The Perils of Mount Must Read™

The Perils of Mount Must Read™: Confessions of a Cliff Note Junky [Go to Preface] [Table of Contents] Are you sure I’m in recovery? I will conquer Mount Must Read™ Waste no time Compliance Farm™(sidebar) What should an IS Auditor eat? Touchdown! Blame someone Legal G-A-P What I dont know Please don’t ... back to high school Congress paid to think Say "Goodbye" to statute virginity Give up the white paper crutch Can someone help me down My Mother told me to say I’m sorry Basic principals of a well rounded diet How do you keep that stunning figure? Trade secrets You can’t make me download! GAO, is that you? Regarding recovery Even the score The diet starts today Birth records, death certificates If it makes sense, it exists A trip to the Standards Mall Lowest Common Denominator How low can you go? The more you know, the less you Fundamental Five A simpler selection criteria How did I miss the Common Criteria? These are not Cliff Notes Seems like a Schema to me Where are you taking me? Honest Doc, I looked Get to higher ground Open the computer bay, HAL Naked without our tools Second greatest hook of all time COTS alone can’t save us Process alone can’t save us Factors affecting world trade: Birth announcement Enough about them, let’s talk about Did you happen to notice ? A problem not owned You want me to kill them now? “Dreams are like stars... I don’t want a baby brother Competition is the spice of life Get the data and proportionality Does the punishment fit the crime? Do you mind one last question? Why didn’t I write any of that? Conclusion & Appendix Stuff Just Rules Play Evolution Printer Friendly Text


Preface: ...Why should anyone read a story about a possessed reading pile and a recovering workaholic? With liberal dose of fantasy and humor, “The Perils of Mount Must Read™ chronicles a quest to conquer the mountain of reading required to just stay competent in information audit and technology. Admittedly, the intended audience has some background in compliance and IT. Even if the reader is not an IT auditor, the challenge to stay ahead of new tools and research in an industry with no respect for “too much information” is a familiar predicament. Add to that, an ego driven compulsion to make sense of every digitally available IT resource, and you have the essence of a modern day tragic hero, an information overload villain, and a quest for information peace and enlightenment. Becoming caught up in the race to remain competent in one’s profession is probably not unique to audit or technology. Blending fiction and truth, the tale aims for insight, suggesting solutions to the problem of what to read and who to regard as “expert” in our field. Laugh with me or at me, but please relax and consider quality over quantity as an alternative to drinking from the digital fire hose. Events transpire between October and December, and conclude with the New Year, 2006. Part fantasy and part truth, the characters admit their flaws and evolve a strategy for survival against “The Perils of Mount Must Read™.“ Many thanks to the persons who provided a wealth of great resources. Credits are scattered throughout the story and detailed in the endnotes. Hope you enjoy the read. Kind Regards, Robin Basham, M.IT, M.Ed. CISA, ITsM [TOP]

Rule number one: Never move data

Focus on legitimate location by classification and information type.
Use access control to limit change and use
Use registered sources of information where the responsibility lies on them to keep data and standards current

Rule number two: ‘Only handle it once’

Decouple normalized data from stored data by creating business rules for data lookup
Attend to emerging standards by W3C and OASIS to insure that the smallest amount of unique information is all that we store in any process
Invest in real time valid feeds for standards of measure and control, so the standards are managed by the subject matter experts and the business is configured to leverage those controls

Rule number three: Common language equals common mission

Insure that all persons have ready access and training in the name and scope of all management functional areas, processes and programs by title
Use the best sources for current normalized glossary in including NIST, OGC, ISACA, ANSI, NISO, WTO, W3C , OISWG

Rule number four: Believe in the myth that someone has already solved this

Even if a problem is yet to be solved, there are people out there who share your quest and who will only add to your vision and quality of solution None of us is as smart as all of us.
If people who share your interest don’t seem to exist, keep looking.
Believe in the myth that YOU can solve the problem. Genius is exclusive to people with the tenacity to continuously fail until they succeed.

Rule number five: Process optimization is what makes a process real

Being unique isn’t the only way to bring value. Even if concepts can’t be patented, showing the world how to be faster, safer and more efficient still holds great value. Admitting existing work deserves alignment to current concepts is the first step. Every rewrite makes us stronger. Allowing others to make our own works better shows humility and true maturity.

Rule number six: Don’t re-work the design of others and claim to own their ideas

Use industry standard names to construct the names of all things. Giving credit to great frameworks and standards validates mature methodology and service quality

Rule number seven: Accurately represent the problem

Ensure the right stakeholders agree with what needs to be solved
Isolate the known from the unknown
Reuse repeatable frameworks and configuration, including common language, definition of programs and process.

Rule number eight: Only record the variance from the norm

Once a part of the configuration is defined, use it to extend the attributes of any other item. Only record the unique variance
Comply with norms and standards by limiting acceptable variance.

Rule number nine: Don't serve green eggs

Factor the reception of presentation as equal in importance to all other elements combined. People can't use what they don't know they have. Be sure the delivery looks and feels like a practice already common to the culture. New tastes, textures and smells are never big hits at a pot luck supper. They are less popular in IT. They never work in business.

Rule number ten: Make it easier to get permission than forgiveness. Then, show no mercy.

Factor protection of intellectual capital in the design and creation of content, approval and process
The construction of configuration and information based in correct business logic and standards shouldn't feel like secret sauce or be too complicated to simply explain.
Business rules make sense to the business.
Data Validation makes sense to data entry.
Without their visibility to the construction of an answer, we live at the mercy of people who were never able to accurately represent the problem.
Strive to make “easier to beg forgiveness than get permission” thinking both mute and obsolete.

Bibliography

This bibliography includes references whose source is not previously cited within the document text. Also included are references to influential people and other documents related to the subject area.

Berinato, Scott , Darwin Magazine, http://www.darwinmag.com/read/0502/apples.html.
BSI, British Standards Institute, "BS ISO/IEC 17799:2005", in British Standard ISO/IEC 27001:2005, London, United Kingdom: The Stationary Office, 2005.
Clark, James Bryce(jamie.clark@oasis-open.org), Shearman & Sterling, New York, http://www.oasis-open.org/who/tab.php#jclark.
Deming, Edwards (1986), "14 Points for Management", in Out of Crisis, 1986, Cambridge: The MIT Press, http://www.deming.org/resources/books.html.
EDUCAUSE & Internet2, Computer and Network Security Task Force, http://www.educause.edu/Elements/Attachments/security/flyer.pdf, and Information Security
Governance Assessment Tool for Higher Education, http://www.educause.edu/ir/library/pdf/SEC0421.pdf.
FASP, Federal Agency Security Practices, "STIGs, Security Technical Implementation Guides",http://csrc.nist.gov/pcig/cig.html.
FERF, Financial Executives Research Foundation, http://www.fei.org/rf/.
FIPS, Federal Information Processing Standards Publication, http://www.itl.nist.gov/fipspubs/.
Frye, Emily, “Cybersecurity and Corporate Governance Now: Does It Take Liability to Get Attention?”, in American Bar Association, Section Of Science & Technology Law, Chicago 2005, http://www.documation.com/aba/pdfs/004.pdf.
GAAP, Generally Accepted Accounting Principles, http://www.fasab.gov/accepted.html.
GAP, Government Accountability Project, http://www.whistleblower.org/template/index.cfm.
Gibaldi, Joseph (2003), MLA Handbook for Writers of Research Papers, 6th Edition, http://www.mla.org/handbook.
Gruber, Tom , What is an Ontology?, KSL, Knowledge Systems, AI Laboratory, Stanford University, http://www-ksl.stanford.edu/kst/what-is-an-ontology.html.
McNamara, Robert S. and Morris, Errol, The Fog of War: Eleven Lessons from the Life of Robert S. McNamara, December 2003.
NHGRI, National Human Genome Research Institute, http://www.genome.gov/.
NSSN, National Standards Systems Network, "STAR, Standards Tracking and Automated Reporting, Services", http://www.nssn.org/star_intro.html.
OntoWeb Project, OntoWeb Working Group on Process Standards, http://www.aiai.ed.ac.uk/project/ontoweb/. Amy Knutilla, Craig Schlenoff, Steven Ray, Stephen T. Polyak, Austin Tate, Shu Chiun Cheah and Richard C. Anderson: "Process Specification Language: An Analysis of Existing Representations," NISTIR 6160, National Institute of Standards and Technology, Gaithersburg, MD, 1998.
PricewaterhouseCoopers on behalf of COSO, COSO, Enterprise Risk Management — Integrated Framework, AICPA, Volume 2, https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+-+Integrated+Framework.htm, & COSO (2005), Internal Control — Integrated Framework, Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting, AICPA, Exposure Draft, http://155.201.80.182/Coso/coserm.nsf/vwResources/PDF_IC/$FILE/COSO_FINAL_Draft_IC_Guidance.pdf.
Ross, Dr. Ron and NIST, Protecting Federal Information Systems and Networks, A Standards-based Security Certification Program for Operational Environments, http://cio.doe.gov/Conferences/Security/Presentations/RossRNIST.pps.
Skadden Biography, Michael S. Hines, http://www.skadden.com/index.cfm?contentID=45&bioID=2732.
Smith, Lawrence W. , "The FASB’s Efforts Toward Simplification", in The FASB Report, February 28, 2005, http://www.fasb.org/articles&reports/fasb_efforts_toward_simplification_tfr_feb_2005.pdf.
Spafford Jr., George , Spafford Global Consulting, Inc., Saint Joseph, MI, http://www.spaffordconsulting.com.
Swanson, Dan and Seccuris Inc., Security Benchmark, http://www.securitybenchmark.com.
TQM, Total Quality Management, http://www.managementhelp.org/quality/tqm/tqm.htm.
U.S. Department of Labor, Bureau of Labor Statistics, Occupational Employment and Wages, November 2004, http://www.bls.gov/oes/current/oes132011.htm.
U.S. Navy, Benefits, "Increasing Contractor Commitment", http://www.ar.navy.mil/aosfiles/tools/turbo/topics/cj.cfm.
United States Congress & Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census (2004). Oversight Hearing Statement by Adam Putnam, Chairman, Identity Theft: The Causes, Costs, Consequences, and Potential Solutions. http://www.reform.house.gov/UploadedFiles/Final%20Press%20Opening%20Statement%202.pdf, p. 5.
United States Congress, "DMCA", "Digital Millennium Copyright Act", in Public Law 105-304, H.R. 2281, S. 2037, & Congressional Record Vol. 144 (1998), Washington: U.S. Government Printing Office, 112 Stat. 2860 & 2905.
VISA International Service Association, Security Programs, http://corporate.visa.com/st/programs.jsp.
Walsh, Norman and Muellner, Leonard , DocBook: The Definitive Guide, O'Reilly & Associates, Inc, Version 1.0.2 (1999), http://www.oreilly.com/catalog/docbook/chapter/book/docbook.html.