In a recent study conducted by The Gallup-Healthways Well-Being Index, Boulder received top honors as the overall happiest, healthiest, and most optimistic city in the United States. The study surveyed more than 350,000 Americans across the country and assessed their lives based on a variety of pre-defined categories. While Boulder did not sweep every category looked at by the researchers, it did get the highest rank in the “Work Experience” arena. At Applied Trust we have always known this was true, but it is nice to get some nationwide visibility for it.

We care about having a good work and life balance for everyone that works here. That’s why the ATE Employee Canon is so important to us. Having this realization and making conscious, proactive maneuvers to maintain it is a key component to fostering a positive “work experience” like the one discussed in the survey. The section measured job satisfaction, ability to use one’s strengths at work, trust and openness in the workplace, and whether one’s supervisor treats him or her more like a boss or partner. These metrics align very closely to how we view work and how we want to spend our time there.

• Job Satisfaction – Applied Trust is always thinking of new ways to improve satisfaction in the work place. It is important to note that job satisfaction does not only take into account actual work-related tasks, but also other, less tangible, aspects. One of the more recent improvements we have made to increase job satisfaction is the MyATE program. Previous posts have talked about some of these improvements, but essentially every employee (either on their own or as part of a team) comes up with something they think would improve happiness at work. At the end of the year, a winner would be decided based on a vote. In 2009, these projects ranged from One Boulder Fitness gym memberships, to getting rid of all drinks in our fridges that contained high fructose corn syrup, to self-approved vacation (the eventual winner). This program is coming back for 2010, so expect to see some posts detailing ideas and improvements!
• Strengths at Work – Applied Trust has always been extremely open about letting employees choose their career paths. There are ample opportunities to get into existing disciplines in our space, and even encouragement to blaze new ones. Using your strengths at work is the simplest way to feel like you have an impact, and feeling needed and appreciated makes up a large percentage of a positive overall work experience.
• Trust and Openness – This seems to be an almost effortless component of life here, and I think that mostly has to do with our hiring process. Because we are a small company, we are able to have a majority of our engineers meet potential employees in both interview and social settings. Because of the multitude of perspectives via which we get to look at a candidate, it is unlikely that we will hire someone who isn’t trustworthy, open, and enthusiastic about working here.
• Boss or Partner? – We are a company of peers. This is not to say there is no strategic management in place, of course there has to be to run a successful business. But what is great about Applied Trust is that we are all have the same goal and we all work on projects together. There are no Bill Lumberghs here. We all work on big-picture infrastructure planning and we all reset passwords. There is very little red tape and very few politics. I think I take that aspect for granted sometimes, but am reminded of how rare it is when I hear office stories from friends.

So, if you feel like moving to the best city in America (I’m not biased, scientific research proved it!) and have an interest in working for a great local company, apply for a job today!

The PCI DSS (Payment Card Industry Data Security Standard) sets a number of expectations for IT assessment.  Activities, from scanning for rogue wireless access points to reviewing vendor contracts, are scattered throughout the PCI Data Security Standard document.

Below is an attempt to assemble those requirements into a single schedule.  Where the standard didn’t specify a frequency, I used reasonable “best practices” values.  I hope this is a useful starting place for organizations working toward compliance, but it is definitely not a holistic IT security plan!  There are lots of other security activities that should be taking place at every organization – this is just a summary of those discussed in the PCI DSS.

See anything that I missed?  Did I get something wrong?  Let me know in the comments and we’ll work toward an accurate sample schedule together!!

Sample PCI DSS assessment schedule

We wrote about the HITECH act and its impact on business associates a little less than a year ago. By February 18, business associates are required to:

• Comply with the HIPAA security and privacy rules
• Provide medical information breach notifications
• Work with the Department of Health and Human Services to perform compliance audits as requested
• Train employees on HIPAA and its requirements for business associates

BAs, I hope you’re taking note. Violations can incur fines for as much as $1.5 million per year and, in the most serious circumstances, may include prison time. According to HITECH, DHHS audits are also mandatory beginning 2/18/2010. (See sections 13410 and 13411).

Most of the associates that I’m familiar with haven’t made many changes in the past year to improve HIPAA compliance. So what should any self-respecting business associate, now subject to these somewhat draconian and certainly expensive rules, do to avert heavy fines and lost productivity? Avoid becoming a business associate at all costs.

First, re-evaluate whether the business truly qualifies as an associate, for one. In the past, BAAs had very few directly applicable requirements, and those that were in place were rarely or never audited and enforced. Businesses should no longer haphazardly sign BAAs when they aren’t strictly necessary.

If the business has determined that they are indeed an associate, what can be changed to eliminate that status? If there isn’t a dire business need for access to medical records, but they’re being collected incidentally, eliminate that dependency and escape the compliance game. Of course, most health care organizations don’t freely distribute health records, and most organizations don’t want them unless they need them.

If the business is resigned to being an associate subject to HIPAA courtesy of HITECH, it’s time to get to work. Start at www.hipaasurvivalguide.com, an excellent resource for learning the regulation and applying its teachings.

And never forget the old proverb (that I’m making up right now): more regulation always improves security. Emphasis added.

I’ve picked five of the Principles behind the Agile Manifesto that are particularly applicable to our field – read on to see how they look from an IT infrastructure perspective:

1) Our highest priority is to satisfy the customer through early and continuous delivery of valuable infrastructure.
2) Welcome changing requirements, even late in deployment. Agile processes harness change for the customer’s competitive advantage.
3) Business people and developers must work together daily throughout the project.
4) Simplicity–the art of maximizing the amount of work not done–is essential.
5) Continuous attention to technical excellence and good design enhances agility.

1) “Our highest priority is to satisfy the customer through early and continuous delivery of valuable infrastructure. “
The technical and business requirements documented at the beginning of a project are never perfect, and sometimes not even close to what the end user really needs. Agile emphasizes a focus on gathering customer feedback early and often. Pilot new technologies before making a commitment. I have been part of many IT projects that have met every defined requirement and deadline, but completely failed in the end because users hated the technology. Deploy new technology in phases – find a small group of smart, friendly users who are willing to help test your project as you get new pieces of functionality working. Don’t get married to a hardware/software vendor too early. Wireless, two-factor, remote access, and mobile solutions are all hot candidates for an iterative, phased deployment where frequent user feedback is essential for the project to succeed.

2) “Welcome changing requirements, even late in deployment. Agile processes harness change for the customer’s competitive advantage.”
Agile software development is all about responding to change gracefully, and many system and network administrators could learn a lesson from this attitude. Activities like gathering requirements, documenting use cases, and project planning are essential, but they should never get in the way of “doing what’s right” for the end user. Processes should enable agility, not be used as a roadblock by administrators who don’t to deal with something new. The Visible Ops Handbook has a great quote on this topic: “Like brakes in a car, IT controls let you go faster!”

3) “Business people and engineers must work together daily throughout the project.”
As computer people, we get stereotyped as geeks who are bad at communicating. Let’s prove them wrong! Agile encourages the use of crossfunctional teams – this is our opportunity to help the business people and developers “get it right” before we end up supporting a mess of an application in production. Many IT departments suffer from “silo’d operations”, where the network folks don’t talk to the Windows folks, who in turn don’t talk to the Unix folks or the developers. As infrastructure engineers, we build and run the networks and servers – the “glue” that allows our organizations to function. We are in the position to help the diverse teams surrounding us work together.

4) “Simplicity–the art of maximizing the amount of work not done–is essential.”
Engineered complexity is the drug of choice for many network and system architects. It’s fun to play with bleeding-edge, challenging technologies, but those aren’t always the best use of time and money. It’s cool to build a system that can support millions of users, but not even worth thiking scalability about for a typical in-house app. Like the Mr. Miyagi said, “Go, find balance.” — balance complexity with manageability, monitoritability, and testability. Although this principle was written by people focused on development/implementation, it applies equally well to operations. Responsible change planning, testing, and documentation reduces unplanned work.

5) “Continuous attention to technical excellence and good design enhances agility.”
Agile focuses on customer interaction and working solutions over “comprehensive documentation”, but that doesn’t eliminate the need for professional behavior. Solutions that are hacked-together without planning and rigorous testing will fail miserably. I can’t tell you how many times I have seen a “temporary fix” ignored for months until it blew up in some sysadmin’s face! Ward Cunningham describes this issue as “Technical Debt,” and if you are an IT person who has not heard the term, you should read about it here. You accumulate financial debt by spending beyond your means – technical debt builds up when you deploy networks, servers, and services without an appropriate investment in solid architecture, testing, monitoring, backups, and reasonable amount of documentation. If you must take on a technical debt, every effort should be made to “pay it off” as soon as possible!

Bonus: “At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.”
Agile encourages picking and choosing individual processes and tools to best fit the team. Is this a cheap hedge? Maybe, but it works for us! For example, we don’t actually “stand up” in our various status/operations meetings, and we sure don’t use notecards or peer programming. Still, the principles above are useful to help set a “tone” of customer-collaboration, iterative release, and general “agility”. Take the “Agile Principles” with a grain of salt, but don’t be afraid to steal an idea or two from those programmers!!

Image credit to hickoryhollow113 via Flickr (Creative Commons).

Last year, I posted an end-of-year IT checklist, which I again encourage all IT folks to take a quick look at — this is a great time to evaluate and update a number of key IT areas.  At the very least, don’t forget to update your copyright dates!

I’m hoping 2010 can be a year of positive change for IT.  In that light, as a community let’s make a few resolutions:

1) Commit to consistent application of change management, not as a weapon but as the oil that allows the IT engine to run faster.  Too many IT groups apply change management as a way to slow things down… that’s counterproductive, in lots of ways.  Let’s make 2010 the year of productive change management.

2) Commit to a coordinated Annual Preventative Maintenance day.  Applied Trust is naming July 13, 2010 as IT Preventative Maintenance day.  Please join us — start planning now to make this the day you perform tasks such as:

• UPS battery replacement
• Standby generator oil change / load testing / PM
• Air conditioning filter change / PM
• Cabling clean-up and labeling
• Patch application
• System power-down/power-up
• Monitoring and sensor testing
• Workstation patch compliance and AV verification
• First-aid kit replenishment

Drop us a line if you’re planning on celebrating IT Preventative Maintenance Day on July 13, 2010 at your organization and we’ll send you free IT Preventative Maintenance Day T-Shirt (let us know your size).  Let’s band together to underscore the importance of preventative maintenance.  We can only hope that someday it will be a Hallmark holiday.

3) For a third and final resolution, I propose we take time in 2010 to take a serious look at the security and stability of our IT infrastructure and fix the things that keep us awake at night.  In 2009, many organizations deferred assessments or upgrades, and eventually that’s going to bite us all in the butt.  Take time today to make a list of security or infrastructure elements that need to be assessed and possibly upgraded in the coming year.  Be aware that there are a number of new regulations/standards that go into effect this year — especially in healthcare.

Happy New Year!

Obviously this change has consequences for lots of services and applications, in addition to just the operating system. For example, some applications have a specific operating system requirement (and support contracts may require this to remain valid), or simply don’t yet “officially” support Server 2008. Start talking to your application vendors and obtain commitments for support. Nothing lasts forever!

To read the full announcement issued by the Windows Server Division, click here.

Tickets are sometimes associated more with the help desk than with the operations group of an internal IT department.  Unfortunately, when this is the case, system administrators are missing out on an opportunity to use tickets for their own purposes.  Sometimes, administrators can see tickets as a barrier to efficiency and agility.  But this is not the case.  Tickets are a communication and change control tool.  All work done by the IT staff should be tracked in a ticket.  This is important for several reasons:

1. Other administrators can understand what is happening with a particular effort.
2. End users can be kept in the loop on the status of issues affecting them.
3. The administrator doing the work has a log of all the steps they have taken which can be useful if they ever need to perform the same task again, or if they need to go in and back out some portion of the change.
4. The manager can quickly and easily understand the workload of the staff.

Organizations that do not use tickets throughout the IT department tend to fall into one or more of three common IT traps:  The first trap is that work is being duplicated.  When administrators do not have a clear and reliable way to let other administrators know what they are working on, more than one person can be working on the same task without knowing it.  This is a waste of everyone’s time and can cause lots of problems if two people are making changes to a system at the same time.  The second trap is that work falls through the cracks.  Again, when work is not clearly tracked, it is easy for things to get lost.  Even if there is no one who has the availability to work on a task, if a ticket is created then that task does not get forgotten.  An administrator can grab the ticket when she is able and then complete it.  Tasks jotted down on a sticky note for future reference have a way of getting lost and never found.  The third trap is when administrators find themselves spending most of their time reacting to broken systems and networks.  This is related to tickets because when changes are clearly planned, approved, tested, and tracked, it is easy to know what changes are having what impacts.  When systems go down, the tickets can be reviewed to see if there were any changes around the time of system failure, and those changes can be backed out.  Without a reliable tracking mechanism, hours can be spent trying to figure out who did what and when.  Administrators who control their systems and what changes are being made will get fewer out-of-hours pages, and they will have more time to do the fun, proactive administrative tasks.

There are several good, free ticketing systems available.  You can compare many, many of them side by side here: http://en.wikipedia.org/wiki/Comparison_of_issue_tracking_systems.

Image credit to Flickr user 536.

• IPv6 in 2009? Are you kidding me?: It sure looks like Trent’s prediction will be correct (for 2010, too!)
• Save Green – Turn Up That Data Center Thermostat!: Green IT meets real cost savings.
• New HIPAA modifications under the ARRA: Stimulus package implications for anyone who handles health info.
• Black Thursday’s 20 year anniversary: A flashback to the beginnings of network security, from someone who was there.
• Keystroke dynamics: A practical web implementation: Practical?  Maybe not, but certainly interesting!
• Ten IT Infrastructure New Year Resolutions for 2009: Best practices that IT shops of all sizes should follow.
• Debugging Nagios performance problems: Performance tuning advice and insight.
• End-of-year IT checklist: Essential IT housecleaning tasks that you can do any time of the year!
• Poker at the Work Place? Deep insight into computer science/engineer personalities.
• Fend off disaster with preventative maintenance: A stitch in time…

Here’s to lots more entertaining (and hopefully insightful!) posts in the year to come!  Thanks for your comments, feedback, and continued support!

– The Seals at Applied Trust

(photo courtesy hfb under the CC)

WordPress isn’t everything, and if you’re looking for a CMS with the longest feature list, don’t bother trying it.  But if you want a reasonably-customizable web site that almost any end-user can update, I endorse it.  Try WordPress.com if you’re not comfortable managing your own web server.

For the technical folks in the audience, it’s easy to install the free WordPress.org version on any server that supports the LAMP stack (Linux, Apache, MySQL, and PHP).  It is infinitely customizable (if you know PHP, HTML, and CSS), but will probably meet most your needs “out of the box”.

If you do use WordPress.org, there are a few plugins that are worth installing… here are the ones that I think every WordPress.org administrator should consider:

Security essentials:

Event Logging for WordPress: WPSyslog2

Without WPSyslog2, WordPress does a poor job of tracking important security events.  This plugin logs critical issues (failed login attempts, article posts/deletions, password resets, etc.), so you have half a chance of figuring out what happened in a security incident.  The logs are sent to your server’s “syslog” – check in /var/log/messages if you can’t find them.  It’s sad WordPress doesn’t have reasonable auditing/logging internally – pretty much everyone should install WPSyslog2!

See: http://www.ossec.net/main/wpsyslog2

Free, invisible SPAM protection: NoSpamNX

Comment SPAM is a nightmare – for every thoughtful comment to your blog post, you’ll get tens or a hundreds of SPAMs.  If you use the WordPress.com edition, you get great comment spam protection by default.  For websites using the WordPress.org edition, you can either pay for the Akismit license, or try NoSpamNX.  It works great for us!

See: http://wordpress.org/extend/plugins/nospamnx/

Quick Security Self-Check: WP-Security-Scan

WordPress is a secure web site platform, but only if it’s configured correctly.  This plugin will check a number of important security issues, such as file permissions and database security, and warn you if you need to make changes.  Although the plugin offers a few extra features if it’s left installed, I prefer to install it, run the security scan, fix the problems, run one more scan, then uninstall the plugin.

See: http://wordpress.org/extend/plugins/wp-security-scan/

Performance essentials:

Prepare for the horde: WP Super Cache

If you expect to get a lot of traffic, you should configure the built-in WordPress caching support.  Rather than dynamically rendering every web page for every visitor, it allows WordPress to remember, or “cache” identical requests to they can be replayed to future visitors.  If you need to squeeze even more performance out of your WordPress installation , try this plugin!

See: http://wordpress.org/extend/plugins/wp-super-cache/

Usability essentials:

Post Editor for Adults: Tiny MCE Advanced plugin

The standard WordPress in-browser post editor is pretty weak – only a handful of formatting options are exposed.  In fact, this is the number one problem designer-types have with WordPress.  Install the Tiny MCE Advanced plugin and your web site editors will have a bounty of formatting options!

Before TinyMCE Advanced:

With TinyMCE Advanced:

See: http://wordpress.org/extend/plugins/tinymce-advanced/

Secure Form Handling: Dagon Design Form Mailer

Even the most simple web sites need a “contact us” form (it’s never a good idea to post an email address, or a “mailto:” link, on a web site – spammers will discover it quickly).  We have had great luck with this plugin – it has reasonable security controls and is flexible enough to support a diversity of forms – much more than simple contact forms.  (If you’re collecting sensitive information, you probably need a more secure solution!)

See: http://www.dagondesign.com/articles/secure-form-mailer-plugin-for-wordpress/

[ I've never used it, but I've heard lots of good things about: http://www.deliciousdays.com/cforms-plugin ]

Search Engine Optimization (SEO) essentials:

URL management: All in One SEO Pack

I’m not an SEO expert, and WordPress does a pretty nice job of making search-engine “friendly” sites by default.  Still, it doesn’t hurt to make sure you’re not accidentally breaking one of the many “SEO rules” – the All in One SEO Pack is a great choice.  It ensures you don’t have “duplicate content” (where multiple URLs point to the same page contents), and allows you to customize user-friendly URLs.

See: http://wordpress.org/extend/plugins/all-in-one-seo-pack/

Alternatives include the Permalink Redirect plugin, which offers much more bare-bones functionality – it meets my needs most of the time.  The most powerful, free plugin is the Platinum SEO Pack – I have not used it but it boasts some crazy features.

Sitemaps – on the road to the “holy grail”: Google Sitemap Generator

Modern search engines so a remarkable job of discovering pages on the world wide web.  Still, it doesn’t hurt to help them along.  Generate a sitemap with this plugin, prioritize the pages you really care about, and it will automatically submit your sitemap to all of the top search engines!

See: http://wordpress.org/extend/plugins/google-sitemap-generator/

Good luck!

This list is “missing” many content-focused plugins, such as post ranking, similar posts, integration with “web 2.0″ sites, etc.  – I personally have the most experience with the “back-end” part of web sites, so that’s more the focus of these plugins.

Firefox

• Autocopy automatically copies text when you select it. It can be configured to not copy on form fields, which I find useful – I rarely copy and paste out of a form. Very handy.
• Cooliris is just a cool add on. It searches a dozens (hundreds?) of multimedia sites, like flickr, Hulu, Google images, and YouTube, and creates a 3D wall display. I use it mostly for looking up travel-related images. I wish that I could disable the shopping/channels display on the left. Already filed a feature request.
• Firebug is the uber-developer add on. If you’re a web developer in any capacity, you’re probably already using it. If not, you’re missing out.
• FireFTP is an in-browser FTP and SFTP client. I prefer WinSCP for most file transfers, but sometimes it’s handy to have something in the next tab over.
• Fission is a simple addon that adds a progress bar component to the address bar when a page is loading.
• Who doesn’t use Flashblock? I get super annoyed at ads, especially when they’re flash-based. I especially like that I can remove flash frames entirely. It has a whitelist for sites like YouTube that you always want flash to work on.
• Forecastfox gives me weather in the status bar of my browser. I have it customized to display a 5 day forecast without annoying slider notifications for extreme weather conditions.
• I use Live HTTP headers for security and web testing. It shows exactly the requests that the browser sends to a remote server, along with the response. Especially useful for crafting complex Curl or wget commands.
• Similarly, Tamper Data lets you modify HTTP requests, including POST variables, before they are sent to the server. Since it sits in the browser it can intercept even HTTPS requests without any problems. Not as polished as something like Microsoft Fiddler, but more convenient IMHO.
• Last but not least, I use Xmarks to sync bookmarks between the many computers I use on a regular basis. I make extensive use of bookmarks, including the tags feature built in to Firefox. For example, if I’m doing research on a project, I’ll tag all relevant articles with the project or technology name. Then I can just type the tag in to the address bar and quickly see a useful list of all the sites I’ve linked. Xmarks syncs all the data between my systems. I highly recommend disabling the password sync feature, however – I don’t need my passwords stored in mystery database somewhere..

Thunderbird

• The AutoCopy plugin described above also works in Thunderbird. I like it for copy and paste out of emails.
• Enigmail is an excellent OpenPGP add on, allowing for one click signatures and encryption. It can also search for public keys online. I only wish more people used PGP.
• Finally, my absolute favorite Thunderbird add on is Nostalgy. Do you sort your mail in to multiple folders? I save every valuable message I get, and I sort them extensively in to around 50 or 60 different folders. Nostalgy gives quick keyboard shortcuts to move messages to a folder, saving me many mouse clicks. Probably the most useful add on in the list for me.

So point your browser at the links and install some new add ons. Did I miss any that you really like?