FTL Focused Planning...Extranet Project scheduled for pilot implementation in June 2007. This project extends authentication and authorization responsibility for key services to delegated

FOCUSED PLANNING FOR IT SECURITY

AT FRE IGHTL INER

“HOSHIN KANRI ”

as part of the

I DENT ITY MANAGEMENT ANALYST AND

SUB JECT MATTER EXPERT ENGAGEMENT

Author: Jeffrey W. Elliott

Version: v3.2b

Date: 2007‐04‐08

Sanitized for Distribution

Freightliner: Focused Planning for IT Security

Certified Security Solutions, Inc Page 2 of 38 Proprietary

Prepared for:

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

© 2007 Certified Security Solutions, Inc.

Proprietary Material. All rights reserved.



You say you’ve got a real solution

Well, you know

We’d all love to see the plan.

Revolution, Lennon and McCartney



EXECUTIVE SUMMARY

A recent survey of 103 U.S. and European companies found that 34 percent have built a foundation to

automate key business services for core processes. Relative to their competitors, these companies have

higher profitability, experience a faster time to market, and get more value from their IT investments.

They have better access to customer data, lower risk of mission‐critical systems failures, and 80% higher

senior management satisfaction with technology, yet they have 25% lower IT costs. These advantages

are only achieved by developing and exploiting a tight alignment between business objectives and IT

capabilities.

In February 2007, Certified Security Solutions, Inc. (CSS), an information security consulting firm, was

engaged by Freightliner at the Portland Headquarters to apply its Focused Planning methodology to

define , clarify, and communicate Freightliner’s IT Security strategy and its linkage to company business

goals.

The study focused upon, but was not limited to, the ambitious and complex Identity Management

Extranet Project scheduled for pilot implementation in June 2007. This project extends authentication

and authorization responsibility for key services to delegated Security Administrators located within

Customer Dealerships. Implementing an Identity Management system is a major advance in the

evolution and maturity of Freightliner’s IT infrastructure and is a cornerstone in achieving full

compliance of the Sarbanes‐Oxley Act of 2002.

The analysis documented in this report revealed impressive strengths in the critical success factors

associated with project management and significant opportunities in the factors associated with process

management.

Most companies do a poor job of implementing the strategies their leaders document on conference

room walls, and for them, strategic planning promises very little return. The bottom line finding of this

report is that Freightliner’s IT Security Organization executes its initiatives with enthusiasm and world‐

class discipline. Strategic planning is therefore a high‐return investment at Freightliner.

Enterprise Architecture as Strategy: Creating a Foundation for Business Execution by Jeanne W. Ross,

Peter Weill, David C. Robertson, Harvard Business School Press, 2006



Contents

Executive Summary ............................................................................................................................4

Introduction: Freightliner Leads With Security ...................................................................................6

Strategy Map .....................................................................................................................................6

Reading the Freightliner Information Security Strategy Map ................................................................... 9

Critical Success Factors ..................................................................................................................... 11

CSF rationale and recommendations ...................................................................................................... 12

Strategic Analysis of the Identity Management Project ..................................................................... 20

Brainstorming Project Issues and Concerns ............................................................................................ 20

1.0 Managing Customer Requirements and Expectations .................................................................... 24

2.0 Creating Strategic Direction for IdM and Deploying Security Policies and Standards ................... 25

3.0 Managing Outside Influences .......................................................................................................... 27

4.0 Current Team Capabilities ................................................................................................................ 27

5.0 Timeline and Resources .................................................................................................................... 30

6.0 Managing the Project ....................................................................................................................... 32

Appendix A: Procedures for Focused Planning Tools ......................................................................... 35

Affinity Diagram ...................................................................................................................................... 35

Relations Diagram ................................................................................................................................... 36

Tree Diagrams ......................................................................................................................................... 37

Appendix B: References .................................................................................................................. 38

Figures

Figure 1: Strategic Project Alignment .......................................................................................................... 7

Figure 2: IT Security Strategy Map ............................................................................................................... 8

Figure 3: IT Security Critical Success Factors and Assessment Score ......................................................... 12

Figure 4: Affinity Diagram for the IdM Project .......................................................................................... 21

Figure 5: 160 Key Issues and Concerns! ..................................................................................................... 22

Figure 6: Sorting the Issues Into Themes ................................................................................................... 22

Figure 7: Relationship Diagram of Key Themes ......................................................................................... 23



INTRODUCTION: FREIGHTLINER LEADS WITH SECURITY

Over the last year, Freightliner has made steady progress transitioning from a vulnerability‐based to a

risk‐based approach to security management. An IT security organization is “vulnerability‐based” when

its primary focus is to react to vulnerabilities as they are identified, rather than taking a proactive,

strategy‐driven approach to security. It says much for Freightliner that so many current projects are

business‐enabling and have business partners on the teams. It is no small achievement that a high

percentage of the IT Security team has formal business education or experience.

It’s also not surprising that the IT Security Organization is actively working strategic issues and that

individuals are keenly aware of their priority. The organization reports directly to the Director of IT

Infrastructure and of the five dimensions on every employee’s annual evaluation, first is “Thinks

Strategically and Establishes Direction.”

So when Certified Security Solutions (CSS) was asked to provide subject matter expert oversight on a

major customer‐focused Identity Management (IdM) project, it was a natural step to also provide help

articulating the value proposition of IT Security’s strategic projects with an emphasis on the IdM

Extranet effort. The effort also generated analysis of Critical Success Factors gleaned during a series of

interviews with organizational leaders and team members. Additionally, this report includes specific

recommendations based on detailed analysis of key issues and concerns focused on the IdM

implementation pilot.

This report provides three major artifacts as products of the analysis:

1. A Strategy Map describing the value chain linking projects to Freightliner business strategy

2. A Critical Success Factor (CSF) study with an achievement assessment generating

recommendations to help deploy the strategic vision

3. A Focused Planning study of current IdM project issues that also generated specific

recommendations to help the team achieve its goals on the June pilot implementation.

Note: This document is designed to be viewed in color. Converting this document from MS Word 2007

to older formats may cause layout problems. Sharing this document as a PDF file will preserve its

integrity.

STRATEGY MAP

This section presents the IT Security Strategy Map developed in April 2007 and provides guidance in

reading and interpretation. A follow‐on Communications Plan will suggest venues and formats to

maximize the benefits of achieving an articulated security strategy.

The Strategy Map is a single‐page tool that provides a graphic linkage between organizational

investments, operating missions, and key company business measures. The Strategy Map is a key

communication device to focus the efforts of the project. Since company strategy is cross‐functional



and may encompass many different perspectives, the Strategy Map explains management’s rationale in

a single‐page global view to which all can relate.

Based on an IT Security‐centric modification of “Balanced Scorecard,” (familiar to much of the

company’s leadership) the Strategy Map links recent, current, and near‐term strategic projects to the

missions of IT Security (risk management and regulatory compliance) to the level of IT investment

leading to measures of company profitability. When these perspectives are linked, a coherent strategy

emerges that provides a potent focusing power for teams and stakeholders. The Strategy Map

represents a unique perspective on management’s hypothesis of cause and effect relationships leading

to business success. The goal is to share strategic vision and provide a guiding roadmap of the overall

plan.

For the purposes of this analysis, the following projects were used to articulate the strategy. This table

compares selected recent, current, and near‐term projects with Freightliner’s espoused statements of

aspirations and strategic direction found on the wall of every conference room.

FTL Aspirations and Strategic Direction

Strategic IT

Security

Projects

Market

Leader

Customer

Reliable

Continuous

Improvement

Strong

Brands and

Value

Proposition

World

Class

Cost

Position

Distinctive

Quality

Smart

Processes

Exceptional

People

Implement ITIL

Disciplines

DCX Integration

IdM Extranet

Deploy New IT

Security Tools

Webnet

Infrastructure

Improvements

Aveksa

Compliance

Assurance

IT Security

Reorganization

FIGURE 1: STRATEGIC PROJECT ALIGNMENT



FIGURE 2: IT SECURITY STRATEGY MAP



READING THE FREIGHTLINER INFORMATION SECURITY STRATEGY MAP

While the Strategy Map provides a handy reference easily adapted to many purposes, a comprehensive

interpretation is best read from the bottom up – left to right. Here’s one reading:

1. The farthest‐looking strategic initiative is the development of a three‐year vision to implement

selected disciplines from the Information Technology Infrastructure Library (ITIL). ITIL is a

universal framework outlining accepted best practices for IT Service Management. The concepts

within ITIL support the planning and implementation of consistent, documented, and repeatable

processes that directly tie IT service delivery to company business requirements. ITIL

implementation is a major commitment for an organization and demands IT expertise, process

management skills, and continual business interaction. This three‐year vision will focus first on

incident management and will begin the value chain to protect critical information assets.

Because it is a DaimlerChrysler corporate initiative, it also supports efforts to adopt and

integrate DCX security policies.

2. DCX integration is an initiative with the goal of optimizing corporate resources and increasing

the synergy of people, systems, and assets. Among the areas of integration scheduled to be

addressed this year are integrating corporate audit services and standardizing Computer

Incident Response Team (CIRT) activities.

3. Additional initiatives deploy innovative security technologies. New IT Security tools include

deployment of the Qualys network scanning system, an application security assessment tool, an

intrusion protection system, and firewall upgrades. Deployment of VMware will help deliver

provisioning resources by providing flexible capacity management for IT resources. Because IT

support has to adapt new technologies to legacy systems, Webnet infrastructure improvements

will allow needed systems to operate with new architecture.

4. Over the past year, the IT Security Organization has been restructured to achieve the planned

tactical and strategic goals before it. Now formed in three groups, the organization is divided

into Firewall/General Security under Chris Hamilton, Web Security under Jim Beikirch, and

Access Control/IdM under Aaron Radigan.

5. The Identity Management (IdM) Extranet Project leverages security technology to provide

enhanced Dealer‐Customer processes complying with auditing and traceability regulatory

requirements of the Sarbanes‐Oxley Act and DDC security policies.

6. Deployment of the Aveska compliance assurance product provides a comprehensive, scalable,

and cost effective reporting tool describing “who has access to which IT/business resources,” a

key requirement of Sarbanes‐Oxley.

7. Deploying these technology innovations will address three key areas of Information Security

Risk Management: protecting critical information assets, achieving control over authentication



(ensuring system users are correctly identified) and authorization (ensuring system users have

access to needed resources), and managing the scarce personnel and funding resources that

characterize “the leanest IT organization in the corporation” (as reported independently in three

different interviews).

8. In 2002, in reaction to the flood of corporate financial scandals across various U.S. corporations,

the Sarbanes‐Oxley Act (SOX) was signed into law implementing the most significant change to

corporate financial responsibility since the New Deal. Among other requirements, the SOX Act

demands documented management practices for key business processes. While widely viewed

in some circles as a burden and cost to corporate operations, it will provide a significant

investment in critical infrastructure through process management disciplines.

9. Protecting critical information assets focuses on a tri‐fold IT strategy commonly referred to as

CIA (confidentiality, integrity, and availability) of information assets.

10. Authentication and authorization supports CIA and is also a major investment in critical IT

infrastructure as it provides a unifying framework for user access to enterprise applications.

11. Managing scarce IT Security resources is both an investment in critical infrastructure and

characterizes the Freightliner approach to lean IT.

12. Maintaining a focus on CIA is a priority for IT because it is key to providing a seamless value

chain for Freightliner customers through access to reliable systems and information.

13. It speaks volumes for Freightliner’s IT and security leadership that the “leanest IT organization in

the Corporation” prioritizes significant investments in critical IT infrastructure which is focused

to address all three key elements of the business strategy: provide a seamless value chain for

customers, provide rapid development of new products and services and to contain costs to

maintain a world class cost position.

Especially promising is the RBAC (Role/Rule‐Based Access) work completed for the IdM Extranet

Project. The RBAC work provides a clean data base of current Customer‐Dealers in the customer

value chain. This will provide an unprecedented reference for the development of products and

services targeted to current customers in well‐defined business roles.

14. The previous thirteen points outline a detailed strategy to ensure that Freightliner maintains

current leadership in the North American commercial vehicle industry.

15. As reported in the December issue of TruckTIMES, the Truck Group uses two key metrics to

measure profitability: RONA (Return on Net Assets) is the ratio between operating profit and

fixed capital, ROS (Return on Sales) is the ratio between earnings and the revenue generated by

sales. It was reported in December that RONA was at thirty percent and ROS was just less than

seven percent.

Put simply, the Strategy Map reveals IT Security as a treasure chest of value‐added efforts.



CRITICAL SUCCESS FACTORS

Freightliner’s IT Security organization has a clear sense of mission and direction. Both are well reflected

in the relatively recent organizational structure and the choice of strategic projects to pursue. However,

having meaningful projects and goals are not enough. Even organizations of exceptional people must

perform well in key areas on a consistent basis to achieve success and an enjoyable work life. These key

areas – unique to the organization, its challenges, and its abilities – can be defined as the organization’s

Critical Success Factors (CSFs). A highly‐functioning team and its leaders implicitly know and consider

these key areas when they set goals and formulate action plans. However, when these CSFs are made

explicit, they reveal a common pattern of behavior that is highly relevant and meaningful to real project

situations. Strong achievement of a CSF is an indication of a strength that can be leveraged while an

achievement gap presents a major opportunity to operate at a higher level of achievement.

CSFs are easily confused with goals, but they are quite different. A goal is an operational target for

achievement that drives meaningful work. A CSF is an augmenting method of achieving a goal that

drives and enables success. In quality management terms, this is the relationship between targets and

means – the difference between “just do it” and understanding the how and why to achieve an end so it

is effective, efficient, repeatable, and learnable for others. For many teams the translation from goals to

successful action plans is accomplished invisibly and innately. The CSF method attempts to make this

hidden skill explicit so the organization can use it collaboratively as an aid to implementing strategy and

executing projects.

Although irreplaceable, technical acumen is rarely in short supply in IT Security organizations. More

often, skills such as “the ability to formulate and take focusing actions” or “the ability to make work

visible” contribute most to workplace effectiveness for the complex problems of information security.

Such skills are often not apparent and won’t be found on a laundry list of “habits of successful

organizations.” The need for such skills and the value in identifying them comes from actually observing

competent people performing well and identifying specific patterns of improvement. Meaningful CSFs

are derived from analysis of the team working well, rather than having them established upfront as

some kind of vision.

The brainstorming exercise completed for the IdM Extranet project and CSS’s on‐site interviews

provided an excellent opportunity to uncover the critical success factors of a well‐functioning team

working a complex and important project. The richness of the Strength‐Weakness‐Opportunity‐Threat

(SWOT) exercise is that it reveals things working exceptionally well in addition to uncovering problems.

The IdM project team was ideal for this focus because while IdM work is not representative of all the

strategic projects currently underway, it is an example of a high‐functioning team working its way

through complex problems. If a pattern of CSFs prove useful for the IdM project, they are likely to apply

widely to other complex projects as well.



Figure 3 shows the six distinct CSFs and the assessment scores that were identified by analyzing

recurrent themes in the interviews and project analysis. Please keep in mind that high scores indicate

strength in this area that should be leveraged and low scores indicate opportunities to function at a

significantly higher level.

FIGURE 3: IT SECURITY CRITICAL SUCCESS FACTORS AND ASSESSMENT SCORE

CSF RATIONALE AND RECOMMENDATIONS

The assessment that follows is necessarily subjective and qualitative. Recommendations are based on

my formal training in organizational dynamics, my experiences in industry, and my grounding in the

management principles of Dr. W. Edwards Deming.

Each of the following CSFs has a Problem Statement describing why it is important, an Assessment

rationale that describes criteria relevant to the score, and Recommendations to exploit high scoring

categories and suggestions to improve low scoring categories.



MANAGING SCARCE RESOURCES – SCORE: 80%

Problem statement: “We’re the leanest IT organization in the corporation.” Of course every IT and IT

Security organization is challenged with staffing a knowledgeable and compatible workforce. The

necessary disciplines are immature, the technology is rapidly changing, and the area is target‐rich. At

the same time, IT organizations are continually challenged to reduce costs in the face of endless serious

threats. The result is often that expensive projects are delayed by multitasking specialists delaying ROI

and burning out in the process.

Assessment: Very high marks in this category. Freightliner is managing lean IT exceptionally well. The

project portfolio is rich with infrastructure investment and a clear value chain. The organization is

structured to focus on mission success. In the words of Susan Moote, Director of IT Infrastructure,

“Security is the foundation of IT infrastructure.” Chris Poorman, IT Security Manager, has recently

reorganized into three focused groups: Firewall/General Security, Web Security, and Access

Control/IdM. Supervisors of each group provided a unified and coherent description of their missions

and responsibilities.

Excellent use is made of both long and short‐term contractor personnel. Highest marks go to the Project

Liaison Office and Richard Guyot’s professional project management. My favorite quote from a tightly‐

run meeting: “We’ve got one minute left, would anyone like to add anything?” Project management is

a specialized and challenging discipline and I’ve rarely seen it practiced better. In addition to skilled

talent, Freightliner has a well‐documented methodology for project development and execution that is a

jewel in the crown.

Selection of team membership is a crucial element of this CSF. A look at the single page Affinity Diagram

(see Figure 4) provides insight: The category “Current Team Capabilities” is overwhelmingly dominated

by Strengths (in blue).

Recommendations:

1) Establish cost benchmarks within the corporation and across the industry to help build the

business case for investment.

2) Invest in formal training for building IT business cases – it is a core competency and will help

security specialists build relationships with business partners.

3) Take advantage of the internal “LEAD” system to build a skills data base across the

corporation. Pool scarce resources at the highest possible level, put them on one project at

a time, and provide them with clear priorities.

4) Involve everyone in the zero‐based budgeting process.

5) Take every advantage of project and organizational milestones, recognize them in public

and formally celebrate achievement.



CULTIVATING AND COMMUNICATING BUSINESS SAVVY – SCORE: 90%

Problem Statement: As IT Security moves more into a strategy‐driven business‐enabling approach, it

becomes more and more important to develop and maintain a keen sense of business priorities and the

ability to respond meaningfully to them. The risk is to negatively impact the value chain of operations

with an emphasis on technology or compliance. The window for leveraging SOX compliance, for

example, will not remain open long. It will become more and more important to build deep and long‐

lasting partnerships with operations and learn to speak in the language of money and measurement.

Assessment: Highest marks here. In the course of interviewing twelve people for this report, five

mentioned their origins were in business and most demonstrated impressive depth of knowledge about

company operations and priorities. Critical skills are being developed in the areas of RBAC, use case

development, and compliance reporting areas. This work is very well documented. Susan Moote

observed that the business case for the internal IdM work is going to be a major challenge.

Three truths about IT strategy: (1) The demand for existing technology increases as the business grows,

(2) the demand for new technology functionality increases with the technology intensity of the

business, and (3) technology innovation increases the demand for new business skills in IT.

Recommendations:

1) Continue to cultivate business champions like Kimberly Ward and business analysts like

Jonathan Villante. Kimberly’s enthusiasm for the marketing advantages of the Dealer RBAC

work is inspirational. Jonathan’s insights into workflow automation and targeted services for

profitable customers are gospel. Whenever possible, couple a technical person with a business

talent.

2) Share the internal business knowledge and insight with everyone in the organization. Don’t let

business orientation become a specialty of a few.

3) Exercise your evangelists with road shows and presentations at staff meetings and town halls.

4) Move beyond dubious savings like “reduced help desk calls” to richer value‐driven measures

(see “Using Key Performance Indicators” CSF).

5) Attend conferences and build industry alliances with business‐savvy counterparts. Document

and share these resources. Build a corporate and industry champion data base.

6) Seek opportunities to make the company easier to work with (like the effort on 3rd party

contracts).

7) Refine, update, and share the strategy map with all stakeholders. Let’s see an appropriate

version of it in TruckTIMES. The security strategy belongs on the Freightliner web site and in the

annual report. How about adding a spot to the looping television tape overview in the

corporate headquarters lobby? Corporate communications people are always looking for new

features.



FORMULATING AND FOCUSING ACTIONS – SCORE: 60%

Problem Statement: Many challenges are being faced for the first time. The learning curve is steep and

multidisciplinary. The result is often an over‐emphasis on results with little attention to method. With

no time for experimentation and reflection, the penalty is paid when recurring problems are either

ignored or addressed by reinvention.

Assessment: Very good use is made of subject matter experts and outside talent and the team certainly

seems to collaborate well. Process management disciplines help keep task teams small and maximize

what learning opportunities exist (it’s hard to get left out of a pair). But as the work gets more complex

(e.g., next year’s Intranet IdM) more will depend upon the judgments made by individuals with no

formal method for methodology review and validation. Cultivating a habit of meeting deliverables and

deadlines without sharing the work methods will make success critically dependent upon the continued

performance of individuals, not the team. This is especially critical in the requirements gathering and

validation cycles. Major challenges lie ahead in the internal RBAC and the entire subject of data quality

is a sword of Damocles for the project. (For more information on data quality, see Improving Data

Warehouse and Business Information Quality: Methods for Reducing Costs and Increasing Profits, by

Larry P. English.) An effective strategy for next year depends heavily on preparation this year.

Recommendations:

1) Maintain the search for best methods and practices. Look into building skills in the

requirements disciplines of Quality Function Deployment and other formal approaches to

gathering, validating, and translating requirements into technical specifications.

2) Use corporate resources to build team websites, maintain running records of lessons learned,

and formalize cross‐training whenever possible. Document, publish, and follow an

organizational internal training plan.

3) Investigate and adopt a strategy to deal with data quality to include data base cleanup, process

analysis with robust design, and data quality performance reporting.

4) Establish annual training in the so‐called soft skills of problem formulation and dialogue.

5) Schedule regular meetings to share issues – even without resolution – to increase internal

communication about the challenges being faced and make wider use of your very skilled

individuals. (I know these items take time and people are already very busy, but it will pay off in

the team you build and your ability to quickly marshal problem solving capabilities when critical

problems arise.)



ALIGNING AND INTEGRATING MULTIPLE GOAL SETS – SCORE: 80%

Problem Statement: As IT Security projects become more business intense, they will compete more and

more with traditional operations‐focused projects and initiatives both for costs and for talent. The risk

is to miss critical security targets for lack of alignment and integration of business goals with IT security

goals.

Assessment: This value is very well demonstrated in the alignment and synchronization with the OWL

(On‐line Warranty) project. Expect much more like this in future strategic initiatives.

Recommendations:

1) Formalize the relationship with competing projects. Avoid the practice of sending the Project

Manager to deal with scheduling negotiations by dedicating team resources to key opportunities

and building alliances. Ensure stakeholders and partners share goal‐setting and performance

measurement where it makes sense. Share the strategy; share the success!

2) Engage experienced neutral third party facilitators to manage important meetings. Consider

using facilitators to manage the progress of knowledge transfer in meetings like the OWL

synchronization meeting. This can ensure the time is spent productively addressing key issues

definitively so they don’t go unresolved or reappear. It is also a useful way to have a third party

document the progress so team members can participate fully.

3) Practice formal expressions of appreciation like commendations for important contributions.

Always cc the manager as well.

4) Many projects that may appear to compete have a valuable security component that can be

leveraged. Don’t hesitate to take advantage of your marketing insight into the many dimensions

of IT Security.

PRACTICING COLLABORATIVE LEARNING – SCORE: 40%

Problem Statement: It is not collaboration if everyone attends a meeting and cleans email instead of

demanding a rich and productive experience. PowerPoint slides have a place, but the whiteboard is the

place to demonstrate thinking and sequential problem solving. There is no substitute for sitting across a

table, looking each other in the eyes, and engaging fully in meaningful dialogue. Without consideration

and skill in working with the ideas of others, we lose precious synergy and create the self‐fulfilling

prophesy of meetings wasting our time.

Much of the work in IT Security has an abstract dimension that makes it difficult to document how

decisions and judgments are made. Relying on the strength and trust of individuals inhibits the learning

cycle and makes it difficult to repeat success. In order for conscious competence to become routine

unconscious competence, it needs to be documented and shared. There are formal frameworks for

illuminating enterprise architecture that can be very helpful and provide a powerful communications

bridge with the business community.



Assessment: Many of the challenges team members have met so well have been new exercises or at

least had new scope and complexities. The individual learning has been excellent from my vantage

point and the phased deployment of the extranet project provides the ability to reflect and learn. In the

language of the quality management gurus, you’ve built iterative cycles of Plan‐Do‐Study‐Act into the

deployment that should safeguard the project, provide visibility into unforeseen problems, and generate

even more lessons for your team. At the completion of this first project, you’ll have a very well trained

team that no classroom cycle can produce.

Skillful public reflection is a much neglected success factor. Without a formal method of reflection and

learning, valuable knowledge capital is squandered in the name of meeting immediate goals. The result

is failure to address subtle but expensive problems and an endless cycle of scraping burned toast.

While there were strong presentations made on executive summaries of the IdM project, work was

largely (and perhaps necessarily) done individually and without wide collaboration. Techniques like the

Affinity Diagram can generate valuable insights that build on each other’s ideas. Without collaborative

technology we are only as smart as the smartest powerful person in the room. Excellent work was

demonstrated in documenting project progress but some individuals, even inside the team, complained

about not receiving updates and feedback. Share the strategy; share the work!

Recommendations:

1) Adopt a method of formal reflection and lesson gathering. Consider the work done by the U.S.

Military in building a culture of reflection in their After Action Reviews. Consider scheduling

formal Postmortems and Before Action Reviews.

2) Post findings and insights on a bulletin board, on posters, on the project web site. The schedule

information on the whiteboard in the Data Center is an excellent start once the code is broken.

3) Post work product in public and always sign your work (you’ll join Isaac Newton and Galileo,

both famous for showing and signing their work.) This does much to create tribal knowledge

and increase the likelihood of accidental and beneficial interactions.

4) Consider a method like the Zachman Framework of Enterprise Architecture as an avenue to

illuminate IT security opportunities in IT and business projects. Adopting standards for

graphically illuminating abstract entities can help business people overcome the intimidation of

highly technical concepts.

5) Adopt methods of graphical collaborative problem solving. Two good places to start are

Thinking Visually by Malcolm Craig and Rapid Problem Solving with Post‐It Notes by David

Straker. Both are accessible and rich sources of collaborative technologies.

6) As this project matures, you will find many opportunities to leverage the agility of

standardization, to capture lessons learned, and embed them in the organization. Take

advantage of these.



USING KEY PERFORMANCE INDICATORS – SCORE: 10%

Problem Statement: Without a small and meaningful set of both leading (predictive) and lagging

(reactive) measures, it’s impossible for people to build meaningful models of cause and effect so success

can be understood and reproduced. The purpose of performance metrics is to reveal the engines of

change that produce your desired results. It’s not necessary to engage a statistician, but some amount

of numeracy will ensure the measures are few, meaningful, and get used.

Assessment: Currently, other than milestones and scheduled deliverables, the only attempt to quantify

project or process performance was nicely carried out in one of the training documents early in the

project. I include it here in its entirety because so few recalled seeing it:

The implementation will be deemed successful if:

The volume of calls to the Dealer Help Desk related to external user security issues immediately

after deployment increases by 20% or less

The volume of calls to the Dealer Help Desk related to external user security issues is reduced

over time after deployment

The forecasted addition of 8,000 to 40,000 new external users does not require additional Dealer

Help Desk personnel to support user security

External end users can successfully log in to AccessFreightliner applications using a single

password

External end users can change and update their own password in real‐time with little to no

support from the Dealer Help Desk

Delegated dealer admins can monitor and maintain logins and access roles for users within their

Dealership

IT Security can analyze and audit ID security activities

Identity and access management capabilities and process comply with SOX and other regulatory

requirements

External end users, dealer admins, and Dealer Help Desk personnel understand their roles in

supporting corporate IT security policies.

It’s a useful set of measures but I don’t believe there’s a data collection and analysis review scheduled.

To be fair, the culture at Freightliner doesn’t seem to actively use many performance metrics so it’s not

surprising to find none. However, it does represent a major step forward in your ability to transition

projects into processes and manage them with a continual improvement emphasis. ITIL will certainly

help in this regard.

Recommendations:

1) The Maturity Model in COBIT 4.0 is an effective way to begin adopting process management

disciplines and I recommend it without hesitation. It does a nice job of presenting a collection of

potentially meaningful metrics – very useful for a start.



2) Remember that less is more in the performance measurement world. Stay focused on a small

set of balanced leading and lagging key performance indicators and use them to explain

progress in the project.

3) Gently initiate the practice of challenging conclusions with a non‐threatening, “That’s

interesting, how do you know?” Celebrate critical thinking.

4) Take advantage of resources in Freightliner’s Six Sigma program to get expert help developing

and implementing a metrics program for IT security.

5) Build a richly detailed vision of the desired future state of IT and its relation to business

processes. Use collaborative methods to develop metrics and build an executive scorecard for

the key process indicators of your success.



STRATEGIC ANALYSIS OF THE IDENTITY MANAGEMENT PROJECT

In this section a three‐step method was used to brainstorm issues, prioritize the key themes, and then

derive recommendations to mitigate the specific potential problems and concerns.

Note: The method and descriptions of the Hoshin tools (Affinity Diagram, Relations Diagram, and Tree

Charts) are in Appendix A.

BRAINSTORMING PROJECT ISSUES AND CONCERNS

The Affinity Diagram (Figure 4) is the valuable product of a structured brainstorming session. In this

two‐hour meeting, we surfaced and processed 160 different ideas and concerns about meeting the

project pilot date early in June.

The following pages show the product of the brainstorming exercise (best seen printed tabloid‐size or

electronically in a PDF file) and some photos of the team in action. Each of the team issues is also

printed in color‐coded tables in this chapter.



FIGURE 4: AFFINITY DIAGRAM FOR THE IDM PROJECT



FIGURE 5: 160 KEY ISSUES AND CONCERNS!

FIGURE 6: SORTING THE ISSUES INTO THEMES



Once the issues and concerns were brainstormed and sorted into themes, a follow‐up session

established priorities among the themes. Some categories drove others and had to be considered first.

The Relations Diagram in Figure 7 shows the key themes and the driving categories that must be

considered before “effect” categories can be analyzed.

FIGURE 7: RELATIONSHIP DIAGRAM OF KEY THEMES

The diagram guides us to address the themes of “Managing Customer Requirements and Expectations”

first since it drives all the other categories.

The third step was to single out actionable issues, group them, and develop mitigating

recommendations to address the concerns. The method is very powerful and intuitive, but it is a very

comprehensive method that should only be undertaken on important and complex projects.

Following are the details of the brainstorming (team issues organized by SWOT category) and the

analysis leading to recommended mitigating actions.



1.0 MANAGING CUSTOMER REQUIREMENTS AND EXPECTATIONS

SWOT TEAM ISSUE Strength 1.1. Knowledge of the customer base

1.2. Dealer interests are well represented

1.3. Requirements are clear

1.4. We have business owners who really want these changes and we have support

from the business

Weakness 1.5. No system redundancy

1.6. Can not impact daily workflow

Opportunity 1.7. We have the opportunity to deliver a solid, meaningful product

1.8. We will better understand our customers

1.9. We'll reduce calls to the help desk

1.10. We have the opportunity to receive positive feedback from the Dealers

1.11. Provide external user control

1.12. Because of clearly defined roles, distribution of applications will be simplified

1.13. Key data available on customers

1.14. Links disparate account codes for future use

1.15. Improve dealer relations

1.16. Reduce user account provisioning time

1.17. Improve customer satisfaction

1.18. Fix dealer logon issues: multi‐logons, manual processes

1.19. Efficient user management

1.20. Enhancing user experience

1.21. Provide customers with valuable reporting mechanisms

1.22. Improve dealer user ID management

1.23. Project will simplify Dealership admin process

1.24. Users only need one ID for AFR

Threat 1.25. All users and orgs may be involved

1.26. Dealers are outside of direct control

1.27. Poor dealer receptivity is a threat

1.28. Target audience is vast and diverse

1.29. We might miss the chance to succeed

1.30. Manage a large external user base

1.31. Dealerships fail to communicate down their orgn

1.32. Reduce customer satisfaction with security policies

1.33. Dealers may not fully cooperate in providing necessary information or may

foster ill feelings

1.0 GROUPED ACTIONABLE ISSUES RECOMMENDED MITIGATING ACTIONS

1) Threat: Poor dealer

receptivity; Dealers are outside

direct control; Dealerships may

fail to communicate down their

organization; Dealers may not

1a. Ensure team Dealer Representative (Kimberly Ward) has

dedicated priority and open lines of communication with

Dealers throughout phased deployment.



fully cooperate in providing

necessary information; target

audience is vast and diverse;

Dealers may foster ill feelings;

deploying new security policies

may reduce customer

satisfaction

1b. Actively solicit feedback on phased deployment through

focus groups of Dealer Security Admins and plan to

implement facilitating suggestions.

1c. Provide clearing house/bulletin board/web site for Dealer

input and problem resolution. Consider automating a

performance dashboard with Pareto analysis.

1d. Compile help desk problem analysis, feedback findings

with Dealer network, and plan to implement mitigating

solutions.

1e. Ensure training program is used to feed suggestions to

team for deployment modification.

1f. Publish regular editions of a Dealer Security Admin

bulletin/newsletter with sections for selected RBAC groups.

2) Opportunity: We will better

understand our customers; we

have the opportunity to receive

positive feedback from the

Dealers; provide customers

with valuable reporting

mechanisms; Improve dealer

user ID management; simplify

Dealership admin process

2a. Adopt a formal method to gather, translate, and validate

the Voice of the Customer, e.g., Quality Function

Deployment.

2b. Document Dealer Security Admin Communications Plan.

2c. Ensure communication strategy addresses reporting

needs and changes.

2d. Verify reporting strategy supports SOX compliance

requirements and company and corporate security policies.

3) Opportunity: Because of

clearly defined roles,

distribution of applications will

be simplified

3a. Involve relevant application development

representatives in IdM project deployment to spot early

opportunities and expose potential problems.

3b. Optimize RBAC categories for application development

where practical.

2.0 CREATING STRATEGIC DIRECTION FOR IDM AND DEPLOYING SECURITY

POLICIES AND STANDARDS

SWOT TEAM ISSUE Strength 2.1. Looking toward the future in how this app can be leveraged

Opportunity 2.2. Establish future base for IAM

2.3. Create a solid IAM cornerstone



2.4. We have an opportunity to fix business processes internally ‐ business owners

and app development

2.5. Ability to expand workflow to other parts of the business

2.6. Automate manual workflow

2.7. Provide a foundation for delivery of a portal

2.8. Will put well‐defined business processes in place

2.9. Enables better web‐trends data

2.10. Provides a good roadmap for future IT security plans

2.11. Contribute to company profit line

2.12. Gain economic benefit of project

2.13. Enables future app development by detailed roles

2.14. Provides structure for all apps who require dealer family info

Threat 2.15. Causes a change to how future apps are built

Opportunity

(Security

Policies and

Standards)

2.16. Adherence to policy/standards/best practices

2.17. Set security policies

2.18 . Meet SOX compliance

2.19. Security will comply with SOX

2.20 Tightening Security Controls

2.21. Much more secure environment

2.22. Security will become strengthened


1) Threat: Causes a change in

how future applications are

built; enables future

application development by

detailed roles

1a. Review actions taken in Managing IdM Project Customer

Requirements and Expectations above.

2) Opportunity: Meet SOX

compliance

2a. Review actions taken in Managing IdM Project Customer

Requirements and Expectations above.

3) Opportunity: Establish future

base for IdM; provides a good

roadmap for future IT Security

plans; create a solid IdM

cornerstone

3a. Document Freightliner IdM strategy beyond Burton

Group suggestions to capture lessons learned and maintain

actual IdM implementation details.

4) Opportunity: Contribute to

company profit line; gain

economic benefit of project

4a. Publish IdM/Security Strategy Map linking project details

to IT infrastructure and company business goals.

4b. Ensure project benefits are quantified and validated by

Company finance representative. Communicate results to

stakeholders.

5) Opportunity: Fix business

processes internally; expand

workflow to other parts of the

5a. Draft and implement automated workflow management

strategy.



company; automate manual

workflows

5b. Provide internal training on workflow management

opportunities, tools, and methods.

3.0 MANAGING OUTSIDE INFLUENCES

SWOT TEAM ISSUE Strength 3.1. Top management visibility

3.2. Visibility at high level

Weakness 3.3. Visibility at high level

Opportunity 3.4. OWL Support

Threat 3.5. Forced compression of project timeline

3.6. Pressure from OWL on project timeline

3.7. OWL dependencies

3.8. Increased visibility from being tied to the OWL project

3.9. 2007 business uncertainty


1) Threat: OWL dependencies;

Forced compression of project

timeline; pressure from OWL

on project timeline; increased

visibility from being tied to the

OWL project

1a. Dedicate team resources to continually manage OWL

synchronization.

2) Opportunity: Top

management visibility

2a. Ensure management briefings on project status, goals,

and results are included in documented project

communications plan.

4.0 CURRENT TEAM CAPABILITIES

SWOT TEAM ISSUE Strength 4.1. Our team is

experienced

4.2. We've learned

from past mistakes

4.3. Experience of

project members is a

strength

4.4. Good partner

who fully



understands this

technology

4.5. Project team has

strong advocates for

the concerns of the

end users

4.6. Project team has

solid understanding

of affected systems

4.7. Big picture view

from team members

4.8. We have a

dedicated team

4.9. Project team

support & objectives ‐

‐ "Buy‐in"

4.10. Diverse project

team that cares about

our success

4.11. We have a

wealth of experience

4.12. Strong

background with

Dealers on the team

4.13. Dealer JAD fully

supports the project

4.14. Project team

dedication to the

project

4.15. Strong

individual

organizational skills

4.16. Team works

well together

4.17. Developers that

have deployed this

application before

4.18. Good vendors

with lots of

experience and

knowledge

4.19. Competent

people

4.20. Productive

conflicting

approaches



Opportunity 4.21. Unproductive

conflicting

approaches

4.22. Knowledge of

non‐project

application

requirements

4.23. We have limited

experience in some

areas

4.24. Chance to learn

skills from other team

members

4.25. Chance to shine!

4.26. We have an

opportunity to

demonstrate the

ability to succeed at a

complex project

Threat 4.27. It's a threat that

we might do it the

same way as CCI‐

Phase II

4.0 GROUPED ACTIONABLE ISSUES

RECOMMENDED

MITIGATING

ACTIONS

1) Threat: We might do it the same way as CCI‐Phase II 1a. Dedicate project

team agenda item to

review CCI‐Phase II

issues and remedial

actions.

1b. Schedule formal

project After‐Action

Review/postmortem

to document lessons

learned.

1c. Maintain running

lessons learned data

base throughout

project.

2) Opportunity: Our team is experienced; we’ve learned from past

mistakes; project team has strong advocated for the concerns of the

end users; project team has solid understanding of affected systems;

2b. Develop internal

project team IdM



big picture view from the team members; team works well together;

diverse project team that cares about our success; productive diverse

and conflicting approaches

Training Plan.

2c. Establish

dedicated IT Security

resource library.

2d. Build alliances

with other

Corporate/industry

partner IT Security

organizations to

document and

exchange best

practices.

2e. Ensure team

achievements are

formally recognized

and celebrated.

3) Good partner who fully understands this technology; developers who

have deployed this application before; good vendors with lots of

experience and knowledge

3a. Involve

partner/vendor

representatives in

project reviews and

document lessons

learned.

5.0 TIMELINE AND RESOURCES

SWOT TEAM ISSUE Strength 5.1. Adequate staff

5.2. Project is supported by upper management

5.3. Funded project

5.4. Adequate budget

5.5. Proper funding

5.6. Adequate timeline

Weakness 5.7. Subject to CIRT interrupts

5.8. Team is allocated to competing projects

5.9. Steve Sawrey availability

5.10. There are scarce resources

5.11. Subject to priority threats

5.12. Cross‐functional project staffing

5.13. Unidentified (or uncommunicated) high executive sponsor

5.14. Tight fiscal environment



5.15. Other projects affecting our timelines

5.16. Ability to get resources in a timely manner

5.17. Single point of failure regarding web methods development

5.18. Limited personnel resources

5.19. Critical scarce resource ‐ web methods

Threat 5.20. Funding shortfall

5.21. Cost constraints

5.22. Freightliner may have to add staff

5.23. Schedule constraints

5.24. Long deployment schedule

5.25. Other projects impacting our timelines and deliverables

5.26. Resource constraints

5.27. Kimberley's availability

5.28. Key owners' availability

5.29. External projects may create surprises (unknown risks)


1) Threat: Funding shortfall; cost

constraints; resource

constraints

1a. Monitor and report upon project costs and resource

requirements.

1b. Ensure IT Security is formally involved in IT infrastructure

investment strategy process.

1c. Establish cost benchmarks to compare with other

Corporate initiatives.

1d. Standardize organizational methodology for making

business case for initiatives

1e. Involve more IT Security organization in zero‐based

budgeting

2) Threat: Key owner’s

availability; Kimberly’s

availability; Steve Sawrey

availability; key resources

availability; limited personnel

resources; cross‐functional

process staffing is limited;

team is allocated to competing

projects

2a. Ensure project team members document methods of

achieving deliverables to enable replication.

2b. Schedule agenda item to review detailed project plan to

identify potential resource vulnerabilities.

2c. Provide training and backup plan for key scarce

resources.

2d. Build alliances with competing company initiatives to

share key resources.

2e. Consider establishing corporate‐level key resource pool

for complex projects.



3) Threat: Long deployment

schedule; other projects

impacting our timelines and

deliverables; subject to priority

threats

3a. Maintain dedicated PMI‐certified project management

disciplines.

3b. Use experienced neutral facilitators for important

coordination meetings

3c. Selectively implement innovative project management

practices, e.g., Critical Chain Project Management.

6.0 MANAGING THE PROJECT

SWOT TEAM ISSUE Strength 6.1. Proper scope

6.2. System (IdM) may provide opportunities

for automated operations

6.3. Project involvement from PMLL

6.4. Clear need

6.5. Understanding that this has to get done

Weakness 6.6. Lack of authoritative data

6.7. So much missing data

6.8. Other app development happening

concurrently ‐‐ difficult to stay in synch

6.9. Project methodology falls between

infrastructure and app development

6.10. Poor data quality in current LDAP

6.11. So much bad data

6.12. RBAC ‐‐ moving the business away from

managing by exception

6.13. Eclipse may not fully deliver

6.14. Cross‐functional coordination is required

6.15. Extremely vast scope of deliverables

6.16. Project team may not have identified

and quantified all the stimulus‐response

(statistical thinking)

6.17. Deliverables are very confusing to

outside viewers

6.18. We must implement "all or nothing" in

production

6.19. Fractured internal communications

6.20. Complex and long deployment plan not




fully defined yet

6.21. Communication flows are disjointed

6.22. RBAC ‐‐ this is the first time we've

tackled it

Opportunity 6.23. We have the opportunity to clean up bad

data

6.24. Basis for good data ‐ detailed data

6.25. Establish a valid move forward point for

active users/orgns

6.26. Build great SCS and IDS communication

paths for the future

Threat 6.27. Years of bad data

6.28. Managing the massive data volumes

6.29. Communication breakdowns

6.30. RBAC scope change

6.31. Miscommunication

6.32. Development failures

6.33. Disruption of customer business

activities during deployment

6.34. If system isn't released working well, we

may not get buyoff from our external

customers

6.35. Vendor control

6.36. Years of bad processes

6.37. Possible application limitations may

impact our deliverables

6.38. Our project forces changes to other

business processes like DWC Sign‐up


1) Threat: Years of bad data; years of bad

processes; so much missing data; poor data

quality in current LDAP; lack of authoritative

data so much bad data; opportunity to clean

up bad data; opportunity to establish good

data – detailed data

1a. Develop and implement company data

quality strategy (reference: Improving Data

Warehouse and Business Information Quality

by Larry P. English, Wiley and Sons, 1999) to

include data cleanup, process improvement,

and data quality performance reporting.

2) RBAC scope change; RBAC – this is the first

time we’ve done it; RBAC – moving the

business away from managing by exception

2a. Document RBAC development methods

and lessons learned.

2b. Involve experienced external expertise on

RBAC development, optimization, and lessons

learned.




2c. Document Use Case development,

validation methods and lessons learned.

3) Communication breakdowns;

miscommunication; fractured internal

communications; cross‐functional

communication is required; communication

flows are disjointed

3a. Conduct periodic review and validation of

Project Communications Plan.

3b. Leverage company web site development

resources to establish dedicated

communication channels for complex projects.

3c. Look for opportunities to use visual

artifacts (e.g., posters) to communicate project

vision, mission, values.

4) Eclipse may not fully deliver; extremely vast

scope of deliverables; deliverables are very

confusing to outside viewers; difficulty with

vendor control is a threat

4a. Document formal project deliverables

specification.

4b. Map deliverables to project and company

benefits.

4c. Maintain selective use of experienced

external oversight for key deliverables and

complex projects.

4d. Establish alliances with other Corporate

initiatives to establish pool of qualified external

expertise.

5) We must implement “all or nothing in

production;” complex and long deployment

plan not fully defined yet; project

methodology falls between infrastructure and

app development

5a. Adopt a formal Plan‐Do‐Study‐Act

discipline for phased deployment.



APPENDIX A: PROCEDURES FOR FOCUSED PLANNING TOOLS

The following tools are singled out of the very large CSS Focused Planning toolkit for their suitability and

usefulness in the Freightliner IdM project. Tools are presented in a standardized format called a POPE.

The POPE is a statement of the Purpose – Outcome – Process – and Evaluation method for a meeting,

working session, or application of a process management tool. It is intended to provide context and set

expectations for productive collaboration.

AFFINITY DIAGRAM

Purpose: The Affinity Diagram gathers large amounts of language data (ideas, opinions, issues, etc.) and

organizes it into groupings based on the natural relationships between each item. It is an excellent

brainstorming technique and may be a lead‐in to further tools such as tree charts (for refining logical

relationships) or interrelationship diagrams (for separating drivers from effects and establishing

priorities).

Outcome: Logical categories of ideas grouped into manageable “buckets” to reveal themes and key

issue categories. All raw material is maintained and is accessible.

Process: Frame a large and open‐ended question along the lines of “What

are all the issues and elements related to x?”

Conduct a brainstorming session to generate a large quantity of ideas.

Resist the temptation to analyze the inputs, but ensure they are

descriptive and well‐understood. Maintain a written record of inputs in

front of the group to stimulate building upon one another’s ideas and also

record each input onto separate cards. All comments should be written in

the same hand to remove any sense of ownership of the idea.

When ideas have been exhausted (generally after 30‐50 inputs), arbitrarily

arrange post‐its on wall and have the group silently organize the cards into natural groupings. Avoid the

temptation to prearrange the categories – let them develop naturally. The rule of silence is to ensure

every perspective is given equal value in the grouping process.

When the cards are clearly organized in five to seven categories, develop header cards to name the

theme of the category.

Evaluation: The usefulness of this process will be immediately obvious as the themes can be driven into

a number of additional refinement tools. As with any brainstorming activity, this method only makes

use of the ideas in the room, so selecting the right participants is key.



RELATIONS DIAGRAM

Purpose: The Relations Diagram analyzes the relationship between each element in a group of entities

clarifying “drivers” from “effects.” While largely a creative effort, the cognitive dynamic is convergent as

logical connections are clarified.

Outcome: The Relations Diagram results in a clear priority of drivers and effects. What is essential to

understand is that you cannot go “do” an effect. Drivers must be considered first. Priority is given the

driver with the highest number of arrows headed “out.”

Process: This process works well with the output of an Affinity

Diagram. Place the names of the headers in a circle (like the

numbers on a clock).

Ask for each relationship, “Does x element drive y or is it driven

by y?” The answer is recorded in the form of a single headed

arrow indicating the direction of the driver.

When all possible relationships have been evaluated, count the

number of arrows headed out and prioritize the elements from

highest to lowest.

There will come early in the process the question of which is really the driver and which is really the

effect. Avoid the temptation to use double‐headed arrows and ask, “Which way of looking at the

relationship provides the strongest bias for action at this point in time?”

Evaluation: Beware of categories changing meaning in the middle of the analysis. Ensure internal logic

is not circular, e.g., if A drives B and B drives C, then C cannot drive A. The diagram is complete when

the team agrees that clear priorities have been identified and the way forward is clear.



TREE DIAGRAMS

Purpose: Tree diagrams are used to answer “how to” questions after key issues have been identified

and prioritized. This tool systematically maps out in increasing detail the full range of paths and tasks

that need to be accomplished in order to achieve a primary goal and every related sub goal.

Outcome: A completed tree diagram provides a hierarchical breakdown of goals and means. It gathers

and organizes actions suggested to address key issues. It ensures the team develops actionable plans

tied directly to important goals.

Process: Identify a theme and review key issues.

Working in small groups, team members brainstorm actions and record each action on a single card.

Action cards take the form, “subject – verb – object.” No reference to the purpose of the action should

be recorded on the card. As much as possible, statements should be as concrete and actionable as

possible.

Once completed, the entire team evaluates each card to clarify meaning.

Next, cards are grouped according to the issue they are designed to address.

Group by group, the team considers each card and declares it either

“general” or “specific.” General cards are placed to the left side of the

board and specific cards are placed to the right side.

It should now be apparent which cards are connected by causal links.

Lines are drawn from the general cards to the specific cards forming a

tree chart.

Top down review: The cards are now studied to ensure the linkages are

rational and any new cards needed can be added. The review takes the form, “If we want to accomplish

x (general card) and we do y (specific card), will we have achieved our goal?”

Bottom up review: Next the tree is studied from the specific to the general, “If we do “a, b, c” (specific

cards) will we have achieved our goal? Additional cards may be added.

Evaluation and Next Steps: Team review may include an analysis of effectiveness and feasibility which

will establish priority actions. High priority actions are integrated the project plan and become

scheduled tasks.

For More Information on the Tools

The definitive reference on these tools and four additional ones completing a collaborative strategic

system is The Memory Jogger Plus+: The Seven Management and Planning Tools by Michael Brassard,

published by GOAL/QPC, 1996.



APPENDIX B: REFERENCES

The following references were consulted while preparing this report and can be recommended:

2006 Workflow Handbook Edited by Layna Fischer with the Workflow Management Coalition, Future

Strategies, Inc., 2006

A Practical Guide to Enterprise Architecture by James McGovern, Scott W. Ambler, Michael E. Stevens,

James Linn, Vikas Sharan, Elias K. Jo, Pearson Education, 2004

Advanced Project Portfolio Management and the PMO by Gerald I. Kendall and Steven C. Rollins,

International Institute for Learning, 2004

Building a Project‐Driven Enterprise: How to Slash Waste and Boost Profits Through Lean Project

Management by Ronald Mascitelli, Technology Perspectives, 2002

Business Process Management with a Business Rules Approach by Tom Debevoise, Business Knowledge

Architects, 2005

Data Quality: The Field Guide by Thomas C. Redman, Ph.D., Digital Press, 2001

Enterprise Architecture as Strategy: Creating a Foundation for Business Execution by Jeanne W. Ross,

Peter Weill, David C. Robertson, Harvard Business School Press, 2006

Enterprise Dashboards: Design and Best Practices for IT by Shadan Malik, John Wiley and Sons, 2005

Improving Data Warehouse and Business Information Quality: Methods for Reducing Costs and

Increasing Profits by Larry P. English, John Wiley and Sons, 1999

IT Portfolio Management Step‐by‐Step: Unlocking the Business Value of Technology by Bryan Maizlish

and Robert Handler, John Wiley and Sons, 2005

Mastering the Requirements Process, Second Edition by Suzanne Robertson and James Robertson,

Addison‐Wesley, 2006

Project Management Maturity Model, Second Edition by J. Kent Crawford, Auerbach Publications, 2007

Strategy Maps: Converting Intangible Assets into Tangible Outcomes by Robert S. Kaplan and David P.

Norton, Harvard Business School Publishing, 2004

Using the Project Management Maturity Model: Strategic Planning for Project Management, Second

Edition by Harold Kerzner, Ph.D., John Wiley and Sons, 2005

Workflow Management: Models, Methods, and Systems by Wil van der Aalst and Kees van Hee, The MIT

Press, 2004

Writing Effective Use Cases by Alistair Cockburn, Addison‐Wesley, 2001

Documents

FTL Focused Planning...Extranet Project scheduled for pilot implementation in June 2007. This project extends authentication and authorization responsibility for key services to delegated