On Wednesday Tibco will offer do-it-yourself capabilities for generating business intelligence reports on business processes to users of its BPM (business process management) software. With this information, users can fine-tune their applications. Previously, users have had to specifically request business intelligence information on BPM from IT personnel. "The cool thing about this technology is unlike existing business integration products or BPM, this product will allow business users to directly manipulate and analyze the BPM data or the process data that's out there," said Rourke McNamara, Tibco director of product marketing. Built as an add-on to Tibco iProcess Suite for BPM, the company's Tibco iProcess Spotfire software enables users themselves to build personalized, real-time process reports.

Management of business processes enables users to make businesses more efficient, he stressed. Customized templates display reports and analyses. Featured in Spotfire are personalized reporting and analytics, as opposed to using static dashboards to display business processes. Contextual process performance data is generated that can be combined with business data from other applications, enabling process performance to be assessed in a full business context, Tibco said. While BPM is used for a wide variety of tasks, McNamara mentioned insurance claims management as an example of a use.

Users can build reports on such activities as bottleneck data, process cycle time, and how quickly business participants are working. "This allows the business users to optimize those processes based on how they're being used today," McNamara said. Tibco's iProcess software represents a convergence of BPM, business intelligence, and business rules engines, said analyst Boris Evelson of Forrester. This convergence, he said, was "necessary to optimize enterprise operations and create actionable insight into data and processes in order to make better strategic, tactical, and operational decisions." But the merging of the three technologies represents an immature market, which has mostly been addressed by systems integrators cobbling together bits and pieces of components from multiple vendors, Evelson said. Another shortcoming is the lack of common metadata and metadata standards to bridge the gap between data, process and rules data, he said. Tibco's iProcess Spotfire software is built as a Windows client package, although a Web client with abbreviated capabilities, called Spotfire Web Player, is available. The company also will roll out iProcess Workspace Lite, an HTML workspace client focused on core activities for executing business processes.

Also being offered in the Tibco BPM space Wednesday is Business Studio 3.2, a user interface that adds capabilities for visually defining an organization's structure and the relationships between different organizational components. A simple user interface in Workspace Lite enables the product to be used more easily by those with impaired vision and/or fine motor control difficulties, Tibco said. Tibco would not disclose pricing information for the three products. This story, "Tibco brings DIY BI report generation to BPM," was originally published at InfoWorld.com.

It has been a tough year for Dataupia, but the data-warehousing appliance startup is alive and well following reports of major layoffs and a potential asset sale, according to founder Foster Hinshaw. "Financially, we're in fairly good shape. We're running close to cash break-even," he said. Dataupia's customers have remained with the company, and some have already submitted new orders, Hinshaw said. Dataupia is known for its Satori Server appliance, which combines servers, storage and optimization software, and is compatible with multiple databases.

In response to last year's economic downturn, Dataupia's board and CEO at the time decided to "hunker down," Hinshaw said. They cut staff and shifted focus to selling subsets of Dataupia's technology rather than turnkey appliances, which require more research and development work on the part of vendors, Hinshaw said. At the time, Hinshaw was in the middle of recuperating from a medical condition, although he remained a board member. The cost-cutting moves were short-sighted, according to Hinshaw, who recently assumed the job of CEO. Dataupia's employee head count now stands at about 30 people and its core technical staff is "one of the strongest in the industry," he said. The company has also received additional funding from its original investors, according to Hinshaw. He declined to reveal the size of the latest investment.

Dataupia will also make new product announcements in several months, according to Hinshaw. He declined to provide details. "I always smile when [vendors] pre-announce something that isn't there yet." Hinshaw said he is feeling healthy and plans to remain at the helm for the long term. The company has a difficult road ahead, in the view of analyst Curt Monash of Monash Research. "Unlike numerous other analytic DBMS vendors, Dataupia never seemed to have much in the way of technological differentiation," Monash said via e-mail. "It seems to be little more than a price play, in a sector with vigorous ongoing price competition and even a few appealing free alternatives."

Just a day before a crucial hearing in the patent infringement case between Canadian developer i4i and Microsoft, i4i's top executive said that the injunction that forbids Microsoft from selling Word could be reinstated. Last month, a federal judge barred Microsoft from selling current versions of Word 2003 and 2007 as of Oct. 10, part of the punishment for losing the case brought by Toronto-based i4i in 2007. Microsoft was also hit with $290 million in damages in the case. But after Microsoft warned that sales chaos would result, the U.S. Court of Appeals stayed the injunction earlier this month. "The wording of the court order - it said it was staying the injunction 'pending appeal' - is not a highly specific order," said Loudon Owen, i4i's chairman, in an interview today. "We're awaiting its interpretation." Owen said that it's unclear whether the wording could be taken to mean that the stay would hold until the end of the appeals process, or perhaps only until the three-judge panel hears oral arguments tomorrow. "This is the classic [phrasing] for a stay, but it leaves a great deal of discretion in the hands of the judges," Owen added.

Microsoft has had ample time.

Owen declined to say whether i4i's lawyers would bring up the injunction or the wording of the stay order during the oral hearing slated for Wednesday in Washington D.C. But he dismissed Microsoft's warning that the injunction might force it to pull Word 2003 and Word 2007, as well as the associated suites, Office 2003 and Office 2007, off the market for months while it removed the "custom" XML feature that's at the center of the legal dispute. "If we look at the record, Microsoft has had extensive time to make modifications to Word," said Owen. "We filed [the lawsuit] in March of 2007, and said then that we would seek an injunction. The jury verdict was in May." Owen also declined to comment on how long i4i thought it would take Microsoft to revise Word. "We haven't seen the source code," he acknowledged. "But Microsoft's apocalyptic prediction was unfair." Two months ago, a long-time patent attorney said he thought Microsoft could easily make a technical fix to Word, then sell the new version in the U.S. Hewlett-Packard and Dell, the top two PC makers worldwide, disagreed with the attorney's belief. The two OEMs, who asked to be granted "friend of the court" status in the appeal, said that changes to Word would "require extensive time- and resource-consuming retesting" on their part. Many new computers come with Microsoft's Office or a trial version of the productivity suite; HP and Dell said they would have to rebuild the disk images they use to factory-install software on their new PCs. According to the original injunction, Microsoft is not required to update copies of Word 2003 and 2007 already in customers' hands.

According to i4i, Microsoft began adding XML editing and custom XML features to Word shortly after meeting with the company in 2001. Microsoft has denied the charge, saying i4i distorted the facts. "After a handful of meetings that weren't fruitful, i4i and Microsoft went their separate ways and Microsoft later released the custom XML functionality for Word that it had told i4i it was developing," Microsoft's lawyers said in a brief filed last week. Owen refused to speculate about what i4i hoped to get out of tomorrow's hearing, other than to say, "We expect a fair hearing." He also dodged questions about what i4i would do if the appeals court overturned the jury verdict. "It's hard to look past the appeal," he said, but promised that if Microsoft is granted a retrial - something the American developer has asked for at minimum - i4i would continue the battle. "This is certainly an important case to us," Owen said, "but it's also important to any inventor or entrepreneur who invents technology." Both Microsoft and i4i have promised to comment after tomorrow's hearing.

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 provides a unified information security framework to achieve information system security and effective risk management across the entire federal government. In this second of four articles about the latest revision of this landmark Special Publication from the Joint Task Force Transformation Initiative in the Computer Security Division of the Information Technology Laboratory, Paul J. Brusil reviews the framework for risk management offered in SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3, which was prepared by a panel of experts drawn from throughout the U.S. government and industry. Everything that follows is Brusil's work with minor edits.

* * *

The Risk Management Framework in SP 800-53 (Chapter 3) invokes NIST document SP 800-39, Managing Risk from Information Systems: An Organizational Perspective, to specify the risk management framework for developing and implementing comprehensive security programs for organizations.

SP 800-39 also provides guidance for managing risk associated with the development, implementation, operation, and use of information systems. The risk management activities are detailed across several NIST documents (as identified in SP 800-53, Figure 3-1), of which SP 800-53 is only one. The risk management activities within the Risk Management Framework include six steps:

1) Categorizing information and the information systems that handle the information.
2) Selecting appropriate security controls.
3) Implementing the security controls.
4) Assessing the effectiveness and efficiency of the implemented security controls.
5) Authorizing operation of the information system.
6) Monitoring and reporting the ongoing security state of the system.

SP 800-53 focuses primarily on step (2): security control selection, specification and refinement. SP 800-53 is intended for new information systems, legacy information systems and for external providers of information system services. To start the risk management process, each organization uses other mandatory, NIST-developed, government standards.

These other standards are Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. One standard helps to determine the security category of each of an organization's information and information systems. The other standard is used to designate each information system's impact level (low-impact, moderate-impact or high-impact). The impact level identifies the significance that a breach of the system has on the organization's mission. Companion guidelines in another NIST recommendation, SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Rev. 1, facilitate mapping information and information systems into categories and impact levels. SP 800-53 summarizes the categorization activities in Section 3.2 and details the security control selection activities in Section 3.3. In brief, a minimum set of broadly applicable, baseline security controls (SP 800-53, Appendix D) is chosen as a starting point for security controls applicable to the information and information system. Each organization then chooses security controls commensurate with its specific information and its specific information system's risk exposure, using typical factors such as identifying vital threats to systems, establishing the likelihood that a threat will affect the system and assessing the impact of a successful threat event.

SP 800-53 specifies three groups of baseline security controls that correspond to the low-impact, moderate-impact and high-impact information system level categories defined in FIPS 200. The intent of establishing different target impacts is to facilitate the use of appropriate and sufficient security controls that effectively mitigate most risks encountered by a target with a specific level of impact. The baseline security controls are selected by an organization based on the organization's approach to managing risk, as well as security category and worst-case impact analyses in accordance with FIPS 199 and FIPS 200. Then, as needed based on an organization's specific risk assessment, possible local conditions and environments, or specific security requirements or objectives, these minimal baseline security controls can be tailored, expanded or supplemented to meet all of the organization's security needs.

SP 800-53 gives guidance to organizations on the scope of applicability of each security control to the organization's specific situation, including, for example, the organization's specific applicable policies and regulations, specific physical facilities, specific operational environment, specific IT components, specific technologies, and/or specific exposure to public access interfaces. Tailoring activities include selecting organization-specific parameters in security controls, assigning organization-specific values to parameters in security controls and assigning or selecting appropriate, organization-specific control actions. If the tailored security control baseline is not sufficient to provide adequate protection for an organization's information and information system, additional security controls or control enhancements can be selected to meet specific threats, vulnerabilities, and/or additional requirements in applicable regulations. Augmentation activities include adding appropriate, organization-specific control functionality or increasing control strength.

As a last resort, an organization can select security controls from a source other than SP 800-53. This option is possible if suitable security controls do not exist in SP 800-53, if appropriate rationale is established for going to another source and if the organization assesses and accepts the risk associated with use of another source. An organization-specific security plan is then developed. The plan documents the rationale for selecting and tailoring each security control. Such rationale is used to provide evidence that the security controls adequately protect organizational operations and assets, individuals, other organizations and ultimately the nation. Subsequent analyses of the risk management decisions documented in the security plan become the bases for authorizing operation of the organization's information system. A designated senior official gives such authorization.

After authorizing operation, the organization begins continuous monitoring of the effectiveness of all security controls. Such monitoring facilitates potential future decisions to modify or to update the organization's security plan and the deployed security controls. Modification and update may be necessary to handle information system changes and/or updates, new configurations, operational environment changes, new types of security incidents, new threats and the like. Depending on the severity of adverse impacts on the organization, the revised security plan may need to be used to re-authorize operation of the information system. Organizations document selected program management controls in an Information Security Program Plan.

SP 800-53 also defines 11 organization-level, program management security controls (Appendix G) for managing and protecting information security programs. The Information Security Program Plan is implemented, assessed for effectiveness via assessment procedures documented in NIST document SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems – Building Effective Security Assessment Plans, and subsequently authorized and continuously monitored. In the next part of this four-part series, Brusil discusses the comprehensive repository of security controls presented in SP 800-53 Rev. 3.

* * *
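As an added worked example, not part of Brusil's article or of any NIST publication, the Python below models the categorize, select, tailor, augment and document steps described above: a FIPS 199/200 worst-case (high-water-mark) categorization, a cumulative baseline pick, tailoring and augmentation with recorded rationale, and the check a reviewer would want before authorization, namely that every deviation from the baseline carries a documented rationale and that any control taken from a source other than SP 800-53 says so. The control catalog and its allocation to baselines are a constructed illustrative subset, not the Appendix D tables, and the control identifiers serve only as labels.

```python
from dataclasses import dataclass, field

LEVELS = ("low", "moderate", "high")
# Constructed catalog: control id -> lowest baseline that includes it.
# SP 800-53 baselines are cumulative (moderate adds to low, high to
# moderate); this allocation is illustrative, not the Appendix D table.
CATALOG = {
    "AC-2": "low",          # Account Management
    "AU-2": "low",          # Auditable Events
    "CP-9": "low",          # Information System Backup
    "IA-5": "low",          # Authenticator Management
    "AC-2(1)": "moderate",  # enhancement: automated account management
    "SI-4": "moderate",     # Information System Monitoring
    "AU-2(3)": "high",      # enhancement: reviews of auditable events
}

def categorize(confidentiality, integrity, availability):
    """Step 1 (FIPS 199/200 high-water mark): the system's impact level
    is the worst case across the three security objectives."""
    ratings = (confidentiality, integrity, availability)
    if any(r not in LEVELS for r in ratings):
        raise ValueError("impact rating must be low, moderate or high")
    return max(ratings, key=LEVELS.index)

def select_baseline(level):
    """Step 2 starting point: every control allocated at or below level."""
    rank = LEVELS.index(level)
    return {c for c, floor in CATALOG.items() if LEVELS.index(floor) <= rank}

@dataclass
class SecurityPlan:
    impact_level: str
    controls: set
    parameters: dict = field(default_factory=dict)   # organization-defined values
    rationale: dict = field(default_factory=dict)    # control -> why it deviates

    def tailor_out(self, control, why):   # scoping: drop with rationale
        self.controls.discard(control)
        self.rationale[control] = "scoped out: " + why

    def assign(self, control, parameter, value):  # organization-defined value
        self.parameters[(control, parameter)] = value

    def augment(self, control, why):      # add a control above the baseline
        self.controls.add(control)
        self.rationale[control] = "added: " + why

def validate_plan(plan):
    """Paper check before authorization: each removed or added control has
    documented rationale, and a control outside SP 800-53 must say so."""
    baseline = select_baseline(plan.impact_level)
    problems = []
    for c in sorted(baseline - plan.controls):
        if c not in plan.rationale:
            problems.append(f"{c} removed from baseline without rationale")
    for c in sorted(plan.controls - baseline):
        if c not in plan.rationale:
            problems.append(f"{c} added without rationale")
        elif c not in CATALOG and "other source" not in plan.rationale[c]:
            problems.append(f"{c} not in SP 800-53 and no other-source rationale")
    return problems

def build_plan():
    # Worked run: moderate-impact system, one parameter, one augmentation.
    level = categorize("moderate", "moderate", "low")
    plan = SecurityPlan(level, select_baseline(level))
    plan.assign("CP-9", "backup frequency", "daily")
    plan.augment("AU-2(3)", "periodic audit review required by internal policy")
    return plan
```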

Small and midsize businesses are confident in their disaster recovery capabilities, but their actual performance in preventing outages shows they are "remarkably unprepared," according to survey results released Monday by Symantec. Four out of five SMBs are satisfied with their disaster-recovery plans, and two-thirds believe their customers would be willing to "wait patiently until our systems were back in place" in the event of an outage, Symantec found. But that confidence is unwarranted.

The report is a follow-up to Symantec's annual Disaster Recovery Research Report released last summer, which found that the average cost of executing and implementing a recovery plan amounted to $287,600 for each downtime incident. Survey respondents included 1,657 companies worldwide, including both SMBs (companies with 10 to 499 employees) and their customers. Three out of four SMBs report that they are based in a region susceptible to natural disasters. The average respondent suffered three outages in the past 12 months, either from natural disasters, power outages, or virus and hacker attacks. "With this kind of exposure, and with the confidence SMBs display about their disaster preparedness, one would think SMBs have solid disaster-recovery plans in place," Symantec writes in the SMB Disaster Preparedness report. "However this is not universally the case - almost half (47 percent) report they do not yet have a plan to deal with such disruptions." This week's SMB study found that in some areas, respondents showed "an alarming lack of readiness," according to Symantec. "First, the average SMB backs up only 60 percent of its company and customer data," Symantec writes. "Second, they do so infrequently. This inattention to data backup is echoed by the fact that more than half (55 percent) of the SMBs feel they would lose 40 percent of their company data if their computing systems were wiped out in a fire." Only one in five (23 percent) back up on a daily basis and 40 percent back up monthly or less. This lack of preparedness puts SMBs at risk of losing customers.

More than a quarter of customers had suffered outages, many of which were significant. Forty-two percent of outages reported by SMB customers lasted eight hours or more, and 26 percent of customers reported losing data because of a vendor's outage. Customers said the estimated cost of outages averaged $15,000 per day. Two out of five SMB customers surveyed by Symantec have switched vendors because they decided their vendor's technology was unreliable.

Symantec offered several recommendations to SMBs looking to bolster their disaster-recovery preparedness. First, SMBs should determine what critical information should be secured and protected, giving priority to customer, financial and business information, and trade secrets. SMBs should also automate the backup process to minimize human error, and test systems annually to ensure that data can be recovered and downtime minimized during a disaster.

Until yesterday, signing up for a Google Voice account required you to pick a new phone number - not a pleasant option for those who have kept the same digits for years. Now Google has enabled users to keep their existing phone numbers and get (most of) the features Google Voice offers, including Google's excellent voicemail service. When you sign up for Google Voice - which is still not widely available to the public (you need to get an invite or request one) - you can either choose a Google one-stop phone number or keep your own for a more pared-down experience. Keeping your old digits gives you:

- Online, searchable voicemail
- Free automated voicemail transcription
- Custom voicemail greetings for different callers
- Email and SMS notifications
- Low-priced international calling

Going for the full-throttle Google experience gives you all of the above plus:

- One number that reaches you on all your phones
- SMS via email
- Call screening
- Listen In
- Call recording
- Conference calling
- Call blocking

If you already have a Google Voice number, you can add the voicemail option to any mobile phone associated with the account.

Since voicemails are transcribed and placed online, and can even be made publicly available for sharing purposes, there has been some danger of said voicemails appearing in search results. Happily, Google circumvented this problem earlier this month. Some of the awesome benefits are explained in Google's YouTube explanation. These new features are both freeing and limiting: you can keep your number but sacrifice some of the goodies that make Google Voice a powerful contender in the telephony business. Full number portability is likely coming in the future, after, of course, Google deals with AT&T, Apple, and the FCC. But some have high hopes that eventually the opposition will grow to accept and embrace Google Voice. Follow Brennon on Twitter: @neonmadman