Get the data and proportionality[151]
Robert McNamara’s revealing commentary in the Errol Morris film The Fog of War[152], regarding the decision frameworks that prolonged the Vietnam war, includes lessons about information and data. Morris explains in an NPR interview that reading Paul Hendrickson's book, “The Living and the Dead: Robert McNamara and Five Lives of a Lost War,” set the film in motion. As explained on the NPR website, "Robert McNamara was a believer in control accounting [...] a mathematical way to analyze and evaluate systems. […] and was plucked from success at the Ford Motor Company to become President John F. Kennedy's Secretary of Defense. His unique approach to management guided the United States involvement in Vietnam[153]."
Biographers and McNamara himself share a sense of irony in portraying the Fog of War lesson “Get the Data.” Commentary regarding a speech delivered by a class of ’39 graduate to his HBS alumni highlights his conviction that “Statistical data could instead be used proactively as a general management tool for analyzing an organization’s production and operations and measuring the efficacy of problem-solving initiatives.” In spite of this, McNamara explained that the conventional wisdom about the domino theory and the question of whether U.S. troops could ever in fact prevent the loss of South Vietnam “was never debated at the government’s highest levels.” In the case of Iraq, he says, “there are comparable issues that appear to have never been debated. That includes ‘nation-building’ or what would happen after we passed through major military operations.”
Frameworks used for the analysis of risk, including financial, digital, criminal, military and social, and the ontology that may be common to those frameworks, are topics deserving debate and global anticipation. The implications of efforts to develop world standards for the design of detective, preventive and predictive controls are only now gaining popular interest in national strategy, market demand and prioritized government-funded research.
The greatest lessons, however, are the simple ones. Realizing Robert McNamara’s professional history involved controls for both the World Bank and U.S. Department of Defense, I felt compelled to read the observations of an Eagle again.
Does the punishment fit the crime?
If your favorite pastime is cooking books, or you happen to run an electronic smuggling operation over parallel circuits beneath the data center floor, you certainly have my permission to feel all sorts of fear, uncertainty and doubt. IT controls and their associated tools detect a lot of good and bad practice. Punishment, however, is for people who commit crime. The Sarbanes-Oxley Act became a landmark when accountability was publicly enforced through sentencing and jail time. Control frameworks, however, existed long before the events of this decade’s most notorious financial crimes. Jail time for the likes of Dennis Kozlowski (Tyco), Bernard Ebbers (WorldCom), John Rigas (Adelphia) and who knows, perhaps even Michael Brown (FEMA/Katrina) is a punishment that fits. Citing those eleven lessons again, ‘proportionality’ must always be applied. Forcing a public company to spend more time on controls than on the path of its core business begs a lot of questions around fairness and legal intent. The standards we apply as auditors should not have the look and feel of punishment. Controls leverage technology to bring value to the business. The goal of audit is certainly to assure practice and prevent fraud, but it is not about retribution or personal fame, and it certainly does not bring a company revenue. Risk is only relative to a company’s capacity to stay in business.
Do you mind one last question?
If desperation is what it takes to produce, “Please sir, can I have some more?”
Great developers often say the occasional server crash, file corruption or waterlogged backup tape has resulted in their best work. Rewrites are a chance to fix the details we wish we had known before we started. Not much in our life allows us this luxury. Rewrites are good.
T.S. Eliot has been cited a great deal since The Fog of War included Robert McNamara’s reciting of the poem:
“We shall not cease from exploration
And the end of all our exploring
Will be to arrive where we started
And know the place for the first time[155]."
Maybe this is an Eagle’s best lesson: Vision is never perfect until it looks forward, side to side, and backward, at our history.
Rewriting a standard improves its application and the community involved in its making. The best reason for rewriting already great standards, such as ISO/IEC 17799:2005, ITIL® v2 and COBIT® 4th edition, is expanded perspectives and distributed ownership. Comparing different Risk and Security Management guidelines produced by valid authorities, comprised of credible and experienced teams, only revealed that each group, based in a slightly different audience scope and requirement, contributed usable and outstanding content to our field.
Increasing the number of people in the world who feel personally involved in information control is a good thing. To emerging groups, such as ITPI, the Association for Business Process Management (ABPM) and a myriad of Local Interest Groups: I am humbled by their enthusiasm and commitment. Their leaders no doubt are wolf spirits, so I honor them with a reminder of Rudyard Kipling’s Law For Wolves.
The Law for the Wolves
Now this is the law of the jungle, as old and as true as the sky,
And the wolf that shall keep it may prosper, but the wolf that shall break it must die.
As the creeper that girdles the tree trunk, the law runneth forward and back;
For the strength of the pack is the wolf, and the strength of the wolf is the pack. […][156]
For every organization skating the thin ice between influence and violation of copyright, publishing standards based entirely on ISO/IEC 17799:2005, COBIT®, ITIL® or COSO, I’ll just say, “Hats off to you.” I prefer to buy my standards, if for no other reason than the liability of data management mistakes, enabling fraudulent use of other people’s information, 100,000.00 per-instance software license infringement fines, and things that go bump in the night[157].
ISO/IEC/ANSI, AICPA, ISACA, NIST, CMU/CERT and the IIA provide all the raw ingredients for a diet balanced in current best practice across every area of information systems and infrastructure management. Tom Lamm[158], Brian Selby, Dan Swanson, Ron Hale, Fred Cummins, Tim Howes, Jamey Bryce Clark, Charles Le Grand[159], Gene Kim, George Spafford Jr., Julia Allen, Bruce Winters, and Mike Hines have collectively written works I will read for the rest of my life, but at least I can be confident that the best work is the most recent. That I can conquer right now. These people have spent a lifetime sharing ideas, feeding their children, running businesses, coaching little league, publishing masterful works, answering our posts, getting married, divorced, married again… Most amazing and true, they actually talk to me, a plain old part squirrel, part rescue Dog.
Our Leaders are not preoccupied with a need to ensure all audit problems are solved by their own frameworks and theirs alone. In fact, they are more likely to start any conversation with a list of what they don’t know, inviting all the energy of what Richard Feynman (Nobel Prize winner) describes as “the pleasure of finding things out[160]." They will introduce future bills, write to members of the PCAOB, SEC and Congress, appear before committee, and forever be listed in the footnotes of regulations and standards, affecting everything from banking to the standard of density for fasteners and threads.
Leaders and Eagles do not pop up like mushrooms four hours after any new regulation is signed into law[161]. Their names mark a progression of community. No doubt they began in a toddler organization, and some may have joined troops fairly advanced in the fight, but each beginning grew to professional leadership. Maybe their secret power is being a master of change, appearing as a member of the GAISP standard committee, then appearing as contributors to ISACA or IIA publications, and emerging again in legal journals, and once more on the committee known as the CISWG (Computer Information Security Working Group).
Today these foundation ideas continue in the BS 27000 series. The recent BS ISO/IEC 17799 (BS 7799-1) and BS ISO/IEC 27001:2005 (BS 7799-2:2005) publications demonstrate lifetimes of commitment to concepts respected worldwide. Every major player in the standards game has at least one team working to remove duplications, with ISO 9000 (Quality Management), ISO 14001 (Environment), OHSAS 18001 (Occupational Health & Safety), and all forms of BS 7799-1 and 7799-2 (aka the ISO/IEC 17799:2005 and related series) taking the lead[162]. There are substantial shifts in language from IT Service Management to a broader ICT Infrastructure Management in all areas that pertain to information systems. The expanded use of ICT Infrastructure in place of ITIL® Service Management and Service Delivery concepts makes room for a broader and more comprehensive mapping between British Standards and other frameworks, such as the COBIT® 4th edition by ISACA, NIST Special Publication 53a, FISCAM Volume Two and the ISG Tool[163] produced by the Computer and Network Security Task Force, which was created by members of the CISWG[164].
Being a loyal Dog, I really can’t solve world hunger. I put my family and company in various annual giving programs because there are no small parts, only small contributors.
After brief adjustment counseling, Mount Must Read™ has accepted that less is sometimes more. He may not be tall, but he’s quality. In all matters of “keep or throw” he will give up old white papers as long as they go to his better half and loving partner, Mount Recycle™.
It’s time for the end of down time and recovery. I am restored and ready for work. There’s just one last question:
Why didn’t I write any of that?
I doubt that any completely original ideas still exist. I’m not expecting to have one. I doubt any one person is able to see all the regulations and standards in one big picture, but if that Eagle is out there, my bet is he or she is working in a well recognized team. All I learned from this journey of reading is there is still so much more that I don’t know.
I would however, like to clear up one issue. Here’s my final ruling:
“With regard to alleged problems caused by overlap and conflicts in laws and standards; it is the recommendation of this jury, including Loyal Dog, Mount Recycle™ and Mount Must Read™, that due to lack of evidence supporting conflict or damages, the case of Overlap vs. Too Much Information is now dismissed.”
It’s all good. Make your own strategy, tackle the mountain and enjoy a nice long read.
I’ve started a small list of rules on the white board by my desk:
Rule number one: Never move data
- Focus on legitimate location by classification and information type.
- Use access control to limit change and use
- Use registered sources of information where the responsibility lies on them to keep data and standards current
- Decouple normalized data from stored data by creating business rules for data lookup
- Attend to emerging standards by W3C and OASIS to ensure that the smallest amount of unique information is all that we store in any process
- Invest in real-time valid feeds for standards of measure and control, so the standards are managed by the subject matter experts and the business is configured to leverage those controls
Rule number three: Common language equals common mission
- Ensure that all persons have ready access and training in the name and scope of all management functional areas, processes and programs by title
- Use the best sources for a current normalized glossary, including NIST, OGC, ISACA, ANSI, NISO, WTO, W3C, OISWG
Rule number four: Believe in the myth that someone has already solved this
- Even if a problem is yet to be solved, there are people out there who share your quest and who will only add to your vision and quality of solution. None of us is as smart as all of us.
- If people who share your interest don’t seem to exist, keep looking.
- Believe in the myth that YOU can solve the problem. Genius is exclusive to people with the tenacity to continuously fail until they succeed.
Rule number five: Process optimization is what makes a process real
- Being unique isn’t the only way to bring value. Even if concepts can’t be patented, showing the world how to be faster, safer and more efficient still holds great value. Admitting existing work deserves alignment to current concepts is the first step. Every rewrite makes us stronger. Allowing others to make our own works better shows humility and true maturity.
Rule number six: Don’t re-work the design of others and claim to own their ideas
- Use industry standard names to construct the names of all things. Giving credit to great frameworks and standards validates mature methodology and service quality
Rule number seven: Accurately represent the problem
- Ensure the right stakeholders agree with what needs to be solved
- Isolate the known from the unknown
- Reuse repeatable frameworks and configuration, including common language, definition of programs and process.
Rule number eight: Only record the variance from the norm
- Once a part of the configuration is defined, use it to extend the attributes of any other item. Only record the unique variance
- Comply with norms and standards by limiting acceptable variance.
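Rule number eight, “only record the variance from the norm” and “limit acceptable variance,” can be expressed directly as a configuration model. The example below is added here and is not code from the essay; the baseline settings, the variance policy and the two host variances are all constructed for illustration.

```python
"""Baseline-plus-variance configuration model (constructed example).

The baseline holds the normative settings every item inherits. Each host
records only the attributes in which it deviates, and a variance policy
limits which deviations are acceptable so that a control cannot be
silently weakened by a local override.
"""
from copy import deepcopy

# Constructed baseline: the norm that every host extends.
BASELINE = {
    "ssh": {"password_auth": False, "max_auth_tries": 3, "port": 22},
    "logging": {"forward_to_siem": True, "retention_days": 90},
    "tls": {"min_version": "1.2"},
}

# Constructed policy limiting acceptable variance per attribute:
#   locked -> may never deviate from the baseline
#   min    -> may be lowered, but not below this floor
#   max    -> may be raised, but not above this ceiling
#   any    -> free to vary
VARIANCE_POLICY = {
    "ssh.password_auth": {"locked": True},
    "ssh.max_auth_tries": {"max": 5},
    "ssh.port": {"any": True},
    "logging.forward_to_siem": {"locked": True},
    "logging.retention_days": {"min": 30},
    "tls.min_version": {"locked": True},  # only raised via baseline revision
}


def flatten(tree, prefix=""):
    """Turn nested sections into dotted keys, e.g. ssh.port -> 22."""
    out = {}
    for key, value in tree.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def check_variance(variance):
    """Return the list of policy violations in a recorded variance."""
    base = flatten(BASELINE)
    violations = []
    for key, value in flatten(variance).items():
        rule = VARIANCE_POLICY.get(key)
        if key not in base or rule is None:
            violations.append(f"{key}: not a baseline attribute; cannot vary")
        elif value == base[key]:
            violations.append(f"{key}: equals baseline; record only variance")
        elif rule.get("locked"):
            violations.append(f"{key}: locked at baseline value {base[key]!r}")
        elif "min" in rule and value < rule["min"]:
            violations.append(f"{key}: {value} below floor {rule['min']}")
        elif "max" in rule and value > rule["max"]:
            violations.append(f"{key}: {value} above ceiling {rule['max']}")
    return violations


def resolve(variance):
    """Effective configuration: the baseline extended by an accepted variance."""
    problems = check_variance(variance)
    if problems:
        raise ValueError("; ".join(problems))
    merged = deepcopy(BASELINE)
    for section, attrs in variance.items():
        merged[section].update(attrs)
    return merged
```

A host that moves SSH to port 2222, allows four tries and keeps a year of logs passes; a host that re-enables password authentication, raises tries to ten or keeps only seven days of logs is rejected with one message per violation.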
Rule number nine: Don't serve green eggs
- Factor the reception of presentation as equal in importance to all other elements combined. People can't use what they don't know they have. Be sure the delivery looks and feels like a practice already common to the culture. New tastes, textures and smells are never big hits at a pot luck supper. They are less popular in IT. They never work in business.
Rule number ten: Make it easier to get permission than forgiveness. Then, show no mercy.
- Factor protection of intellectual capital in the design and creation of content, approval and process
- The construction of configuration and information based in correct business logic and standards shouldn't feel like secret sauce or be too complicated to simply explain.
- Business rules make sense to the business.
- Data Validation makes sense to data entry.
- Without their visibility to the construction of an answer, we live at the mercy of people who were never able to accurately represent the problem.
- Strive to make “easier to beg forgiveness than get permission” thinking both moot and obsolete.
Tell everyone “Who, what, where, when and why”, or as the army has long understood, “the commander’s intent.” Focus on outcome, and be open to variation in the path that gets us there. Intended outcome, the representation of the problem, is more important than the instruction for its solution.
An accurate problem is more powerful than the implementation details. Frameworks and standards are about methodology. They are not, in and of themselves, the solution. In fact, they aren’t even the problem.
When we add minds to a project, it tends to extend time to finish and often results in failure. I think I know the reason why. We spend too much time instructing and not enough time sharing commander’s intent. We spend almost no time at all asking, “is this the right problem?”
This is why we can’t go through life as sheep. Sheep can’t ask if we are solving the right problem. They are not aware of the problem. We can’t live life as dogs. Dogs bark the instructions and bite those who appear to step out of line. Loyal as they may be, they also lack the capacity to ask if we are solving the right problem. Wolves are great problem solvers, but they may not share the answer, and they certainly are not concerned with issues affecting packs beyond their kin. Eagles see our landscape. Most of us lack the courage to open our minds, hearts and eyes to even a small portion of what Eagles perceive. We need our Humans, our leaders. We need to hear the problem and believe in our ability to contribute.
How many times have we accurately and flawlessly solved the wrong problem? We never know what others will bring to the solution, but one thing is sure: if any single approach was working, we would not need everyone else to solve the problem. Share the problem, share the wisdom, and believe in the brilliance of others.

[151] Get the Data and Proportionality
[152] The Fog of War
[153] Morris explains in NPR interview that reading Paul Hendrickson book
[154] You can't change human nature
[155] The Fog of War included Robert McNamara’s recit
[156] Rudyard Kipling’s Law For Wolves: Joseph Rudyard Kipling (December 30, 1865 – January 18, 1936) was a British author and poet, born in India. He is best known for the children's story The Jungle Book (1894), the Indian spy novel Kim (1901), the poems "Gunga Din" (1892) and "If—" (1895), and his many short stories. In 1907 he was awarded the Nobel Prize for Literature, and in 1934 he shared the Gothenburg Prize for Poetry with William Butler Yeats.
[157] Note: Recently, while preparing to take the CISA exam, a download found its way to my inbox claiming 600 study examples based in the 2005 information audit competency requirements. They were an export of the ISACA study manual questions, not only under copyright but representing critical revenue to an important organization. I was outraged. ISACA enforced the removal of the distributed material, but not before it had been downloaded
[158] Note: A contributing member to far too many publications, it is notable that Tom Lamm was part of The World Bank Technology Risk Checklist 6.0, a highly organized overview for assurance of implemented banking security practice. Published by The World Bank in 2003, Tom worked with a team that included Julia Allen. It’s that pattern again, of good minds showing up for all the most important occasions.
[159] Charles Le Grand , CIA, CISA, CDP, clegrand@theiia.org, was formerly Assistant Vice President of Technology Practices for The Institute of Internal Auditors. He provided direction to all areas of The IIA in the use of technology to deliver programs and products for the internal auditing profession. He was Director of Research for The IIA Research Foundation. Le Grand has served as technical advisor to the International Federation of Accountants Information Technology Committee and worked with other organizations concerned with technology and its security, control, auditing, and educational aspects. He also was IIA's staff member responsible for the landmark Systems Auditability and Control (SAC) research projects in 1990 and 1993.
[160] Richard P. Feynman & Jeffrey Robbins, The Pleasure of Finding Things Out, Cambridge: Perseus Publishing, 1999, p. 1.
[161] Note: This analogy is not alluding to Sarbanes-Oxley being extricated by Congress like a large pile of dung. That would lack respect. The sprouting of mushrooms on dung is the “self-proclaimed control experts” selling compliance service based in FUD tactics (Fear, Uncertainty, Doubt).
[162] Note: Efforts to keep ISO adapting are so pervasive that this would merit a full thesis of information on its own.
[163] EDUCAUSE. Information Security Governance Assessment Tool For Higher Education. Retrieved December 1, 2005 from http://www.educause.edu/ir/library/pdf/SEC0421.pdf.
[164] EDUCAUSE & Internet2. Computer and Network Security Task Force. Retrieved December 1, 2005 from http://www.educause.edu/Elements/Attachments/security/flyer.pdf. Note: "Established by EDUCAUSE and Internet2 in July 2000, the Computer and Network Security Task Force works to improve awareness among the EDUCAUSE and Internet2 memberships and throughout higher education and actively promotes effective practices and solutions for the protection of information assets and critical infrastructures. The Security Task Force coordinates its efforts on behalf of institutions of higher education with the support of the Higher Education Information Technology Alliance (www.heitalliance.org), whose members include the American Association of Community Colleges, the American Association of State Colleges and Universities, the American Council on Education, the Association of American Universities, the National Association of Independent Colleges and Universities, and the National Association of State Universities and Land-Grant Colleges."
[165] Public Law 104-13 http://www.educause.edu/ir/library/pdf/SEH. As explained on their web site: EDUCAUSE and Internet2 established the Computer and Network Security Task Force in July 2000. The Task Force is working to improve awareness among the EDUCAUSE and Internet2 memberships and throughout higher education. The Security Task Force actively promotes effective practices and solutions for the protection of information assets and critical infrastructures. The Security Task Force is coordinating its efforts on behalf of institute.
