Quarkside

21/02/2011

Identity Icebergs to sink Universal Credits

Does the Cabinet Office talk to the Cabinet Office – or any other Department for that matter?  Last week’s Local Government Delivery Council also had two related presentations; “Identity Assurance for Public Services” by the Cabinet Office and  “Employee Authentication Services (EAS)” by DfE and DWP.

Put these into the context of “HMG CTO Council – Government Employees Strategy for management of Identities – Version 1.1 – 1 February 2011. ” This noble document has some excellent content as far as it goes – but look at the juicy bits it deems out of scope.

  • “Access control of data within a single system or organisation
  • Entitlements of a validated identity within a single system
  • Authorisation services and other capabilities enabled by identity management
  • Citizen and Individual authentication even for access to government services or visitors to government sites
  • Identity Management of systems, devices and other entities
  • Audit and accounting requirements other than by reference to their need.”

Most, if not all of these are required by real live systems, especially in Local Government.  They are probably the hard bit where most guidance is needed.  Federated identity management protocols do understand how to include these options.  For example the use of Shibboleth 2 in the education sector can easily differentiate between children and teachers in Web based application systems.

EAS has been around for years in DWP.  It has been recently used for the “Tell Us Once” (TUO) project, authenticating for multiple agencies handling common citizen data.  They have discovered the need for, and have implemented, some employee attributes that allow differential access to application systems. This is out of the scope of the strategy above, but they found they had to do it.  Every Local Authority (LA), and there are hundreds of them, needs guidance on this because most do not have the internal skills and knowledge to interoperate with external identity providers (like EAS, but there are lots more). A common standard for federating identity, supported with standard software, is the only sensible way to proceed.

Finally, there was a bomb shell from the Cabinet Office.  As part of the stakeholder engagement process, they presented  “a federated approach through which a person is able to assert a trustworthy identity“.  Here are some of the enlightening aspects of a working federated system:

  • delivered for DWP Universal Credits in April 2012
  • provided ‘by the market’, presumably meaning non-funded
  • dependent on external verification of identity by third parties (such as banks) selected by the citizen
  • LAs will provide an Identity Hub which collects personal data and matches with the external credentials (this is a minefield, not just icebergs)
  • links with biographic, health, wealth and education data by attributes
  • links with DVLA
  • links with an ‘official’ address file
  • not dependent on a centralised identity register
  • Oh, and by the way, it will run on the GCloud. Trebles all round.

The aspirations are wonderful, straight out of the junior management consultant’s handbook, but three simple questions illustrate the risks involved:

  1. Does the Identity Management industry, working with hundreds of LAs, have the capacity to deliver in such a time scale?
  2. Does the Cabinet Office (or anybody else?) have a Technical Architecture that is fit for purpose and compliant with the CTO Council strategy?
  3. Identity management ignorance crippled the development of ContactPoint – why is it so much easier and simpler for Universal Credits?
Advertisements

10/12/2010

SRPs avoid PM standards

As Quarked previously, the baseline (Draft) Structural Reform Plans (SRPs) for each Department are almost acceptable. There’s just about enough to begin a reasonable job of monitoring and control. There are actions with start dates and end dates. There are also milestones.

What is missing are definitions of what has to be delivered by an end-date. Quarkside believes that all public sector projects are expected to use Prince2 for project management. It is almost written in stone in Local Government. As everybody who has been trained knows, Prince2 “Focuses on products and their quality“.  In other words it is ‘Product based planning’.  A plan is only considered complete when it has described WHAT should be DELIVERED by a specific date, WHO should deliver it and the QUALITY criteria for acceptance.  All these points rely a documented and agreed Prince2 Product Description.

Number 10’s Implementation Unit have misunderstood the guidelines, or have chosen to avoid them. You can identify a product deliverable because it is (usually) a concrete noun in the Product Breakdown Structure. The SRPs use a verbal description of an action eg Home Office

  • 3.2.ii “Introduce English language requirements for spouses”.

Are these requirements a statute, a regulation or a ministerial memo to the Immigration and Nationality Directorate? Delivery implies the complete acceptance of a specific product. An alternative might be:

  • 3.2.ii “English Language regulations agreed by Parliament and applied in Border Control”

Quarkside is not making a political point or just being pedantic. The first definition has many options on what the end product might be; the second is more specific and would be linked to the Product Description.   In fact 3.2.ii in the Draft SRP does not give an end date, showing uncertainty.  Prince2, using Product Flow Diagrams, would enable an end-date to be calculated.

Action based planning must have its devotees.  Notably that’s the path followed by Microsoft Project out of the box.  MS Project, unsurprisingly, does not follow the UK standard but is easy to tailor for Prince2 methods.

Martha Lane Fox has called for the use of standards  Not only does it increases the interoperability project managers, it is the most effective way of controlling projects.   The good news is that it is not be a big problem to change the Draft SRPs and produce a Prince2 plan with a useful Product Breakdown Structure.  When this process is done it always uncovers things that had originally been considered.  It improves the Plan.

The current Plan is little more than a ToDo list.  That style is suitable for planning a foreign holiday for a group of thirteen people. It is not suitable for the far reaching political reforms of the coalition government. Prince2 is the Standard.  The No 10 Implementation Unit should have ensured that each of the thirteen Departments understood and used Prince2 for both the Plan and the control mechanisms.

It’s not too late to produce a final plan that follows the Prince2 Standard.  Then we can produce a transparent monitoring and control process.

09/12/2010

No 10: SRP shambolic progress

Filed under: Policy,Politics,Process,Risk — lenand @ 9:17 am
Tags: , , , , , , , , , , , , , , , , ,

The Prime Minister launched 13 draft Structural Reform Plans (SRPs) in June.  Departments set out their reform priorities and the actions they would have to take to achieve them, including a specified timetable and measurable milestones. Under the initiative each department had to produce a monthly progress report, holding the Secretary of State to account to the Prime Minister if they are not on track.  Quarkside has not studied all in detail, but the structure of the plans looks sound.  There is a consistent layout and it is easy to see what is expected.

However the monthly updates are shambolic.  Granted the layout is consistent but they do not conform to best practice in progress reports.  With the intention to increase transparency, they are more likely to obfuscate than clarify. Some examples to illustrate this career threatening statement may elucidate:

  • The reference numbers are not carried forward, it is difficult to know which deliverable a progress line refers to.  All good systems would refer to a Product Breakdown Structure (PBS) number for ease of reference.
  • Missed target lines are in red, but they don’t give any indication of the changed date or the action to be taken to recover the plan.  This is not control, it is an ineffective observation.
  • The status column only has a choice of complete, not complete, not started, work started, work ongoing. and still not complete.  This is primary school level planning, not the way to control a nation reform programme.
  • The reasons for failure to meet targets look more like excuses and not a lot of value.  They just lose credibility without plans to get the programme back on track.
  • There is no risk register to give any idea of the seriousness of any delays.  Every project needs a risk register – it looks like the product of amateurs, not professionals.

That’s the bad news. Looking at the Quarkside principles, the Process is bad, the Governance is pathetic and the Technology is antiquated.  Could we respectfully request that the Prime Minister’s Delivery Unit takes some crash courses in effective Programme Management Office (PMO) processes.

The good news is that is all recoverable. Watch Quarkside for some answers in future blogs.

30/11/2010

No excuses, LAs and NHS must talk

Filed under: Local Government,Technology — lenand @ 3:30 am
Tags: , , , , , ,

A good news story for a change. Simple connectivity between local authorities and the NHS has been needed for years.  I recall having to spend 15 months with the agreements and protocols to join 2 servers one foot apart in a server rack.

Joe Harley (DWP) and Christine Connelly (DH) have jointly published a letter encouraging local authorities to connecting to the NHS N3 network via their existing GCSX connection.    They explain that it is now possible for local authorities to access NHS Spine without the need to install a separate N3 connection.  The reverse is also true; NHS organisations can access local authority data via their existing N3 connections.

Everything these days come at a price, however.  The N3 Interconnect Service is an additional service charge to the GCSX service.  Expect to pay £5,760 for 10Mb.  There’s also value in sharing the service between LA partners: £7,200 for 4 local authorities (£1,800 each) then £1500 per additional local authority using the same aggregation route.

Now that the connectivity should no longer a barrier, we should revitalise the attempt at building information sharing partnerships and utilising systems interoperability standards, such as ISO 18876.   Exchange of data between Health and Social Services has long been the call of Enquiries into Victoria Climbié and Baby Peter.  One key excuse for non-cooperation has been removed.

« Previous Page

Blog at WordPress.com.