeat the rallying cry. Use common sense, think about the data you are handling, analysing, modelling and use the appropriate systems and countermeasures to make your work simple at the same time minimising risk of breaches. Easy, right?

The post Spreadsheets in the enterprise, considering integrity (pt 2/5) appeared first on BSG (UK).

For the sake of this post, I’ll define confidentiality as “concerns regarding the unwanted disclosure of information.”

Confidentiality is complex as it is both role-driven and time-driven, i.e. sensitive data may only be applicable to me in my current role and for a specific timeframe after which it may become stale and elicit invalid results.

Without deploying additional layers (e.g. using the file system layer to assign access via login to specific roles) neither angle is covered by Excel (or any Office-style application). Access is blanket applied – you are in or out of the loop. Hidden sheets help, but security by obscurity is never a great design choice and is not sustainable. And let’s not get started on the concept of using a tool designed for collaboration with others as a store of sensitive and/or confidential information – it is certainly paradoxical!

All of the above really depends on the inherent “value” of the data (or asset) you are trying to secure, if it is public information then, by all means, use Excel. For example, the Guardian makes chart data available via Excel for further analysis. Sensitive financial or people data is another matter. It is crucial to apply a set of reasonable countermeasures to data and systems based on the valuation of the asset from each perspective of the CIADA model.

Assessing the alternatives available to maintain data confidentiality may be simple. If the alternatives are very obscure, very expensive or a change management bridge too far then go back to your valuation of the asset. You may be inflating the valuation based on an incorrect view from the relevant stakeholders. Or maybe rudimentary controls are appropriate as countermeasures.

My rallying cry is simple. Excel is fine, in context. Be sure to complete the valuation of the information asset as well assessment and deployment of appropriate countermeasures over the blind use of a collaboration tool.

The post Spreadsheets in the enterprise, considering confidentiality (pt 1/5) appeared first on BSG (UK).

So there are 5 special senses, we all know that. There are more subtle ‘senses’ like a sense of fear amongst others. But what are the senses of a Business Analyst? Someone who makes letters and numbers in a spreadsheet into a successful system or change initiative. Someone who makes the impossible possible. Someone who tames the wilderness.

Here are some thoughts on the emergent senses of the evolving BA.

> Common sense
Several of my contemporaries, notably @ukadrianreed, have highlighted how common sense is a thing missing from many BA’s armoury at the moment. I fear that BA’s get carried away in seeking to please and getting the validation of that coveted ‘sign-off’ which so blinds us all to the reality and practicality of making commitments on speculative requirements. I wholeheartedly believe that this is a key sensory talent that BA’s need more than ever and it will ensure their survival out in the project wilderness. And it is an unforgiving wilderness at the moment in the change space!

> Sense of clarity
Engaging with people of all kinds is complicated. When developers say the only problem with their system is the user, the BA should take heed. Users are the source of our requirements, they will make all requirements high priority (or Must Have – if you are a Muscovite) and they will bamboozle you with complex rules, spreadsheet models and bizarre user interface needs. It takes a smart BA to sense ambiguity, dissonance and omission of requirements from the user community. Ever had scope creep? Users are wild creatures, unpredictable. Never smile at a crocodile; and never forget a senior user’s requirement to login “just like Facebook”

> Sense of proportion of things
As I noted earlier, users tend to get requirements trigger happy – and all requirements tend to be must have’s. I guess it’s natural, if I ask you what you want tomorrow, it is unlikely you will settle for less than you have today will you? This is where the relative priority of requirements or features is a much better method than absolute requirement prioritisation. It forces users to rank requirements. No two requirements are equal, the jungle has a natural order and so do requirements.

> Sense of connectedness
As a caveat to the relative prioritisation of requirements above, I believe it is incredibly important to note that sometimes – depending on how you have completed your requirements, some requirements may be inextricably linked to one another. It means that a simple ranking process helps, but has exceptions. But where would we be without the odd exception to the rule?

Further to this, but linked to the sense of clarity, it is important to realise connectedness in relation to dissonance and omission. Dissonance may occur (and often does) where requirements contradict each other and sadly, yet predictably, we never notice this in the sessions when the users are relaying their needs and neither do they! But sometimes, things are not connected on the surface. A keen and experienced BA will sense the dissonance; gurus may even do so in the middle of a workshop. Omission is to requirements as the platypus is to land mammals – an entirely unexpected cousin.

> Sense of perspective
As an agent of change, BAs realise that sometimes it is more important to know enough to move ahead, than to know everything right now. The BA profession is not a career stepping stone to being psychic; requirements change over time, they evolve. Much like any king of the jungle, projects and requirements are emergent and as much as we try to manage change – the state of flux is natural. From change control to Agile, all we are try to do is manage the inevitable. It is perhaps better to have a strong sense of perspective, what do we need to know to move ahead: does this validate or invalidate the perceived project benefits? Am I comfortable living on the edge of certainty and uncertainty?

> Sense of style
A business analyst should be creative, imaginative and innovative. Your delivery should have a sense of style that inspires others, wants them to engage with you, your work and be energised by engaging the change that the BA is representing in the project. There is nothing less engaging that boring workshops, black and white models and lots of text. In order to get ahead in the jungle, fauna and flora need to attract others to their wares. Like bright flowers for pollination, BA’s need to attract stakeholders and users to their artefacts to improve the probability of project success through engagement and buy-in.

Looking back on my starting question: I think yes. There are ‘senses’ to a BA. Furthermore, we might even have specialised sensory tools to receive the stimuli that drive those senses…

But for now, as BA’s evolve, the project wilderness is what it is. Happy evolving.

The post Are there senses of a BA? – Stuart Gomersall appeared first on BSG (UK).