U Rock, because you just do. This is simply a place to say we like the things you do. They help. U R Great. Way to go! Don't be bashful. You deserve it.

If you want to recommend someone who just totally rocks, send us the write up and maybe we will add that contributor to the list. We will not use this area to advertise and we have to agree that the content is worth public praise.  mailto:URock@pbandsp.com

May 29, 2006 Round Table of Excellence (Round means not ordered)
U Rock
IT Process Improvement:

George Spafford

Spafford Global Consulting, Inc.

Risk Mitigation Considerations for Backup and Restoration Processes

Thanks for the opportunity to review your new document. For those who share a passion for controls and IT process, here is the PDF. More information about George is located at the bottom of this page and in the partner section.
  http://www.spaffordconsulting.com/Risk Mitigation Considerations for Data Backup Processes_gs_050606_v1d.pdf
   
U Rock
Nice Post!

 

Tianna N. Brown

ValueClick Corp.

 

With the humble comment "a quick review," Tianna reminds us that these are the high points of where we are with SOX. Way to go, and nice slideshow. It is harder to be brief and clear than to be comprehensive.

Here's the show: Thinking Outside SarBox

   
U Rock
 
CMU and IT Services Qualification Center (ITSqc) at Carnegie Mellon University

eSCM-CL Release Underway

The eSourcing Capability Model for Client Organizations (eSCM-CL) Part 1 was released today for public review. As promised, we are notifying you about its availability from our website; download your copy from the ITSqc website at http://itsqc.cmu.edu/downloads. This draft follows the November 2005 release of the white paper describing the Model's architecture. Part 2 of eSCM-CL, which provides the detailed best practices in sourcing management for IT-enabled services, will be released during 2Q06.

ITSqc Research Consortium New Members

Newest members of the ITSqc Research Consortium are CA, Deloitte, DBA Engineering, Hewlett-Packard (HP), and Wachovia Financial.

These organizations join current Consortium members: Accenture, COPPE - Federal University of Rio de Janeiro, EDS, IBM Global Services, itSMF U.S., the Outsourcing Institute (OI), Phoenix Health Systems, Satyam Computer Services, Ltd., STQC, and TPI. The members of the ITSqc Research Consortium support and participate in the R&D activities of the Center. For information about joining the Consortium to participate in these activities, please contact us.

eSCM-SP Comparison Reports

Reports detailing the relationship between the eSourcing Capability Model for Service Providers (eSCM-SP), ITSqc's best practices model for IT-enabled service providers, and other quality or improvement frameworks are available to support your ongoing improvement efforts. The eSCM-SP comparison with CMMI was recently released. If you are already implementing CMMI and want to determine the relationship and coverage of eSCM-SP best sourcing practices, please see this Technical Report. If your organization is considering eSCM-SP adoption, and has one or more major quality models or frameworks in place, please see our technical reports for a comparative analysis of the coverage and relationships between eSCM-SP and CMMI v1.1, COBIT, BS 15000/ITIL, Software CMM, COPC 2000, ISO 9001, and BS 7799/ISO 17799. These reports are available at itsqc.cmu.edu/downloads.

For further information about the ITSqc or any of these items, please visit our website at itsqc.cmu.edu or contact: Jane Siegel, ITSqc Director, jals@cs.cmu.edu; Bill Hefley, ITSqc Associate Director, hefley@cmu.edu; Jeff Perdue, ITSqc Associate Director, jperdue@cs.cmu.edu.

   
U Rock
 

IIA

GTAG4

GTAG Four Monitor Risk

 

NEW TODAY!

Sox 404 Guidance

Bravo to the teams producing GTAG 4 of an outstanding series for IT audit sponsored by the IIA.

Guide 4: Management of IT Auditing

Management of IT Auditing is the fourth guide in the Global Technology Audit Guide (GTAG) series. There is no question that IT is changing the nature of the internal audit function. The risks companies face, the types of audits that should be performed, how to prioritize the audit universe, and how to deliver insightful findings are all issues with which the chief audit executive (CAE) must grapple. This guide is designed for the CAE and internal audit management personnel who are responsible for overseeing IT audits. Its purpose is to help sort through the strategic issues regarding planning, performing, and reporting on IT audits. Consideration is given to the fundamentals as well as emerging issues. It covers how to:

Define IT – What areas should be considered for inclusion in an IT audit plan? The CAE should be able to measure his or her planned IT audit scope against the guidelines presented here to help ensure that the scope of IT audit procedures is adequate.

Evaluate IT-related Risk – It is clear that the evolution of IT introduces new risks into an organization. This guide will help the CAE understand how to best identify and quantify these IT-related risks. Doing so will help ensure that IT audit procedures and resources are focused on the areas that represent the most risk to the organization.

Define the IT Audit Universe – IT audit resources are typically scarce, and IT audit demands are substantial. A section on defining the IT audit universe will help the CAE understand how to build an IT audit plan that effectively balances IT audit needs with resource constraints.

Execute IT Audits – The proliferation and complexity of IT dictates the need for new IT audit procedures. Auditing by checklist or by inquiry is likely to be insufficient. This book offers specific guidance for the CAE on how to execute IT audit procedures and how to understand what standards and frameworks exist in the marketplace that can support required procedures.

Manage the IT Audit Function – Managing the IT audit function may require new management techniques and procedures. This guide provides helpful hints and techniques for maximizing the effectiveness of the IT audit function and managing IT audit resources.

Emerging Issues – IT evolves rapidly. This evolution can introduce significant new risks into an organization. The world class CAE focuses IT audit attention on not just the basic building blocks of IT, but also new and emerging technologies. A section on emerging issues will provide specific information on a number of emerging technologies, evaluate the risks that these technologies pose to an organization, and provide recommendations for how the CAE should respond to these risks.

The focus of this guide is on providing pragmatic information in plain English, with specific recommendations that a CAE can implement immediately. Further consideration is given to providing questions that a CAE can ask to help understand if his or her IT audit function is a high performer.

Author: Michael Juergens, Principal, Deloitte & Touche LLP

Contributing Author: David Maberry, Senior Manager, Deloitte & Touche LLP

Download GTAG 4: Management of IT Auditing (PDF, 377KB)

Download GTAG 4 PowerPoint slides (PPT, 405KB)

 

   
U Rock
Go OCEG! Open Compliance and Ethics Group Launches OCEG IT Forum 2006!
OCEG Spring Conference: OCEG Spring Brochure

Bravo OCEG on your Great Success!

Gathered for two days at the elegant and prestigious Harvard Club of Boston, Massachusetts, world experts pondered, compared and proposed solutions to the complex ethical requirements of modern-day "compliance". Brilliant presentations by all.

Given the limits of being a single attendee, special kudos to Bob Frelinger and Jonathan Fox (Sun Microsystems), Michael Rasmussen (Forrester), Steve Mar (Microsoft Corporation), Marios Damianides (Ernst & Young) and Al Schmidt (Arch) for their constructive advice regarding pragmatic steps, with positive business impact, toward meeting regulatory compliance. Also noteworthy was their personal reach to the member audience, giving attention to its unique requirements. All presenters were excellent. Great efforts on the part of all OCEG board members made this conference a fantastic two-day experience.

Many thanks!

With the next gathering scheduled in California, PB&SP will certainly be there in both spirit and contribution.

Some highlights:

Dan Swanson's newly released internal audit guide, Evaluating a Compliance and Ethics Program

What people are saying about the OCEG IT Forum:

"As a founding member of OCEG, we support OCEG's mission to provide resources to help accomplish governance, compliance and risk management activities in a manner that protects and enhances business performance," said Lee Dittmar, Deloitte Consulting, LLP. "The OCEG IT Forum is an important part of this mission, as information technology plays a critical role in enabling efficient and effective governance, compliance and risk management."

"OCEG has emerged as an invaluable resource for organizations looking for practical and objective information and guidance," said Michael Rasmussen, VP of Risk Management, Forrester Research. "The OCEG IT Forum is a welcome addition to their already impressive collection of activities. Whether you manage, use, sell or add value to technology, the OCEG IT Forum should serve as a valuable resource."

"Technology and the operational advantages it can facilitate will clearly play a material role in any organization's successful adoption of effective governance, risk and compliance practices," said Scott Mitchell, CEO of OCEG. "The OCEG IT Forum will serve as a lightning rod for companies, technology suppliers and regulators seeking to benchmark themselves and perfect their practices and policies."

"Qwest understands better than anyone that technology plays a central role in every facet of an effective business. We will be looking to the OCEG IT Forum as one more trusted source of information on this strategic topic," said Dave Heller, Chief Ethics & Compliance Officer and VP, Risk Management at Qwest.

   
U Rock
Bob Frelinger
 

Great job teaching the CobiT® Implementation training in Orlando and presenting for the entire conference on the topic of implementing CobiT® for Sun Microsystems. GreatDoc

People were commenting about the tremendous value of Bob's presentation of ITGI publications to the OCEG members.  Great job and well received. 

   
U Rock
OASIS. Also see the Business Transactions TC in the section titled Announcements (updates courtesy of Carol Geyer).
 

CoverPages (see announcement)

OASIS in the news again! Massachusetts Releases Enterprise Technical Reference Model Version 3.0.

   
U Rock
George Spafford President, Spafford Global Consulting, Inc.
 

George Spafford, an identified "eagle" and lifetime member of Robin's Roundtable of Excellence.

Start by adding Spafford Consulting's "Daily News" to your information awareness routine.

"The Daily News is intended to find articles/resources of interest in areas impacting information technology including regulatory compliance, process improvement, human error, outsourcing, quality management, security, ... If you wish to join the email list or leave it, please send an email to george@spaffordconsulting.com. If you have compliance, security or technology business news articles or resources that you feel may interest the list, please send an email to the same address. Also, always feel free to forward the Daily News emails on to your friends and colleagues. The desire is to share the information and grow the list's membership."

Book: George Spafford co-authored The Visible Ops Handbook with Gene Kim and Kevin Behr. The book covers a methodology designed to assist organizations that want to begin using the IT Infrastructure Library (ITIL) for process improvement. Orders for the book can be placed on the ITPI website.
   
U Rock
Bruce Silver
CMP-UROCK
I've been working in and writing about business process for over a decade, so my reading interests may be skewed. Bruce Silver, however, is clearly my kindred soul. He keeps his eye on important topics and I really like the way he writes. That said, most of my favorite recent articles were written by Bruce:

  • Analysis: Five Reasons to Invest in Process Management. BPM is both a management philosophy and a software tool. Bruce Silver outlines what it can do for your organization. January 23, 2006
  • Sizing Up the BPM 'Leaders'. Time to demand change from the perceived process leaders. January 1, 2006
  • Put Plug and Play on the Process Checklist. The latest analysis from Gartner holds that "pure-play BPM" is dead; the new game is "BPM suites." November 1, 2005
Content:
  • The Other Half of the Integration Problem. Counting file systems, e-mail servers and disparate repositories, unstructured information is all over the place. Content integration consolidates search, access and management control, but which approach is best for your enterprise?
  • There's new hope we'll tap the process know-how trapped in Visio. September 1, 2005
  • Content in the Age of XML. Can you manage documents with the ease and automation of data? Is there a payoff in a structured approach? Will compliance demands usher in a new era? The answer to all these questions is yes, but complicated authoring tools and the burden of enterprise-wide planning stand in the way of change. Here's how, and in which industries, management will adapt. June 1, 2005
   
U Rock
Charles Le Grand is founder and CEO of CHL Global Associates
RecentWritingbyCL

Charles Le Grand is founder and CEO of CHL Global Associates.  He has more than 30 years experience dealing with security, reliability, compliance, risk, and assurance matters in information and related technologies.  He has served in various management positions and IT roles ranging from programmer / analyst, to IT auditor, to CIO; and managed many successful systems projects.  He is a recognized author and speaker on a wide range of technology topics. 

He produced board-level guidance on information security for the U.S. Critical Infrastructure Assurance Office (CIAO, now part of the Department of Homeland Security), and coordinated the development of information security metrics for a subcommittee of the U.S. House of Representatives.

Prior to forming CHL Global Associates, Mr. Le Grand directed the work of The Institute of Internal Auditors Research Foundation that produced the landmark Systems Auditability and Control (SAC) reports.  He served as IIA’s director of technology practices and helped to provide guidance and representation for the internal auditing profession, liaising with other professional and regulatory bodies.  He also served as IIA's CIO to develop and implement a three-year project that migrated IIA systems and networks to the Internet, architected and implemented its first two web sites (www.TheIIA.org and www.ITAudit.org), implemented its first email systems, and provided the secure framework for a global communication network.

Mr. Le Grand provided expert testimony to the U.S. President’s Commission on Critical Infrastructure Protection.  He served on the board of directors of the Partnership for Critical Infrastructure Security, the Executive Committee of the Generally Accepted Information Security Principles Committee, the Advanced Technology Committee of The Institute of Internal Auditors, the National Cyber Security Partnership, and the Center for Continuous Auditing.  He was co-leader of a team that developed “Information Security Program Elements” and “Information Security Metrics” for the Corporate Information Security Working Group.  He also serves in an advisory capacity to the U.S. President’s National Infrastructure Advisory Council, and the American Bar Association’s Information Security Committee.

Mr. Le Grand earned a bachelor degree from Auburn University School of Engineering, is a Certified Internal Auditor, a Certified Information Systems Auditor, and has the Basic and Standard certificates from the American Institute of Banking.  CHL Global Associates works with and through a global array of professional affiliates and associates to bring the best available talent to bear in providing solutions and responding to opportunities.

http://www.chlglobalassociates.com/

U Rock
Dan Swanson CIA, CMA, CAP,CISA, CISSP

danSwanson email

Join Dan's SECemail list

Director of Professional Practices at the Institute of Internal Auditors (The IIA) from May 1, 2003 until November 15, 2005; Dan is now back in private practice and a continuing source of audit excellence information that should certainly be kept on everyone's watch. Dan's SEC and CCC newsletters are available through Yahoo Groups. How do we thank people enough for a lifetime of commitment to our reading and audit best

To subscribe to Dan's 2 email lists send a blank email to each address:
Dans_CCCemails-subscribe@yahoogroups.com  Dans_SECemails-subscribe@yahoogroups.com

Dan is an independent management consultant, President and CEO of Dan Swanson & Associates. Dan was previously the Director of Professional Practices at the Institute of Internal Auditors (The IIA), from May 1, 2003 to November 15, 2005 and prior to The IIA, he was an independent management consultant for more than ten years. Dan has over twenty-six (26) years of experience with an extensive background in Internal Audit, Information Systems, General Management, Information Security, Management Consulting, and Project Management. Over a twenty-year period Dan has completed audit projects for over 30 organizations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors.

Dan has completed over 100 audits in his career including: operational audits, system audits, financial audits, value-for-money audits, comprehensive audits, and many more. Dan has completed almost 50 IT conversion audits and a dozen comprehensive audits of the Information Technology function including the RCMP, Canadian Air Force, and Farm Credit Corporation. Finally, he has published over 60 articles for seven different magazines.

 

   
U Rock
CobiT® 4.0 and CobiT® Steering Committee "GO ITGI and ISACA!"


Aligning CobiT®, ITIL and ISO 17799 for Business Benefit: A Management Briefing from the IT Governance Institute and the Office of Government Commerce

As stated on the ISACA web site: "This management briefing is the result of a joint study, initiated by the IT Governance Institute (ITGI) and the UK government's Office of Government Commerce (OGC), in response to the growing significance of best practices to the IT industry and the need for senior business and IT managers to better understand the value of IT best practices and how to implement them. Specific practices, such as CobiT®, ITIL and ISO 17799, are addressed in this report. This document shows how they all interrelate.

The briefing suggests how implementation should be tailored, prioritized and planned to achieve effective use. To achieve alignment of best practice to business requirements, it is recommended that CobiT® be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every organization. Specific practices and standards such as ITIL and ISO 17799 cover discrete areas and can be mapped up to the CobiT® Framework, thus providing a hierarchy of guidance materials.

The ITGI and OGC plan, as part of future updates to their best practices, to further align terminology and content of their practices with other practices to facilitate easier integration."

CobiT 4.0 New Model

CobiT® 4.0

As stated on the ISACA web site: "Successful organizations understand the benefits of information technology (IT) and use this knowledge to drive their shareholders' value. They recognize the critical dependence of many business processes on IT, the need to comply with increasing regulatory demands and the benefits of managing risk effectively. To aid organizations in successfully meeting today's business challenges, the IT Governance Institute® (ITGI) has published version 4.0 of Control Objectives for Information and related Technology (CobiT®).

CobiT® is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. CobiT® enables clear policy development and good practice for IT control throughout organizations. ITGI's latest version, CobiT® 4.0, emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the CobiT® framework. It does not invalidate work done based on earlier versions of CobiT® but instead can be used to enhance work already done based upon those earlier versions. When major activities are planned for IT governance initiatives, or when an overhaul of the enterprise control framework is anticipated, it is recommended to start fresh with CobiT® 4.0. CobiT® 4.0 presents activities in a more streamlined and practical manner so continuous improvement in IT governance is easier than ever to achieve."

   
U Rock
Brian Selby, Director of CobiT® Initiatives
  Brian Selby is the Director of CobiT® Initiatives, and I feel is by far a leader in achieving the impossible in project management. In the last two years, the project steering committee has produced and enhanced CobiT® and multiple CobiT®-aligned products. This is a short list of what one finds on the CobiT® pages of the ISACA web site:
  • CobiT® Online went live on 1 October 2003 and its second version became available in April 2004. A further enhancement was issued in fourth quarter 2004. As its name suggests, CobiT® Online is a web-enabled version of CobiT®, accessible completely through a browser. Access is by ISACA member and subscriber. Content includes all of CobiT®, search of all PDFs of the six CobiT® documents, and secure access to survey results. Additional functionality includes benchmarking, a community area and the addition of control practices for all 34 IT control processes.
  • CobiT® Security Baseline, a version of CobiT® focusing on the security-related elements of CobiT® and targeted to a variety of audiences, from the home user to the manager to the executive, is now available from the ISACA Bookstore.
  • CobiT® in Academia, which consists of instruction on using CobiT® in the classroom, including several case studies, is now available to qualified instructors.
  • CobiT® implementation and assurance courses are in development. A new project, with the working title of ValIT, is underway and should be available by end of 2005.
  • and of course, CobiT® 4.0

U Rock 2: Tom Lamm, Director of Research, Standards and Academic Relations. Teamwork at its best.

Thomas Lamm, Director of Research, Standards and Academic Relations (tlamm@isaca.org), is the primary organizer and facilitator for the Standards Board, charged with the definition and development of IS auditing standards and their associated interpretations and guidelines. The current product of this organization, representing IS standards for IT audit, is found at <http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=15706>. This committee seeks ways to further disseminate ISACA's standards and guidelines through strategic alliances with other organizations. The IIA has adopted several ISACA guidelines as practice advisories. ISO, ITIL and COSO are heavily represented in the collaborative works of the Standards Board.

   
U Rock
Todd Glassey

Gentlemen, get your ballerina slippers on, cuz Todd's gonna keep you on your toes...

 

Sample post:

In reviewing the text of the VAWA http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.3402 annoyance clause...

"Whoever...utilizes any device or software that can be used to originate telecommunications or other types of communications that are transmitted, in whole or in part, by the Internet without disclosing his identity and with intent to annoy, abuse, threaten, or harass any person who receives the communications shall be fined under title 18 or imprisoned not more than two years, or both."

This has interesting implications with regard to the HR responses to the unauthorized use of corporate IP infrastructure as well. At the very least this new law needs to be noticed in Corporate Email Policy to protect the Entity from any malfeasance performed against it or another through its infrastructure, where it could be constrained to have liability or otherwise not. The basis of this is criminal sanctions put in place under the 18 USC claim, which instantly mean RICO under the provisions of Fraud By Wire and the potential $$$ damages made under it, as well as the pain and damages of the CAN-SPAM and CFAA acts here in the US.

Based on these alone, this policy needs to become a part of the standard AUP boilerplate IMHO at the very least.

Todd Glassey

 

   
U Rock
Bruce Winters
 

GRC, Tools and continuous audit

Layer One: Sources
Multiple sources of data and content exist, both internal and external to the enterprise. Note that the sources may consist of structured (e.g., system) or unstructured (e.g., document) data.
Layer Two: Connectivity
This layer provides the real-time connectivity to the data sources, as well as transforming the data/content into a standardized format (XML based).
Layer Three: Repository & Processing
This layer provides the repository for all compliance-related data and provides a Business Process Management (BPM) and Business Rules component where management of business processes and process metrics monitoring are executed.
Layer Four: Governance, Risk & Compliance Modules
This layer provides specific modules of governance and compliance functionality that leverage the content/data and associated processing from the underlying layers. Modules are optional, and could include: Digital Dashboard & Scorecards, Sarbanes-Oxley Module, Organization Module, Survey Engine (e.g., control self-assessment survey), etc.
Layer Five: User Interaction
This layer provides all user interaction that will be necessary, including internal web portals, email and real-time messaging such as pagers and Blackberry devices.
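The five layers above describe a pipeline rather than a product. As an added illustration (not code from Bruce Winters, PwC or this page), here is a minimal continuous-audit run in Python that keeps the same shape: two constructed sources (a change-ticket CSV and a deployment log), connectivity adapters that normalise both into one record type and can emit the XML form the second layer calls for, an in-memory repository with two business rules forming a change-control module, and a plain-text scorecard standing in for the user-interaction layer. The control IDs CM-1 and CM-2, the field names and all sample data are assumptions made for the example.

```python
"""Five-layer continuous-audit pipeline (added example, not the page's own code).

Sources (layer 1) -> connectivity adapters (layer 2) -> repository and rules
(layer 3) -> change-control module (layer 4) -> scorecard rendering (layer 5).
All data, field names and control IDs below are constructed for the example.
"""
import csv
import io
import re
import xml.etree.ElementTree as ET
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple

# Layer One: sources. A structured export from a ticketing system (constructed)...
TICKETS_CSV = """ticket,requester,approver,status
CHG-101,alice,bob,approved
CHG-102,carol,carol,approved
CHG-103,dave,erin,open
"""

# ...and an unstructured deployment log (constructed). The last line has no ticket.
DEPLOY_LOG = """\
2006-05-29T10:02:11 host=erp01 user=alice action=deploy ticket=CHG-101 pkg=gl-2.3
2006-05-29T11:15:40 host=erp01 user=carol action=deploy ticket=CHG-102 pkg=ap-1.9
2006-05-29T13:30:05 host=erp02 user=dave action=deploy ticket=CHG-103 pkg=ar-4.0
2006-05-29T14:45:59 host=erp02 user=frank action=deploy pkg=hotfix-7
"""


@dataclass
class Record:
    """Standardised record shared by every source (the layer-two format)."""
    kind: str                      # "ticket" or "change"
    ticket: Optional[str]
    actor: str                     # requester (ticket) or deploying user (change)
    approver: Optional[str] = None
    status: Optional[str] = None
    host: Optional[str] = None


# Layer Two: connectivity adapters, one per source, each yielding Records.
def ingest_tickets(text: str) -> List[Record]:
    rows = csv.DictReader(io.StringIO(text))
    return [Record("ticket", r["ticket"], r["requester"], r["approver"], r["status"])
            for r in rows]


LOG_KV = re.compile(r"(?P<key>\w+)=(?P<val>\S+)")


def ingest_deploy_log(text: str) -> List[Record]:
    out = []
    for line in text.splitlines():
        kv = dict(LOG_KV.findall(line))           # key=value pairs after the timestamp
        out.append(Record("change", kv.get("ticket"), kv["user"], host=kv.get("host")))
    return out


def to_xml(records: List[Record]) -> str:
    """Render the standardised records as XML, as the connectivity layer specifies."""
    root = ET.Element("records")
    for rec in records:
        el = ET.SubElement(root, rec.kind)
        for key, val in asdict(rec).items():
            if val is not None and key != "kind":
                el.set(key, val)
    return ET.tostring(root, encoding="unicode")


# Layer Three: repository plus rules processing.
Finding = Tuple[str, Record, str]   # (control id, offending record, message)


class Repository:
    def __init__(self, records: List[Record]) -> None:
        self.tickets: Dict[str, Record] = {r.ticket: r for r in records if r.kind == "ticket"}
        self.changes: List[Record] = [r for r in records if r.kind == "change"]


def rule_change_has_approved_ticket(repo: Repository) -> List[Finding]:
    """CM-1 (assumed id): every production change references an approved ticket."""
    findings: List[Finding] = []
    for change in repo.changes:
        ticket = repo.tickets.get(change.ticket)
        if ticket is None:
            findings.append(("CM-1", change, "change without a ticket"))
        elif ticket.status != "approved":
            findings.append(("CM-1", change, f"ticket {change.ticket} is {ticket.status}, not approved"))
    return findings


def rule_segregation_of_duties(repo: Repository) -> List[Finding]:
    """CM-2 (assumed id): the requester of a ticket may not be its approver."""
    return [("CM-2", t, "requester approved own ticket")
            for t in repo.tickets.values() if t.approver == t.actor]


# Layer Four: a change-control module bundling rules and computing metrics.
RULES = [rule_change_has_approved_ticket, rule_segregation_of_duties]


def change_control_module(repo: Repository) -> dict:
    findings = [f for rule in RULES for f in rule(repo)]
    by_control: Dict[str, int] = {}
    for control, _, _ in findings:
        by_control[control] = by_control.get(control, 0) + 1
    return {"findings": findings, "by_control": by_control,
            "changes_tested": len(repo.changes), "tickets_tested": len(repo.tickets)}


# Layer Five: user interaction, here a plain-text scorecard.
def render_scorecard(result: dict) -> str:
    lines = [f"Changes tested: {result['changes_tested']}  Tickets tested: {result['tickets_tested']}"]
    for control, count in sorted(result["by_control"].items()):
        lines.append(f"{control}: {count} exception(s)")
    for control, rec, msg in result["findings"]:
        lines.append(f"  [{control}] {rec.kind} {rec.ticket or '-'} by {rec.actor}: {msg}")
    return "\n".join(lines)


def run_pipeline() -> dict:
    records = ingest_tickets(TICKETS_CSV) + ingest_deploy_log(DEPLOY_LOG)
    return change_control_module(Repository(records))


if __name__ == "__main__":
    print(render_scorecard(run_pipeline()))
```

On the constructed data the scorecard reports two CM-1 exceptions (a deployment against a ticket still in "open" status, and one with no ticket at all) and one CM-2 exception (a requester who approved her own ticket). In a real deployment the two string constants become connectors to the ticketing system and the log pipeline, and the rule functions are where a SOX 404 control matrix would be encoded; the repository, module and scorecard layers do not change.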

Regulatory mandates have recently produced some true pearls of wisdom. One such pearl is the GRC model, introduced in 2004 in "Integrity Driven Performance: A New Strategy for Success through Integrated Governance, Risk and Compliance Management." GRC is a trademark of PricewaterhouseCoopers.
Bound and fewer than 50 articulate pages, the document furthers the definition and design model of a Governance, Risk and Compliance (GRC) framework. It is available online. I would suggest that being well rounded includes attention to all the publications offered by PwC, using "GRC" as a healthy start.

The Emerging Role of Technology: Enabling GRC. At an advanced level of deployment, technology can be likened to a central nervous system for the organization: the means to ascertain, in real time, that risk is being managed and events are being acted upon. Organizations that achieve a real-time risk management, compliance and monitoring environment enable the application of policies and standards at the time business processes are executed. For compliance to be truly effective it must be not incremental, but integral to business processes: the essence of real-time risk and compliance, Integrity-Driven Performance™.

Note: While providing support to our CISA study group, Bruce I. Winters, CPA, CISA, of PricewaterhouseCoopers LLP – CT, shared this work (and a wealth of industry knowledge). I really owe him much personal thanks. Sustainable compliance is truly a new domain for the integration of all IT infrastructure and enterprise management. The topic has provoked tremendous advances in the concepts of configuration and process, aiding entire divisions of study at every institution of learning and changing the way we think about the creation of even the smallest snippet of code or simplest device.

   
U Rock
Julie Queenan, CobiT Foundation Certified!

Congratulations Julie for earning the CobiT Foundation certification.

Most of all, thanks for the fabulous management and expertise you consistently deliver to our team.

 

   
U Rock
Robert E. Davis MBA, CISA, CICA
 

Robert E. Davis is an independent management audit consultant, currently associated with Robert Half Management Resources, a Boson Software, Inc. author and instructor, and a Pleier Corporation author. His IT audit specializations include Control Objectives for Information and related Technology (CobiT), the Sarbanes-Oxley Act, and the Foreign Corrupt Practices Act. Regarding information security and privacy, Robert is available to provide ISO 17799, Gramm-Leach-Bliley, and Basel II consulting. His primary computer technology research interests are databases, operating systems, and distributed information systems processing.
Since starting his career as an IT auditor, Robert has provided data security consulting and IT auditing services from staff through management positions to the United States Enrichment Corporation, Raytheon Company, United States Interstate Commerce Commission, Dow Jones & Company, Fidelity/First Fidelity (Wachovia) Corporations, and other organizations.
Some of his professional IT software and hardware experience includes MVS, UNIX, Windows, Oracle, the International Money Management System, PERL, COBOL, PASCAL, DEC, IBM, Tandem, Compaq, and DELL.
Prior to engaging in the practice of IT auditing and information security consulting, Robert provided inventory and general accounting services to Philip Morris USA and general accounting services to Philadelphia National Bank (Wachovia).
Currently, Robert is a member of the Institute of Internal Auditors IT AUDIT magazine Editorial Review Committee and author of the IT AUDIT magazine emerging issues article, "Did IT Auditing Forget the Foreign Corrupt Practices Act?"
Robert is a former ISACA-Philadelphia Chapter Board of Directors member and College Relation Chairman. Robert has provided instruction to an Internet CISA study group, the Data Processing Management Association, and the ISACA-Philadelphia Chapter CISA Review course.
Robert is a member of American Association of University Professors and the Institute for Internal Controls. He is also a college computer science and mathematics instructor, having previously taught at Cheyney University and Bryant & Stratton College.
Robert’s IT audit publications include “Information Systems Auditing: The IS Audit Planning Process”, “Information Systems Auditing: The IS Audit Study and Evaluation of Controls Process”, “Information Systems Auditing: The IS Audit Testing Process”, and “Information Systems Auditing: The IS Audit Reporting Process” electronic monographs available at http://www.boson.com/tests/auditor.htm.
For those preparing for the CISA or Certified Information Security Manager (CISM) examination, Robert has authored knowledge diagnostic tests that are also available at http://www.boson.com/tests/auditor.htm, http://www.boson.com/Product/64.html and http://pleier.com/itauditingaap.htm.

   
U Rock
Julia Allen
 

Senior Member of the Technical Staff, Software Engineering Institute; author, Governing for Enterprise Security, June 2005; jha@sei.cmu.edu

Julia Allen is a senior member of the technical staff within the Networked Systems Survivability Program at the Software Engineering Institute (SEI), Carnegie Mellon University (CMU). The CERT® Coordination Center is also a part of this program. Allen is engaged in the development and transition of security improvement practices for network-based systems and executive programs in information security and survivability. Previously, Allen served as acting Director of the SEI for 6 months and Deputy Director/Chief Operating Officer for 3 years. In addition to technical reports for CMU/SEI, she is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley, June 2001). Learn More: OCTAVE® Information Security Risk Evaluation

U Rock
Michael S. Hines

Why does Mike "rock"?  Start off by asking him about his part in supporting the CISWG.   The efforts and products of the CISWG are in PB&SP's TOP TEN important products and organizations for IT. As summarized by the web librarian at EDUCAUSE, CISWG is able to work independently of all organizations and countries to evaluate contributions from all credible sources of information management. Recently they published Corporate Information Security Working Group: Report of the Best Practices and Metrics, hosted by EDUCAUSE.
Of substantial importance is the wide breadth of contributors and the inclusion of all relevant standards, laws and guidelines in the pursuit of our National Strategy to consolidate and train in the area of information security. Work products of CISWG are used in Governing for Enterprise Security (Networked Systems Survivability Program, produced by Julia Allen, June 2005),
citing: Corporate Information Security Working Group. Adam H. Putnam, Chairman; Subcommittee on Technology, Information Policy, Intergovernmental Relations & the Census, Government Reform Committee, U.S. House of Representatives. “Report of the Best Practices Subgroup.” March 3, 2004. This more current CERT document lists and suggests implementing CISWG's REPORT OF THE BEST PRACTICES AND METRICS TEAMS, INFORMATION SECURITY PROGRAM ELEMENTS AND SUPPORTING METRICS FOR MANAGEMENT:
1. Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, etc.)
2. Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security
3. Strive to Protect the Interests of all Stakeholders Dependent on Information Security
4. Review Information Security Policies Regarding Strategic Partners and Other Third parties
5. Strive to Ensure Business Continuity
6. Review Provisions for Internal and External Audits of the Information Security Program
7. Collaborate with Management to Specify the Information Security Metrics to be Reported to the Board
8. Establish Information Security Management Policies and Controls and Monitor Compliance
9. Assign Information Security Roles, Responsibilities, Required Skills, and Role-based Information Access Privileges
10. Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation
11. Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third-parties
12. Identify and Classify Information Assets
13. Implement and Test Business Continuity Plans
14. Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance
15. Protect the Physical Environment
16. Ensure Internal and External Audits of the Information Security Program with Timely Follow-up
17. Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management
18. User Identification and Authentication
19. User Account Management
20. User Privileges
21. Configuration Management
22. Event and Activity Logging and Monitoring
23. Communications, Email, and Remote Access Security
24. Malicious Code Protection
25. Software Change Management, including Patching
26. Firewalls
27. Data Encryption
28. Backup and Recovery
29. Incident and Vulnerability Detection and Response
30. Collaborate with Management to Specify the Technical Metrics to be Reported to Management

If that's not enough, ask him about the Digital Millennium Copyright Act (DMCA) 17 USC Section 101 et seq. (title IV amending §108, §112, §114, chapter 7 and chapter 8, title 17, United States Code).  Michael S. Hines, "Fiduciaries Beware: Defending the Upsurge of ERISA-Based Class Actions", in Insights, Volume 19 Number 6 (June 2005), Skadden Biography, Retrieved December 1, 2005. Note: Michael S. Hines has dedicated himself to the distribution of accurate, timely security information, making about as much as anyone could from a career in Systems Administration at Purdue University (West Lafayette, IN). It seems hard to believe that with all he writes, he spends his own share of time putting out fires, just like the rest of us.  It was a post by Mike that led me to the Common Criteria project: http://archives.neohapsis.com/archives/win2ksecadvice/1999-q4/0188.html, tipping off his peer group to the Commercial Product Evaluations Main Page as early as 1999! Perhaps this is why Purdue’s infrastructure systems administrator, entrusted with their entire IT Infrastructure, was named president of the Central Indiana Information Systems and Control Association, an organization with more than 35,000 members. Watching Mike makes me feel like a potato!

U Rock
Rod Brennan
Like all the great thinkers, Rod is very humble, insisting all credit go to the rest of the team. Quietly, he inspires research at Rutgers, writes theses and coordinates with KPMG to produce a tremendous contribution to the world of continuous automation: Continuous Monitoring of Business Process Controls: A Pilot Implementation of a Continuous Auditing System at Siemens
U Rock
Gene Kim genek@tripwire.com
Tripwire delivers research and compliance value
Gene Kim is the CTO and co-founder of Tripwire, Inc. In 1992, he co-authored Tripwire while at Purdue University with Dr. Gene Spafford. He is currently actively working on a series of projects to capture how "best in class" organizations have Security, Operations, Audit, Management, and Governance working together to solve common objectives. In 2003, he co-chaired two conferences with SANS and the Software Engineering Institute, and was named by InfoWorld as one of the “Four Up and Coming CTOs to Watch.”
U Rock
Dr. Ron Ross and Stu Katz

NIST release of Draft Special Publication 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems".

The second public draft of NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems is now available for public comment at the draft publications page. The document provides a comprehensive listing of methods and procedures to assess the effectiveness of security controls in federal information systems. Assessment procedures have been developed for each security control and control enhancement in NIST Special Publication 800-53 with the rigor and intensity of assessments aligned with the impact levels in FIPS 199.

He just gets better and better.  His published biography, titled The New NIST Security Standards and Guidelines for FISMA, explains: "Dr. Ron Ross is a senior computer scientist and information security researcher at the National Institute of Standards and Technology (NIST). His areas of specialization include security requirements definition, security testing and evaluation, and information assurance. Dr. Ross currently leads the FISMA Implementation Project for NIST, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure. His recent publications include FIPS 199 (the security categorization standard), Special Publication 800-53 (the security controls guideline), and Special Publication 800-37 (the system certification and accreditation guideline). Dr. Ross is also the architect of the risk management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program."
Dr. Ross ROCKS, however, because anyone can read his training materials, download the NIST products and share in the wealth of his contributions.   Promoting security and standardization across governments, organizations and industry provides countless reasons to respect Dr. Ross.  <http://csrc.nist.gov/publications/index.html>

Here's one: Federal Information Security Management Act Implementation Project
Protecting the Nation's Critical Information Infrastructure
Federal Information Security Management Act Implementation Project
Protecting the Nation's Critical Information Infrastructure

   okay, here's two
U Rock
Bob Rabetsky
The goal of an organization’s regulatory compliance strategy must be to minimize the company’s exposure to litigation, fines, and reputation damage. In order to achieve this goal, it is essential for companies to not only retain necessary records for as long as required but also to properly dispose of data when it is no longer required.  Government and industry regulations have imposed strict requirements regarding data storage, retrieval and protection on companies across a variety of industries. Regulations such as the Sarbanes-Oxley Act for public companies, SEC 17a-4 in financial services, and HIPAA in healthcare define rules for storing and retaining data.  The integrity of retained data is a critical requirement for a number of regulations. These regulations require that data that must be retained cannot be altered or erased until the retention period expires. The data integrity requirement is particularly important in the financial services industry as a result of increased scrutiny by the SEC and other law enforcement authorities. However, a variety of other industries also find data integrity to be a necessary component of a regulatory compliance solution.

Additionally, the IT organizations of many non-regulated companies are subject to corporate governance requirements to ensure data is retained and accessible when necessary, particularly from a legal discovery perspective.  The stakes are high: failure to comply with regulations can result in significant financial and legal sanctions.  New regulations mandate that companies retain data for long periods of time. For example, Sarbanes-Oxley imposes a seven year retention period on certain financial records for public companies and their accounting and auditing teams.  SEC 17a-4 requires financial services firms to retain email and instant messaging records for a minimum of six years.

For example, the healthcare industry is subject to the HIPAA security regulations that are intended to protect patient privacy.  The Gramm-Leach-Bliley Act that affects the U.S. financial industry is intended to ensure the confidentiality of financial data for U.S. consumers.  A successful regulatory compliance solution should be able to support privacy requirements such as authentication and access control.  -- Rabetsky

U Rock
J. Darrel Thomas

Use of his team's designs for companies: PDF and Mass article here
U Rock
James Bryce Clark
IP and how he created a process for development and licensing beyond SDLC and RAD
U Rock
Ron Hale, Director of Security Initiatives, ITGI/ISACA

Regarding the efforts to ensure ISACA's credibility among industry leaders in audit and security standards: Ron Hale, U ROCK!  The following news says it all:

ANSI has accredited the following personnel certification programs:

  • American Registry of Diagnostic Medical Sonographers (ARDMS)
  • American Society for Nondestructive Testing (ASNT)
  • Board of Certified Safety Professionals (BCSP)
  • Information Systems Audit and Control Association (ISACA)
  • Institute for Supply Management (ISM)
  • International Information Systems Security Certification Consortium, Inc. (ISC2)
  • National Board for Certification in Occupational Therapy, Inc. (NBCOT)
  • National Board for Certification in Dental Laboratory Technology (NBC DLT)
  • National Inspection Testing Certification Corporation (NITC)
U Rock
Kevin Behr, CTO, IP Services
ITOPRISK_KevinBehr

PMMR

He just keeps on writing and writing and writing...

U Rock
Christopher Byrne, Practice Manager, IT Compliance, Governance and Audit Services
The Cayuga Group, LLC

Why does Chris Rock?  He is a braver man than me.  Supporting a blog that captures the interests and concerns of literally thousands, he simply thinks, speaks his mind, and continues to care about our profession - in spite of all the flames.  The Controls Caddy points to the eradication of FUD.  His "Best Practices" presentation and IBM Presentation on Compliance are made available at Chris' web site.

About: Mr. Byrne is a Lotus Notes Application/Web Developer with over 15 years' experience in government, military, telecommunications, training and financial systems management/review.  He is an IBM Certified Advanced Application Developer for Lotus Notes R4.X, R5, and ND6; an IBM Certified Advanced System Administrator (R5); and an IBM Certified System Administrator (ND6).  Mr. Byrne has developed web pages, Notes Applications and Web Sites for Government agencies and commercial clients, participated in System Management Reviews of Government Program Offices, and co-chaired a Task Force examining the conversion of Environmental Protection Agency labs to privately operated facilities.
Mr. Byrne is a former Lotus Notes Development/Infrastructure consultant for Lotus Professional Services/IBM Software Group.

Taken without shame from:

Dan Swanson...

NotMyWork

World News Today from Dan and George

February 15, 2006

"The personal life deeply lived always expands into truths beyond itself".— Anais Nin. _______________________________________________________________

Corporate reputation By Kastuv Ray - kastuv@kastuv.fsnet.co.uk _______________________________________________________________

Corporate reputation is vital. With the current focus on risk management, reputational risk should "ride high" on the list of priorities in the risk register. Public trust in many companies has been damaged by recent corporate scandals and times are difficult for managing directors and chief executive officers. It is interesting to note that even with all the articles being written on corporate reputation, there are still some individuals who are solely concentrating on sales and profits with the perception that "it could never happen to us". Individuals involved in the corporate scandals that have rocked the world may have thought this and look what happened.

Customers influence corporate reputation. Management of corporate reputation is vital to achieving objectives, as is its measurement. The media may in certain cases be considered a primary threat to corporate reputation. A company may have the best mission statement in the world, brilliant employees and a leading edge knowledge management database, but a bad comment from a shareholder can affect corporate reputation.

What can we as internal auditors do to deal with this? Quite simply put, we must do our job. It is strange that reputational risk actually crops up nearly everywhere in the risk register as does the media. For example, a marketing audit may focus on the quality and standard of company literature generated as there is a risk that if the brochure is poor this will reflect badly on the company.

Fraud and whistleblowing policies should tackle the way media attention is handled. Reputational risk plays a key part in a student experience audit, as there should be an effective student support facility available on site or on the internet, which provides counselling, and advice to alleviate difficulties. Certain internal auditors in organisations have been so worried about their corporate reputation that they have undertaken specific audits, which are based on the Enron scenario.

Typical examples of audits that could be undertaken which may encompass reputational risk are: customers services, human resources particularly workplace conflict and harassment and health and safety, financial management (this should include a review of all key financial systems), corporate governance and corporate social responsibility.

Further guidance on stakeholders and reputational management can be found within Tolley's Corporate Governance Handbook by Andrew Chambers (Managing Director of Management Audit Ltd).

Note: This article was originally published on www.AuditNet.org _________________________________________________________________

TIME MANAGEMENT _________________________________________________________________

Something will master and something will serve. Either you run the day or the day runs you; either you run the business or the business runs you.

  1. Learn how to separate the majors and the minors. A lot of people don't do well simply because they major in minor things.
  2. Don't mistake movement for achievement. It's easy to get faked out by being busy. The question is: Busy doing what?
  3. Days are expensive. When you spend a day you have one less day to spend. So make sure you spend each one wisely.
  4. Sometimes you need to stay in touch but be out of reach.
  5. Time is our most valuable asset, yet we tend to waste it, kill it, and spend it rather than invest it.
  6. We can no more afford to spend major time on minor things than we can to spend minor time on major things.
  7. Time is more valuable than money. You can get more money, but you cannot get more time.
  8. Never begin the day until it is finished on paper.
  9. Learn how to say no. Don't let your mouth overload your back.

Time is the best-kept secret of the rich. __________________________________________________________________

The above quotes are by Jim Rohn, America's Foremost Business Philosopher and used with permission. To subscribe to the Free Jim Rohn Weekly E-zine, go to www.jimrohn.com or send a blank email to subscribe@jimrohn.com Excerpted from The Treasury of Quotes by Jim Rohn. Copyright © 1994-2005 Jim Rohn International. All rights reserved worldwide.

U Rock
DAN CC_Mail February 24, 2006
danSwanson email

"If you have an important point to make, don't try to be subtle or clever. Use a pile driver. Hit the point once. Then come back and hit it again. Then hit it a third time, a tremendous whack." - Winston Churchill. _________________________________________________________________

Have you established your quality assurance and improvement program? Does your audit committee know how effective the internal audit function is? Do senior management and the Board get informed on how internal audit is doing in relation to the international standards for the practice of internal auditing? Do you know your deadline for reporting your external quality assessment? - It's January 2007 for most audit departments !!! Have you begun your journey in quality? - if not, how can you say you are a professional internal auditor? (- period). Read on... re The IIA's effort to establish and promote the "profession" of internal auditing. ______________________________________________________________

1. The January 2007 QAR "deadline" is approaching !!! www.cfo.com/article.cfm/5485922?f=RegWatch021306

2. Why Standards Matter (an audit committee briefing). http://www.theiia.org/download.cfm?file=83632

3. The International Standards for the Professional Practice of Internal Auditing (The Standards). http://www.theiia.org/index.cfm?doc_id=124

4. Attribute Standard 1300: Quality Assurance & Improvement Program. http://www.theiia.org/?doc_id=1595 "The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization's operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics".

5. The Internal Audit profession & the necessity for professionalism (in all your efforts). This link provides resources for newcomers to the profession of internal auditing as well as experienced practitioners who want to promote the profession and its role in the success of an organization. http://www.theiia.org/index.cfm?doc_id=269

6. The FAQs re Quality. http://www.theiia.org/index.cfm?doc_id=5249

7. The power of the PPF (The Professional Practices Framework). a) http://www.theiia.org/?doc_id=4944 b) http://www.theiia.org/iia/download.cfm?file=1620

8. The FAQs re the Internal Audit profession - a MUST read !!! http://www.theiia.org/index.cfm?doc_id=5402

9. The IIA's Quality Services information. http://www.theiia.org/?doc_id=318

10. Countdown to Internal Quality Assessment: Are You Ready? www.theiia.org/training/index.cfm?act=seminar.detail&semID=151

11. How quality assurance reviews can strengthen the strategic value of internal auditing (by PWC). A really excellent paper but which did not include many of the resources provided in this email, i.e. you need to read the entire QAR guidance available. www.pwc.com/extweb/pwcpublications.nsf/docid/b838f2da401647d785257108004a964e

12. More quality resources from various world class organizations. http://www.theiia.org/index.cfm?doc_id=5350

13. One of my favorite spots on the IIA web site; i.e. it provides a list of the most popular internal audit guidance downloads. http://www.theiia.org/index.cfm?doc_id=5175

14. There are numerous quality related practice advisories (eight of them now); click on the "by number" link and then scroll to the 1300 series. Note - you need to be an IIA member to download them. http://www.theiia.org/index.cfm?doc_id=73

15. Consider just buying the PPF (i.e. The "red book"). www.theiia.org/bookstore.cfm?fuseaction=product_detail&order_num=487

16. Measuring the effectiveness of internal auditing (Practice Advisory 1311-2 is a MUST MUST read). It took more than a year to develop and finalize and is quite the subject; with MANY different views on how best to measure effectiveness. What performance measures do you report to your audit committee? (i.e. it's not simple at all). I strongly recommend you study this paper prior to your next audit committee meeting.

17. Then there is always the quality assessment manual - i.e. people always forget to look at the "manual". (It's into a 4th edition with a fifth edition scheduled this quarter - and over 250 pages long and a wealth of information) www.theiia.org/bookstore.cfm?fuseaction=product_detail&order_num=449

18. Consider becoming an IIA volunteer & perform some actual quality assessments - i.e. doing is always the "best way" to learn. http://www.theiia.org/index.cfm?doc_id=317

19. Always an interesting question on every single QAR assessment. Are your IT audit efforts appropriate for the risks facing the organization today? IIA's guidance & numerous efforts in technology are accessible at:

http://www.theiia.org/index.cfm?doc_id=2458

20. Finally, leading guidance for the practice of internal auditing is always available, i.e. 24/7 from anywhere at:

a) www.theiia.org/guidance

b) www.theiia.org/technology

______________________________________________________

I strongly believe all of the above IIA guidance & resources are "fully aligned", i.e. the standards, the many practice advisories, the many FAQs, the IIA seminars, other QAR related guidance, - they have ALL been reviewed and "brought current" over the past several years by many many staff and the many IIA international committee volunteers. Good luck. - (in your efforts to make a difference). The ball is now "in your court" - and please pass this email on to everyone involved with internal auditing. Sincerely, Dan Swanson, CIA www.securitybenchmark.com http://finance.groups.yahoo.com/group/Dans_SECemails/ http://finance.groups.yahoo.com/group/Dans_CCCemails/

SpaffordDailyNews
Daily News

The Daily News is brought to you by Spafford Global Consulting, a consultancy focused on IT process improvement, security and compliance efforts.  We are located on the web at http://www.spaffordconsulting.com.  As a reminder, if you find interesting stories, please email them to me for review for the next Daily News edition, and always feel free to forward this email on to others.

"He uses statistics as a drunken man uses lampposts—for support rather than illumination”. -- Andrew Lang

The Picks of the Day

SEC Takes a Stand on 404

“The Securities and Exchange Commission announced on Wednesday in no uncertain terms that small companies as well as large ones will be required to comply with the Section 404 internal-control requirements of the Sarbanes-Oxley Act.”

http://www.cfo.com/article.cfm/6942080?f=alerts

http://www.washingtonpost.com/wp-dyn/content/article/2006/05/17/AR2006051702018.html

http://msnbc.msn.com/id/12839694/

The actual SEC release is at:  http://www.sec.gov/news/press/2006/2006-75.htm

[Very interesting – we’ll have to see what guidance they come up with for their risk based approach.]

Supreme Court makes it harder to be patent predator

“The Supreme Court ruled earlier this week that injunctions shouldn't be rubberstamped for patent cases. They specifically singled out business-method patents that are litigated by those who have no stake in producing the product or offering the service; i.e., patent trolls.”

http://www.boingboing.net/2006/05/18/supreme_court_makes_.html

Corps' Levee Work Is Faulted

“A wide range of design and construction defects in levees around New Orleans raise serious doubts that the system can withstand the pounding of another hurricane the size of Katrina, even after $3.1 billion in repairs are completed, a team of independent investigators led by UC Berkeley's civil engineering school said Sunday.”

http://www.latimes.com/news/nationworld/nation/la-na-levee22may22,0,1511117.story?track=tothtml

IT Process Improvement

Oregon Department of Human Services PMO Site

This site has a wealth of Project Management guidance, templates and links to further resources.  It’s an excellent site.

http://egov.oregon.gov/DHS/admin/pmo/index.shtml

Lessons in learning

“Unfortunately, companies often discourage staff members from furthering their education; employers worry employees will take their new skills and leave for greener pastures.  …  That sort of attitude toward education can backfire because it increases the likelihood that highly motivated, advancement-minded employees -- the very people an organization should retain -- will bail.”

http://www.infoworld.com/article/06/05/22/78463_21OPeditor_1.html

Legal and Regulatory Compliance

PCAOB Counters Legal Attack on Sarbox

“The Public Company Accounting Oversight Board earlier this week moved to dismiss a lawsuit charging that the board and its rules are unconstitutional.”

http://www.cfo.com/article.cfm/6965356?f=alerts

Snow: SEC Should Decide on 404

“Asked about legislation that would roll back portions of the controversial provision and exempt many companies from its requirements, the Treasury Secretary looks instead to controlling its costs.”

http://www.cfo.com/article.cfm/6966559/c_6966781?f=alerts

PCAOB Roundtable Summary Available

KPMG’s 404 Institute has a summary of the PCAOB roundtable online.

http://www.404institute.com/docs/SEC_PCAOB_Rountable_Summary.pdf

UK law will criminalise IT pros, say experts

“Security experts fear that the UK government is on track to outlaw the supply of network security tools, and even scripting languages such as Perl”

http://news.zdnet.co.uk/business/legal/0,39020651,39270045,00.htm

Security and Risk Management

Report: Agency policies put air marshals at risk

“The Federal Air Marshal Service is jeopardizing the safety of rank-and-file officers with policies that could reveal the identities of the plainclothes marshals, congressional investigators said in a draft report obtained Friday by CNN.”

http://www.cnn.com/2006/POLITICS/05/19/air.marshal/index.html

New Trojan targets Word

“Security vendor McAfee has warned users of a new Trojan program, called BackDoor-CKB!cfaae1e6, that secretly installs software on a computer. For the Trojan to work, however, hackers must first trick users into opening a malicious Word document. Once that has been done, though, the results can be nasty.”

http://www.computerworld.com.sg/ShowPage.aspx?pagetype=2&articleid=3694&pubid=3&tab=Home&issueid=89

HSBC adopts SAS fraud spotting system

“HSBC is using SAS's Fraud Management for Banking software to try and stem criminal activity around its customers’ accounts. The bank is using the technology to analyse its full transactional database to look for patterns that can signify such criminal activity.”

http://www.computerweekly.com/Articles/Article.aspx?liArticleID=216025&liFlavourID=1

Allocate adequate funds to protect your network

“When it comes to security, companies get what they pay for. Jonathan Yarden recounts a recent troubleshooting experience with an organization and explains why there should be no room for exceptions in your security budget.”

http://techrepublic.com.com/5100-1009-5787257.html?tag=nl.e044

Promoting Global Cybersecurity

“A global opinion survey to assess trust of online transactions and awareness of cybersecurity measures was conducted by ITU in conjunction with World Telecommunication Day, celebrated on 17 May to commemorate the founding of ITU in 1865. The theme chosen this year — Promoting Global Cybersecurity — aims to highlight the serious challenges of ensuring the safety and security of networked information and communication systems.”

http://www.itu.int/newsroom/press_releases/2006/09.html

Human Error / Safety

Top official: Many states unprepared for bird flu

“Bird flu will hit the United States -- it's only a matter of time -- and not all states are ready to respond to the deadly virus, the Homeland Security Department's top doctor has warned.”

http://www.cnn.com/2006/HEALTH/05/19/birdflu.runge.ap/index.html

Testing birds for bird flu begins in Alaska

“Federal scientists have started testing migratory birds for signs of a dangerous bird flu that could show up in North America.”

http://www.cnn.com/2006/HEALTH/05/19/birdflu.testing.ap/index.html

http://news.yahoo.com/s/ap/20060521/ap_on_sc/bird_flu_alaska_2

Avian Flu: A primer

This is a very basic introduction to what the H5N1 strain of Avian Flu is.

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1148125450388&call_pageid=968350072197&StarSource=RSS

Outsourcing / Globalization / International

China marks completion of Three Gorges Dam

“China completed construction on Saturday of the controversial Three Gorges Dam, the world’s largest hydroelectricity project, and marked the occasion with a subdued ceremony broadcast live on state television.”

http://msnbc.msn.com/id/12880810/

Official: Africans pay $1,800 for 1GB of data

“African Internet users pay on average 90 times what Americans pay, crippling efforts by the world's poorest continent to become competitive, a senior Kenyan official said.”

http://www.cnn.com/2006/TECH/internet/05/18/africa.web.cost.ap/index.html

Lost in Translation

“What Arroyo didn't mention is that down in the trenches, the burgeoning BPO industry is already encountering growing pains—serious ones. The problem: many call centers can't keep up with demand because they can't find enough employees who speak ‘proper’ English.”

http://www.msnbc.msn.com/id/12893038/site/newsweek/from/RSS/

Indian outsourcing industry is headed for a crash and an outright depression – here is why?

“Indian outsourcing industry is headed for a total and permanent collapse. India has systematically converted millions of its talented individuals into becoming phone operators and low-end software application programmers for American, European and Japanese companies. This will back fire like never seen before.”

http://www.indiadaily.com/editorial/8946.asp

Economics / Business / Misc.

Seagate swallows Maxtor

“Seagate has completed its merger with smaller rival Maxtor, after shareholders agreement yesterday. The deal, announced last December, values Maxtor at around $2bn.”

http://www.theregister.co.uk/2006/05/18/seagate_swallows_maxtor/

China's lead in tech

“As Internet technology moves toward the next generation, will lassitude doom the United States to relative mediocrity?”

http://money.cnn.com/2006/05/19/technology/fastforward_fortune/index.htm

Vista's Make Or Break Moment

“After five years of course changes, false starts and a host of beta and Community Technology Preview (CTP) builds, Microsoft is set to deliver a broad-scale build of Vista to two million testers. Microsoft is likely to drop the build – known by multiple names, including the consumer Vista CTP and Vista Beta 2 – as early as this week at the Windows Hardware Engineering Conference (WinHEC) in Seattle, according to company watchers.”

http://www.microsoft-watch.com/article2/0,1995,1965429,00.asp?kc=MWRSS02129TX1K0000535

End Notes

Archives of the Daily News newsletter are at http://www.spaffordconsulting.com/dailynews.html

Please feel free to forward the Daily News on to your colleagues.  To subscribe or unsubscribe, please send an email to george@spaffordconsulting.com

Spafford Global Consulting provides technology management consulting, training, IT auditing, research services and freelance authoring to our clientele.  Should you have any requirements for services, please do not hesitate to contact us.