Tuesday, December 14, 2010

How to have all partitions mounted on startup in Ubuntu

Follow trongbang86 on Twitter

I'm using Ubuntu now. It's really impressive. However, every time I open my laptop, it's quite annoying to double click on the partitions to have them mounted before use. After doing some research, the following is a tip to overcome that.

Go ahead and install ntfs-config. If you don't know how to install software in Ubuntu.

Once ntfs-config is installed, go to System > Administration > NTFS Configuration Tool to launch it.

Where it says , type what directory you want the drive to appear in. /media/Windows is a good choice if you can't think of anything else.

The window hiding behind that one allows you to enable write support for the device, too.
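The tool does its work by writing an entry for the partition into /etc/fstab. As an added example that is not part of the original post or of ntfs-config, here is a POSIX sh function that builds such an entry by hand so the mount options can be reviewed before anything is appended; the UUID is a constructed placeholder, and uid/gid 1000 is assumed to be the desktop user.

```sh
#!/bin/sh
# Added example, not from the original post or from the ntfs-config project.
# ntfs-config writes a line like the one produced here into /etc/fstab so the
# partition is mounted at boot. Building the line by hand lets you choose the
# options; the UUID used in the comments below is a constructed placeholder,
# the real one comes from `sudo blkid`.

# make_fstab_line UUID MOUNTPOINT rw|ro
# Prints one /etc/fstab line for an NTFS partition, or returns 1 on bad input.
make_fstab_line() {
    uuid=$1
    mountpoint=$2
    mode=$3

    # NTFS volume serials as shown by blkid are 16 hex digits.
    case "$uuid" in
        *[!0-9A-Fa-f]*|"") return 1 ;;
    esac
    [ "${#uuid}" -eq 16 ] || return 1

    # fstab fields are whitespace-separated, so the directory must be an
    # absolute path made only of safe characters (/media/Windows is the
    # post's suggestion). The directory itself must exist: mkdir -p it.
    case "$mountpoint" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$mountpoint" in
        *[!A-Za-z0-9/._-]*) return 1 ;;
    esac

    case "$mode" in
        rw) access=rw ;;
        ro) access=ro ;;
        *) return 1 ;;
    esac

    # nosuid,nodev,noexec: nothing on a Windows data partition should run as
    # a program, act as a device node or carry setuid bits. ntfs-3g has no
    # POSIX permissions of its own, so umask/uid/gid decide who may write;
    # uid=1000,gid=1000 is the first desktop user on Ubuntu (assumption).
    opts="$access,nosuid,nodev,noexec,umask=022,uid=1000,gid=1000"
    printf 'UUID=%s %s ntfs-3g %s 0 0\n' "$uuid" "$mountpoint" "$opts"
}

# fstab_has_uuid FSTAB_FILE UUID
# Returns 0 if a non-comment line already references the UUID, so the same
# partition is not appended twice (a duplicate entry fails at boot).
fstab_has_uuid() {
    grep -q "^[^#]*UUID=$2[[:space:]]" "$1"
}

# Stand-alone use: print the line, then append it only if it is new.
#   line=$(make_fstab_line 0123456789ABCDEF /media/Windows rw) || exit 1
#   fstab_has_uuid /etc/fstab 0123456789ABCDEF || \
#       printf '%s\n' "$line" | sudo tee -a /etc/fstab
```

After appending the line and creating the directory, `sudo mount -a` tries every fstab entry without a reboot, so a typo shows up immediately instead of at the next startup.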


Sunday, December 5, 2010

Processes required to ensure that Information Assets are suitably protected

Level: Intermediate
Prerequisite: Experience in Risk Management Process

1. Identification and Analysis
>establish the context
*understand the business and its processes
*identify competitors
From that, we can know which information becomes useful to competitors, and how, if they can get hold of it
>establish the security goals or success criteria (depending on each company)
*what the critical aspects of the business are
Companies working in different fields have different critical information, so they require different approaches to ensuring the protection of their information assets
*to what extent they need to be protected
>identify possible threats
*what can happen that makes information leak
*what if questions
*brainstorming and so on
>determine the causes
*what leads to the threat
*is there only one reason or a combination of many things
>analyse the threats:
*based on the causes, establish the relationship between the threats and the current context, i.e. how it is linked to the customers, outside competitors and other entities in the current context
*specify the likelihood of the threats. How likely is each threat to materialise, and how frequently can it happen?
*determine the possible impacts according to 1) time, political and financial 2) CIA: confidentiality, integrity and availability
*determine the changes of the possible impact in certain durations such as 1 hour, 1 day or 1 week
*determine the triggers for the threats.
What are the events or actions that can start off the threats?

>prioritize the threats
Which one is most likely to happen? Which one is less likely to happen but has a severe impact on the business?
>write up user stories that record the course of actions performed by users.
It is a good idea to write down the possible steps that can happen, because it eases discussions among people and is a good starting point for estimating the impacts
>write up a document for tracking and to assist others in understanding what has been done

2. Control/Reducing the impact
>understand users’ capability
Different users have different levels of capability, so we can’t expect too much from them.
>determine appropriate controls
*Depending on the level of users’ understanding and capability, we have to choose appropriate controls.
*Balance the costs of the controls against the impacts of the threats. If the controls cost more than the threats they address, we have to think about whether we should go for them or not.
*Take the complexity of the controls into consideration, because if their complexity is beyond the capability of users, then users might try to work around the controls.
>if the cost of the controls is not justified by the impacts, we might put the corresponding threats in a queue, but we have to set appropriate indicators and contingency plans for them. If events occur that can push the impacts beyond those indicators, we have to take action.
>keep all the protection consistent and appropriate. Don’t mix in a lot of various controls that can lead to confusion
>collaborate with users and help them understand
Organize training classes for users to educate them, to make them understand the importance of the security in place and how to operate it

3. Tracking
>assign accountability
*Who is responsible for tracking the threats
*How often to carry out the tracking process
*How to collect the information
*Who needs to be reported to
For example, 2 people have to reassess the threats once a month. After that, they need to write up a report and give it to the CEO for review.

>determine the level of warning, or when requiring immediate actions
*Different threats have different levels and types of impacts, so it’s better to set out an indicator for each threat. When some threats are over the threshold, we have to take action immediately.
*It’s not appropriate to set the level of impacts, for example, from 1 to 5 and then say that, for example, when the level is higher than 3, we have to take action. The reason is that different threats have different types of impacts and we cannot always make them comparable.

4. Report, review and improvement
>continual review and improvement
>determine the format for the reports
It’s better to have reports written in different ways, because different people, such as managers and the CTO, will have different views.
>involve appropriate people in the review process
>recheck the level of impacts for the threats
>check for new threats
*check for business processes to see whether there are any changes that can lead to new threats

The Barriers to creating a detailed Threat Risk Assessment

Level: Intermediate
Prerequisite: What is BSI Handbook; What Risk Assessment; Template for Threat Risk Assessment (TRA)

+difficult to understand the business processes. For example,
>how many departments are needed and what they are
>how they cooperate with each other
>what the input and output of each department are
>how information is transferred between departments (manually or electronically)

+difficult to capture and represent information in a logical way. For example,
>what means are used to carry information: is it held electronically in the information system or is it kept manually?
>how to describe the information assets so that we can make sense of them when we come back to them later. The reason this matters is that we have multiple assets with the same or nearly identical names but with different meanings. Therefore, it’s sometimes a challenge when we want to go back to them or reference them
>an information asset has a many-to-many relationship with threats → how to store the relationship so that we can query it on the fly. If, for example, we have an information asset, we want to know how many threats can apply to it, and vice versa.
>should we relate a threat to an information asset by using the ID number of the information asset or its descriptive name? Which one is more helpful in understanding?

>we don’t know exactly what can happen along with the possible impacts. Even though we put much effort into creating a detailed threat risk assessment, the threats will change with the growth of our company. So when the threats materialise, the impact we can measure at that time can be far different from what we recorded. The reasons can be 1) our analysis was wrong 2) the context has changed, and therefore the possible impacts have also changed
>we don’t have all the information in place: 1) the company culture was not so well organised that all the useful information could be appropriately saved for future use 2) processes are not well established, so there is no definite scheme for the usage of data or information → hidden information

+lack of context
>is an information asset useful and critical when considering what would happen if it were exposed to competitors? → requires knowledge of that specific industry
>is an information asset useful to customers? To what extent should we expose that information asset? Can the customer have full access to the information? → we need to research what other companies are doing and how they are doing it.

+how important and critical the information assets are
>we have to brainstorm and analyse with “what-if” questions
>which one needed to be introduced to clients
>and which one needed to be hidden or secured for internal use

+how to cope with the expansion of information assets when identifying them
>how to keep track of all of them
>which ones are really information assets
>some information assets don’t exist naturally but only logically in the employees’ understanding. What are they? And how do we get them? → need to understand the business and its scope

+what approach to use in order to fully address all the possible threats
>what if questions
>BSI handbook and so on
>where they can occur and how
>what triggers them
>which vulnerability

>how to measure the impact by using dollar terms
The reason is that after we finish, we need to submit a report regarding this to the CFO. In other words, we need to give a report to business people, and what they understand is monetary terms.

>what can happen
>how to know the political impact → market analysis to see other competitors
>how to measure the frequency
>what is the maximum loss that can happen

>what kind of controls are needed? Preventive or corrective?
>how much it costs to carry out the control
>whether the benefits really outweigh the impacts of threats
>whether it’s suitable for the users or not
*considering the users’ physical ability
*considering the complexity of the controls


Benefits of ISO 27001, COBIT, ITIL, ISO 9001 and ISO 14001

Level: Intermediate
Prerequisite: Basic Understanding of ISO 27001, COBIT, ITIL, ISO 9001 and ISO 14001

+Benefits from ISO 27001
>security risks are managed in a cost effective way.
>customer confidence when interacting with these companies.
>business confidence of companies in the knowledge that their security is assured.
>achieve international standards.
>avoid ad hoc information security management.
>guidelines on the establishment and implementation of information security management systems.
>improvement in the information security management systems of companies such as enhancement in monitoring, review and maintenance of the information security management systems.

+ Benefits from COBIT:
>better alignment between business and IT.
>set direction, improve monitoring and take timely corrective actions based on a better view of IT from a managerial perspective.
>an internationally recognised control framework.
>provides an environment which is responsive to business needs.
>mapping of IT goals to business goals and vice versa.
>clear process ownership → process-oriented → reduced incidents.
>clear performance indicators → better control.

+ Benefits from ITIL:
>consistency and standardised processes.
>suitable for mergers and acquisitions to bring coherence to the management structure.
>save time and money by not having to reinvent the wheel (with checklists and procedures).
>better governance of IT.
>integrate IT across the enterprise.

+Benefits from ISO 9001:
>more efficient and effective operations
>a disciplined business because of a common understanding of repeatable and consistent processes.
>fewer failures in quality of products and services.
>quicker response when things are going wrong.
>discovery of inherent errors/failures in the existing processes when implementing the standards.
>clear understanding of what to do and how it is to be done, especially important for newcomers.
>improved employees’ morale.

+Benefits from ISO 14001:
>provides guidelines on committing to the purposes of environmental management systems.
>shows that companies are environmentally responsible.
>increases profits due to better resource management such as energy conservation.
>lower insurance rates when compliant with this standard.
>improved relationship with customers and employees.
>better awareness → safety benefits at the workplace.
>a ticket to some European markets.

+Benefits in common:
>less expensive to prevent problems or do things right from the beginning than to clean everything up afterwards.
>cost reduction due to better management.
>standard compliance is a way to attract customers.
>some business domains require compliance with these standards.
>gain business alignment: when implementing these standards, all the sectors including finance, business management, and technical management have to work together. Hence, business alignment can come naturally when the implementation has been successful.
>instil a feeling of being the best of the best among the company’s employees.
>shared understanding because of having a common language
*everybody has to get on board when implementing the standards. Employees will be trained and they can get a better understanding of their company.
>improved marketing
*some companies use the certification as a means of marketing, to expand their market.
>encourage the learning capability of the organisation as well as of individuals

A comparison of the business and technical drivers for ISO 9001 and ISO 14001

Related Article: A comparison of the business and technical drivers for ISO 27001, ISO 27002, COBIT and ITIL
Level: Intermediate
Prerequisite: Basic Understanding of ISO 9001, ISO 14001, and ISO 27001

ISO 9001 is about Quality Management Systems – Requirements. This is an international standard with which companies can state they are compliant if audited and certified. This standard originated in manufacturing but is now applied in various disciplines.

So ISO 9001 is completely different from ISO 27001, COBIT and ITIL in terms of business drivers and technical drivers. This standard deals with the quality of executing processes, not with measuring and assessing IT controls (COBIT), not with improving IT services (ITIL) and not with governance (ISO 27001).

ISO 9001 is to ensure the quality of processes and improve them continually. It provides a systematic approach to managing companies’ processes so that they can consistently produce products with the quality satisfying customers. The end result of ISO 9001 is a quality management system in which all processes of a company are standardised. It means the processes are well documented and each participant in the process has a clear role regarding what he/she has to be responsible for.

ISO 9001 states all the requirements companies must meet in order to have a better quality management system, but it doesn’t specify in detail how to reach that. It’s similar to ISO 27001, which also includes only a set of requirements to be fulfilled. On the contrary, COBIT and ITIL provide details, with performance indicators and checklists, because they are frameworks.

From the business perspective, ISO 9001 is applicable not only in IT but in many different fields, and it assists companies in improving their quality management systems, thereby gaining customer satisfaction. In contrast with ISO 9001, ISO 27001 is there to give customers confidence in interacting with companies. COBIT is there to provide managers with an in-depth view of the performance of the system. And ITIL is there to improve the internal IT service level.

Another quality standard to be analysed is ISO 14001. ISO 14001 is part of the ISO 14000 family, which is about Environmental Management Systems (EMS), and it is the core of ISO 14000. ISO 14001 helps companies reduce their negative effects on the environment. Balancing between building an effective EMS and maintaining profitability is very difficult but crucial. That’s what ISO 14001 is all about. Moreover, environmental impacts have never been a hotter topic, so companies are trying to implement this standard with three purposes, according to the understanding of the writer: 1) to reduce the impacts 2) to comply with government policy 3) to appeal to customers.

ISO 14001 offers guidance on introducing and adopting an EMS. It also offers certification for companies who want to be compliant. Like ISO 27001 and ISO 9000, it is also guidance on implementing a systematic approach to setting objectives and targets, to demonstrating they have been achieved, and to improving the EMS continually. Besides that, it also doesn’t dictate clearly how to reach the objectives.

Even though identifying the environmental impacts of business’s activities is part of ISO 14001, it does not specify levels for the impacts. The reason is that each industry has different types of impacts with different levels. Therefore, the standard needs to be tailored for each industry which is not the intention. That is why ISO 14001 is a set of generic requirements like ISO 27001 and ISO 9000.

Considering the business drivers for ISO 14001, it can be seen that companies implementing this standard are aiming to comply with government standards or to be eco-friendly. There’s nothing related to information systems (IS). Moreover, it can keep customers and even employees happy by assuring the ethical aspects, because they know they are buying products from or working for an environmentally responsible company. According to Rockstad, ISO 14001 is an open opportunity to enter the European market due to Europe’s environmental concerns. Besides that, he also states that implementing ISO 14001 can actually reduce costs due to recycling programs for waste and better usage of raw materials.

As for technical drivers, ISO 14001 doesn’t assist companies in building a more robust IS; rather, it makes a change in the business activities and the existing infrastructure so that they can be more eco-friendly while maintaining profitability. However, it does give an insight into the existing processes during implementation, so that managers can recognise flaws in the processes and improve them. Specifically, when implementing ISO 14001, companies have to perform a gap analysis to compare the current overall performance of their processes with the requirements in ISO 14001. In order to do that, they have to analyse and reengineer their processes. Then they have to understand the standard’s requirements so they can make the comparison. After that, they can see what is going wrong or not being done efficiently in their companies.


Wednesday, November 24, 2010

Barriers in implementing quality systems such as ITIL, COBIT, and ISO 27001

Level: Intermediate
Prerequisite: Basic understanding of some industry standards such as ISO 27001, ITIL and COBIT

To implement a successful quality system such as ITIL, COBIT and ISO 27001, there is more to it than just technology. For the companies implementing those quality systems, the following barriers I have observed are the things we have to deal with:

>companies don’t really understand how they can benefit from it. In other words, it’s difficult to get their buy-in. We need to educate them and give them success stories as well as concrete benefits.

>normally, it’s costly to implement the quality systems, especially for large companies with existing heavy and not well-documented processes. Without sufficient funds, it’s almost impossible to implement an appropriate quality system and, as already mentioned above, companies want to see tangible benefits. Otherwise, they feel they are being charged for something that doesn’t have a clear target.

>from a managerial view, managers sometimes cannot get transparency from their auditors or certification bodies. They don’t really know what is happening. The reason might be that the process is so complex and the auditors are not explaining themselves clearly. Besides that, it can be the case that the management skills of the auditors are not strong enough, so managers are kept outside and don’t actually know what is happening except for some general status reports. Management skills are mentioned here simply because implementing any quality system is also a project.

>now there are diverse quality systems on the market, and all are saying they are the best. That can make companies confused. They need consultation that can assist them in understanding and taking appropriate actions.

>for quality standards to become really helpful, auditors should understand the business of the companies they are working for. It means they should have a very close relationship with the companies which is not easy at all. Sometimes it can take months to really understand the whole process and time is critical for companies.

>lack of management’s support, implementing a standard is a project in itself and it is believed that to make a project successful, there must be adequate support in terms of resources and political forces from the managers.

>lack of training, education and communication
Any technologies, any quality systems are built to support people. Without people, they cannot give any positive results. However, quality systems are sometimes complex and it’s recommended to teach the users so they know why they have to do that and how to do that. The reason is that they don’t have the same level of capabilities and background.

>the indicators are not set clearly. After or during implementing the quality systems, business executives want to see the progress. Hence, this is a required skill for auditors to balance between technology and business to create views that can be understandable for different people in the business. Once again, we have to remember the background of the people we have to submit reports to so we have to transform technical things to monetary information.

>moreover, it can be the case that the auditors hired are not helpful. Put another way, they don’t have enough knowledge, or they only understand some standards but lack the general view that can guide the company in selecting which standards are suitable for it. After that, they should show companies the way to implement the quality systems based on the companies’ existing infrastructure. To do this, once again, they need to understand the companies and map the current infrastructure against the standards to analyse the gaps and see what needs to be improved.

>sometimes after implementing the quality systems, they don’t feel they are getting something that is of value to them. The reasons can be 1) they didn’t have enough knowledge in choosing which systems are right for them 2) it takes time to have something new become really beneficial and tangible because the gains from these quality systems are sometimes intangible such as efficiency and staff/customers’ satisfaction. Furthermore, everything needs improvement. It means they need to keep doing it and keep improving it continually so that it can show its value. 3) lack of information due to lack of appropriate goals and indicators set out when companies decided to build the quality systems. Sometimes, the lack of information can lead to misinterpretation of the results of building the quality systems.

>misguided intention: some companies are running after these standards because they want a good reputation, not because of the quality or benefits. Hence, after getting the certifications for these standards, everything goes back to normal and probably no continual improvement will be performed. To make it really happen, the companies need to put in more commitment, especially from the managers.

Follow trongbang86 on Twitter

A comparison of the business and technical drivers for ISO 27001, ISO 27002, COBIT and ITIL

Level: Intermediate
Prerequisite: Basic Understanding of ISO 27001, ISO 27002, COBIT and ITIL

Firstly, ISO 27001 is a security standard, but COBIT and ITIL are frameworks of best practices. ISO 27001 is often used in conjunction with ISO 27002 because ISO 27001 includes only requirements for what needs to be done and ISO 27002 introduces the guidelines for doing that.

According to the diagram, COBIT covers more domains than ISO 27001 and ITIL but with little guidance. However, ITIL is easier to do with more checklists and procedures. Besides that, ISO 27001 is a standard so it’s deeper in the domains. Specifically, COBIT has 4 processes and 34 domains, ITIL has 9 processes and ISO 27001 has 10 domains.

Generally speaking, COBIT is for measuring and assessing IT controls, ITIL for improving internal IT services, and ISO 27001 for IT governance.
The function of COBIT is to map IT processes to business objectives. ITIL is to address service management. ISO 27001 is to get companies compliant to international standards regarding various aspects of security management such as establishment, implementations and improvement of information security management systems.

COBIT aims to maximize the benefits derived through the use of IT with appropriate governance and control, by providing managers and auditors with a set of accepted measures and indicators.
COBIT can provide a systematic approach to identify root causes of deficiencies.

COBIT is business-oriented. COBIT is usually chosen by companies that are performing audits to give their managers an in-depth view of their infrastructure’s efficiency.

ISO 27001 is a standard but ISO 27002 is best practices and it’s really a guideline regarding how to implement ISO 27001. In each domain in ISO 27001, there are specific requirements that companies need to fulfill in order to be compliant but there’s no specific guideline or technical requirements such as which infrastructure must be built, how to build. That’s why ISO 27001 and ISO 27002 often go together.

ITIL is quite similar to COBIT but ITIL is more IT service-based and COBIT is more process-based. In other words, the unit for measuring in ITIL is service but process in COBIT.

According to the website SecurityProcedure, the end result of implementing COBIT is an information system audit, for ITIL it is managed service levels, and for ISO 27001 it is compliance with a security standard.

From the implementation view, ITIL is probably the easiest one to implement because it is best practices with checklists and guidelines. Besides that, ITIL can be implemented partially, according to the website SecurityProcedure. Hence, a company can decide to implement one layer first, such as the IT service delivery layer or IT release management, and then implement the others in the next year. However, for ISO 27001 and COBIT this is unfeasible because they take a broad view of the whole system first and then go to the implementation phase. As for ISO 27001, it is a standard related to 3 aspects of a company: people, process and technology; so it requires a deep understanding of the company’s profile. However, the final choice is still up to the companies. It actually depends on their budgets and their goals.

ITIL has a more robust certification system for IT professionals. However, there are some criticisms regarding the price of the books. They are not affordable for non-commercial users. In other words, it seems to be too proprietary. COBIT is not a standard and companies cannot claim to be COBIT compliant. However, ISO 27001 is an information security management system standard and can be complied with.

Moreover, from a technical view, companies get compliant with ISO 27001 to avoid ad hoc information security management and to establish, implement and continually improve the system. For COBIT, it’s to map IT goals to business goals and vice versa, and to create clear ownership of processes with clear performance indicators. And ITIL is to improve IT services.

COBIT Introduction

CobiT / ISO 20000 / ITIL / ISO 27001

The Business Advantages of ITIL

Using iso27001 to your advantage


Tuesday, November 23, 2010

Communication in Requirement Acquisition of Software Development


The software industry is one of the fastest growing industries around the world today and there has been much research carried out in order to cope with the complications resulting from the abstract nature of software. Increasingly, the term 'Software Development Lifecycle' (SDL) is becoming very popular in the computing world. According to Maciaszek and Liong (2005, p.5), SDL refers to the alterations that occur in the life of the software. It consists of five main phases. They are requirements analysis, system design, implementation, integration and maintenance (Maciaszek & Liong 2005, p.5). Each phase has its own complexity and discipline. However, it is commonly believed that the first phase, requirements analysis, is extremely critical to the development of a project because it provides input to the subsequent phases.
Sommerville (2007, p.118) defines the word 'requirements' as the description of the system-provided services and its operational constraints. From that, he identifies that requirements analysis encompasses the activities of eliciting, analyzing, documenting and validating the services and constraints. The first activity is more user-oriented but the others are more skill-oriented. It means that communicating with users is dominant in the elicitation activity and the other activities mainly focus on the skills of software developers (SDs).
There have been a great number of engineering books written and much research carried out on methodologies for SDs to improve their technical skills. In contrast, there is only a small amount of research on methods to improve SDs' communication skills. Generally, it might be believed that the success or failure of a certain project is the responsibility of the software company. Yet, to a certain extent, it is also the responsibility of the customers who order the software. The reasons are that SDs cannot presume what the customers need and they cannot develop a complete system without knowing the customers' expectations. Hence, the communication between customers and SDs is very important. However, this factor is often ignored and left for SDs to deal with. Therefore, it is worth considering this aspect in the SDL. The scope of this paper does not allow for a discussion of the techniques to elicit users' requirements. Rather, this research will focus on addressing the following questions:
  1. What are the common problems that lead to a low level of SD's communication skills?
  2. What are the possible solutions for those problems?
With the combination in comprehending the common problems and the possible solutions, a better skill in dealing with the customer in order to deeply understand the software requirements can be achieved.
There is a very strong connection between requirements elicitation and communication. Sommerville and Sawyer (1997, p.63) state that the process of using communication with software-involved users such as customers to identify requirements for software is referred as 'requirements elicitation'. Therefore, communication seems to play a very important role in the whole process of SDL. According to Sommerville and Sawyer (1997, p.2), most of the problems that can lead to the decline or failure of a system are associated with identifying software requirements. They also suggest some of the common problems: (1) the real needs of the customers are sometimes ignored, (2) the inconsistency and incompleteness of requirements can occur, (3) changes to requirements would be very expensive after they have been agreed and (4) misunderstandings between customers and SD can happen. It is likely that all the problems mentioned above are caused by the lack of communication or communication breakdown. In some cases, the impacts of the problems can be so significant that the whole project might collapse. Hence, it is almost certain that finding solutions for those problems is of importance.
Communication can improve the quality of software. Strano, Mohan and McGregor (1989, p.6) define communication as 'the sharing of information, ideas or attitudes between or among people' and it is obvious that the software requirements are the 'information, ideas or attitudes' that SD must obtain from the customers. Hence, if SDs can communicate effectively, the objectives for the software being developed can be fulfilled. In addition, Christensen and Thayer (2001, p.406) claim that 'Communication is the key to keeping the project moving in the right direction'. In other words, effective communication is the most important factor that can ensure the success of a project. The reason for this could be that it ensures the clarification of what is expected by the customers.
In discussing 'Overcoming Communication Barriers Between People', Hahn (2005) suggests that the common barriers in communication are different points of view, background differences, poor listening, distorting filters, language problems and differing emotional states. However, these communication barriers (CBs) are described for normal daily circumstances. It is advantageous to study to what extent the barriers can influence the development of software. In addition, at the time of writing, there appear to be no books or research that address these barriers in the software industry, so the following ideas related to these CBs are presented from a personal view.
First, differences in viewpoint can be detrimental to software development, and this problem is becoming more serious as the trend of outsourcing continues to flourish. Customers have different perceptions if they come from different cultures. Hence, SDs should take this into account; otherwise the software cannot be implemented properly. Furthermore, the background differences between SDs and customers also contribute to the difficulties in communication. For instance, a stock trading company can demand stock software that requires SDs to have a certain level of relevant knowledge in order to develop it. When SDs try to interview a user from the company, they can misunderstand what the user requires because the language they use is different from the language of the user. Moreover, poor listening can result in CBs. SDs usually pride themselves on their high technical knowledge, and this is a real impediment to any conversation between SDs and normal users, since it leads to the SD's presumption of the user's expectations. The fact that SDs might not have enough domain knowledge then causes many misconceptions in developing the software. Another CB is distorting filters. This barrier might be created when indirect communication occurs. For example, when the information from customers is reported by secretaries to the project manager, the secretaries' differing viewpoints or insufficient understanding of the software being developed can distort the information regardless of their efforts to present it correctly. Besides the CBs mentioned above, it is also important to consider the problem of language. The same word can have different meanings in different regions, especially for those who do not speak the same language, and this can raise serious misunderstandings between SDs and their customers. Finally, the effectiveness of communication can be affected by emotional states.
Strano, Mohan and McGregor (1989, p.10) state that provoking unfriendliness in the other participants of a conversation can be a cause of distorted messages. Another example is dealing with upset people. They tend to ignore or distort what the other person is expressing and are usually unable to present feelings and ideas properly. This does not mean that all communication should be abandoned when the emotional state of the customers or SDs is not appropriate, but it does mean SDs have to be aware of what lies behind the conversation between them and the customers.

Right People
Selecting the right people is crucial to the success of any communication. The reason is the credibility of each participant. For example, when developing stock software, obtaining the software requirements from a user with more than ten years of work experience is more reliable than from a user with no work experience. The degree and the specific factors that make up the required credibility vary depending on the software being developed. Because the aim of this paper is not to improve the technical skills of SDs, the methods for identifying the right people will not be addressed. However, there are many books written on this aspect; for instance, Thayer and Dorfman (1990, p.489) suggest a list of criteria for selecting the right people depending on the context and the functions of the software. In discussing how to improve the quality of software, Barkley and Saylor (2001, p.276) mention that if the sender is not credible, communication will be ineffective regardless of the information. It is likely that the users chosen for obtaining the software requirements have a significant impact on the communication. Because of their credibility, the SDs would feel encouraged to absorb more information. Hence, this solution seems to be able to resolve all the indicated problems.
Listening and Empathizing
Listening is critical in eliciting the user's requirements. However, it might be the least developed skill of SDs. The reason could be the high self-esteem of SDs: when they assume that they already know all the concepts of the software, the real expectations of the user can be ignored. Barkley and Saylor (2001, p.277) suggest that the requirements of effective listening are letting others convey their ideas without interrupting and empathizing with their point of view. The second requirement, 'empathizing', could also be a solution to the differences in background between SDs and normal customers because it helps SDs try their best to understand customers' viewpoints from different perspectives.
Two-way mode for sharing knowledge
As indicated, one of the common problems in communication is the barrier created by the differing language and background of SDs and the customer. It seems, therefore, reasonable to encourage SDs to have two-way communication with the customer. In other words, the process of finding requirements is not only asking the customer for information but also a real conversation in which SDs and the customer exchange their knowledge in order to have a common understanding of the software. In discussing 'Communication on Agile Software Projects', Ambler (2009) also endorses a 'two-way street' for sharing information as a condition of effective communication. Hence, this way of sharing knowledge is not a new idea, but SDs often misconceive finding the user's requirements as merely asking the user questions. In addition, this method can also be a solution to the differences in viewpoint because it assists SDs in finding the gaps in understanding between them and the user, especially when differences in culture become an issue in communicating.
Constant review
Misunderstandings always occur no matter how hard SDs try to overcome them. This applies not only to software development but also to normal daily conversations. With regard to this fact, constantly reviewing and clarifying what has been communicated appears to be one of the best solutions for improving the process of eliciting the user's requirements. By identifying the discrepancies between the SD's understanding and the user's expectation, it seems to be able to solve all the common problems discussed above. Kishore and Naik (2001, p.114) describe the Walkthrough method, one of the review methods, in which SDs 'walk' the user through the software's prototype and explain each requirement. From the explanation, it appears to be possible for both SDs and the user to discover any differences in the expected system. Kishore and Naik (2001, p.114) also encourage SDs to review the requirements obtained from the user constantly.
Communication plays an important role in software development, especially in the requirements elicitation phase. Indeed, improved communication skills can assist SDs in understanding the system requirements from the user. However, due to the barriers discussed in this paper, this is a difficult mission to accomplish. There are four possible solutions for those barriers: selecting the right people, listening and empathizing, sharing knowledge in a two-way mode and constant review. The implementation of these solutions can lead to the improvement of the communication between SDs and the customer, thereby improving the quality of the software being developed.

Communication comes in many different forms. It includes verbal and nonverbal forms such as speaking, writing, reading, listening and body language. Because of this complexity, it is very difficult to cover all the possible solutions for improving communication in this paper. Further research can investigate solutions for situations in which misconceptions have already happened. In other words, it is important to find a way that can assist SDs in preventing further misconceptions from recurring.
Ambler, SW 2009, Communication on Agile Software Projects, viewed 15 December 2009, <http://www.agilemodeling.com/essays/communication.htm#EffectiveCommunication>.
Barkley, BT & Saylor, JH 2001, Customer-Driven Project Management: Building Quality into Project Processes, McGraw-Hill, USA.
Christensen, MJ & Thayer, RH 1947, The Project Manager's Guide to Software Engineering's Best Practices, Angela Burgess, USA.
Hahn, M 2005, Overcoming Communication Barriers Between People, viewed 15 December 2009, <http://ezinearticles.com/?Overcoming-Communication-Barriers-Between-People&id=119628>.
Kishore, S & Naik, R 2001, Software Requirements and Estimation, Tata McGraw-Hill, New Delhi.
Maciaszek, LA & Liong, BL 2005, Practical Software Engineering: A Case Study Approach, Pearson Education, USA.
Sommerville, I 2007, Software Engineering, 8th edn, Addison-Wesley, USA.
Sommerville, I & Sawyer, P 1997, Requirements Engineering: A Good Practice Guide, John Wiley & Sons Ltd, England.
Strano, Z, Mohan, T & McGregor, H 1989, Communicating, Harcourt Brace Jovanovich Group, Australia.
Thayer, RH & Dorfman, M 1990, System and Software Requirements Engineering, IEEE Computer Society.
Sunday, November 21, 2010

About me
My name is Bang. I was born in 1986 in Ho Chi Minh city, a southeast city of Viet Nam.
I spent four years at Le Quy Don high school. It was a great experience for me to study there with all of my great friends and the knowledge I gained. I finished high school in 2004.
After that, I continued to study in International University in Vietnam for four years. During that time, I found a great part time job that I kept working afterward. I got a Bachelor of Science in Information Technology in 2008.
After graduating from university, I went to work as a software engineer for 2 years at the company in which I had my internship before, called Gold Point Company. Having started as a developer, I soon became a team leader. I learned lots of new things there, not just technical stuff but also managerial skills. Dealing with many challenges gave me a great amount of experience, and I recognized that I could do more than what I had done. Consequently, I determined to quit the job and started my new university life in Australia.
I am pursuing a Master's degree in Information Technology at Macquarie University. I am quite an ambitious man. I always try to create new opportunities even when facing difficulties. Working at my best, I hope to have a chance to work in some very professional companies around the world such as IBM and Sun.