Why not Mahara?

Mahara doesn't give enough freedom and it's also very broken!

Notes for evaluators

Because the description and requirements for this task has changed so much over the course (from 'do whatever you want!' to 'do specifically this, nothing more nothing less.'), my first few modules may not be in entirely in alignment with the requirements anymore.

If for whatever reason you can't view the documents properly, email me for a word document transcript. Email me at andrew@atunnecliffe.com.

And also...

It's important to mention that whilst I may reference a lot of DSS specific internal documentation that very little of it is easily accessible, advertised, or perhaps even current. Any assumptions, opinions or ideas based on the following content should only be made with the above in mind. Chances are nobody knows anything about these docs I'm writing about.

APS Code of Conduct and ACS Code of Ethics

This is a live document that will be updated with content as progress is made through the ICT graduate program. First you will be shown what I feel the APS and ACS values entail, then you will see exactly what they are, and finally you will see any personal experiences I have had where these values had to be scrutinised in order to achieve a positive outcome.

ACS and APS codes interpretation

What I think they mean

The APS code of conduct and the ACS code of ethics are simple. They are oriented around putting the interests of the public before your own personal interests, acting in a fully open and honest way. This means it is important to act in an impartial way, and always be driven by facts; avoiding using personal, business or sectional interests in any evaluation.

What is ethics without honesty? It should be implied that you are honest in not only in the representation of the data you may be providing, but you are also open in the way you represent yourself as a person and a resource.

We also need to do a good job, and be good at what we're doing. To me, doing a "good job" doesn't necessarily mean trying your hardest and hoping for the best, it means making sure you are competent in any work you undertake so you are able to work diligently for your stakeholders. There is of course a feeling of professional development, but the evaluation always needs to be made as to whether we are able to realistically perform a task; and if you are accepting a task that is in areas you are still learning you need to be honest about it. Development has to happen somewhere!

Alongside these personal values, there are interpersonal ones as well. We need to be respectful of everyone, including their rights and heritage. To me, we're all people; so we all get treated with the same level of respect — regardless of any other factor. Hopefully one day everyone will share this view, so we can fully embrace the benefits of diversity and equality.

On a more global scale, we need to be working towards improving the lives of anyone who is affected by our work. This can mean producing good quality code, a positive user experience, a healthy meeting outcome, a factual and full business case, and any other task that we are given in both this professional work context and in our outside life.

References

What is written above is my interpretation of these frameworks. They may or may not agree with you, but they should not offend anybody. If you are offended or feel I should change something please contact me at andrew@atunnecliffe.com.

Check out the ACS Code of Ethics here.

The SFIA chart here.

The ICT Skills White Paper here

And click here for the APS values.

But do you use these values?

Whenever you have a difficult decision to make there is a framework to assist you in making a decision. You can start by looking at your manager's priority lists, then move up the chain to your branch, your section or your departments priority list. Once a decision has been made, or even if it hasn't yet you check which decision is in the closest alignment to the APS values, whilst contributing towards your priorities.

This has already happened plenty of times in my role. Particularly "evidence based findings" from your departmental secretary and "committed to service", so we need to work hard to first figure out what the best results are, and then work on getting there.

As far as specific rulings from DSS, there is no physically written (at least no easily accessible or advertised) code of ethics. Ethics however are included within the code of conduct, and inherited from the APSC values. The DSS (or rather FaHCSIA) has performed a couple of ethical review guides, however none have been done (as far as I can see) for the past seven years. These reviews focussed on the FaHCSIA research and evaluation framework, or in more human language ethics surrounding procurement and hiring practices.

What has education changed about your behaviour?

It is often assumed, in fact it is often propagated that a corporation is at the forefront of technology. Looking at the 'front page' of a corporation this may appear true - the latest model blades in the server room, multi-monitor setups with big, comfortable chairs for each employee - but what about ethics? This is often not on the front page of a recruiting page. It definitely was not on the front page of mine, and I work for Social Services; a corporation promoting positive ethics. I still don't know why this isn't the case, and perhaps it is as simple as the idea that ethics isn't as cool as modern technology; but it often bring to mind the question -- are my ethics as modern as my tech?

According to Bowern, Burmeister, Gotterbarn and Weckert, they are probably not. Their publication "ICT Integrity: bringing the ACS code of ethics up to date" detailed the importance of making sure you are modern and specific with your ethics. Whilst the publication focused specifically on the ACS code of ethics, it can usually be applied to many codes of conduct and ethics (known internally as the Values and Ethical Framework).

The DSSs last internal audit of ethical behaviour concluded in May 2008, which at the time of writing is over seven years old. Additionally, this report found that FaHCSIA (now DSS) had not provided any training in ethics. As graduates we received training on ethics, but the standard employee populace still does not generally get this training. The report made a few recommendations, a couple of which have been followed, to attempt to increase the appearance of ethics within the organisation. But this still leaves the subject of the applicability of the ethical framework alone. There has not been any audit or study (that I can find with the help of the DSS library) on the applicability of the ethical framework. Following up from the publication about the ACS, they performed significant modifications to their code of ethics to modernise and make it much more pertinent to the end users. The DSS first needs to make the code of ethics more visible. Once people are more aware of it, then the applicability of it can (and should) be evaluated, resulting in a higher quality ethical framework.

Looking at personal changes resulting from these publications, I have learned that ethical frameworks are useful, but not to be wielded like a sword; as they may not be as pertinent as one may expect.

Bowern, M., Burmeister, O., Gotterbarn, D. and Weckert, J. (2006). ICT Integrity: bringing the ACS code of ethics up to date. AJIS, [online] 13(2). Available at: http://journal.acs.org.au/index.php/ajis/article/view/50 [Accessed 5 Jul. 2015].

FaHSCIA (2008). Promotion, Management and Assurance of Ethical Behaviour. Internal (DSS), [online]. Available internally at: http://staffnet/waf/support/audit/Documents/ethical_behaviour.DOC [Accessed 29 Jul. 2015].

Digging Deeper

The DSS does have an Ethics Policy! It is completely invisible, not advertised anywhere, was pretty much impossible to find and was last modified in 2008, prior to the ethical review mentioned earlier. The ethics policy covers three principles that DSS employees need to adhere to. However like all ethical policies it is unnecessary as it is perpetuating the concept of "being nice", and merely writing down what is already written in numerous other frameworks and policy documents we have subscribed to by being in the APS (APSC code of conduct / aps values / many others).

• Principle 1 - Compliance with the National Statement on Ethical Conduct in Human Research
  • This principle states that the department, including individuals and organisations contracted by it will conduct all research and evaluation activities in an "ethical manner". This probably refers to the National Statement on Ethical Conduct in Human Research but I can't be sure.
• Principle 2 - Recognition of the determinations of external ethical review bodies
  • In order to adhere to this principle, we need to recognise the determinations of external ethics review processes that comply with the above National Statement. In human terms, this means project owners need to obtain the required level of ethical approval from an institution that has a National Health and Medical Research Council registered Human Research Ethics Committee.
• Principle 3 - Limiting duplication of review and ensuring timely decision making
  • This principle seems to ensure the follower avoids unnecessary duplication of ethical review. It also allows DSS to minimise the compliance burden associated with research and evaluation of ethics review to facilitate timely and effective research and evaluation activities.

Witness Accounts

I probed a few people about the DSS ethics policy; nobody could confirm or deny the existence of such a document. However, I have noticed a fee important ethical quandaries being overcome by DSS employees. For example, I was involved in the hiring process for next year's IT graduates. We were told there was one DSS cadet interviewing for the DSS graduate programme, so we all stepped out of the room when it was his turn to interview. Excellent! No chance of naughty things happening. This does seem like the right thing to do. My security clearance forbids me from discussing anything in any sort of detail and I am not comfortable writing anything in the negative on this topic in the public domain, even if it is vague and non-incriminating. I do often think and reflect though, and have faced a few tough situations where I have had to bring extra people into a conversation to make sure what was happening was being appropriately attributed and recorded.

SFIA Work Role Analysis

Analysing my role specifically as it stands in cyber security by description and day-to-day driving puts me at level 3-4. In investigations this raises up to 4-5, but standard daily tasks sit around 3-4. The APS currently operated using the ICT Capability Framework, which has been built on top of SFIA. The purpose is also in alignment with SFIA, representing an "anchor point" for people management processes within agencies and for the career planning on ICT professionals.

I'm currently working in Cyber Security with the DSS. This incorporates sysadmin work (level 5), architectural (level 5), and analyst programmer (level 4) work. When you actually get to the day to day it is bumped down to a 3 because the sysadmin work has a habit of being... well secret account creations and the like.

Common ICT Job Profiles

The concept of creating job profiles is great to an extent. When applying for a job you get an idea of where you will sit in the chain of action, and it allows you to consider at what level of abstraction you are comfortable with. For example, project managers sit at level 5-6, but developers sit at 2-4. Developers are doing hands-on work and PMs are abstracted and above, so they may not see the day-to-day actions that are taken by everybody. In the same way, a developer may not see what other developers in other areas are doing; they may be honed in on their area of work.

Analysing my current role in detail however is a fruitless task as it is not the purpose of SFIA. SFIA (as described in the ICT skills white paper) is designed to enhance strategic planning and allow for rapid deployment of skills. I interpret this as hiring people who are better suited for the job, in order to "maximise your return on investment". The functional outputs listed are all consistent with providing clear job descriptions that are in alignment with expectations in order to enhance the alignment of skills to job roles. SFIA is for hiring. It is good to have a general overview of your current role so you know what to apply for to get your best values out, but going into detail about it far less enhancing because it's not in alignment with the goals of SFIA.

DSS does not have any content that applying to SFIA or the ACS' job profiling tasks. The APS Work Level Standards seem to be some sort of alternative to SFIA in that they're designed to facilitate more efficient hiring of targeted resources. From an ethical standpoint it's always important to work in a job that you are good at, as you will be most effecting in enhancing the quality of life of those affected by your work. SFIA is designed to provide a universal language and naming convention for skills in ICT.

Reflection?

SFIA is a great tool when used as it was intended. It's perfect for selecting courses or conferences to attend, to assist when applying (or obtaining applicants) for a new job and for giving a general overview of the type of work one may be encountering.

How does it all work?

Communication and Project Management are two extremely and increasingly important terms in the IT space. Communication in IT is enormously important. IT people need to be able to explain the most complex issues to management teams in a common language, and as business sizes increase and application the issues become more abstract, this is becoming progressively more difficult.

It is common nowadays for a developer to work in one area of development if they're in enterprise. Be that user interface design, user experience, database management, or server-side scripting it is usually done by a specific person who specialises in that area. There are various reasons for this, many of which are valid and primarily oscillate around the idea that a person will come to have a strong understanding of their area and will therefore be able to solve problems more quickly.

This looks great at the moment, a group of people who are all experts in their area working on their own parts of the project in an efficient manner. Tasks are delegated by management to each member as required and those tasks are completed within the service level agreement, and all is well. After about a while a few major enhancements are requested, and a group of fresh hires arrive to help out. Your small team has now grown, and there are three to five people specialising in each area. New areas have spawned, you now have a dedicated security team who seem to be slowing everything down, you have a WCAG compliance team making your site ugly and slow, and you have a rock star UX team who are making everything 'material design' or something equally ridiculous.

Everything is starting to turn into a bit of a mess, so they assign each area their own manager. These managers don't directly contribute to the technical work load; their job is to communicate with the other managers about the workload and the overall goal. Then they all start fighting because the UX guy uploaded a script without giving it to the security team, but UX guy said it was irrelevant because it was purely user experience based.

So they hire a project manager. Somebody to absorb the arguments and repair the damage caused. The project manager builds a workflow system to make sure issues like this don't happen again. So now every time someone codes something, before they can upload it to the repository they have to sign off a bunch of checklist items; like have they put it past security, they have to get it checked off by WCAG for compliance, they have to put it past their one-up for quality assurance.

Whilst this has resolved many internal disputes and is resulting in higher quality product, it has also greatly slowed down production. To try and alleviate this, each developer in each of the teams is given their own team of developers to train and work with them. They are now team leaders with a team of junior developers working alongside them. Suddenly the project manager is now in charge of five times as many people and can't cope, so they get each development team their own section manager to report to the project manager. Like the team leaders and managers, the section leaders are responsible for communicating with the group above and below themselves. Our diagram now looks like this. Don't forget each area also needs an architect to decide the best way for them to go because the section leader can't think in the big picture way. Which means with the project manager sits a solution architect who gets paid so much to draw clever diagrams and think about the future it would make you explode.

This level of abstraction is where much of enterprise is today. If a junior developer spots a problem, he needs to tell him team leader, who needs to tell the section leader who needs to tell the project manager who needs to get stakeholder input and decide on a solution, put that solution past the architects to make sure it's in alignment with our goals, report back to the section leaders who then communicate with the team leaders who let the developer know what to do. Except they don't tell him what data to store in his audit trail database like he wanted, they tell him the company has decided to move onto the cloud or something equally useless.

Imagine what this could look like in another ten or fifteen years. The rate of change is only increasing. At this stage even adding a text box to a website is an awkward ordeal, let alone a complex feature addition or data migration. The rate of abstraction is out of control and it's only going to speed up until a new, less hierarchical ideology comes along. The only glue holding everything together is communication.

So how do I communicate effectively?

This has been gone over countless times by countless different people. Traditionally, I have stuck to Aristotle's mantra to tell them what you're going to tell them, tell them, and then tell them what you told them; but recently this has started to lose its impact. It's easy to ponder the reasons for this loss of impact, be it mobile phones, fast internet, the bright colours in movies, fast food; people have shorter attention spans and we as communicators need to cater for that.

A listener has a choice when they're listening to a presentation or speech, and this is pertinent even in a meeting or conversation. They have the choice to not listen. This choice is made easier for them if you're boring or badly presented, but it's also pretty easy to not listen if the listener decides that what you're talking about isn't applicable to them. If you tell people what you're going to tell them, they can easily decide they don't care and jump straight onto their phones.

Time today is very valuable, and people are very quick to dismiss somebody on this basis. When an audience is awaiting your presentation, they don't want to know what they're going to hear, they want to know why they're there. So we should open our presentations not with an agenda, but with a framing idea that will answer the question of why the audience should listen.

Once you have answered the question of why, you are to start with the main content. Sometimes this part is difficult, but if you have ever spoken to anybody high up the food chain in business or government you're going to know you need to be concise or few will give you their time. The common urge when you're speaking about your speciality is to tell the audience everything you know like in a University lecture, but you're at work now and things are different. Keep it concise and only present ideas that are vital to your contention.

Conclude in a similar manner to your opening, finishing with a salient idea that reminds people why they have attended and what they have gained from it.

What about in the DSS?

As in any workplace there is an array of ways we communicate. These include informal talks, email, formal meetings, IM, phone calls and many others. There are often more layers inside these methods, such as inside formal meetings there are general meetings, section meetings, branch meetings, group meetings, team meetings, scrums and surely a lot more. There are a few unwritten rules that are generally followed within particularly the higher-level meetings, such as attempting to always speak in a professional capacity rather than a personal capacity. This is directly in alignment with the ACS values, particularly that of impartiality. Make sure when you speak people know who you are and what authority you have to comment; make sure you speak with political sensitivity and don't speak negatively of somebody or a group without first talking with them.

What about formal documentation?

DSS has several communication policies in place. These include several about sponsorship, media engagement and merchandising which are largely unneeded in my area of work. There is also a Stakeholder Engagement Policy that we have been following in the process of the ICTGP. This document is a key document written to implement the DSS Stakeholder Engagement Strategy, which is designed to ensure that we are effective, efficient and, perhaps most importantly, consistent in the way we engage with our stakeholders. This formal documentation has enforced changes in myself as a project manager, as I now have scheduled meetings with stakeholders and formal documentation to write up for these meetings, even if they're only 5-10 minutes in duration. Without this documentation I would have just met up each time we hit a milestone or roadblock -- however through documentation I have learned that this isn't the desired way.

Our project has a meeting etiquette policy which outlines communications and behaviour. Our meeting minutes have consolidated action items that list who needs to do what, when. Items that have not been completed by their due date are highlighted and assistance is offered to the resource who is supposed to be doing them. Whilst this is not written in policy, these are the actions that have been taken for the first 6 months of the project, and as they're working the behaviour will continue.

What have you witnessed?

Once a meeting has commenced, DSS employees largely obey all of these rules. There may be the occasional quip depending on the level of formality, but usually everything is followed. With the exception of one thing -- punctuality. There is a dangerous understanding that people can just rock up late and it's all fine. We had a joint-section meeting (about 100 people) scheduled for a specific time in the morning. Myself and my team arrived 10 minutes early as is appropriate. The chairs of the meeting arrived ten minutes late, and then spent about 15 minutes trying to get the projector to work. All I could think was you're literally in front of a room with tens of millions of dollars worth of IT professionals, developers, designers, architects; everything you can think of, and you think it's ok to make a mockery out of all of us. And then the to nobody's surprise the meeting went way overtime. A few people quietly walked out early, but the contents of the meeting was extremely important so some people couldn't.

Punctuality is something that needs to be worked on in the DSS. We can argue that it's derived from the work-life-balance focus of the department, the apparent perceived laziness of APS people; but for the point of this writing piece that is irrelevant. I will make it my goal to never be late to a meeting without setting expectations reasonably in advance.

What has education changed about your behaviour?

My day to day work life has no project management involvement. DSS uses Prince2, and as the project manager of our graduate team I suspect I am doing what any developer/inexperienced project manager would do in this situation. I'm doing a bastardised version of Prince2 mixed with Agile. How do you make Prince2 agile?

Like this apparently. Whilst my formal education in project management is miniscule (read: one undergrad unit), this book (as well as this one) gave me the powers I need to probably succeed. Before I started reading Prince2 Agile all I was thinking was "Prince2 literally means projects in a controlled environment, Agile is catering for somewhat the opposite of that. However it suits our project perfectly because it is a Prince2 foundation that caters for ongoing change, and because we immediately identified scope creep as a massive risk for our project it's important to tailor appropriately. I'm not ready to jump into scholarly literature in this rea as I don't yet fully understand the foundations. However I have been going through these books as the project goes on and they have given me the ability to decide an appropriate set of deliverables that we can produce in order to create a high quality final deliverable.

What is it?

Enterprise architecture in the APS is designed to bridge the gap between strategy and ICT, and make sure they're aligned. It is designed as a group of methodologies that are supposed to structure organisational (particularly technical) resources in order to better execute organisational strategy. EA is still a relatively new thing so the frameworks around it are still young and perhaps not entirely understood by everybody.

Does the DSS use it?

The DSS does use EA. Our system is derived from a number of other EA frameworks, including those of the Department of Defence Architecture Framework (DoDAF), the Federal Enterprise AF, and the Open Group AF. From these, the DSS has compared and built their own framework which includes 10 EA principles.

The DSS' Ten EA Principles

• Interoperability
• Able to Adapt for Change and Growth
• Security: IP and Data
• Control Technical Diversity
• Channel Independence and Access to Data
• Proven Technology
• Traceable to Business Objectives
• Trusted Service/SLAs
• Return a Business Benefit
• Manageable and Traceable

The IMTG in the DSS has an ICT Architecture team who are in ownership of the department's EA. According the the DSS' EA Roadmap, the DSS business Assets lead to technological work which lead to citizen outcomes.

Does this impact you directly?

I'm sure all these ideas have come to play in deciding the direction of my team and my day to day work, but I have yet to directly interact with something as strategic as this. The DSS themselves have clearly seen strong benefits in EA as we have a strong future state EA plan that extends through to 2016; focusing on Standards, Principles, Policies, Templates, EA Engagement and Project Delivery Framework.

ICT and Organisational Alignment in the DSS

The point has been made that organisations perform well when key IT resources are aligned with business strategy and business plans. Historically, and looking objectively, this is not always the case; however fortunately in DSS the IMTG alignment is right alongside that of the whole organisation.

Our IMT Group Manager has made a few things very clear. When we (DSS ICT graduates) first met him very early on in our working time, he told us that the IMTG was running as a business not just for the DSS, but for the whole of government. He told us how our services are sold to many other agencies and departments, and this has come to be due largely to our alignment with the DSSs strategic vision and the strategic plans of each group within the DSS.

DSS Strategic Vision

• Improve Government Operations
  • Extend Grant Management
  • Multi-agency shared services and data exchange
  • Mobile and flexible workforce
• Deliver Better Services
  • Business focus and co-design
  • Support high quality policy development
  • Efficient administration and value for money services
• Engage Openly
  • Creating and publishing strategic intelligence from data
  • Better online services and social media
  • Improved staff engagement and collaboration

DSS Key Priorities

• DSS provides evidence-based, forward-looking policy and implementation advice for Portfolio Ministers to support Government decisions and future directions.
• DSS is responsible for the design, funding and regulation of support systems that underpin the lifetime wellbeing, independence and participation of people and families, including: social security and family assistance payments; the aged care system, the National Disability Insurance Scheme; and disability employment.
• DSS works with the states and territories to achieve outcomes in their areas of responsibility, including disability services, concessions, the welfare of children and housing.
• DSS partners with and funds organisations to provide local services, including family relationship services, family support, community-based mental health services, early intervention, settlement services, multicultural engagement, aged care support, carer support, emergency relief and supported employment for people with a disability.

What are we doing to make sure we stay in alignment?

We are fortunate that our CIO is so strong on these issues. As a group, we are growing rapidly; and making sure our growth stays within these ideologies is imperative to our continuing success. The implementation of our strategic plan, each group's strategic vision and our departmental priorities provide a continuing framework to aid in decision making. As ICT workers within the DSS, we work under the same key priorities and strategic vision; and all our strategic frameworks are built of their foundation in order to retain alignment.

What about your work personally?

My group is currently being MOG'd due to the extreme growth of my group resulting from our success. We have been told that this MOG has occurred in an effort to maintain our continuing success. My day to day work processes follow these strategic plans so that I can be certain that I'm doing the best thing for the DSS.

Update from a few months later: I jumped ship from the MoG and moved into cyber security. Our ongoing projects are in alignment with the DSS strategic vision, particularly creating and publishing strategic intelligence from data. The publishings may not be public, but they're definitely in aid of the DSS strategy.

Information Management, according to the Association for Information and Image Management, is defined as the collection and management of information from one or more sources and the distribution of that information to one or more audiences. It concerns the daily propagation of information through organisational activity from acquisition or creation, ownership and distribution, and finally to the disposal of the information.

Data management is basically the same thing, but for data rather than information; which is why these topics are merged.

For the difference between information and data I revert to my undergraduate learnings and spew out the rote-learned quip "Data refers to qualitative or quantitative attributes of a variable or a set of variables". Whereas information can be defined as a set of conclusions that can be drawn upon based on a data set. I will illustrate this with an example later on.

What does the DSS have in place in this area?

The DSS is undergoing a strong evolution in the information management space. In 2014 DSS published the Information Management Strategy, with the vision "to provide a unified vision for the use and management of information across DSS".

This document goes over what the DSS identifies as key priorities of information management such as governance, people, data and systems capability and accessibility; as well as the key principles such as trusted, authoritative, accessible, integrated, managed and protected. These items are all important when governing information, as they are all requirements when producing (and reproducing) useful information.

The DSS has a number of other initiatives in place to ensure adequate information management, including our team project itself; as we are recommending enhanced information management and making sure we have conformity with the Information Management Strategy as well as any other relevant documents. We have also identified the DSS Recordkeeping Policy which handles the lifecycle of information as well as ethics as interpreted from other government documents such as the ISM, as well as the Recordkeeping Strategy which basically explains why it's necessary to have such record keeping and metadata strategies in place.

How does this impact you on a day to day level?

Heavily! As a lot of my work is classified I can't go into any sort of detail, so my language will be broad. We record and store vast amounts of data and metadata that can be connected to people. We have processes in place to anonymise this data (using the Information Security Manual (ISM)) and then release it to the public (in accordance with other DSS stakeholders including the Records Management, Investigations and HR teams and ministers / political figures).

Another example of my work involving information management stakeholders is the decommissioning of servers. When we "turn off" a server we need to speak with several teams to ensure that appropriate records are kept so that in the event of an audit or investigation we can retrieve any necessary data. We need to speak to the Records Management people whenever we wish to destroy data so that we get a formal "ok" before we proceed with destruction, and they'll always send someone to come and watch (and verify) that the destruction has taken place, as is consistent with the final step of the Information Life Cycle as probably defined by somebody on Wikipedia or perhaps even in a journal.

Formally at work, virtually everyone uses an Outlook plugin called FIRSt as a document management system. This is integrated with Janus Seal to provide levels of classification and DLM sensitivity. Protocols are in place to ensure people only gain access to data in FIRSt on a need to know basis. Currently FIRSt is in the process of being updated to ARC (Trim) which is basically the same thing.

What have you learned in this area from research?

Even the most mundane of data can be used in fascinating and fantastic ways. This is particularly true with mass metadata retention as described by the New York Times (and then backed up by a former NSA Tech Director Bill Binney) in August 2015 relating to the US NSA programs known as "Fairview", "Treasuremap" and "ATS" (Automated Targeting System). The ATS in particular uses mass metadata and sophisticated algorithms to analyse massive amounts of data to return a "score" for each person that related to how likely they are to be a part of a terrorist organisation. Historically this system has been assumed to be very accurate with people already known to be individuals of interest.

Ethically there are a lot of strong opinions in this area. The apparent vocal minority appear extremely strongly against any form of metadata retention for extremely valid reasons; including a belief that metadata retention can result in a person being identified and implicated based on such data, which is considered personal or private. In the workplace I feel that people (to an extent) own all the metadata we store about them, and that belief has led me to change some policies within my section.

A user asked for their own logon/logoff times for the past few months. Normally when we get these requests they are for HR or investigative purposes, however this time questioning led us to believe it was purely for personal reasons. My colleagues initial response was a resounding no. I explained to them I believed that whilst we technically own the metadata the customer it relates to has a right to view it (not alter it), as long as they understand that it is their own private data and they are under no obligation to show it to anybody else. It was decided that for mundane pieces of metadata such as logon times that's fine, but if logon time, machine name, operating system, open port list or any other more detailed things were requested then we would reject the proposal unless it had authority tacked onto it.

Among other far more complex things, the ATS is capable of building assumptions based on metadata -- for example a 2 minute inbound call from a medical professional followed by a 10 minute call to a loved one followed by a 30 minute call to an AIDS hotline carries enough grunt to build fairly strong and accurate assumptions that this software is capable of interpreting. In the DSS we are constructing a behavioural analysis platform to target threats that may get past traditional defence mechanisms such as firewalls and input validation; analysis targeted at people who either already have access to our systems (contractors, APS staff, social engineers) as well as people who may have... more obscure access through non-traditional means such as foreign workers placing hardware malware in our technology.

This is the most interesting part of Data and Information Management, as it pertains to the moment when data becomes information. We start off with the data set, which in the instance of ATS and DSS is mass metadata. With the ATS it may be phone calls, emails or Twitter posts; with the DSS it may be accessing specific files, machines or information. We grab all of this "data" and store it. Within this data set we then analyse it for patterns, and then try to sort out extremes. For the DSS this may be "how has this person accessed 100,000 classified documents in five seconds", and from the data set listing these interactions we come to the conclusion that something may be wrong. The data being a list of classified documents access and the time they were accessed, the information being that this behaviour is out of the ordinary. More detail on this in the Cyber Security section.

Bytheway, A. (n.d.), 2015. Investing in information - Chapter 2 - The Information Management Body of Knowledge, p25-p34. Retrieved from http://www.springer.com/cda/content/document/cda_downloaddocument/9783319119083-c2.pdf?SGWID=0-0-45-1488778-p177043060 [Accessed 12 Aug. 2015].

See inline links to NY Times and Reddit. The Reddit posts are verified as being authentically posted by the authoritative person in question, in this case former NSA intelligence official William Binney.

Talk about the theory around Cyber Security

An effective and holistic cyber security implementation requires the application of technologies, processes and behaviours designed to protect a system from unauthorised access. In more recent times this definition has been expanded into behavioural analysis of individuals who have authorisation, to ensure they are acting appropriately.

It is important to note that I cannot source a lot of this information as it has come from government documentation; all of the content however has been cleared by an EL2 agent for publishing to the public.
Sources are cited where they can be.

The reason behavioural analysis is required nowadays can sometimes be based on the assumption that attackers are already inside our systems. This is assumed based on many factors, including the following.
Paul Henry from Lumension says "The Chinese have already proven that they have the expertise to easily break into our networks using vulnerabilities. Why not package a backdoor directly in the network gear they are selling us? It makes sense that this vector would be a consideration of the Chinese."
The article publishing Paul Henry's statement was published in 2012, and it was largely speculative. In late 2013 however these issues were confirmed in a massive number of devices; and not necessarily just those made by the Chinese. But it was hard to detect these issues because the attacks weren't really targeted; the hardware seemed to have malware implanted at random in non-US cases.

Additional to the hardware malware and deliberate backdoors there are also more operational issues that can result in a successful attack vector being found, such as a large portion of the Australian Government still running Windows XP, and employees all over the world have a chronic susceptibility to basic social engineering.

So what has the DSS done to mitigate these risks?

The DSS has a number of policies and procedures in place to minimise these risks. We administer the IT Security Policy which directs users about appropriate password usage and making sure nobody other than yourself knows your password no matter what, it expresses that the Janus Seal product for applying levels of classification is gospel and if you send a TS email to your Gmail account at home, we have the capability to detect and prevent it from being transmitted. Additionally, there is an information page on the staff Intranet and a package that all new employees must read and sign prior to obtaining their credentials. These information pages contain details about social engineering, what we call "piggybacking" (where one person walks behind another person through a secure door), and how to spot bad emails. These are largely operational things that won't have any impact on attackers already in the system though.

That's where we implement behavioural analysis. Collecting mass data detailing what all entities on the network are doing and analysing it to check for consistency. Additionally, having checks in place such as "why is there a Kali Linux box in our Gateway" and "why are there 700 unidentified iOS devices on our wifi" are important for maintaining not only system stability, but also credibility.

How do these play out day to day?

Due to the classification of a lot of my work this will be very vague.

If the department were to become aware of any rogue hardware or malware in our systems, it would immediately be shut off and a thorough investigation would follow. If people are using their work email accounts for non-work related activities such as gambling or pornography, the Department would perform an investigation. Our license for out physical access controls

(door-lock keycard access system) prohibits me from talking publically about it in the way I intended to. The DSS, like all government departments, has software that watches the behaviour of each entity on all our networks to monitor for badness. What we do with this information however is classified, however a person is able to request part or all of the data they store about themselves.

So basically I can't talk about backdoors, malware, social engineering or behavioural analysis. But we're doing lots of cool stuff!

Have you changed or updated your behaviour as a result of learning?

Yes! Particularly around social engineering and operational security. It was surprising to see how easy it is to walk into a secure building like ours, grab a few phones from unattended desks, quickly duplicate then onto your laptop and then walk out with nobody caring at all. In the paper linked to in the first section, Social Engineering: The Neglected Human Factor for Information Security Management details simple methods for drastically enhancing groups of workers defences against social engineering practices such as the example above.

The paper makes the clear point that social engineering has been neglected compared to technical defences, which is absolutely true and slightly enhanced by the additional anecdotal evidence linked in the first section. As with technical security where the first steps were to educate developers and create secure programming guidelines, the first steps with clerical workers are education and training, followed by procedure and policy. We are currently implementing an ICT Security Roadmap at DSS which will be incorporating these new ideas and further enhance the existing trainings into social engineering which at present whilst they do exist, they may be ineffective.

Coupling this documentation with the subtle creation and negativity surrounding the aforementioned term "piggybacker" will create an aura of negativity around social engineering style practices and will work to prevent non-compliant behaviours.