The Perils of Mount Must Read™: Confessions of a Cliff Note Junky

© By Robin Basham


Ever have a day where the more you learn the less you know?  Around here, it’s been that kind of year.  Printing every resource that might help in a losing race to stay current with regulations and frameworks, I watched a reading backlog grow from a minor elevation to a hill.  As autumn fell, the pile extended beyond the height of our office, and the perilous pile acquired a name: “Mount Must Read™.”

In hindsight, I agree, this is hard to believe, but the story needs to be told.  At the very least, consider it a fair warning that you could be next. 

Are you sure I’m in recovery?

I had every right to feel on top of things.  The degrees, certifications, business and friends were perfectly valid indicators of professional competence.  Where the Sarbanes-Oxley Act of 2002 (SOA or SOX)[1], data privacy, COBIT®[2], COSO[3], ITIL®[4] and ISO/IEC 17799:2005[5] frameworks or any area of IT audit were involved, I felt solid.  Not a day went by without time on the ISACA[6] home page, and I can honestly say that with each visit we gained at least one significant download.  Like a lot of people in my field, the list of what I should read increasingly outpaced the list of what I could read.  Secretly, confidence in my ability to lead in my field had been replaced by a nagging paranoia that I would not maintain a respectable position in the reading race.  In fact, I doubted my ability to finish the race at all.

Then I found out I’d be having surgery classified as major and was told to plan on one to two months in ‘recovery’.  No problem.  White papers packed with slippers and duck, I slated five to ten hours of hospital down time for chapters 4 through 8 of the ICT Infrastructure Management Manual[7].

I realize people don’t read textbooks as they roll out of surgery, but the situation was beyond my control.  I’m a pawn, a powerless sheep, manipulated by anxiety over an out-of-control reading list.  It’s not just the daily emails listing articles and white papers that can’t be ignored.  I’m a compulsive downloader, printing everything that seems to have a use.  The symbol of all knowledge became that mountain of unread documents.

More like Edgar Allan Poe’s The Tell-Tale Heart[8] than a personal Everest, Mount Must Read™ controls my life.  It started as a harmless stack, documents I truly intended to read, but then I planted a flag at the summit.  That fateful red and white post-it included two words.  They were “Must Read.”  Once the pile knew its name, it gained power.  Somewhere between hill and mountain, its soul became corrupted by the Dark Side[9].

I will conquer Mount Must Read™ 

I have to conquer him.  For one thing, he’s blocking sunlight. (Please don't ask how I know Mount Must Read™ is male. You'll see soon enough.)

“Recovery” is a great word.  I place it in the same category as “Down Time.”  (I have no idea what either means.)  Using down time to tackle Mount Must Read™ (a.k.a. "MMR™" and "Must Read™") is a perfect illustration of this problem.

Realizing that a stack of neglected documents would not hold my attention for very long, I constructed a challenge that might result in wealth or fame.  I announced to myself, and within earshot of Mount Must Read™, “I will resolve duplicate legal requirements and rid our profession of redundant, competing technology standards.”  It’s clear we need a short pile of "definitive required knowledge" and a safe means to disregard the rest.  How many laws do we really need?  It seems the ones that aren’t obsolete either mandate concepts that people don’t understand, can’t be implemented, or are completely ignored.  De-duplicating laws and standards meant we might finally operate with a short list of laws and standards, earn back some actual “downtime” and achieve the mission to deliver visibility and assurance of IT compliance.  I am an information systems auditor.  Someone’s gotta do it.

Waste no time

Post-surgery, day one was not as productive as planned.  The only perk you get in ‘recovery’ is unlimited self-delusional power naps (the kind where you know everything and people care).  Aided by a steady morphine drip, this particular dream began with a typical scenario.  I propose a completely implausible solution to world hunger and a full session of Congress erupts into accolades.  Feeling confident in my powers, I make a classic Matrix gesture, the one where Neo signals Morpheus to “bring it on[10].”  A voice on the floor asks, “Are there any U.S. statutes that allow us to charge Superman in connection with Hurricane Katrina?”  I say, "We have to review his contract," but no one is satisfied.  The room fills with auditors, business owners, five-star generals, and bankers.  Like a thousand Agent Smiths entering from a myriad of hallway doors, people keep asking questions with random sounds like “national strategy, FIPS[11], jurisdiction, FISMA[12], legal precedent, court martial, and FEMA[13].”  Someone’s shouting, “Senator, did you even read FISCAM?[14]”  My ears sting from the buzz of federal codes, defense directives, public executive orders and a list of my apparent violations.  Dream panic ends as I shout from my bed, “That wasn’t even in the manual.”

A nurse is measuring milliliters of urine and smiling like I’m about to get a gold star.  I hear, “Would you like something for the pain, honey?” mingled with the sound of squeaky treads fading out into the hall.

The dream was completely wrong.  I’d been doing the delusional power routine long enough to know this was not my own mind's doing.  Something or someone was responsible, and I only knew of one “something” that had a motive to make me feel this way.  I’d suspected it, but resisted speaking the words even to myself.  It had been 72 hours since my last download.  Mount Must Read’s™ hunger for fresh paper had driven him to new heights of intimidation.  His evil broadcast storm followed me right into surgery.

Should this have worried me?  Did he know that I knew?  Was he listening now?

I shook off the experience as a post anesthesia fluke.  The moment they freed me from nurse and catheter, it was business as usual.

Per my instruction, employees had carefully relocated Mount Must Read’s™ amputated peak to a stack of documents by my bed.  The papers were piled next to a rolling laptop tray, a gigabit LAN port, and a two-line phone.  With the browser poised on Google™ (the Oracle of all downloads), my quest and journey were ‘good to go’.

Having been educated in research and statistics, I began with a three-part hypothesis.

  1. People create overlapping standards because they solve problems in isolation.
  2. When existing law appears out of pace with technology, people create new laws to hinder technology instead of understanding the technical context in which an existing law already applies.
  3. People describe the same problems and find the same solutions, limited only by their ability to perceive and describe.  We can't see the overlap.  We think we are different, but our standards are essentially the same.

I typed “audit frameworks standards law” and said with glee, “We’re off!”  The Oracle answered, “Results 1 - 10 of about 7,345,032 in 0.35 seconds.”  Instant headache: much too wide a topic for my recovering mind.  (I can’t imagine which of these four words unleashed the smutty pop-ups, but clearly I would have to do my own thinking until the anti-spam tool finished inoculating against 7,354 new browser exploits.)

First thought, “Why did I think I can do this?” 

I took a legally prescribed substance and used a familiar warm-up question: “Why is there world hunger?”  If Miss America can answer this, it shouldn’t cause a brain cramp.  I’m thinking, “Why can’t we feed entire regions of starving people, while the local health news says the only thing we’re losing is ground in the war against obesity?  Do the people with food know that people are starving?”  I can’t surf TV, answer the phone, read the mail or go to the movies without someone suggesting ten new ways to donate.  I admit that’s where I lost interest.  Hunger is a challenge for Superman or Congress.  I only like a challenge that I’m pretty sure I can solve.  Moving on to my own dilemma, I asked myself, “Why have I collected so many mandates and frameworks, and why can’t I get past the cover page without that dizzy sensation like I’m reading in a circle?”

ZZZZzzzzzz maybe it was fatigue.

I lurched awake and checked the bottle to see exactly how many pills I had taken.  (Don’t get smug.  You’d have done it too.)  The panic became immutable.  I’ll never read the pile down.  He’s made sure of this.  Must Read™ had full control and was using his twisted powers to de-evolve me into a sheep.

Let me explain the origin of common sheep paranoia.  Part myth, part theory, more framework than standard, it’s called “Compliance Farm™.”[15]

[1] United States Congress, Sarbanes-Oxley Act of 2002, 15 U.S.C. §7201 (2002), "Sarbanes-Oxley Act of 2002", "SOX", in Public Law 107-204, H.R. 3763, S. 2673, & Congressional Record Vol. 148 (2002), Washington: U.S. Government Printing Office, 116 STAT. 745-810.

[2] COBIT®. Retrieved December 1, 2005 from http://www.isaca.org/Template.cfm?Section=CobiT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981.

[3] COSO, Committee of Sponsoring Organizations of the Treadway Commission. Retrieved December 1, 2005 from http://www.coso.org/.

[4] ITIL®, Information Technology Infrastructure Library. Retrieved December 1, 2005 from http://www.ogc.gov.uk/index.asp?id=2261.

[5] BSI, British Standards Institution, "BS ISO/IEC 17799:2005", in British Standard ISO/IEC 27001:2005, London, United Kingdom: The Stationery Office, 2005.

[6] ISACA, Information Systems Audit and Control Association. Retrieved December 1, 2005 from http://www.isaca.org/.

[7] OGC, Office of Government Commerce, "ICT Infrastructure Management", in ITIL® Series, London, United Kingdom: The Stationery Office, 2002.

[8] Edgar Allan Poe, The Tell-Tale Heart, USA: BookSurge Classics; Philadelphia: J. B. Lippincott Co., 1895.

[9] George Lucas, Star Wars Episode IV: A New Hope, USA: Lucasfilm Ltd., 1977.

[10] Andy Wachowski & Larry Wachowski, The Matrix, USA: Groucho II Film Partnership, Silver Pictures, & Village Roadshow Pictures, 1999. Note: Scene in which Laurence Fishburne trains Keanu Reeves in martial arts.

[11] NIST, National Institute of Standards and Technology. FIPS, Federal Information Processing Standards Publication. Retrieved December 1, 2005 from http://www.itl.nist.gov/fipspubs/.

[12] United States Congress, "FISMA", "Federal Information Security Management Act of 2002", in Public Law 107-347, H. R. 2458-48, Title III, Washington: U.S. Government Printing Office, SEC 301-305.

[13] U.S. Department of Homeland Security. FEMA, Federal Emergency Management Agency. Retrieved December 1, 2005 from http://www.fema.gov/.

[14] GAO Accounting and Information Division. FISCAM, Federal Information System Controls Audit Manual Volume I: Financial Statement Audits, Washington: Government Accountability Office, 1999. Retrieved December 1, 2005 from http://www.gao.gov/special.pubs/ai12.19.6.pdf.

[15] George Orwell, Animal Farm, New York: New American Library, 1956. Note: Orwell's book title did not inspire "Compliance Farm™". Any similarity is coincidental and unintentional. I assure you I only read the Cliff Notes®.

Compliance Farm™: Theory of Professional Practice Evolution (Non-linear)
Potato
Fish
Sheep
Self Aware Sheep
Snake, Rats and Pigs
Shark
Dog
Dog-Squirrel
Dog-Fish
Rescue Dog
Wolf
Leader of the Pack
Eagle
Human Being (Human)

Under the right set of circumstances, every animal has the potential to be both Eagle and Human[16].