A matter of public record
A MATTER OF
FACED WITH NEW
SECURITY AND PRIVACY
BY DAVID E. ESSEX
PHOTOGRAPHY BY SETH AFFOUMADO
- How the e-government trend is creating stronger demand for large, fast, Web-enabled databases
- Complex legal, performance and design challenges for IT project managers
- How the unique legal relationship between governments and citizens create additional security and privacy issues.
PROGRAM DIRECTOR, CALIFORNIA
FRANCHISE TAX BOARD,
SACRAMENTO, CALIF., USA
In the public sector, information technology (IT) is the place to be. There's a white-hot trend to make government more accessible to citizens, often via the Web. E-government—e-gov, for short—is sweeping the world, especially national and state agencies, where IT budgets are largest.
The friendliest, most interactive sites usually have an enterprise-class database running the show. However, governments also hold huge, information-rich databases, which increasingly are directly accessible from e-gov sites.
It all points to a renewed focus on databases for government IT project managers. Due to the public sector's unique societal role, databases often bring additional security and privacy concerns.
Government database projects differ significantly from corporate jobs, especially in the volume of outsourcing. “Government project managers are administering contracts as much as, if not more than, they are actually managing projects,” says Fred Sencindiver, PhD, an assistant professor of management science at George Washington University, Washington, D.C., USA.
Take Brazil, an e-gov leader with completely electronic elections and 99 percent online tax filing. “The great majority of the IT work force in the Brazilian government is not federal, state or municipal employees,” says Aloysio Vianna Jr., PMP, a Brasilia, Brazilian-based defense employee, director of the PMI Brasilia Chapter and vice president for Brazil of the PMI Government Special Interest Group (SIG).
THE NEW NON-FILER SYSTEM CATHY CLEEK, PMP, DEVELOPED FOR THE CALIFORNIA FRANCHISE TAX BOARD HAS GENERATED $220 MILLION FOR CALIFORNIA SINCE MAY 2001.
This apparent bias toward outsourcing can cut both ways. Viciously competing vendors may hire away each other's employees, even though both are working on the same project, Sencindiver says. If the main contractor subcontracts work, communication can suffer. The project manager may have to carefully monitor compliance with procurement regulations and clarify subcontracting requirements, lines of communication and responsibility up front.
Outside firms usually bring skills and knowledge lacking on the inside, and those familiar with the rules and laws that affect an agency may, in fact, be more important than consultants with generic project management skills. Sandy Williamson, national database team leader for the U.S. Geological Survey (USGS) office in Tacoma, Wash., USA, advises using inside people for business rules with outside IT consultants providing up-to-date technical know-how. He says projects that go awry may involve “internal people who aren't as up-to-date on current technology and methodology.”
Often, the consulting staff of the database vendor provides important input into an agency's business processes. The approach seems popular among Oracle's customers in the United Kingdom, where numerous municipalities and counties have built database-driven e-gov applications to improve internal operations.
The Leicestershire County Council in England, for example, installed workflow software to provide finer control over county-owned properties, a change mandated by new asset-management legislation handed down from the U.K. government. And the Glasgow (Scotland) City Council extended its Oracle property-management database with wireless access for field managers responsible for maintaining city-owned sites. In a published case study, Angela Murphy, IT manager, Building Services, calls Oracle “very willing to work closely with us and SX3, our implementation partner, to provide training support and licensing.”
Sencindiver says he's seen a gradual increase in the need for security screening of project team members in the past two decades. The reason is obvious: With access to databases, they may view sensitive personal information such as Social Security numbers and medical histories. Or, project workers may change data for malicious purposes.
Safeguards against such behavior have increased dramatically in recent years with new privacy and security laws arising from the Web's popularity and, most recently, heightened security concerns. For example, Williamson, who helped modernize and standardize U.S. National Water Quality Assessment data, says he was asked to make online maps of water quality in public supply wells less precise so they wouldn't be as useful to terrorists. And Vianna says Brazil has a high-level federal committee working to standardize the security measures of disparate agencies.
Some agencies respond by dedicating a security specialist who sits on database project teams. The databases themselves usually are placed behind a virtual firewall that locks out intruders and is maintained by the agency's network administrators, not its database specialists. While popular databases have their own security features, IT technicians often must build customized security applications for extra layers of protection.
Harry House, the Middleton, Wis., USA-based USGS database applications team leader who oversaw the database application team that developed Williamson's water-quality project, says the National Park Service Web site was shut down for two weeks due to a lawsuit against the Bureau of Indian Affairs that involved a “hacked” database of payments to Native Americans.
Management of privacy issues can get extremely detailed if, for example, applicable laws require stripping home addresses and phone numbers from otherwise public records. Project managers also must institute policies that specify how long data will be kept. Some stakeholders may want to be conservative and hold onto data as long as possible, but that approach increases the likelihood of violating privacy laws.
Project managers on database projects also might have to decide whether and how to distribute databases to field offices. Given government's bias toward centralization, a single database usually is accessible remotely over virtual private networks or other secure network channels. However, duplicates might be placed in two or three well-managed locations to optimize speed—a technique also employed by Internet service providers and other Web infrastructure vendors.
Governments also generally differ from industry in having a system of regular audits to ensure fiscal and regulatory compliance, so dealing with auditors will be part of a project manager's job. Electronic audit trails that show who has altered a database and what they did to it may be necessary.
“We have found it quite difficult to set up contracts with outside companies, due to the regulations involved,” House says. Projects also may be more susceptible to budget cuts and inter-agency squabbling, which makes guaranteeing top-level sponsorship more important in project planning.
Focus groups can be helpful both in building a better database and better meeting the needs of customers, says Cathy Cleek, PMP, a program director at the California Franchise Tax Board (FTB). Cleek's team worked with IBM‘s Global Services division to update the non-filer system and convert it to IBM‘s DB/2 database software. Cleek's focus group consisted of “customers” (taxpayers who failed to file state tax returns), enrolled agents (licensed tax prepar-ers) and attorneys. From this group, the project team learned that many non-filers can't afford to pay their taxes in one lump sum, so the FTB‘s Web site now includes installment payment options. Non-filers also sometimes can't locate their W-2 income statements, so the FTB‘s Web site soon will have a form for requesting W-2 information already in the agency's databases.
Cleek used a benefits-based procurement process to provide IBM with a strong incentive to deliver a quality product. “We said, ‘We'd be happy to pay you $29 million, but we're only going to pay you if the system generates $40 million in revenue. So you better be focused on getting it in place and generating additional money for the state, not just getting it in place,’” Cleek says.
She also advocates a request-for-proposal process that specifies only the problem to be solved, so vendors will be motivated to find innovative solutions. The new non-filer system she developed has generated $220 million for California since May 2001.
With older, legacy databases, project managers may encounter institutional resistance, House says. Internal users may, for example, prefer the report format of the old software. Another pitfall is what House calls the hostile database administrator (DBA) syndrome: A DBA whose job depends on a legacy database feels threatened by data consolidation.
“Whenever you're going to deploy a system that's going to be part of another system, first try to assess the mood of the people who are invested in that old system,” House says. He recommends working conscientiously to convince such people that their skills still will be needed, although maybe in a different way, and securing executive sponsorship to help enforce cooperation. House has experience with such issues: His group served as de facto consultant for a Wisconsin Department of Natural Resources (DNR) project to consolidate numerous small, scattered databases used mostly to track fish populations in hatcheries, lakes and streams. The three-year effort helped the DNR improve its operations, and this summer, the agency expects to make some of the data available at a public Web site after deciding which data to release.
Web sites and the applications that run on them raise issues of usability, scalability, performance and security that go way beyond those normally encountered in internal database projects. “You get data-integrity issues” that force project managers to decide what their policy will be for updating public data, says management professor Fred Sencindiver. Deciding whether to do daily, weekly, monthly—even annual—updates, as well as deciding internal policies for checking and approving the accuracy of data, will affect what the public sees. Sencin-diver says government managers commonly fail to have a formal plan or policy for publicizing available databases.
To achieve speed and reliability, project managers must take care in deciding whether or not to offer direct access to the database, because ad-hoc queries can bog down a site, says Harry House of the U.S. Geological Survey.
The likely higher volume of traffic at a public site also may require redundancy in databases and application software, failover (in which one server computer can take over if another fails), load balancing between servers, and the use of cache technology that speeds up processing of frequently used queries.
Caching affects another key metric for designing a good public site: freshness of data. Project managers and their stakeholders must decide if it's permissible for cached data to be a few minutes old and, for that matter, whether the public should even be privy to the latest information.
THREE TO GROW ON
Quick tips for serving the public reliable, easy-to-use Web access to government databases include:
- Build in project time for soliciting customer feedback on the user interface
- Make sure you understand which data can and must be made publicly available and in what format. Laws may require some sensitive data to be viewed only in-person and in hard copy
- Employ rapid-prototyping methodologies in an iterative process that maximizes interaction between domain experts and software developers.
James McGee, a manager in the Information Systems and Technology division of the Nebraska Department of Health and Human Services and finance director for PMI‘s Government SIG, agrees that departmental resistance can be challenging. “Part of it is people's perceptions that, ‘I‘ve got something that works for me—why should I devote time and resources for something that's going to be good for everybody?’”
McGee's Nebraska colleague, Linda Salac, a lead business analyst who chairs the Government SIG, adds that getting agencies to follow new privacy and security laws may require writing monetary penalty clauses directly into project plans. “If there's none, I think it's going to be hard to put pressure on state governments because a lot of agencies are overextended by existing mandates,” she says.
When working to ensure that a database and related products properly incorporate administrative rules and procedures, project teams should include experts in key domains—say, security and law—in meetings. “I would make a sincere effort early on in the project to get those people involved,” says Bill Bates, chief executive officer of Bates Project Management Inc., Ottawa, Ontario, Canada. “They may not be heavily involved in your team for the life of the project, but in the sense of monitoring and reviewing.”
Project managers also should devote substantial resources to preparing the data itself. For example, USGS’ data-cleansing operation is perhaps more complicated than some because the water-quality database tracks 1,500 chemicals. As a result, before data is allowed to go on the public site, 50 teams make corrections after 150 mostly automated checks are run three times a year to ensure that matching data elements actually do correspond.
“Seventy percent of the work is really understanding your data and putting the right business rules around it,” Salac says, and that requires finding people who know the meaning and importance of the data. It also may require special software that lets non-technicians develop the database's business rules.
Government database projects could use a stronger dose of project management methodologies: There are fewer certified project managers in government than in the financial and technology industries, according to Salac. “There are very few states that have established a project management office,” she says. As with many government initiatives, relief may ultimately come from the top.
Salac says a huge federal initiative to build a coherent enterprise software architecture has increased the demand for project managers and could lead to certified project managers at the state level.
However, project managers shouldn't assume generic skills will be sufficient: know-how about not just government regulations and procedures but the local “corporate” cultures toward applying those rules will help avoid nasty surprises. “Some of these government employees have been here for millions of years, and resistance to change is a reality,” Salac says. “Project managers are really treading on a place where people know more than they do. People need to understand what they're getting into.” PM
David E. Essex has covered information technology for 17 years, most recently as a freelancer for Computerworld, PC World and others. He was formerly director of reviews at BYTE.
Getting agencies to follow new privacy and security laws may require writing monetary penalty clauses directly into project plans.
LINDA SALAC, MA, MIT,
This article is copyrighted material and has been reproduced with the permission of PMI. Unauthorized reproduction of this material is strictly prohibited.
PM NETWORK | AUGUST 2003 | www.pmi.org