We have consensus among nations that we need to use the same standards. A process for evaluating the quality of a standard, or for forcing repeal so that an outdated standard cannot be used, does not appear to exist to date. We just have to stay sharp and pay attention to the signals sent from the Eagles. To the extent that a number of industries have staked a claim in known standards, by spinning content and then enforcing their own version like law, this is probably not a bad thing[127].
Performance Management may hold the substance of all our answers. Like many auditors and IT professionals, my career has included time analyzing configurations, change logs, network traffic data, entity diagrams and rule-based access schemes. Attempts to explain, interpret, or validate the information resulted in wall charts far larger than my cube or office. The focus on measuring trend and performance began as a means for product and network management, and became foundation material for security and technology controls audit. Every network manager became marketing's and audit's best friend. There was one problem. No one could consistently articulate the problems needing to be measured, and reporting queries grew out of control. There was another problem. As SNMP traps and MIB technology became increasingly mainstream, trend reporting became increasingly efficient at piping and pushing virtually all that is digital and accessible from inside, and even outside, any corporate WAN. The tools became a liability; in some cases, poor implementation included storing confidential data in clear text and unrestricted access to information, causing damages at staggering costs. Network managers became targets of disproportionate concern. Surpassing the need to measure and trend information, both enterprise and business began to call for a common, visible implementation of controls aligned to a sustainable compliance architecture. Engineers have been telling us this for years. We can measure everything, but interpretation calls for context.
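The two implementation failures named above, monitoring traffic carrying data in clear text and unrestricted access to what the agent exposes, are both visible in the agent's own configuration. The following checker is an added example (not code from the original essay or from any vendor): it reads net-snmp-style `snmpd.conf` lines and flags SNMPv1/v2c community strings, write access over a clear-text channel, default community names, SNMPv3 users without privacy or without a view restriction, and weak MD5/DES choices. The directive names are the real net-snmp ones; both sample configurations are constructed for the example.

```python
"""Audit snmpd.conf-style directives for clear-text exposure and unrestricted
access. Added example; the two sample configurations below are constructed."""

WEAK_CONF = """\
# constructed sample: SNMPv2c community strings, entire MIB exposed
rocommunity public
rwcommunity private 10.0.0.0/8
"""

HARDENED_CONF = """\
# constructed sample: SNMPv3 with authentication and privacy, restricted view
view systemonly included .1.3.6.1.2.1.1
createUser nmsuser SHA "CHANGE-ME-auth" AES "CHANGE-ME-priv"
rouser nmsuser priv -V systemonly
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmpd(conf: str) -> list:
    """Return a list of human-readable findings, one per weakness found."""
    findings = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        directive = tok[0]
        if directive in ("rocommunity", "rwcommunity", "com2sec"):
            # v1/v2c: the community string is the only credential and is sent in clear text
            findings.append(f"line {n}: {directive} enables SNMPv1/v2c; "
                            "community string and all polled data travel in clear text")
            if directive == "rwcommunity":
                findings.append(f"line {n}: write community allows configuration "
                                "changes over a clear-text channel")
            if len(tok) < 3:  # rocommunity <string> [source]: no source means any host
                findings.append(f"line {n}: community not restricted to a source network")
            if len(tok) > 1 and tok[1] in DEFAULT_COMMUNITIES:
                findings.append(f"line {n}: default community name '{tok[1]}'")
        elif directive in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv] [-V VIEW]; net-snmp defaults to auth
            level = tok[2] if len(tok) > 2 else "auth"
            if level != "priv":
                findings.append(f"line {n}: {directive} {tok[1]} at level '{level}'; "
                                "SNMPv3 traffic is authenticated but not encrypted")
            if "-V" not in tok:
                findings.append(f"line {n}: {directive} {tok[1]} has no view; "
                                "the whole MIB is readable")
        elif directive == "createUser":
            if "MD5" in tok or "DES" in tok:
                findings.append(f"line {n}: createUser uses MD5/DES; prefer SHA and AES")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for f in audit_snmpd(conf) or ["no findings"]:
            print(" ", f)
```

Run against the weak sample the checker reports six findings; against the hardened sample it reports none, which is the state an auditor wants to see in evidence from the monitoring tier.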
Regulatory mandates have spawned more than a few pearls of wisdom. One such jewel is the GRC model, introduced in 2004 by “Integrity Driven Performance; A New Strategy for Success through Integrated Governance, Risk and Compliance Management.” GRC is a trademark of PricewaterhouseCoopers[128].
Bound in fewer than 50 articulate pages, the concept of GRC furthers the definition and design model of a Governance, Risk and Compliance (GRC) framework. Freely available and posted online, the GRC deserves rank as a “Must Read”, and I also suggest that being well rounded includes attention to all publications offered by PwC, as well as their newsletter option at CFO Direct[129].
The Emerging Role of Technology: Enabling GRC. At an advanced level of deployment, technology can be likened to a central nervous system for the organization – the means to ascertain, in real time, that risk is being managed and events are being acted upon. Organizations that achieve a real-time risk management, compliance, and monitoring environment enable the application of policies and standards at the time business processes are executed. For compliance to be truly effective it must be not incremental, but integral to business processes – the essence of real-time risk and compliance.
Integrity-Driven Performance™ is a “Must read™.”
Open the computer bay, HAL[130]
Creating a catalog of standards such that elements can be organized by a single ontology will take a lot of vision and teamwork. In spite of the outstanding efforts toward security and standards harmonization as coordinated by ITGI, and the evolving common security frameworks as produced by teams including ISO/IEC, OGC, OECD, SEI, NIST and others, a single framework for comparison of all standards is still limited by at least the following factors:
- Team success tends to require, and be limited by, perception of a specific technical context.
- Creation and adoption of standards and regulations tend to have their basis in an industry-specific use case.
- We see both problems and solutions within the limits of existing vocabulary.
- It is easier to solve a problem in isolation than to consider all the relevant existing efforts completed by others to solve the same problem.
After a month of frustrated attempts to use my dog-sized brain to grasp a standards ontology for IT audit[131], the limits of my efforts took shape. What can we offer in the area of best approach, without a framework database, normalized criteria, common process contents and updated legal and risk-based audit requirements? Given 270,000 registered standards, no one sees the entire picture, but that shouldn’t keep us from using a system of placeholders aligned to best sources based in our audit context.
Until medical science establishes an object-oriented brain chip that can transfer intelligence using such principles as inheritance, any single instance of vision is only as good as any individual’s or team’s best representation at any single point in time. Efforts observing how people solve a problem produce grains of goodness. As for duplications of effort and papers that seem to overlap, I realize now that overlap is the greatest indication that we have found common wisdom so far. Located in Appendix A, a screenshot shows the database and supporting tables that help me to see what’s important to audit competency and how I track sources across the domains of technology, audit and law. Since the content lacks formal professional body review, I make no claim of assurance that the content is either comprehensive or complete. It’s what I do to tackle my own ignorance, and maybe you will find its design useful. Unfortunately, the greatest tools are the ones we build. The act of construction counts for almost all of our learning. That’s why we have to let baby organizations live.
As a part of learning and a way to increase design clarity, I tried to compare publications fairly for common elements (an ontology), selecting for the study ten substantial contributions to current thinking in security and risk management. Of course this failed. It took several months to align NIST SP 800-53, FISCAM and COBIT®, and that was using freely provided templates and a database[132]. It would take me at least three months to consume the Common Criteria, and I’ve just now finished the PCI VISA standard (which I once thought small, and now view as a substantial undertaking). Fortunately, the failure was in my arrogant belief that the problem had not already been solved by larger and more qualified teams. I still got my answers. They just didn’t come from me.
Produced in March 2005 by Information Systems Audit and Control Association®, Information Security Harmonization— Classification of Global Guidance is primarily authored by Leslie Ann Macartney, CISA, CISM, UK. The publication includes all of the security and risk management documents I felt were critical to audit, and additionally involves a highly respected team and approach to their organization and comparison.
Scope
Selections based in common and generally accepted authority in security and risk management, included the following works.
- BS 7799 Part 2:2002 Information Security Management Systems—Specification with Guidance for Use is a specification for an information security management system.
- Control Objectives for Information and related Technology (COBIT), published by the IT Governance Institute, represents a collection of documents that can be classified as generally accepted framework and standards for IT governance, security, control and assurance.
- Systems Security Engineering—Capability Maturity Model (SSE-CMM) Model Description Document 3.0 is a guide to the concepts and application of a model to improve and assess security engineering capability.
- Generally Accepted Information Security Principles (GAISP) is a collection of security principles that has been defined and produced as a collective effort by members of the organizations involved.
- The Information Security Forum’s (ISF’s) Standard of Good Practice for Information Security is a collection of information security principles and practices.
- ISO/IEC 13335 Information Technology—Guidelines for the Management of IT Security, released by the International Organization for Standardization and the International Electrotechnical Commission, is technical guidance subdivided into five parts which provide guidance on aspects of information security management.
- ISO/TR 13569: 1997 Banking and Related Financial Services—Information Security Guidelines, released by the International Organization for Standardization, is a grouping of security concepts and suggested control objectives and solutions for financial sector organizations.
- ISO/IEC 15408:1999 Security Techniques—Evaluation Criteria for IT Security is based on the Common Criteria for Information Technology Security Evaluation 2.0 (CC). ISO/IEC 15408:1999 is used as a reference to evaluate and certify the security of IT products and systems.
- ISO/IEC 17799:2000 Information Technology—Code of Practice for Information Security Management is a collection of information security practices.
- The IT Infrastructure Library’s (ITIL®’s) Security Management is a methodology describing how IT security management processes link into other IT infrastructure management processes.
- NIST 800-12 An Introduction to Computer Security—The NIST Handbook, released by the US National Institute of Standards and Technology (NIST), describes the common requirements for managing and implementing a computer security program and some guidance on the types of controls that are required.
- NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems is a collection of principles and practices to establish and maintain system security.
- NIST 800-18 Guide for Developing Security Plans for Information Technology Systems provides a format and guidance for developing a system security plan.
- NIST 800-53 Recommended Security Controls for Federal Information Systems provides a set of baseline security controls.
- Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE) is a set of principles, attributes and outputs for risk assessment.
- Organization for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks provides a set of nine information security principles aimed at fostering a “culture of security”.
- Open Group’s Manager’s Guide to Information Security is a booklet providing general guidance for IT managers on acquiring secure IT products and systems.
The Classification Framework
A goal of this project was to produce a comprehensive document that evaluated all selected security guidance in the same manner, using the same criteria. The following approach was used to evaluate the guidance:
- Issuer
- Document taxonomy
- Circulation
- Goal(s)
- Information security drivers for implementing the guidance
- Related risks of not using or implementing
- Target audience
- Timeliness
- Certification opportunities
- Completeness
- Availability
- Recognition/reputation
- Usage
- CISM domain alignment
- Description
Instead, I took a step back to my ISO roots and chose to represent a common Entity Resource model for COBIT®, COSO, FISCAM, BS 7799 Part 2 and the PCI VISA Data Standard CISP version 2. I reread an older document that offered a reminder of the importance of common process and its language, the May 1998 NIST IR Process Specification Language[133]. What I did get from the exercise was a short list of standards worth normalizing in content.
The results were a leveled view of COBIT® 4.0, ITIL® 2, FISCAM Appendix III, COSO – Internal Control Framework: Guidance for Small Business, CISP ver 2.3 PCI Data Standard, NIST Special Publication 800-53, BS 7799-2 and ISO/IEC 17799:2000.
Here is my attempt to compare Apples and Apples. The snapshot is an interface used to establish best standard and mapped standards for design of security related assessments.

The database has evolved a long way since its early days. The list of source documents alone is incredibly long. All ERD and criterion referencing will be shared with the IIA’s AIC and the Standards Board of ISACA. There are a few more snapshots of the main interfaces in Appendix B. Using a rough schema, delivery to my organizations is slated for early next quarter, and the results will exist under copyright to OASIS, ISACA and IIA.
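The "system of placeholders aligned to best sources" described earlier, and the normalized criteria database of which the snapshot above is a view, reduce to a small relational model: sources, the controls each source publishes, the common criteria the auditor actually tests, and a mapping table joining the two. The following is an added example of that model (not the author's database or its ERD, whose real schema is not shown here): it builds the catalog in SQLite, answers "which controls from which sources satisfy this criterion", and reports the gaps that are the placeholders the text recommends. The control references are illustrative sample rows and the mapping is deliberately left incomplete so that the gap report has something to show.

```python
"""Normalized standards catalog: criteria cross-referenced to controls from
several source documents. Added example; rows are constructed samples."""
import sqlite3

SCHEMA = """
CREATE TABLE source    (id INTEGER PRIMARY KEY, name TEXT UNIQUE, issuer TEXT, version TEXT);
CREATE TABLE criterion (id INTEGER PRIMARY KEY, name TEXT UNIQUE, description TEXT);
CREATE TABLE control   (id INTEGER PRIMARY KEY,
                        source_id INTEGER NOT NULL REFERENCES source(id),
                        ref TEXT NOT NULL, title TEXT,
                        UNIQUE (source_id, ref));
-- one audit criterion may be satisfied by many controls, across many sources
CREATE TABLE mapping   (criterion_id INTEGER NOT NULL REFERENCES criterion(id),
                        control_id   INTEGER NOT NULL REFERENCES control(id),
                        PRIMARY KEY (criterion_id, control_id));
"""

# constructed sample rows: (source name, issuer, version)
SOURCES = [("NIST SP 800-53", "NIST", "rev 1"),
           ("COBIT", "ITGI", "4.0"),
           ("PCI DSS", "PCI SSC", "1.1")]
CRITERIA = [("Access control", "Users are uniquely identified and authorized"),
            ("Change management", "Changes are reviewed, approved and recorded")]
# (source, ref, title): illustrative control references from each source
CONTROLS = [("NIST SP 800-53", "AC-2", "Account Management"),
            ("NIST SP 800-53", "CM-3", "Configuration Change Control"),
            ("COBIT", "DS5", "Ensure Systems Security"),
            ("COBIT", "AI6", "Manage Changes"),
            ("PCI DSS", "Req 8", "Assign a unique ID to each person with computer access")]
# (criterion, source, ref): PCI DSS is intentionally not mapped for change management
MAPPINGS = [("Access control", "NIST SP 800-53", "AC-2"),
            ("Access control", "COBIT", "DS5"),
            ("Access control", "PCI DSS", "Req 8"),
            ("Change management", "NIST SP 800-53", "CM-3"),
            ("Change management", "COBIT", "AI6")]


def build_catalog() -> sqlite3.Connection:
    """Create the in-memory catalog and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO source(name, issuer, version) VALUES (?,?,?)", SOURCES)
    conn.executemany("INSERT INTO criterion(name, description) VALUES (?,?)", CRITERIA)
    conn.executemany(
        "INSERT INTO control(source_id, ref, title) "
        "SELECT s.id, ?, ? FROM source s WHERE s.name = ?",
        [(ref, title, src) for src, ref, title in CONTROLS])
    conn.executemany(
        "INSERT INTO mapping(criterion_id, control_id) "
        "SELECT c.id, k.id FROM criterion c, control k JOIN source s ON s.id = k.source_id "
        "WHERE c.name = ? AND s.name = ? AND k.ref = ?",
        MAPPINGS)
    conn.commit()
    return conn


def controls_for(conn: sqlite3.Connection, criterion: str) -> list:
    """All (source, ref, title) rows that satisfy one audit criterion."""
    return conn.execute(
        "SELECT s.name, k.ref, k.title FROM mapping m "
        "JOIN criterion c ON c.id = m.criterion_id "
        "JOIN control k ON k.id = m.control_id "
        "JOIN source s ON s.id = k.source_id "
        "WHERE c.name = ? ORDER BY s.name", (criterion,)).fetchall()


def coverage_gaps(conn: sqlite3.Connection) -> list:
    """(criterion, source) pairs with no mapped control: the placeholders to fill."""
    return conn.execute(
        "SELECT c.name, s.name FROM criterion c CROSS JOIN source s "
        "WHERE NOT EXISTS (SELECT 1 FROM mapping m JOIN control k ON k.id = m.control_id "
        "                  WHERE m.criterion_id = c.id AND k.source_id = s.id) "
        "ORDER BY c.name, s.name").fetchall()


if __name__ == "__main__":
    db = build_catalog()
    for crit, _ in CRITERIA:
        print(crit)
        for row in controls_for(db, crit):
            print("   ", *row)
    print("gaps (placeholders):", coverage_gaps(db))
```

The gap query is the useful part: it is a cross join of every criterion with every source, minus the pairs a mapping already covers, which is exactly the list of placeholders an auditor has to either fill from the source document or record as "not addressed by this standard".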
Auditors need to stay current in the proper use and deployment of applications, configurations and best practices in all aspects of technology. Technology management applications, agents and processes are a collective compliance toolbox, supporting evidence of best practice in enterprise frameworks and of the minimum networking and data management controls legally required for Enterprise Management. We have to be current in the benchmarks and standards defining all areas of IT best practice. Among the ocean of products claiming instant cures to every compliance ailment are the very same invaluable resources that make it possible to perform the duties of technology management and audit.
A final thought: legal discussion among information auditors tends to overfocus on three legal Acts, SOA, GLBA, and HIPAA. Our professional mandate includes knowledge of regulatory requirements as mandated in the context of our placement, be it industry, military, government or private sector. We are accountable to this requirement, not the company’s Legal Staff. When the audit fails to consider legal requirements, the person on the hook is us.
Buyer beware
In Hollywood, a national crisis is quickly followed by high-profile names filming six to ten versions of the same bad movie. They all release in the space of two or three months. No writers are called in response to the times, since these are just scripts in the can, ready at any moment with a little hot water and a crisis tweak. Executives start screaming “Tsunami sells”, “War is big”, “Get me a Corporate Villain” … and unfortunately, we all know they get what is demanded, and even worse, these awful movies make money.
Good movies don’t need a popular crisis, and great products were great before SOX. Mature technology is born from engineering genius, business savvy, hard work and time. As for being a compliance product, just like the disaster movie outbreak, product vendors large and small will use market opportunity to dress up a failed idea and promise half-baked solutions that never make it out of beta, and as IT auditors, we have to be the ones to recognize when it’s time to call foul.
Second greatest hook of all time
In my opinion “Compliance” is the second greatest marketing hook of all time. Worsening the matter of articles lacking valid legal references is the marketing frenzy unleashed by the passing of Public Law 107-204, the Sarbanes-Oxley Act of 2002. Every technology product in the world can claim some form of “SOX remedy”, with the greatest number of claims targeting Section 404. On its own, this is not a bad thing. Tools really do help companies comply with the need for internal controls. No matter the product’s original design, however, it became an all-purpose “compliance hammer.” As for the target of advertising, every publicly traded company in the United States became a Sarbanes-Oxley “nail.” A panicked public (whom I refer to as Fish, bait eaters and fish in a barrel) was undeniably hooked. Hopes for a silver-bullet compliance tool spawned even more legal babble and marketing hype.
Do these points have to contradict?
Standards and products created by public industry are equally as important as any created in audit organizations or government sanctioned research facilities. In fact, valid means for evidence in compliance often depends on the existence and proper implementation of every single one of these types of tools.
“People, Process and Technology” in today’s electronic economy is surpassed by the three T’s, “Techniques, Tools and Technologies”[134]. Organizations work to ensure our ability to maintain credibility in markets, protect U.S. interests and safeguard our patents, but they would never be successful without business interests and substantial financial backing from both government and corporate funds. ISO, ANSI, NIST, IEC, BSA, OASIS, IIA, ISACA and AICPA work with and require corporate contributions, including the intellectual capital of their corporate-sponsored private sector scientists and engineers. Simply stated, products don’t make a company compliant. Intelligent business models, however, include compliance requirements as part of any implementation, purchase and/or product design.
COTS alone can’t save us
White papers explain the design and use of a product, and are meaningful components in the acquisition and control process. Solid IT companies invest heavily in research and design, giving priority to effective management of compliance requirements. The best companies care for their own compliance first, and that trickles down as a standard in service delivery. Understanding how products enforce compliance is what gives standards their power. We should applaud and support the use of BSA, OASIS, IEC and all efforts that remove U.S. barriers to trade. Understanding how EMC, Oracle, Microsoft, HP, or IBM create the means for control in technology infrastructure is vital to our national strategy to secure cyberspace. Those are the critical white papers.
Tripwire, for example, makes the automated change audit achievable in almost everything from PeopleSoft modules to instant alerts when a remote network device is illegally added to an obscure branch office. The MKS toolkit, as another example, ensures via a web interface rules-based workflow and SDLC control for any type of development practice. Serena adeptly manages financial roles and segregation of duties issues as a routine course of operations among shops using SAP. The issues of data retention are at the forefront of product offerings addressing many levels of compliance, as cared for by such products as Centera, offered by EMC. Papers produced by, for and about EMC products offer insight into digital evidence, information retrieval and the consequences of violation when corporate practices fail to appreciate the complexity in the control of information.
You may be thinking this is where I sell out and slip you a bunch of infomercials. It is not.
Process alone can’t save us
Blindness to the need for technology is often found among the companies with the strongest set of business processes and policies. “We don’t let our users install on our network” is one of my favorite quotations. I heard these words spoken in the same room where a CEO offered to download my files via web mail on his private laptop. Configuration exceptions made for “special cases” are the tip of the iceberg, but offer at least one concrete example of why we need tools such as the products created by Tripwire and EMC. The management or mismanagement of digital information is a part of every employee, document and product in the path of running a business. We need to understand tools because evidence of their proper use is a large component of our job. Assessing a corporation’s control over information touches people, process and technology, but our process for evaluation involves technology, tools and technique.
As an ISO child, applying properties with relation to document owner, use and retention is just a way of doing business. I would not imagine it any other way. As the Final Rule on section 17a-4 of the already signed Sarbanes-Oxley Act was delivered for public view, I was surprised at the amount of response suggesting this was a new way to practice information archive and classification. There is a web site listing in eloquent summary the manner used by ISO 9001 to organize a data retention program. I’ve written to the author, and hope to get permission to say more about it. While the site is not offered directly by an accredited organization, the summary of concerns in the retention of documents is well stated and comprehensive.
The all-in-one notion of “Compliance Solutions” is forgivably appealing to executives desperate to pay compliance terrorists whatever ransom releases their hostage workforce. The irony here is that the workforce held hostage is likely the only means for technology compliance, and it won’t be accomplished through any single suite of solutions. Even the term compliance tool is an oxymoron. Is there a noncompliance tool? Products like ACL earn the right to be called a tool for compliance. My definition of a compliance tool is one that allows us to summarize metrics as they indicate the actual audit of application controls. Consider Tripwire, EMC, ACL, Bindview, MKS and Serena. They control change and configuration, providing all forms of evidence. Clearly controls, but the tools have a core purpose that is a technology function. The people who use them are what make a company compliant. Strong infrastructure management resources align to logical data and function owners in a service-oriented architecture. Success is achieved by domain experts who are actually capable of knowing the right tool when they find it. Technology professionals know the pain of implementing battleship solutions that introduce excessive change to an already stressed or non-adapting culture. Even if one suite of products could control every known area of business and technology, certainly 90% would fail for lack of time to customize its use, or worse, the customization would break any digitally binding evidence built into the tool in the first place.
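The automated change audit attributed to Tripwire above, and the "digitally binding evidence" this paragraph warns that careless customization can break, come down to one mechanism: hash a baseline of the files that matter, compare the next snapshot against it, and protect the baseline itself so that tampering with the evidence is detectable. The block below is an added example of that mechanism (not Tripwire's code, and not the EMC or Serena products' behaviour): it snapshots a directory tree, reports added, removed and modified files, and seals the baseline with an HMAC under a key that in real use would live off the audited host. The directory contents and the drift applied to them are constructed for the demonstration.

```python
"""File-integrity change audit: baseline, diff, sealed evidence.
Added example; directory contents below are constructed."""
import hashlib
import hmac
import json
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return out


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def seal(baseline: dict, key: bytes) -> str:
    """HMAC over canonical JSON of the baseline; the tag is the audit evidence."""
    canon = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_seal(baseline: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(baseline, key), tag)


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Build a constructed tree, take a sealed baseline, apply drift, report."""
    key = b"constructed-demo-key; a real key stays off the audited host"
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", b"debug=0\n")
        _write(root, "bin/tool", b"constructed binary contents\n")
        baseline = snapshot(root)
        tag = seal(baseline, key)

        # constructed drift: a config edit, a new file dropped in, a binary removed
        _write(root, "etc/app.conf", b"debug=1\n")
        _write(root, "etc/extra.conf", b"listen=0.0.0.0\n")
        os.remove(os.path.join(root, "bin", "tool"))
        current = snapshot(root)

        report = diff_snapshots(baseline, current)
        report["baseline_intact"] = verify_seal(baseline, key, tag)
        # someone "customizing" the evidence to hide the config change fails the seal
        tampered = dict(baseline, **{"etc/app.conf": current["etc/app.conf"]})
        report["tampering_detected"] = not verify_seal(tampered, key, tag)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is the evidence an auditor asks for: not "the tool was installed", but which paths changed between two points in time and proof that the baseline used for the comparison is the one that was sealed.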
These points are common sense.
Application Development and Acquisition is a science. Tools that align to regulation and standards have a common characteristic: they have long aligned to respected frameworks. Consider the history of PMI, TQM, W3C, BSA and SEI. They were big before the hype. Consider the suite of technology implementation guides produced by ITIL® being re-released with greater attention to current technology requirements. Note that the creators of our best weapons against computer abuse and fraud have been at this for a long time, were involved in the creation of standards and legislation, and grew up with the standards.
If any of this is new information, I suggest putting a foundation certificate in IT Service Management in front of all other tasks on your calendar this month. The curriculum follows the first three titles in a substantial list of notable works, advancing general knowledge of frameworks and terminology. Results from this knowledge include the ability to discern compliance hype based in FUD (Fear, Uncertainty and Doubt) from compliance theory, such as ITIL®, COBIT® and ISO 17799 derived security works. ISACA, EXIM and InteQ offer excellent online certification training. The experiences of our company indicate a TSM certificate is achieved in four weekends. ISEB certification is not the only path to gaining knowledge. The following series of book and CD resources is available for purchase at the TSO Online Bookstore.
- Introduction to ITIL®
- Service Support
- Service Delivery
- Planning to Implement Service Management
- Security Management
- The Business Perspective,
- ICT Infrastructure Management
- Application Management
- Software Asset Management
- ICT plans are produced and circulated to the appropriate IT Service Management and Business Management on a regular basis
- Changes to architectures, plans, designs, configurations are reviewed and approved
- Any changes that impact on the ICT services are appropriately assessed and the risks and impact made clear
- ICT components and services are adequately managed and administered
- ICT components and services are appropriately monitored and that there is adequate funding for the necessary tools to support diagnostic and performance monitoring
- There is adequate monitoring of security and supporting procedures
- There are appropriate plans for recruitment, training and development of ICTIM staff
- The quality and cost of ICT services are monitored and controlled to ensure that they are matched to business needs and are provided within budget
- Appropriate regulations and standards are enforced
- Regular audits and risk analysis of the ICT infrastructure are conducted
- Relationships with suppliers and partners are developed accordingly, with compliance to contractual commitments
- Regular reviews of ICTIM processes are performed.
- ICT Infrastructure Managers may play a key coordination role as part of a business change program and in crisis management[135].
Factors affecting world trade:
No matter what we buy or what we build, it is pointless to proceed without consideration for the financial, digital, and privacy mandates as required for World Trade. The very definition of information, transaction and retainable data change with each passing day. You might think the industry leaders have considered this since the beginning, albeit with varying moral intent, such that using established tools and vendors would guarantee safe trade and profit. This is not so. On any given day, news stories include headlines like today’s Computer World article “Microsoft faces order to modify Windows in South Korea.” This and many more articles regarding international policy can be found at: www.computerworld.com.
The statutes of European Digital Rights are available at EDRI: www.edri.org.
When looking to purchase technology products, those lacking evidence of alignment to international barriers to trade deserve lower rank or even complete elimination from vendor consideration. Companies that are not actively involved in regulatory alignment simply won’t hold up in the global market. Awareness of international legal requirements is not exclusively managed by larger corporations, nor ignored by all non-public corporations. It’s a factor that must be evaluated before inviting any vendor to provide either an RFI or an RFP. Without consideration for legal exposure, the product will not meet Common Criteria standards and will likely lack alignment to the PCI VISA standard, which could result in loss of the privilege to engage in e-commerce. Digital Rights, both in Europe and the United States, gain increasing regulation and granularity of definition, with changes occurring even in the span of writing this paper.
For the study of European and International laws as they affect technology and information standards, consider adding these important web sites to your favorites:
http://www.edri.org/ the European Digital Rights foundation, including 21 privacy and civil rights organizations from 14 different countries in Europe
Computer World News http://www.computerworld.com/governmenttopics/government/policy
http://www.ijclp.org/ IJCLP, a joint project of The Administrative Law Department of the Institute for Information, Telecommunications and Media Law (ITM) at the University of Münster, Germany and The Information Society Project at Yale Law School, U.S.A.
Products that cannot conform to retention and restrictions as mandated by European Digital Rights will, at the very least, need to demonstrate exactly how their services and inventory will steer clear of non-United States internet traffic. One way or another, companies ignoring US and International Law will become both news and liability. Remember, an Eagle spots prey from a thousand feet. Hungry legal Eagles eat companies violating world trade and copyright law as a regular diet. The notion of self-contained requirements is pretty much long gone.
Birth announcement
I added a post it flag to a new pile. It reads “Mount Recycle.”

[126] United States Congress, "Computer Security Enhancement Act of 1997", in Public Law 100-418, H.R. 1903, Calendar No. 718, & Report No. 105-412 (1998), SEC. 1-14. Note: "To amend the National Institute of Standards and Technology Act to enhance the ability of the National Institute of Standards and Technology to improve computer security, and for other purposes."
[127] Payment Card Industry (PCI) Data Security Standard, op.cit.
Note: While providing support to our CISA study group, Bruce I Winters CPA, CISA, of PricewaterhouseCoopers LLP – CT, shared this work (and a wealth of industry knowledge). Sustainable compliance is a new domain for the integration of all IT Infrastructure and Enterprise Management. The topic has provoked tremendous advance in the concepts of configuration and process, adding entire divisions of study to every institution of learning and changing the way we think about the creation of even the smallest snippet of code for the simplest of devices.
[130] Stanley Kubrick & Arthur C. Clarke, "HAL", HAL 9000, in 2001: A Space Odyssey, USA Box Office: MGM Home Entertainment, 1968.
[131] Tom Gruber, What is an Ontology?, KSL, Knowledge Systems, AI Laboratory, Stanford University. Retrieved December 1, 2005 from http://www-ksl.stanford.edu/kst/what-is-an-ontology.html. Note: “An ontology is an explicit specification of a conceptualization. […] We use common ontologies to describe ontological commitments for a set of agents so that they can communicate about a domain of discourse without necessarily operating on a globally shared theory."
[132] NIST SP 800-53 Database Application is available for download at < http://csrc.nist.gov/sec-cert/download-800-53database.html>
[133] OntoWeb Project, OntoWeb Working Group on Process Standards. Retrieved December 1, 2005 from http://www.aiai.ed.ac.uk/project/ontoweb/. Amy Knutilla, Craig Schlenoff, Steven Ray, Stephen T. Polyak, Austin Tate, Shu Chiun Cheah and Richard C. Anderson: "Process Specification Language: An Analysis of Existing Representations," NISTIR 6160, National Institute of Standards and Technology, Gaithersburg, MD, 1998.
[134] OGC, ICT Infrastructure Management Manual, op.cit., Section 2.7, pp. 59-63.
[135] Idem.