First, you have to take into account that costs such as the cleanup cost likely could have been readily avoided simply by having tight computer security standards to begin with. That expense had as much to do with the security vs. user convenience issue as it did with Windows. Any environment can be made insecure by caving to user desires regardless of the operating system in use.
A properly locked down Windows environment can be fairly secure; the problem is that users can no longer use their computers the way they want to and they complain. User complaints such as those typically win out until such time as convenience starts to cost real money for cleanup. The cost of incompetence or catering to users should not be factored into any cost case for any product.
Think outside IT, to something like shipping oil overseas. The fact that a single given ship has an incident that costs tens of millions of dollars to clean up because the captain was incompetent and ran aground does not take away from typical shipping costs at all. It simply shows the cost of administrative or managerial incompetence. If you want a true cost comparison you need to compare sites that follow best practices for the industry and look and see what their costs are.
Understand I am /not/ saying that Microsoft would be / is the cheaper product, but comparisons that include incompetence are misleading at best.
Didn't the Supremes just set a precedent for excessive damage awards when they whacked the Exxon Valdez award a couple years back? Why not use that ratio as precedent for all such future damage awards?
Think of this as an extension of the whole broken windows theory. When you are surrounded by broken windows you treat a neighborhood as bad (never mind the residents). When a person is surrounded by blighted neighborhoods then the only thing they can see is blight. Improve the environment, change the neighborhood - it can only help change the residents.
Audit work has been about 20% of my workload over the last few years. Auditing isn't about having the perfect environment (which I've never yet seen), it's about being able to say "I have conducted business in a good faith manner following industry best practices" - and that is what allows you to win in court. When management brings you in for an audit they are expecting someone to find these kinds of problems and point them out. They need someone who is /not/ a staff member, has no stake in things, no political ax to grind, to come in and verify that things really are OK. I've seen environments like the client I'm with now that went years without an outside auditor before I came in, and these are typically the ones that you hear about on the news for massive breaches.
Auditing is about trust and the reassurance that your systems are running under industry best practices and do not have undocumented security risks. Oftentimes it takes an outside auditor's report to get through red tape so that budget /can/ be allocated. Management (and it's not uncommon for audits to be paid for outside of IT's budget) needs to have something that they can trust and that they can use to have a legally defensible position. The auditor's job is to find holes, identify problems, explicitly identify risk, review personnel and so on and then document it. That being said, the auditor always runs the risk of being asked to fix what they find, so the auditor needs to be realistic in their work.
Insurance policies, industry certifications, millions in losses and public goodwill all ride on these reports. Some auditors are afraid of writing a critical report as they fear they will personally be poorly reviewed by the client if they do, or they do not want to risk offending the client and losing repeat business. This is where lawsuits come in, so that the integrity of the audit is placed before fear of losing repeat business. That being said, writing reports that tell a client they don't know jack and have to redo everything and that they should hire some additional personnel without offending anyone is an art form in its own right.
Checklist of what is wrong with this candidate coming from someone who leans Democrat:
She is sexist. (openly made comments against men)
She is racist. (openly made comments against whites)
She is against constitutional rights. (on the record against the 2nd amendment)
She is against civil rights. (Supports RIAA)
Now if this same candidate was openly against black females she would have immediately been slaughtered by the press. It's time the press stop sucking up to Obama and start doing some critical reporting. When is this attitude of /certain/ racism and /certain/ sexism being ok in politicians going to be rejected?
Good question on what best practices means and who defines it. I will define best practices as "Those practices that industry has determined by consensus as being the right way to do something". Sometimes vendors describe their own best practices, but what they describe is not always the consensus in the field. I worked as a consultant for one of the major vendors for a while, and we ran into this in the field where the vendor's best practice did not match the consensus in the field.
One of the things I have done to describe things in the past where a consensus had not been reached is tell clients something was a "common practice". I think any practice has to spend time in the common practice area before it can become a best practice, and I would be explicit with my clients if something did not match best practices. I have also many times told clients that there is more than one "school of thought" when it came to something with contradictory common practices.
Sources of best practices that I have used beyond my personal experience:
The best resource of all without question has been the people that were senior to me that were willing to let me ask 101 questions on "why" they did something. Learning to listen when someone describes why something was or wasn't done a certain way, and to look past the immediate technical solution I thought was best, was the most important thing I ever developed.
You bring up good points about discrediting others and I think they deserve to be addressed.
Certainly there are consultants that will try to discredit departments when they go in, in order to increase billable hours. On a practical level discrediting staff doesn't take you very far as they are often the people you will need to work with. Without question staff often knew I would evaluate them and this could put them on edge; getting them to realize I'm not there to get anyone fired was one of the first things I had to do.
In practice once I got going people relaxed once they realized I wasn't out to get them fired, and didn't stay wound up very long as they knew they needed to improve certain skill sets. I was often able to justify many an IT person's ability to have work pay for something like community college classes in SQL, as well as identify underutilized staff and show management someone might deserve a bigger role. I did a lot of things like getting existing staff to start new skill sets by showing how the company would benefit - for example getting someone started with a career in patch management or packaging.
What is more common than discrediting people is for the consultant to identify areas that need work (if the company didn't know or suspect this to begin with you probably wouldn't be there to begin with) and seek to turn those areas into additional engagements. You might be surprised but I can't recall administrators that ever raised a non-budgetary objection to proposed work, for three simple reasons. The first being they always considered themselves overworked and lacking the time to begin with, second because they will be the ones to benefit in lifecycle when it's done and third because it gave them a chance for additional training which can only improve their personal careers.
Certainly bad or missing documentation is the norm; it's something few technical people enjoy doing so it typically gets neglected. That being said, bad documentation alone would rarely be enough to cost anyone their job. To illustrate some of the reasons the previous administrators in my present place are gone:
Failure to adhere to industry best practices - example: they never tested things like SQL backup jobs
An architecture that was fundamentally broken - example: they split a production and reporting server for load balancing and then back-ended them to the same 4GB SQL server
Failure to test before production - example: previously wasting a $50,000 SQL server (which has been online and unused for a year now) by never testing before a failed migration to production
Making SQL jobs that were needlessly complex - example: they had SQL jobs with several additional layers of complexity that were not needed
Lack of even basic security awareness - example: one SQL server was unhardened and sitting outside the DMZ - its database was then backed up into a production server inside the DMZ by script
Needless complexity - example: a process that previously took 12 days labor was readily chopped into 4 days labor
Documentation so bad that it proved they were incompetent - example: flowcharts that were logically impossible and demonstrated circular logic
You are both on and off the mark. First, I'm an enterprise architecture consultant for a living, I've done lifecycle administration in the past and do some now. I've certainly done audits, even to the point of being brought overseas, but that was only about 20% of my work. Once the audit is done my job was typically to follow up with how to bring things up to par. Staffing, architecture, servers, licensing and bandwidth considerations all come into play and receive my recommendations. I am far more likely to identify areas where training and skills development can be used to improve existing staff than recommend the removal of incompetent staff in entirety - my present assignment being an exception.
The first thing that is done after the audit is the architectural design document; this is needed before changes to production can be made. Implementation would typically be 60% of my time, with most of the rest devoted to training local resources. Risk assessment should be a requirement for any design documentation; this includes everything from staff skill levels to server backups and off site disaster recovery plans and is certainly part of any design document I write.
I certainly agree with you about getting someone else in for training. I get the feeling that the story poster runs a very small IT department and may not have that resource. Unfortunately the poster's Dilbert situation is probably spot on as you identified, and there is nothing you can do against management incompetence unless you get very lucky. (I once did a mandatory annual outside audit/review for a government agency where I identified significant risks that the agency management had no budget to fix - it turned out someone actually did read the reports and they were able to provide additional funding to resolve their issues based on my report). Sometimes documentation of risk is all you can do, as one manager explained to me years ago when I didn't want to document things that were in my head: "if you can't be replaced, you can't be promoted".
Who's bragging, AC? I made a simple statement of facts, and you respond with a witless personal attack hiding as an anonymous coward. The fact that details like VLANs got left off is moot, you fail to miss the point. The point is what kind of documentation to write, not what details are needed. The needs of the poster could be anywhere from documenting the configuration of email servers, DNS, Active Directory, SQL databases, VOIP or a hundred other things.
I covered enterprise architecture, showing what the big picture is - this is his requirement, not a checklist of inane details such as rack space diagrams. The fact that you're questioning the usage of an architecture design document merely shows your lack of experience. I have learned much over the years by listening to people more senior than me who were willing to talk; I suggest you should do the same.
The previous administrators are now gone for incompetence and the process of damage control and bringing their environment into best practice has begun.
At the present client I am at, I inherited a network of about 15,000 clients that was previously managed by a very incompetent IT department. I started by looking at the existing flowcharts and discovered that almost everything that was documented was wrong... Long story short, I have been spending a fair bit of time reverse engineering their production environment so that we could accurately document it. Unfortunately we have come to the conclusion that we can use /nothing/ that the previous administrators left behind for documentation. You don't want someone like me coming in and looking at your documentation and declaring you incompetent; it can cost you your job.
You haven't detailed the size of your organization to know if you will need sign off from other departments or not. If possible try to get sign off so that they have a reference and you can create a standard that can be used to fix things and to ensure your designs don't get trampled by a new admin in another department. You really need to provide more detail on your environment for people to answer you.
I do most work in Visio, starting at 50,000 feet and working my way down. At this level I need to document network topology, server distribution and database server distribution. I work my way down from there using a zoom-in style that has served me well for 30 some clients. Depending on the size, complexity and your area of responsibility you may need to flowchart anywhere from 2-3 levels to potentially dozens of disparate processes. You haven't mentioned much about process development; I assume you want people to know how to do at least critical portions. Never write a process without flowcharting it; this will save you grief by getting people to focus on the process instead of a step by step set of directions. It takes someone fairly good to document the complex and make it look simple, that is your job at this point in time.
The bottom line is that your documentation should show dataflow for each critical system. As long as you can do this someone else can step in and work with what you have, even if they may not understand a given piece. One of the big advantages of flowcharting everything (especially processes!) is that this will readily show you weaknesses and holes that may have been previously overlooked. When flowcharting complex processes don't be afraid to have a single point represent an entire additional complex process that can be distinctly referenced of its own accord (as a car repair manual of mine once described the process to replace a crankshaft: "Step 1. Remove Engine".) If you try to put too much detail in a given process you lose your audience and the value of the documentation.
Bottom line, when I am done with a design document it covers server, network, database and client topology in varying levels of detail with dataflow. A typical design document I would turn over would be 150 pages, with most of that broken down into different sections describing what was done, why it was done, the best practices followed for build, and best practices for lifecycle. The document typically does not get read by any one person; instead it would be a reference for a number of different departments that will each reference it according to their own needs.
I don't understand, their reality distortion field has got to be worth millions in its own right. Nice thing about Chapter 7 is they have to auction /everything/. I wonder if you can buy their data and load up their servers to see what they were really thinking. Perhaps someone can buy whatever rights they thought they had and donate everything to the FSF.
I had to go through that a few years ago. Lenovo sells a number of laptops without cameras, so look at what they have. As for phones, that can be even harder.
Last time I had to buy a phone like that it took me half an hour to get it through the heads of the reps at Verizon that I wasn't looking for a cheap prepay phone... When all was said and done I had a choice of three phones in the store, and had to settle for a floor display for an out of production phone.
You test with both, dependent upon the situation. I spelled that out for you in plain English. I'll break it down even further for you to make it even easier to understand. If you are working with HII or drivers you work with physical hardware that represents production. If you are working with most lifecycle (patch management, software and almost anything else done in lifecycle) then you work with VM sessions. If you can't understand this now then you are beyond my ability to help.
I never suggested that you don't do hardware based (HII etc) testing on functional hardware. Before you pass judgement and make yourself look like an ass as you just did, read what I wrote, not what you think I might have said - it was carefully worded. I'll go through and break it down since you had trouble comprehending what I wrote.
All of the above effectively dictate a large increase in staff and lab resources to do testing. This means you need more staff and other resources for increased lab testing above what is already had. I've seen very few enterprise labs that aren't running near capacity as it is.
Since most testing is done under VMware this also dictates new investment of equipment, time and training resources on Microsoft's virtualization platform. This means you have an entire additional set of test scenarios to run; unless you are running a lab at half capacity for equipment and manpower, you're going to have to increase both. This also means you have to increase training resources for IT staff who will need to learn Windows 7 and Virtual PC and then turn around and transfer that knowledge through the organization and ultimately to the end user.
It also means I can't just use the same ESX server to do the testing that was already in place. You may not have bothered reading through what Microsoft has said they will do, however I did and I noticed Microsoft has restricted which CPUs will run their virtual session. They could easily restrict their virtual session from running under an already existing virtual processor in a VM session. Regardless, running a virtual session under a virtual session will tie up more server resources than a singular virtual session. This translates into more overhead and burden on the server and that translates into additional hardware costs.
Nowhere did I say anything about not running HII testing or otherwise on physical hardware. Save your personal attacks for when you happen to know what you're talking about.
Your point is a valid one, and without question I have been bitten by that rattlesnake too many times. I can assure you that a fair number of the people I have talked and worked with (myself included) have taken a hearty look at Ubuntu 64-bit edition as they have also been bitten. If Microsoft forces the issue by saying they are going to remove XP from the table altogether, then Ubuntu 64 will start to get serious field tests.
It isn't a question of capability for desktop work for Linux (I largely view it as capable), it's a question of compatibility and training costs. The bottom line is - can it meet operational needs - can it do so cheaper than something else? The upgrade path many organizations have is XP 32-bit for as long as possible followed by either Windows 7 64-bit or Ubuntu 64-bit. Ubuntu seems to have nailed many of the desktop support issues that other distros have missed and I have no doubt they are the leading Linux based contender right now.
I always have to look at things from two different perspectives, personally and professionally. Personally I run VMware at home and I love it; professionally, asking me to have tens of thousands of users running it would be a logistical boondoggle. The bottom line is that you support what best meets operational requirements, even if you don't like it. I use Firefox personally, but trying to roll it out on a wide scale for an enterprise would have a significant cost for training, compatibility testing and software rewrites to work with another browser.
The whole concept of what Microsoft wants you to do is to start using Windows 7 on a daily basis and only load up XP as needed on an ad hoc basis. While Microsoft can waive their licensing costs, what they can't waive is other vendors' licensing costs, and many of those vendors charge per OS seat in production.
Certainly at some point enterprises will need to move away from XP, but there is no cost effective argument for doing so in the next several years. The requirements to move a large enterprise with thousands of supported applications to a new platform can literally take years just in terms of testing alone - and that's with a dedicated lab staff. Your point on narrow virtualization is off; I've worked with implementing things like Altiris SVS and while something like that may be what Microsoft has in mind, it's not what the enterprise is going to see. They are going to look at this as they would a VMware session. They are going to want to keep as much on XP as they can from a cost management standpoint.
The bottom line is that you are going to end up having to support two operating systems at the same time on recent hardware (MS has said the CPU selection is limited - I haven't yet seen how limited) on top of supporting the virtualization technology. They think this will solve the issue of backwards compatibility holding off implementing Windows 7 at the enterprise level, when this will only add more problems than it solves.
You could do something like using Linux off of PXE boot and have that host and automatically load a Windows XP session. This type of setup is used in places like kiosks where you have a hostile user environment and need the ability to easily restore XP as needed. This would present a single operating system to the user, avoid license issues, allow easy access from a troubleshooting standpoint and so on.
My issue with Microsoft is that they want you to run Windows 7 on a normal basis and then load a virtual XP on an as needed basis. This puts enterprises in the business of supporting two platforms per PC and will significantly increase their support costs.
I have worked as an enterprise consultant and architect for the last several years working with enterprise environments upwards of 75,000 desktops and 15,000 servers in everything from government to finance servers that link up directly with stock exchanges (NYSE, Tokyo etc). I noticed you did not refute the points, but only showed your immaturity and inexperience in your response. You completely missed the point that Microsoft wants people to run both in a desperate bid to start getting enterprises to actually roll out Windows 7. My point is that you don't want to run both, that it won't solve the problems that Microsoft thinks it will.
You fail to understand why Microsoft is doing this; it certainly isn't so that a home user can run Windows XP and load up an old game. Microsoft is offering this because enterprises refuse to move away from what is known to work - XP. They obviously think that by offering a Virtual PC session of XP they will alleviate their customers' concerns about losing the largest base of available software for any operating system and because it is known to be compatible. They are doing this because people like me are making official recommendations not to migrate to Vista or Windows 7 and they are trying to remove what they perceive to be an objection.
You have obviously never had to look at identifying and testing 3-4000 applications for something as simple as a service pack rollout. The experience you may have with patching your personal computer and perhaps a few friends has no relevance to patching or upgrading thousands of desktops. When you move away from your personal system to supporting tens of thousands of systems and need to keep them up and running through major upgrades, hardware replacements or operating systems rollouts you will have a place to speak.
You seem to have completely misread my post and show your ignorance in your response. I have been working with variations of VMware since 2004 and have set up both labs and production servers using it. My point had nothing to do with hardware compatibility of the virtualized system other than to test pass-through of legacy XP drivers through Windows 7. My issues were with setting up and supporting multiple platforms in an enterprise environment.
The issues that you may encounter running a tightly controlled ESX server hosting Windows Server or so on are nothing at all like those that would be encountered by the lay person hosting a virtual OS on their desktop. Microsoft is proposing that a customized form of Virtual PC would be run using Windows 7 as the host. In the future I suggest you read what someone has written before ignorantly attacking that person.
This comes from someone who does large enterprise (15,000 - 75,000) infrastructure support at the architect level - so perhaps someone from Microsoft will read this. The problem that Microsoft has here is a failure to understand the needs of their enterprise customers. The inclusion of this feature shows that Microsoft has not really listened to their enterprise class customers. In principle this sounds like a really neat idea; now let me explain why this is dead on arrival.
This introduces two platforms to perform patch management on instead of one. At the enterprise level this is a /really/ big deal.
This introduces two platforms to perform software compatibility / certification testing on. Now instead of testing Acrobat on XP, one must also test it on Windows 7.
This introduces two platforms to perform hardware compatibility testing on. The testing of drivers has just increased significantly.
My support costs for helpdesk and desktop support have just increased as I have now introduced something new to non-technical staff that will require training.
All of the above effectively dictate a large increase in staff and lab resources to do testing. Since most testing is done under VMware this also dictates new investment of equipment, time and training resources on Microsoft's virtualization platform. It also means I can't just use the same ESX server to do the testing that was already in place.
This greatly complicates large scale image deployment. You need to test your hardware image for both Windows 7 and the XP image. Will that XP-only scanner work when Windows 7 won't properly recognize it?
License costs - If I'm running two operating systems, I still have to pay licensing costs for the XP session on top of the Windows 7 host. This could easily double the cost of applications like antivirus software.
The real problem though is the poison pill. They have greatly reduced CPU support to only a select few CPUs. If I'm supporting 20 to 60 hardware platforms, this becomes a /really/ big deal as I now have to cost justify Windows 7 and replacing hardware that would not otherwise need replacing in order to have a consistent image across the enterprise. Unless I'm performing an entirely new roll out and replacement I can't cost justify that expenditure. And if I don't replace the hardware to have a consistent image I will have two radically different platforms to support over a three to four year hardware lifecycle, which greatly increases support costs.
The bottom line is that I can't do a seamless implementation into the environment; the amount of overhead for the extra testing, training, hardware and certification means that it simply can't be cost justified. Microsoft needs to remember that their two biggest competitors are XP and Linux. Any CIO worth his salt is going to ask one very simple question when presented with these costs: "Why aren't we sticking with Windows XP to begin with?".
I'm not opposed to things like VMware; I have set up labs professionally for clients as a consultant and personally have paid for the Workstation application and run it at home. I think it's great for IT needs, but the above issues should help explain why this feature is not the answer that Microsoft thinks it is. On a personal level I like this feature, and will almost certainly run it at home, so I speak professionally, not personally.
It can make sense to do it yourself dependent upon the value of your time vs. a contractor. If your cost is $50 an hour, then the cables and tools have to come in cheaper than that. If you can't afford a contractor then you'll need to learn to do it yourself. You'll also need to do it yourself if you need custom length cables. Some tips from what I have learned:
Don't buy cheap tools! Buy a good quality Paladin or equivalent crimper. Home Depot sells them and they are readily available online.
Buy a good quality cable tester from Fluke or equivalent. There might be a halfway decent occasional use one for under $200, but better to be safe on this one.
Buy your RJ45 plugs in bulk online. Don't buy them retail or you will pay too much money.
Buy a good quality punchdown tool, don't buy a cheap one.
Study up on how to make the cables, it should not take more than a few hours to get it down.
If you will need to run cables through the walls and plenum then things can change quite a bit, especially for a commercial building. That is where you need to read up on code and the like.
Test, test, test! Every test should be repeatable; don't consider it good until you have done so. Use your cable tester for doing the tests. Just because your notebook detects a 1000 Mbps connection does not mean you have a good quality connection. Lastly, if you have to buy the tools personally, save the receipts as these are considered "tools of the trade" and you may be able to write them off on taxes.
No guns of course, that would be politically incorrect and might harm these poor misunderstood souls that seek to board the ships and we don't dare hurt their feelings. Playing catch and release with pirates is the politically correct thing to do nowadays. Instead we'll get the UN involved to send them a sternly worded letter saying No! Works every time, just ask the survivors in Darfur etc....
I've worked in credit with large balance fraud; a skilled fraud investigator can find fraud in a very short period of time. I have worked with law enforcement for some of the bigger stuff. The guys in the credit world are better at busting that kind of thing. I could call up a contact at the Secret Service and the conversation would go like this:
1. Here's your victim
2. Here's the crime
3. Here's the perp's bogus ID, address and so on
4. Here's the perp's real information
All the Secret Service agent had to do was verify my information, get a warrant and fetch the perp. Yes, this could and did include finding people overseas. When you do something like that for a living it becomes easy to work with.
The point is to cut off their source of funding, which primarily comes through credit cards. Cut off the funding source and you remove most of the profit for a lot of these rackets. The point of number three is to try and get law enforcement involved to make arrests. Criminals go where the money is; attack the money and you make it a less lucrative crime. Big difference between something like that versus something like the drug trade is cash vs. credit.
If you really want to make an impact you need to target their source of funds. Getting Visa and Mastercard to get very proactive about shutting down their funding source would do far more than any threat of arrest ever will. These criminal rings do these things (spam, bogus software etc) because they are an easy source of money. Visa and Mastercard are so slow in shutting down illicit sites that the time it takes allows them to make a handsome profit.
Easy low cost way to do this:
1. Allow the public at large to easily report suspected fraud to a centralized web site.
2. Assign investigators from the credit card companies to monitor the site and check out reported fraud reports.
3. Have the finance investigators work with requisite police agencies world wide.
Until you shut off the easy finance spigot these will continue to proliferate. Let's face it, does it really take a prolonged investigation to see if AntiVirus 2009 or the latest penile enhancement pill just might be bogus? Right now the criminals act with impunity because it is profitable, and the credit card companies have a laissez-faire attitude because they also make money. You need to convince the credit card companies to be more willing to forgo their fees and do their part.
First, you have to take into account that costs such as the cleanup cost likely could have been readily avoided simply by having tight computer security standards to begin with. That expense had as much to with the security vs user convenience issue as it did with Windows. Any environment can be made insecure by caving to user desires regardless of the operating system in use.
A properly locked down windows environment can be fairly secure, the problem is that users can no longer use their computers the way they want to and they complain. User complaints such as those typically win out until such time as convenience starts to cost real money for cleanup. The cost of incompetence or catering to users should not be factored into any cost case for any product.
Think outside IT, to something like shipping oil overseas. The fact that a single given ship has an incident that costs tens of millions of dollars to cleanup because the captain was incompetent and ran aground does not take away from typical shipping costs at all. It simply shows the cost of administrative or managerial incompetence. If you want a true cost comparison you need to compare sites that follow best practices for the industry and look and see what their costs are.
Understand I am /not/ saying that Microsoft would / is the cheaper product, but comparisons that include incompetence are misleading at best.
Didn't the supreme's just set a precedent for excessive damage awards when they whacked the exxon valdez award a couples years back? Why not use that ratio as precedent for all such future damage awards?
Think of this as an extension of the whole broken windows theory. When you are surrounded by broken windows you treat a neighborhood as bad (never mind the residents). When a person is surrounded by blighted neighborhoods then the only thing they can see is blight. Improve the environment, change the neighborhood - it can only help change the residents.
Audit works has been about 20% of my workload over the last few years. Auditing isn't about having the perfect environment (which I've never yet seen), it's about being able to say "I have conducted business in a good faith manner following industry best practices" - and that is what allows you to win in court. When management brings you in for an audit they are expecting someone to find these kinds of problems and point them out. They need someone who is /not/ a staff member, has no stake in things, no political ax to grind to come in and verify that things really are OK. I've seen environments like the client I'm with now that went years without an outside auditor before I came in and these are typically the ones that you hear about on the news for massive breaches.
Auditing is about trust and the reassurance that your systems are running under industry best practices and do not have undocumented security risks. Oftentimes it takes an outside auditor's report to get through red tape so that budget /can/ be allocated. Management (and it's not uncommon for audits to be paid for outside of IT's budget) needs to have something that they can trust and that they can use to have a legally defensible position. The auditor's job is to find holes, identify problems, explicitly identify risk, review personnel and so on and then document it. That being said, the auditor always runs the risk of being asked to fix what they find, so the auditor needs to be realistic in their work.
Insurance policies, industry certifications, millions in losses and public goodwill all ride on these reports. Some auditors are afraid of writing a critical report as they fear they will personally be poorly reviewed by the client if they do, or they do not want to risk offending the client and losing repeat business. This is where lawsuits come in, so that the integrity of the audit is placed before fear of losing repeat business. That being said, writing reports that tell a client they don't know jack and have to redo everything and that they should hire some additional personnel without offending anyone is an art form in its own right.
Now if this same candidate was openly against black females she would have immediately been slaughtered by the press. It's time the press stop sucking up to Obama and start doing some critical reporting. When is this attitude of /certain/ racism and /certain/ sexism being ok in politicians going to be rejected?
One of the things I have done to describe things in the past where a consensus had not been reached is tell clients something was a "common practice". I think any practice has to spend time in the common practice area before it can become a best practice, and I would be explicit with my clients if something did not match best practices. I have also many times told clients that there is more than one "school of thought" when it came to something with contradictory common practices.
Sources of best practices that I have used beyond my personal experience:
Certainly there are consultants that will try to discredit departments when they go in order to increase billable hours. On a practical level discrediting staff doesn't take you very far as they are often the people you will need to work with. Without question staff often knew I would evaluate them and this could put them on edge; getting them to realize I'm not there to get anyone fired was one of the first things I had to do.
In practice once I got going people relaxed once they realized I wasn't out to get them fired and didn't stay wound up very long as they knew they needed to improve certain skill sets. I was often able to justify many an IT person's ability to have work pay for something like community college classes in SQL, as well as identify underutilized staff and show management someone might deserve a bigger role. I did a lot of things like getting existing staff to start new skill sets by showing how the company would benefit - for example getting someone started with a career in patch management or packaging.
What is more common than discrediting people is for the consultant to identify areas that need work (if the company didn't know or suspect this to begin with you probably wouldn't be there to begin with) and seek to turn those areas into additional engagements. You might be surprised but I can't recall administrators that ever raised a non-budgetary objection to proposed work for three simple reasons. First being they always considered themselves overworked and lacking the time to begin with, second because they will be the ones to benefit in lifecycle when it's done and third because it gave them a chance for additional training which can only improve their personal careers.
Certainly bad or missing documentation is the norm; it's something few technical people enjoy doing so it typically gets neglected. That being said, bad documentation alone would rarely be enough to cost anyone their job. To illustrate some of the reasons the previous administrators in my present place are gone:
You are both on and off the mark. First, I'm an enterprise architecture consultant for a living, I've done lifecycle administration in the past and do some now. I've certainly done audits, even to the point of being brought overseas, but that was only about 20% of my work. Once the audit is done my job was typically to follow up with how to bring things up to par. Staffing, architecture, servers, licensing and bandwidth considerations all come into play and receive my recommendations. I am far more likely to identify areas where training and skills development can be used to improve existing staff than recommend the removal of incompetent staff in entirety - my present assignment being an exception.
The first thing that is done after the audit is the architectural design document; this is needed before changes to production can be made. Implementation would typically be 60% of my time, with most of the rest devoted to training local resources. Risk assessment should be a requirement for any design documentation, this includes everything from staff skill levels to server backups and off site disaster recovery plans and is certainly part of any design document I write.
I certainly agree with you about getting someone else in for training, I get the feeling that the story poster runs a very small IT department and may not have that resource. Unfortunately the poster's Dilbert situation is probably spot on as you identified, and there is nothing you can do against management incompetence unless you get very lucky. (I once did a mandatory annual outside audit/review for a government agency where I identified significant risks that the agency management had no budget to fix - it turned out someone actually did read the reports and they were able to provide additional funding to resolve their issues based on my report). Sometimes documentation of risk is all you can do, as one manager explained to me years ago when I didn't want to document things that were in my head: "if you can't be replaced, you can't be promoted".
Who's bragging, AC? I made a simple statement of facts, and you respond with a witless personal attack hiding as an anonymous coward. The fact that details like VLANs got left off is moot, you fail to miss the point. The point is what kind of documentation to write, not what details are needed. The needs of the poster could be anywhere from documenting the configuration of email servers, DNS, Active Directory, SQL databases, VOIP or a hundred other things.
I covered enterprise architecture, showing what the big picture is - this is his requirement, not a checklist of inane details such as rack space diagrams. The fact that you're questioning the usage of an architecture design document merely shows your lack of experience. I have learned much over the years by listening to people more senior than me who were willing to talk, I suggest you should do the same.
The previous administrators are now gone for incompetence and the process of damage control and bringing their environment into best practice has begun.
Present client I am at I inherited a network of about 15,000 clients that was previously managed by a very incompetent IT department. Started by looking at the existing flowcharts and discovered that almost everything that was documented was wrong... Long story short I have been spending a fair bit of time reverse engineering their production environment so that we could accurately document it. Unfortunately we had come to the conclusion that we can use /nothing/ that the previous administrators left behind for documentation. You don't want someone like me coming in and looking at your documentation and declaring you incompetent, it can cost you your job.
You haven't detailed the size of your organization to know if you will need sign off from other departments or not. If possible try to get sign off so that they have a reference and you can create a standard that can be used to fix things and to ensure your designs don't get trampled by a new admin in another department. You really need to provide more detail on your environment for people to answer you.
I do most work in Visio, starting at 50,000 feet and working my way down. At this level I need to document network topology, server distribution and database server distribution. I work my way down from there using a zoom-in style that has served me well for 30 some clients. Depending on the size, complexity and your area of responsibility you may need to flowchart anywhere from 2-3 levels to potentially dozens of disparate processes. You haven't mentioned much about process development, I assume you want people to know how to do at least critical portions. Never write a process without flowcharting it; this will save you grief by getting people to focus on the process instead of a step by step set of directions. It takes someone fairly good to document the complex and make it look simple, that is your job at this point in time.
The bottom line is that your documentation should show dataflow for each critical system. As long as you can do this someone else can step in and work with what you have, even if they may not understand a given piece. One of the big advantages of flowcharting everything (especially processes!) is that this will readily show you weaknesses and holes that may have been previously overlooked. When flowcharting complex processes don't be afraid to have a single point represent an entire additional complex process that can be distinctly referenced of its own accord (as a car repair manual of mine once described the process to replace a crankshaft: "Step 1. Remove Engine".) If you try to put too much detail in a given process you lose your audience and the value of the documentation.
Bottom line, when I am done with a design document it covers server, network, database and client topology in varying levels of detail with dataflow. A typical design document I would turn over would be 150 pages with most of that broken down into different sections describing what was done, why it was done, the best practices followed for build, and best practices for lifecycle. The document typically does not get read by any one person; instead it would be a reference for a number of different departments that will each reference it according to their own needs.
I don't understand, their reality distortion field has got to be worth millions in its own right. Nice thing about chapter 7 is they have to auction /everything/. I wonder if you can buy their data and load up their servers to see what they were really thinking. Perhaps someone can buy whatever rights they thought they had and donate everything to the FSF.
I had to go through that a few years ago. Lenovo sells a number of laptops without cameras, so look at what they have. As for phones, that can be even harder.
Last time I had to buy a phone like that it took me half an hour to get it through the reps' heads at Verizon that I wasn't looking for a cheap prepay phone..... When all was said and done I had a choice of three phones in the store, and had to settle for a floor display for an out of production phone.
You test with both, dependent upon the situation. I spelled that out for you in plain English. I'll break it down even further for you to make it even easier to understand. If you are working with HII or drivers you work with physical hardware that represents production. If you are working with most lifecycle (patch management, software and almost anything else done in lifecycle) then you work with VM sessions. If you can't understand this now then you are beyond my ability to help.
Nowhere did I say anything about not running HII testing or otherwise on physical hardware. Save your personal attacks for when you happen to know what you're talking about.
Your point is a valid one, and without question I have been bitten by that rattlesnake too many times. I can assure you that a fair number of the people I have talked and worked with (myself included) have taken a hearty look at Ubuntu 64-bit edition as they have also been bitten. If Microsoft forces the issue by saying they are going to remove XP from the table altogether then Ubuntu 64 will start to get serious field tests.
It isn't a question of capability for desktop work for Linux (I largely view it as capable), it's a question of compatibility and training costs. The bottom line is - can it meet operational needs - can it do so cheaper than something else? The upgrade path many organizations have is XP 32-bit for as long as possible followed by either Windows 7 64-bit or Ubuntu 64-bit. Ubuntu seems to have nailed many of the desktop support issues that other distros have missed and I have no doubt they are the leading Linux based contender right now.
I always have to look at things from two different perspectives, personally and professionally. Personally I run VMware at home and I love it, professionally asking me to have tens of thousands of users running it would be a logistical boondoggle. The bottom line is that you support what best meets operational requirements, even if you don't like it. I use Firefox personally, but trying to roll it out on a wide scale for an enterprise would have a significant cost for training, compatibility testing and software rewrites to work with another browser.
The whole concept of what Microsoft wants you to do is to start using Windows 7 on a daily basis and only load up XP as needed on an ad hoc basis. While Microsoft can waive their licensing costs, what they can't waive is other vendors' licensing costs, and many of those vendors charge per OS seat in production. Certainly at some point enterprises will need to move away from XP, but there is no cost-effective argument for doing so in the next several years. The requirements to move a large enterprise with thousands of supported applications to a new platform can literally take years just in terms of testing alone - and that's with a dedicated lab staff. Your point on narrow virtualization is off, I've worked with implementing things like Altiris SVS and while something like that may be what Microsoft has in mind, it's not what the enterprise is going to see. They are going to look at this as they would a VMware session. They are going to want to keep as much on XP as they can from a cost management standpoint. The bottom line is that you are going to end up having to support two operating systems at the same time on recent hardware (MS has said the CPU selection is limited - I haven't yet seen how limited) on top of supporting the virtualization technology. They think this will solve the issue of backwards compatibility holding off implementing Windows 7 at the enterprise level, when this will only add more problems than it solves.
You could do something like using Linux off of PXE boot and have that host and automatically load a Windows XP session. This type of setup is used in places like kiosks where you have a hostile user environment and need the ability to easily restore XP as needed. This would present a single operating system to the user, avoid license issues, allow easy access from a troubleshooting standpoint and so on.
My issue with Microsoft is that they want you to run Windows 7 on a normal basis and then load a virtual XP on an as-needed basis. This puts enterprises in the business of supporting two platforms per PC and will significantly increase their support costs.
I have worked as an enterprise consultant and architect for the last several years working with enterprise environments upwards of 75,000 desktops and 15,000 servers in everything from government to finance servers that link up directly with stock exchanges (NYSE, Tokyo etc). I noticed you did not refute the points, but only showed your immaturity and inexperience in your response. You completely missed the point that Microsoft wants people to run both in a desperate bid to start getting enterprises to actually roll out Windows 7. My point is that you don't want to run both, that it won't solve the problems that Microsoft thinks it will.
You fail to understand why Microsoft is doing this, it certainly isn't so that a home user can run Windows XP and load up an old game. Microsoft is offering this because enterprises refuse to move away from what is known to work - XP. They obviously think that by offering a virtual PC session of XP that they will alleviate their customers' concerns about losing the largest base of available software for any operating system and because it is known to be compatible. They are doing this because people like me are making official recommendations not to migrate to Vista or Windows 7 and they are trying to remove what they perceive to be an objection.
You have obviously never had to look at identifying and testing 3-4000 applications for something as simple as a service pack rollout. The experience you may have with patching your personal computer and perhaps a few friends has no relevance to patching or upgrading thousands of desktops. When you move away from your personal system to supporting tens of thousands of systems and need to keep them up and running through major upgrades, hardware replacements or operating systems rollouts you will have a place to speak.
You seem to have completely misread my post and show your ignorance in your response. I have been working with variations of VMware since 2004 and have set up both labs and production servers using it. My point had nothing to do with hardware compatibility of the virtualized system other than to test pass-through of legacy XP drivers through Windows 7. My issues were with setting up and supporting multiple platforms in an enterprise environment. The issues that you may encounter running a tightly controlled ESX server hosting Windows Server or so on are nothing at all like those that would be encountered by the lay person hosting a virtual OS on their desktop. Microsoft is proposing that a customized form of Virtual PC would be run using Windows 7 as the host. In the future I suggest you read what someone has written before ignorantly attacking that person.
The bottom line is that I can't do a seamless implementation into the environment; the amount of overhead for the extra testing, training, hardware and certification means that it simply can't cost-justify. Microsoft needs to remember that their two biggest competitors are XP and Linux. Any CIO worth his salt is going to ask one very simple question when presented with these costs: "Why aren't we sticking with Windows XP to begin with?"
I'm not opposed to things like VMware, I have set up labs professionally for clients as a consultant and personally have paid for the Workstation application and run it at home. I think it's great for IT needs, but the above issues should help explain why this feature is not the answer that Microsoft thinks it is. On a personal level I like this feature, and will almost certainly run it at home, so I speak professionally, not personally.
If you will need to run cables through the walls and plenum then things can change quite a bit, especially for a commercial building. That is where you need to read up on code and the like.
Test, test, test! Every test should be repeatable; don't consider it good until you have done so. Use your cable tester for doing the tests. Just because your notebook detects a 1000 Mbps connection does not mean you have a good quality connection. Lastly, if you have to buy the tools personally, save the receipts as these are considered "tools of the trade" and you may be able to write them off on taxes.
No guns of course, that would be politically incorrect and might harm these poor misunderstood souls that seek to board the ships and we don't dare hurt their feelings. Playing catch and release with pirates is the politically correct thing to do nowadays. Instead we'll get the UN involved to send them a sternly worded letter saying No! Works every time, just ask the survivors in Darfur etc....
I've worked in credit with large balance fraud; a skilled fraud investigator can find fraud in a very short period of time. I have worked with law enforcement for some of the bigger stuff. The guys in the credit world are better at busting that kind of thing. I could call up a contact at the Secret Service and the conversation would go like this:
1. Here's your victim
2. Here's the crime
3. Here's the perp's bogus ID, address and so on
4. Here's the perp's real information
All the Secret Service agent had to do was verify my information, get a warrant and fetch the perp. Yes this could and did include finding people overseas. When you do something like that for a living it becomes easy to work with.
The point is to cut off their source of funding, which primarily comes through credit cards. Cut off the funding source and you remove most of the profit for a lot of these rackets. The point of number three is to try and get law enforcement involved to make arrests. Criminals go where the money is; attack the money and you make it a less lucrative crime. Big difference between something like that versus something like the drug trade is cash vs credit.
If you really want to make an impact you need to target their source of funds. Getting Visa and Mastercard to get very proactive about shutting down their funding source would do far more than any threat of arrest ever will. These criminal rings do these things (spam, bogus software etc) because they are an easy source of money. Visa and Mastercard are so slow in shutting down illicit sites that the time it takes allows them to make a handsome profit.
Easy, low-cost way to do this:
1. Allow the public at large to easily report suspected fraud to a centralized web site.
2. Assign investigators from the credit card companies to monitor the site and check out reported fraud reports.
3. Have the finance investigators work with requisite police agencies world wide.
Until you shut off the easy finance spigot these will continue to proliferate. Let's face it, does it really take a prolonged investigation to see if AntiVirus 2009 or the latest penile enhancement pill just might be bogus? Right now the criminals act with impunity because it is profitable, and the credit card companies have a laissez-faire attitude because they also make money. You need to convince the credit card companies to be more willing to forgo their fees and do their part.