09-03 Contents: Risk survey, SQC
Conference report, ISACA Spreadsheet Auditing workshop
1649-2374 This issue online at http://www.sysmod.com/praxis/prax0903.htm
Modelling Ltd.: Managing reality in
Information Systems - strategies for success
IN THIS ISSUE
1) IT Risk
Survey on risk and
SQC Conference Report
Ray Butler and
Patrick O'Beirne at
EuroCACS Frankfurt 15 March 2009
Graphing website structure
8 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information
Welcome to PraxIS
This month I report on the SQC conference in Dublin on March
1) IT Risk
Matthew Leitch's survey may be over by the time you read this, but if
you are interested in the relationship of rationality to risk then take
a look at:
What circumstances are relevant to decision making under uncertainty?
And after that follow the links to his articles on:
The real reasons we avoid risk: A fresh and practical perspective on
fundamental theoretical questions
Making sense of risk appetite, tolerance, and acceptance
Software & Systems Quality Conference
Dublin, 4 March 2009
Keynote: Testing or Quality – what are we really talking
Bob Bartlett, SQC Ireland 2009 and Pierre Audoin Consultants
This is the result of a survey
on the Irish Computer Society website. He presented results
that compare Ireland vs. Europe (including UK)
Most questions had about 6-10% Don't Know responses, which is
"To what extent is your testing team responsible for software quality?"
to a very great extent: 13%, great extent: 45%, some extent 24%
I expect most professionals would recognise the question as
"responsible for software quality ASSURANCE"
- only those who produce the software can be responsible for its
quality as they are the ones who put quality in, or put defects in.
I wondered about the answers given to
"Is compliance testing and verification important to your organisation?"
82% yes, 12% no
Then they asked
"is the growing need for Regulatory Compliance impacting Testing?"
Yes: 75% in Ireland vs 15% in Europe
Not Applicable: 15% Ireland, 80% Europe.
So you have to ask: were the only participants in Ireland from the
No analysis of industry was available.
"In 2009 which is more important to you: cost reduction or increasing
Increasing SQ 61%, reducing cost 39%
So, who is speaking here? IMO, it's testers, who keep their job if
their company focuses on SQ, and may lose it if the company cuts jobs.
A good question is:
"Within the last two years - a lack of testing has cost the company
Europe and Ireland were similar with about 20% Yes, 50% No, 30% Don't
Some questions were not clear to me: When asked "Do you plan quality
standards or accept what you get?"
67% plan, 25% accept.
'accept what you get' reads to me like "software is always accepted
regardless of test results" which makes me wonder why test
at all - there must be something else intended there.
1-25% of spend: 57% of respondents said they allocate 1-25% of their IT
spend to quality and testing and a further 28% said 26-50%.
But when asked "What percentage of project costs are typically
allocated to testing?"
Don't know scored Ireland: 80%, Europe 65%, with the rest at around
10-30% of project costs.
I infer that the vast majority are guessing.
Finally, the questions on training were revealing:
"Do you provide training in testing for your staff?"
In Ireland, 90% said Yes, against 58% in Europe
22% in Europe said 'Don't know' so that may indicate that more than 20%
were not in fact involved in testing.
But here's the testing (!) question:
"How many days of training do you give your staff?"
Don't Know: Ireland 90%, Europe 75%
with the rest divided between 1-5 days and 6-10 days.
So when put to it, those who said "Oh yes we provide training" could
not back it up with figures.
It's easy to come to the conclusion that responders in Ireland like to
give the proper answer rather than the correct one!
I chaired some sessions and here are my notes from some of the
Agile testing in a real world environment
David Espley of Progressive Media Group.
Progressive currently use Crystal as the basis for its agile processes
He said they have "Hard and fast rules for quality, Soft rules
They insist upon TDD, Fitnesse, Stand ups, Continual
integration, Task breakdown, Velocity measurements, Delivering to meet
acceptance criteria, Being goal driven, and Designing the system.
Among the lessons learnt so far, he listed "Make sure that you have at
least 2 people who understand every technology", and "Keep your sprint
plans up to date every day"
Data Protection Issues in a Development & Test
Hugh Jones, a consultant tutor delivering the Irish Computer
Data Protection certification programmes.
It was a straightforward overview of DP: key terms were
defined, the Data Protection rules, Individual Rights, Registration,
The Public Register is on www.dataprotection.ie
He quoted a Ponemon Institute survey of 800 IT professionals that found
that 69% use ‘live’ data in testing, and over 50% of those
using outsourced testing send ‘live’ data to the outsourcer. The
average cost of breach, per record is almost $200 - bear in mind that
one breach can release millions of records. Lost business
accounts for 65% of data loss costs. He reminded the audience that
legislation makes no distinction between Production and Test
For balance, he covered the risks with ‘generated’ test data.
Test data should be ‘real enough’, ‘real looking’; if unrealistic, the
data will give a skewed result. A common challenge is the retention of
data integrity – table relationships, etc.
His ‘Best Practice’ tips for testing included making data protection a
test criterion, assessing data sensitivity before using for test,
de-identification, anonymisation, randomisation, and keeping the key
for codified data separate. He advocated having a non-disclosure
agreement within the processor contract.
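One way to apply the de-identification tips above while keeping table relationships intact, as an added example that is not from the talk or from this newsletter: identifiers are replaced with keyed HMAC tokens, so the same customer maps to the same token in every table, and the key is held outside the test environment. The table layouts, field names, sample rows and key value are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a production extract (not real data).
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Aoife Byrne", "email": "aoife@example.com"},
    {"customer_id": "C1002", "name": "Sean Murphy", "email": "sean@example.com"},
]
ORDERS = [
    {"order_id": 1, "customer_id": "C1001", "total": 42.50},
    {"order_id": 2, "customer_id": "C1002", "total": 17.00},
    {"order_id": 3, "customer_id": "C1001", "total": 99.99},
]


def pseudonym(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, deterministic token: the same key and input give the same token."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def deidentify(customers, orders, key: bytes):
    """Return test copies with personal fields replaced; joins still resolve."""
    test_customers = []
    for row in customers:
        tag = pseudonym(key, "email", row["email"], 8)
        test_customers.append({
            "customer_id": "T" + pseudonym(key, "customer_id", row["customer_id"]),
            "name": f"Customer {tag}",
            "email": f"user_{tag}@test.invalid",
        })
    test_orders = [
        {**o, "customer_id": "T" + pseudonym(key, "customer_id", o["customer_id"])}
        for o in orders
    ]
    return test_customers, test_orders


def orphaned_orders(customers, orders):
    """Orders whose customer_id matches no customer row (broken integrity)."""
    known = {c["customer_id"] for c in customers}
    return [o for o in orders if o["customer_id"] not in known]


if __name__ == "__main__":
    # Assumption: in practice the key comes from a secret store that the test
    # environment and any outsourced tester cannot read. Constructed value here.
    key = b"constructed-demo-key-held-outside-test"
    custs, ords = deidentify(CUSTOMERS, ORDERS, key)
    print(custs, ords, orphaned_orders(custs, ords))
```

Fields passed through unchanged, such as the order totals here, still need the sensitivity assessment mentioned above before the extract leaves production.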
The inaugural ICS Data Protection Conference will take place on the 2nd
April at the Hilton Hotel, Charlemont Place, Dublin 2. Topics to be
discussed and debated on the day will include: Access requests, data
breaches, record management, security, audits, individual rights and
Software Lifecycle Standards for Very Small Software Companies
Rory O'Connor, Irish Software Testing Board; Marty Sanders,
The business reasons for certification to standards are:
Higher customer confidence and satisfaction
Higher software product quality
Increased sponsorship for process improvement
Decreased development risk,
Marketing facilitator (e.g. better image)
Higher potential to export
They decided on 25 employees or fewer in the department, company or
project as a Very Small Enterprise (VSE)
The assumption is that in such a small group of people, some of the
overhead in meetings, documentation and general communications is not
In Ireland, 61% of our 900 software companies employ 10 or fewer.
The general objectives for their ISO group (ISO/IEC 29110
working group) were to provide:
Accessibility to current software engineering standards for small
Harmonized documentation integrating available standards, but requiring
minimal tailoring and adaptation effort
Profiles aligned with the notions of maturity levels presented in other
Implementation guidelines (domain specific) on how to perform the
Deployment Packages are a series of guidelines explaining in more
detail the processes defined in the profile
They include Competencies required, Knowledge and skills, Template(s)
empty and filled with examples, checklist(s) to facilitate
implementation, assessment and self-assessment.
How you can participate and learn
The plan is to invite companies to participate in the field trials
before the standards get published by ISO
The plan is to produce a Final Draft this year
Publication as a standard is scheduled for 2010
In the meantime, deployment packages will be made available on public
Irish Software Engineering Research Centre
Product Management and the Testing Team
Mary Ryan, Product Innovator http://www.productinnovator.com
A Product Manager has to identify market and customer requirements,
develop a ‘whole product’ strategy over the entire product lifecycle,
position products, develop a ‘Go to market’ strategy and evangelise the
This links closely with QA's input and Responsibilities
in Requirements Management and prioritisation, Use
Cases, Change Management, Release Plan,
QA Test cycles, the development of FAQs, and performance benchmarks.
Ray Butler and Patrick O'Beirne at EuroCACS Frankfurt 15
Offers a comprehensive approach to auditing spreadsheets.
Uses real-world examples and hands-on learning to demonstrate the
benefits of such an approach.
The participant will
learn more about:
Where to start and the most efficient techniques to use
How to cut down a system of spreadsheets to a manageable audit task
The symptoms that indicate potential or actual problems
How an enterprise can create an inventory of its critical spreadsheets,
assess them for risk and prioritise scarce resources
Little-known secrets of Excel's auditing features
The causes of spreadsheet errors
The risk environment and processes around spreadsheet use
Techniques for inspecting a spreadsheet for errors
Techniques to reduce the incidence of errors in spreadsheets
What to look for in software tools
Spreadsheet Check and Control: 47 best practices to detect
and prevent errors
Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM
Thank you! Patrick O'Beirne,
Websites as graphs
Shows a web site as a chart of the linkages among the pages.
Copyright (c) Systems Modelling Limited,
. Reproduction allowed provided this copyright notice is included.
We appreciate any feedback or suggestions for improvement. If you have
received this newsletter from anybody else, we urge you to sign up for
your personal copy by sending a blank email to EuroIS-subscribe
(at) yahoogroups (dot) com
For those who would like to do more than receive the monthly
newsletter, the EuroIS list makes it easy for you to discuss issues
raised, to share experiences with the rest of the group, and to
contribute files to a common user community pool independent of the
sysmod.com web site. I moderate posts to the EuroIS list, to screen out
Patrick O'Beirne, Editor
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name
is chosen to reflect our focus on practical solutions to IS problems,
avoiding hype. If you like acronyms, think of it as "Patrick's reports
and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
To read previous issues of this newsletter please visit our web site at
This newsletter is prepared in good faith and the information has been
taken from observation and other sources believed to be reliable.
Systems Modelling Ltd. (SML) does not represent expressly or by
implication the accuracy, truthfulness or reliability of any
information provided. It is a condition of use that users accept that
SML has no liability for any errors, inaccuracies or omissions. The
information is not intended to constitute legal or professional advice.
You should consult a professional at Systems Modelling Ltd. directly
for advice that is specifically tailored to your particular
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It
also offers a moderated discussion list for readers and a free shared
storage area for user-contributed files. The archives of this group are
on YahooGroups website