
Security 01/29/2013

Posted by TBoehm30 in Uncategorized.

I have a spreadsheet with over 150 passwords on it. I have to change my work passwords every 45, 60, and 90 days depending on the system. I ask myself ‘is this more secure?’

I’m no security expert, and sometimes the rules really bug me. Why do I need to change my password? Why should I have different passwords? What is the risk if I don’t follow the rules? I wanted to vent a little, so I started this article. Then I did my research to better understand the issue. Here is what I learned:

The security experts tell us to change our passwords often. The best reasons I have seen have to do with holding off the attackers long enough for the password to have changed. If an attacker gets hold of a password file, from a backup tape, the trash, or by breaking in, then they could use it to log onto any accounts whose passwords haven’t changed.

The nice thing about those password files is that they are encrypted, or hashed, so that hackers don’t actually put in your real password; they use the hashed version from the file. If you simply change one letter, or add a number, then the hash is different and can’t be hacked. The problem is that a hacker could break the encryption and actually figure out your password pattern. Then they could easily guess your next password, giving them access to your account.

What are the odds that you or I would be singled out for attack? Hopefully, those odds are not very high, but how much risk are you willing to take? If your whole company system gets stolen, copied, shut down, or broken, how much blame do you want to take? It’s probably better to just suffer by changing your password.

Why can’t all my passwords be the same? The problem with that is that hackers can get passwords from the least secure system. Even worse, the people who run all of those other systems have access to your unencrypted password. Joe, at buycoolstuffhere.com, created the site simply to steal people’s passwords along with a good username. He then uses those codes at every financial web site until something works. Then he has full access to your money.

Why do I have to answer security questions? The security questions are usually there in case you forget your password. The answers are usually pretty simple to find on the internet and are the most risky for casual users. People in the public eye are constantly having their email spilled to the public by people who figured out what street they lived on when they were growing up. Some advice from the internet is to have answers that are not really answers, but hints to your password. What was the name of your first pet? “My favorite song lyric”

Bad passwords and pins: American Express has an authentication pin that has to be 4 digits. When I tried to give them numbers I could remember, they told me it had to be a date. Why would they decrease the security possibilities from 10,000 down to 365?

I can see my payroll info online if I remember an 8 digit pin number. The problem is that I am running out of unique numbers that I can actually remember. For me to remember an 8 digit number, it must be a full date, or part of a phone number; I don’t have any other long numbers that are burned into my brain well enough to not forget.
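Two of the claims above, that a one-character password change gives a completely different stored hash, and that forcing a 4-digit PIN to be a date shrinks the number of possible PINs from 10,000 to a few hundred, worked through in Python. This is an added example, not code from the original post; the sample passwords, the salt, and the lockout count of five attempts are constructed for illustration.

```python
"""Added example (not from the original post): two of the post's claims,
checked in code.  Passwords, salt and lockout count are constructed."""
import calendar
import hashlib

# Constructed salt for the demo; a real password file draws a random salt per user.
DEMO_SALT = b"constructed-demo-salt-0001"


def salted_hash(password: str, salt: bytes = DEMO_SALT, iterations: int = 50_000) -> str:
    """Hex digest of PBKDF2-HMAC-SHA256(password, salt): what a well-built
    password file stores instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def differing_bit_fraction(hex_a: str, hex_b: str) -> float:
    """Fraction of bits that differ between two equal-length hex digests.
    Unrelated 256-bit values differ in roughly half their bits, so a value
    near 0.5 means the second hash carries no trace of the first."""
    assert len(hex_a) == len(hex_b)
    xor = int(hex_a, 16) ^ int(hex_b, 16)
    return bin(xor).count("1") / (len(hex_a) * 4)


def date_pin_keyspace(year: int = 2012) -> int:
    """Number of 4-digit PINs that are a valid MMDD calendar date.
    With a leap year (0229 allowed) this is 366; the post rounds it to 365."""
    return sum(calendar.monthrange(year, month)[1] for month in range(1, 13))


def free_pin_keyspace(digits: int = 4) -> int:
    """Every digit string of the given length is allowed."""
    return 10 ** digits


def lockout_coverage(keyspace: int, attempts_before_lockout: int) -> float:
    """Share of the keyspace an online guesser can cover before the account
    locks: the defender-side number that shows how much a constraint costs."""
    return attempts_before_lockout / keyspace


if __name__ == "__main__":
    h1 = salted_hash("Summer2013")
    h2 = salted_hash("Summer2014")  # one character changed
    print(f"one-character change flips {differing_bit_fraction(h1, h2):.0%} of the hash bits")
    print(f"free 4-digit PINs: {free_pin_keyspace()}, date-only PINs: {date_pin_keyspace()}")
    for name, space in (("free", free_pin_keyspace()), ("date", date_pin_keyspace())):
        print(f"{name} PIN: 5 guesses before lockout cover {lockout_coverage(space, 5):.2%}")
```

The hash comparison supports the post's first claim; the keyspace figures show the date rule makes five online guesses about 27 times more effective than against an unconstrained PIN.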

Internal security is just as important as external security. Most companies won’t get hacked by strangers in a way that will cause them any material harm. It is the employees who pose the most danger. If your employees have access to everything, what’s to stop them from downloading the customer list and selling it to the competition? It is important to divide up all data, and only give access where it is needed for people’s jobs. Look at SOX requirements even if they are not necessary; they make sure that users don’t have too much access to the system. That may be why you are limited on your own system, and sometimes can’t even get data you actually need.

So, until a better security system is built, I’ve got over 150 passwords to remember. My spreadsheet doesn’t actually have the real password listed, just a hint to it. The file itself is password protected, heaven help me if I forget that one.

Do you have a good security story? Leave it in the comments below. Do you know that it’s a global world and Technology makes it happen?

ERP – Who to Choose 12/30/2012

Posted by TBoehm30 in ERP.

I’ve often been asked “Did we choose the right system?”  Usually it is right after we experience a serious bug, or something goes wrong causing a project delay.  Would another system have prevented this particular issue?

The answer is always ‘Yes’.  We did pick the right software, despite the current problems.  And ‘Yes’ another system would probably have allowed us to avoid this problem, but would have caused others.  As long as we followed our plan, identified our priorities and compared correctly, we know we chose as best we could.

So what was the plan?  What do you need to plan in order to choose a new software system?

Requirements

The single most important aspect of choosing your new software is the list of requirements.  You need to understand what you need to succeed, and a list of benchmarks so that you know when you get there.  Everyone in the company should have the opportunity to help prioritize the requirements.  This is the chance to visualize the company running at peak operational efficiency and growing as fast as possible.  The new software needs to be able to accomplish all of the current requirements plus future needs.

You need to think about your requirements from a perspective of the future.  Will it be scalable enough?  Does it have the modules to cover functionality that you don’t need now, but could find a use for when there is time to experiment?  What other tools will you need alongside your new software?  How much data does it need to accept, and how?  What other systems will you connect it to?

I make a long list of requirements, and then prioritize them from most important to least important.  Then I like to make a single sheet listing the top requirements with room for evaluation and notes.  These note pages can be used as a scoring sheet for objective comparisons between systems.

Support

You will need a lot of support during the years of using this software.  Make absolutely certain that the company you choose will have smart people who can guide you when you have problems.  You might have to call other companies already using the system to get a good idea of how their support program works.

Some companies charge extra for support, and some have fixed contracts that automatically include support.  You will need to know the structure of support before going into negotiations to buy your new software.

Implementation

Working with another company to implement new software is not an easy project.  You must be ready to accept them as partners.  They should have lots of experience working with companies in your industry and of your size.  They should be ready to explain the process, their expectations, how long it should take and how many people need to be involved.   You need to get a feel for the difficulty of an implementation, and how much work your team will do compared to how much work will be done by outsiders.  Training will take up a large amount of implementation and could be done in different ways; how much time will this one take? 

When getting trained, you will have to make choices on the basic setup of the system and how much to change the out-of-the-box configurations.  Most large software allows you to process similar functions differently depending on requirements; you must have an idea of how many different choices there are to be able to compare the different choices of software.

Loading Legacy Data

Your system will begin either fresh with no data, or have old data loaded into it.  You will need to get some idea of the difficulty of loading data into the system.  Some data may be easily added using standard formats like Excel; and some may require more effort.  You may have to load data compiled from different systems; it will have to be mapped to the new system.  How much help will you get?  How much experience do they have mapping data from your old system?  How successful have other companies been with loading data?

Setup

Obviously your new software will need to run on a computer.  Whether that computer is located in your own office, at a server farm, hosted by a third party, or transparent to you in a SaaS environment is totally up to you.  Make sure that your needs are covered by the company producing your new software.  It would be a regrettable decision to buy software that couldn’t be run as a service and then ask them to set up SaaS.

Interfacing with Other Systems

Any software you run should not be run in a vacuum.  It will need to create and send data to people and systems, as well as receive data from people and systems.  You may want automatic interfaces set up to continuously communicate with existing systems.  This should all be possible on any new software that you choose to buy.

One of the main reasons I left my first job was that the software I used couldn’t communicate with anything.  Even creating a report was difficult.  I knew that software like that was doomed to obscurity and I needed to get out before I was left in the dust.

Make the Choice

Using your prioritized criteria, you should be able to make a good decision of which software to purchase.  Don’t look back for regrets; you made your decision the best way you could.  There will be problems that you will be able to solve, don’t let that destroy all of the hard work you put into making the right decision.

Have you been through the decision process?  Did it work for you?  Do you like the new software?  What would you have done differently?  Let me know in the comments.

Be happy with your new software.  You now understand that it’s a global world and Technology makes it happen.

Choosing Your New ERP System 11/29/2012

Posted by TBoehm30 in ERP.

After you’ve gotten the approval to start the process for a new ERP software system, it is time to start the search and make the decision of what to buy.  It is a project on its own just to make that decision.  It should take one to three months to go through all of the options to determine the best solution.

The way to begin this project is to lay out your plan.  You need to have an idea of what steps you will take and how long you have to finish.  The plan needs to include who will be involved, how much, and who gets to make the final decision.

The first part of the plan is who will be included.  This is an important project and the right people need to be included on the team.  A senior manager that knows how important the project is, and has authority to set priorities needs to be on the team.  Others as representatives of major departments need to be included.  The best person to represent the department doesn’t have to be the highest manager; you need to include the one who understands what is needed, but also has the time to attend the meetings.

As you get a commitment from enough people to fairly represent the company, you will create a meeting schedule.  Once a week may be enough to start, but eventually you will have vendor responses to review and demonstrations to watch.  This will increase the time commitment from the team.  These people need to understand that this project is just as important as their ‘day jobs’.  They will need to dedicate some time to this project, even if it means doing overtime on their normal responsibilities.  This part is crucial because ignoring the project for too long will ensure failure.

Probably the most important part of the selection process is the requirements.  The team needs to define their requirements for the new system and prioritize their needs.  Not all software will do exactly what they need in the way that they want it, so they need to be ready to determine what is critical and what is nice to have.  The requirements should start with replacing what they already do, and then consider what is needed for the future of the company.  You will need to include the details of current operations such as Purchasing, Selling, Accounting, etc.  Also think about reporting, dashboards, paper output and screen design. 

Along with the processes, you will have to consider the technical aspects of the software.  Will you want it in the cloud or on premises?  If you are thinking about the cloud, do you want software as a service (SAAS) or platform as a service (PAAS)?  You need to know the difference, and understand the language so that when a vendor describes their solution you can correctly interpret what they are saying.

Can your IT department support the new demands of the software?  Will you need new people to create reports, customize the software, and support the growing demand for security?  These are important discussions to have before choosing the final software.

Once you have a good set of requirements, you can send out some sort of questionnaire, request for proposal (RFP), or other document to a list of vendors.  Their responses should be evaluated by the full team to determine a short list for demos.

You can have 4 or 5 short demos if your list of vendors is still too long to decide.  That should help you narrow the choice down to 2.  These demos need to be held to under two hours, and the vendor needs to be aware that you will cut them off if necessary.  Doing a lot of demos can be overwhelming to the team and they will forget what the first demo looked like at the end of the process.  You need to make sure that discussions are timely and that notes are taken for later review.

Your final choice should be made from the top 2 vendors.  These final vendors should be given the opportunity to show you their best presentation.  Give them the amount of time that they need to impress you.  This might take several hours for each of them and require a couple of days’ worth of time from your committee.

I like to prepare a document for the team that lists out the requirements and gives them the ability to write notes about each requirement and give each a grade.  The grades can then be tallied to objectively decide which software is better.  If notes are made using the same format, they are easier to compare.  The notes also make it more difficult to forget the important parts.

One of the hardest parts of this process will be to notify the losing company that they were not chosen.  They may come back with lots of questions that will require more work and put you in an uncomfortable position.  One time, I had a salesman email my boss describing how unfair my process was, and how they thought they were being strung along when the decision had been made in advance.  While embarrassing, I had the full documentation to show that no decision was made until the end, and the notes showed the grades where the number 2 company was very close, but clearly the second choice.

Once you make the decision and notify the winning company of your intentions, it is time to sign a contract.  Make sure that you have professional negotiators at the table to get the best deal possible.

Now that you have decided on your new ERP or other large software project, the fun is just beginning.  You already have a good team who understands the issues, and are ready to work.  They know that it is a global world, and Technology makes it happen.

ERP Training and Power Users 06/28/2012

Posted by TBoehm30 in Training.

A full ERP implementation project will contain plenty of training.  All the members of the company need to start from scratch to learn the use of the new system.  I’ve scheduled classes where we have 10 days of classes plus three alternates a week or two later for anyone who missed it.  The thing to remember is that is just for the basics; you will spend much more time with the people destined to become your ‘Power Users’.

The main classes that will be scheduled are beginner, 101-level, learn-how-to-navigate instruction.  When users log on for the first time, they need an idea of what to expect, how to get what they need and what they are allowed to do.  Everyone will need that class, so it will be the biggest or most offered class.

After the beginning class, you will need some specific classes.  The Accounting group will need to go into detail on the accounting screens.  The Manufacturing groups will need specifics on how to run MRP, use Work Orders, order Supplies, etc.  The Customer service group will need to understand Sales Orders, Cases, how to change documents, and update notes.  The point is that these classes will be smaller and need to include only the groups that focus on the topic being taught.

Most project managers and organizers will stop there.  They will teach what is needed and then allow the users to figure out if they need further functionality or further help.  It has been my experience that users don’t know to ask for more.  They will start using the system in the way that they are taught and not try to branch out for better, more efficient processes.  Usually a new employee, or outside consultant will bring in ideas on how to use the software better.  It’s rare that someone just figures out better functionality, communicates the process with their manager and gets the company to adopt the new process.

As I wrote in a previous article, follow-up training is necessary.  Once users become familiar enough with the software, they need a time to go back to ask questions.  They will want the details on why they do what they do.  They need to know how it impacts the company and what the big picture looks like.

That full process will take care of most of your users.  Beyond that, however, are the ‘Power Users’.  These are the people who seriously want to take advantage of the system and use it to the fullest extent possible.  These are the people who currently have massive spreadsheets that they download to understand the data.  They need to understand what is going on at a basic level and make decisions based on that information.

These are the people who will try your patience once the new software is going strong.  They will need one-on-one guidance for their crazy projects.  They will stretch your understanding of the software to its limits and force you to call the vendor.

Now is the time to plan for their training.  They know what they do, and will be able to explain what they need.  You will be able to schedule one class for a bunch of them, or several classes if needed.  Getting them together may even work in your favor, giving them other resources to go to and other further ideas on how to improve the status quo.  You need to be at the top of your game and have good backup support for these classes.  You might want managers included in the room so that if ideas get out of hand, they can be cooled down.

Watch the beginning classes for the people who ask the most questions in the most detail.  Figure out who you think will become your ‘Power Users’ to include in the new classes.  Talk to them in advance to get an idea of what they will need.  Figure out how many of them can go into the same class.

These are the people that will figure out how to drag the last penny of profit out of what you currently have.  They will need data; all they can get, and more if possible.  They will need access to the system; more than the IT department currently provides for them on the standard templates.  They will need instruction on what other departments do, and how that relates to what they do. 

We spend so much time on teaching the basics.  Many classes have to go at the speed of the slowest user.  This won’t allow the best use of the software, and won’t create that immediate ROI that was the biggest reason for the software.  Spend a little more time and attention on the best and the brightest.  They are the ones who will have the biggest return on your investment.  They are the ones who know that it’s a global world and Technology makes it happen.

Comment with your stories of how users stretched the possibilities of your new software and how you had to develop new training to keep up.

Why do you need ERP System Testing? 05/23/2012

Posted by TBoehm30 in ERP.

Testing is one of the first items that is removed from a project when time becomes tight.  Many people wonder why they have to spend so much time doing formal testing when they have spent so much time training with informal tests.  They have spent so much time with the new system that they just know it works.  What is the point of spending a large amount of time on formal system testing?

First and foremost, you need to validate that you are getting what you think you are getting.  A new ERP system is a large complicated piece of software.  Just because individual sections are working, doesn’t mean that each module is sharing data the way it should.  A plan for system testing should include many of the core team, so they can see the larger picture.  You also need to be sure that the right communication is happening between team members.

You need to make sure that when a PO is created and received, that the inventory is added correctly and the journal entries are made appropriately.  You should review the documents and reports generated from the process to make sure that everybody is satisfied with the results.  When the PO is tested separately from the accounting module, it seems to work fine.  However, did anyone from accounting notice that the manufacturing group has automated the POs for inventory differently than expected?  This would be found in System testing with good communication between core team members.

You need to be absolutely certain that each process is tested using the same parameters.  There could be hundreds or even thousands of parameters in a good ERP system.  These parameters should be set based on the way your company does business.  For example, FIFO, LIFO, or Standard should be set to account for product costs.  I have seen software fail because no one realized that parameters were different than expected, or were changed during go-live.

The CYA reason for system testing applies for consultants and/or public companies.  A team who delivers a working ERP system takes a large risk of someone coming back with complaints.  Users can always find something to complain about.  A full, well documented, system test will reduce the risk for the implementation team.  If they have tested every scenario possible, then any complaints should already be documented and signed off. 

Auditors may be allowed to review the implementation process, especially if something goes wrong because of the software.  A good system test would be enough to hand over to show that you did everything you could think of to prevent problems.  When problems occur, you should be able to point to the system testing documentation to show that something new or different has occurred to cause the issues. 

Problems that arise after the system has been in use could become very large problems.  It is much better to find them early on.  A small problem could grow into something much bigger over time.  A problem that is found after a time lag will be more difficult to find and could be more difficult to fix.  System testing should be designed to follow all your processes to a logical conclusion.  If you are using the system for accounting, then journal entries and account balances should be watched during system testing.  If the software is used to run a call center, then you need to run rollup reports containing all possible call types.

IT projects are constantly delayed and have scope cut to meet deadlines or budgets.  A user will be much more forgiving of a delay in a project than he would for bugs in the software.  A problem that should have been caught in testing will be remembered far longer than any scope issue or delay.  Users will grumble and gather to complain about the software, keeping the errors at the top of their mind.  Delays, however, will be forgotten as the software finally comes out to make their lives a little easier.

A good system test will prove that you have done your job well and completely.  You can be positive that the system meets the requirements you were given, and you have documentation to back that up.  You will be able to move on to the next phase of the ERP system, or move on to your next project with confidence.  You know that it’s a global world, and Technology makes it happen.

Have you been involved in a project where testing was shortened, or removed, to the detriment of the company?  Leave your comment below.