Knowledge Graphs

I attended a Capco/Semantic Web Company webinar on Knowledge Graphs, which provoked these thoughts on how far we’ve come, on new solutions to old problems and on the social inhibitors to new technology adoption. The complexity of the data administration problem is why specialist tools have been developed and matured to the point that Gartner produce a Magic Quadrant on Metadata Management tools, in which the Semantic Web Company’s PoolParty appears as a visionary. The MQ report is currently being distributed, as is normal, by one of the “Leaders”, Informatica.

Andreas Blumaur, who was one of the speakers, repeated his suggestion: start small with committed users, and possibly the best first solution is a semantic search. (I think I’ll have another look at implementing something on my wiki.)

I have felt for a while that semantic web technology could be used to match work to resource in the cloud, with cloud entities advertising their capability using XML; it shouldn’t be a stretch, and with Azure these systems are being defined in XML. The other application that interests me is whether the XML/RDF models can be used to create a model of the person in the enterprise, maybe implemented in SQL; my current researches have not been fruitful. …

Can’t make it up

A note on LinkedIn on why managements need IT usage policies to prove their compliance and to act legally and fairly towards their employees. I suggest that ISO27001 is useful as a technical standard and COBIT as an organisational one.

This was written in the light of a couple of cases I had to deal with as an accompanying rep. or as an advisor.

You can’t claim that users are not performing if you can’t prove the IT systems work as documented. You can’t pursue a conduct disciplinary against people operating a policy. You can’t fulfil FOI or SAR requests if the data retention policy is suspect. You can’t be sure that corruption has not occurred if there is inadequate segregation of duties.

Having a policy will help the organisation answer the following questions. Is our software supported? Why and how was that data deleted? What should be logged? Who has permission to read, amend and run these programs and/or this data? Are our vendors signed up to our IT security goals? Why do you not know this?

This is all defined in these standards, and the GDPR makes certification to good practice evidence of good will. ISO27001 and COBIT are the big boys in town to prove technical and organisational protection.

You can’t make it up anymore. …

Some IT technology & economics history

I have finally installed a version of CA-Superproject under W98/VirtualBox, and the experience reminded me of a couple of things: about the software, about its final custodian, Computer Associates (CA), and also about some critical software project management issues. I have written a more formal note on LinkedIn and this is my mirror/pointer to that; the rest of this article précises that article. …

Technology lessons

It seems there is insufficient evidence to prosecute Boris Johnson for misconduct in a public office; the police had been investigating him as a result of his alleged relationship with Jennifer Arcuri in the light of decisions taken by the Mayor’s Office to support her business. It should be noted that he did not declare his relationship as a potential conflict of interest. His day-time visits to her home, so presumably during working hours, were, it seems, for ‘technology lessons’; it reminds me of the Private Eye euphemism of “Ugandan discussions”. One disturbing part of the affair is that the emails seem to be unavailable, possibly in contravention of the GLA’s and Mayor’s statutory record keeping rules and duties. The rest of this blog looks at alternative legal approaches to investigating whether wrongdoing has occurred; it highlights the role of ISO 27001 in specifying good IT management and security practices, and that compliance/certification may be seen as part of a legal defence against liability for a security breach. Without good IT security controls, essential audit questions cannot be answered.

In order to help consider how that might have happened, I have just written a short note on how ISO 27001 deals with deletion. It is clear that the rules and means of making data deletions need to be specified and controlled. ISO guidance on “Asset Management” specifies good practice for data management, and the section on “Logging & Monitoring” details how business actions need to be, well …, logged and monitored. Without these tools, we cannot know who took any actions, and who instructed that these actions occur. I talk about the well known exception to the storage principle, that data needed for disputes or compliance must not be deleted until these needs are no longer in place. If these tools are not available, perhaps we should be asking, why not? Who said that these controls were too expensive? The GDPR establishes that using a certified code is an important indicator that the organisation has “adequate technical and organisational protection”.

While Johnson’s relationship with Arcuri is not what led me to look at the Bribery Act, I wrote a short note on that and discovered that a bribe is

[any] act designed to obtain or having the effect of obtaining advantage through the ‘improper performance’ of another person.

Now it’s over to the GLA’s Oversight Committee. …

Fighting Corruption

Sadly, I have been looking to see what’s being said about corruption and anti-corruption. I made a wiki post which includes some links on management strategy, among them an article from McKinsey’s Journal which offers a brief taxonomy of corrupt practices; this is augmented by Transparency International’s toolkit, to which I link. TI also note that, “The UK Bribery Act, which was passed in 2010, introduces an offence of corporate failure to prevent bribery.” There are also some specific action plans, including current advice from the MoJ. Interestingly, to me, the action plans share many ideas with the risk management practices and IT security controls that I have been working with for many years, and having a robust programme of controls is the only defence against the aforementioned corporate crime.

Construct a taxonomy, develop controls, measure the effectiveness of the controls and fix those that are broken.

This costs money and time, and companies may lose business because of it. No-one says it’s easy.

I have now made a post on my LinkedIn blog which, while repeating some of what I say here, looks at the MoJ guidance and their six principles and offers some important definitions pertaining to bribery. I highlight the concept of ‘improper behaviour’ from within the legislation. …

Theory matters!

I have just posted a blog on LinkedIn about business and IT strategy. I say a bit more here! This was provoked because I was doing some research for a job application which involves IT strategy. I was considering the alignment of business strategy with that of the IT department and what I might say. I outlined three models; although they were all developed a while ago, I think they all have relevance today. The three models address business strategy, software portfolio management and architectural pattern selection. Business strategy should drive portfolio and project management choices. While business strategy will outline how to do what must be done, it also defines what will not be done. Portfolio management determines the allocation of development funding, priority, maintenance funding, project risk appetite, people skills, project governance and software sourcing policy, and as a result of the choices made, one can select the appropriate platform super-architectures, of which you may need more than one. I conclude that theory matters. …

Why Zoom?

I have posted a blog, “Why Zoom?”, on how Zoom has become so popular in terms of getting consumer mind share.

I wonder if it’s based on Microsoft forgetting its history. I am sure the ultra low cost of using Zoom helps but Microsoft’s entry cost for Skype is the same and at the end, someone has to pay for the server room cycles.

Perhaps in the hypergrowth stage best of breed works but I suspect that an integrated offering will win out in the end.

Where is BS20001 when you need it?

I have been looking at my CISSP notes on Business Continuity, and they all state that getting your people into work is as important as ensuring the IT can survive the disaster. Also, people have been reducing the likelihood of a data centre loss, and to be frank that’s not what’s happened. There is no question that much planning has been found wanting, as there are companies whose strategy for meeting their public duty in the case of a disaster has been to allow competitors to step in. Both Waitrose’s and Laithwaite’s web sites have failed over the last seven days; these failures will probably be because of both staff non-availability and insufficient capacity to cope with increased demand.

I also wrote a piece on my LinkedIn blog about the vulnerabilities that a sudden switch to mass working from home may cause, looking at vulnerability management, data leakage protection and, obliquely, vendor management. …

Snowflake SQL & Big Data

Yesterday, I attended Snowflake’s World Summit. My experience of working for US companies has taught me some cynicism about the naming of such events, but both the CTO and the business founder are French and ex-Oracle employees. They have obviously caught a mind share: the meeting was heaving and very heavily overbooked. I attended the plenary sessions, which consisted of a reference story, and during the break spoke to one of their pre-sales engineers, who was very helpful. This article looks at the architecture, examines its scalability design and the hardware solutions underpinning the product, and comments on the accuracy of Stonebraker’s predictions. …