Sunday, February 24, 2013

Project Management - Basics of PRINCE2

PRINCE2 stands for Projects IN Controlled Environments and is a widely used project management method.  First came PRINCE in 1989 as the UK government standard for IT project management.  Since then it has been adopted by the public and private sectors world-wide and revised several times; PRINCE2 was the most significant rewrite.  The most recent version was released in June 2009, which has split the manual into two, covering project managers and project sponsors.

PRINCE2 is process-based, with processes covering starting a project, directing a project, initiating a project, managing stage boundaries (sign off and moving between stages), controlling a stage, managing product delivery (there is an emphasis on product-based planning) and closing a project.  This is all done in an environment of seven themes:  business case, organization, quality, plans, risk, change and progress.

Its approach to running a steering group or project board is very clear and there is an emphasis on roles and responsibilities.  There is a lot of documentation but you don’t have to do it all and what you do complete really helps people understand the project scope and get things right.

PRINCE2 doesn’t cover working with people and as team management and getting the best out of the people is what we all do every day, this seems like a big oversight on the part of PRINCE2, especially as project boards form such a critical part of the standard.  The PMBOK talks about the need for a project sponsor, but doesn’t go into any more detail, so it’s not much better in my opinion. In my experience, a board, or steering group, ensures much wider buy-in for the deliverables and benefits across the organization. The downside of boards is that they are harder to set up and manage, and sometimes having one person who provides executive sponsorship can be all that is needed to make decisions quickly. Boards can also be overkill for small projects, as can a lot of PRINCE2 documentation.

Saturday, February 23, 2013

Management - Difference Between Management And Leadership


Leadership is a facet of management

Leadership is just one of the many assets a successful manager must possess. Care must be taken in distinguishing between the two concepts. The main aim of a manager is to maximize the output of the organization through administrative implementation. To achieve this, managers must undertake the following functions:
  • organization
  • planning
  • staffing
  • directing
  • controlling
Leadership is just one important component of the directing function. A manager cannot just be a leader; he also needs formal authority to be effective.  In some circumstances, leadership is not required. For example, self-motivated groups may not require a single leader and may find leaders dominating. The fact that a leader is not always required proves that leadership is just an asset and is not essential.


Differences In Perspectives

Managers think incrementally, while leaders think radically.  This means that managers do things by the book and follow company policy, while leaders follow their own intuition, which may in turn be of more benefit to the company. A leader is more emotional than a manager.


Subordinate As A Leader

Often with small groups, it is not the manager who emerges as the leader. In many cases it is a subordinate member with specific talents who leads the group in a certain direction.   When a natural leader emerges in a group containing a manager, conflict may arise if they have different views. When a manager sees the group looking towards someone else for leadership he may feel his authority is being questioned.


Loyalty

Groups are often more loyal to a leader than a manager. This loyalty is created by the leader taking responsibility in areas such as:
  • Taking the blame when things go wrong.
  • Celebrating group achievements, even minor ones.
  • Giving credit where it is due.

The Leader Is Followed. The Manager Rules

A leader is someone who people naturally follow through their own choice, whereas a manager must be obeyed. A manager may only have obtained his position of authority through time and loyalty given to the company, not as a result of his leadership qualities. A leader may have no organizational skills, but his vision unites people behind him.

Management Knows How It Works

Management usually consists of people who are experienced in their field, and who have worked their way up the company. A manager knows how each layer of the system works and may also possess a good technical knowledge. A leader can be a new arrival to a company who has bold, fresh, new ideas but might not have experience or wisdom.

In conclusion managing and leading are two different ways of organizing people. The manager uses a formal, rational method whilst the leader uses passion and stirs emotions. William Wallace is one excellent example of a brilliant leader but could never be thought of as the manager of the Scots!


Management - Elements Of Good Communication Skill

Good communication skill means the ability to be understood, but it also means more than that. Have you ever noticed how good conversationalists have the ability to light up a conversation and inspire others to join in? You can learn to be like that too. Remember - any good conversation is a two-way process. It's only as good as the responses you get - but you can really improve the number and types of responses you get by honing your communication skill.

Here are a few aspects of what it means to have this skill to initiate and sustain an interesting, enjoyable conversation that everyone feels better for having participated in.

Use language and images which are familiar to your listener
You shouldn't really be surprised if you don't get much of a response if the people you're talking to don't understand you or can't relate to what you're talking about, can you? A conversation is not the time to show off what big words you know or how much more knowledgeable you are than the person you're talking to.

Watch your tone
As well as the words you use, you will no doubt be aware you can change the tone of your voice to portray a different meaning. You wouldn't speak to your boss in the same way you would reprimand your child for stepping into the road, would you? In any conversation, you need to make sure that your tone is right if you are not to offend the people you are talking to or make them worry about answering you.

Be respectful
It's a fact that we 'get on' better with people who are like us. All that means is that we find them easier to talk to. We know they will share a lot of views that we have - or at least if they don't, they will respect our views and not shout us down without allowing us to speak. Good communication skill is about letting other people speak their mind too.

Stick to the point
Don't try to 'steal' a conversation by changing the point just because you don't like it or can't think of anything to add on the topic - that's pretty bad manners!

You don't need to be the center of attention
Good conversationalists are happy to share the limelight and they don't feel the urge to steer the conversation round to focus on them or if they do, they withstand the urge! If you find yourself trying to steal the show often, slow down. Try to focus a little more closely on what is being said. That should give you some ideas of a question you may want to ask which develops the topic of the conversation or asks for clarification.

Know when it's appropriate to change the subject
Whether you were the one who started the conversation or not, change the subject when there appears to be nothing new to say or when others begin to fidget or act bored. That glazed eye look is always a dead give-away!

Don't ask too much
There's a difference between a conversation and an interrogation - or there should be! Firing too many questions at people without giving any of your own information back makes people feel pressurized and uneasy, so don't do it.

Sound and look interested in other people
There's a world of difference between giving someone the third degree and expressing a friendly interest in what they're saying. Face the person you're talking to and use an open posture with unfolded arms, leaning forward slightly but not so close to them that it becomes unnerving.
Eye contact is also great for making people feel valued when you talk to them. Let them know you're listening by acknowledging statements with a nod, comment or a question when appropriate.

Open-ended questions are best
People with good communication skill get other people talking. A good way to do this is by asking open-ended questions which can't just be answered with a simple 'yes' or 'no'.

Have something of interest to say
Keep up with current affairs and trends and take an interest in what is going on in the world around you. That way you should always have something interesting to say - and that's a pretty useful start for a conversation!

Management - Active Listening

Poor listening skills impact the problem solving and interpersonal skills process from the front line to top management. Poor listening skills will almost ALWAYS result in lost time and revenue and affect the organization's efforts to form strong service-oriented teams to compete in today's marketplace. As we all know, service behaviors have a direct impact on the organization's reputation and active listening skills are an intricate part of the puzzle to better service delivery for both the internal as well as the external customer.
Ideas to improve "Active Listening"
  • Communicate The Vision
  • Coach & Counseling
  • Motivating & Inspiring
  • Team Building
  • Setting Objectives
  • Building Trust
  • Setting An Example
  • Delegating
  • Receiving Feedback
  • Giving Feedback
  • Convincing
  • Resolve Conflicts
  • Negotiate
  • Review Performance

Management - Being Good Manager or Leader

Ideas to be Good Manager and Leader


1. Enterprising in nature:
Highly successful leaders are always enterprising in nature. They are proactive in trying out newer things to enhance the business.

2. Collaborators:
You need to be a good collaborator if you wish to be a good manager and a leader. Collaboration helps in problem solving and it also instills a sense of belonging and sharing of responsibility amongst the team members.

3. Self Motivation – An example:
A good leader needs to be self motivated and show an example. He can meet challenges head on and put forward plans to achieve results, high-handedly. If you can motivate yourself even during tough times, you are sure to become a good leader one day.

4. Delegation of work:
A manager needs to learn how to delegate work in order to be a good leader. Also, he needs to make sure that work delegated is being done effectively and efficiently and if not, he should be ready to step in and sort out issues.

5. Learning from Failures – There is always another chance:
A manager needs to learn that failures are not the right tools to gauge success. Failures happen all the time. The most important part is to learn from mistakes, adapt to changing times and keep moving on for achieving desired results.

6. Learning and listening:
A good leader should be a good listener and open to learn even if it comes from his team members.

7. Providing feedback:
Employees like to get feedback for their work in order to learn for the next time. They feel more balanced after getting feedback because they feel respected and cared for.

8. Being a coach:
Good managers are also coaches in nature – They never shy away from sharing knowledge and experience within and across teams so as to put forward a collective effort in achieving the common goals.

Friday, February 22, 2013

Windows 8 - How To Remove The Send To Option From Windows Context Menu

The context menu is a list of options that appear when you right click on a file or folder. These options let you easily move, copy or view the details of the selected item. The context menu has a Send To option. Clicking on this option lets you send a copy of the selected item to various removable drives or locations. It is possible to remove this option if the context menu has become cluttered or for any other reason. Follow these Windows 8 problems guidelines to do this.
Disable the Send To option
  • Go to Search by hitting Windows Key and C together.
  • In the Apps search field, enter regedit.exe and hit Enter. Double click on the registry editor icon to open the Registry Editor window.
  • There is a registry list in the left pane of the window. Locate the option labeled HKEY_CLASSES_ROOT and click on the arrow beside it. This expands the selected list.
  • Select the option titled AllFileSystemObjects and expand it.
  • Among the list, select shellex and expand it.
  • Proceed and expand the ContextMenuHandlers list.
  • In the list that appears, select Send To.
  • The default value of this context menu option will be displayed on the left side. To get the default value, double click on it. You will see the value as {7BA4C740-9E81-11CF-99D3-00AA004AE837}.
  • Select the value and hit the Delete button.
  • Click Ok.
The Send To option will be removed from the context menu list as soon as you do this. This means that you don’t need to restart the system for this. To verify that the option is no longer listed, open any folder on your hard disk drive and right click on any file. Check if the Send To option is seen above the option labeled Cut. You might also need to restore the option later. Follow these steps to do so.
Restore the Send To option
  • Repeat the steps mentioned above and open the registry editor window.
  • Navigate to the window that lets you edit the Send To option's default settings.
  • Double click on the Send To option and enter the following value in its default field. {7BA4C740-9E81-11CF-99D3-00AA004AE837}.
  • Click Ok.
  • This will restore the Send To option in the context menu.
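
The disable and restore procedures above, written as a script. This is an added example and not part of the original post: it exports the key before changing it and refuses to overwrite a handler value other than the one quoted on this page. The function names and the backup folder are assumptions; the key is addressed by its registry name, SendTo.

```powershell
# Added example: script form of the regedit steps above.
# Run from an elevated PowerShell prompt; writes under HKEY_CLASSES_ROOT
# need administrator rights.

$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\SendTo'
$RegExeKey = 'HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\SendTo'
$SendToId  = '{7BA4C740-9E81-11CF-99D3-00AA004AE837}'      # default value quoted on this page
$BackupDir = Join-Path $env:USERPROFILE 'RegistryBackups'  # assumption: any writable folder works

function Get-SendToHandler {
    # Returns the key's (default) value, or $null if the key or value is missing.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
}

function Backup-SendToKey {
    # Export the key to a timestamped .reg file so the change can be undone
    # by double-clicking the file, even if this script is not available.
    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $file = Join-Path $BackupDir ("SendTo-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export $RegExeKey $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $RegExeKey" }
    $file
}

function Disable-SendTo {
    $current = Get-SendToHandler
    if ([string]::IsNullOrEmpty($current)) {
        Write-Output 'Send To is already disabled (default value is empty).'
        return
    }
    if ($current -ne $SendToId) {
        # A different value means another shell extension is registered under
        # this name. Record it and investigate instead of overwriting it.
        Write-Warning "Unexpected handler value '$current'; nothing changed."
        return
    }
    $backup = Backup-SendToKey
    Set-ItemProperty -LiteralPath $KeyPath -Name '(default)' -Value ''
    Write-Output "Send To disabled. Backup written to $backup"
}

function Restore-SendTo {
    $current = Get-SendToHandler
    if ($current -eq $SendToId) {
        Write-Output 'Send To is already enabled.'
        return
    }
    if (-not [string]::IsNullOrEmpty($current)) {
        Write-Warning "Unexpected handler value '$current'; nothing changed."
        return
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $KeyPath -Name '(default)' -Value $SendToId
    Write-Output 'Send To restored.'
}

# Report the current state; call Disable-SendTo or Restore-SendTo to change it.
$state = Get-SendToHandler
if ($state -eq $SendToId) { 'Send To handler is registered.' }
elseif ([string]::IsNullOrEmpty($state)) { 'Send To handler is not registered.' }
else { "Send To key holds an unexpected value: $state" }
```

As with the manual steps, the change applies to context menus opened afterwards, without a restart.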

Wednesday, February 20, 2013

Change Management - ITIL

Goals for Change Management
• Increase System stability, integrity & performance
• Decrease System maintenance, time & effort
• Enhance business alignment and flexibility
• Set availability goals
• Increase user satisfaction and IT staff productivity
• Improve audit and accountability
• Decrease “emergency” fixes
• Eliminate repeat changes
• Decrease risk
• Increase visibility of internal controls
• Integrate with other ITIL Departments

Steps to Implement Change Management
• Extensible Workflow:  Robust workflow reinforces a best practices framework by routing each Request for Change (RFC) through a process designed to manage the entire change lifecycle: request, screen, authorize, implement, release, and review.

• User Roles:  The creation of configurable roles allows IT decision makers to define responsibilities and access levels, ensuring that team members focus on tasks appropriate to a defined scope and avoid operating at cross purposes - or beyond their authority.

• Impact Analysis:  Resource management functions enable Change Management to forecast change risks for interdependent resources and identify users potentially impacted by a proposed change.

• Notification/Communication:  There is a need to enforce notification of relevant decision makers and team members at each step in the change lifecycle and promote communication before, during, and after change, as opposed to under-communicated or after-the-fact discussions typical of unauthorized/unplanned change activities.

• Auditing:  Create a change log to track all significant events in the change lifecycle, thereby creating an historical document that can be referenced during the change lifecycle, post-release review, rollback, or for compliance with regulatory legislation such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry (PCI) Data Security Standard.

• Measurement: Change management metrics aid IT accountability and visibility by providing detailed measurement of factors such as the number of changes managed; success vs. failure rates; and cost of change.

• Compliance Reporting: Change Management should have detailed reporting capabilities to allow for quick response to requests for insight into change activities by focusing attention on change status, cost, impacted resources, priority/category of change, and change by user or department.

• Overview: Create a Dashboard to provide a detailed overview of the entire change management process, highlighting past and ongoing change activities.

Suggestions for Change Management
• Hold Benchmark sessions for representatives from major functions of IT

• Determine performance issues, frequent outages, length of time for changes to be implemented

• Business Process Evaluation: interview process and functional owners to gain a deeper understanding of IT and business change management processes

• Perform a detailed technology analysis walk-thru for a sample of change throughout the systems to understand how changes are actually implemented - identify strengths and opportunities

• Decide on software - how will Change tickets be opened? (self-service Service Desk)

• Create templates to track changes (place on Intranet) (review changes, send on to approval matrix - once approved then on to implementation phase and then scheduled)

• Create approval process flow

• (Endeavor) to validate software packages for errors and to push changes from staging to production (distributed or mainframe)

• Create Flowcharts - Brochure

• Increase Awareness

• Analyze Data - Create Dashboard

• Set up 3x weekly Change Advisory Board meeting (1 day for Internet Hosting)

• Document standardized policies and procedures

• Establish good communication, protocol for notifying end users of change

• Meet audit and compliance objectives (HITECH, HIPAA concerns?)

• Create reports - Daily, Monthly, Analytic (how many changes were successful, unsuccessful, cancelled, backed-out, etc.)

• Emergency Changes (paging system - needs approval from Manager on Duty and possibly VP)
 
Additional Facts

According to industry surveys:

• 80% of IT-related problems that lead to downtime are directly attributable to changes made to the environment.

• SCM and help desk tools, while useful for their intended purpose, lack the multilevel approval workflows, impact analysis tools, and advanced communication features needed to effectively manage change in distributed, high-demand IT environments.

• Frameworks such as the ITIL prescribe approaching change systematically, with emphasis on treating each change as a lifecycle consisting of definable components that are segregated, analyzed, and efficiently executed.

• Levels of Measuring the Maturity of an IT Organization’s Management of Change (Gartner)
Level 0 - Chaotic: Use no problem tracking, have ad hoc response methods with heavy reliance on employee knowledge/skill and information communication
Level 1 - Reactive: Have a Service Desk and some form of problem tracking (often using a help desk tool); employ root cause analysis
Level 2 - Proactive: Enter into service level agreements and use some form of change and configuration management
Level 3 - Service: Employ service level management and event correlation; negotiate, define, and manage the levels of IT services provided to the enterprise
Level 4 - Value: Act as strategic contributor to business opportunity by leveraging IT resources

Change Management - How to Implement Service Management

Introducing Service Management into an organization need not be viewed as the huge project that many people seem to think it must necessarily entail. In fact, a good way of going about the task is to think of it as a Service Improvement Programme or a Continual Service Improvement Programme (CSIP).

Most organizations considering implementing Service Management already have several, or perhaps many of the ITIL processes in place. For example, it is difficult to see how an IT department could serve its customers without having at least something that approximates to a Service Desk and, at very least, an Incident Management process, no matter how immature, already in place. Similarly, the existing IT staff will already be using a toolset that provides some kind of mechanism for recording, tracking and closing incidents.

So, in many ways, the organization will already be engaged in Service Management to some extent - even if it is a very limited implementation. The Service Improvement Programme approach, then, is not only a valid option, but a sensible one. The operation can utilize the Continual Service Improvement (CSI) approach to get from its current state to its desired future state.

Here are the steps:

* Where are we Now?
* Where do we Want to Be?
* How will we Get There?
* How will we know we have Arrived?

Those four simple steps are the steps of a Service Improvement Programme. An organization with just a Service Desk and Incident Management process in place might elect to focus on introducing Problem Management, for example; or perhaps, simply improving their existing Incident Management process. This can be properly planned, executed and bedded-in before considering what to do next.

Continuing in this manner, using cycles of improvement, you effectively have a Continuous Service Improvement Programme. ITIL has value for the organization since it provides the overarching, grand vision to which these cycles of improvement will be working. This approach can be very powerful. You don't have the potential disruption and other challenges associated with managing a larger-scale project and over the course of time, you can achieve significant improvement.

In adopting this approach, after each individual cycle (programme), you would stop and take steps to consolidate your position before eventually deciding to move-on. This means ensuring that the improvements are driven deeply into the working methods of the people who are responsible for your service provision. It is better to do one cycle of improvement well than to attempt to implement a whole raft of changes and, as a consequence, end-up doing them all poorly.

Let's take a look at each of the steps of a Service Improvement Programme:


Where are we Now?
This step involves the activity usually known as 'base lining'. The idea is to take some kind of measurement of your current position. If you wanted to improve Incident Management, for example, you might use one of the process maturity measurement frameworks, such as CMMI (Capability Maturity Model Integration), to assess the current level of maturity of your existing process. Alternatively, the base lining step might simply involve taking some simple measurements such as the number, or percentage, of incidents correctly classified at first point of contact. The idea is to take a measurement (or measurements) that can be later used to prove that an improvement did indeed result.


Where do we Want to Be?

This involves setting a specific, measurable goal for the improvement programme. Remember the SMART acronym? Goals should be:

S - Specific
M - Measurable
A - Achievable
R - Realistic
T - Timetabled

For example, you might have a goal to improve the number of incidents correctly classified from the existing 50% to a desired 80% (just an example) within the next one month period. Notice how that goal is (SMART).


How do we Get There?

Generate a plan for the introduction of the improvement - whatever it is. This plan should contain everything necessary to get the change successfully implemented. If your organization already has Change Management in place, for example, it would include the RFCs (Requests for Change) necessary to introduce the change initiative. If your operation does not yet have formal Change Management in place, then the plan would make use of existing internal processes for introducing change.


How will we know we've Arrived?

This is again down to measurement. If your goal had been to improve Incident Management, for example, then perhaps you might expect to see some of the following measurable outcomes:

* Increased Customer Satisfaction
* Better Classification of Incidents at First Point of Contact
* Quicker & More Accurate Escalation of Incidents
* Reduced Time-to-Fix/Respond to Incidents

If you already have Problem Management in place, then additional measurable outcomes might include:

* Better use of KEDB (Known Error Database)
* Reduced Impact of Incidents Using Workarounds
* Better Handling of Major Incidents
* Improved Identification of Problems at the Service Desk

The above items can all be measured and could all be a part of the initial base lining step (Where are we Now?). They can then be compared to the new measurements taken after the improvement initiative.


Which Improvements to Target

Using the above approach, significant improvement can be made over the course of time with minimum disruption to Business-as-Usual operation. The challenge is to choose the improvements that will deliver the most benefits. Of course, getting a few quick-wins is a very useful approach that will help to gain buy-in from those most-affected by the changes. So this should always be taken into account when prioritizing improvement initiatives.

A particular challenge for many organizations is the matter of Configuration Management. A lot of organizations are not doing it at present, or are not doing it well. A good CMS (Configuration Management System) with a strong process well-integrated with Change and Release Management processes is right at the heart of effective Service Operations. Getting these things right can lead to huge benefits to the business in terms of cost-savings realized from minimized disruption from necessary change.

In addition, a good Service Catalogue properly integrated within a Portfolio of services will help to get everyone in IT into the Service Management mindset i.e. that IT's job is that of providing services to the business; rather than just keeping the infrastructure working. Good tools can help to get these things right but it is important to choose tools that work the way you want.


Will we Ever Finish Implementing Service Management?

Perhaps the best answer to this is - no!

These days, Service Management is seen much more as a dynamic entity. There will always be changes to cope with; and we will always be finding better ways of dealing with that change. We will always be adapting our thinking as well as our working methods and tools, so Service Management is always likely to be a journey; and not a destination.

Tuesday, February 19, 2013

Project Management - What Should Project Managers Do When Projects Fail?

We’ve all been there at least once. The moment you get that phone call or email, and the project first turns the corner, and starts on the downward spiral to failure. What do you do? What is the best course of action when projects start to fail?

Unfortunately professional project managers, regardless of knowledge, experience, or background, all experience failure from time to time…and we hate it. While we can’t always predict failure or avoid it, there are tactics we can use to deal with it. Some of these tactics include some of what we already know, such as putting together risk response and management plans, holding regular team planning meetings, and practicing good document control.

However, there are things that can come up and happen at the last minute that can send a project downhill. Here are some best courses of action on how project managers can deal with failing projects:

1. Don’t Panic. When you receive a problematic email or phone call from a customer, team member, or sales rep, the first thing you should not do is panic. This can be difficult, especially if the person on the other line or that has written the email is emotional in some way. Your response should be calm and address the situation.

If you don’t have a solution right at that moment, at least respond to the email or phone call and let him or her know that you are looking into the situation and will get back to them as soon as possible. If needed, take a time out and go for a walk to help clear your mind. While you may think it’s not the best time to take a walk, giving yourself a minute to calm down and think about the situation could be your best asset. Addressing the situation with a clear head and a fresh state of mind can really help.

2. Check the Schedule. Once you have addressed the concerns, informed the customer, sales rep, and team, the next step should be addressing the schedule. What stage is the project at? Where is the project? How will this change impact the schedule in terms of project milestones and deliverables?

3. Devise a Solution. Once you have taken care of the first two items, now it’s time to put together a solution. Again, what is the concern at hand? How will it impact the schedule? How will it impact deliverables? Sometimes a solution cannot solve all three of these items. For instance, making a change in the late stage of a project may impact the schedule and risk on time delivery of a particular product, which could lead to an angry customer. However, it is best to work with the customer to see if negotiating on any level is possible.

All in all, there may be many reasons for a project to fail. They may not even be necessarily linked to a customer; there could be internal factors as well, such as staffing, technology, or even lack of resources. However, these typically can be addressed during the risk management and assessment stage at the beginning of a project.

By practicing the above steps to address a failing project, and keeping these in mind while you are working, you will be able to address the signs of project failure and respond to them immediately. The customer and your team will thank you for it, and it will ultimately lead to overall project success.

Project Management - Project About To Fail?

As a project manager, you are responsible for the overall success of a specific project. Suppose that, when 70% of the total duration of a project is complete, suddenly you realize that your project is going to fail. Being quite perplexed, you will look for probable solutions. Here are some important tips that will surely help you in this dire situation:
  1. Defining Project Success Criteria and Expectations Properly
    There must be a specific roadmap for the success of the project as well as clear and realistic objectives. Any sort of mistake in this regard would ultimately lead to the failure of the project.
  2. Adequate Planning
    Planning for the project progress must be a continuous process. Any changes should be made in the planning process as soon as they are felt necessary. Every member of the project team should be confident about the necessity of these changes. Proper attention must be given in this regard. This process will be really helpful to minimize the possibility of project failure.
  3. Improving Communication
    Proper communication is the most important matter for the overall progress of the project. The project manager has to identify whether there is any sort of communication problem between the team members of the project. He/she should always be alert about the fact that all of the stakeholders of the project should get messages properly and in time. Moreover, he/she should always discuss with the team members and give proper value to their suggestions.
  4. Solving Leadership Problems
    Successful leadership is required from every stakeholder of the project, from top to bottom. Everybody should be clear about who is responsible for what in a project. The project manager has to find out whether there is any sort of incapability in leadership that is evident from any person involved in the project, and he has to guide him properly so that all problems regarding this issue are quickly sorted out.
  5. Ensuring Plenty of Resources
    The appropriate authority must ensure the quick availability of required resources (both physical and human), otherwise it will be quite impossible for the project manager to ensure that the project ends successfully. Sometimes it will be required to hire resources, and the management should make a prompt decision to hire those resources.
  6. Setting Realistic Deadline
    When an impractical deadline is set for finishing project activities, it will surely lead to frustration and disappointment. That is why the project leader should always pay proper attention to setting a completely reasonable deadline. If he/she feels that this deadline cannot be met, he/she must come forward to review the overall progress of the project and set up a new deadline, if possible. Otherwise, he/she should delegate more tasks to the project members to speed up the whole process. In case of necessity, he/she should hire appropriate staff to ensure the smooth progress of the project.
  7. Being Conscious about the Budget
    If the project manager becomes certain that the remaining activities of the project cannot be finished successfully with the available budget, he/she should start minimizing the cost and become totally alert in further activities. The project manager should also make sure that the overall quality of the project is not compromised at any level while minimizing cost.
  8. Ensuring Strong Monitoring
    The project manager should always be strict enough to ensure the proper monitoring of activities related to the project. Without proper monitoring, there is every chance that situations will arise that lead to a last-minute surprise and the ultimate failure of the project.
  9. Improving Risk Management System
    Less focus on risk management would certainly lead to project failure, and most often the point of failure would be at the tail end, so all the cost spent on it might be sunk with low or zero ROI. That is why the project manager should review the risk management strategies regularly so that in any emergency he/she can stand firm and make quick decisions.
  10. Making Certain about the Involvement of Senior Management and Business Owners
    The project manager should always ensure the proper and timely involvement of the senior management or business owners in all decisions taken during the project period. This will help him/her to take the necessary measures when required.

Sunday, February 17, 2013

Security - How can I tell if my computer is infected?

My anti-virus program found and removed a virus from my PC. I've also run several anti-spyware programs. They found and removed like 10 or more Trojans from my computer as well. My antivirus program says I'm clean and protected and there doesn't really seem to be a virus on my PC. However, I can't just use every possible security product to make sure that my computer is completely virus-free. I don't want to format the hard disk and reinstall Windows either. I'm just wondering if I'm infected or not? How can I tell if my computer is infected? Thanks.

More and more people are using computers nowadays; however, not everyone pays much attention to security, and some have no clue whether or not their computer is infected. Of course, if you don’t see any obvious symptoms of infection, you may think that your PC is virus-free at the moment, but are you sure?

The truth is that there’s no way to prove that your computer is absolutely clean. You may use every possible scanner or a bunch of up-to-date tools, but the possibility of infection still remains. You will probably agree that no tool catches everything. So how can you be sure about your computer?

For instance, let’s take the most common symptoms of malware infection:
  • warnings from your anti-malware software,
  • unusual activity on your system,
  • slower computer performance,
  • occurrence of unauthorized remote connection,
  • inappropriate internet speed,
  • questionable pop-ups telling you that your computer is in danger and needs a scanner or other program you’ve never heard of,
  • problems with booting, or rebooting before login, etc.
Any of the above might be a symptom of infection, or might not. In other words, the occurrence of these symptoms does not necessarily mean that your computer is infected, and their absence does not guarantee that your machine is totally clean. Even if your computer works perfectly, it doesn’t prove anything. You might be OK and you might not. There’s simply no way to know.

The news, obviously, isn’t very exciting… But what can you do? Well, first you should stop claiming that your PC is virus-free, and second, you should do everything to increase this likelihood greatly. The basic steps are presented below:
  • install and run an anti-virus program, and always check that the software is still valid and its database is up-to-date,
  • use only licensed software programs and don’t forget to update them (so that any vulnerabilities discovered after purchase are corrected),
  • choose adequate firewall settings (control the software and hardware which is using a router),
  • be careful when sharing information with other computers, because one infected computer may spread its infection to others through the connection channel,
  • use your PC rationally.
The last point refers to your activities and awareness. No one will help you if you keep on opening spam or unsolicited attachments, or surfing through unsafe websites and other places where you can easily get a malware, spyware or virus infection. It is strongly advisable to be careful with internet content as well as with CDs, USB sticks or other input devices before opening and using them.

To sum up, no tools or safety measures can protect you from yourself. But if you follow all the recommendations honestly, you will be able to say that your computer is as clean as possible.

Security - Most Dangerous Things to Have on Your Network

1. Anything with a DHCP service

Be it a wireless router, personal firewall, or a virtual machine instance on a bridged connection, adding anything that runs DHCP onto a production network can cause problems for everyone on that VLAN. Remember DHCP is a broadcast service, and when a client asks for a lease, it will take the first one it hears offered. What’s going to be faster, the device you just connected, or the overworked three-year-old server?

2. An open share with all the application installers

It really sounds like a great idea. Create a share, give everyone read access, and put installers for all the different applications you use in that directory so folks can easily find and install what they need, when they need it. If you have a site license for everything in that folder, it is not a bad idea. If you bought ten licenses for Adobe Acrobat, and 100 people find and install it, suddenly it is a compliance and licensing nightmare. Never leave software installers on the network where regular users can get to them unless you are prepared for a massive annual true-up bill.

3. The second, third, fourth…and Nth remote control tool

There’s nothing wrong with having a remote control application installed on your workstations and servers so you can assist users and manage systems. The problem comes in when you have eight different admins and they each have their personal favourite. Each remote control app you install on a workstation is another port listening, another memory hog, another app to patch, and another way for an attacker to break in. When you do that to a server, the potential impact is even worse. Choose one, choose wisely, and ban all the rest.

4. Bulk email tools

What’s the quickest way to get your entire IP range on a blacklist? Leave an open relay. What’s the second quickest? Let someone in marketing install a bulk mailer application that starts spewing out hundreds if not thousands of emails per hour. Seriously, get in front of this by working with marketing to ensure they have a satisfactory external bulk mailer service so you don’t have to deal with being blacklisted.

5. Password crackers

While authorized personnel working within the context of security might use a password cracking tool to either audit the network, or attempt recovery of data, a password cracking tool can easily be run improperly, resulting in the lockout of every user account on the network. These tools, in the right hands and run in closed environments, can be very useful, but so too can a blowtorch. Both can cause serious damage when used incorrectly.

6. Open Guest Networks

An open guest network may seem like a great “tool” both for your guests and for when you need to test something outside the confines of your corporate LAN, but it can be easily misused. Even when separated from your internal network, it usually uses the same Internet connection as your corporate network does, which means bad traffic coming from your guest network still comes from your corporate network as far as the rest of the Internet is concerned. Use a captive portal and run IDS on your guest network so you can control who uses it, and make sure they don’t misuse it.

7. Anything that is out of support

It doesn’t matter how great a job that app does, or how much the business complains that they can neither live without it nor replace it, anything that is no longer supported needs to get the heck off your network. I have seen dozens of upgrades get 90% of the way through, only to encounter that one legacy app no one even remembers setting up, that some group has built their entire mission critical workflow around, and that cannot be upgraded to work with your new system. Make it the 11th commandment – Thou Shalt Not Run Any Unsupported App.

8. Anything that can send an unlimited number of alerts

This one kills me every time I run into it, and I run into it at practically every customer I work with. Some monitoring system is set up to send out email alerts when something bad happens, like a server goes down or a service stops, and it is misconfigured such that it sends thousands of email alerts as quickly as it can spawn them. That in turn overwhelms your email system, which slows everything else down, and you spend more time deleting the alerts than you did fixing the problem that caused them. Alerts are good, when they have reasonable limits.

9. BitTorrent applications

BitTorrent is an extremely useful protocol that can be used for downloading a variety of different binaries, most good. A misconfigured BitTorrent client uses up a tremendous amount of bandwidth though, so if you are going to use this tool, be very careful how you configure it, and ensure that only authorized users run these tools.

10. Security auditing software

Okay, before everyone hits the panic button on this, hear me out. Security auditing tools, when installed on a security professional’s workstation, run with the knowledge of what they are for, and the authority to use them, are just fine. When they are run by a Curious George and run against the entire network during the production day, they can wreak havoc, locking out accounts, crashing services, and generally causing everyone a bad day.
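For item 1 above, a monitoring-side check that spots an unexpected DHCP server by reading the server identifier (option 54) out of OFFER/ACK replies and comparing it with the list of servers you actually run. This is an added example, not code from the original post; the authorised address, the sample packets and all function names are assumptions made for the demo, and the input is the UDP payload of DHCP traffic however you capture it.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options (RFC 2131)
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MESSAGES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # only servers send these


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message into the fields needed here."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:              # single padding byte, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"")
    server_id = options.get(OPT_SERVER_ID, b"")
    return {
        "xid": struct.unpack("!I", payload[4:8])[0],
        "offered_ip": str(ipaddress.IPv4Address(payload[16:20])),   # yiaddr
        "client_mac": payload[28:28 + hlen].hex(":"),               # chaddr
        "msg_type": msg_type[0] if len(msg_type) == 1 else None,
        "server_id": str(ipaddress.IPv4Address(server_id)) if len(server_id) == 4 else None,
    }


def find_rogue_servers(payloads, authorised):
    """Return one finding per server reply whose server identifier is not authorised."""
    findings = []
    for payload in payloads:
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            continue                     # not DHCP, or malformed: skip it
        kind = SERVER_MESSAGES.get(msg["msg_type"])
        # A reply with no server identifier at all is reported too (server_id is None).
        if kind and msg["server_id"] not in authorised:
            findings.append({**msg, "kind": kind})
    return findings


def build_sample(msg_type, server_ip, offered_ip, mac, xid):
    """Construct a minimal DHCP message for the demo (not captured traffic)."""
    op = 2 if msg_type in SERVER_MESSAGES else 1     # BOOTREPLY or BOOTREQUEST
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0,
        bytes(4), ipaddress.IPv4Address(offered_ip).packed, bytes(4), bytes(4),
        bytes.fromhex(mac.replace(":", "")), b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_ip:
        options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    return fixed + MAGIC_COOKIE + options + bytes([OPT_END])


AUTHORISED = {"10.0.0.10"}   # assumed address of the production DHCP server
SAMPLES = [                  # constructed: one client asks, two servers answer
    build_sample(1, None, "0.0.0.0", "00:11:22:33:44:55", 0x1001),
    build_sample(2, "192.168.1.1", "192.168.1.50", "00:11:22:33:44:55", 0x1001),
    build_sample(2, "10.0.0.10", "10.0.0.87", "00:11:22:33:44:55", 0x1001),
]

if __name__ == "__main__":
    for f in find_rogue_servers(SAMPLES, AUTHORISED):
        print(f"unauthorised DHCP {f['kind']} from {f['server_id']} "
              f"offering {f['offered_ip']} to {f['client_mac']}")
```

On managed switches, DHCP snooping enforces the same allow-list at the port level instead of only reporting on it.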
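For item 8 above, one way to give alerts "reasonable limits": pass the first few alerts for each check through, hold back the rest of the burst, and send a single summary when the window closes. This is an added example, not code from the original post or from any monitoring product; the class, the key names and the burst and window values are assumptions.

```python
class AlertThrottle:
    """Mail at most `burst` alerts per key per `window` seconds, then summarise."""

    def __init__(self, burst=3, window=300):
        self.burst = burst
        self.window = window
        self._open = {}   # key -> {"start": time, "sent": count, "held": count}

    def _close(self, key):
        """End the window for a key and return its summary message, if any."""
        state = self._open.pop(key)
        if state["held"]:
            return [f"{key}: {state['held']} further alerts suppressed "
                    f"in the last {self.window}s"]
        return []

    def offer(self, key, text, now):
        """Return the messages to mail for this event (possibly none)."""
        out = []
        state = self._open.get(key)
        if state and now - state["start"] >= self.window:
            out += self._close(key)      # old window expired: summarise it first
            state = None
        if state is None:
            state = self._open[key] = {"start": now, "sent": 0, "held": 0}
        if state["sent"] < self.burst:
            state["sent"] += 1
            out.append(f"{key}: {text}")
        else:
            state["held"] += 1           # counted, not mailed
        return out

    def flush(self, now):
        """Call periodically so summaries go out even if the check goes quiet."""
        out = []
        expired = [k for k, s in self._open.items() if now - s["start"] >= self.window]
        for key in expired:
            out += self._close(key)
        return out


def simulate_storm():
    """Constructed scenario: one check fires 1,000 times in 100 seconds."""
    throttle = AlertThrottle(burst=3, window=300)
    mailed = []
    for i in range(1000):
        mailed += throttle.offer("server01/http", "service stopped", now=i // 10)
    mailed += throttle.offer("server02/disk", "volume 95% full", now=50)
    mailed += throttle.flush(now=400)
    return mailed


if __name__ == "__main__":
    for line in simulate_storm():
        print(line)
```

Keying the throttle on host and check keeps a noisy service from hiding an unrelated alert on another server.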

Security - Major Software Vendors Security Patching Schedule

An important aspect of patch management and your patching schedule is to understand the patch release cycles adopted by the most important software vendors. In this post, we take a look at some statistics on this topic and how patch release cycles have changed over the last few years.

The big players in the software industry are taking security seriously. They are becoming more efficient in fixing security issues and the results are evident. Six vendors, Microsoft, Adobe, Mozilla, Apple, Oracle and Google, together released 257 security bulletins/advisories fixing 1,521 vulnerabilities in 2011. In 2010, these vendors fixed 1,458 vulnerabilities. Basically, a typical machine that is not patched will be exposed to between 30 and 50 new security vulnerabilities each month from the last time it was patched.

Microsoft

Microsoft releases their security updates on the second Tuesday of every month. The well-known release schedule for security updates helps users to plan their deployment accordingly. It is recommended that new patches are tested before they are applied in a production environment because some patches may cause issues in some cases, from preventing a service from starting to crashing the system. Occasionally, when critical vulnerabilities are identified or have been disclosed to the public, Microsoft will release a fix outside the ordinary schedule.

100 security bulletins were released by Microsoft in 2011, addressing 240 vulnerabilities. These are fewer than the figure for 2010 when there were 106 security bulletins released, addressing 266 vulnerabilities. The number of critical security issues detected in Microsoft products is decreasing; however the number of security updates remains high due to non-critical security issues.

Adobe

Adobe adopted the Microsoft model to release their security updates on “Patch Tuesdays”. This is because customers wanted a single patch cycle for both Adobe and Microsoft so that it would be easier for them to keep their systems fully patched. Adobe products were a preferred target for hackers and security researchers over the past few years and numerous fixes were released as a result.
A total of 29 security bulletins were released by Adobe in 2011, addressing 197 vulnerabilities. This is one less bulletin than in 2010 when there were 30 security bulletins, addressing 202 vulnerabilities.

Mozilla

Mozilla releases a new version of Firefox that includes the latest security fixes every six weeks. Occasionally they release updates containing security fixes out of the normal six-week cycle.
59 security bulletins were released by Mozilla in 2011, addressing 93 vulnerabilities – fewer than the 84 security bulletins released in 2010, addressing 102 vulnerabilities.

Apple

Apple does not pre-announce or release their security updates on a regular schedule, thus making it difficult for companies to prepare for patch deployment in their environments. Apple’s software is also based on a large number of third party components that have their own vulnerabilities. For example, an update for Mac OS X will probably include fixes for Apache, MySQL, Java, OpenSSL, PHP, Python and so on. The problem with this is that a period of time passes between the moment the vulnerability is fixed in the third-party component and the time when Apple updates the component in their system.

Apple does not provide a severity rating for their bulletins, but usually they contain a large number of fixes and must all be considered critical.

The number of security bulletins released by Apple has been pretty constant over the last few years – between 30 and 40 bulletins per year. 38 security bulletins were released by Apple in 2011, addressing an impressive number of 402 vulnerabilities. The same number of bulletins was released in 2010. Two years ago the number of vulnerabilities hit 468.

Oracle

Oracle releases their security updates using two schedules. Java updates are released three times per year in February, June and October. All other products’ security updates are released once per quarter in January, April, July and October.

As the updates are concentrated in quarterly batches, all security bulletins from Oracle include a large number of security fixes for a large number of Oracle products (except for the Java updates) and they are all rated critical.

Occasionally – one to two times a year – for some high impact vulnerabilities, Oracle does provide an out-of-band security fix. 334 vulnerabilities were fixed in the nine security bulletins provided by Oracle in 2011. This is more than the 273 vulnerabilities addressed in 2010.

Google

Google releases security updates for Google Chrome all the time, even three times a month. Their release cycle is fast and the product is updated on a continuous basis. This is OK for home users that leave the product to automatically update itself, but for enterprises that want to test patches before applying them in a production environment it can be overwhelming: Google Chrome gets more security fixes, twice as often, than all Microsoft products together. The number of vulnerabilities discovered in Google Chrome is also on the increase.

22 Google Chrome updates contained security fixes for 255 vulnerabilities in 2011. This is more than the 147 vulnerabilities addressed by security fixes in 2010.

Security - Network Security 101

1. Policies

The best laid plans of mice and men oft go awry, and nowhere can this happen more quickly than where you try to implement network security without a plan, in the form of policies. Policies need to be created, socialized, approved by management, and made official to hold any weight in the environment, and should be used as the ultimate reference when making security decisions. As an example, we all know that sharing passwords is bad, but until we can point to the company policy that says it is bad, we cannot hold our users to account should they share a password with another. Here’s a short list of the policies every company with more than two employees should have to help secure their network:
1. Acceptable Use Policy
2. Internet Access Policy
3. Email and Communications Policy
4. Network Security Policy
5. Remote Access Policy
6. BYOD Policy
7. Encryption Policy
8. Privacy Policy
A great resource for policy starter files and templates is the SANS Institute at http://www.sans.org.

2. Provisioning Servers

When asked why he robbed banks, American criminal Willie Sutton answered “because that’s where the money is”. If you could ask a hacker why s/he breaks into servers, s/he would probably reply with a similar answer: “because that’s where the data is”. In today’s society, data is a fungible commodity that is easy to sell or trade, and your servers are where most of your company’s most valuable data resides. Here are some tips for securing those servers against all enemies – both foreign and domestic. Create a server deployment checklist, and make sure all of the following are on the list, and that each server you deploy complies 100% before it goes into production.

Server list

Maintain a server list that details all the servers on your network – SharePoint is a great place for this. At a minimum it should include the name, purpose, IP address, date of service, service tag (if physical), rack location or default host, operating system, and responsible person. We’ll talk about some other things that can be stored on this server list down below, but don’t try to put too much data onto this list; it’s most effective if it can be used without side to side scrolling. Any additional documentation can be linked to or attached. We want this server list to be a quick reference that is easy to update and maintain, so that you do.

Responsible party

Each server must have a responsible party; the person or team who knows what the server is for, and is responsible for ensuring it is kept up-to-date, and can investigate any anomalies associated with that server.

Naming convention

Naming conventions may seem like a strange thing to tie to security, but being able to quickly identify a server is critical when you spot some strange traffic, and if an incident is in progress, every second saved counts.

Network Configuration

Ensure that all network configurations are done properly, including static IP address assignments, DNS servers, WINS servers, whether or not to register a particular interface, binding order, and disabling services on DMZ, OOB management, or backup networks.

IPAM

All servers should be assigned static IP addresses, and that data needs to be maintained in your IP Address Management tool (even if that’s just an Excel spreadsheet). When strange traffic is detected, it’s vital to have an up-to-date and authoritative reference for each IP address on your network.

Patching

Every server deployed needs to be fully patched as soon as the operating system is installed, and added to your patch management application immediately.

Antivirus

All servers need to run antivirus software and report to the central management console. Scanned exceptions need to be documented in the server list so that if an outbreak is suspected, those directories can be manually checked.

Host intrusion prevention/firewall

If you use host intrusion prevention, you need to ensure that it is configured according to your standards, and reports up to the management console. Software firewalls need to be configured to permit the required traffic for your network, including remote access, logging and monitoring, and other services.

Remote access

Pick one remote access solution, and stick with it. I recommend the built-in terminal services for Windows clients, and SSH for everything else, but you may prefer to remote your Windows boxes with PCAnywhere, RAdmin, or any one of the other remote access applications for management. Whichever one you choose, choose one and make it the standard.

UPS and power saving

Make sure all servers are connected to a UPS, and if you don’t use a generator, that they have the agent needed to gracefully shut down before the batteries are depleted. While you don’t want servers to hibernate, consider spinning down disks during periods of low activity (like after hours) to save electricity.

Domain joined

Unless there’s a really good reason not to, such as application issues or because it’s in the DMZ, all Windows servers should be domain joined, and all non-Windows servers should use LDAP to authenticate users against Active Directory. You get centralized management and a single user account store for all your users.

Administrator account renamed and password set

Rename the local administrator account, and make sure you set (and document) a strong password. It’s not a foolproof approach, but nothing in security is. We’re layering things here.

Local group memberships set and permissions assigned

Make any appropriate assignments using domain groups when possible, and set permissions using domain groups too. Only resort to local groups when there is no other choice and avoid local accounts.

Correct OU with appropriate policies

Different servers have different requirements, and Active Directory Group Policies are just the thing to administer those settings. Create as many OUs as you need to accommodate the different servers, and set as much as possible using a GPO instead of the local security policy.

Confirm it’s reporting to management consoles

No matter what you use to administer and monitor your servers, make sure they all report in (or can be polled by) before putting a server into production. Never let this be one of the things you forget to get back to.

Unnecessary services disabled

If a server doesn’t need to run a particular service, disable it. You’ll save memory and CPU, and it’s one less way bad guys will have to get in.

SNMP configured

If you are going to use SNMP, make sure you configure your community strings, and restrict management access to your known systems.

Agents installed

Backup agents, logging agents, management agents; whatever software you use to manage your network, make sure all appropriate agents are installed before the server is considered complete.

Backups

If it’s worth building, it’s worth backing up; no production data should ever get onto a server until it is being backed up.

Restores

And no backup should be trusted until you confirm it can be restored.

Vulnerability scan

If you really think the server is ready to go, and everything else on the list has been checked off, there’s one more thing to do – scan it. Run a full vulnerability scan against each server before it goes production to make sure nothing has been missed, and then ensure it is added to your regularly scheduled scans.

Signed into production

Someone other than the person who built the server should spot check it to be sure it’s good to go, before it’s signed into production. By “signing” it, that user is saying they confirmed the server meets your company’s security requirements and is ready for whatever the world can throw at it. That person is also the second pair of eyes, so you are much less likely to find that something got missed.

3. Deploying workstations

Making sure that the workstations are secure is just as important as with your servers. In some cases it’s even more so, since your servers benefit from the physical security of your datacenter, while workstations are frequently laptops sitting on table tops in coffee shops while your users grab another latte. Don’t overlook the importance of making sure your workstations are as secure as possible.

Workstation list

Keep a list of all workstations, just like the server list, that includes who the workstation was issued to and when its lease is up or it’s reached the end of its depreciation schedule. Don’t forget those service tags!

Assigned user

Track where your workstations are by making sure that each user’s issued hardware is kept up-to-date.

Naming convention

It’s very helpful when looking at logs if a workstation is named for the user who has it. That makes it much easier to track down when something looks strange in the logs.

Network Configuration

You’ll probably assign IP addresses using DHCP, but you will want to make sure your scopes are correct, and use a GPO to assign any internal DNS zones that should be searched when resolving flat names.

Patching

Since your users are logged on and running programs on your workstations, and accessing the Internet, they are at much higher risk than servers, so patching is even more important. Make sure all workstations are fully up-to-date before they are deployed, update your master image frequently, and ensure that all workstations are being updated by your patch management system.

Antivirus

Here’s how to handle workstation antivirus: 100% coverage of all workstations; workstations check a central server for updates at least every six hours, and can download them from the vendor when they cannot reach your central server. All workstations report status to the central server, and you can push updates when needed – Easy.

Host intrusion prevention/firewall

Consider using a host intrusion prevention or personal firewall product to provide more defense for your workstations, especially when they are laptops that frequently connect outside the corporate network. Make sure that the configuration does not interfere with your management tasks, like pushing antivirus updates, checking logs, auditing software, etc.

Remote access

Like servers, pick one remote access method and stick to it, banning all others. The more ways to get into a workstation, the more ways an attacker can attempt to exploit the machine. The built-in Remote Desktop service that comes with Windows is my preference, but if you prefer another, disable RDP. Ensure that only authorized users can access the workstation remotely, and that they must use their unique credential, instead of some common admin/password combination.

Power saving

Consider deploying power saving settings through GPO to help extend the life of your hardware, and save on the utility bill. Make sure that you have Wake-On-LAN compatible network cards so you can deploy patches after hours if necessary.

Domain joined

All workstations should be domain joined so you can centrally administer them with unique credentials.

Administrator account renamed and password set

Rename the local administrator account and set a strong password on that account that is unique per machine. Trust me, one of these days you will have no choice but to give some travelling user the local admin account, and if that is the same across all machines, you will then have to reset them all. Use a script to create random passwords, and store them securely where they can be retrieved in an emergency. It seems like a lot of work up front, but it will save you time and effort down the road.

Local group memberships set and permissions assigned

Set appropriate memberships in either local administrators or power users for each workstation.

Correct OU with appropriate policies

Organize your workstations in Organizational Units and manage them with Group Policy as much as possible to ensure consistent management and configuration.

Confirm it’s reporting to management consoles

Validate that each workstation reports to your antivirus, patch management and any other consoles before you turn it over to the user, and then audit frequently to ensure all workstations report in.

Backups/ Restores

You probably won’t perform regular full backups of your workstations, but consider folder redirection or Internet based backups to protect critical user data.

Local encryption

There is no excuse for letting any laptop or portable drive out of the physical confines of the office without encryption in place to protect confidential data. Whether you use BitLocker, TrueCrypt, or hardware encryption, make it mandatory that all drives are encrypted.

Vulnerability scan

Perform regular vulnerability scans of a random sample of your workstations to help ensure your workstations are up to date.

4. Network equipment

Your network infrastructure is easy to overlook, but also critical to secure and maintain. We’ll start with some recommendations for all network equipment, and then look at some platform specific recommendations.

Network hardware list

Maintain a network hardware list that is similar to your server list, and includes device name and type, location, serial number, service tag, and responsible party.

Network Configuration

Have a standard configuration for each type of device to help maintain consistency and ease management.

IPAM

Assign static IP addresses to all management interfaces, add A records to DNS, and track everything in an IP Address Management (IPAM) solution.

Patching

Network hardware runs an operating system too, we just call it firmware. Keep up-to-date on patches and security updates for your hardware.

Remote access

Use the most secure remote access method your platform offers. For most, that should be SSH version 2. Disable telnet and SSH 1, and make sure you set strong passwords on both the remote and local (serial or console) connections.

Unique credentials

Use TACACS+ or other remote management solution so that authorized users authenticate with unique credentials.

SNMP configured

If you are going to use SNMP, change the default community strings and set authorized management stations. If you aren’t, turn it off.

Backups/Restores

Make sure you take regular backups of your configurations whenever you make a change, and that you confirm you can restore them.

Vulnerability scan

Include all your network gear in your regular vulnerability scans to catch any holes that crop up over time.

Switches

VLANs

Use VLANs to segregate traffic types, like workstations, servers, out of band management, backups, etc.

Promiscuous devices and hubs

Set port restrictions so that users cannot run promiscuous mode devices or connect hubs or unmanaged switches without prior authorization.

Disabled ports

Ports that are not assigned to specific devices should be disabled, or set to a default guest network that cannot access the internal network. This prevents outside devices being able to jack in to your internal network from empty offices or unused cubicles.

Firewalls

Explicit permits, implicit denies

‘Deny All’ should be the default posture on all access lists – inbound and outbound.

Logging and alerts

Log all violations and investigate alerts promptly.

Routers

Routing protocols

Use only secure routing protocols that use authentication, and only accept updates from known peers on your borders.

5. Vulnerability scanning

Weekly external scans scheduled

Configure your vulnerability scanning application to scan all of your external address space weekly.

Diffs compared weekly

Validate any differences from one week to the next against your change control procedures to make sure no one has enabled an unapproved service or connected a rogue host.
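One way to do the weekly comparison, shown as an added example that is not part of the original checklist: it diffs two scan exports and reconciles every difference against change-control records. The CSV layouts, addresses and ticket numbers are constructed assumptions; map them to whatever your scanner and ticketing system export.

```python
import csv
import io

# Constructed weekly scan exports: one "host,port,protocol,service" row per open port.
LAST_WEEK = """\
198.51.100.10,443,tcp,https
198.51.100.10,25,tcp,smtp
198.51.100.20,443,tcp,https
"""
THIS_WEEK = """\
198.51.100.10,443,tcp,https
198.51.100.10,25,tcp,smtp
198.51.100.20,443,tcp,https
198.51.100.20,3389,tcp,ms-wbt-server
198.51.100.30,22,tcp,ssh
198.51.100.30,80,tcp,http
198.51.100.77,8080,tcp,http-proxy
"""
# Constructed change-control export: "ticket,host,port,protocol,action".
APPROVED_CHANGES = """\
CHG-0001,198.51.100.30,22,tcp,open
CHG-0002,198.51.100.10,25,tcp,close
"""


def load_scan(text):
    """Parse a scan export into {(host, port, proto): service}."""
    ports = {}
    for row in csv.reader(io.StringIO(text)):
        if row:
            host, port, proto, service = row
            ports[(host, int(port), proto)] = service
    return ports


def load_changes(text):
    """Parse approved changes into {(host, port, proto, action): ticket}."""
    changes = {}
    for row in csv.reader(io.StringIO(text)):
        if row:
            ticket, host, port, proto, action = row
            changes[(host, int(port), proto, action)] = ticket
    return changes


def reconcile(previous, current, approved):
    """Classify every week-over-week difference against change control."""
    report = {"approved": [], "unapproved": [], "rogue_hosts": [], "not_implemented": []}

    # Ports that appeared or disappeared since the previous scan.
    observed = [(key, "open") for key in current.keys() - previous.keys()]
    observed += [(key, "close") for key in previous.keys() - current.keys()]
    for key, action in sorted(observed):
        ticket = approved.get(key + (action,))
        if ticket:
            report["approved"].append((ticket, action, key))
        else:
            report["unapproved"].append((action, key))

    # Hosts seen for the first time that no approved change mentions.
    new_hosts = {key[0] for key in current} - {key[0] for key in previous}
    ticketed_hosts = {key[0] for key in approved}
    report["rogue_hosts"] = sorted(new_hosts - ticketed_hosts)

    # Approved changes the scan does not reflect (for example, a port that
    # was supposed to be closed but is still answering).
    for (host, port, proto, action), ticket in sorted(approved.items(), key=lambda kv: kv[1]):
        is_open = (host, port, proto) in current
        if (action == "open") != is_open:
            report["not_implemented"].append(ticket)
    return report


if __name__ == "__main__":
    result = reconcile(load_scan(LAST_WEEK), load_scan(THIS_WEEK), load_changes(APPROVED_CHANGES))
    for category, items in result.items():
        print(category, items)
```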

Internal scans scheduled monthly

Perform monthly internal scans to help ensure that no rogue or unmanaged devices are on the network, and that everything is up to date on patches.

6. Backups

Tape rotation established

Make sure you have a tape rotation established that tracks the location, purpose, and age of all tapes. Never repurpose tapes that were used to back up highly sensitive data for less secure purposes.

Old tapes destroyed

When a tape has reached its end of life, destroy it to ensure no data can be recovered from it.

Secure offsite storage

If you are going to store tapes offsite, use a reputable courier service that offers secure storage.

Encryption

Even reputable courier services have lost tapes; ensure that any tape transported offsite, whether through a service or by an employee, is encrypted to protect data against accidental loss.

Restores confirmed regularly

Backups are worthless if they cannot be restored. Verify your backups at least once a month by performing test restores to ensure your data is safe.

Restricted access to tapes, backup operators groups

Backup tapes contain all data, and the backup operators can bypass file level security in Windows so they can actually back up all data. Secure the physical access to tapes, and restrict membership in the backup operators group just like you do to the domain admin group.

7. Remote Access

Only approved users and methods

Set up and maintain an approved method for remote access, and grant permissions to any user who should be able to connect remotely, and then ensure your company policy prohibits other methods.

Two factor authentication

Consider using two-factor authentication – like tokens, smart cards, certificates, or SMS solutions – to further secure remote access.

No split tunneling

Protect your travelling users who may be on insecure wireless networks by tunneling all their traffic through the VPN instead of enabling split tunneling.

Internal name resolution

If you are going to do split tunneling, enforce internal name resolution only to further protect users when on insecure networks.

Account lockouts

Set strong account lockout policies and investigate any accounts that are locked out to ensure attackers cannot use your remote access method as a way to break into your network.

Regular review of audit logs

Perform regular reviews of your remote access audit logs and spot check with users if you see any unusual patterns, like logons in the middle of the night, or during the day when the user is already in the office.
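The two patterns named above can be pulled out of the logs mechanically, leaving only the spot checks to a person. This is an added example, not part of the original checklist; the VPN and door-badge log formats, the user names and the 00:00 to 05:00 quiet window are all constructed assumptions.

```python
import re
from datetime import datetime, time

# Constructed VPN gateway log lines.
VPN_LOG = """\
2013-02-19T08:55:10 vpn-gw01 login user=alice src=203.0.113.7
2013-02-19T14:20:41 vpn-gw01 login user=bob src=198.51.100.44
2013-02-20T02:13:05 vpn-gw01 login user=carol src=203.0.113.90
2013-02-20T19:30:00 vpn-gw01 login user=bob src=198.51.100.44
"""
# Constructed door-badge log lines, used to tell whether a user is in the office.
BADGE_LOG = """\
2013-02-19T08:40:00 door-main in user=bob
2013-02-19T17:35:00 door-main out user=bob
2013-02-20T09:00:00 door-main in user=alice
"""

VPN_RE = re.compile(r"(\S+) \S+ login user=(\S+) src=(\S+)$")
BADGE_RE = re.compile(r"(\S+) \S+ (in|out) user=(\S+)$")


def parse_badges(text):
    """Return {user: [(timestamp, 'in' | 'out'), ...]} sorted by time."""
    events = {}
    for line in text.splitlines():
        match = BADGE_RE.match(line)
        if match:
            when, direction, user = match.groups()
            events.setdefault(user, []).append((datetime.fromisoformat(when), direction))
    for user_events in events.values():
        user_events.sort()
    return events


def in_office(events, user, when):
    """True if the user's latest badge event that day, before `when`, was 'in'."""
    same_day = [direction for stamp, direction in events.get(user, [])
                if stamp.date() == when.date() and stamp <= when]
    return bool(same_day) and same_day[-1] == "in"


def review_vpn_logons(vpn_text, badge_text, quiet_start=time(0, 0), quiet_end=time(5, 0)):
    """Return (timestamp, user, source, reason) for each logon worth a spot check."""
    badges = parse_badges(badge_text)
    findings = []
    for line in vpn_text.splitlines():
        match = VPN_RE.match(line)
        if not match:
            continue
        stamp, user, src = match.groups()
        when = datetime.fromisoformat(stamp)
        if quiet_start <= when.time() < quiet_end:
            findings.append((stamp, user, src, "logon during quiet hours"))
        if in_office(badges, user, when):
            findings.append((stamp, user, src, "VPN logon while badged into the office"))
    return findings


if __name__ == "__main__":
    for finding in review_vpn_logons(VPN_LOG, BADGE_LOG):
        print(*finding)
```

Both checks depend on the log sources sharing a clock, which is why central time synchronization for every system matters here.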

8. Wireless

In addition to the items in the network equipment list above, you want to ensure the following for your wireless networking.

SSID

Use an SSID that cannot be easily associated with your company, and suppress the broadcast of that SSID. Neither is particularly effective against someone who is seriously interested in your wireless network, but they do keep you off the radar of the casual war driver.

Authentication

Use 802.1x for authentication to your wireless network so only approved devices can connect.

Encryption

Use the strongest encryption type you can, preferably WPA2 Enterprise. Never use WEP. If you have barcode readers or other legacy devices that can only use WEP, set up a dedicated SSID for only those devices, and use a firewall so they can only connect to the central software over the required port, and nothing else on your internal network.

Guest Network

Use your wireless network to establish a guest network for visiting customers, vendors, etc. Do not permit connectivity from the guest network to the internal network, but allow for authorized users to use the guest network to connect to the Internet, and from there to VPN back into the internal network, if necessary.

BYOD

Create a “Bring Your Own Device” policy now, even if that policy is just to prohibit users from bringing their personal laptops, tablets, etc. into the office or connecting over the VPN.

9. Email

Inbound and outbound filtering

Deploy an email filtering solution that can filter both inbound and outbound messages to protect your users and your customers.

Directory Harvest prevention

Ensure that your edge devices will reject directory harvest attempts.

Antivirus/Antispam/Antiphishing

Deploy mail filtering software that protects users from the full range of email threats, including malware, phishing and spam.

10. Internet Access

Provide your users with secure Internet access by implementing an Internet monitoring solution.

Filter lists

Use filter lists that support your company’s acceptable use policy.

Malware scanning

Scan all content for malware, whether that is file downloads, streaming media, or simply scripts contained in web pages.

Bandwidth restrictions

Protect your business-critical applications by deploying bandwidth restrictions, so users’ access to the Internet doesn’t adversely impact company functions like email, or the corporate website.

Port blocking

Block outbound traffic that could be used to go around the Internet monitoring solution so that if users are tempted to violate policy, they cannot.

11. File shares

Here’s where most of the good stuff sits, so making sure you secure your file shares is extremely important.

Remove the Everyone and Authenticated Users groups

The default permissions are usually a little too permissive. Remove the Everyone group from legacy shares, and the Authenticated Users group from newer shares, and set more restrictive permissions, even if that is only to “domain users.” This will save you a ton of time should you ever have to set up a share with another entity.

Least privilege

Always assign permissions using the concept of “least privilege”. “Need access” should translate to “read only” and “full control” should only ever be granted to admins.

Groups

Never assign permissions to individual users; only use domain groups. It’s more scalable, easier to audit, and can carry over to new users or expanding departments much more easily than individual user permissions.

Avoid Deny Access

If you have a file system that tempts you to use “Deny Access” to fix a problem you are probably doing something wrong. Reconsider your directory structure and the higher level permissions, and move that special case file or directory somewhere else to avoid using Deny Access.

12. Log correlation

If you have more servers than you can count without taking off your shoes, you have too many to check each one’s logs manually. Use a logging solution that gathers up the logs from all your servers so you can easily parse the logs for interesting events, and correlate logs when investigating events.

13. Time

Use a central form of time management within your organization for all systems including workstations, servers, and network gear. NTP can keep all systems in sync, and will make correlating logs much easier since the timestamps will all agree.

Change Management - The Importance of an Effective ITIL Change Management Process

ITIL Change management process

When planning for change, an ITIL change management process will be most effective since it will ensure the use of standardized methods and procedures for the effective handling of any scheduled IT infrastructure changes. Following ITIL’s best practices also means that the risks of any negative impacts on other systems caused by an ill-planned change management process are drastically minimized.

An ITIL change management process can be a daunting task for system administrators because it may include changing a whole or part of a company’s IT systems infrastructure. It is of paramount importance that this task is planned and structured effectively, since ultimately the aim is to enhance and boost a company’s productivity.

Generally speaking, administrators like to have the same standard environment across their networks as much as possible. This doesn’t mean that employees in finance will have the same software that the development team has but it generally does mean that people in the same department will have the same software and system setup. People who aren’t in IT might see this as a waste, possibly even think that administrators do this to save time or do less work but there are a number of very good reasons for this.

At least once a month administrators are faced with the task of patching their network, which is generally done after hours to avoid having an impact on productivity. Administrators know that patching is not just about downloading a patch and pushing it out to the network, because sometimes patches do not play nice with certain applications, and there are many reported cases where, after installing a patch, a machine no longer boots and instead displays the dreaded blue screen of death. To avoid such hiccups an administrator generally has test machines mirroring each and every system setup out in his network. He first updates his test machine, tests that critical business applications work as expected, and only once he is satisfied that these patches create no issues will he push patches out to the rest of his network. This of course is only valid as long as users do not decide to take matters into their own hands and install other software that the administrator is unaware of. This is a perfect example of where an effective change management process should come into play.

Leaving one’s work station open and allowing users to install anything they want to can create a lot of problems. It’s not just that the administrator’s testing efforts can be thrown to waste because what he tested on wasn’t what he found once the patches were installed on workstations; employees might not know the implications of what they’re installing and they might not be aware of the licensing requirements.

Time and time again we hear about how some military personnel installed file sharing software and mistakenly ended up sharing classified information. We cannot really expect that someone who is proficient in using office applications will automatically know the implications of installing software. An employee might not take the time to read the license agreement of the free application he downloaded thinking that it was okay to use without realising that free use was only allowed in a personal and not a business environment.

Implementing an ITIL change management process

What we can expect is that an administrator needs to be aware of what’s running on their networks, and for this to be achieved, the proposed change management process must clearly define what needs to be done in order to control and monitor all company activities on the network. Change management is obviously a vast subject, but one doesn’t need to implement every single part. In this case, a systems administrator will only need to focus on employing a solution that will promise complete control and management of the company’s network infrastructure, thus eliminating the occurrence of major disasters!
In my opinion, following an effective change management process, a systems administrator should at least achieve the below in order to gain full control of a company’s network:
  • Communicating and enforcing policies that employees know and follow when doing anything which will cause a change to the organization, be it installing software or even changing a system’s configuration. Such a policy doesn’t have to be complicated; in fact simple works best, so you could have a policy whereby any employee who requires changes gets them implemented by an administrator. This policy can also be enforced through the workstation itself by configuring rights that restrict users who aren’t authorized from performing certain tasks.
  • Monitoring is also essential. I think that as a bare minimum one needs to periodically monitor what applications and what hardware are installed on each workstation. Even in an environment where employees have restricted rights one cannot trust that they will not find a way around your policies. Monitoring is not hard to implement, using either scripts or free software to report on applications and hardware. For additional convenience and peace of mind one can also deploy software that informs the administrator when changes occur; this can be set both in real time and on a schedule. Having such a system in place would reduce the load on the administrator, as their attention would only be required when changes happen.
Even by implementing only these two basic steps of an ITIL change management process, an organization can ensure that its administrators can keep tabs on what is deployed on their networks and how it is configured. The administrators will be in a position to test changes before they occur, thus saving the organization from possible downtime. Administrators will also be able to safeguard the organization from possible liability due to the use of illegal or incorrectly licensed software, and if properly implemented this will also have a minimal impact on employees – all in all, such a change management process results in a win-win situation for everyone.

Change Management - Things to consider when implementing Change Management

1. Clarify what Change Management will accomplish in your organization. Many corporations struggle with defining ITIL in general and Change Management in particular. The most common misunderstanding is the assumption that implementing Change Management will fix issues that are related to Release Management or Configuration Management. Change Management focuses on the oversight and approval aspects of the process, ensuring that only authorized changes are being worked on. It is more related to organizational change than the operational aspects of change.

2. Articulate the benefits of Change Management to each level of the organization. Using a top-down organizational approach is usually the most effective way to establish Change Management. The more the leaders of an organization demonstrate commitment to and participation in implementing a Change Management program, the better the chance for success. Getting buy-in at all levels is critical to the success of the program. The first step to achieving a successful buy-in is identifying all stakeholder groups that are affected by such an implementation. Stakeholders need to understand the benefits on a personal and organizational level (What’s in it for me?). Clearly defining and presenting to each stakeholder what those benefits will be, and conversely, establishing and enforcing policies that address the penalties and repercussions for bypassing the process, is essential. Finally, to ensure buy-in and understanding among everyone, be sure to communicate the same message to everyone involved as to what those policies will cover.

3. Define what a Change is. The most important concept to convey is that everything in the IT world can have a change element to it. Nothing should fly under the radar. All Installs, Moves, Adds and Changes (IMACs) to the infrastructure, and any software changes, should fall under the control of Change Management. Even the most seemingly innocuous changes can cause major disruptions if no one knows about them. This can be especially true if you are implementing Change Management in an immature, silo-structured organization.

4. Establish clear roles and responsibilities for the Change Advisory Board (CAB), Change Manager, and Change Authority. Creating an Executive Committee for the CAB is a good way to keep the executives engaged in the process without subjecting them to the low level details that change management sometimes involves. Having executive sponsorship increases your leverage when encountering parties resistant to changing the status quo. An effective and successful Change Manager is one who proactively ensures that the right resources, both technical and business, attend the CAB and present viable, justifiable changes. The Change Manager can be the final arbiter in resolving disputes over classifications and prioritizations. (Some organizations use the Executive Committee for issue resolution). Ensure that the Change Authorities who are representing changes to the CAB are well-informed and can speak to their items when challenged. Their role is to present the business case, the impact analysis, the resource plan and execution plan for each change. The CAB is not just an IT operation. A successful CAB will have a wide rotating mix of participants from the IT, Operations and Business groups. Embrace the flexibility that the CAB offers by limiting the standing participants and ensuring only those resources that can add value to the discussions are invited to the meetings.

6. Establish and Stabilize the Change Management Process before introducing tools. In theory, it seems logical to buy a tool that can guide your change management implementation and utilize it as a key component of your change program. In practice, this approach is rarely effective. Introducing new processes, making them more efficient and finalizing them will lay the groundwork for defining the requirements for a tool selection. You can then better evaluate a tool fit for your purposes instead of getting lost in the various options that most tools present.

7. Define Key Performance Indicators (KPI) and Critical Success Factors (CSF) that highlight the improvements that Change Management brings to the organization. Bring metrics to Senior Management’s attention on a regular basis showing how CM is benefiting the organization.
  • Sample CSF’s should reflect that CM is:
      • A repeatable process that can make changes quickly and accurately
      • Protecting the integrity of the service when making those changes
      • Delivering process efficiency and effectiveness
  • Sample KPI’s should be established around:
      • Reduction of unauthorized changes
      • Reduction in change related outages
      • Reduction in emergency changes
      • Actual cost of a change vs. planned (budgeted) cost

8. Ensure back-out plans are documented and realistic. Although no one ever intentionally introduces defects into the production environment, it is a fact of life that problems will sometimes arise as a result of new submissions. To combat these instances, there must be a robust contingency plan in place to minimize the amount and length of production outages. Ensuring that the Release Management team comes prepared to the CAB with both their implementation plan and back-out strategy is an essential check-point for the Change Manager.

9. Accentuate the positive by building on successes and leveraging lessons learned. Discussing lessons learned, whether good or bad, is important for everyone involved to better prepare for the next instance.

While it is important to correct bad behaviors after a release, it is just as important to highlight what went well. Showcase success stories and integrate lessons learned into plans for further roll-outs.

10. Use the Change Management Initiative to promote other ITIL processes. Many organizations are only familiar with the Change Management component of ITIL. Use the success story from implementing Change Management to promote the benefits of the other processes and how they will improve the overall performance of IT. Change Management cannot be truly effective in isolation.

When Release and Configuration Management processes are absent, consider combining all three into a centralized function. The three processes have many close links to each other and together can stabilize an organization’s production environment.

In summary, implementing Change Management is and should be viewed as a major strategic undertaking. It is much more than a simple process roll-out. As a starting point, organizations need to know where they stand in terms of ITIL maturity, where gaps exist, and where they want to be. Any ITIL implementation is a major change program that warrants a roadmap, a realistic project plan and associated communications to achieve the desired outcomes. It also requires training of the support organization as well as the users receiving the service on new processes and procedures. Piloting the new processes or performing dry runs will furthermore ensure smooth transition and higher effectiveness.







    Project Management - Key FAQ

    What Does a Project Manager Do?

    In a typical project, the manager is assigned to lead the project and takes full accountability for reaching the goals and objectives. The project manager is the leader of the project and is responsible for ensuring that the following tasks are completed in a timely manner:
    • Gaining approval for the project purpose and terms of reference
    • Assembling, governing and motivating the team, in cooperation with team leaders and supervisors
    • Ensuring the project is feasible through managing the development of a feasibility study
    • Planning the project in detail
    • Allocating and monitoring the resources (people, money, time, technology etc.)
    • Tracking the project and reporting on the progress to the senior stakeholders (sponsor, customer)
    • Making strategic decisions and solving issues
    • Controlling the achievement of the goals and objectives
    • Reviewing and terminating the project

    What Skills are Required for a Project Manager?

    Depending on the features, type, size, and nature of a given project, a broad set of skills and abilities and a good deal of knowledge and experience are required for a project manager to manage the project successfully. It is convenient to arrange all the required skills and abilities into the following 3 groups:
    • Individual Skills. These skills allow a project manager to be as effective as possible when planning and managing work around and within projects. They include good persuasive and self-motivation skills, good skills in oral and written presentation, good analytical skills, decision making, goal setting, high energy, credibility, time management.
    • Team Skills. This set of skills provides managers with the ability to assemble, lead, manage and motivate teams and groups of people involved in projects. These skills include communication, group decision making, problem and conflict management, team collaboration, time management, reporting, others.
    • Technical Skills. Finally, these skills determine how well a manager can operate equipment and devices as well as use various techniques and methods to drive the project. They include technical knowledge and education, experience in using specific tools and devices, planning complex tasks, managing creative thinking, financial planning, monitoring, contract management, negotiation, others.

    What is the Role of a Steering Group (Committee)?

    For large-scale and complex projects, there may be a need to establish a Steering Group, especially when there are several project sponsors or champions involved. A Steering Group or Steering Committee provides a valuable channel for resource input and commitment from the sponsors and customers. Project management best practices demonstrate that formation of a Steering Group is beneficial to all project participants because members of the Group generally provide necessary guidance, strategic planning and oversight to the project.

    A Steering Committee is assigned an appropriate role from the very beginning of a project. Although the role does not involve committee members in the management, it provides the members with authority to make project changes at a strategic level and receive progress reports for review and analysis. The role allows a Steering Group to:
    • Be involved in project needs analysis and identification of project goals and objectives
    • Provide guidance and support regarding the preparation of the original project management plan
    • Advise the management team on any subsequent changes to the agreed goals and objectives (in terms of scope, time-scale or cost) as may be necessary as the project proceeds
    The Steering Committee role also covers the duties for approving and implementing any changes which affect scope, time-scale or cost of the project. The members are supposed to provide consulting and guidance regarding the implementation process.

    What is the Role of a Project Leader?

    A Project Leader is a senior person who is charged with the responsibility of managing the project through leading and coordinating the implementation process. The project leader is likely to be an executive or director who has sufficient authorities and rights to make strategic and tactical decisions on project management. An individual assigned to the project leader role is ultimately responsible for:
    • The overall delivery of the project as well as delivery of every phase and stage across the project life-cycle.
    • Providing support to and championing the project
    • Coordinating the line management of the project manager
    • Attending reviewer meetings for reviewing how the project proceeds
    • Ensuring that the project is being performed according to the agreed plan
    • Ensuring that the personnel committed to the project give sufficient time and effort to the project

    What is the Role of a Project Reviewer?

    A Project Reviewer is a person or a group of people appointed towards the end of the project planning phase to give assurance to the senior management that the case for proceeding with the project has been properly developed and budgeted to enable successful delivery and acceptance of project products.

    The Project Reviewer is supposed to be neither affected by nor interested in the project. The reviewer is simply an independent consultant or expert who provides advice on how to proceed with the project in a better way. The role of an independent project reviewer covers the following duties:
    • Taking a broad and independent view of project progress
    • Receiving necessary information from the project manager prior to the end of each review (milestone) meeting
    • Analyzing project data to decide whether sufficient evidence has been presented by the project manager and whether the project can move on to the next phase of the project management plan
    • Ensuring that all goals and tasks underpinning the current milestone have been completed
    • Revising agreed milestones if needed
    • Providing expert judgment regarding resource availability and utilization
    It is essential that the project reviewer should not undertake the sponsoring (championing) duties but remain independent of and uninterested in the project. Furthermore, the role should cover areas involved in either direction management or implementation of the project.

    What Main Levels of Authority Exist in a Typical Project?

    In a typical project, there are 4 main authority levels determining what roles and duties an individual involved in a project is expected to perform throughout the project life-cycle. These levels are listed and described below:
    • Senior Management. Senior project staff will be responsible for establishing the conditions and culture of the project environment, so that an organization which is the project customer will select and implement appropriate solutions to support its needs and requirements. Senior management authority covers these roles: Sponsor, Project Manager, Program Manager, Customer.
    • Middle Management. Middle management personnel will be responsible for ensuring that a project is selected, allocated, steered, completed and terminated satisfactorily. They will take care of making the project approved and ready for change. The roles are: Team Leader, Supervisor,
    • Operational staff. This level of authority allows team members to use the tools and techniques defined by the senior management and supervised by the middle management to manage projects effectively. The only role is Team Member.
    • Advisory. People and organizations that cannot directly influence a project or authorize a change but that can provide competent advice and recommendations regarding project development and improvement will occupy this level of authority. The roles of the level include: Expert Advice, Facilitator, Observer.
    Please note that in some projects the management authority levels have a different combination of roles, often with a rather deeper hierarchy of duties and responsibilities. For example, in a construction project the role of project manager is often assigned to Middle Management level.

    What is ROI for a Project and How to Calculate It?

    In terms of project management, ROI (Return on Investment) is a quantitative measure that tells senior management of a project what amount of financial (funds) and/or non-financial (technology, knowledge, materials) resources they get back from doing the project for what they invest in the project.

    Project ROI is calculated and analyzed before the project gets started. It is a mechanism for making a decision on whether to invest resources in the project initiative. When an investor (sponsor) evaluates a project, he/she calculates ROI to do the following:
    • Justify the project
    • Rationalize expenditure
    • Pursue a specific course of action
    ROI is an indicator that can be calculated. Here are the key inputs for making ROI calculations:
    • Cost. An amount of money required for maintaining and operating the project
    • Benefits. An amount of financial effect the investor gains from the project.
    • Annual Cash Flow. A difference between the project cost and financial benefits.
    • Non-monetary benefits, including quality, timeliness, quantity etc.

    What is a Cost-Benefit Analysis?

    In any project environment there is also a set of choices for how to do the project. There can be multiple choices or alternatives, and the challenge here is to determine which one best fits into the project requirements and goals and leads the project to success. A cost-benefit analysis is the way to examine and estimate available choices and then decide which choice is worthwhile.

    A cost-benefit analysis is an attempt to estimate alternatives surrounding a project and determine the impact of every alternative to the project. The analysis regards cost and benefit as the key parameters for estimations. It allows identifying the components of available benefits and costs through creating project appraisals and estimates.

    A cost-benefit analysis is used to compare the monetary expectations of a project with the project costs for each solution available. The analysis estimates such parameters as the average cost for project HR, capital costs, labor cost, etc.

    What is the Purpose of Scope Management?

    The purpose of managing scope of a project is to clearly describe and gain agreement on the logical boundaries of the project. It is managed under the scope management process which aims to determine what’s in and out of the project. Scope statements are used as the primary documents to define what activities and requirements are within the boundaries.

    The process of managing scope covers other aspects of project management. The more information about scope is clearly defined and agreed on, the clearer and more vivid a project becomes. Here are the major aspects of project management being addressed by scope definition:
    • Deliverables that are in scope and out of scope
    • business requirements and assessment rules
    • The major project implementation processes that are within scope
    • Types of data required for doing the project in scope
    • Organizations that are interested in or affected by the project

    What are the Key Requirements to Running a Project Portfolio?

    In simple words, a portfolio of projects is a combination of interrelated and dependent projects that are linked to one or several programs to reach the program goals by completing individual project objectives. When an organization considers running a project portfolio, it should meet the following key requirements:
    • Commitment and Acceptance. Senior management of the organization needs to commit to the effectiveness of using project management and to ensure acceptance of the portfolio by personnel.
    • Trained Staff. In the organization there should be people who have been trained adequately in following the principles and practices of successful project portfolio management.
    • Information Systems. Senior management should provide systems and tools required for exchanging information and document flows between people involved in the projects.
    • Methodological Foundation. There should be a methodology to effectively plan and manage the projects, by creating a PM office and assembling multiple teams.
    • Organizational Structure. Senior management should build an organizational structure consisting of individuals, teams, departments and divisions to establish and support the duties, responsibilities and roles of the personnel involved in the portfolio.

    What is Project Scoring and How to Rate Projects Using a Scoring Model?

    The term “project scoring” is mainly used in project portfolio management to define a set of criteria to select and prioritize projects and programs that belong to a single portfolio. It is a structured process that aims to evaluate the projects and programs against some criteria to determine the execution order and relevance.

    The project scoring process can be performed under a range of methods and techniques that define how to score projects and what rating to use. Essentially, scoring means evaluating projects against a set of criteria to define rating per project and create weighted score value for all the projects available for the evaluation. The process allows prioritizing parallel and ongoing projects and programs within the same portfolio.

    It is up to the PMO to decide what model of rating and scoring to apply to their particular portfolio and projects. Below we suggest some basic criteria to rate and weight portfolio projects:
    • Belonging: Can you say that the scope of your project shows that the project belongs to your organization and is inside of the current operational environment? The more the project belongs to the organization, the more benefit it potentially provides.
    • Relevance: How much impact does your project or program have on the operational environment? Can you say the project is relevant? Relevance defines the project’s ability to deliver the most fitting change to the environment.
    • Cost saving: Does the project or program provide operational savings? Is there any evidence that the project contributes to cost reduction?
    • Marketability: Can your solution be used in other organizational units? Does the project offer some market-focused opportunities that allow an organizational unit to succeed in the market?
    • Profitability: What impact does the solution have on the organization’s profit margin? Can you confirm that by doing the project you increase the profits?

    What are the Key Steps of the Portfolio Management Cycle?

    Project Portfolio Management (PPM) is the effort to coordinate and lead the tracking and control of a portfolio’s components to ensure that effective decision making is available to the entire portfolio as well as to every single component, while supporting successful achievement of specific organizational objectives. The components are projects, programs, and other types of collaborative work.

    In order for the senior management team to manage their project portfolio, they need to perform a range of steps that define the lifecycle of the PPM process. Here are 9 key steps:
    1. Identify and define strategic business goals that explain what the organization wishes to reach
    2. Select the right projects and programs that support and contribute to the achievement of the goals
    3. Prioritize the work (projects and programs) and assign it to the portfolio
    4. Start managing projects and programs
    5. Review and control performance
    6. Complete portfolio status and terminate or re-prioritize all projects and programs that have failed or been completed
    7. Continue performing remaining projects and programs
    8. Deliver all the work successfully
    9. Perform the activity of lessons learned and close the portfolio.

    What is the Hierarchy of Project Managers in a Project Portfolio?

    It is the ranking of duties, responsibilities and obligations of managers involved in managing a portfolio of projects at the highest authority level. It determines three roles of project managers and their level of subordination relative to each other. Here are the project manager roles in the hierarchy:
    • Program Manager (also known as Change Manager). This person gains the Senior Management authority level to control and oversee the state, direction, and progress of the portfolio. It is a strategic role to ensure that the portfolio delivers the business benefits expected. The Program Manager gets reports from and governs the Project Manager and Project Leader.
    • Project Manager. It is the most popular role. A person assigned to this role is supposed to have broad experience and good skills in project planning and implementation. The Project Manager may manage two or more projects of the portfolio at once and have the Project Leaders as directly reporting personnel.
    • Project Leader. This role lets a leader manage a stage or phase of a portfolio project or a small project in the portfolio. It is similar to the role of team leader, but the difference is that the project leader has the right to govern the project along with human resources while the team leader is allowed to make team-based decisions only.

    How Does a Program Differ From a Project? (Program vs. Project)

    There are a number of differences between programs and projects. Unfortunately, many organizations, when managing their strategic planning process, regard programs as large and complex projects. That’s the biggest mistake.

    Programs significantly differ from projects. The main difference is that a program aims to identify and understand stakeholder needs and expectations in order to reduce ambiguity through negotiations, while a project seeks to achieve clear, certain and well-defined objectives using the least possible resources. In other words, program management addresses the problem of reducing “ambiguity”, while project management resolves the issue of reducing “uncertainty”.

    As processes, program management and project management differ from each other because the former focuses on creating interfaces between projects whereas the latter aims to deliver a specific outcome.

    Here are the details of the comparison “program vs. project”:
    A project has:
    • Fixed duration
    • Preset objectives
    • Focus on tasks
    • Process-based life-cycle
    • Project manager as an overseer
    • Single deliverable
    A program has:
    • Undefined duration
    • Floating objectives
    • Focus on goals
    • Product-based life-cycle
    • Program manager as a creative decision maker
    • Multiple interrelated deliverables

    What Does a Program Manager Focus on, As Compared to a Project Manager?

    The competencies of a program manager are different from those of a project manager. A program manager has a mindset that is different from that of a project manager. Therefore, the two roles have different focuses. Here are the differences:
    A program manager focuses on:
    • Applying specific and unique performance-based skills
    • Defining stakeholder requirements and expectations
    • Using a threat-based risk approach for managing risks
    • Resisting changes with adverse effects on program goals
    • Using a visible and decisive management style
    A project manager focuses on:
    • Applying typical performance-based skills and approaches
    • Identifying emerging needs and expectations from stakeholders
    • Using a value-based risk approach for managing risks
    • Increasing organizational effectiveness
    • Using a political and negotiation-based management style

    Is There a Common Process for Managing Programs?

    Yes, there is a single common process of managing programs and project portfolios. The process appears to be effective in most PM methodologies. Here are the key steps of the process:
    • Linking. Once projects are identified and planned out, they are linked to a master program, which is performed and controlled under the authority of a project management office.
    • Set Prioritization. Projects within a program are prioritized, so that allocation of scarce resources can be done according to priority. There is clarity for project staff about the best use of the available resources to do the projects.
    • Create Dependencies. The projects and their tasks are linked to and connected with each other, so that the dependencies make it possible for personnel to get a big picture view of the whole program.
    • Track Deadlines. Project deadlines are identified, tracked and managed in response to the program management plans and in relation to dependent or associated projects.
    • Manage Changes. There is a change management process that identifies and terminates any projects that seem to be irrelevant to the organizational strategy due to changes that have occurred.
    • Avoid Overlaps. Any projects that appear to be overlapping with each other or duplicating each other are revealed and terminated.

    What are the Key Steps of the Program Management Cycle?

    Program management can be regarded as a process that consists of the following steps:
    • Formulation. This step aims at determining reasons for starting a program, seeking alternatives, evaluating options, and making a choice.
    • Planning. The planning step defines a strategy for program management and identifies the best possible options and approaches for implementing the program.
    • Implementation. It is intended to execute the program in line with the strategy and using the approaches. Support for related projects' operational activities is provided.
    • Appraisal. This step involves assessment of benefits achieved through the implementation, review of program purpose and capability, and redeploying the program, if required.
    The purpose of these steps is to develop a program in a stable and predictable environment. Each of the steps breaks down into a range of activities specific to a particular program and associated projects.

    What is Project Management? How Does It Contribute to Implementing a Change?

    Essentially, Project Management (PM) is a discipline of implementing a change effectively and efficiently through continuous planning, development, implementation, monitoring and control of projects in order to bring significant benefits to an organization and/or an individual through the change.

    PM is a methodology of managing initiatives and efforts to produce a desired outcome (product or service) according to requirements specified. When an organization uses PM, it can make a beneficial change by:
    • Ensuring that finite resources (human, time, funds, technology, knowledge etc.) are utilized on the right projects
    • Combining the energy of personnel in implementing the change
    • Managing related changes in an organized way
    • Assessing and mitigating risks surrounding the success of the change
    • Defining goals and key success areas
    • Establishing quality objectives
    The PM discipline makes it possible to make a change by using a methodological path of implementation. It allows using a management approach to regard the act of making a change as a process of managing a project that can be presented as a series of phases such as:
    • Planning
    • Start
    • Execution
    • Control
    • Closure
    Having such a model of the project implementation process, an organization gets a powerful tool to make a change. An organization can do the following:
    • Define a project aimed to make a beneficial change
    • Transform the change into a need to be addressed by the project
    • Organize the project into a set of manageable stages, tasks and activities
    • Obtain appropriate and necessary resources, including people, technology, funds and others
    • Assemble and manage a team to perform the work
    • Make a plan of how to do the work using finite resources
    • Monitor and control progress
    • Report progress to senior management and stakeholders
    • Terminate the project when its goals are accomplished
    • Review the results achieved to identify whether the project has addressed the need
    • Review lessons learned