Vendor Management and the Labour Party

I wrote a blog on linkedin, on what I call Vendor Management. This is based on my experience as an IT Security and Compliance consultant, and leans on ISO 27001. Some of the words in this article mirror what I say in the linkedin post. I argue that rule one is to have a policy which must deal with how to apply a risk based approach to the supply chain. This means segmenting suppliers into value or risk classes, using a classic risk matrix of estimating probability of failure vs. the impact. This will help one understand how important any supplier is to the business. The policy should also have authorisation limits and policies to counter the threat of corruption, and life-cycle policies including sunset clauses to ensure it remains relevant. The policy must define the monitoring requirements, which may create liabilities on both sides, and also the need for terms to exit the contract, and remediation where the supplier unilaterally exits the market.

All IT supply must be under contract which must be appropriately authorised financially, legally and technically, i.e. someone must have signed off on the risks of confidentiality, availability and integrity. The nature of the contract and risk analysis will depend on the importance of the supplier to the enterprise. Contracts need to establish the right to use, rights to software updates, the rights to bug fixes and engineering effort under a service level agreement, the right to request enhancements, contingency in the case of the vendor’s market exit such as code escrow, functional future proofing (most importantly compliance functionality), intellectual property transfer and its exclusions, termination conditions and data protection commitments and controls. Contracts must be monitored and compensation agreed for failure to meet service levels, which may exist on both sides; for example, the buyer will need to ensure it meets the agreed licensing rules and payments, and the supplier that any availability guarantees are met.

The Party must consider getting its software portfolio and IT Organisation ‘branded’ as of a suitable and professional quality. The GDPR defines a 3rd party certification as proof that an organisation’s controls are adequate, and the Party must for many reasons also register its HR systems with, possibly both, “Investors in People” and “A great place to work”, as it’s clear that professional advice and goals are needed to fix the problems obvious in the behaviour of several Regional Directors and first identified by the Chakrabarti Report.

Do the Labour Party have a robust vendor management policy? The critical software product for compliance is probably the financial system, and to drive this, the membership system is required to record facts required for selection and to record if members are in good standing. Also, do the Labour Party own a data centre (or two) or do they use a cloud provider? It’s obvious that some software is SaaS. Has due diligence been done, has a risk register been created for the portfolio? Not everyone will remember, but Nationbuilder, no longer used by the party, which was the volunteer management product, failed during the 2015 general election. This is important to get right, and with questions raised by Unite’s evidence to the Forde Inquiry the audit and authorisation functionality of our financial systems must be questioned, as must recent portfolio acquisitions such as Anonyvoter.

This is all kept secret, and it would seem that many NEC members have little interest in this part of the job.

The important thing here is that these problems have been solved before, and there is agreement on the right way to do things. The Labour Party can’t make this stuff up, as the whole of local government have just discovered with the imposition of Commissioners in Liverpool. …

Whatsapp?

I am a bit confused over the whatsapp privacy update furore. Whatsapp say it’s only about business correspondence, Alec Muffett agrees, and so does the Independent. Schneier thinks it’s a bad thing, and points at Nick Statt’s article, which adds to my confusion by pointing out that early users of whatsapp had the opportunity to deny Facebook access to their data and that European users are managed under a different policy to ensure Facebook’s compliance with the GDPR. I am an early user and so they shouldn’t be mining my address book; however, they may be doing so for my correspondents, particularly any US correspondents. However, I wonder if they or Facebook still consider the UK regime as equivalent to that of the European Union; the Independent article confirms it does. I don’t consider the update notice to be a collection of consent that is freely given nor ‘informed’, as the future purpose is not clear, at least not to me, but I may not have to worry yet. The problem is Facebook, both the company and the service; if we’re serious about our privacy, we’d stop using it, but until then they can obey the law. …

Technical debt, depreciation and risk

I wrote and posted a piece on Technical Debt on my linkedin blog. Its post comment, based on the concluding paragraph says, “I look at “Technical Debt” in the context of IT budget planning and suggest that it is not such a useful concept. Using standard risk management analysis is a more effective means of planning a maintenance budget which should consist of funding for both error & risk remediation. Depreciation is a better financial model for the problem.”

There must be much written about the nature of depreciation from physical wear and tear, to the need and cost to replace due to increasing failure; perhaps I should look for some reading on how this applies to information systems. I question if software is an asset in terms of accounting theory, I suppose so because it has value in more than one accounting period, but can it be realised? I also question the value of placing a cash value on software in use, identifying its cost to acquire is potentially simple, its residual value is much harder and synchronising this change to a single corporate depreciation rule can be difficult.

Some things I considered writing about include the number of times, while trying to clean up or rationalise corporate IT estates, I was told, “you’re not touching that!”. We used to joke that they’d lost the system which pays the board’s bonuses, but these systems were almost always obsolete and acted as a technology sink, keeping product in the portfolio that should have been abandoned. Recently I came across the phrase “fictional capital”; these systems had an unknown value and the decision to leave them alone seemed based on a pessimistic and fictional view of their value. I sometimes suggested turning them off to see who squealed, but this advice was never accepted.

Also, it needs to be considered that the maintenance budget is a function of the size of the information systems portfolio and much of it is a fixed cost. If you don’t spend the money the systems stop, and they do not vary with output. …

On DMCA takedown of youtube-dl

The EFF thought fit to comment on an RIAA DMCA takedown using §1201 of the DMCA aimed at a program called youtube-dl hosted on Github; I forwarded it via Facebook with a cryptic, acronym laden comment, and not surprisingly, some of my correspondents suggested I could have been more helpful and understandable. So I wrote an article on Linkedin, although much of it can be gained from the EFF article; however, this version includes a bit on the oppressive economics of copyright maximalism, and a comment noting that Github have reposted the repo and revised their process to ensure their policies of supporting developers are fully considered when considering takedown notices. ...

Excel and Track & Trace

The UK’s world class “Track & Trace” application “lost” 16,000 cases for over a week, as reported in the Register. Plenty of people have decided to comment and so I thought I’d join in and posted my thoughts in a linkedin blog, although I start this post with a quote from the Register, including the fabulous phrase, "Ridicule and despair, those shagged-out nags of our Johnsonian apocalypse, once again trudged exhaustedly across the plaguelands of England". For more see below/overleaf ...

ARM in play again

I was interested to learn that ARM is in play again, although curious to learn that Nvidia might be its suitor, and even more interested to learn that Nvidia has overtaken Intel as the world’s largest chip fab. How did that happen? Nvidia sell on consoles as well as PC/laptops, and games platforms are, it seems, another good whose demand has been boosted by CV19, and the global demand for cycles has been driven by HPC and AI recently, where Nvidia are competing architecturally with Intel, although they need a CPU to complete their portfolio. It may be a better fit than I’d thought.

I have to laugh a bit, as Intel drove the final RISC players out of the market by leveraging the volume of the consumer product design, and it would seem, have been bitten in the arse by the same thing. These products require volume, and production will coalesce towards the low price duopoly.

ARM was bought by Softbank, for £24bn cash, just under 4 years ago; they are a Japanese venture/hedge fund which has famously had its own problems. I wonder what they did with the money, as some of their principals are now bleating for state protection as Nvidia is allegedly an inappropriate owner of the chip designers. The Verge heralded it as another proof that intellectual property has value. The Register reports that the big stakeholders have been insuring themselves against losing access to the intellectual property.

In this article on the BBC, they returned to Hermann Hauser, one of ARM’s founders, who voted against the deal in 2016, who shares his fears for access to the technology if bought by another market participant, and possibly the decommitment to the Cambridge campus, which is a security of supply issue, but this Govt. is unlikely to do much, and it should be safer owned by someone who wants the ideas rather than an organisation which just considers it a red-ink line in the P&L. …

There’s no divorce in Bitcoin

I attended a presentation hosted by the BCS, and given by Ron Ballard, based on his article in IT Now, “Blockchain: the facts and the fiction”. What he said inspired some thoughts and reminded me of others, some of which I have previously published on my blog. I wrote an article, called Learnings of Bitcoin, which was meant to be a spoof on the Borat film title, and posted it on my linkedin blog. The article looks at the tight coupling of Bitcoin and its consensus mechanism, the proof of work, together with its costs and vulnerabilities. It examines the goal of eliminating trust authorities and its questionable ability to meet the necessary roles of money as a means of exchange and a store of wealth. In the comment pushing it, I say, "This might be a bit basic for some, but you can't have a coinless immutable blockchain, at least not one based on 'proof of work'.", at which point you need to consider if there are better data storage platforms for your use case. I use more words to explore these issues below/overleaf ....

delicious bookmarks recovered

I found my delicious bookmarks, and decided to remove those easily identified as gone away and expose the tags; on the way, I removed those without descriptions. The links came down from ~3525 to ~1800. I was fascinated by del.icio.us when I first discovered it, and used it as a micro blog. This is how it now looks in wordpress, but I need to put the anchor text, descriptions & tags through an ascii to html converter. The code is on github, in a repo called delicious tools. The next stage is to allow them to be queried using the tags (or not, if I don't think it's worth it). The wordpress plugin on broken links continues to identify those that are broken, and I usually unlink them. If interested, 'read more' …

On Record Management

As part of my series on devising systems to create logs to protect an organisation and its staff against charges of criminality, I posted an article on my linkedin blog called “Doing Record Management well”. It doesn’t surprise me that there is an ISO Standard (ISO 15489) on the subject, but it does surprise me that I hadn’t heard of it until I started to research some of the articles in this series.

I have a research note on my wiki, which links to the Bank of England policy and also quotes Deutsche Bank’s policy, which is available because they post it on the internet. I quote it here,

Deutsche Bank’s code of conduct, see page 25, says, among other things,

“Maintaining accurate books and records is fundamental to meeting our legal, regulatory and business requirements. You are responsible for maintaining accurate and complete records and for complying with all the controls and policies our bank has in place. You should never falsify any book, record or account that relates to the business of our bank, its customers, employees (including your own activities within our bank) or suppliers. You must never dispose of records or information that may be relevant to pending or threatened litigation or a regulatory proceeding unless you are authorised to do so by the Legal Department. You must also comply with applicable record retention policies.”

DB Code of Conduct …

Knowledge Graphs

I attended a Capco/Semantic Web Company webinar on Knowledge Graphs, which provoked these thoughts on how far we’ve come, new solutions to old problems and the social inhibitors to new technology adoption. The complexity of the data administration problem is why specialist tools have been developed and matured to the point that Gartner produce a Magic Quadrant on Meta Data Management tools, in which the Semantic Web Company’s PoolParty appears as a visionary. The MQ report is currently being distributed, as is normal, by one of the “Leaders”, Informatica.

Andreas Blumauer, who was one of the speakers, repeated his suggestion: start small with committed users, and possibly the best 1st solution is a semantic search. (I think I’ll have another look at implementing something on my wiki.)

I have felt for a while that semantic web technology could be used to match work to resource in the cloud, with cloud entities advertising their capability using XML; it shouldn’t be a stretch, and with Azure, these systems are being defined in XML. The other application that interests me is whether the XML/RDF models can be used to create a model of the person in the enterprise, maybe implemented in SQL; my current researches have not been fruitful. …