What is "Privacy by Design"? And how to achieve it? - privacy

I noticed that tutanota and mega.io mentioned "Privacy by design" in their homepages. So, I became curious and found the wikipedia page about Privacy by design, but it seems to be an abstract concept (a collection of principals). However, I was looking for something like - do a and b or implement y and z. For example, mega.io uses Zero Knowledge Encryption (User-Controlled End-to-End Encryption). What other features do a product need to have to be called a "Privacy by Design" service.

By their very nature, abstract principles do not concern themselves with implementation detail. There are many different ways to implement them, and mandating one approach over another is simply out of scope – what matters is the net effect. It's also applicable to non-tech environments, paper records, etc; it's not exclusive to web dev.
Privacy by design (PbD) is a term coined by Ann Cavoukian, an ex-information commissioner in Canada, and it has a collection of principles, as that Wikipedia page describes. PbD is also referenced by GDPR. I've given various talks on privacy and security at tech conferences around the world – you can see one of my slide decks on PbD.
So how do you use them in web development? Take the second principle: "Privacy as the default". This means that if a person using your web app does nothing special, their privacy must preserved. This means, amongst other things, that you should not load any tracking scripts (perhaps even remote content), and not set any cookies that are not strictly necessary. If you do want to track them (and thus break the user's privacy to some extent), then you need to take actual laws into account, such as the EU privacy directive, which is what requires consent for cookies and trackers.
So although the principle itself did not require these measures, it influenced the technical decisions you needed to make in your implementation in order to comply with the spirit of the principle. If that happens, the principle has done its job.
So what you have to do in order to claim privacy by design (though it's not like you get a badge!) is to introspect and consider how these principles apply to your own services, then act on those observations and make sure that the things you design and build conform to the principles. This is a difficult process (especially at first), but there are tools to help you perform "privacy impact assessments" (also part of GDPR) such as the excellent PIA tool by the French information commissioner (CNIL).
If you're thinking about PbD, it's worth looking at two other important lists: the data protection principles that have been the basis of pretty much all European legislation since the 1980s, including GDPR, and the 6 bases for processing in GDPR. If you get your head around these three sets of concerns, you'll have a pretty good background on how you might choose to implement something privacy-preserving, and also a good set of critical guidelines that will help you to spot privacy flaws in products and services. A great example of this is Google Tag Manager; it's a privacy train wreck, but I'll leave it to you to contemplate why!
Minor note: the GDPR links I have provided are not to the official text of GDPR, but a reformatted version that is much easier to use.

Related

accessibility -- WCAG 2 and law restrictions

I just found out that there's some countries(UK, CANADA and some more) that actually have a LAW about the web-site accessibility. I was shocked, because one thing when there's some RECOMMENDATIONS and another thing is a LAW, witch means anyone can sue you for not being 'standard'.
I'm interesting in your professional opinion about why is it bad to use LAW based on WCAG 2.0 recommendations to make web-site accessible to disabled people. If you may, please provide a good examples with proper comments. There's not so many people who're fluent in WCAG 2.0 standards.
I found at wikipedia criticism about wcag here what it says:
Criticism of WAI guidelines
There has been criticism of the W3C process, claiming that it does not
sufficiently put the user at the heart of the process.[2] There was a
formal objection to WCAG's original claim that WCAG 2.0 will address
requirements for people with learning disabilities and cognitive
limitations headed by Lisa Seeman and signed by 40 organisations and
people.[3] In articles such as "WCAG 2.0: The new W3C guidelines
evaluated",[4] "To Hell with WCAG 2.0"[5] and "Testability Costs Too
Much",[6] the WAI has been criticised for allowing WCAG 1.0 to get
increasingly out of step with today's technologies and techniques for
creating and consuming web content, for the slow pace of development
of WCAG 2.0, for making the new guidelines difficult to navigate and
understand, and other argued failings.
*I may be wrong, but I think CODE should not be restricted by any law at all. It's a godamn CODE ffs
I think governments should encourage web-site owners(businesses!) to make they sites accessible, but not restrict them to some wcag for example.
Thanks!
I think there is a basic misunderstanding about how the law aspect works, it isn't based on WCAG.
In the UK, most of the EU, Canada and Australia there is no mention of WCAG2 or any particular standard for website accessibility in the law itself.
The law in the UK and in other countries like Australia says (and consider this an extreme paraphrase) that any product or service you provide should not discriminate against people with disabilities.
Whether you rely on a website to be accessible is up to you, you just have to provide your product/service in an accessible way somehow, you could do it on the phone and in a physical place.
NB: Most countries have "advisory notes" that do talk about WCAG, but see those as a means of making things accessible, not the core legal requirment.
Given that the website is generally the easiest way to provide something accessibly, WCAG2 is the most recognised set of guidelines and if you use that and make a "reasonable effort", any legal complaints will be easier to deal with.
Taking the book example (from the comments elsewhere), a paper book may not be accessible to someone who is blind, but the publisher is obliged to either make the digital copy available as an ebook (which can be read out by a computer or other device) or make the content available to services that create audio versions. They don't loose out on sales, and it is not a hardship to provide an accessible version.
There are lots of ways to make products and services available and thanks to the web being created as accessible-by-default, it is a very good channel for that.
Also, WCAG does not say "you have to do it this way or you are not standard", it says things like "All non-text content that is presented to the user has a text alternative that serves the equivalent purpose". It doesn't define the code you use (although there are obvious ways to acheive that), the guidelines are written so there there a multiple ways of acheiving the aim.
Some people complain about that and think it should be clearer and easier to implement!
Bottom line: If you are paid to make a website, making it accessible is part of a professional job.
Accessibility is not just "code", accessibility is about discrimination.
And fortunately, there are laws to sue people, not for not being standard, but for removing access to people with disabilities.

How to get a handle on all this middleware?

My organization has recently been wrestling the question of whether we should be incorporating different middleware products / concepts into our applications. Products we are looking at are things like Pegasystems, Oracle BPM / BPEL, BizTalk, Fair Isaac Blaze, etc., etc., etc.
But I'm having a hard time getting a handle on all this. Before I go forward with evaluating the usefulness (positive or negative) of these different products I'm trying to get an understanding of all the different concepts in this space. I'm overwhelmed with an alphabet soup of BPM, ESB, SOA, CEP, WF, BRE, ERP, etc. Some products seem to cover one or more of those aspects, others focus on doing one. The terms all seem very ambiguous and conflated with each other.
Is there a good resource out there to get a handle on all these different middleware concepts / patterns? A book? A website? An article that sums it up well? Bonus points if there is a resource that maps the various popular products into which pattern(s) they address.
Thanks,
~ Justin
I've spent the last 3-4 years blogging on the topics you mentioned (http://www.UdiDahan.com) as well as writing my own lightweight ESB (http://www.NServiceBus.com) and many more years working and consulting in this space. The main conclusion that I've come to is that strong business analysis and technologically-agnostic architecture is needed - no tool or technology can prevent a mess by itself.
There is the Enterprise Integration Patterns book which provides a good catalog of the technical patterns involved but doesn't touch on the necessary business analysis. I've found that Value Networks (http://en.wikipedia.org/wiki/Value_network_analysis) can be used as a good start for identifying business boundaries to which IT boundaries can be then aligned, resulting in the benefits of SOA, and the use of an ESB across those boundaries is justified.
CEP, WF, and BRE should be used within a boundary and not across them.
ERP packages tend to cross boundaries and, as such, should be integrated piecemeal into the boundaries mentioned - DDD anti-corruption layers can be used to insulate custom logic from those apps.
Hope that helps.
IBM and Oracle have SOA certifications. Since they're the leaders in the marketplace (Gartner Magic Quadrant), I would read about how they define SOA and ESBs (along with methodology and the components needed to support SOA like Governance, Registry, etc etc). It'll give you the high level overview that you're looking for and the use cases "all this middleware" is trying to solve.

Is website accessibility mandated in some countries? What are the consequences of not being accessible?

Is it mandatory in some countries to make all websites accessible?
If so, what would happen if someone in country with this mandate does not make a website accessible?
Can the government remove or block the IP if the site is not accessible?
How could the government know if any website is not accessible? Do they check every single website?
Does only the people/company who make the inaccessible site get any notice from the government?
Why are there so many accessibility guidelines -- WACG 1, WCAG 2.0, DDA, Section 508, etc.? If the whole world follows W3C for XHTML and CSS, then why have some countries made their own guidelines?
Is it mandatory in some countries to make all websites accessible?
Yes, particularly the United Kingdom, Ireland and Australia.
This is in order to comply with legislation that prevents discrimination against disabled people. While this is, or can be, seen as a burden I find it helps to think of it as widening your audience, consumer or user-base.
If so, what would happen if someone in country with this mandate does not make a website accessible?
Being a legal requirement means that a court is/will be able to impose sanctions, depending on their interpretation of the local laws, that might involve enforced compliance with the laws, a financial penalty (fines, etc) or some other punishment until compliance is established.
Can the government remove or block the IP if the site is not accessible?
That depends on which government and the specifics written into the laws. It seems unlikely that they would block the website because of non-compliance with accessibility legislation. It seems far more likely, though I am biased because of where I live (the United Kingdom), that reparations would be sought through the judicial system.
How could the government know if any website is not accessible? Do they check every single website?
In the United Kingdom it seems that complaints would be brought by disabled users that are prevented from successfully using/accessing the site or service. These complaints would likely be taken to the court system, see above.
It is even more likely that the user would inform the owner of the website directly, before bringing a complaint to court, in order to give you/the owners a chance to apologise (never underestimate the power of a sincere apology) and enhance the site.
[Do] only the people/company who make the inaccessible site get any notice from the government?
I would imagine, and this is why this isn't necessarily a great place to ask the question, that the owners would be notified. It is, however, quite likely that, as the site developer, you would quickly receive complaints from the owner of the site since you made it/designed it. But the legal burden of responsibility is likely to depend upon the contract under which you were employed/contracted.
If you feel that accessibility would add an undue burden upon yourself, it's always worth specifying to the client the costs of adding compliance with accessibility requirements, and telling them of the specific laws under which they are requirements.
But, for this, you need to speak to a lawyer.
Why are there so many accessibility guidelines -- WACG 1, WCAG 2.0, DDA, Section 508, etc.? If the whole world follows W3C for XHTML and CSS, then why have some countries made their own guidelines?
Because all laws are set locally, or, in some cases, internationally via treaties. The W3C can make suggestions and guidelines, but it is not, thankfully for IE, illegal not to comply with CSS2.1. It is, however, illegal not to comply with the DDA (Disability Discrimination Act) in the United Kingdom.
All the above is not the advice of a qualified legal representative, or counsel. For specific advice consult a lawyer who practices the law in the country/region in which your client is based, or in which your website/product will accessible.
This would imply a lawyer from the United Kingdom for a British local government website, for a German authority website it would, of course, imply the services of a lawyer from Germany.
Is it only mandatory to make site accessible for Govt. own website and for stock exchange listed corporate sites. or for all type of sites?
I can't speak as to the exact requirements, since I'm not a lawyer. However a quick Google turns up the following web-page that seems to address this question: http://www.webcredible.co.uk/user-friendly-resources/web-accessibility/uk-website-legal-requirements.shtml
To paraphrase the linked page:
The DDA makes it unlawful for a service provider to discriminate against a disabled person by refusing to provide any service that it provides to members of the general public.
I read this to mean that all websites that provide a service to the public are required to be accessible under the terms of the DDA. This would include Government websites, but also home-shopping websites (from, for example, Sainsbury's, Asda, Tesco's, etc) and the Royal Mail or cinema ticket-reservation sites.
From 01/10/1999 service providers must take reasonable steps to change any practice that makes it unreasonably difficult for disabled people to make use of its services
The key term here, I think, is 'reasonable steps.' I presume, from this, that if the website/service generates an income of £10000 per annum, and the cost of compliance with accessibility would be in excess of £10000 then you could argue that it exceeded any reasonable effort/cost to become compliant.
However, this is the reason that progressive enhancement is popular in Javascript and CSS. If the service, at its most basic, is accessible then Javascript and CSS can be used to make it prettier and shinier (whatever that means to you), but it should degrade back to a functional UI when JS or CSS are disabled. In this situation the site is compliant, but a disabled person might not have the same shiny, moving buttons.
Accessibility means that they must be able to access the service/site without unreasonable difficulty. It does not mean that the site has to look/behave exactly the same.
A direct quote from the linked page:
2.13 - 2.17 (p11-13): “What services are affected by the Disability Discrimination Act? An airline company provides a flight reservation and booking service to the public on its website. This is a provision of a service and is subject to the act.”
In addition to above answers:
The W3C has a page listing relevant laws in different countries, including links to the relevant laws (often in the language of that country though):
http://www.w3.org/WAI/Policy/
As I said, it's very hard to answer in general. I guess you will be getting a list of answers specific to countries - maybe a good idea to make it Community Wiki.
For Germany, according to Wikipedia and other sources:
Newly built web sites of federal administrative bodies in Germany have to be accessible by law since 2006. The accessibility guidelines are defined in a directive named BITV (german text here). BITV follows the WCAG 1.0 Guidelines very closely.
Similar laws exist for the country's sixteen states ("Länder").
The creation of accessible web sites is encouraged by a number of government and EU initiatives and private initiatives like the BIENE Award (German only).
To my knowledge, no plans to enforce accessibility in non-government websites exist at this time.
As to why countries implement their own guidelines, among other things, language certainly is an issue: To put guidelines into a law, you need the guidelines in your native language, double-checked by lawyers.
There is an ISO standard, ISO 23026 for reccomended practices for website engineering and website lifecycle management and this does not vary for country specific guidelines. This std includes clauses for website accessibility as well. This standard touches upon guidelines for website accessibility, usability and security, etc.
Why are there so many accessibility guidelines -- WACG 1, WCAG 2.0, DDA, Section 508, etc.?
Just on this point (and assuming “DDA” refers to the UK’s Disability Discrimination Act), the Act doesn’t contain any guidelines on web accessibility in particular.
It makes a legal requirement for companies to provide equivalent service to disabled and non-disabled customers, and that requirement applies to websites just like any other service.
But the Act doesn’t count as another set of guidelines in itself.
I believe Section 508 was based on, and is almost identical to, WCAG 1.
That just leaves WCAG 1 and 2, both of which are from the W3C, and version 2 now supersedes version 1. So there’s actually just one set of guidelines, unless you’ve got any more examples.

How to balance DRY principle with minimizing dependencies?

I'm having a problem with the DRY principle (Don't Repeat Yourself) and minimizing dependencies that revolves around Rete rules engines.
Rules engines in large IT organizations tend to be Enterprise (note the capital "E" - that's serious business). All rules must be expressed once, nice and DRY, and centralized in an expensive rules engine. A group maintains the rules engine and are the keepers of the rules sets.
When that IT organization is part of an American insurance company, there tend to be lots of rules. There are rules that apply to all states and products, but each state tends to evolve its own laws for different products, so the rules need to reflect these quirks. The categories are many: actuarial, underwriting, even for ordering credit and motor vehicle reports from 3rd party bureaus.
The problem that I have from a design standpoint is that centralizing rules and processing is certainly nice and DRY, but there are costs:
Additional network hops to access the centrally located rules service and return results;
Additional complexity if the rules engine is exposed as a SOAP web service - consumers have to package up SOAP requests and OXM the response back to their own domain;
Additional interfaces between the enterprise group that maintains the rules engine, the business that sets and maintains the rules, and the developers that consume them;
Additional complexity - sometimes a data-driven solution might be enough.
Additional dependencies - components who don't have control of their own rules have to worry about external dependencies on the rules engine for testing, deployment, releases, etc.
These problems crop up with lots of other Enterprise technologies (e.g., B2B gateways, ESBs, etc.)
The same Enterprise groups also tout SOA as a foundational principle. But my understanding of proper service design is that they should tile the business space and be idempotent, independent, and isolated. How can a service be independent and isolated if its rules are maintained somewhere else?
I'd like to err on the side of simplicity, arguing that eliminating dependencies should take precedence over centralization if the rules can be shown to apply only in isolated circumstances. I'm not sure the argument will win the day.
So my questions are:
Where do you fall on the centralization versus independence argument?
What's your experience with Enterprise tools like rules engines?
How can I make the argument for isolation stronger?
If my view is incorrect, what argument would you make in favor of centralization?
In the long run, easy maintenance of the whole thing would be an absolute requirement.
So DRY should be honoured at all cost even if that involves a loss of performance here and there, some additional configuration issues and other "minor" problems.
Also "independent" is different than "self-contained".
Otherwise imagine the situation when you need to change something and you have to contact a lot of different parties to force them to update. With DRY you also solve the problem of having incompatible versions running at the same moment for a brief period of time.
So
Centralization > Indepenence (at least in the system you describe)
Single point of truth for rule engines (everybody on the same page)
Remind them the cost of maintenance as years pass
I find your view correct.
Your question is very Enterprise-specific, and I'm more into desktop stuff, so I hope this answer is not too general.
I liked the concept of Don't Repeat Yourself, until I found out how it was being codified and ossified. I liked it because it agreed with me (duh!) and my own ideas about how to make code more maintainable and less error-prone.
Basically, I see greater maintainability as requiring more of a learning curve on the part of the maintainer. I don't think there's an easy way around that. Here's an example of how to increase maintainability by a good factor, but not without a learning curve.

Requirements Gathering

Locked. This question and its answers are locked because the question is off-topic but has historical significance. It is not currently accepting new answers or interactions.
How do you go about the requirements gathering phase? Does anyone have a good set of guidelines or tips to follow? What are some good questions to ask the stakeholders?
I am currently working on a new project and there are a lot of unknowns. I am in the process of coming up with a list of questions to ask the stakeholders. However I cant help but to feel that I am missing something or forgetting to ask a critical question.
You're almost certainly missing something. A lot of things, probably. Don't worry, it's ok. Even if you remembered everything and covered all the bases stakeholders aren't going to be able to give you very good, clear requirements without any point of reference. The best way to do this sort of thing is to get what you can from them now, then take that and give them something to react to. It can be a paper prototype, a mockup, version 0.1 of the software, whatever. Then they can start telling you what they really want.
See obligatory comic below...
In general, I try and get a feel for the business model my customer/client is trying to emulate with the application they want built. Are we building a glorified forms processor? Are we retrieving data from multiple sources in a single application to save time? Are we performing some kind of integration?
Once the general businesss model is established, I then move to the "must" and "must nots" for the application to dictate what data I can retrieve, who can perform what functions, etc.
Usually if you can get the customer to explain their model or workflow, you can move from there and find additional key questions.
The one question I always make sure to ask in some form or another is "What is the trickiest/most annoying thing you have to do when doing X. Typically the answer to that reveals the craziest business/data rule you'll have to implement.
Hope this helps!
Steve Yegge talks fun but there is money to be made in working out what other people's requirements are so i'd take his article with a pinch of salt.
Requirements gathering is incredibly tough because of the manner in which communication works. Its a four step process that is lossy in each step.
I have an idea in my head
I transform this into words and pictures
You interpret the pictures and words
You paint an image in your own mind of what my original idea was like
And humans fail miserably at this with worrying frequency through their adorable imperfections.
Agile does right in promoting iterative development. Getting early versions out to the client is important in identifying what features are most important (what ships in 0.1 - 0.5 ish), helps to keep you both on the right track in terms of how the application will work and quickly identifies the hidden features that you will miss.
The two main problem scenarios are the two ends of the scales:
Not having a freaking clue about what you are doing - get some domain experts
Having too many requirements - feature pit. - Question, cull (prioritise ;) ) features and use iterative development
Yegge does well in pointing out that domain experts are essential to produce good requirements because they know the business and have worked in it. They can help identify the core desire of the client and will help explain how their staff will use the system and what is important to the staff.
Alternatives and additions include trying to do the job yourself to get into the mindset or having a client staff member occasionally on-site, although the latter is unlikely to happen.
The feature pit is the other side, mostly full of failed government IT projects. Too much, too soon, not enough thought or application of realism (but what do you expect they have only about four years to make themselves feel important?). The aim here is to work out what the customer really wants.
As long as you work on getting the core components correct, efficient and bug-free clients usually remain tolerant of missing features that arrive in later shipments, as long as they eventually arrive. This is where iterative development really helps.
Remember to separate the client's ideas of what the program will be like and what they want the program to achieve.
Some clients can create confusion by communicating their requirements in the form of application features which may be poorly thought out or made redundant by much simpler functionality then they think they require. While I'm not advocating calling the client an idiot or not listening to them I feel that it is worth forever asking why they want a particular feature to get to its underlying purpose.
Remember that in either scenario it is of imperative importantance to root out the quickest path to fulfilling the customers core need and put you in a scenario where you are both profiting from the relationship.
Wow, where to start?
First, there is a set of knowledge someone should have to do analysis on some projects, but it really depends on what you are building for who. In other words, it makes a big difference if you are modifying an enterprise application for a Fortune 100 corporation, building an iPhone app, or adding functionality to a personal webpage.
Second, there are different kinds of requirements.
Objectives: What does the user want to accomplish?
Functional: What does the user need to do in order to reach their objective? (think steps to reach the objective/s)
Non-functional: What are the constraints your program needs to perform within? (think 10 vs 10k simultaneous users, growth, back-up, etc.)
Business rules: What dynamic constraints do you have to meet? (think calculations, definitions, legal concerns, etc.)
Third, the way to gather requirements most effectively, and then get feedback on them (which you will do, right?) is to use models. User cases and user stories are a model of what the user needs to do. Process models are another version of what needs to happen. System diagrams are just another model of how different parts of the program(s) interact. Good data modeling will define business concepts and show you the inputs, outputs, and changes that happen within your program. Models (and there are more than I listed) are really the key to the concern you list. A few good models will capture the needs and from models you can determine your requirements.
Fourth, get feedback. I know I mentioned this already, but you will not get everything right the first time, so get responses to what your customer wants.
As much as I appreciate requirements, and the models that drive them, users typically do not understand the ramifications of of all their requests. Constant communication with chances for review and feedback will give users a better understanding of what you are delivering. Further, they will refine their understanding based on what they see. Unless you're working for the government, iterations and / or prototypes are helpful.
First of all gather the requirements before you start coding. You can begin the design while you are gathering them depending on your project life cicle but you shouldn't ever start coding without them.
Requirements are a set of well written documents that protect both the client and yourself. Never forget that. If no requirement is present then it was not paid for (and thus it requires a formal change request), if it's present then it must be implemented and must work correctly.
Requirements must be testable. If a requirement cannot be tested then it isn't a requirement. That means something like, "The system "
Requirements must be concrete. That means stating "The system user interface shall be easy to use" is not a correct requirment.
In order to actually "gather" the requirements you need to first make sure you understand the businness model. The client will tell you what they want with its own words, it is your job to understand it and interpret it in the right context.
Make meetings with the client while you're developing the requirements. Describe them to the client with your own words and make sure you and the client have the same concept in the requirements.
Requirements require concise, testable example, but keep track of every other thing that comes up in the meetings, diagrams, doubts and try to mantain a record of every meeting.
If you can use an incremental life cycle, that will give you the ability to improve some bad gathered requirements.
You can never ask too many or "stupid" questions. The more questions you ask, the more answers you receive.
According to Steve Yegge that's the wrong question to ask. If you're gathering requirement it's already too late, your project is doomed.
High-level discussions about purpose, scope, limitations of operating environment, size, etc
Audition a single paragraph description of the system, hammer it out
Mock up UI
Formalize known requirements
Now iterate between 3 and 4 with more and more functional prototypes and more specs with more details. Write tests as you go. Do this until you have functional software and a complete, objective, testable requirements spec.
That's the dream. The reality is usually after a couple iterations everybody goes head-down and codes until there's a month left to test.
Gathering Business Requirements Are Bullshit - Steve Yegge
read the agile manifesto - working software is the only measurement for the success of a software project
get familiar with agile software practices - study Scrum , lean programming , xp etc - this will save you tremendous amount of time not only for the requirements gathering but also for the entire software development lifecycle
keep regular discussions with Customers and especially the future users and key-users
make sure you talk to the Persons understanding the problem domain - e.g. specialists in the field
Take small notes during the talks
After each CONVERSATION write an official requirement list and present it for approving. Later on it would be difficult to argue against all agreed documentation
make sure your Customers know approximately what are the approximate expenses in time and money for implementing "nice to have" requirements
make sure you label the requirements as "must have" , "should have" and "nice to have" from the very beginning, ensure Customers understand the differences between those types also
integrate all documents into the latest and final requirements analysis (or the current one for the iteration or whatever agile programming cycle you are using ... )
remember that requirements do change over the software life cycle , so gathering is one thing but managing and implementing another
KISS - keep it as simple as possible
study also the environment where the future system will reside - there are more and more technological restraints from legacy or surrounding systems , since the companies do not prefer to throw to the garbage the money they have invested for decades even if in our modern minds 20 years old code is garbage ...
Like most stages of the software development process its iteration works best.
First find out who your users are -- the XYZ dept,
Then find out where they fit into the organisation -- part of Z division,
Then find out what they do in general terms -- manage cash
Then in specific terms -- collect cash from tills, and check for till fraud.
Then you can start talking to them.
Ask what problem they want you want to solve -- you will get an answer like write a bamboozling system using OCR with shark technoligies.
Ignore that answer and ask some more questions to find out what the real problem is -- they cant read the till slips to reconcile the cash.
Agree a real solution with the users -- get a better ink ribbon supplier - or connect the electronic tills to the network and upload the logs to a central server.
Then agree in detail how they will measure the success of the project.
Then and only then propose and agree a detailed set of requirements.
I would suggest you to read Roger-Pressman's Software Engineering: A Practitioner's Approach
Before you go talking to the stakeholders/users/anyone be sure you will be able to put down the gathered information in a usefull and days-lasting way.
Use a sound-recorder if it is OK with the other person and the information is bulky.
If you heard something important and you need some reasonable time to write it down, you have two choices: ask the other person to wait a second, or say goodbye to that precious information. You wont remember it right, ask any neuro-scientist.
If you detect that a point need deeper review or that you need some document you just heard of, make sure you make a commitment with the other person to send that document or schedule another meeting with a more specific purpose. Never say "I'll remember to ask for that xls file" because in most cases you wont.
Not to long after the meeting, summarize all your notes, recordings and fresh thoughts. Just summarize it rigth. Create effective reminders for the commitments.
Again, just after the meeting, is the perfect time to understand why the gathering you just did was not as right as you thought at the end of the meeting. That's when you will be able to put down a lot of meaningful questions for another meeting.
I know the question was in the perspective of the pre-meeting, but please be aware that you can work on this matters before the meeting and end up with a much usefull, complete and quality gathering.
I've been using mind mapping (like a work breakdown structure) to help gather requirements and define the unknowns (the #1 project killer). Start at a high level and work your way down. You need to work with the sponsors, users and development team to ensure you get all the angles and don't miss anything. You can't be expected to know the entire scope of what they want without their involvement...you - as a project manager/BA - need to get them involved (most important part of the job).
There are some great ideas here already. Here are some requirements gathering principles that I always like to keep in mind:
Know the difference between the user and the customer.
The business owners that approve the shiny project are usually the customers. However, a devastating mistake is the tendency to confuse them as the user. The customer is usually the person that recognizes the need for your product, but the user is the person that will actually be using the solution (and will most likely complain later about a requirement your product did not meet).
Go to more than one person
Because we’re all human, and we tend to not remember every excruciating detail. You increase your likelihood of finding missed requirements as you talk to more people and cross-check.
Avoid specials
When a user asks for something very specific, be wary. Always question the biases and see if this will really make your product better.
Prototype
Don’t wait till launch to show what you have to the user. Do frequent prototypes (you can even call them beta versions) and get constant feedback throughout the development process. You’ll probably find more requirements as you do this.
I recently started using the concepts, standards and templates defined by the International Institute of Business Analysts organization (IIBA).
They have a pretty good BOK (Book of Knowledge) that can be downloaded from their website. They do also have a certificate.
Requirements Engineering is a bit of an art, there are lots of different ways to go about it, you really have to tailor it to your project and the stakeholders involved. A good place to start is with Requirements Engineering by Karl Wiegers:
http://www.amazon.com/Software-Requirements-Second-Pro-Best-Practices/dp/0735618798/ref=pd_bbs_sr_2?ie=UTF8&s=books&qid=1234910330&sr=8-2
and a requirements engineering process which may consist of a number of steps e.g.:
Elicitation - for the basis for discussion with the business
Analysis and Description - a technical description for the purpose of the developers
Elaboration, Clarification, Verification and Negotiation - further refinement of the requirements
Also, there are a number of ways of documenting the requirements (Use Cases, Prototypes, Specifications, Modelling Languages). Each have their advantages and disadvantages. For example prototypes are very good for elicitation of ideas from the business and discussion of ideas.
I generally find that writing a set of use cases and including wireframe prototypes works well to identify an initial set of requirements. From that point it's a continual process of working with technical people and business people to further clarify and elaborate on the requirements. Keeping track of what was initially agreed and tracking additional requirements are essential to avoid scope creep. Negotiation plays a bit part here also between the various parties as per the Broken Iron Triangle (http://www.ambysoft.com/essays/brokenTriangle.html).
IMO the most important first step is to set up a dictornary of domain-specific words. When your client says "order", what does he mean? Something he receives from his customers or something he sends to his suppliers? Or maybe both?
Find the keywords in the stakeholders' business, and let them explain those words until you comprehend their meaning in the process. Without that, you will have a hard time trying to understand the requirements.
i wrote a blog article about the approach i use:
http://pm4web.blogspot.com/2008/10/needs-analysis-for-business-websites.html
basically: questions to ask your client before building their website.
i should add this questionnaire sheet is only geared towards basic website builds - like a business web presence. totally different story if you are talking about web-based software. although some of it is still relavant (e.g. questions relating to look and feel).
LM
I prefer to keep my requirements gathering process as simple, direct and thorough as possible. You can download a sample document that I use as a template for my projects at this blog posting: http://allthingscs.blogspot.com/2011/03/documenting-software-architectural.html

Resources