The Perils of Mount Must Read

The Perils of Mount Must Read™
©Robin Basham Page 1 5/15/2006
The Perils of Mount Must Read™: Confessions of a Cliff Note Junky



Table of Contents

Preface (page 4)
The Perils of Mount Must Read™: Confessions of a Cliff Note Junky (page 5)
Are you sure I’m in recovery? (page 5)
I will conquer Mount Must Read™ (page 5)
Waste no time (page 6)
Compliance Farm™: Theory of Professional Practice Evolution (Non-linear) (page 8)
What should an Information Systems Auditor eat? (page 10)
Touchdown! Mount Must Read™ 7, Hometown 0 (page 11)
Blame someone (page 11)
Legal G-A-P (page 11)
What I don't know can't hurt me (page 12)
Please don’t make me go back to high school (page 15)
Good News, they pay people in congress to think (page 15)
Say "Goodbye" to statute virginity (page 17)
Give up the white paper crutch (page 18)
Can someone help me down from my horse? (page 19)
My Mother told me to say I’m sorry (page 19)
Basic principles of a well rounded diet (page 20)
How do you keep that stunning figure? (page 20)
Trade secrets (page 21)
You can’t make me download! (page 21)
GAO, is that you? (page 21)
Regarding recovery (page 22)
Even the score (page 22)
The diet starts today: All right today... first thing in the morning… I mean it this time (page 22)
Birth records, death certificates and standards euthanasia (page 23)
If it makes sense, it exists (page 23)
A trip to the Standards Mall (page 24)
Lowest Common Denominator (page 25)
How low can you go? (page 26)
The more you know, the less you have to say (page 27)
Fundamental Five (page 27)
A simpler selection criteria (page 28)
How did I miss the Common Criteria? (page 29)
These are not Cliff Notes (page 30)
Seems like a Schema to me (page 33)
Where are you taking me? (page 35)
Honest Doc, I looked everywhere. No expiration date. (page 36)
Darker and deeper (page 36)
Sucked in by detail (page 37)
Get to higher ground (page 37)
Open the computer bay, HAL (page 37)
Scope (page 38)
The Classification Framework (page 40)
Naked without our tools (page 41)
Buyer beware (page 41)
Second greatest hook of all time (page 41)
COTS alone can’t save us (page 42)
Process alone can’t save us (page 42)
Factors affecting world trade (page 44)
Birth announcement (page 45)
The buddy system (page 45)
Enough about them, let’s talk about us (page 46)
Say it ain’t so (page 47)
Did you happen to notice where I left a half million auditors? (page 47)
Found them! (page 47)
A problem not owned equals a problem not solved (page 48)
You want me to kill them now? (But they're so cute!) (page 48)
I don’t want a baby brother. Tell the stork to bring ideas. (page 50)
Competition is the spice of life (page 52)
Get the data and proportionality (page 53)
Does the punishment fit the crime? (page 54)
Do you mind one last question? (page 54)
Why didn’t I write any of that? (page 56)
Conclusion (page 57)
Appendix A: Database and Ontology (page 58)
Appendix B: Must Read's™ “Security and Risk Management” (page 60)
Bibliography (page 62)


Preface

Why should anyone read a story about a possessed reading pile and a recovering workaholic? With a liberal dose of fantasy and humor, “The Perils of Mount Must Read™” chronicles a quest to conquer the mountain of reading required just to stay competent in information audit and technology.

Admittedly, the intended audience has some background in compliance and IT. Even if the reader is not an IT auditor, the challenge to stay ahead of new tools and research in an industry with no respect for “too much information” is a familiar predicament. Add to that an ego-driven compulsion to make sense of every digitally available IT resource, and you have the essence of a modern-day tragic hero, an information overload villain, and a quest for information peace and enlightenment. Becoming caught up in the race to remain competent in one’s profession is probably not unique to audit or technology.

Blending fiction and truth, the tale aims for insight, suggesting solutions to the problem of what to read and who to regard as “expert” in our field.

Laugh with me or at me, but please relax and consider quality over quantity as an alternative to drinking from the digital fire hose.

Events transpire between October and December, and conclude with the New Year, 2006. Part fantasy and part truth, the characters admit their flaws and evolve a strategy for survival against “The Perils of Mount Must Read™.”

Many thanks to the persons who provided a wealth of great resources. Credits are scattered throughout the story and detailed in the endnotes.

Hope you enjoy the read.

Kind Regards,

Robin Basham, M.IT, M.Ed. CISA, ITSM


The Perils of Mount Must Read™: Confessions of a Cliff Note Junky © By Robin Basham

Ever have a day where the more you learn the less you know? Around here, it’s been that kind of year. Printing any resource that might aid a losing race to stay current in regulations and frameworks, a reading backlog grew from a minor elevation to a hill. As autumn fell, the pile extended beyond the height of our office, and the perilous pile acquired a name: “Mount Must Read™.”

In hindsight, I agree, this is hard to believe, but the story needs to be told. At the very least, consider it a fair warning that you could be next.

Are you sure I’m in recovery?

I had every right to feel on top of things. The degrees, certifications, business and friends were perfectly valid indicators of professional competence. Where the Sarbanes-Oxley Act of 2002 (SOA or SOX)[1], data privacy, COBIT®[2], COSO[3], ITIL®[4] and ISO/IEC 17799:2005[5] frameworks or any area of IT Audit were involved, I felt solid. Not a day went by without time on the ISACA[6] home page, and I can honestly say with each visit we gained at least one significant download. Like a lot of people in my field, the list of what I should read increasingly outpaces the list of what I could read. Secretly, confidence in my ability to lead in my field had been replaced by a nagging paranoia that I would not maintain a respectable position in the reading race. In fact, I doubted my ability to finish the race at all.

Then I found out I’d be having surgery classified as major and that I should plan on one to two months in ‘recovery’. No problem. White papers packed with slippers and duck, I slated five to ten hours of hospital down time to chapters 4 through 8 of the ICT Infrastructure Management Manual[7].

I realize people don’t read text books as they roll out of surgery, but the situation was beyond my control. I’m a pawn, a powerless sheep, manipulated by anxiety over an out of control reading list. It’s not just the daily emails listing articles and white papers that can’t be ignored. I’m a compulsive downloader, printing everything that seems to have use. The symbol of all knowledge became that mountain of unread documents.

More like Edgar Allan Poe’s The Tell-Tale Heart[8] than a personal Everest, Mount Must Read™ controls my life. It started as a harmless stack, documents I truly intended to read, but then I planted a flag at the summit. That fateful red and white post-it included two words. They were “Must Read™.” Once the pile knew its name, it gained power. Somewhere between hill and mountain, its soul became corrupted by the Dark Side[9].

I will conquer Mount Must Read™

I have to conquer him. For one thing, he’s blocking sunlight. (Please don't ask how I know Mount Must Read™ is male. You'll see soon enough.)

“Recovery” is a great word. I place it in the same category as “Down Time.” (I have no idea what either word means.) Using down time to tackle Mount Must Read™ (a.k.a. “MMR™” and “Must Read™”) is a perfect illustration of this problem.

Realizing that a stack of neglected documents would not hold my attention for very long, I constructed a challenge that might result in wealth or fame. I announced to myself, and within earshot of Mount Must Read™, “I will resolve duplicate legal requirements and rid our profession of redundant, competing technology standards.” It’s clear we need a short pile of "definitive required knowledge" and a safe means to disregard the rest. How many laws do we really need? It seems the ones that aren’t obsolete either mandate concepts that people don’t understand, can’t be implemented, or are completely ignored. De-duplicating laws and standards meant we might finally operate with a short list of laws and standards, earn back some actual “downtime” and achieve the mission to deliver visibility and assurance of IT compliance. I am an information systems auditor. Someone’s gotta do it.


Waste no time

Post surgery, day one was not as productive as planned. The only perk you get in ‘recovery’ is unlimited self-delusional power naps (the kind where you know everything and people care). Aided by a steady morphine drip, this particular dream began with a typical scenario. I propose a completely implausible solution to world hunger and a full session of Congress erupts into accolades. Feeling confident in my powers I make a classic Matrix gesture, the one where Neo signals Morpheus to “bring it on.”[10] A voice on the floor asks “are there any U.S. statutes that allow us to charge Superman in connection with hurricane Katrina?” I say "we have to review his contract," but no one is satisfied. The room fills with auditors, business owners, five star generals, and bankers. Like a thousand Mr. Smiths entering from a myriad of hallway doors, people keep asking questions with random sounds like “national strategy, FIPS[11], jurisdiction, FISMA[12], legal precedent, court martial, and FEMA[13].” Someone’s shouting “Senator, did you even read FISCAM[14]?" My ears sting from the buzz of federal codes, defense directives, public executive orders and a list of my apparent violations. Dream panic ends as I shout from my bed “that wasn’t even in the manual.”

A nurse is measuring milliliters of urine and smiling like I’m about to get a gold star. I hear, “Would you like something for the pain, honey?” mingled with the sound of squeaky treads fading out into the hall.

The dream was completely wrong. I’d been doing the delusional power routine long enough to know this was not my own mind's doing. Something or someone was responsible, and I only knew of one “something” that had motive to make me feel this way. I’ve suspected, but resisted speaking the words even to myself. It had been 72 hours since my last download. Mount Must Read’s™ hunger for fresh paper had driven him to new heights of intimidation. His evil broadcast storm followed me right into surgery.

Should this have worried me? Did he know that I knew? Was he listening now?

I shook off the experience as a post anesthesia fluke. The moment they freed me from nurse and catheter, it was business as usual.

Per my instruction, employees had carefully relocated Mount Must Read’s™ amputated peak to a stack of documents by my bed. The papers piled next to a rolling laptop tray, a gigabit LAN port, and a two-line phone. Browser poised to Google™ (the Oracle of all downloads), my quest and journey were ‘good to go’.

Being educated in research and statistics, my first steps began as a three-part hypothesis.

1. People create overlapping standards because they solve problems in isolation.

2. When existing law appears out of pace with technology people create new laws to hinder technology instead of understanding the technical context of an existing law's applicability.

3. People describe the same problems and find the same solutions, limited by their ability to perceive and describe. We can't see the overlap. We think we are different, but our standards are essentially the same.

I typed “audit frameworks standards law” and said with glee, “we’re off!” The Oracle answered, “Your search Results 1 - 10 of about 7,345,032 in .35 seconds.” Instant headache: much too wide a topic for my recovering mind. (I can’t imagine which of these four words unleashed smutty pop-ups, but clearly, I would have to do my own thinking until the anti-spam tool finished inoculating against 7,354 new browser exploits.)

First thought, “Why did I think I could do this?”

Took a legally prescribed substance and used a familiar warm-up question: “Why is there world hunger?” If Miss America can answer this, it shouldn’t cause a brain cramp. I’m thinking, “why can’t we feed entire regions of starving people, while the local health news says the only thing we’re losing is ground in the war against obesity? Do the people with food know that people are starving?” I can’t surf T.V., answer the phone, read the mail or go to the movies without someone suggesting ten new ways to donate. I admit that’s where I lost interest. Hunger is a challenge for Superman or Congress. I only like a challenge that I’m pretty sure I can solve. Moving on to my own dilemma I asked myself, “why have I collected so many mandates and frameworks and why can’t I get past the cover page without that dizzy sensation like I’m reading in a circle?”

ZZZZzzzzzz maybe it was fatigue.

I lurched awake and checked the bottle to see exactly how many pills I had taken. (Don’t get smug. You’d have done it too.) The panic became immutable. I’ll never read the pile down. He’s made sure of this. Must Read™ had full control and was using his twisted powers to de-evolve me into a sheep.

Let me explain the origin of common sheep paranoia. Part myth, part theory, more framework than standards, it’s called “Compliance Farm™.”[15]


Compliance Farm™: Theory of Professional Practice Evolution (Non-linear)

Potato

§ Interprets all knowledge as explained by prime time television

Fish

§ Eats bait

§ Captured for sport

§ Required in food chain

Sheep

§ Lives in a herd

§ Keeps head down via lifelong commitment to grazing

§ Fears Dogs

§ Greatest accomplishment – Is not a Potato

Self Aware Sheep

§ Realizes there’s more to life than being a Sheep, but can’t put hooves on what to do about it

Snakes, Rats and Pigs

§ Not useful to this discussion, but snakes and pigs are out there

Shark

§ See Snakes, Rats and Pigs

Dog

§ Loyal to one or more professional cause

§ Enthusiastic bark

§ Limited bite, growls via e-mail, i.e., flaming for fame

§ Wildly sniffs while investigating new smell

§ Quickly loses interest in familiar stink

Dog-Squirrel

§ Keeps a copy of everything

§ Buries files in back yard

§ Prepares to read in winter

Dog-Fish

§ Resolves all problems by being a Fish, otherwise Dog

Rescue Dog

§ Registered to Vote

§ Board member in one or more professional chapters

§ Known to rescue the cold and stranded

§ Reads journals and at least one newspaper


§ To a large extent, views hard work as its own reward

§ Looks up to Wolf

§ Known to generate legal smudge, causing others to mistake Dog for Donkey

§ Loves brandy

§ Sleeps anywhere warm

Wolf

§ Mates for life

§ Keen sense of direction and survival, develops tools to serve the Wolf’s purpose

§ Travels in a pack, yet stands alone

§ Hunts for its own food, sometimes penetrating thick walls of ice

§ Tremendous ingenuity

§ Known to eat Dogs and Sheep who “flame for fame”

§ Not concerned by other packs unless fighting over territory

§ Votes per instruction of Leader, enlisting Rescue-Dog to herd sheep to polls (sheep never register to vote)

Leader of the Pack

§ Picks the party candidate, and directs every Wolf to get out there and vote

§ Uses instinct to advance the pack, marketing products and ideas for both profit and real utility. (Not a Shark)

§ Takes risks and fights for territory, able to sell the tools made by the pack

§ Exceptional instinct is used to assure everyone’s survival

§ Uses public image for being ruthless, to hide evidence of self sacrifice and compromise for a greater good

§ Long cleared on charges regarding Little Red

Eagle

§ Soars above the fight, preferring observations of trend over facts

§ Leverages simultaneous centers of focus, seeing both forward and peripherally

§ Critical to the balance of vermin, spotting rats at altitudes of 1000 feet

§ Eagles are the only species in possession of the big picture

§ They see what others can’t imagine, and most refuse to believe

§ Eagles accurately pinpoint by longitude and latitude, every national fault

Human Being (Human)

§ Marked by goals involving world value achieved through arts and sciences; surpasses Wolf in vigilance, to create new standards for both ethics and practice

§ Faces actual threats, by leveraging Eagle’s data to prioritize faults, and Wolf’s ingenuity for tools, survival instinct and good sense in designing a practical response strategy

§ Humans can be found in think tanks, governments, clergy, universities, private industry and even the world of entertainment


§ They commit with or without promise of glory, are more often sentenced to death than awarded a Nobel Prize

§ Humans admit to having been Fish, Dog, Wolf and Sheep, because they have humility

§ Regardless of whether we agree with a Human’s goal, chances are we would not last a day in their shoes

Under the right set of circumstances every animal has the potential to be both Eagle and Human.[16]

Cartoon plan: Why Can’t The Government Fix It? Two women in hiking gear; a far-off mountain peak casts an enormous shadow. Woman one, with binoculars, asks: “Has NASA found a reason for the region’s sudden lack of sunlight?” Woman two answers: “They know the cause. It’s Mount Must Read™, increasing at a rate of 2.4 kilometers a day. No one knows how to stop it.”

What should an Information Systems Auditor eat?

Back to the quest: There had to be a faster approach to the overlapping mandates question, like one single standards/frameworks and laws inventory. Starting points included sources I use regularly, acclaimed web sites like K-NET[17], Security Benchmark[18], CERT/CC®[19], IIA[20], and the ISACA Member Downloads[21]. If you spend a portion of every day at these sites you will never be disappointed. On this particular day, I landed a substantial jewel, the newly released Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit[22]. Nothing speaks louder to the cause of harmony among standards than the highly planned marriage of giants: ISO/IEC 17799:2005 (developed by ISO[23] and the IEC[24]), COBIT® 3rd Edition[25] (under ISACA copyright[26]), and ITIL® (the flagship standard and product, produced by the United Kingdom’s Office of Government Commerce[27]). Barriers to effectively combining assessment frameworks are dismantled as each body revises its newest release, adapting vocabulary and control concepts wherever possible. The organizations worked together, leveraging the best each offers to business, supplying one definitive meaning: a single unified model which is useful to any person engaged in IT Governance.

I felt a new confidence (counted the pills again), and looked right into Must Read's™ eyes, asking: “You still here? Take a hike! Beat it, scram. You’ve seen the list on K-Net. I don’t need you.”

This wasn’t even dignified by a response. Must Read™ smirked, the kind that mothers and high school teachers use to say “You can’t be serious,” which would have been bad enough, but then Mount Must Read’s™ reign of terror truly came down.

“Where do you get the a-u-d-a-c-i-t-y to claim competence using the exclusive direction of Everett C. Johnson[28] (ITGI's International President), Tom Lamm[29] (ISACA's Director of Research, Standards, and Academics), and a handful among thousands of standards from ISO? Can you even spell G-A-A-P?[30] It’s the perfect word to describe the span of your pathetic attempts at thinking. Can you tell me one thing about David Richards[31] (President of IIA)?”

This is when he threw the killer blow, tossing the Global Technology Audit Guide (GTAG)[32], Information Technology Controls[33], right in my face.

Did I mention that it’s sundown on Halloween and I’m trapped by a psychotic reading stack? I live on a quiet street. No one will care if I scream.

Cliff Notes[34] were too risky. I might miss a critical detail, never having time to get off a second shot.

This would end in a single bullet. I picked up the Global Technology Audit Guide (GTAG) and without stopping, read every word to the last reference and copyright on the report cover’s back page.

In addition to appeasing Must Read™, the learning experience was tremendous. Like the great documents produced by ITGI and contributors to ISACA, the IIA’s Technology Audit Guide provided a comprehensive overview of approach and standards for IT Control Audit, including COBIT® as a primary and foundational IT Control standard. The journey, however, went beyond familiar ground, displaying a scrumptious menu of dishes I did not even know an IT Auditor was allowed to eat.

Reviewing the resources and contributor background shows IIA's coordinated efforts with the AICPA[35], CIS (Center for Internet Security)[36], CMU/SEI (Carnegie Mellon University Software Engineering Institute)[37], ISSA (Information Systems Security Association)[38], NACD (National Association of Corporate Directors)[39], and SANS Institute[40]. Just getting a group this size to agree to one paragraph is notable, but this document amounted to agreement on the entire IT Control Map. I’m sure I’ll continue my heavy use of COBIT® Online[41] as a fundamental tool for my practice, but the list of additional resources found in the GTAG held a great deal of promise.

Triumphant: “I shaved 7/10 cm off your peak without downloading Cliff Notes, summary, or random surfing. Bet you weren’t expecting that?”

Mount Must Read™ is still laughing. “Did you catch those footnotes, hyperlinks, appendixes, and references? You’ll be downloading all night!” He was right. They were new titles.

Touchdown! Mount Must Read™ 7, Hometown 0

I knew the “newly fallen Must Read’s™” might accumulate a light dusting. November nights are like that. This single night’s accumulated information fall dumped the equivalent of two years of collected readings. I tried to relax, telling myself the titles would melt off by halftime. Nine years of paper grazing, web surfing, earned degrees, and professional collaboration built a library more than 2000 files high. Timestamps alone attested to my entire 21st century digital whereabouts. How many titles could I miss? Halftime came and went with little to no melting. 900+ substantial regulations, frameworks, events and organizations remained firmly fallen, adding only height to the perilously high Mount Must Read™.[42] I need a better defense, or at least to get within punting range.

Blame someone

I wish I’d been raised by wolves. The cubs next door had it made: eating off the floor, playing in dirt, chasing mice for school credit and earning advanced degrees with nothing more than their instinct. Their Dad has a seat in the Senate. I’m the grown-up child of Mr. and Mrs. Quality Management. Mom’s name is ISO. Her life is a standard. Dad’s a complete perfectionist. His name is TQM[43]. What would they say if they could see me? Ivy League obedience school, private barking lessons and constant lectures: “there’s more to life than digging holes, chasing cars, HIPAA[44], SOX and GLBA[45]!”

Legal G-A-P

I had to turn this around quickly. First order of clean-up was the legal G-A-P[46]. The investment in reading on the topics of the Sarbanes-Oxley Act (SOA or SOX) Public Law 107-204[47], Gramm-Leach-Bliley Act of 1999 (GLBA) Public Law 106-102[48], and The Health Insurance Portability and Accountability Act of 1996 (“HIPAA” not HIPA) Public Law 104-191[49] exposed me to the Securities Exchange Act of 1934[50], crimes involving computer abuse and fraud, and specific areas affecting records management in audit such as 17a-4 in the final rule by the SEC. Please don’t ask how I missed FISMA, FOIA[51], or that government-regulated industries use NIST[52] and FIPS as mandated by law. The list of regulations affecting IT standards alone quickly jumped past one hundred. Realizing there had to be a strategy to get my arms around this task, I began rating laws based on immediate IT Audit requirement. This still left over sixty regulations. Relegating laws exclusive to Britain and Canada to the items with less immediate impact only lowered the list by two[53]. Even attempts to separate “critical” from “background” material did not change that when I asked “how can not knowing this hurt me?” the answers were fairly substantial, and at the least, not to be ignored. I settled on the following three dozen laws, spending time reviewing each, and keeping the summary in a database. I eventually read all the laws, but there are still items from the recent blizzard that compel me as more threatening areas of my mental g-a-p.

What I don't know can't hurt me

Title | Type | Regulation Primary Name | Date | Valid Copy in Public Domain: Web Reference
----- | ---- | ----------------------- | ---- | -----------------------------------------
United States of America Patriot Act of 2001 | United States Federal Law | P.L. 107-56, 115 Stat. 272 | October 26, 2001 | Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (US Patriot Act) Act of 2001
United States Copyright Law, Title 17 | United States Code | 17 U.S.C. §§ 101 – 810 | October 19, 1976 | Circular 92: Copyright Law of the United States of America and Related Laws Contained in Title 17 of the United States Code
Uniform Accountancy Act | State Board | Uniform Accountancy Act | November, 2002 | Uniform Accountancy Act, Third Edition, Revised, November, 2002
Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records; Electronic Signatures | Code of Federal Regulation | 21 CFR Part 11 | August 2003 | 21 CFR Part 11: Electronic Records; Electronic Signatures
Securities Exchange Act of 1934 | United States Code | 15 U.S.C. §§ 78 | July 1934 | Securities Exchange Act of 1934
Section 17a-4: Final Rule: Applicability of CFTC and SEC Customer Protection, Recordkeeping, Reporting, and Bankruptcy Rules and the Securities Investor Protection Act of 1970 to Accounts Holding Security Futures Products | United States Federal Law | 15 U.S.C. §§ 78 Rule 17a-4 | 1934 | Final Rule: Applicability of CFTC and SEC Customer Protection, Recordkeeping, Reporting, and Bankruptcy Rules and the Securities Investor Protection Act of 1970 to Accounts Holding Security Futures Products
Sarbanes-Oxley Act of 2002 | United States Federal Law | P.L. 107-204 | July 2002 | Public Law 107–204—July 30, 2002—116 STAT. 745
Safe Harbor Privacy Framework | United States Code | 15 U.S.C. §§ 44-58 Section 5 | July 21, 2000 | Introduction to the Safe Harbor
Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 | United States Federal Law | P.L. 108-375 | October 2004 | Public Law 108–375 – October 28, 2004 - 118 STAT. 1811
Paperwork Reduction Act of 1995 | United States Federal Law | P.L. 104–13 | May 1995 | PUBLIC LAW 104–13
OMB Circular A-130: Management of Federal Information Resources | United States Office of Management and Budget Circular/Bulletin/Memorandum | OMB Circular A-130 | September 29, 1995 | Circular A-130 -- Management of Federal Information Resources
OMB Circular A-119, Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities | United States Office of Management and Budget Circular/Bulletin/Memorandum | OMB Circular A-119 | Effective February 19, 1998 | Revised OMB Circular A-119
National Technology Transfer and Advancement Act of 1995 | United States Federal Law | P.L. 104-113 | March 7, 1996 | Public Law 104-113 3/7/96
National Archives and Records Administration | United States Code | 44 U.S.C. §§ 2101 to 2118 | Founded in 1934 | NARA
Homeland Security Act of 2002 | United States Federal Law | P.L. 107-296 | 2002 | Homeland Security Act of 2002
Health Insurance Portability and Accountability Act of 1996 | United States Federal Law | P.L. 104-191 | April 2003 | Public Law 104-191
Gramm-Leach-Bliley Act of 1999 | United States Federal Law | P.L. 106-102 | November 12, 1999 | Gramm-Leach-Bliley Act
Freedom of Information Act | United States Code | P.L. 104-231 | 1966, Amended in 2002 | Freedom of Information Act
Foreign Corrupt Practices Act 1977 | United States Federal Law | P.L. 105-366 | 1977 | Foreign Corrupt Practices Act 1977
FIPS Publication 201, Personal Identity Verification (PIV) for Federal Employees and Contractors | Federal Information Processing Standard | FIPS 201 | February 2005 | FIPS Publication 201, Personal Identity Verification (PIV) for Federal Employees and Contractors
FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems | Federal Information Processing Standard | FIPS 200 | July 2005 | FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems | Federal Information Processing Standard | FIPS 199 | February 2004 | FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems
Final Act of The 1986-1994 Uruguay Round Of Trade Negotiations Agreement On Technical Barriers To Trade | International Trade Agreement | P.L. 103-465, 108 Stat. 4809 | April 15, 1994 | WTO legal texts - A Summary of the Final Act of the Uruguay Round
Federal Trade Commission (FTC) Act of 1914, amended in 1938 | United States Code | 15 U.S.C. §§ 41-58 | 1914, Amended in 1938 and in 2000 | Federal Trade Commission Act, Title 15 - Commerce and Trade
Federal Information Security Management Act of 2002 | United States Federal Law | P.L. 107-347, Title III | July 30, 2002 | Federal Information Security Management Act of 2002, 44 USC 101 note
Fair Credit Reporting Act or Bank Secrecy Act | United States Federal Law | P.L. 91-508 | 1970, Amended in 1996 and in 2003 | Internal Revenue Manual - 4.26.5 Bank Secrecy Act History and Law
Fair and Accurate Credit Transactions Act of 2003 | United States Federal Law | P.L. 108-159 | December 2003 | PUBLIC LAW 108–159 - DEC. 4, 2003 - 117 STAT. 1952; 15 U.S.C. § 1601
Executive Order 13103 of September 30, 1998 - Computer Software Piracy | Executive Order | Executive Order 13103 | September 30, 1998 | Executive Order 13103: Computer Software Piracy
E-Government Act of 2002 | United States Federal Law | P.L. 107-347 | December 2002 | H. R. 2458: E-Government Act of 2002
DCI Directive 6/3, Protecting Sensitive Compartmented Information within Information Systems | Director of Central Intelligence Directive | Central Intelligence Policy | June 1999 | DCID 6/3 - Policy
Cyber Security Research and Development Act of 2002 | United States Federal Law | P.L. 107-305 | February 7, 2002 | Cyber Security Research and Development Act of 2002
National Institute of Standards and Technology Act, formerly Computer Security Enhancement Act of 1997, amendment to Computer Security Act of 1987 | United States Federal Law | P.L. 100-418 (was P.L. 100-235) | October 1998 | Computer Security Enhancement Act of 1997 (Reported in Senate); THOMAS -- U.S. Congress on the Internet
Computer Fraud and Abuse Act of 1986 | United States Code | 18 U.S.C. §§ 1030 | October 11, 1996 | Computer Fraud & Abuse Act
Clinger-Cohen Act of 1996 | United States Federal Law | P.L. 104-106 | 1996 | Illinois Land Conservation Act, P.L. 104-106 S.1124
Chief Financial Officers Act of 1990, A Mandate for Federal Financial Management Reform | United States Federal Law | P.L. 101-576 | September 1991 | GAO/AFMD-12.19.4 CFO Act

Please don’t make me go back to high school

Maybe it was withdrawal from pain medication or just pure frustration, but taking down Mount Must Read™ required some clean-up I’d been putting off for too long. Most aspects of legal reference leave me totally confused. Seeing what seemed to be the same law cited as U.S. Code, Public Law, Code of Federal Regulation, Bill, Section, Circular, Directive, Amendment, or simply cited under a variety of entirely different names, convinced me that I wasn’t cut out to understand the law. In fact, I can’t tell if my own government follows the law. Maybe that is by design, but it seems that I should be able to tell. And I don’t mind shucking a little blame. Judging by printed and internet text, a lot of people are generally confused about the law.

Education Mandate: Almost every U.S. State has legally mandated basic mastery of U.S. Government and the foundations of our legal system as a requirement for high school graduation and/or examination equivalency. (See Citizenship Education Inclusion in Assessment and Accountability Systems, Copyright 2002 by the Education Commission of the States, ECS 54 .)

It seems safe to say, then, that any college graduate should be able to read a law and minimally appreciate its intent. This would also suggest that, by the time we are earning our audit credentials, it should not fall to our national standards organization to hold us accountable to this same requirement. I only suggest that the scope of our most impacting laws tends to be straightforward. My personal struggle is interpreting audit and business accountability within our own code of professional practice. I would never attempt to embark on this alone.

Good News, they pay people in congress to think

Researching legal statutes, national standards and the organization of code is cared for by our own government. (See How Our Laws Are Made 55 .) Congress has allocated budget to assure timely reports on all upcoming and recent changes to our legal system. Found on the Internet, Think Tanks & Research Institutes 56 , SIL DC - List of Think Tanks 57 , and Earth's Common Sense Think Tank 58 , three independent sources, support the following conclusion: the United States still pays people to think.

Congressional Research Service Reports 59 are legal summaries that even people with limited exposure to the law will fully understand. After drinking in a few days of legal process and glossary, I have to say, it isn’t as bad as you might think. Eventually, even I could swallow raw statute without holding my nose.


The short title, or name of a law, provides common language for the purpose of discussion and amendment by our members of congress. We avoid speaking in numbers, chapters, and sections by using “short titles” as a way to make laws and their amendments accessible. The overall intent of a Bill is enacted in the final rule of an Act, and enforced as positive law through a process of codification, where its language rests in permanent legal code 60 . (Codification is defined in the endnote.)

I admit the choice to cite an act as Public Law vs. its final area(s) in U.S. Code is, for me at least, a judgment call. Laws, unlike us, are not created equal. How we cite them may require historical context. For example, dozens and even hundreds of amendments to any title or chapter of code can occur based on the final ruling of a single Act. In reverse, multiple acts can affect a single area of code. Whether we cite public law or code, we are talking about the exact same thing. Law is law. Regulation is regulation. Federal regulation for a single law will spawn further directives and regulation for alignment among all major regulatory bodies. Recognition plays a big factor in how we speak about legal ruling. When reading the word “SOX” (Public Law 107-204) most of us sense the allusion to financial controls and regulatory penalty. In ten years, reading “SOX” in text regarding ethics and financial control will likely be interpreted as a funny typographical error. Where a law is more recognized than its eventual areas of code, such as the legislation resulting in the Sarbanes-Oxley Act of 2002, using the short title makes more sense as a common frame of reference. The Securities Exchange Act of 1934, for example, extends concepts in the Securities Act of 1933, but has different scope and intent. They are not the same law. It’s easy to see why people become confused. Where a collection of acts continues to affect a single area of code, it is practical to bundle discussion into a single substantial area of legal reference, as for example the Copyright Law of the United States of America 61 , sometimes identified as just “Title 17” within U.S. Code. As noted in the preface of this GPO 62 document,

The United States copyright law is contained in chapters 1 through 8 and 10 through 12 of title 17 of the United States Code. The copyright Act of 1976, which provides the basic framework for the current copyright law, was enacted on October 19, 1976, as P. L. 94-553, 90 Stat. 2541. Listed below in chronological order of their enactment are subsequent amendments to copyright law. Chapters 9 and 13 of title 17 contain statutory design protection that is independent of copyright protection. Chapter 9 of title 17 is the Semiconductor Chip Protection Act of 1984 (SCPA), as amended. On November 8, 1984, the SCPA was enacted as title III of P. L. 98-620, 98 Stat. 3335, 3347. Chapter 13 of title 17 is the Vessel Hull Design Protection Act (VHDPA). It was enacted on October 28, 1998 as title V of the Digital Millennium Copyright Act (DMCA), P. L. 105-304, 112 Stat. 2860, 2905. Subsequent amendments to the SCPA and the VHDPA are also included in the list below, in chronological order of their enactment.

Please don’t let a block of text unravel the entire argument. Consider the block again. Here’s what I see.

The United States copyright law is contained in chapters 1 through 8 and 10 through 12 of title 17 of the United States Code. The copyright Act of 1976, which provides the basic framework for the current copyright law, was enacted on October 19, 1976, as P. L. 94-553, 90 Stat. 2541. Listed below in chronological order of their enactment are subsequent amendments to copyright law. Chapters 9 and 13 of title 17 contain statutory design protection that is independent of copyright protection. Chapter 9 of title 17 is the Semiconductor Chip Protection Act of 1984 (SCPA), as amended. On November 8, 1984, the SCPA was enacted as title III of P. L. 98-620, 98 Stat. 3335, 3347. Chapter 13 of title 17 is the Vessel Hull Design Protection Act (VHDPA). It was enacted on October 28, 1998 as title V of the Digital Millennium Copyright Act (DMCA), P. L. 105-304, 112 Stat. 2860, 2905. Subsequent amendments to the SCPA and the VHDPA are also included in the list below, in chronological order of their enactment.

I am an Information Systems Auditor. This is my “take away” for “critical mass.”

Copyright Acts are codified in Title 17, within Chapters 1-8, 12-17 of Title 17 but not 9 and 13


Critical and current statute representing the roll-up of copyright laws: Digital Millennium Copyright Act (DMCA), P.L. 105-304, 112 Stat. 2860, 2905

Both items are immediately added to my source documents database, representing two, not six, items for “critical reading.”

(Note: Endnote includes directions for joining the Information Security Management group as sponsored by ISACA. Here’s your chance to speak with the Eagles who influence the design of the Digital Millennium Copyright Act 63 .)

Laws resurface in the context of historical events. In some cases, a new name will be used to identify the review of the Act. An example is the Computer Fraud and Abuse Act of 1986 64 , also known as 18 U.S.C. § 1030 (as amended), as the National Information Infrastructure Protection Act of 1996, and as “§ 1030. Fraud and related activity in connection with computers”, the chapter heading found in the Legal Information Institute’s sanctioned rendering, by title, of all U.S. Code.

Say "Goodbye" to statute virginity

Like any of the frameworks we use, understanding the shape of Code and Federal Regulation goes a long way.

Warning to Dog-Squirrels and Sheep under the age of 18: The following title is not an actual directive. “Download the United States Code - Office of the Law Revision Counsel 65 " is an online U.S. Code library, managed under the authority of the U.S. House of Representatives. You can search and, yes, legally download every character in our Code… but, trust me on this, don’t do it.

Title

Title 1: General Provisions
Title 2: The Congress
Title 3: The President
Title 4: Flag and Seal, Seat of Government, and the States
Title 5: Government Organization and Employees (and Appendix)
Title 6: Domestic Security
Title 7: Agriculture
Title 8: Aliens and Nationality
Title 9: Arbitration
Title 10: Armed Forces (and Appendix)
Title 11: Bankruptcy and Appendix
Title 12: Banks and Banking
Title 13: Census
Title 14: Coast Guard
Title 15: Commerce and Trade
Title 16: Conservation
Title 17: Copyrights
Title 18: Crimes and Criminal Procedure (and Appendix)
Title 19: Customs Duties
Title 20: Education
Title 21: Food and Drugs
Title 22: Foreign Relations and Intercourse
Title 23: Highways
Title 24: Hospitals and Asylums
Title 25: Indians
Title 26: Internal Revenue Code (and Appendix)
Title 27: Intoxicating Liquors
Title 28: Judiciary and Judicial Procedure (and Appendix)
Title 29: Labor
Title 30: Mineral Lands and Mining
Title 31: Money and Finance
Title 32: National Guard
Title 33: Navigation and Navigable Waters
Title 34: Navy (Repealed)
Title 35: Patents
Title 36: Patriotic Societies and Observances
Title 37: Pay and Allowances of the Uniformed Services
Title 38: Veterans' Benefits (and Appendix)
Title 39: Postal Service
Title 40: Public Buildings, Property, and Works
Title 41: Public Contracts
Title 42: The Public Health and Welfare
Title 43: Public Lands
Title 44: Public Printing and Documents
Title 45: Railroads
Title 46: Shipping (and Appendix)
Title 47: Telegraphs, Telephones, and Radiotelegraphs
Title 48: Territories and Insular Possessions
Title 49: Transportation
Title 50: War and National Defense (and Appendix)

Give up the white paper crutch

There’s nothing wrong with an occasional white paper. Many are nothing more than benign generalizations of laws and standards, usually written to pass a class or sell a product. Laws, however, are neither static nor general. Even when accurately cited, laws are amended, superseded, repealed, codified, and renamed. White papers just sit on our hard drives. This is why we need at least one government-approved and maintained repository in our circle of reference. The National Archives, the Government Accountability Office portal, Thomas 66 , and our Library of Congress are free and available online resources.

Reading laws instead of reading what others say about them supercharged my diet and completely removed my craving for smudge (i.e., legal fudge). If you let reading law evolve into a habit, you may experience a vision of the national landscape. The stronger our wings, the more our minds begin to soar. Mountains and valleys seen from a thousand feet in the air will take your breath away.


I only know this because I occasionally get a window seat to the West Coast. When I am lucky, I get to see the Rockies.

§ U.S. House of Representatives Internet Law Library

§ Statutes

§ Code Of Federal Regulations - Background

§ Code Of Federal Regulations - Searchable

§ U.S. Code - Searchable

§ Thomas, In the spirit of Thomas Jefferson, legislative information from the Library of Congress

Can someone help me down from my horse?

Panic Attack: “No Officer, I swear on my vintage Batman comic books, I have no idea how all those copyrighted files got there.”

On day sixteen of my Cliff Note recovery, I discovered there is no ladder down from a high horse. You just have to jump. Day sixteen was a Saturday deleting 2000+ standards and white papers spanning 15 blissful digital years of “right click, save target as” copies, stored for no better reason than because “I could.”

The effort gained back a maxed-out drive share and an enormous waste of resources spent backing up essentially dead information. Even though we have long implemented Software Asset Management, content assets had been largely overlooked. Validating the right to store and save information extends beyond client and legal documents. Downloads need a valid reason to be stored on a business network. Valid license and accurate workstation configurations include all forms of content.

Any standard or law identified as a mandate will have one authoritative source. The documentation will be stored as a hyperlink reference, leaving copyrighted content in its rightful home and allowing for its timely removal and update by the document's legal owner. The only exception to keeping links (either publicly accessible or available by authentication) rather than local copies is the books and materials we purchase. Representing standards and guidelines used in professional practice, these should be managed as material assets, with locations and copies managed in the context of their copyright.

My Mother told me to say I’m sorry

“I'm Sorry.”

I had no grounds to comment on laws that conflict. In the event I do come across a question or an actual issue, we have Codification Legislation as managed by the Office of the Law Revision Counsel:

Codification Legislation - Office of the Law Revision Counsel

As currently proposed by H.R. 866 (109th Congress, 1st Session), and under the management of the Law Revision Counsel

Technical Corrections to the United States Code Public Law 93-554 (2 U.S.C. 285b) currently enforces technical corrections to the United States Code relating to cross references, typographical errors, and stylistic matters. […]

“Positive law codification is the process of preparing and enacting, one title at a time, a revision, and restatement of the general and permanent laws of the United States.

Because many of the general and permanent laws that are required to be incorporated into the United States Code are inconsistent, redundant, and obsolete, the Office of the Law Revision Counsel of the House of Representatives has been engaged in a continuing comprehensive project authorized by law to revise and codify, for enactment into positive law, each title of the Code. When this project is completed, all the titles of the Code will be legal evidence of the general and permanent laws and recourse to the numerous volumes of the United States Statutes at Large for this purpose will no longer be necessary.

Positive law codification bills prepared by the Office do not change the meaning or legal effect of a statute being revised and restated. Rather, the purpose is to remove ambiguities, contradictions, and other imperfections from the law.

The legal process begins and ends with the same goal: to serve a unique, useful purpose with clear conditions, boundaries, and scope. Real issues of clarity can escalate as high as the United States Supreme Court. Representing a law left or right of its original context, stretching its interpretation or extending its intent, creates the legal smudge that pollutes everyone’s atmosphere.

IIA and ISACA make frequent efforts to assure our accurate reference to U.S. and international laws. In fact, my exposure to the EU Directive and cross-border privacy began with the ISACA and ISACAF collaborative paper on Electronic and Digital Signatures: A Global Status Report 67 .

Basic principles of a well rounded diet

Being a cliff note junky, my health condition had long shown signs of chronic “Vertical Stack.” Left untreated for a period of many years, I ran the risk of acquiring “Swiss Cheese” syndrome.

Well-rounded, balanced consumption across all major food groups minimizes potential gaps in awareness that might cause failures during periods of stress (i.e., climate change in career stalls, shifts in corporate regulations, and so on). Balanced consumption is best achieved by a diet of mainly raw publications, as processing is known to remove most essential nutrients.

At the opposite end of “well rounded” is the malnutrition condition known as “vertically stacked.” A stacked professional maximizes consumption in a narrow selection of food groups, producing single areas of expertise characterized by tremendous height. Weaknesses include: stacks can’t roll, tip easily, and once down, are impossible to stand back up. Similar to “Stack” is a state known as “Swiss Cheese”: a low-calorie snack, full of holes, not a substantial meal.

These conditions are quickly cured by a steady diet including areas high in nutritional content. Fresh, inexpensive content is found in a range of local markets including the FFIEC 68 , NIST 69 , AICPA 70 , COSO 71 , the National Archives and Records Administration (NARA) 72 and the Government Accountability Office (GAO) 73 . Deciding what to read has a lot to do with where we find it. My lists began as “scraping”, taking titles from news and e-mail, especially those from George Spafford Jr. 74 and Dan Swanson 75 . Having plenty of caloric content, the links are rolled in a spreadsheet preservative allowing them to appear fresh during the next Future Surf (FS) event. First cousin to Mount Must Read™ (MMR™ in most health journals), FS’s virtual tasty bone flavor has an addictive quality, causing even the healthiest Dog to indiscriminately bury them in a digital back yard.

[Cartoon: Trade Secrets. A reporter with a microphone asks, “What’s your secret?” In a 17th Century art studio, Michael Angelo: “Throw the bad paintings out.” On a scaffold with baskets and heads, a hooded man with a guillotine: “Keep the blade sharp.”]

How do you keep that stunning figure?

For me, people like George Spafford Jr., Gene Kim, Dan Swanson, Bruce Winters, Kevin Behr, Mike S. Hines, Tim Howes, James Bryce Clark 76 and far too many more to list collectively represent the Eagles. They remain a vigilant look-out, perched high, eyes watching for movement legal, technical, and/or social on everyone’s horizon. Their letters and posts amount to a habit of vision, spotting nourishment and vermin at a distance of a thousand feet.

Contrary to popular belief, long lists are not the ultimate tie breaker for the last seat in heaven. Lists don’t help us find a mate or increase our salary. I’m fairly certain they send us the information as a reminder. They’re telling us to look alive and keep sharp 77 .


Trade secrets

On the point of “where” we find things, valid security portals meet every information-resource criterion, and one feature provides particular advantage to audit: they explain their current legal mandates and current best strategies for implementing specific published standards. For example, “OMB Circular A-130: Management of Federal Information Resources 78 ," OMB Circular A-119, Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities 79 , and The Cyber Security Research and Development Act 80 enforce, among other things, the National Institute of Standards and Technology (NIST) 81 authority to perform oversight, research and development, and management and distribution of security standards and various benchmarking tools. Security Technical Implementation Guides (STIGs) 82 , found at DISA Checklists / Implementation Guides, exemplify a regulated and monitored security source. Equal in rank, and including duplication in some areas of information, is the Center for Internet Security (CIS). CIS checklists 83 are categorized by use, as applied to various industry requirements. The U.S. Commerce Department's Technology Administration funding and guidance to NIST is a part of our United States Law, and plays a leading role in our “National Strategy to Secure Cyberspace 84 .” The works produced by NIST, under the U.S. Commerce Department's Technology Administration’s authority, are “critical” and essential to our practice. It’s at the top of my list.

You can’t make me download!

It took several days just to review publication dates, document contents, organizations and authors. In spite of Mount Must Read™, I resisted impulses to save and print. The titles remained in their native homes, while records only stored hyperlinks, along with background details and high-level metadata regarding criticality, use and contents. The most notable reference was a very short document simply listing the titles used to evaluate best security practices by the House of Representatives committee known as the CISWG 85 . United States Cyber Security Reference List 86 highlights a standards review process resulting in improvements to the way we define, prevent, regulate, and criminally penalize cyber crimes. CISWG Human and Eagle efforts continue to impact law, standards, and technology as an industry 87 . Under the directive of the Cyber Security Enhancement Act, Report To The Congress: Increased Penalties For Cyber Security Offenses (As Required By Section 225(C) of The Homeland Security Act of 2002, Public Law 107-296) provides an excellent summary of laws designed to manage international and national cyber risk, explaining the nature of data privacy rulings and the need for greater controls in a manner I found unsurpassed 88 .

GAO, is that you?

Beware of our Government Accountability Office, GAO. Pack a lunch before you launch, as you may become glued to the monitor for the next several days. Auditors and IT professionals will feel compelled to read the “Yellow Book” series, but my advice is to go straight for the Federal Information and Communications Audit Management Guide (FISCAM) 89 . Skip the search for Cliff Notes. You simply have to put on high boots and march through these pages one at a time. Having a mental picture of FISCAM’s framework will alter all future thinking in terms of what is available to us in the world of audit.

A mental hierarchy will evolve. With visibility, you gain confidence in the knowledge that two reams of unread white papers are, by virtue, obsolete better practices. This is a reminder that federally mandated standards (FIPS) should be exclusively viewed at the Computer Security Resource Center’s (CSRC's) Computer Security Division (CSD) web site, which is the only place that holds responsibility for their distribution and content 90 . Similarly, keep COBIT® standards linked to the ISACA web site and check back often for new release and updates. There are thousands of sites posting rogue copies of out of date standards. As IT professionals, this is a habit we all should break.

If this is your first exposure to the words FIPS and NIST, excellent presentations by Marianne Swanson and Dr. Ron Ross can help to quickly fill in what you missed 91 . As indicated in their presentations, they collectively manage projects, publications, and training for the Computer Security Division of the Information Technology Laboratory at NIST. In draft, NIST SP 800-53a identifies Dr. Ross as the government-appointed FISMA Implementation Project Leader. Most recently, Dr. Ross made publicly available Building More Secure Information Systems 92 , A Strategy for Effectively Applying the Provisions of FISMA.


Regarding recovery I knew I’d completely lost my mind. Anyone with impulse to wrap their head in tin foil in order to conceal thoughts from a stack of reading material, (even if the stack has glaring eyes, and a pitching arm), is minimally experiencing “a cry for help.” I made many calls, left messages, demanding information about my anesthesia and the array of federally regulated recovery aids. NFL nurses kept me from reaching the surgeon, since apparently paranoid delusional panic is completely normal. The nurses kept saying, “You just had surgery. These things take time. You’re in recovery for crying out loud. Go back to bed.”

Even the score

I realized I had to find a way to slip Must Read™ all of my remaining drugs. After all, I'm in recovery, so he needs the pills more than I do.

The Ruse: An entire bottle of sleeping pills ground to fine powder and sprinkled between the pages of a bogus publication, tucked deep within his stack under the pretext of adding fresh reading. While Must Read™ surrendered to a deeply delusional power nap, I snatched away redundant copies of web-enabled resources. Forty-seven inches shorter, Must Read™ eventually woke, oblivious to any change.

The diet starts today: All right, today... first thing in the morning... I mean it this time

After consuming twenty-five pounds of regulation and Halloween candy, the previous night's reading fall began to melt. I'd gained a range of tools, saved $75.00 in ink, and noticed common evolutionary patterns in the list of significant mandates.

Returning to the Compliance Farm™ Theory of Evolution 93 , the details aligned to the framework quite nicely. Eagles report observed faults, which spawn wolf teams to analyze risk impact. Wolves define the details of the problems, breeding theories, tools, and best practice. These discoveries influence ideals, and Humans form committees to amend our laws. This leads to regulation requiring supporting standards. The standards evolve increasingly efficient methods to mitigate the exact same observation that started the cycle in the first place: a fault, a perceived weakness affecting the survival of the pack.

These factors further strengthen the quest to conquer Must Read™:

Duplications exist across organizations and lists because most webmasters apply unique names to identical content. Focus on the diamond domains such as csrc.nist.gov or www.gpo.gov.

Laws are introduced, amended, enacted and codified, each version having its own short title. With the help of the LOC (our Library of Congress) and institutions like Cornell, Duke and Harvard Law, legal lists normalize by 80% if you simply check the history of any law or act.

Favorite discovery: Among the Humans (i.e., authors, organization leaders, committee chairs) were names I actually know. If you take part in the ISACA list services, you may be posting with them on a regular basis. Members of ISACA, CMU, Purdue and the IIA had cross-pollinated years ago. Reference after reference demonstrates the same sets of names: executive board members, professors, engineers, directors, corporate owners (large and small), and security professionals; essentially a list of people that look and feel a lot like "us."

A good diet can make anyone strong. I told Mount Must Read™ (MMR™, since we've become more familiar) to "Back off! I don't have to pick a winner. The frameworks don't compete." Mount Must Read™ only shrugged in submission. We both knew the "building in isolation" hypothesis wasn't working.

“Is it possible” I asked aloud, “that the proliferation of laws and standards is just our need to improve on existing ideas? All I need to solve this problem is to start finding document nutrition labels and checking for expiration dates.”

Did I have him now? Was this the blow that would take him down?

"Expired Ideas? Blah ha, ha, ha! You're killing me!" Mount Must Read™ exploded in earth-quaking laughter.

"Laws have sundown dates. Drugs have 'use by' dates. Even car parts have warranty and recall dates. Why shouldn't standards have 'applicable by' dates? Stop laughing at me!"

Birth records, death certificates and standards euthanasia

It seemed reasonable to me: a rule that lets a standard go once it has outlived its usefulness. We could establish a committee to determine recommendations for putting various standards down. On second thought, I was beginning to see Mount Must Read's™ point. We are not a culture that likes to throw things out, never mind recognize when it's time to gracefully step down. The solution had to be data driven and non-emotional.

First attempts at gathering a baseline inventory of registered standards relied on non-member-area publications at ISO- and IETF-hosted sites. Unfortunately, the number of technical committees alone spans hundreds of web locations, and the 2004 year-end report by ISO lists more than a thousand standards in active use. FFIEC, ANSI, NIST, and NISO had more generic lists, but still failed to establish an altitude from which to consistently represent domains, framework concepts, categories, or classes. Listing everything would be too much information and instantly obsolete. There must be a Standard for the Classification of Standards. How can organizations like ANSI and ISO exist without it?

As a long-time user of ISO's 9000 and 17799 series, I can't tell where the standards end and my own thinking begins. With bias, I'll suggest that the published ISO/IEC Directives make the best model for a framework to create or manage standards. A review of the recent Supplement Procedures specific to ISO 94 , located at the ISO TC Portal, reveals that ISO committees, by design, will not approve the scope of a Technical Committee (TC) unless a thorough review verifies that the work is unique and not in conflict with a known charter or activity of any other registered standards body. ISO is without question the highest-ranking standards organization worldwide. The templates for the development of a standard alone can make other efforts and products appear trivial (although I'm not saying that they are). Any means of evaluating and comparing standards should begin with the values expressed in a report published in December 2004, stating the criteria for the adoption of any ISO standard. They should:

§ respond effectively to global regulatory requirements, market needs and scientific/technical developments;

§ not distort markets nor have adverse effects on fair competition;

§ not stifle innovation or technological development;

§ not give preference to the requirements of specific countries or regions; and

§ be performance-based rather than design-prescriptive 95 .

ISO provides templates for the development of standards. The models found there should be part of the collective consideration establishing the bar for the quality of standards produced by any organization. There is a published standard for conformity assessment, the Code of Good Practice, ISO/IEC Guide 60:2004, describing "[…] all elements of conformity assessment, including normative documents, bodies, systems, schemes, and results. It is intended for use by individuals and bodies who wish to provide, promote or use ethical and reliable conformity assessment services. ISO/IEC Guide 60:2004 is designed to facilitate trade at the international, regional, national and sub-national level(s) 96 ." This guide establishes a clear target for the application of a standard: to promote safe trade through a process of clear measurement.

If it makes sense, it exists

I wondered if I could just buy the data. ANSI pointed to the following sources:

§ NSSN / Standards Mall

§ Homeland Security Standards Database

§ The Hydrogen Codes and Standards portal

§ Standards Information

§ Standards Developing Organizations

§ National Standards Bodies

§ Other Organizations/Topics of Interest

A trip to the Standards Mall

Do you see it? There is a Standards Mall. For a fee of only $99.00, anyone can obtain a database of coordinates, locations and access to an untold number of standards. Actually, the number is over a quarter million.

The NSSN: A National Resource for Global Standards includes contributions by 600 developers and is grouped into six categories:

§ Approved Industry Standards

§ Approved International Standards

§ Approved U.S. Government Standards

§ Industry Standards Under Development

§ International Standards Under Development

§ U.S. Government Standards Under Development

With updates ranging from weekly to monthly, this number is no doubt already much larger. Standards Tracking and Automated Reporting (STAR) Services are described this way:

In today's world of change, the best laid business plans can be swept away almost without warning. Speed has become the name of the game and instant information provides the competitive edge.

Users require immediate access to data organized in a meaningful format. The NSSN's Standards Tracking and Automated Reporting (STAR) Service […] keeps you informed by tracking critical updates in the standards arena. Current status reports on more than 270,000 standards under development, revision and maintenance are as close as your desktop and as easy as sitting back and reading your e­mail.

Available only by subscription via NSSN, STAR identifies new project proposals and automatically tracks changes in status of a development project or standard under maintenance 97 .

Each change of document status is compared to a directory of user-established profiles - profiles broad enough to span an entire industry or focused enough to track updates to a single standard. Users impacted by an update receive an e-mail summary and a URL link to a personal web page cataloguing details of the modification.

After 30 or 40 links, it was clear I had too many choices and no compelling hierarchy for gathering a baseline of standards. I left the mall hungry for one high level list.

NISO, the National Information Standards Organization 98 , for example, provides a comprehensive overview of international TC standards, commentary on how standards are created, and current U.S. TC (Technical Committee), JTC (Joint Technical Committee) and WG (Working Group) involvement with ISO 99 . The U.S. involvement in technical standards is vast. The U.S. TAG (Technical Advisory Group) to ISO TC 46, Information and Documentation, provides information regarding naming classifications, libraries and works across all organizations involved in the creation and management of standards, and is organized into the following five groups:

§ SC 4 Technical Interoperability

§ SC 8 Quality ­ Statistics and Performance Evaluation

§ SC 9 Identification and Description

§ SC 11 Archives/Records Management

§ WG 2 Coding of Country Names and Related Entities

Attempting to read any single Joint Technical Committee's list of standards is a mistake. There are hundreds of subcommittees, each managing hundreds of standards and their own lists. Clearly, this issue matters to all of our nations, since ISO has work dedicated to nothing more than a means of classifying documents: the scope of ISO 5963:1985 is "Documentation - Methods for examining documents, determining their subjects, and selecting indexing terms."

Updates to drafts and releases occur with all the regularity of an atomic clock. In 2004, ISO 100 reported 1,247 publications in use by a member body, which can only be counted by number of countries and member associations 101 . It is clear that if any group has a true need for an ontology governing the comparative record of all known standards, it will be found in the coordinated efforts of ISO, IEC, ANSI and NIST. This core group is regulated by a variety of local, industry, national and international laws. Bound by MOUs (Memoranda of Understanding) and in accordance with the Agreement on Technical Cooperation between ISO and CEN 102 , Public Law 104-113 103 , and the WTO Final Act of the Uruguay Round, this core group is recognized by the principle of U.S. National Conformity Assessment 104 to the extent that their implementation may be assessed by conformity assessment bodies operating under schemes such as those of ISO's CASCO (Committee on Conformity Assessment).

To speak for the workings of even one technical area requires a long period of involvement. To speak with authority on any single standard, one would at least need to be a contributing member of the Information Technology Task Force (ITTF) 105 . I find it hard to believe anyone knows every consideration ever made within every area of ISO, IEC, ANSI and NIST aligned committees.

Given the choice to build a list or get the list from ISO, the choice is fairly obvious. ISO wins.

I’m not suggesting we can’t perform an information audit unless we use standards as created by ISO. If I try to isolate and extract all ISO influence in my own thinking, I’m left with a big empty space in my head.

At best, I have evolved to the professional ranks of dog-squirrel. Part squirrel and part rescue dog, I don't pick up the principles of ISO by pure wolf instinct. I sniff at everything new and then bury it in the yard, I store nuts for winter, and I need a good master to tell me what to do. I'm pretty loyal to ISO.

In the event you are not familiar with ISO, I suggest a warm-up using the two documents I mentioned before. Start with the GTAG Information Control Guidance, because it is easy to understand and provides thoughtful insight into the way we conduct our practice. Then read Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit, because it shows the advantage of ISO standards in an audit context 106 .

Lowest Common Denominator

High school math is not often listed as a "critical thinking" requirement. It should be. Halfway through the ninth grade, most of us learned how to reduce miles of numbers to their lowest common denominator. No matter how large, any equation could be reduced according to a few simple rules. I wonder what our task would be like if IT audit had been planned by Socrates and Euclid 107 ? Every standard would have applicable rules for the factoring, reduction and calculated probability of its impact on any organization.

Committees for audit organizations produce a list of authors whose names can be placed at the scene of every significant law and standard affecting IT over the entire digital age. Given generations of cross-pollination, our major standards bodies share a mission to simplify, de-duplicate and align information controls to one common framework of standards. In spite of differing charters, they are all concerned with efficiency and effective controls. For example, in recent interpretive documents, the PCAOB and the FASB ask that we make it easier, not harder, to meet audit requirements. ISACA and IIA publications consistently address the FASB 108 and PCAOB concerns over cost and waste by offering tools and resources designed to support the process of audit, to measure, benchmark and report, and to guide the selection of critical controls using a risk-based audit management approach.

All groups agree that frameworks are resources made available to our audit strategy. They are not laws in and of themselves. All committees share a valid concern over the oversimplification and misinterpretation of laws governing business and systems. Unfortunately, Euclid and Socrates aren't here to help us. We rely, in their absence, on ethical judgment in selecting the fewest requirements necessary for the attestation of control. The better we are at selecting a lowest common denominator of standards, laws and frameworks, the more we benefit our clients while reducing escalating and burdensome compliance costs.

The true test of those ethics is maintaining the intent of the law and being certain our method of reducing the numbers also keeps those numbers real. Our challenge is to remember that, no matter how long and complicated the equation, when we've found the lowest common denominator it must still be the same number.

Reduction versus oversimplification is the essence of detection risk. It is a legitimate and driving fear that keeps us from proclaiming an algorithm to reduce regulatory requirements. We must not cross the line between standard of practice and code, as if a practice were a mathematical law. We are not served by "dumbing down" the information problem. So we are left with a truly ethical challenge: how do we reduce complexity and verify that, at the end of the day, we still have the same raw number?

The GTAG references two works that summarize larger security standards. They reduce complexity by defining standards for secure technology in specific areas of industry. Both standards are widely used by merchants and educators, primarily those in the United States. The Payment Card Industry (PCI) Data Security Standard, which VISA enforces through its Cardholder Information Security Program (CISP), governs the management of credit card data and the protection of an industry that is constantly under attack 109 .

Cartoon Plan: Commercial: […] is everywhere you want to be. Private incorporation: $1,200. Printing and marketing: $15,000. Web site shopping cart: $30,000. Over 40,000 verified credit card transactions per day: priceless. VISA, PCI Data Standard, is everywhere your electronic business wants to be.

How low can you go?

I recall having seen the VISA standard as a single file pulled back by a Google search. Out of its surrounding context, I initially felt the standard served no purpose, seeming to paraphrase a number of standards in the public domain, and lacking attribution or recorded peer review. The Global Technology Audit Guide (GTAG) needed to make only one point to inspire me to dig the standard out of the stack and re-prioritize its reading. The GTAG simply stated that the PCI VISA Data Standard is in wide use.

My definition of a "good" standard clearly needed an adjustment. Is it more important to represent every security detail, or to prioritize a high-level list of concepts? What we see in the PCI CISP (aka CISP V2.3) is that merchants and electronic markets get it.

Even if it looked to me like an ISO Light, anything extending critical security practice to businesses engaging in poor data security is at the very least "spot on."

Maybe it's "spot on" for another reason. A small amount of digging for contributors to the credit card standards revealed the chairman of ISO TC68 SC2, Security Management and General Banking Operations, Mike Versace, and its Secretary, Cynthia L. Fuller. With biographies published in English and French, their efforts to assure financial industry standards and automation reap results that go way beyond humbling. Ms. Fuller's name leads to the "ISO 20022 Universal Financial Industry message scheme," which can be viewed at the ISO 20022 Financial Repository: Business Process Catalogue & Data Dictionary. Mike Versace, in addition to a full-time industry position, travels worldwide in support of numerous financial security standards. ISO delegates representing Canada, the United Kingdom, the United States, Germany, France, South Korea and Japan include representatives of CLEARSTREAM, IBN, MasterCard, SWIFT, UN/ECE and, of course, VISA 110 .

Reviewing current works and the 34 published and current standards used in security and banking, as produced by this single TC, did not lower the height of Mount Must Read™. The study of the VISA standard, however, provided a means for quick demonstration of compliance evidence in specific areas of data and retention management. The PCI/VISA data standard test-procedure checklist is clean, clear and achievable.

“Good things, when short, are twice as good”

Baltasar Gracián y Morales (1601­1658)

The more you know, the less you have to say

The second "short and sweet" standard, also listed in the GTAG, is the "Fundamental Five." I first heard of it while reading posts on the ISACA information security list service. Mike S. Hines, a frequent contributor within many substantial information security organizations, made no mention of working on the project 111 . He simply asked me if I had seen the ISG Tool and if I knew about the work of the Corporate Information Security Working Group (CISWG). This was a humbling day. As of this 2005 writing, they are working to introduce the "Corporate Information Security Accountability Act of 2003." The bill would further amend the Securities Exchange Act of 1934 with bolder restrictions controlling IT products, on a scale that many find excessive. Stating the need for "Internet Service Providers and Operating Systems manufacturers to work more aggressively with other public and private stakeholders to provide consumers of all levels of sophistication with information about affordable and user-friendly tools that are available to help them protect themselves and immediately improve their cyber security hygiene," this act has the potential to impact technology manufacturing with force equal to the wallop of SOX 112 .

Produced under the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, chaired by Adam H. Putnam, few efforts compare with the CISWG's elegance in considering all of the best current contributions to security and compiling them into a single list, Information Security Management References.

The ISG Tool gives cyber security what the instant home pregnancy strip test gave to medical practice. The Fundamental Five answers tell us fairly quickly whether information practice is healthy or having problems. No pretense of an easy fix or exhaustive technical detail is made. IT control is simply made accessible: to education, to practice as witnessed by our youngest minds, and to protecting our country's most valuable asset, our intellectual capital.

Fundamental Five

The Consensus Benchmarks, from the Center for Internet Security (www.cisecurity.org), provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)

2. Change Management (including patch management)

3. Configuration Management

4. Firewalls (workstation, host, sub-network, and perimeter)

5. Malware protection (including worms and viruses) 113
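As an added example (not the GTAG's, the CISWG's or CIS's own material), the script below shows what a consensus benchmark looks like once it is turned into something a machine can run: a table of expected configuration values checked against a constructed sshd_config, producing pass/fail evidence and a score. The directive names are real OpenSSH keywords, but the expected and default values in the BENCHMARK table are assumptions chosen for illustration, not the CIS benchmark's actual recommendations. Two habits of the real tools are carried over: sshd honours the first occurrence of a keyword, and everything after a Match block is conditional and must not be read as the global setting.

```python
"""Turn a consensus benchmark into a runnable configuration check.
Added example; the BENCHMARK values are illustrative assumptions, not CIS content."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sshd_config for the example, with one weak setting and one
# commented-out directive so that the assumed default has to be applied.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config (example input, not from a real host)
Port 22
protocol 2
PermitRootLogin yes
PasswordAuthentication no
# X11Forwarding yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""


@dataclass(frozen=True)
class Check:
    directive: str             # OpenSSH keyword; keywords are case-insensitive
    expected: Tuple[str, ...]  # acceptable values (arguments are case-sensitive)
    default: str               # value assumed when the directive is absent (assumption)


# Illustrative benchmark table. Expected and default values are assumptions
# chosen for the example, not the CIS benchmark's actual recommendations.
BENCHMARK: List[Check] = [
    Check("Protocol", ("2",), "2,1"),
    Check("PermitRootLogin", ("no",), "yes"),
    Check("PasswordAuthentication", ("no",), "yes"),
    Check("X11Forwarding", ("no",), "no"),
    Check("MaxAuthTries", ("1", "2", "3", "4"), "6"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global directives as lowercased keyword -> argument.

    Two sshd rules matter for a benchmark: the first occurrence of a keyword
    is the one sshd uses, and everything after the first Match block applies
    only conditionally, so parsing stops there."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                          # conditional section starts
        settings.setdefault(key, value)                    # first occurrence wins
    return settings


def evaluate(config_text: str, benchmark: List[Check]) -> List[dict]:
    """Judge every benchmark item; an absent directive is judged on its default."""
    settings = parse_sshd_config(config_text)
    results = []
    for check in benchmark:
        actual = settings.get(check.directive.lower())
        effective = actual if actual is not None else check.default
        results.append({
            "directive": check.directive,
            "effective": effective,
            "explicit": actual is not None,
            "passed": effective in check.expected,
        })
    return results


def score(results: List[dict]) -> float:
    """Percentage of benchmark items passed."""
    if not results:
        return 0.0
    return 100.0 * sum(1 for r in results if r["passed"]) / len(results)


if __name__ == "__main__":
    report = evaluate(SAMPLE_SSHD_CONFIG, BENCHMARK)
    for r in report:
        origin = "set" if r["explicit"] else "default"
        print(f"{'PASS' if r['passed'] else 'FAIL'}  {r['directive']:<24} {r['effective']} ({origin})")
    print(f"score: {score(report):.0f}%")
```

Running it prints one line per check and a score of 60% for the constructed file: PermitRootLogin and MaxAuthTries fail, and the Match-block override of PasswordAuthentication is correctly ignored. The commented-out X11Forwarding line is the reason a benchmark has to state the default it assumes; an absent directive is not the same thing as a passing one.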

TV News

"Information on Massachusetts seismic and magnetic phenomena warned geologists that Mount Must Read™ had become unstable. Fearing volcanic eruption, investigators gathered evidence pointing to a completely unexpected source. The rise in temperature appears due to radiated humiliation, believed to come from a single source in Massachusetts. Investigative reporting claims they've identified the Dog, saying she simply became aware of her own ignorance. Scientists fear the single outbreak of spontaneous humility may be the first sign of an epidemic. The Secretary of Education refused to comment. More at eleven."

A simpler selection criteria

High school graduates use either the MLA or the APA standard in submitting writing and research 114 . Without meaning to compare a writing standard to the ISO template, smaller standards still accomplish many of the same goals with infinitely less complexity. Provided by Leslie Murtha to support her Rutgers students, a simple common criteria for the evaluation of information resources lends value to how we might organize a collection of rated sources 115 . The points simply reinforce that resources be reviewed for Authority, Accuracy, Currency, Clarity, Purpose, and Content.

The IIA GTAG for information technology controls lists types of control frameworks as applied to technology practice and its assessment by information systems audit. The suggested grouping of standards includes:

§ Systems Development Processes

§ Systems Software Configuration

§ Application Controls

§ Data Structures

§ Documentation

Perhaps the bite-size model won't satisfy all appetites, but it certainly organizes a broad view of current thinking. My experience using the ITIL® Service and Infrastructure framework and COBIT®'s 34 IT control processes left me feeling this list is not going to carry me to lunch. Being a collector, I've squirreled away 200 process titles and flow diagrams in a Facilitated Compliance Management™ (FCM™) tool. Normalizing process by aligning ITIL® functional domains with COBIT® IT and application controls provides a baseline for mapping process to standard, supporting visibility over process architecture, and documenting compliance in activities throughout business and systems management.

I'm part rescue Dog. Like most rescue dogs, my mission has been bringing relief to one stranded victim at a time. Maybe spending October through December of 2005 in "recovery" exposed me to a few too many FEMA failure and Katrina devastation news reels. Perhaps it was the night I stayed up to watch "Enron: The Smartest Guys in the Room" (see the Roger Ebert summary for more information), but my sense of personal contribution had shrunk to complete insignificance. A feeling of utter urgency to push audit and standards to a stronger level of automation and implementation became paramount.

Even after ISO creates the classification schema for the catalogue of standards, we will still need a universal standards blood bank. Cataloguing all distinct types, as we do with our national blood bank, our standards would form a configuration database. This standards CMDB would provide the baseline, giving us visibility over what we have and what we need, establishing where we stand in keeping current with other countries, and revealing any potential for yet another moral and technology-standards-driven crisis.
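The "Lowest Common Denominator" discussion above asks how to reduce a pile of requirements to a smaller set of controls while proving that "at the end of the day, we still have the same raw number," and the paragraph just above asks for a standards CMDB with visibility over what we have and what we need. The following is an added example, not the author's FCM™ tool or any framework's own mapping: a crosswalk from constructed requirements (the source names are real frameworks, but the clause references and texts are invented for the example) to normalized controls, with a conservation check that fails when a requirement is dropped, when a control cites a requirement that does not exist, or when a "shall" is quietly merged into a "should." The two obligation strengths and both crosswalks are assumptions for the example.

```python
"""Normalize requirements from several frameworks into fewer controls and prove
nothing was lost. Added example; inventory, refs and crosswalks are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Requirement:
    source: str      # framework or law the clause comes from
    ref: str         # clause reference (constructed, not the real numbering)
    text: str
    obligation: str  # "shall" (mandatory) or "should" (recommended)

    @property
    def key(self) -> str:
        return f"{self.source}:{self.ref}"


@dataclass
class Control:
    cid: str
    title: str
    obligation: str
    sources: Set[str] = field(default_factory=set)  # requirement keys it satisfies


STRENGTH = {"should": 1, "shall": 2}  # assumption: two obligation levels only

# Constructed inventory: seven requirements from four frameworks.
INVENTORY: List[Requirement] = [
    Requirement("ISO17799", "R1", "Log user access to information systems", "shall"),
    Requirement("COBIT", "R2", "Monitor and review access and security events", "shall"),
    Requirement("ITIL", "R3", "Record security incidents in the service desk log", "should"),
    Requirement("ISO17799", "R4", "Review user access rights at regular intervals", "shall"),
    Requirement("COBIT", "R5", "Periodically review user accounts and privileges", "shall"),
    Requirement("PCI", "R6", "Remove inactive user accounts within a fixed period", "shall"),
    Requirement("ISO17799", "R7", "Protect against malicious code", "shall"),
]

# First draft of the crosswalk, with three mistakes a reviewer should catch.
CROSSWALK_DRAFT = [
    {"cid": "NC-01", "title": "Log and monitor user access", "obligation": "shall",
     "covers": ["ISO17799:R1", "COBIT:R2", "ITIL:R3"]},
    {"cid": "NC-02", "title": "Review user accounts periodically", "obligation": "should",  # weakens three 'shall's
     "covers": ["ISO17799:R4", "COBIT:R5", "PCI:R6", "PCI:R9"]},                            # PCI:R9 does not exist
    # ISO17799:R7 (malicious code) is not mapped at all.
]

# Corrected crosswalk: seven requirements reduced to three controls, nothing lost.
CROSSWALK_FIXED = [
    {"cid": "NC-01", "title": "Log and monitor user access", "obligation": "shall",
     "covers": ["ISO17799:R1", "COBIT:R2", "ITIL:R3"]},
    {"cid": "NC-02", "title": "Review user accounts periodically", "obligation": "shall",
     "covers": ["ISO17799:R4", "COBIT:R5", "PCI:R6"]},
    {"cid": "NC-03", "title": "Protect against malicious code", "obligation": "shall",
     "covers": ["ISO17799:R7"]},
]


def normalize(inventory: List[Requirement], crosswalk: List[dict]) -> Tuple[List[Control], List[str]]:
    """Build normalized controls and collect findings: unknown citations,
    weakened obligations, and requirements left uncovered."""
    by_key: Dict[str, Requirement] = {r.key: r for r in inventory}
    covered: Dict[str, List[str]] = defaultdict(list)
    findings: List[str] = []
    controls: List[Control] = []
    for entry in crosswalk:
        control = Control(entry["cid"], entry["title"], entry["obligation"])
        for key in entry["covers"]:
            req = by_key.get(key)
            if req is None:
                findings.append(f"{control.cid}: cites unknown requirement {key}")
                continue
            if STRENGTH[req.obligation] > STRENGTH[control.obligation]:
                findings.append(f"{control.cid}: '{control.obligation}' weakens {key} ('{req.obligation}')")
            control.sources.add(key)
            covered[key].append(control.cid)
        controls.append(control)
    for req in inventory:
        if req.key not in covered:
            findings.append(f"uncovered: {req.key} ({req.text})")
    return controls, findings


def conserved(inventory: List[Requirement], controls: List[Control], findings: List[str]) -> bool:
    """The 'same raw number' test: the reduced list may stand in for the big one
    only if every requirement traces to a control and there are no findings."""
    traced: Set[str] = set()
    for control in controls:
        traced |= control.sources
    return not findings and traced == {r.key for r in inventory}


def reduction_ratio(inventory: List[Requirement], controls: List[Control]) -> float:
    return len(controls) / len(inventory)


if __name__ == "__main__":
    for name, crosswalk in (("draft", CROSSWALK_DRAFT), ("fixed", CROSSWALK_FIXED)):
        controls, findings = normalize(INVENTORY, crosswalk)
        print(f"{name}: {len(INVENTORY)} requirements -> {len(controls)} controls, "
              f"conserved={conserved(INVENTORY, controls, findings)}")
        for finding in findings:
            print("  ", finding)
```

The draft crosswalk reports five findings and fails the conservation test; the corrected one reduces seven requirements to three controls and passes. The point of keeping the obligation check separate from the coverage check is the essay's own: a mapping can be complete and still be an oversimplification if a mandatory clause ends up behind a merely recommended control.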

A common criterion for evaluating frameworks of information standards would have to operate independently of infrastructure or industry. Its greatest challenge is simply the ability to correctly represent the problem. All control assessment frameworks begin with a context, be it geographic, legal, technical or social, because there is no such thing as compliance unless it answers the question: "Compliance with what?"

The closest all-encompassing framework, spanning tremendous size, considering an enormous number of business and social conditions, and leveraging centuries of contributed wisdom by the world's greatest minds, is the United States Code: fifty titles of federal law.

How did I miss the Common Criteria?

Any valid comparative technology standard points to work by NIST and the CISWG, but even they are limited by the context of United States legal parameters. Leading the pack in attacking the larger picture are the collective members responsible for the ISO/IEC 15408 International Standard, Common Criteria for Information Technology Security Evaluation 116 . Seven government organizations, known as the "Common Criteria Project Sponsoring Organizations," grant ISO/IEC a non-exclusive license to provide the standards for purchase:

ISO/IEC 15408-1:2005 Ed. 2 (stage 60.60, JTC 1/SC 27): Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model

ISO/IEC 15408-2:2005 Ed. 2 (stage 60.60, JTC 1/SC 27): Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 2: Security functional requirements

ISO/IEC 15408-3:2005 Ed. 2 (JTC 1/SC 27): Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance requirements

The standards are also available at the web site of the ISO/IEC Information Technology Task Force (ITTF), which provides a great deal of information. The Common Criteria project itself endeavors to supply a solution for the uniform evaluation and certification of technology products.

With all the reading I've done in the area of SAS 70 and SysTrust, I don't understand how I missed product-based certification. Although the standard does not extend to all areas of technology, I would not use a network product in the future unless it aligned to this certification.

How did we miss Common Criteria for Product Evaluation?

Feeling like a Dog caught drinking from the toilet bowl, I immediately began to explore everything on the site. The write-ups on product testing provide unbiased, simple assessments in a manner infinitely more impactful than the white papers primarily written for advertising. Even if the words are exactly the same, reading it here means the study counts. The organization of evaluated products provides an interesting ontology for the review of technology control resources.

§ Access Control Devices and Systems

§ Boundary Protection Devices and Systems

§ Databases

§ Data Protection

§ Detection Devices and Systems

§ ICs, Smart Cards and Smart Card related Devices and Systems

§ Key Management Systems

§ Network and Network related Devices and Systems

§ Operating systems

§ Other Devices and Systems 117

I'd love to say that my addiction to reading Cliff Notes, saving files and printing is now conquered, but that would be a BIG FAT LIE. Even as a Dog, I couldn't swallow that I'd never seen this before. A full-text search showed the files had not been downloaded to my hard drive or network. I marched over to Mount Must Read™ and began to take him down by chunks. "Why don't you have these files?" I recall saying in a crazed stammer. I had to touch these, feel them as paper and ink.

Realizing the potential for reams of new reading, it was clear I’d need two pots of coffee and a really good sponsor. I medicated with 20 pages, the Introduction to Common Criteria, and uninstalled all the printers.

These are not Cliff Notes

Quoting the Common Criteria (CC) introduction as it explains the nature of an evaluation, the project is a tremendous fit for technology audit needs:

An evaluation is an assessment of an IT product or system against defined criteria. A CC evaluation is one using the CC as the basis for evaluating the IT security properties. Evaluations against a common standard facilitate comparability of evaluation outcomes. In order to enhance comparability between evaluations results even further, evaluations should be performed within the framework of an authoritative evaluation scheme, which sets standards and monitors the quality of evaluations. Such schemes currently exist in several nations 118 .

Models used to compare security best practices are astoundingly comprehensive. Unfortunately, I began by reading items pulled back by Google searches, which provided out-of-date (1999) text of CC V1 and CC V2, only to find out just today that the project had already released Version 3.0 of the Common Criteria and the Common Evaluation Methodology (CC V3.0).

As explained at the organization portal, “The Common Criteria (CC) was published as Version 2.1 in 1999. Some updates were subsequently incorporated in version 2.2, which was published in 2004. The CC and the associated evaluation methodology (CEM) are used by the nations involved in the Common Criteria Recognition Arrangement (CCRA) to gain assurance in products, protection profiles, etc. evaluated under the various schemes.”

The Common Criteria Project summary explaining the reasons to update and change their standard is a model of why we continue to optimize all of our standards. Taking some liberty, here is my summation of their points.

A new release of an existing standard is justified when it provides:

§ Simplicity, clarity and consistency (in all cases reducing length)

§ Rationalization and removal of duplication (especially duplication created by other standards)

§ Improved ease of use (as in leveraging organizations dedicated to the training of professionals, such as the ISPI)

§ Additional support

Full text of the series is available under limited copyright. I recommend reading the introduction and evaluation methodology. Depending on assessment needs, this may be useful, in particular for industries supporting or releasing security and IT control management products.

CC Part 1: Introduction and general model ccpart1 V3.0.pdf

CC Part 2: Security functional components ccpart2 V3.0.pdf

CC Part 3: Security assurance components ccpart3 V3.0.pdf

CEM: Evaluation Methodology cem V3.0.pdf

Any company needing product-based security compliance certification, as a means to advance in international markets, should own and adopt the Common Criteria standard released by ISO.

This is not the answer to my quest, but it offers a lot of insight into the process. The Common Criteria, ISO/IEC 15408 standard provides a method that includes uniform comparisons, response to changes in current application, and security conformance to best practice. The approach aligns all known best inputs from literally dozens of organizations.

Here are two more snippets from the introduction. I liked the simple idea that any standard might be aligned to a protection profile, so here is just one taste from the CC.

"Protection Profile (PP) A protection profile defines an implementation-independent set of security requirements and objectives for a category of products or systems which meet similar consumer needs for IT security. A PP is intended to be usable and to define requirements which are known to be useful and effective in meeting the identified objectives. The PP concept has been developed to support the definition of functional standards, and as an aid to formulating procurement specifications. PPs have been developed for firewalls, relational databases, etc, and to enable backwards compatibility with TCSEC B1 and C2 ratings.

Security Target (ST)

A security target contains the IT security objectives and requirements of a specific identified TOE and defines the functional and assurance measures offered by that TOE to meet stated requirements. The ST may claim conformance to one or more PPs, and forms the basis for an evaluation 119."

In Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance components, 2005 release, I found a design model that offered some insight into a "standard for all standards" approach. Classes of information used to evaluate products against their relative claim in providing technology controls are presented as class and family, across the following domains:

§ ACO: Composition

§ ADV: Development

§ AGD: Guidance documents

§ ALC: Life-cycle support

§ ASE: Security Target evaluation

§ ATE: Tests

§ AVA: Vulnerability assessment

Table 1: Assurance family breakdown and mapping

Assurance Class                     Assurance Family
----------------------------------  ----------------------------------
Composition (ACO)                   Composition Rationale
                                    Development Evidence
                                    Reliance of Dependent Component
                                    Base TOE Testing
                                    Composition Vulnerability Analysis
Development (ADV)                   Architecture Design
                                    Functional Specification
                                    Implementation Representation
                                    TSF Internals
                                    Security Policy Modeling
                                    TOE Design
Guidance Document (AGD)             Operational User Guidance
                                    Preparative User Guidance
Life-Cycle Support (ALC)            CM Capabilities
                                    CM Scope
                                    Delivery
                                    Development Security
                                    Flaw Remediation
                                    Life-Cycle Definition
                                    Tools and Techniques
Security Target Evaluation (ASE)    Conformance Claims
                                    Extended Components Definition
                                    ST Introduction
                                    Security Objectives
                                    Security Requirements
                                    Security Problem Definition
                                    TOE Summary Specification
Tests (ATE)                         Coverage
                                    Depth
                                    Functional Test
                                    Independent Testing
Vulnerability Assessment (AVA)      Vulnerability Analysis

Seems like a Schema to me

Reading any representation of standards will at some point propose a common schema for application and digital communication. Tim O'Reilly published "What is Web 2.0", in which he summarizes these points as core competencies for companies claiming their software or service meets the standard to be described as Web 2.0. If a framework for all standards has any hope of success, it will at the very least be Web 2.0 compliant. His summary suggests that success comes from:

§ Services, not packaged software, with cost-effective scalability

§ Control over unique, hard-to-recreate data sources that get richer as more people use them

§ Trusting users as co­developers

§ Harnessing collective intelligence

§ Leveraging the long tail through customer self­service

§ Software above the level of a single device

§ Lightweight user interfaces, development models, AND business models

In an interesting sidebar titled "The Architecture of Participation", O'Reilly pitches the development of data not in a predetermined design pattern but in a pattern based on common use 120. The sidebar cites Dan Bricklin's work, The Cornucopia of the Commons, which describes three ways to build a large database.

"The first, demonstrated by Yahoo!, is to pay people to do it. The second, inspired by lessons from the open source community, is to get volunteers to perform the same task. The Open Directory Project, an open source Yahoo competitor, is the result. But Napster demonstrated a third way. Because Napster set its defaults to automatically serve any music that was downloaded, every user automatically helped to build the value of the shared database. This same approach has been followed by all other P2P file sharing services. […] One of the key lessons of the Web 2.0 era is this: Users add value. But only a small percentage of users will go to the trouble of adding value to your application via explicit means. Therefore, Web 2.0 companies set inclusive defaults for aggregating user data and building value as a side-effect of ordinary use of the application. As noted above, they build systems that get better the more people use them 121."

Seems like our society runs in two directions at the same time. Blogs, Wikis and RSS have us overtaking outmoded rules for everything from spelling to acceptable business attire. Moving rapidly in parallel, laws restricting digital expression, increasing the girth of copyright and extending legal jurisdiction to every form and channel of communication are the subject of both world and local news. We have never struggled harder to be compliant with greater numbers of independent variations of conformity, to such granular levels of performance and standard.

Is this why I feel dizzy?

The Common Criteria project is among the Open Source initiatives heavily supported by the U.S. Government (see open source memo). In fact, the U.S. federal government uses open source software in response to the E-Government Act of 2002. Various news releases describe the E-Government Act as a regulation that "promotes the sharing of best practices and innovative approaches in acquiring, using, and managing information resources for the government." An outstanding example is found at the Government Open Code Collaborative Repository, which provides, among other things, an open source Content Management System. The repository contains code available for use in meeting state and local governments' CMS requirements. The Commonwealth of Massachusetts Information Technology Division; the Rhode Island Office of the Secretary of State; the Pennsylvania Office of Information Technology; the Utah Governor's Office, CIO Section; the Kansas Secretary of State Office; the Kansas Treasurer's Office; the Missouri Secretary of State Office; the West Virginia Auditor's Office; the City of Gloucester, MA; the City of Worcester, MA; and the City of Newport News, VA, launched the formation of the Government Open Code Collaborative (GOCC) in June of 2004 as a means for collaboration and sharing of computer code developed for and by government entities. Additional links found at this site point to: WorkforceConnections, Advanced Distributed Learning, W3C Web Content Accessibility Guidelines and www.core.gov.

All conferences and articles concerned with open source and code reuse mention OASIS and, in particular, the SAML standard. The approach used for the evaluation of product security offered some similarity to the approach used for the creation of SAML 2.0, the OASIS Security Assertion Markup Language 122. The most significant difference between the Common Criteria and SAML projects, however, is that one evaluates and the other creates assurance from the very start. CC is focused on the evaluation of meeting standards; the committees of OASIS and the SAML TC strive to constrain information by schema, creating preventive controls and uniform communication of data such that compliance is embedded in both form and function. Reading the introduction and end references of SAML 2.0 reveals that this TC applied common security evaluation constructs, leveraging many of the same elements found in the ISO/IEC 15408 series, reworked to normalize use case requirements, enforcing industry security terms in its glossary, and listing various IETF RFC and government standard considerations, such as NIST SP 800-26. For example, SAML is used to demonstrate conformity to web security standards, such as Federal Information Processing Standard FIPS 140.

Constraint and normalization of information is a cornerstone of meeting regulatory compliance requirements. Concepts around the representation of information have existed for many decades, but the most compelling manner of representing information is probably "DocBook." The concept of the DocBook 123 may have been the initial draw for many persons in the Information Technology Audit community, as it offered the basis of what would become Financial Assertion markup language and the representation of bank-regulation-compliant financial reporting. I know it attracted and inspired me to join and participate in several configuration and network data center OASIS TCs. This volunteer organization is at the forefront of compliance and automation. Remarkably, both teams and standards evolve through raw collaboration, commitment, and talent. In spite of tremendous success, leaders like Bob Stayton, author of DocBook XSL: The Complete Guide, and Norman Walsh, author of DocBook: The Definitive Guide, provide daily support to OASIS XML user groups 124.

The concept of stylesheets as a means to validate any standard is long established and well implemented by the web application and electronics industry user communities. BPEL (Business Process Execution Language) offers a lot of hope for process documentation and controls modeling. It is already a standard adopted by the FFIEC. A profound product is the recently released Enterprise Technical Reference Model (ETRM) v3.5. ETRM incorporates a new Discipline for Data Formats within the Information Domain. This Discipline addresses the acceptable formats in which data can be presented and captured for viewing and download at www.mass.gov. ETRM, announced by several news feeds for its bold and eloquent use of Open Standards, is said to jump ahead of the compliance curve. Quoting a small portion of what I find to truly be a Must Read™ shows the importance of OASIS to security and IT.

"[…] Domain: Security - Discipline: Identity Management

Description: Identity Management is a broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity. The driver licensing system is a simple example of identity management: drivers are identified by their license numbers and user specifications (such as "can not drive after dark") are linked to the identifying number.

In a wider context, industry standards groups such as the World Wide Web Consortium and OASIS are developing standards that would enable global identity management, in which each individual would be uniquely identified, and all applicable data would be linked to that identity.

Relevant Standards Organizations.

OASIS – The organization for advancement of structured information standards (OASIS) is currently working two sets of Service Registry standards, i.e. UDDI and ebXML. More information about OASIS can be found at www.oasis-open.org.

W3C - The World Wide Web Consortium was created in October 1994 to lead the World Wide Web to its full potential by developing common protocols that promote its evolution and ensure its interoperability. W3C has around 400 Member organizations from all over the world and has earned international recognition for its contributions to the growth of the Web. More information about W3C can be found at www.w3.org.

WS-Interoperability – The Web Services Interoperability Organization is an open industry effort chartered to promote Web Services interoperability across platforms, applications, and programming languages. More information about WS-I can be found at www.ws-i.org.

IETF - the Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The actual technical work of the IETF is done in its working groups, which are organized by topic into several areas (e.g., routing, transport, security, etc.). More information on the IETF can be found at www.ietf.org/home.html."

Where are you taking me?

OASIS teams, such as the TC members of SAML, represent a vast array of business, government and industry contribution, with representation from W3C, ISO, IEC, ANSI, and BSA, just to start. SAML is in use, is valuable and is current to the recent year. The interpretation of this or any standard, however, suffers from common vulnerabilities. As with any standards body or TC, it may miss adopting the best criteria simply for lack of correctly representing a problem, caused, for example, by a lack of involvement with an outside organization. While the OASIS process for standards development is highly successful, it is so by virtue of contributing members, commitment, consensus, and a broad distribution of stakeholders. SAML is one of the best standards of our time. OASIS is an amazing collection of people and thinkers. It is not, however, immune to obsolescence, lost efficiency or redundancy.

OASIS is a model for standards evolution. The following is a 2005 list of the technical committees:

§ Adoption Services

§ Computing Mgmt

§ Document-Centric

§ E-Commerce

§ Law & Government

§ Localization

§ Security

§ SOA

§ Standards Adoption

§ Supply Chain

§ Web Services

§ XML Processing

The Standards Adoption committee offers sound advice in the evaluation of newly developed standards, their use and quality. There are no "buts" in my statement of support for OASIS. Unfortunately, we are left stringing all these standards together, subject to the limits of each technical scope. In the absence of a uniform ontology for the classification of all existing comparative and/or potentially redundant standards, we still face the same challenge of recognizing apples for apples and oranges for oranges 125.

Honest Doc, I looked everywhere. No expiration date. Like most dogs, anything I can chew and swallow is labeled "food." I don't generally confirm that a hyperlink is the best or most recent source for any type of information. I've only recently made a habit of reading dates and source code on most web sites. Even the most reputable sources, such as the Common Criteria Portal and NIST, provide a few dead links. No one organization is dedicated to, or has the scope to recognize, everyone else's expiration date. It's not deliberate. Most portals come with disclaimers. The Common Criteria Evaluation Portal is under the NIST domain. The disclaimer reads, "Any mention of commercial products within NIST web pages is for information only; it does not imply recommendation or endorsement by NIST."

In the absence of distributed accountability and liability agents, everyone's afraid of definitive answers. As a result, there's no mandate to label the expiration of concepts. Words like "to the best of my ability" and "not an endorsement" have become excuses for even a few Human beings to slip back to the realm of sheep.

A universal schema to manage the expiration of ideas may sound like a Roddenberry plot. Broadcasting over 80:80, a best practice validation algorithm provides a warning beacon based on an author's or organization's current positional authority to claim guidance in any domain. Wouldn't it be great if we had an automated agent screening a document on launch and providing guidance on content relevance? Imagine an agent that could say:

"Warning, the content you are about to read will soon expire. Content warranty for information pertaining to the classified #domain# is best consumed by #date#, and set to expire in 30 days, 22 hours, 12 minutes, 35 seconds. Recommended sources for #domain# competency as required by your professional profile are [list]. Would you like to proceed?"

Darker and deeper

We have standards for submitting written works, research design, chemicals and products, and even requirements that require the creation of more standards 126. I was starting to think Mount Must Read™ had called in a ringer, a seedy underworld association from his days with snakes, pigs and rats. I could sense all this reading taking me down a dark alley.

Sucked in by detail

There's a reason that Eagles fly at a thousand feet in the air. The choice is fly fast or fly low. Try to do both and you slam against a wall. This reality poses an interesting dilemma. If Eagles can't think on a scale of detail that is both minuscule and grand, how do the detail thinkers work with the visionaries, and vice versa?

Get to higher ground

We have consensus among nations that we need to use the same standards. A process for evaluating the quality of a standard, or a process to force repeal and prevent use of an outdated standard, does not appear to exist to date. We just have to stay sharp and pay attention to the signals sent from Eagles. To the extent that a number of industries have staked claims in known standards, by spinning content and then enforcing their own version like law, this is probably not a bad thing 127.

Performance Management may hold the substance of all our answers. Like many auditors and IT professionals, my career has included time analyzing configurations, change logs, network traffic data, entity diagrams and rule-based access schemes. Attempts to explain, interpret, or validate the information resulted in wall charts far larger than my cube or office. The focus on measuring trend and performance began as a means for product and network management, and became foundation material for security and technology controls audit. Every network manager became marketing's and audit's best friend. There was one problem. No one could consistently articulate the problems needing to be measured, and reporting queries grew out of control. There was another problem. As SNMP traps and MIB technology became increasingly mainstream, trend reporting became increasingly efficient at piping and pushing virtually all that is digital and accessible from inside and even outside any corporate WAN. The tools became a liability; in some cases, poor implementation included storing confidential data in clear text and unrestricted access to information, causing damages at staggering costs. Network managers became targets of disproportionate concern. Surpassing the need to measure and trend information, both enterprise and business began to call for a common, visible implementation of controls aligned to a sustainable compliance architecture. Engineers have been telling us this for years. We can measure everything, but interpretation calls for context.

Regulatory mandates have spawned more than a few pearls of wisdom. One such jewel is the GRC model, introduced in 2004 by "Integrity Driven Performance; A New Strategy for Success through Integrated Governance, Risk and Compliance Management." GRC is a trademark of PricewaterhouseCoopers 128.

Bound in fewer than 50 articulate pages, the GRC publication furthers the definition and design model of a Governance, Risk and Compliance (GRC) framework. Freely available and posted online, the GRC deserves rank as a "Must Read™", and I also suggest that being well rounded includes attention to all publications offered by PwC, as well as their newsletter option at CFO Direct 129.

The Emerging Role of Technology: Enabling GRC - at an advanced level of deployment, technology can be likened to a central nervous system for the organization – the means to ascertain, in real time, that risk is being managed and events are being acted upon. Organizations that achieve a real-time risk management, compliance, and monitoring environment enable the application of policies and standards at the time business processes are executed. For compliance to be truly effective it must be not incremental, but integral to business processes – the essence of real-time risk and compliance.

Integrity-Driven Performance™ is a "Must read™."

Open the computer bay, HAL 130

Creating a catalog of standards such that elements can be organized by a single ontology will take a lot of vision and teamwork. In spite of the outstanding efforts toward security and standards harmonization coordinated by ITGI, and the evolving common security frameworks produced by teams including ISO/IEC, OGC, OECD, SEI, NIST and others, a single framework for comparison of all standards is still limited by at least the following factors:

§ Team success tends to require and be limited by perception of specific technical context

§ Creation and adoption of standards and regulations tend to have basis in industry specific use case

§ We see both problems and solutions with the limits of existing vocabulary.

§ It is easier to solve a problem in isolation than to consider all the relevant and existing efforts completed by others to solve the same problem.

Maybe our next evolution will be automation and real-time control information governed by independent "decoupled" authority. Perhaps we will dynamically tie to ISO/IEC/ANSI classified objects and build the correct answer through consistent selection of rules for any item's construction. Best practice according to NIST, CERT and SANS may someday be delivered via a BPEL-compliant schema implementing business- and legally-verified terms of acceptable use. Being neither Wolf, Eagle nor even Human, all I can do is contribute to organizations like OASIS, itSMF, IIA and ISACA. If I'm lucky this won't distract real intelligence, and if we are all lucky, we will be solving the right problem.

After a month of frustrated attempts to use my Dog-size brain to grasp an ontology of standards for IT audit 131, the limits of my efforts took shape. What can we offer in the area of best approach, without a framework database, normalized criteria, common process contents and updated legal and risk-based audit requirements? Given 270,000 registered standards, no one sees the entire picture, but that shouldn't keep us from using a system of placeholders aligned to the best sources based on our audit context.

Until medical science establishes an Object Oriented brain chip that can transfer intelligence using such principles as inheritance, any single instance of vision is only as good as an individual's or team's best representation at a single point in time. Efforts observing how people solve a problem produce grains of goodness. As for duplications of effort and papers that seem to overlap, I realize now that overlap is the greatest indication that we have found common wisdom so far. A screenshot in Appendix A shows the database and supporting tables that help me to see what's important to audit competency and how I track sources across the domains of technology, audit and law. Since the content lacks formal professional body review, I make no claim of assurance that the content is either comprehensive or complete. It's what I do to tackle my own ignorance, and maybe you will find its design useful. Unfortunately, the greatest tools are the ones we build. The act of construction counts for almost all of our learning. That's why we have to let baby organizations live.

As a part of learning and a way to increase design clarity, I tried to fairly compare publications for common elements (ontology), selecting for the study ten substantial contributions to current thinking in security and risk management. Of course this failed. It took several months to align NIST SP 800-53, FISCAM and COBIT®, and that was using freely provided templates and a database 132. It would take me at least three months to consume the Common Criteria, and I've just now finished the PCI VISA standard (which I once thought small, and now view as a substantial undertaking). Fortunately, the failure was in my arrogant belief that the problem had not already been solved by larger and more qualified teams. I still got my answers. They just didn't come from me.

Produced in March 2005 by Information Systems Audit and Control Association®, Information Security Harmonization— Classification of Global Guidance is primarily authored by Leslie Ann Macartney, CISA, CISM, UK. The publication includes all of the security and risk management documents I felt were critical to audit, and additionally involves a highly respected team and approach to their organization and comparison.

Scope

Selections based on common and generally accepted authority in security and risk management included the following works.

§ BS 7799 Part 2:2002 Information Security Management Systems—Specification with Guidance for Use is a specification for an information security management system.

§ Control Objectives for Information and related Technology (COBIT®), published by the IT Governance Institute, represents a collection of documents that can be classified as generally accepted framework and standards for IT governance, security, control and assurance.

§ Systems Security Engineering—Capability Maturity Model (SSE­CMM) Model Description Document 3.0 is a guide to the concepts and application of a model to improve and assess security engineering capability.

§ Generally Accepted Information Security Principles (GAISP) is a collection of security principles that has been defined and produced as a collective effort by members of the organizations involved.

§ The Information Security Forum’s (ISF’s) Standard of Good Practice for Information Security is a collection of information security principles and practices.

§ ISO/IEC 13335 Information Technology—Guidelines for the Management of IT Security, released by the International Organization for Standardization and the International Electrotechnical Commission, is technical guidance subdivided into five parts which provide guidance on aspects of information security management.

§ ISO/TR 13569: 1997 Banking and Related Financial Services—Information Security Guidelines, released by the International Organization for Standardization, is a grouping of security concepts and suggested control objectives and solutions for financial sector organizations.

§ ISO/IEC 15408:1999 Security Techniques—Evaluation Criteria for IT Security is based on the Common Criteria for Information Technology Security Evaluation 2.0 (CC). ISO/IEC 15408:1999 is used as a reference to evaluate and certify the security of IT products and systems.

§ ISO/IEC 17799:2000 Information Technology—Code of Practice for Information Security Management is a collection of information security practices.

§ The IT Infrastructure Library’s (ITIL®’s) Security Management is a methodology describing how IT security management processes link into other IT infrastructure management processes.

§ NIST 800-12 An Introduction to Computer Security—The NIST Handbook, released by the US National Institute of Standards and Technology (NIST), describes the common requirements for managing and implementing a computer security program and some guidance on the types of controls that are required.

§ NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems is a collection of principles and practices to establish and maintain system security.

§ NIST 800-18 Guide for Developing Security Plans for Information Technology Systems provides a format and guidance for developing a system security plan.

§ NIST 800-53 Recommended Security Controls for Federal Information Systems provides a set of baseline security controls.

§ Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE℠) is a set of principles, attributes and outputs for risk assessment.

§ Organization for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks provides a set of nine information security principles aimed at fostering a "culture of security".

§ Open Group’s Manager’s Guide to Information Security is a booklet providing general guidance for IT managers on acquiring secure IT products and systems.

The Classification Framework

A goal of this project was to produce a comprehensive document that evaluated all selected security guidance in the same manner, using the same criteria. The following approach was used to evaluate the guidance:

§ Issuer

§ Document taxonomy

§ Circulation

§ Goal(s)

§ Information security drivers for implementing the guidance

§ Related risks of not using or implementing

§ Target audience

§ Timeliness

§ Certification opportunities

§ Completeness

§ Availability

§ Recognition/reputation

§ Usage

§ CISM domain alignment

§ Description

Instead, I took a step back to my ISO roots and chose to represent a common Entity Resource model for COBIT®, COSO, FISCAM, BS 7799 Part 2 and the PCI VISA Data Standard CISP version 2. I reread an older document that offered a reminder of the importance of common process and its language, the May 1998 NIST IR Process Specification Language 133. What I did get from the exercise was a short list of standards worth normalizing in content.

The result was a leveled view of COBIT® 4.0, ITIL® 2, FISCAM Appendix III, COSO Internal Control Framework: Guidance for Small Business, CISP v.2.3 PCI Data Standard, NIST Special Publication 800-53, BS 7799-2 and ISO/IEC 17799:2000.

Here is my attempt to compare apples with apples. The snapshot is an interface used to establish the best standard and mapped standards for the design of security-related assessments.

The database has evolved a long way since its early days. The list of source documents alone is incredibly long. All ERD and criterion referencing will be shared with the IIA’s AIC and the Standards Board of ISACA. There are a few more snapshots of the main interfaces in Appendix B. Using a rough schema, delivery to my organizations is slated for early next quarter and the results will exist under copyright to OASIS, ISACA and IIA.
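The "apples with apples" crosswalk described above, as an added example that is not the author's database nor any OASIS, ISACA or IIA deliverable: a minimal normalized model in SQLite (Python's standard library) with one table of standard-neutral criteria, one table of each standard's own controls, and a mapping table joining them, plus the two queries such a model is built to answer (who covers this criterion, and where are the gaps). The three standards, the control references and every mapping row are sample data constructed for illustration; the one gap it reports, and the one unmapped control, are deliberate.

```python
"""Normalized crosswalk of security-control guidance across several standards.

Added example, not the essay's database. All rows below are constructed for
illustration. A reported gap can mean either that the standard really has no
control for the criterion or that the crosswalk is incomplete; the orphan
report helps tell those apart, so both are work lists for a reviewer, not
verdicts.
"""
import sqlite3

SCHEMA = """
CREATE TABLE standard (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE,
    edition TEXT NOT NULL            -- version/year: the "expiration date" a reviewer checks
);
CREATE TABLE criterion (
    id    INTEGER PRIMARY KEY,
    code  TEXT NOT NULL UNIQUE,      -- standard-neutral (normalized) control
    title TEXT NOT NULL
);
CREATE TABLE control (
    id          INTEGER PRIMARY KEY,
    standard_id INTEGER NOT NULL REFERENCES standard(id),
    ref         TEXT NOT NULL,       -- the standard's own clause/control number
    title       TEXT NOT NULL,
    UNIQUE (standard_id, ref)
);
CREATE TABLE mapping (
    criterion_id INTEGER NOT NULL REFERENCES criterion(id),
    control_id   INTEGER NOT NULL REFERENCES control(id),
    PRIMARY KEY (criterion_id, control_id)
);
"""

# Constructed sample rows. Names and references are used only as labels.
STANDARDS = [("NIST SP 800-53", "2005"), ("ISO/IEC 17799", "2000"), ("COBIT", "4.0")]
CRITERIA = [("CC-01", "User account provisioning and removal"),
            ("CC-02", "Audit log generation and review"),
            ("CC-03", "Malicious code protection")]
CONTROLS = [  # (standard, ref, title)
    ("NIST SP 800-53", "AC-2", "Account Management"),
    ("NIST SP 800-53", "AU-2", "Auditable Events"),
    ("NIST SP 800-53", "SI-3", "Malicious Code Protection"),
    ("ISO/IEC 17799", "9.2.1", "User registration"),
    ("ISO/IEC 17799", "9.7.1", "Event logging"),
    ("ISO/IEC 17799", "8.3.1", "Controls against malicious software"),
    ("COBIT", "DS5.4", "User Account Management"),
    ("COBIT", "DS5.5", "Security Testing, Surveillance and Monitoring"),
    ("COBIT", "DS5.9", "Malicious Software Prevention, Detection and Correction"),
]
# CC-03 is deliberately left unmapped for COBIT even though DS5.9 was loaded:
# the gap report and the orphan report together expose the incomplete crosswalk.
MAPPINGS = [  # (criterion, standard, ref)
    ("CC-01", "NIST SP 800-53", "AC-2"), ("CC-01", "ISO/IEC 17799", "9.2.1"),
    ("CC-01", "COBIT", "DS5.4"),
    ("CC-02", "NIST SP 800-53", "AU-2"), ("CC-02", "ISO/IEC 17799", "9.7.1"),
    ("CC-02", "COBIT", "DS5.5"),
    ("CC-03", "NIST SP 800-53", "SI-3"), ("CC-03", "ISO/IEC 17799", "8.3.1"),
]


def build_db() -> sqlite3.Connection:
    """Create the in-memory crosswalk and load the sample rows.

    Mappings are resolved by name; a misspelled reference yields NULL and the
    NOT NULL constraint makes the load fail loudly instead of silently dropping
    the row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO standard (name, edition) VALUES (?, ?)", STANDARDS)
    conn.executemany("INSERT INTO criterion (code, title) VALUES (?, ?)", CRITERIA)
    conn.executemany(
        "INSERT INTO control (standard_id, ref, title) "
        "VALUES ((SELECT id FROM standard WHERE name = ?), ?, ?)", CONTROLS)
    conn.executemany(
        "INSERT INTO mapping (criterion_id, control_id) VALUES ("
        " (SELECT id FROM criterion WHERE code = ?),"
        " (SELECT k.id FROM control k JOIN standard s ON s.id = k.standard_id"
        "  WHERE s.name = ? AND k.ref = ?))", MAPPINGS)
    conn.commit()
    return conn


def coverage(conn, criterion_code):
    """[(standard, edition, ref, title), ...] covering one common criterion."""
    return conn.execute("""
        SELECT s.name, s.edition, k.ref, k.title
        FROM mapping m
        JOIN criterion c ON c.id = m.criterion_id
        JOIN control   k ON k.id = m.control_id
        JOIN standard  s ON s.id = k.standard_id
        WHERE c.code = ?
        ORDER BY s.name""", (criterion_code,)).fetchall()


def gaps(conn):
    """[(criterion_code, standard_name), ...]: every criterion/standard cell
    with no mapped control."""
    return conn.execute("""
        SELECT c.code, s.name
        FROM criterion c CROSS JOIN standard s
        WHERE NOT EXISTS (
            SELECT 1 FROM mapping m JOIN control k ON k.id = m.control_id
            WHERE m.criterion_id = c.id AND k.standard_id = s.id)
        ORDER BY c.code, s.name""").fetchall()


def orphan_controls(conn):
    """[(standard_name, ref), ...]: loaded controls tied to no criterion, i.e.
    candidates for a new criterion or for a mapping not yet entered."""
    return conn.execute("""
        SELECT s.name, k.ref
        FROM control k JOIN standard s ON s.id = k.standard_id
        WHERE NOT EXISTS (SELECT 1 FROM mapping m WHERE m.control_id = k.id)
        ORDER BY s.name, k.ref""").fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in coverage(db, "CC-01"):
        print("CC-01 <-", row)
    print("gaps:", gaps(db))              # [('CC-03', 'COBIT')]
    print("orphans:", orphan_controls(db))  # [('COBIT', 'DS5.9')]
```

The `edition` column is what the essay's "expiration date" complaint asks for: once each source carries its version, the same gap query can be restricted to editions still in force, and a mapping into a superseded edition shows up as work to redo rather than silently counting as coverage.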

Two men in suits on a lunch break, reading a newspaper on the steps of a legal building.
Man one: “Did you hear Congress is amending Title 17 as a means to slow growth of ‘Mount Must Read™’?”
Man two: “It’s actually a two-part ruling: first, ‘The New Idea Verification and Universal Encoding Act of 2006’, and then a lesser known ‘CFR 290-15a-b: Final Rule: On Maintaining Juice.’ The bite is in the Juice law.”
Man one: “Weird. I can’t believe I never heard of it.”
Man two: “Juice makes it a federal crime to let batteries run dead in a Universal Translator.”
Man one: “Those things run on batteries? My G-d, that’s insane!”

Man two: “Actually, this just amends the ‘Dead Light Bulb in a Nuclear Research Facility Act of 1966’. You remember, the ‘don’t sit in the dark’ law. Congress had it tucked in some obscure chapter of Title 42, Public Health and Welfare.”

Naked without our tools

Auditors need to stay current in the proper use and deployment of applications, configurations and best practices in all aspects of technology. Technology management applications, agents and processes are a collective compliance toolbox, supporting evidence of best practice in enterprise frameworks and of the minimum networking and data management controls legally required for enterprise management. We have to be current in the benchmarks and standards that define every area of IT best practice. Among the ocean of products claiming instant cures for every compliance ailment are the very same invaluable resources that make it possible to perform the duties of technology management and audit.

A final thought: legal discussion among information auditors tends to over-focus on three Acts, SOX, GLBA and HIPAA. Our professional mandate includes knowledge of the regulatory requirements that apply in the context of our placement, be it industry, military, government or the private sector. We are accountable for this requirement, not the company’s legal staff. When an audit fails to consider legal requirements, the person on the hook is us.

Buyer beware

In Hollywood, a national crisis is quickly followed by high-profile names filming six to ten versions of the same bad movie. They all release in the space of two or three months. No writers are called in response to the times, since these are just scripts in the can, ready at any moment with a little hot water and a crisis tweak. Executives start screaming “Tsunami sells”, “War is big”, “Get me a corporate villain” … and unfortunately, we all know they get what is demanded, and, even worse, these awful movies make money.

Good movies don’t need a popular crisis, and great products were great before SOX. Mature technology is born from engineering genius, business savvy, hard work and time. As for being a “compliance product,” just like the disaster movie outbreak, product vendors large and small will use market opportunity to dress up a failed idea and promise half-baked solutions that never make it out of beta, and as IT auditors we have to be the ones to recognize when it’s time to call foul.

New bait. Cartoon plan: Two men in suits putting boxes on fishing pole hooks. The box says “All New SOX in a Box.” One says to the other, “Why did you bother changing the box?” The other answers, “We just do it to keep the fish from recognizing the same old bait.”

Second greatest hook of all time

In my opinion “Compliance” is the second greatest marketing hook of all time. Worsening the matter of articles lacking valid legal references is the marketing frenzy unleashed by the passing of Public Law 107-204, the Sarbanes-Oxley Act of 2002. Every technology product in the world can claim some form of “SOX remedy,” with the greatest number of claims targeting Section 404. On its own, this is not a bad thing. Tools really do help companies meet the need for internal controls. No matter the product’s original design, however, it became an all-purpose “compliance hammer.” As for the target of the advertising, every publicly traded company in the United States became a Sarbanes-Oxley “nail.” A panicked public (whom I refer to as fish, bait eaters and fish in a barrel) were undeniably hooked. Hopes for a silver-bullet compliance tool spawned even more legal babble and marketing hype.

Do these points have to contradict?

Standards and products created by public industry are as important as any created in audit organizations or government-sanctioned research facilities. In fact, valid evidence of compliance often depends on the existence and proper implementation of every one of these types of tools.

“People, Process and Technology” in today’s electronic economy is surpassed by the three T’s, “Techniques, Tools and Technologies” [134]. Standards organizations work to ensure our ability to maintain credibility in markets, protect U.S. interests and safeguard our patents, but they would never be successful without business interests and substantial financial backing from both government and corporate funds. ISO, ANSI, NIST, IEC, BSA, OASIS, IIA, ISACA and AICPA work with and require corporate contributions, including the intellectual capital of corporate-sponsored private sector scientists and engineers. Simply stated, products don’t make a company compliant. Intelligent business models, however, include compliance requirements as part of any implementation, purchase or product design.

COTS alone can’t save us

White papers explain the design and use of a product, and are meaningful components of the acquisition and control process. Solid IT companies invest heavily in research and design, giving priority to effective management of compliance requirements. The best companies care for their own compliance first, and that trickles down as a standard in service delivery. Understanding how products enforce compliance is what gives standards their power. We should applaud and support the use of BSA, OASIS, IEC and all efforts that remove U.S. barriers to trade. Understanding how EMC, Oracle, Microsoft, HP or IBM create the means for control in technology infrastructure is vital to our national strategy to secure cyberspace. Those are the critical white papers.

Tripwire, for example, makes automated change audit achievable in almost everything, from PeopleSoft modules to instant alerts when a remote network device is illegally added to an obscure branch office. The MKS toolkit, as another example, ensures rules-based workflow and SDLC control through a web interface for any type of development practice. Serena adeptly manages financial roles and segregation of duties issues as a routine course of operations among shops using SAP. The issues of data retention are at the forefront of product offerings addressing many levels of compliance, as cared for by products such as Centera, offered by EMC. Papers produced by, for and about EMC products offer insight into digital evidence, information retrieval and the consequences of violation when corporate practices fail to appreciate the complexity of controlling information.

You may be thinking this is where I sell out and slip you a bunch of infomercials. It is not.

Process alone can’t save us

Blindness to the need for technology is often found among the companies with the strongest set of business processes and policies. “We don’t let our users install on our network” is one of my favorite quotations. I heard these words spoken in the same room where a CEO offered to download my files via web mail on his private laptop. Configuration exceptions made for “special cases” are the tip of the iceberg, but they offer at least one concrete example of why we need tools such as the products created by Tripwire and EMC. The management or mismanagement of digital information is a part of every employee, document and product in the path of running a business. We need to understand tools because evidence of their proper use is a large component of our job. Assessing a corporation’s control over information touches people, process and technology, but our process for evaluation involves technology, tools and technique.
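The change audit that the two passages above credit to Tripwire-class products rests on one mechanism: record a cryptographic baseline of the files that matter, compare the live system against it on a schedule, and report every addition, removal and modification so that the “special case” exception has to be explained. The Python below is an added example written for this page; it is not Tripwire’s code and is not from the original article. The directory layout, file names and the simulated drift in demo() are constructed sample data, and it runs offline.

```python
"""Minimal file-integrity baseline and comparison, the mechanism behind
Tripwire-class change-audit tools. Added example for this page; it is not
Tripwire's code and is not from the original article. Paths, file names and
the 'drift' in demo() are constructed sample data."""
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Walk root and record, per file, its SHA-256, size and permission bits.

    Size and mode are kept alongside the hash so a permission change that
    leaves the content intact (a config file made world-writable) still shows."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {
                "sha256": sha256_of(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(old, new):
    """Report paths added, removed or modified between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    """Persist the baseline as JSON. In production store it off-host or sign
    it: whoever can rewrite the baseline can hide any change from the audit."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a small tree, then simulate the kind of
    'special case' drift the audit should catch (an unapproved binary added,
    a config edited, a file deleted) and return the comparison."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as fh:
            fh.write("debug=false\n")
        with open(os.path.join(root, "etc", "users.txt"), "w") as fh:
            fh.write("alice\nbob\n")

        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Drift that no change ticket approved.
        with open(os.path.join(root, "etc", "app.conf"), "w") as fh:
            fh.write("debug=true\n")
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "agent"), "wb") as fh:
            fh.write(b"\x7fELF\x02\x01\x01")
        os.remove(os.path.join(root, "etc", "users.txt"))

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The evidence value of such a report depends on two things the code only hints at: the baseline must be stored where the people who can change the monitored hosts cannot rewrite it, and the device in the CEO anecdote is only caught if it is inside the monitored scope in the first place. A comparison that runs on a schedule and feeds a change-ticket lookup is what turns a hash list into audit evidence.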

As an ISO child, applying properties for document owner, use and retention is just a way of doing business. I would not imagine it any other way. As the Final Rule amending SEC Rule 17a-4, the broker-dealer records retention rule, was delivered for public view, I was surprised at the amount of response suggesting this was a new way to practice information archiving and classification. There is a web site that eloquently summarizes the manner in which ISO 9001 organizes a data retention program. I’ve written to the author, and hope to get permission to say more about it. Although the site is not offered directly by an accredited organization, its summary of the concerns in document retention is well stated and comprehensive.

The all-in-one notion of “Compliance Solutions” is forgivably appealing to executives desperate to pay compliance terrorists whatever ransom releases their hostage workforce. The irony here is that the workforce held hostage is likely the only means to technology compliance, and it won’t be accomplished through any single suite of solutions. Even the term “compliance tool” is an oxymoron. Is there a noncompliance tool? Products like ACL earn the right to be called a tool for compliance. My definition of a compliance tool is that it allows us to summarize metrics as they indicate the actual audit of application controls. Consider Tripwire, EMC, ACL, Bindview, MKS and Serena. They control change and configuration, providing all forms of evidence. They are clearly controls, but each tool has a core technical purpose of its own. The people who use them are what make a company compliant. Strong infrastructure management resources align to logical data and function owners in a service-oriented architecture. Success is achieved by domain experts who are actually capable of knowing the right tool when they find it. Technology professionals know the pain of implementing battleship solutions that introduce excessive change to an already stressed or non-adapting culture. Even if one suite of products could control every known area of business and technology, certainly 90% would fail for lack of time to customize its use, or, worse, the customization would break any digitally binding evidence built into the tool in the first place.

These points are common sense.

Application development and acquisition is a science. Tools that align to regulation and standards have a common characteristic: a long history of alignment to respected frameworks. Consider the history of PMI, TQM, W3C, BSA and the SEI. They were big before the hype. Consider the suite of technology implementation guides produced under ITIL® being re-released with greater attention to current technology requirements. Note that the creators of our best weapons against computer abuse and fraud have been at this for a long time, were involved in the creation of standards and legislation, and grew up with the standards.

If any of this is new information, I suggest putting a foundation certificate in IT Service Management in front of all other tasks on your calendar this month. The curriculum follows the first three titles in a substantial list of notable works, advancing general knowledge of frameworks and terminology. The result of this knowledge is the ability to discern compliance hype based in FUD (Fear, Uncertainty and Doubt) from compliance theory, such as the security works derived from ITIL®, COBIT® and ISO 17799. ISACA, EXIN and InteQ offer excellent online certification training. The experience of our company indicates that an ITSM foundation certificate is achieved in four weekends. ISEB certification is not the only path to gaining this knowledge. The following series of book and CD resources is available for purchase at the TSO Online Bookstore.

§ Introduction to ITIL®

§ Service Support

§ Service Delivery

§ Planning to Implement Service Management

§ Security Management

§ The Business Perspective

§ ICT Infrastructure Management

§ Application Management

§ Software Asset Management

Consider the view in the ICT Infrastructure handbook of the manager’s role in the control over information and systems: An ICT Infrastructure Manager ensures that:

§ ICT plans are produced and circulated to the appropriate IT Service Management and Business Management on a regular basis

§ Changes to architectures, plans, designs, configurations are reviewed and approved

§ Any changes that impact on the ICT services are appropriately assessed and the risks and impact made clear

§ ICT components and services are adequately managed and administered

§ ICT components and services are appropriately monitored and that there is adequate funding for the necessary tools to support diagnostic and performance monitoring

§ There is adequate monitoring of security and supporting procedures

§ There are appropriate plans for recruitment, training and development of ICTIM staff

§ The quality and cost of ICT services are monitored and controlled to ensure that they are matched to business needs and are provided within budget

§ Appropriate regulations and standards are enforced

§ Regular audits and risk analysis of the ICT infrastructure are conducted

§ Relationships with suppliers and partners are developed accordingly, with compliance to contractual commitments

§ Regular reviews of ICTIM processes are performed

§ ICT Infrastructure Managers may play a key coordination role as part of a business change program and in crisis management [135].

For more information on tools and compliance, please check posts to my web site. (www.pbandsp.com/tools)

Factors affecting world trade

No matter what we buy or what we build, it is pointless to proceed without consideration for the financial, digital and privacy mandates required for world trade. The very definition of information, transaction and retainable data changes with each passing day. You might think the industry leaders have considered this since the beginning, albeit with varying moral intent, such that using established tools and vendors would guarantee safe trade and profit. This is not so. On any given day, news stories include headlines like today’s Computerworld article “Microsoft faces order to modify Windows in South Korea.” This and many more articles regarding international policy can be found at www.computerworld.com.

The statutes of European Digital Rights are available at EDRI: www.edri.org.

When looking to purchase technology products, those lacking evidence of alignment to international trade requirements deserve a lower rank or even complete elimination from vendor consideration. Companies that are not actively involved in regulatory alignment simply won’t hold up in the global market. Awareness of international legal requirements is not exclusively managed by larger corporations, nor ignored by all non-public corporations. It’s a factor that must be evaluated before inviting any vendor to respond to an RFI or RFP. Without consideration for legal exposure, the product will not meet Common Criteria standards and will likely lack alignment to the PCI VISA standard, which could result in loss of the privilege to engage in e-commerce. Digital rights, both in Europe and the United States, gain increasing regulation and granularity of definition, with changes occurring even in the span of writing this paper.

For the study of European and international laws affecting technology and information standards, consider adding these sites to your favorites:

§ www.edri.org, the European Digital Rights foundation, including 21 privacy and civil rights organizations from 14 different countries in Europe.

§ Computer World News, www.computerworld.com.

§ www.ijclp.org, IJCLP, a joint project of The Administrative Law Department of the Institute for Information, Telecommunications and Media Law (ITM) at the University of Münster, Germany and The Information Society Project at Yale Law School, U.S.A.

Products that cannot conform to the retention rules and restrictions mandated by European digital rights law will, at the very least, need to demonstrate exactly how their services and inventory will steer clear of non-United States internet traffic. One way or another, companies ignoring US and international law will become both news and liability. Remember, an eagle spots prey from a thousand feet. Hungry legal eagles eat companies violating world trade and copyright law as a regular diet. The notion of self-contained requirements is long gone.

Birth announcement

I added a Post-it flag to a new pile. It reads “Mount Recycle.”

The buddy system

Truth is, only eagles and licensed pilots fly alone. We simple farm animals need ITGI's Knowledge Network, all the resources from ISACA (especially COBIT® Online), the IIA’s Resources for Information Technology, and updates from the PricewaterhouseCoopers CFOdirect Network®. I rank attempts at Sarbanes-Oxley and SAS 70 compliance without reading COSO [136] and the AICPA guidelines alongside running with scissors in untied shoelaces. These are our primary sources of guidance, because they represent the people whose core mission is to provide us with what we need to know. Google™ may be the source of infinite answers, but these sources are true oracles. Google may win a Nobel Prize someday, but as for me, it is by definition “too much information” [137].

Reading PCAOB standards, audit guidelines and practice frameworks, attending ISACA and IIA CPE events, and subscribing to PwC’s world-class newsfeed is hardly a shabby approach to an audit career. Organizations endorsed by the National Association of State Boards of Accountancy assure timely access to uniform levels of training, materials and guidelines for our practice.

This writing only suggests that a diet consisting of “drinking from the fire hose” and every type of food in the company vending machine will likely lead to poor thinking skills, obesity, and a complete lack of resistance to minor changes in flu strain or weather. Vary the daily circle of reference among reliable, solid sources and defend against self-induced white paper frenzy. Protect whatever brain matter may be left by careful selection of valid documents worthy of “Must Read™” rank.

Let ISACA handle it

Have I skipped right over the “shared responsibility” clause? Surfing for audit material has scary potential to drag us down dark alleys and rat holes. Isn’t it safer to let ISACA and IIA handle the reading list? Why not plug back in to three or four portals and stop the journey right here?

Because the people who maintain, manage the use of and contribute to these critical resources are not in the habit of playing it safe. They demonstrate lifelong patterns of participation in the scope, applicability and intent behind international standards, treaties and laws. Frameworks such as the widely implemented COBIT® are refined and optimized based on the solicited feedback of “rival” organizations. Consider the intent of “COBIT® Mapping: Mapping ISO/IEC 17799:2000 with COBIT,” which painstakingly demonstrates a “global overview of […] important international standards and guidance for IT control and IT security in relationship to COBIT®: COSO, ITIL®, ISO/IEC 17799:2000, ISO/IEC 13335, ISO/IEC 15408, TickIT and NIST 800-14” [138]. ISACA clearly supports considering these standards in our manner of implementing IT governance.

The contributors to the Mapping Projects at ISACA and the GTAG at IIA are the same men and women who elevated a practice previously isolated to the IT department into a major business and legal concern now known as Enterprise Governance. I thought about the articles and papers that I typically read. I examined a few references on papers people had been sending me to read. Some had no references at all. I compared one of the papers to a random Carnegie Mellon University CERT publication, an IIA-endorsed resource and a product released under the guidance of ITGI. The differences between the articles and white papers and any item by the three organizations were impressive. Look at the references listed on page two of “IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control over Disclosure and Financial Reporting” [139].

COBIT® 3rd Edition ©, IT Governance Institute, Rolling Meadows, Illinois, USA, July 2000

Committee of Sponsoring Organizations of the Treadway Commission (COSO), www.coso.org

Common Criteria and Methodology for Information Technology Security Evaluation, CSE (Canada), SCSSI (France), BSI (Germany), NLNCSA (Netherlands), CESG (United Kingdom), NIST (USA) and NSA (USA), 1999

Exposure Draft Enterprise Risk Management Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), USA, July 2003

“Final Rule: Management’s Reports on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports,” Release Nos. 33-8238; 34-47986; IC-26068; File Nos. S7-40-02; S7-06-03, US Securities and Exchange Commission, USA, June 2003, <http://www.sec.gov/rules/final/33-8238.htm>

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), AICPA, New York, USA, 1992

ISO IEC 17799, Code of Practice for Information Security Management, International Organization for Standardization (ISO), Switzerland, 2000 […]

Here’s my visual take away and mental note regarding organizations, documents and writers deserving our professional attention and a rating as “critical” ten out of ten weights.

COBIT® (ISACA, ITGI) AND COSO (AICPA, IIA)

Common Criteria and Methodology for Information Technology Security Evaluation, CSE (Canada), SCSSI (France), BSI (Germany), NLNCSA (Netherlands), CESG (United Kingdom), NIST (USA) and NSA (USA)

Enterprise Risk Management Framework, (COSO)

Any Final Rule ­ US Securities and Exchange Commission

Any ­ ISO IEC 17799, Code of Practice for Information Security

ITIL® and OGC

CCTA

Public Company Accounting Oversight Board=Auditing Standards

Information Security Forum

Endorsed contributions: Deloitte & Touche, PricewaterhouseCoopers

Cartoon plan, Friday Night Fight: Two men in ringside seats, people standing and sitting, tossing tickets on the ground, looking angry or disappointed; a ref with a microphone in the distance: “… force cancellation of the long anticipated Mega Blockbuster Event ‘COSO vs. COBIT®.’” Man one: “There goes another 80 bucks down the drain!”

Enough about them, let’s talk about us

Consider again a “critical,” ten out of ten weight: “IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control over Disclosure and Financial Reporting,” Copyright© 2003 by the IT Governance Institute [140]. Contributors in peer review and content include PricewaterhouseCoopers, Crowe Chizek, RBC Financial Group, Deloitte & Touche, Financial Executives Institute Research Foundation (FERF) [141], Ernst & Young, Protiviti, META Group and Q Alliance, representing the highest rank and strongest talent among business and regulators. They come from banking, audit and enterprise IT consulting, in industries ranging from manufacturing to insurance and air travel (i.e., Electrolux, Great-West Life Assurance Company, Waviest Technologies, New Zealand Air). Participation in this one project represents regulatory mandates as experienced in the USA, Canada, Singapore and Tokyo, Argentina, Australia, the United Kingdom, Luxembourg and Belgium.

What was the motivation that brought this group together? Were they working as a team to be Olympic swimming gold medalists in the 1000 meter Reference List? If so, I didn’t catch that on ESPN. The product is in the public domain and no particular individual is given exclusive rights, except for guardianship of the copyright. If IIA and ISACA aren’t going to fight, and PricewaterhouseCoopers is working alongside Deloitte & Touche, Ernst & Young, Protiviti and KPMG, then… then…

Man two: “#&*=^%#! The promoter should have his license shoved down his throat. What kind of moron puts a pair of pansies in the ring? Why don’t they have a love-in now and sing Kum-ba-yah…” Man one: “It ain’t worth it. Let it go. There’ll be other fights.” Man two, outside, entering a pub: “It’s just the principle of the thing…”

Say it ain’t so

Frameworks don’t compete. Competing is something only people accomplish. Consider the evidence so far: audit bodies, corporations, and every member of the Big 5 have been caught in the act of teamwork. ISACA, IIA and AICPA represent a combined membership of one half million audit and technology professionals. As found on their respective web sites, "ISACA is a leading information technology organization representing more than 47,000 individual members in more than 140 countries. […] ISACA has assumed a role as the harmonizing source for IT control practices and standards the world over" [142]. AICPA reported the 2005 member total as 327,135 members, who passed the CPA exam and are certified to practice [143]. "IIA Membership reaches 110,000” is the noted headline of the IIA’s home page [144]. These are not the full team required for national compliance.

Did you happen to notice where I left a half million auditors? Total accountants and auditors in the United States are estimated to be around 1,007,760 [145]. Each organization provides framework and guidance as required by the Uniform Accountancy Act, as mandated by PCAOB, according to the U.S. rules for GAAP (Generally Accepted Accounting Principles) and according to the state guidelines of NASBA [146]. Our charters serve the spirit of the law, but each team applies different methods and frameworks toward fairly unified goals. Whether we walk, swim, bike or fly, we are over a million professionals who all know one thing about this country’s need for compliance: we need to get there and stay there.

Certainly all auditors involve themselves in maintaining Continuing Professional Education requirements, and an enormous number work among PwC, E&Y, D&T and KPMG (the Big 4; surely Protiviti is overdue for making this a Big 5). Why are so many professionals creating breakaway organizations? Why not join OASIS, IETF, IIA and ISACA, contributing to the greater good? Why do so many IT consultants feel qualified to act as auditors, and why do auditors believe they have mastered the extent of the learning needed to perform forensics?

Found them! I knew they weren’t lost. The circle of reference strikes again. Audit is much more than IT. Site details at AICPA and NASBA mention:

§ AACSB International, www.aacsb.edu.

§ Management accounting and the CMA designation are found at the IMA, Institute of Management Accountants, www.imanet.org.

§ Accredited in Accountancy, Accredited Business Accountant, Accredited Tax Advisor, or Accredited Tax Preparer designations are supported by the Accreditation Council for Accountancy and Taxation, www.acatcredentials.org.

§ Government accounting is supported by the CGFM designation, earned with the help of Association of Government Accountants www.agacgfm.org.

I feel like such a jackass

Donkey (‘Jackass’): “I thought they’d appreciate my creative talent. All the materials were so drab and a little color seemed like a great idea…” Sheep: “Let it go. No one really cares. Don’t forget, we’re not paid to sit around thinking all day.” Donkey: “I feel like such a fool. Do you think the sheep will have me back?” Sheep: “I have a career to protect. You know how it is…”

Did I mention all the new IT Audit and Control Organizations?

A problem not owned equals a problem not solved

We need to own a little bit of the solution or we lose interest in the problem. This is misidentified as “NMI” or “not my idea.” Even as babies we adopted a personal mission to take everything apart. Our obsession evolved into putting pieces together, followed by reverse engineering. (That’s why our parents have gone insane.) Some of us matured to actual inventing, and even hacking for professional gain. (Wolves invent, sharks hack, pigs use the hack created by a shark.) We copy fashion, software, music and even personality. The nature of copying is so pervasive that it is at least a significant reason for most areas of security and all of Title 17.

In fact, we assume we’re supposed to copy, and in some cases this is a career strategy. When asked to perform even a slightly creative task, we begin with a search for the right template. In fact, very few people really want to hear our ideas. Ask any boss and he’ll say, “Is there a template? Great, let’s move on.”

Where do the templates end and our unique configurations begin? Living with blinders is a sure path to failure. Propose anything dramatically different from the norm and, chances are, you become a member of a class I’ve completely left off the list: the jackass.

Many business leaders will tell you that failure in one context drove success in another. We have a proliferation of new organizations in IT control and information system audit. They can be characterized as toddlers: cute, creative, still in possession of baby superpowers. Their interests are stirred by the exciting new problems in technology compliance standards. Outsmarting our favorite cartoon villain holds fascination, joy and wonder, providing opportunity to flex our intellect and sense of justice and to share in camaraderie. You have to admit, for a while there SOX was holding almost as much national attention as the first round of Ben and Jen.

You want me to kill them now? (But they're so cute!) Are you sure about this? I agree they will reproduce. Yes, they may marry into family. You’re right, they’ll publish more standards. Correct, we will have to read them too.

Valid points and I see the wisdom in killing them while they’re weak, but I can’t support youth organization genocide. It’s not even a religious hang­up. I’m concerned these baby organizations may be needed in the compliance chain.

Basic principles in human dynamics limit team size as a factor in success. Business and the army use a principle of five. Schools try to do it with rules for the number of students per class. We need small groups to manage and learn. Large mature groups tend to drown out creativity. People lack a sense of place and purpose. Newcomers to large established organizations see a list of problems they aren’t qualified to solve, leaving nothing to do but try to rub elbows with people who are “trusted to think.” We need baby organizations. In addition to pollinating the untapped dogs and sheep with inspiration, I’m pretty sure killing them isn’t legal. (Check the ACLU site comments on the “right to gather for any purpose, no matter how stupid or a waste of time”, First Amendment [147].) New teams share uninformed optimism, a chemical we have not been able to bottle. They believe they impact the world. Sometimes, they do.

Consider the mission of ITPI, an organization focused on prescriptive, data­driven guidance for IT leaders.

Research – study top performers and identify the causal link between behavior and results.

Benchmarking – create tools that compare individual organizations to top performers.

Prescriptive Guidance – share content written to help IT organizations become top performers.

With this simple data-driven approach, the IT Process Institute aims to enhance the efficiency and effectiveness of our member organizations, and drive performance. They are not Gartner, and they are not the OGC, but their leadership is comprised of Eagles, and their goals remind us there are stars.

“Dreams are like stars...you may never touch them, but if you follow them they will lead you to your destiny.”

Informed Optimism

How did a handful of starving painters create all the works that are collectively known as Impressionism? Why is it we tend to find that Nobel Prize winners are also best friends with Golden Globe-winning playwrights, parents of winners of the Tchaikovsky competition, or merely leaders of Fortune 500 corporations? Don’t Tom Hanks, Paul Newman, Jane Fonda, Goldie Hawn and the Durnings understand what they’ve done to the bell curve on talent? Will someone please tell these bumblebees that science has absolutely proven they can’t fly!

The last note on why we should let baby organizations live, and do everything in our power to help them along, is answered simply by reading the list of members who belong to ITPI. We need this gene pool.

§ Kevin Behr – President and co-founder: CTO and Chief Operational Strategist for IP Services. Kevin co-founded the ITPI with Gene Kim. He is an active member of the Information Systems Audit and Control Association. Kevin is a frequently invited speaker called on to address a broad range of technology and management framework topics. Kevin is co-author of the Visible Ops Handbook.

§ Scott Alldridge – Vice President and founding officer: founding officer and board member of the ITPI. He provides key strategic and operational oversight, and provides key resources from IP Services to see that the vision and mission of the ITPI is carried onward.

§ Ron Neumann – Vice President and founding officer: President of Neumann Management Group, Inc. Ron is a board member of the ITPI and participates in defining the vision and overall strategic direction of ITPI. He manages the organization’s finances, and develops strategic relationships and sponsorships.

§ Gene Kim – Director of Research and co-founder: CTO and co-founder of Tripwire. Gene Kim co-chaired the Best in Class Security and Operations Roundtable (BIC-SORT) with the Software Engineering Institute. He is co-author of the Visible Ops Handbook and is a primary researcher for the IT Controls Benchmarking Survey with Dr. Grant Castner.

§ Dr. Grant Castner – Director of Benchmarking: Professor in the Department of Decision Sciences, Lundquist College of Business, University of Oregon. His research interests include technology adoption and diffusion, accounting information systems, electronic commerce, and information-technology infrastructure best practices. Grant is the research lead for the IT Controls Benchmarking Survey. Grant has also developed the ITPI website, ecommerce systems, and content management system.

§ George Spafford Jr. – Director of Prescriptive Guidance: Managing Director of Spafford Global Consulting. He is a recognized expert in IT process and Audit. He is a prolific author contributing articles to a wide range of IT publications. He co-authored the Visible Ops Handbook.

§ Julia Allen: Senior member of the technical staff at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University. Julia is engaged in developing and transitioning enterprise security frameworks and executive outreach programs in enterprise security and governance.

§ Kurt Milne – Managing Director IT Process Institute: He has over 15 years experience in various marketing management, alliance management, and engineering positions at leading technology companies. His main areas of expertise include IT service management and IT controls, inventory and supply chain management, and computer integrated manufacturing. He is responsible for overall ITPI operations including sponsorship and membership.

I don’t want a baby brother. Tell the stork to bring ideas. Consider just a sample of the organizations shaping at least some of the thoughts we believe are our own. Don’t get discouraged; even the mighty oak was once a nut like …

Source Title | Short Name | Web
----------------------------------------------------------------------- | ------------------------- | -----------------------------------------------------------------------
American Chemistry Council | ACC | American Chemistry Council
American Civil Liberties Union (ACLU) Privacy Information | ACLU Privacy Information | American Civil Liberties Union: Privacy & Technology
American Institute of Certified Public Accountants | AICPA | American Institute of Certified Public Accountants
American National Standards Institute | ANSI | American National Standards Institute - ANSI
Basel Committee on Banking Supervision (BCBS) | BCBS | The Basel Committee on Banking Supervision
Business Software Alliance | BSA | Business Software Alliance - USA Home Page
Center for Internet Security (CIS), Benchmarks and Scoring Tools | CIS Benchmarks and Tools | Center for Internet Security
Center for Public Company Audit Firms | CPCAF | Center for Public Company Audit Firms
CERT Coordination Center | CERT/CC | CERT Coordination Center: Security Practices and Evaluations
Common Criteria Project | Common Criteria Project | Common Criteria Project
Chief Information Officers Council | CIO Council | Federal Chief Information Officers Council
Code of Federal Regulations Full listing at GPO | CFR Full Listing at GPO | Code of Federal Regulations: Main Page
Committee of Sponsoring Organizations of the Treadway Commission | COSO | Committee of Sponsoring Organizations
Corporate Information Security Working Group | CISWG | Corporate Information Security Working Group: Report of the Best Practices and Metrics Teams
Director of Central Intelligence Directives | DCID | DCID - Director of Central Intelligence Directives
Federal Emergency Management Agency Mitigation Division | FEMA Mitigation Division | FEMA: Mitigation Division
Financial Crimes Enforcement Network | FinCEN | Financial Crimes Enforcement Network (FinCEN)
Global Information Assurance Certification | GIAC | Global Information Assurance Certification
Government Accountability Office | GAO | Government Accountability Office
Information Systems Audit and Control Association | ISACA | Information Systems Audit and Control Association® (ISACA®)
Information Systems Security Association | ISSA | Information Systems Security Association
Information Technology Governance Institute | ITGI | Information Technology Governance Institute
Institute of Internal Auditors | IIA | The Institute of Internal Auditors (The IIA) - Progress Through Sharing
International Information Systems Security Certification Consortium, Inc | ISC2 | (ISC)² - International Information Systems Security Certification Consortium, Inc
International Organization for Standardization | ISO | ISO - International Organization for Standardization - Homepage
National Archives and Records Administration | NARA | National Archive and Records Administration
National Association of State Boards of Accountancy | NASBA | National Association of State Boards of Accountancy
National Institute of Standards and Technology | NIST | National Institute of Standards and Technology
Organization for the Advancement of Structured Information Standards | OASIS | Organization for the Advancement of Structured Information Standards
Open Information Systems Security Group | OISSG | Open Information Systems Security Group - Home
Organization for Economic Co-operation and Development | OECD | Organization for Economic Co-operation and Development
Public Company Accounting Oversight Board | PCAOB | The Public Company Accounting Oversight Board
SANS Information and Computer Security Resources | SANS Resources | SANS Institute - Information and Computer Security Resources
Securities and Exchange Commission | SEC | U.S. Securities and Exchange Commission (Home Page)
SysAdmin Audit Network Security Institute (SANS) | SANS Institute | SysAdmin Audit Network Security Institute - About the SANS Institute
Thomas - Library of Congress On Line | Thomas | THOMAS - Library of Congress Online
United States Security Awareness Organization | USSAO | United States Security Awareness Organization

Competition is the spice of life

Consider why so many mission statements use words like “best”, “premier”, and “highest authority.” ‘Amaarrikans’ are measured in increments of gold (medals). We compete, because that is the only way to win.

That was a little harsh. Let me take it back. Searching the internet for “Edwards Deming, Cooperation and Competition” brings back a list including the U.S. Department of Defense. In spite of its reputation, the DoD has long promoted cooperation over competition, “Quality” over “Zero Defect,” citing Edwards Deming’s 14 points for management practice 148 . Here’s an example found buried in a memo on how to work with vendors:

“W. Edwards Deming recommended stable, ongoing relationships between vendors and customers as a key to long-term success. Industry has applied this principle with great success. On the other hand, the Government has traditionally taken the shorter view, e.g., one base year and four option years. This mind-set can lead to rapid vendor turnover and encourages industry to maximize profit. Long-term contracts provide the vendor with the steady income stream needed to make long-term investments in the tools, people, and facilities that the Government needs 149 ."

The Wolf maintains a ruthless image which serves to protect the pack. The leaders collaborate and optimize as a lifelong form of play. They don’t care what it says in the history books. Their children grow up on instinct. Building the better mousetrap may make them wealthy or powerful, but good ideas just add to the world paradigm.

Evidence of Deming’s impact is honored in our Library of Congress. We rate his ideas among our country’s greatest assets. Stories of triumph through cooperation by opposing forces represent a third of prime time television, even if the only reason to cooperate is to enforce the medal, but we are making our way towards living Deming's dream.

My only comment on our obsession with winning is I’m a Deming fan 150 .

Get the data and proportionality 151

Robert McNamara’s revealing commentary on the decision frameworks that prolonged the Vietnam War, often associated with the Errol Morris film The Fog of War 152 , includes lessons about information and data. Morris explains in an NPR interview that reading Paul Hendrickson's book, “The Living and the Dead: Robert McNamara and Five Lives of a Lost War,” set this film in motion. As explained on the NPR website, "Robert McNamara was a believer in control accounting [...] a mathematical way to analyze and evaluate systems. […] and was plucked from success at the Ford Motor Company to become President John F. Kennedy's Secretary of Defense. His unique approach to management guided the United States involvement in Vietnam 153 ."

Biographers and McNamara himself share a sense of irony in portraying the Fog of War lesson “Get the Data.” Commentary on a speech the class of ’39 graduate delivered to his HBS alumni highlights his conviction that “Statistical data could instead be used proactively as a general management tool for analyzing an organization’s production and operations and measuring the efficacy of problem-solving initiatives.” In spite of this, McNamara explained that the conventional wisdom about the domino theory and the question of whether U.S. troops could ever in fact prevent the loss of South Vietnam “was never debated at the government’s highest levels.” In the case of Iraq, he says, “there are comparable issues that appear to have never been debated. That includes ‘nation-building’ or what would happen after we passed through major military operations.”

Frameworks used for the analysis of risk, including financial, digital, criminal, military and social, and the ontology which may be common to those frameworks, are topics deserving debate and global anticipation. The implications of efforts to develop world standards for the design of detective, preventive and predictive controls are only now gaining popular interest in our national strategy, market demand and prioritized government funded research.

The greatest lessons, however, are the simple ones. Realizing Robert McNamara’s professional history involved controls for both the World Bank and U.S. Department of Defense, I felt compelled to read the observations of an Eagle again.

1. Empathize with your enemy.
2. Rationality will not save us.
3. There's something beyond one's self.
4. Maximize efficiency.
5. Proportionality should be a guideline in war.
6. Get the data.
7. Belief and seeing are both often wrong.
8. Be prepared to reexamine your reasoning.
9. In order to do good, you may have to engage in evil.
10. Never say never.
11. You can't change human nature 154 .

Cartoon Plan: Man in suit waving arms saying: “You’ve got to give me something. We go public with these results in less than an hour. The President isn’t going to buy this.” Man at computer with spreadsheets all around, looking into computer screen, perspiration bullets around his face: “The only event correlation consistent with the 23% drop in college admissions across every demographic group in the United States is that week Google was off line due to that massive cyber attack. Fell right around that cram week when the kids write all those essays.”

Does the punishment fit the crime?

If your favorite pastime is cooking books, or you happen to run an electronic smuggling operation over parallel circuits beneath the data center floor, you certainly have my permission to feel all sorts of fear, uncertainty and doubt. IT controls and their associated tools detect a lot of good and bad practice. Punishment, however, is for people who commit crime. The Sarbanes-Oxley Act became landmark when accountability publicly enforced sentencing and jail time. Control frameworks, however, existed long before the events of this decade’s most notorious financial crimes. Jail time for the likes of Dennis Kozlowski (Tyco), Bernard Ebbers (WorldCom), John Rigas (Adelphia) and who knows, perhaps even Michael Brown (FEMA/Katrina) is a punishment that fits. Citing those eleven lessons again, ‘proportionality’ must always be applied. Forcing a public company to spend more time on controls than in the path of their core business begs a lot of questions around fairness and legal intent. The standards we apply as auditors should not have the look and feel of punishment. Controls leverage technology to bring value to the business. The goal of audit is certainly to assure practice and prevent fraud, but it is not about retribution, or personal fame, and it certainly does not bring a company more revenue. Risk is only relative to a company’s capacity to stay in business.

Cartoon plan: It is our Fault: Eagle flying over United States contour map, sees thick arrows at two ends of a jagged line and a sign post that reads “Our fault”

Do you mind one last question? If desperation is what it takes to produce, “Please sir, can I have some more?”

Great developers often say the occasional server crash, file corruption and waterlogged backup tape resulted in their best work. Rewrites are a chance to fix the details we wish we had known before we started. Not much in our life allows us this luxury. Rewrites are good.

T.S. Eliot has been cited a great deal since The Fog of War included Robert McNamara’s reciting of the poem:

“We shall not cease from exploration

And the end of all our exploring

Will be to arrive where we started

And know the place for the first time 155 ."

Maybe this is an Eagle’s best lesson: Vision is never perfect until it looks forward, side to side, and backward, at our history.

Rewriting a standard improves its application and the community involved in its making. The best reason for rewriting already great standards, such as ISO/IEC 17799:2005, ITIL®2 and COBIT® 4th edition, is expanded perspectives and distributed ownership. Comparing different Risk and Security Management guidelines produced by valid authorities comprised of credible and experienced teams only revealed that each group, based in slightly different audience scope and requirement, contributed usable and outstanding content to our field.

Increasing the number of people in the world who feel personally involved in information control is a good thing. To emerging groups, such as ITPI, Association for Business Process Management (ABPM) and a myriad of Local Interest Groups: I am humbled by their enthusiasm and commitment. Their leaders no doubt are wolf spirits, so I honor them with a reminder of Rudyard Kipling’s Law for the Wolves.

The Law for the Wolves

Now this is the law of the jungle, as old and as true as the sky,

And the wolf that shall keep it may prosper, but the wolf that shall break it must die.

As the creeper that girdles the tree trunk, the law runneth forward and back;

For the strength of the pack is the wolf, and the strength of the wolf is the pack. […] 156

For every organization skating the thin ice between influence and violation of copyright, publishing standards based entirely on ISO/IEC 17799:2005, COBIT®, ITIL® or COSO, I’ll just say, “Hats off to you.” I prefer to buy my standards, if for no other reason than the liability of data management mistakes, enabling fraudulent use of other people’s information, 100,000.00 per instance software license infringement fines, and things that go bump in the night 157 .

ISO/IEC/ANSI, AICPA, ISACA, NIST, CMU/CERT and the IIA provide all the raw ingredients for a diet balanced in current best practice across every area of information systems and infrastructure management. Tom Lamm 158 , Brian Selby, Dan Swanson, Ron Hale, Fred Cummins, Tim Howes, Jamey Bryce Clark, Charles Le Grand 159 , Gene Kim, George Spafford Jr., Julia Allen, Bruce Winters, and Mike Hines have collectively written works I will read for the rest of my life, but at least I can be confident that the best work is the most recent. That I can conquer right now. These people have spent a lifetime sharing ideas, feeding their children, running businesses, coaching little league, publishing masterful works, answering our posts, getting married, divorced, married again… Most amazing and true, they actually talk to me, a plain old part squirrel, part rescue Dog.

Our leaders are not preoccupied with a need to ensure all audit problems are solved by their own frameworks and theirs alone. In fact, they are more likely to start any conversation with a list of what they don’t know, inviting all the energy of what Richard Feynman (Nobel Prize winner) describes as “the pleasure of finding things out 160 ." They will introduce future bills, write to members of the PCAOB, SEC and Congress, appear before committee, and forever be listed in the footnotes of regulations and standards, affecting everything from banking to the standard of density for fasteners and threads.

Leaders and Eagles do not pop up like mushrooms four hours after any new regulation is signed into law 161 . Their names mark a progression of community. No doubt they began in a toddler organization, and some may have joined troops fairly advanced in the fight, but each beginning grew to professional leadership. Maybe their secret power is being a master of change, appearing as a member of the GAISP standards committee, then appearing as contributors to ISACA or IIA publications, and emerging again in legal journals, and once more on the committee known as the CISWG (Computer Information Security Working Group).

Today these foundation ideas continue in the BS 27000 series. The recent BS ISO/IEC 17799 (BS 7799-1) and BS ISO/IEC 27001:2005 (BS 7799-2:2005) publications demonstrate lifetimes of commitment to concepts respected world wide. Every major player in the standards game has at least one team working to remove duplications, with ISO 9000 (Quality Management), ISO 14001 (Environment), OHSAS 18001 (Occupational Health & Safety), and all forms of BS 7799 1 and 2 (aka the ISO/IEC 17799:2005 and related series) taking the lead 162 . There are substantial shifts in language from IT Service Management to a broader ICT Infrastructure Management in all areas that pertain to information systems. The expanded use of ICT Infrastructure in place of ITIL® Service Management and Service Delivery concepts makes room for a broader and more comprehensive mapping between British Standards and other frameworks, such as the COBIT® 4th edition by ISACA, NIST Special Publication 53a, FISCAM Volume Two and the ISG Tool 163 produced by the Computer and Network Security Task Force, which was created by members of the CISWG 164 .

Being a loyal Dog, I really can’t solve world hunger. I put my family and company in various annual giving programs because there are no small parts, only small contributors.

After brief adjustment counseling, Mount Must Read™ has accepted that less is sometimes more. He may not be tall, but he’s quality. In all matters of “keep or throw” he will give up old white papers as long as they go to his better half and loving partner, Mount Recycle™.

It’s time for the end of down time and recovery. I am restored and ready for work. There’s just one last question:

Why didn’t I write any of that? I doubt that any completely original ideas still exist. I’m not expecting to have one. I doubt any one person is able to see all the regulations and standards in one big picture, but if that Eagle is out there, my bet is he or she is working in a well recognized team. All I learned from this journey of reading is there is still so much more that I don’t know.

I would however, like to clear up one issue. Here’s my final ruling:

“With regard to alleged problems caused by overlap and conflicts in laws and standards; it is the recommendation of this jury including Loyal Dog, Mount Recycle™ and Mount Must Read™, that due to lack of evidence supporting conflict or damages, the case of Overlap vs. too Much Information is now dismissed.”

It’s all good. Make your own strategy, tackle the mountain and enjoy a nice long read.

I’ve started a small list of rules on the white board by my desk:

Rule number one: Never move data

§ Focus on legitimate location by classification and information type.

§ Use access control to limit change and use.

§ Use registered sources of information where the responsibility lies on them to keep data and standards current.

Rule number two: ‘Only handle it once’

§ Decouple normalized data from stored data by creating business rules for data lookup.

§ Attend to emerging standards by W3C and OASIS to ensure that the smallest amount of unique information is all that we store in any process.

§ Invest in real time valid feeds for standards of measure and control, so the standards are managed by the subject matter experts and the business is configured to leverage those controls.

Rule number three: Common language equals common mission

§ Ensure that all persons have ready access to, and training in, the name and scope of all management functional areas, processes and programs by title.

§ Use the best sources for a current normalized glossary, including NIST, OGC, ISACA, ANSI, NISO, WTO, W3C, OISSG.

Rule number four: Believe in the myth that someone has already solved this

§ Even if a problem is yet to be solved, there are people out there who share your quest and who will only add to your vision and quality of solution. None of us is as smart as all of us.

§ If people who share your interest don’t seem to exist, keep looking.

§ Believe in the myth that YOU can solve the problem. Genius is exclusive to people with the tenacity to continuously fail until they succeed.

Rule number five: Process optimization is what makes a process real

§ Being unique isn’t the only way to bring value. Even if concepts can’t be patented, showing the world how to be faster, safer and more efficient still holds great value. Admitting existing work deserves alignment to current concepts is the first step. Every rewrite makes us stronger. Allowing others to make our own works better shows humility and true maturity.

Rule number six: Don’t re­work the design of others and claim to own their ideas

§ Use industry standard names to construct the names of all things. Giving credit to great frameworks and standards validates mature methodology and service quality.

Rule number seven: Accurately represent the problem

§ Ensure the right stakeholders agree with what needs to be solved.

§ Isolate the known from the unknown.

§ Reuse repeatable frameworks and configuration, including common language, definition of programs and process.

Rule number eight: Only record the variance from the norm

§ Once a part of the configuration is defined, use it to extend the attributes of any other item. Only record the unique variance.

§ Comply with norms and standards by limiting acceptable variance.

Rule number nine: Don't serve green eggs

§ Factor the reception of presentation as equal in importance to all other elements combined. People can't use what they don't know they have. Be sure the delivery looks and feels like a practice already common to the culture. New tastes, textures and smells are never big hits at a pot luck supper. They are less popular in IT. They never work in business.

Rule number ten: Make it easier to get permission than forgiveness. Then, show no mercy.

§ Factor protection of intellectual capital in the design and creation of content, approval and process.

§ The construction of configuration and information based in correct business logic and standards shouldn't feel like secret sauce or be too complicated to simply explain.

§ Business rules make sense to the business.

§ Data Validation makes sense to data entry.

§ Without their visibility to the construction of an answer, we live at the mercy of people who were never able to accurately represent the problem.

§ Strive to make “easier to beg forgiveness than get permission” thinking both moot and obsolete.
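Rules two and eight above (decouple normalized data from stored data; once a part of the configuration is defined, record only the unique variance and limit acceptable variance) can be shown as a small data model. The following Python is an added example, not the author's repository or any tool named on this page: it assumes a constructed baseline of control settings, stores each system only as its deviation from that baseline, reconstructs the effective configuration on lookup, and flags deviations that fall outside an acceptable-variance rule. All attribute names, limits and host names are constructed for illustration.

```python
"""Baseline-plus-variance configuration model (added example, not from the page).

Each system record stores only the attributes in which it deviates from a
shared baseline ("only record the variance from the norm").  The acceptable
variance per attribute is one business rule kept beside the baseline, so
compliance is decided from the stored variance alone rather than by reading
every system's full configuration.  Every name and value here is constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Callable

# Constructed baseline: the norm every system inherits unless it records a variance.
BASELINE: dict[str, Any] = {
    "password.min_length": 14,
    "password.max_age_days": 90,
    "log.retention_days": 365,
    "log.forward_to_siem": True,
    "admin.mfa_required": True,
}

# Acceptable variance per attribute (constructed).  A value outside its rule is a finding.
LIMITS: dict[str, Callable[[Any], bool]] = {
    "password.min_length": lambda v: v >= 12,
    "password.max_age_days": lambda v: 30 <= v <= 180,
    "log.retention_days": lambda v: v >= 90,
    "log.forward_to_siem": lambda v: v is True,
    "admin.mfa_required": lambda v: v is True,
}


@dataclass
class SystemRecord:
    """A system is described only by its variance from BASELINE."""
    name: str
    variance: dict[str, Any] = field(default_factory=dict)


def record_variance(name: str, observed: dict[str, Any],
                    baseline: dict[str, Any] = BASELINE) -> SystemRecord:
    """Keep only the attributes in which `observed` differs from the baseline.

    Attributes the baseline does not define are rejected at entry: with no
    baseline value there is no variance to record and no acceptance rule to
    apply, so silently storing them would extend the schema by accident.
    """
    unknown = set(observed) - set(baseline)
    if unknown:
        raise ValueError(f"{name}: attributes not defined by baseline: {sorted(unknown)}")
    variance = {key: val for key, val in observed.items() if val != baseline[key]}
    return SystemRecord(name, variance)


def effective_config(record: SystemRecord,
                     baseline: dict[str, Any] = BASELINE) -> dict[str, Any]:
    """Lookup rule: the full configuration is the baseline overlaid with the variance."""
    return {**baseline, **record.variance}


def check_variance(record: SystemRecord,
                   limits: dict[str, Callable[[Any], bool]] = LIMITS) -> list[tuple[str, Any]]:
    """Return (attribute, value) pairs whose recorded variance breaks its acceptance rule."""
    return [(key, val) for key, val in sorted(record.variance.items()) if not limits[key](val)]


def variance_report(records: list[SystemRecord]) -> dict[str, list[tuple[str, Any]]]:
    """Map each system name to its out-of-limit variances (empty list means compliant)."""
    return {rec.name: check_variance(rec) for rec in records}


# Constructed sample observations for three hypothetical hosts.
SAMPLE_OBSERVATIONS: dict[str, dict[str, Any]] = {
    "web-01": {"password.min_length": 16, "password.max_age_days": 90,
               "log.retention_days": 365, "log.forward_to_siem": True,
               "admin.mfa_required": True},
    "legacy-db": {"password.min_length": 8, "password.max_age_days": 90,
                  "log.retention_days": 365, "log.forward_to_siem": False,
                  "admin.mfa_required": True},
    "kiosk": {"password.min_length": 14, "password.max_age_days": 60,
              "log.retention_days": 120, "log.forward_to_siem": True,
              "admin.mfa_required": True},
}


def build_records() -> list[SystemRecord]:
    """Turn the sample observations into variance-only records."""
    return [record_variance(name, obs) for name, obs in SAMPLE_OBSERVATIONS.items()]


if __name__ == "__main__":
    for rec in build_records():
        print(f"{rec.name}: stores {len(rec.variance)} attribute(s) {rec.variance}")
        print(f"  effective: {effective_config(rec)}")
        print(f"  findings:  {check_variance(rec) or 'none'}")
```

The stored record for each host is a few keys rather than the whole configuration, and a change to the baseline (say, raising the minimum password length) is picked up by every host that never recorded a variance for that attribute, which is the "only handle it once" property the rules ask for.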

Conclusion: Tell everyone “Who, what, where, when and why”, or as the army has long understood, “the commander’s intent.” Focus on outcome, and be open to variation in the path that gets us there. Intended outcome, the representation of the problem, is more important than the instruction for its solution.

An accurate problem is more powerful than the implementation details. Frameworks and standards are about methodology. They are not, in and of themselves, the solution. In fact, they aren’t even the problem.

When we add minds to a project, it tends to extend time to finish and often results in failure. I think I know the reason why. We spend too much time instructing and not enough time sharing commander’s intent. We spend almost no time at all asking, “is this the right problem?”

This is why we can’t go through life as sheep. Sheep can’t ask if we are solving the right problem. They are not aware of the problem. We can’t live life as dogs. Dogs bark the instructions and bite those who appear to step out of line. Loyal as they may be, they also lack capacity to ask if we are solving the right problem. Wolves are great problem solvers, but they may not share the answer, and they certainly are not concerned with issues affecting packs beyond their kin. Eagles see our landscape. Most of us lack the courage to open our minds, hearts and eyes to even a small portion of what Eagles perceive. We need our Humans, our leaders. We need to hear the problem and believe in our ability to contribute.

How many times have we accurately and flawlessly solved the wrong problem? We never know what others will bring to the solution, but one thing is sure: if any single approach was working, we would not need everyone else to solve the problem. Share the problem, share the wisdom, and believe in the brilliance of others.

Appendix A: Database and Ontology

Database: This data repository houses a collection of resources for Information Auditors. The list of “What I need to know” is validated by cross referencing bibliographies in significant works, peer review and lists supplied by accredited organizations. Organizing, researching, de-duplicating and summarizing are a continuous process. Most text is verbatim summary of how each work or organization represents itself, with small areas of summary reflecting a small amount of compiled consensus and review. Resources using white papers to primarily sell product, as well as papers lacking accredited review teams, are generally removed from the list. While often very well written, the works lack backing from organizations authorized to approve and release such works.

Note that sites such as IIA, ISACA, AICPA and BSA list and sell resources such as books, training, journals and standards. Retail materials provide necessary revenue to those organizations. I have been careful to avoid using the list as an advertisement billboard. As with any profession, audit guidelines, accredited standards and training materials are generally under copyright and require purchase. Where an item is necessary to professional practice, the location listed for purchase is limited to sites operated by standards and accreditation bodies such as CASCO, ISO, IEC, ANSI, ISACA, IIA and AICPA.

Each reference includes links to additional source data, validated web references that avoid advertisement or marketing bias. The format is created as a means to quickly capture related lists of important and relevant source data. Each item was reviewed for the laws it enforced and aligned with, applicability and use as defined by the author or as commonly understood in the field.

Considerations for database inclusion:

Who needs to know this?

Is it current? The nature of print is instant obsolescence.

Is it mandated by law? Is it also mandated by other laws?

Is it mandated by any Government or Industry?

Is this a Sunset Law or has it been repealed?

If a standard, do other standards handle this in a better or simpler way?

Is it almost the same as something else, or is it the same content with varied codification, for example the BSI code of an ISO/IEC standard, or U.S.C. as codified by law?

Is there a conformity assessment body associated to the standard?

Is there higher authority to address this policy, standard, framework or legislation?

Are there accredited free or low cost implementation tools, and government supported bodies maintaining the standard?

Who are the current experts? Are they cited as reference? Does this violate a copyright?

In short, the criteria considered are: Organization Charter, Authority, Conformity, Relevance to IT Audit, Manner of staying Current, Use of Advertising or Self Interest, Regulations, Laws, Standards, Directives, Frameworks, Certifications, Conformity Assessment Bodies, Significant Works, Sponsoring Committee and Authors and Reviewers, Supporting Data, Audience, Adoption and Repeal, Superseding standards or frameworks.


And: Are the authors mostly dog, eagle or wolf? Is the work endorsed by Humans?

[ERD and Class diagram]

Repository Organization:

[Table and data definition removed to protect copyright on work in development with OASIS, ISACA and IIA. Materials as developed will be shared through all organizations and linked here.]

Snapshot Source Document Database establishing relationships and applicability of critical organizations, regulations, and standards products:


Appendix B: Must Read's™ “Security and Risk Management”

The list of readings for security was superseded by the products of ISACA under Harmonization and Standards alignment. In my own defense, the list below existed before I read the CISM and harmonization efforts. I was simply relieved to discover my “must reads” were on target from the perspectives as published by IIA, AICPA and ISACA.

Title (s) Used to Copyright

Cost

Supporting Frameworks and Standards

NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems,

As implemented with 53, 53a, and FIPS 199, 200, 201

In conjunction with NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems

Gary Stoneburner, from NIST and Alice Goguen and Alexis Feringa,

Written to comply with OMB Circular A-130, Management of Federal Information Resources, and Public Law 104-13 a.k.a. Paperwork Reduction Act of 1995 165 .

BS ISO/IEC 27001:2005 (BS 7799-2:2005)

Copyright BSI; cost is listed in Swiss francs. Uses previous contributions made by

Intended for use in Federal and internationally regulated industry, used for Conformity Assessment

Corporate Information Security Working Group: Report of the Best Practices and Metrics Teams

Public Domain also ISG Tool.

Intended for any United States Public or Private Security Organization

Governing for Enterprise Security Networked Systems Survivability Program

Public Domain Intended for any United States Public or Private Security Organization, Julia Allen, 2005

OCTAVE Information Security Risk Evaluation

Produced by Defense Advanced Research Projects Agency (DARPA); contributions by Christopher Alberts, Audree Dorofee, James Stevens and Carol Woody

Intended for any United States Public or Private Security Organization


COBIT®: Security Baseline: An Information Security Survival Kit

Public Domain (requires login as ISACA member, but the login cost is supported as “required” by anyone in IT systems audit.)

Intended for any United States Public or Private Security Organization

FFIEC Information Technology Examination Handbook

Federally regulated: Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS)

Public Domain

Global Technology Audit Guide (GTAG) Information Technology Controls (Change and Patch Management)

Enterprise Risk Management - Integrated Framework

COSO (must be purchased)

ISO/IEC 15408 International Standard; Common Criteria for Information Technology Security Evaluations

CEM: Evaluation Methodology cem V3.0.pdf

CC Part 1: Introduction and general model ccpart1 V3.0.pdf

CC Part 2: Security functional components ccpart2 V3.0.pdf

CC Part 3: Security assurance components ccpart3 V3.0.pdf


Bibliography

This bibliography includes references whose source is not previously cited within the document text. Also included are references to influential people and other documents related to the subject area.

Berinato, Scott, Darwin Magazine, http://www.darwinmag.com/read/0502/apples.html.

BSI, British Standards Institute, "BS ISO/IEC 17799:2005", in British Standard ISO/IEC 27001:2005, London, United Kingdom: The Stationery Office, 2005.

Clark, James Bryce (jamie.clark@oasis-open.org), Shearman & Sterling, New York, http://www.oasis-open.org/who/tab.php#jclark.

Deming, Edwards (1986), "14 Points for Management", in Out of Crisis, 1986, Cambridge: The MIT Press, http://www.deming.org/resources/books.html.

EDUCAUSE & Internet2, Computer and Network Security Task Force, EDUCAUSE/Internet2 Computer and Network Security Task Force.

Governance Assessment Tool for Higher Education, http://www.educause.edu/ir/library/pdf/SEC0421.pdf.

FASP, Federal Agency Security Practices, "STIGs, Security Technical Implementation Guides", http://csrc.nist.gov/pcig/cig.html.

FERF, Financial Executives Research Foundation, http://www.fei.org/rf/.

FIPS, Federal Information Processing Standards Publication, http://www.itl.nist.gov/fipspubs/.

Frye, Emily, “Cybersecurity and Corporate Governance Now: Does It Take Liability to Get Attention?”, in American Bar Association, Section Of Science & Technology Law, Chicago 2005, http://www.documation.com/aba/pdfs/004.pdf.

GAAP, Generally Accepted Accounting Principles, http://www.fasab.gov/accepted.html.

GAP, Government Accountability Project, http://www.whistleblower.org/template/index.cfm.

Gibaldi, Joseph (2003), MLA Handbook for Writers of Research Papers, 6th Edition, http://www.mla.org/handbook.

Gruber, Tom, What is an Ontology?, KSL, Knowledge Systems, AI Laboratory, Stanford University, http://www-ksl.stanford.edu/kst/what-is-an-ontology.html.

McNamara, Robert S. and Morris, Errol, The Fog of War: Eleven Lessons from the Life of Robert S. McNamara, December 2003.

NHGRI, National Human Genome Research Institute, http://www.genome.gov/.

NSSN, National Standards Systems Network, "STAR, Standards Tracking and Automated Reporting, Services", http://www.nssn.org/star_intro.html.

OntoWeb Project, OntoWeb Working Group on Process Standards, http://www.aiai.ed.ac.uk/project/ontoweb/. Amy Knutilla, Craig Schlenoff, Steven Ray, Stephen T. Polyak, Austin Tate, Shu Chiun Cheah and Richard C. Anderson: "Process Specification Language: An Analysis of Existing Representations," NISTIR 6160, National Institute of Standards and Technology, Gaithersburg, MD, 1998.

PricewaterhouseCoopers on behalf of COSO, COSO, Enterprise Risk Management - Integrated Framework, AICPA, Volume 2, https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+-+Integrated+Framework.htm, & COSO (2005), Internal Control - Integrated Framework, Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting, AICPA, Exposure Draft, http://155.201.80.182/Coso/coserm.nsf/vwResources/PDF_IC/$FILE/COSO_FINAL_Draft_IC_Guidance.pdf.


PricewaterhouseCoopers, Integrity Driven Performance - White Paper, © Copyright 2004 PricewaterhouseCoopers, Page 34.

Ross, Dr. Ron and NIST, Protecting Federal Information Systems and Networks, A Standards-based Security Certification Program for Operational Environments, http://cio.doe.gov/Conferences/Security/Presentations/RossRNIST.pps.

Skadden Biography, Michael S. Hines, http://www.skadden.com/index.cfm?contentID=45&bioID=2732.

Smith, Lawrence W., "The FASB’s Efforts Toward Simplification", in The FASB Report, February 28, 2005, http://www.fasb.org/articles&reports/fasb_efforts_toward_simplification_tfr_feb_2005.pdf.

Spafford Jr., George, Spafford Global Consulting, Inc., Saint Joseph, MI, http://www.spaffordconsulting.com.

Swanson, Dan and Seccuris Inc., Security Benchmark, http://www.securitybenchmark.com.

TQM, Total Quality Management, http://www.managementhelp.org/quality/tqm/tqm.htm.

U.S. Department of Labor, Bureau of Labor Statistics, Occupational Employment and Wages, November 2004, http://www.bls.gov/oes/current/oes132011.htm.

U.S. Navy, Benefits, "Increasing Contractor Commitment", http://www.ar.navy.mil/aosfiles/tools/turbo/topics/cj.cfm.

United States Congress & Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census (2004). Oversight Hearing Statement by Adam Putnam, Chairman, Identity Theft: The Causes, Costs, Consequences, and Potential Solutions. http://www.reform.house.gov/UploadedFiles/Final%20Press%20Opening%20Statement%202.pdf, p. 5.

United States Congress, "DMCA", "Digital Millennium Copyright Act", in Public Law 105-304, H.R. 2281, S. 2037, & Congressional Record Vol. 144 (1998), Washington: U.S. Government Printing Office, 112 Stat. 2860 & 2905.

VISA International Service Association, Security Programs, http://corporate.visa.com/st/programs.jsp.

Walsh, Norman and Muellner, Leonard, DocBook: The Definitive Guide, O'Reilly & Associates, Inc, Version 1.0.2 (1999), http://www.oreilly.com/catalog/docbook/chapter/book/docbook.html.


Endnotes

1 United States Congress, Sarbanes-Oxley Act of 2002, 15 U.S.C. §7201 (2002), "Sarbanes-Oxley Act of 2002", "SOX", in Public Law 107-204, H.R. 3763, S. 2673, & Congressional Record Vol. 148 (2002), Washington: U.S. Government Printing Office, 116 STAT. 745-810.

2 COBIT®. Retrieved December 1, 2005 http://www.isaca.org/Template.cfm?Section=CobiT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981.

3 COSO, Committee of Sponsoring Organizations of the Treadway Commission. Retrieved December 1, 2005 http://www.coso.org/.

4 ITIL®, Information Technology Infrastructure Library. Retrieved December 1, 2005 http://www.ogc.gov.uk/index.asp?id=2261.

5 BSI, British Standards Institute, "BS ISO/IEC 17799:2005", in British Standard ISO/IEC 27001:2005, London, United Kingdom: The Stationery Office, 2005.

6 ISACA, Information Systems Audit and Control Association. Retrieved December 1, 2005 http://www.isaca.org/.

7 OGC, Office of Government Commerce, "ICT Infrastructure Management", in ITIL® Series, London, United Kingdom: The Stationery Office, 2002.

8 Edgar Allan Poe, Tell-Tale Heart, USA: BookSurge Classics, Philadelphia: J. B. Lippincott Co., 1895.

9 George Lucas, Star Wars, Episode IV, A New Hope, USA Box Office: Lucas Films Ltd., 1977.

10 Andy Wachowski & Larry Wachowski, The Matrix, USA Box Office: Groucho II Film Partnership, Silver Pictures, & Village Roadshow Pictures, 1999. Note: Scene with Laurence Fishburne training Keanu Reeves in martial arts.

11 NIST, National Institute of Standards and Technology. FIPS, Federal Information Processing Standards Publication. Retrieved December 1, 2005 from http://www.itl.nist.gov/fipspubs/.

12 United States Congress, "FISMA", "Federal Information Security Management Act of 2002", in Public Law 107-347, H. R. 2458-48, Title III, Washington: U.S. Government Printing Office, SEC 301-305.

13 U.S. Department of Homeland Security. FEMA, Federal Emergency Management Agency. Retrieved December 1, 2005 from http://www.fema.gov/.

14 GAO Accounting and Information Division. FISCAM, Federal Information System Controls Audit Manual Volume I: Financial Statement Audits, Washington: Government Accountability Office, 1999. Retrieved December 1, 2005 from http://www.gao.gov/special.pubs/ai12.19.6.pdf.

15 George Orwell, Animal Farm, New York: New American Library, 1956. Note: Orwell's book title did not inspire "Compliance Farm™". Any similarity is coincidental and unintentional. I assure you I only read the Cliff Notes®.

16 Robin Basham, “Fish", "Sheep", "Snake", "Dog", "Wolf", "Eagle”, in Compliance Farm™, 2005. Note: Inspired by and with thanks to A.J. Jacobs, Fractured Fairy Tales (1997) & Warner Brothers', Looney Tunes (1961), amended by various mental pop ups, most recently 2005.

17 K-NET. Retrieved December 1, 2005 http://www.isaca.org/knet. Note: K-NET is provided by ISACA as a professional resource and describes it as "a global knowledge network for IT Governance, Control and Assurance" and “K-NET contains over 5,200 peer-reviewed web site resources pertaining to knowledge covering IT Governance, Assurance, Security and Control. Full access to K-NET is reserved for association members. In addition, a personalized tracking feature […]. Reference items are organized into logical categories of interest and concern".


18 Dan Swanson & Michael Legary (2005). Security Benchmark. Retrieved December 1, 2005 from http://www.securitybenchmark.com. Note: Dan Swanson and Michael Legary's list of Information Security Organizations is recently listed among the top 5 security resources worldwide.

19 CERT/CC, Computer Emergency Readiness Team/Coordination Center. Retrieved December 1, 2005 http://www.cert.org/. Note: CERT Coordination Center resources are coordinated by Carnegie Mellon University and the Software Engineering Institute.

20 IIA, The Institute of Internal Auditors. Retrieved December 1, 2005 http://www.theiia.org.

21 ISACA, ISACA Downloads. Retrieved December 1, 2005 from http://www.isaca.org. Note: Most downloads require ISACA membership.

22 ITGI & OGC (2005). Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit. Retrieved December 1, 2005 from http://www.isaca.org/.

23 ISO, International Organization for Standards. Retrieved December 1, 2005 http://www.iso.org.

24 IEC, International Electrotechnical Commission. Retrieved December 1, 2005 http://www.iec.ch/.

25 COBIT®, COBIT®: Project. Retrieved December 1, 2005 from http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/CobiT6/Project1/CobiT_Project.htm. Note: COBIT® has recently released Edition 4.0.

26 ITGI, IT Governance Institute. Retrieved December 1, 2005 http://www.itgi.org. Note: ITGI describes itself as "The IT Governance Institute (ITGI) exists to assist enterprise leaders in their responsibility to ensure that IT is aligned with the business and delivers value, its performance is measured, its resources properly allocated and its risks mitigated." and "[ITGI] is a not-for-profit research organization affiliated with the Information Systems Audit and Control Association® (ISACA®), a global not-for-profit professional membership organization focused on IT Governance, assurance and security, with more than 47,000 members in more than 140 countries. ITGI undertakes research and publishes COBIT®, an open standard and framework of controls and best practice for IT governance."

27 OGC, Office of Government Commerce. Retrieved December 1, 2005 http://www.ogc.gov.uk. Note: As explained by the OGC as "[…] a UK government organization responsible for procurement and efficiency improvements in the UK public sector. OGC has produced world-class best practice guidance, including PRINCE (project management), MSP (Managing Successful Programs) and ITIL® (IT service management). ITIL® is used throughout the world and is aligned with the ISO/IEC 20000 international standard in service management."

28 Everett C. Johnson, ITGI's International President. Named one of the top 100 most influential accountants in America, he additionally served on the American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and currently chairs the AICPA Privacy Task Force. He has served as chairman for the International Federation of Accountants (IFAC) Information Technology Committee and the AICPA Information Technology Research Subcommittee. Johnson has more than 40 years of experience in IS audit, control and security. He most recently was a partner at Deloitte & Touche, where he served as the Latin American regional director of the company’s enterprise risk services line and the US national and global leader for the computer assurance services practice.

29 Staff Liaison: Thomas Lamm, Director of Research, Standards, and Academic Relations ([email protected]) is the primary organizer and facilitator for the Standards Board charged with definition and development of IS auditing standards and their associated interpretations and guidelines. The current product for this organization is found at http://www.isaca.org representing IS standards for IT Audit. This committee seeks ways to further disseminate ISACA's standards and guidelines through strategic alliances with other organizations. The IIA has adopted several ISACA guidelines as practice advisories.

30 GAAP, Generally Accepted Accounting Principles. Retrieved December 1, 2005 http://www.fasab.gov/accepted.html.


31 David Richards, President of IIA, is described in public forum by IIA Chairman Bob McDonald, CIA, CGAP, as a leader who can build consensus on difficult issues such as globalization and strategic planning.

32 The Institute of Internal Auditors. GTAG, Global Technology Audit Guide. Retrieved December 1, 2005 from http://www.theiia.org/index.cfm?doc_id=4706.

33 GTAG, ibid., Guide 1: Information Technology Controls. Retrieved December 1, 2005 from http://www.theiia.org/index.cfm?doc_id=5166.

34 John Wiley & Sons, Inc. Cliff Notes, CliffNotes®. Retrieved December 1, 2005 from http://www.cliffsnotes.com/WileyCDA/Section/id-106262.html. Note: CliffNote, without a space, is the registered trade mark for the study aids which are commonly referred to as Cliff Notes, with a space.

35 AICPA, American Institute of Certified Public Accountants. Retrieved December 1, 2005 http://www.aicpa.org/index.htm.

36 CIS, Center for Internet Security. Retrieved December 1, 2005 http://www.cisecurity.org/. Note: CIS provides Benchmarks and Scoring Tools, free of charge.

37 CMU/SEI, Carnegie Mellon University/Software Engineering Institute. Retrieved December 1, 2005 http://www.sei.cmu.edu/.

38 ISSA, Information Systems Security Association. Retrieved December 1, 2005 http://www.issa.org/.

39 NACD, National Association of Corporate Directors. Retrieved December 1, 2005 http://www.nacdonline.org/.

40 SANS Institute, SysAdmin Audit Network Security Institute. Retrieved December 1, 2005 http://www.sans.org/aboutsans.php.

41 COBIT®, COBIT® Online. Retrieved December 1, 2005 from http://www.isaca.org.

42 Note: Town zoning committee warned me. The additional 63 meters of paper puts Mount Must Read™ in a new category of land mass. I continue to argue the definition of hill vs. mountain based in geological definition; “Hill: A natural land elevation, usually less than 1000 feet above its surroundings, with a rounded outline. The distinction between hill and mountain depends on the locality.” My view is, if its base is in my office I can call it a hill.

43 TQM, Total Quality Management. Retrieved December 1, 2005 http://www.managementhelp.org/quality/tqm/tqm.htm.

44 United States Congress, "HIPAA", "Health Insurance Portability and Accountability Act of 1996", in Public Law 104-191, H.R. 3103, S. 1028, S. 1698, & Congressional Record Vol. 142 (1996), 110 STAT. 1936-2103.

45 United States Congress, "GLBA", "Gramm–Leach–Bliley Act", in Public Law 106-102, H.R. 10, S. 900, & Congressional Record Vol. 145 (1999), Washington: U.S. Government Printing Office, 113 STAT. 1340-1481.

46 GAP, Government Accountability Project. Retrieved December 1, 2005 http://www.whistleblower.org/template/index.cfm.

47 United States Congress, "SOX", in Public Law 107-204, loc.cit.

48 United States Congress, "GLBA", in Public Law 106-102, loc.cit.

49 United States Congress, "HIPAA", in Public Law 104-191, loc.cit.

50 United States Congress, "Securities Exchange Act of 1934", in 15 U.S.C. § 78, Title I - Regulation of Securities Exchanges, 1934, SEC 1-36.

51 United States Congress, "FOIA", "Freedom of Information Act", in P.L. 104-231, FOIA Update Vol. XVII, No. 4, 1996, 110 STAT. 3048.


52 NIST, National Institute of Standards and Technology. Retrieved December 1, 2005 http://www.nist.gov/. Note: “The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets; but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), “Securing Agency Information Systems,” as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.”

53 European Parliament & The Council Of The European Union, "EUDPD", "EU Data Protection Directive", in Directive 95/46/EC, No L. 281 (1995), Luxembourg, Official Journal of the European Communities, p. 31. & Senate and House of Commons of Canada, Department of Justice Canada, "PIPEDA", "Personal Information Protection and Electronic Documents Act", in Bill C-54, 2000, c. 5. Note: EUDPD and PIPEDA will absolutely have impact in the way most publicly owned and operated companies conduct their business. I simply narrowed these two items and the laws of WTO so I could create a consumable list.

54 ECS, Education Commission of the States (2002). Citizenship Education Inclusion in Assessment and Accountability Systems. Retrieved December 1, 2005 from http://mb2.ecs.org/reports/Report.aspx?id=107.

55 United States House of Representatives, Parliamentarian, Mr. Ney, & Charles W. Johnson. How Our Laws Are Made. Retrieved December 1, 2005 from http://thomas.loc.gov/home/lawsmade.toc.html.

56 College of Liberal Arts. Think Tanks & Research Institutes. Retrieved December 1, 2005 from http://www.libarts.ucok.edu/political/links/think.htm.

57 SIL International. Think Tanks. Retrieved December 1, 2005 from http://www.sil.org/sildc/ThinkTanks_DC.htm.

58 United States Think Tank List. Earth's Common Sense Think Tank. Retrieved December 1, 2005 from http://www.venusproject.com/ecs/world_news/think_tank_list.html.

59 National Council for Science and the Environment. Congressional Research Service Reports. Retrieved December 1, 2005 from http://www.ncseonline.org/NLE/CRS/.

60 NHGRI, National Human Genome Research Institute. Retrieved December 1, 2005 http://www.genome.gov/. Note: NHGRI provides a legal glossary including “Codification”, defined as “laws or regulations that are codified are general and permanent laws or regulations that are arranged in subject-matter order by title or other major subdivision and section (as opposed to session laws, which are generally presented in chronological order). The text of the original law or regulation is collated with any subsequent amendments (additions to or deletions from the language of the original law or regulation), so as to provide the most up-to-date text of the law or regulation. Most bills or session laws indicate (either in the text or the margin) the title (or other major subdivision) and section number of the U.S. Code or the state code in which the law will appear.”

61 United States Congress, "Circular 92", "Copyright Law of the United States of America and Related Laws Contained in Title 17 of the United States Code", in United States Code, Title 17 (1976), Washington, U.S. Government Printing Office, Chapters 1-8 & 10-12.

62 GPO, Government Printing Office. Retrieved December 1, 2005 http://www.gpoaccess.gov/index.html.

63 United States Congress. "DMCA", "Digital Millennium Copyright Act", in Public Law 105-304, H.R. 2281, S. 2037, & Congressional Record Vol. 144 (1998), Washington: U.S. Government Printing Office, 112 Stat. 2860 & 2905. Note: Review of the DMCA reveals in contribution the name of Mike S. Hines, who is frequently in discussion on various ISACA and CMU sanctioned list services. Mike contributes to the Information Security Management group, under ISACA sponsor, mailto:info-sec-[email protected]. Recommendation: send email with the word “join” in the subject and no other text to info-sec-[email protected]. Here is a chance to speak with a few Eagles.

64 United States Congress. "Computer Fraud and Abuse Act", in 18 U.S.C. § 1030, 1986. Retrieved December 1, 2005 from http://cio.doe.gov/Documents/CFA.HTM.

65 U.S. House of Representatives. Download United States Code. Retrieved December 1, 2005 from http://uscode.house.gov/download/download.shtml.

66 The Library of Congress. Thomas. Retrieved December 1, 2005 from http://thomas.loc.gov/.

67 ISACAF, Information Systems Audit and Control Foundation (2002). Electronic and Digital Signatures - A Global Status Report. Retrieved December 1, 2005 from http://www.isaca.org/Content/ContentGroups/Bookstore6/Intros_and_Summaries/Electronic_and_Digital_Signatures__A_Global_Status_Report____Executive_Introduction.htm. Note: ISACA membership may be required to review this report.

68 FFIEC, Federal Financial Institutions Examination Council. Retrieved November 1, 2005 http://www.ffiec.gov/.

69 NIST, loc.cit.

70 AICPA, loc.cit.

71 COSO, loc.cit.

72 NARA, National Archives and Records Administration. Retrieved December 1, 2005 http://www.archives.gov/.

73 GAO, Government Accountability Office. Retrieved December 1, 2005 http://www.gao.gov/.

74 George Spafford Jr., President, Spafford Global Consulting, Inc. Note: George Spafford Jr. provides substantial direction in current information affecting IT audit and information systems law. Spafford Global Consulting, Inc., 3353 Celina Avenue, Saint Joseph, MI 49085 USA. [email protected], http://www.spaffordconsulting.com.

75 Dan Swanson, Security Benchmark. Note: Dan Swanson’s SEC daily email has over 6000 reading members. He provides summaries and reminders regarding our profession’s most substantial contributions, and includes many pointers to public companies and products supporting audit and legal requirements. To become a member of this mailing list, email [email protected].

76 James Bryce Clark (jamie.clark@oasis-open.org), Director of Standards Development for OASIS, is responsible for managing the consortium's industry standards efforts. He is an e-commerce and information technology attorney who began his practice as a financing and corporate restructuring lawyer with Shearman & Sterling at 53 Wall Street in New York. He represented high technology companies in their banking, trade finance, acquisitions and securities transactions throughout the 1990s, and served two terms as chairman of the American Bar Association's business law subcommittee on electronic commerce. While a practicing attorney, he was a contributor to the original ebXML project (now ISO 15000), co-editor of its business process standards in 2001, and chairman of the ebXML Joint Coordinating Committee. Prior to joining OASIS, he was vice president and general counsel of a healthcare e-commerce company, and corporate partner in a Los Angeles law firm. He is a U.S. delegate to the e-commerce working group of the United Nations Commission on International Trade Law (UNCITRAL), and an expert adviser on automated contracting and Internet law for the U.S. State Department. He is a frequent speaker and author in e-commerce and information security law as well as complex finance transactions. Jamie holds JD and BSc degrees from the University of Minnesota, and is based in Los Angeles. He is joined at OASIS by an amazing set of peers. Read more at http://www.oasis-open.org/who/tab.php#jclark.

77 Participation in a TC, such as the OASIS DCML/Configuration and Standards, will expose any participant to more brilliant thinkers and areas of technology than previously thought possible. http://www.oasis-open.org/who/. Participation with the ISACA community offers witness to world leadership. The lists are available for IT and Audit professionals interested in Governance, COBIT®, Legal Issues in Audit, and IT Audit in general. The following links to join are all you need: join-SARBANES-[email protected], join-IT-[email protected], join-CobiT-[email protected], join-info-sec-[email protected].

78 Office of Management and Budget. "Circular No. A-130 Revised", in Transmittal Memorandum No. 4, Memorandum For Heads Of Executive Departments And Agencies. Retrieved December 1, 2005 from http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html.

79 Office of Management and Budget. "Circular No. A-119 Revised, Accompanying Federal Register Materials", in Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities. Retrieved December 1, 2005 from http://www.whitehouse.gov/omb/circulars/a119/a119.html.

80 United States Congress, "Cyber Security Research and Development Act", in Public Law 107-305, H.R. 3394, S. 2182, & Congressional Record Vol. 148 (2002), Washington: U.S. Government Printing Office, 116 STAT. 2367-2382. Retrieved December 1, 2005 from http://thomas.loc.gov/cgi-bin/bdquery/z?d107:H.R.3394:@@@L&summ2=m&. Note: Summary of impacts resulting from this law, as amended 10/16/2002, include reference to NIST including: “[…] Requires the NIST Director to develop CNS checklists for Federal Government computer hardware or software systems. (Sec. 9) Amends NISTA to authorize appropriations to enable the Computer System Security and Privacy Advisory Board to: (1) identify emerging issues related to computer security, privacy, and cryptography; (2) convene public meetings, and (3) publish and disseminate information. (Sec. 10) Requires NIST to carry out specified types of intramural computer security research. (Sec. 11) Authorizes appropriations to the Secretary of Commerce for NIST for: (1) the CNS research program; and (2) intramural computer security research. (Sec. 12) Requires the NIST Director to arrange with the National Research Council of the National Academy of Sciences to study and report to specified congressional committees on vulnerabilities of the Nation's network infrastructure and recommendations for improvements. (Sec. 13) Requires the NSF and NIST Directors to: (1) coordinate the research programs under this Act; and (2) work with the Director of the Office of Science and Technology Policy to ensure that programs under this Act are taken into account in any Government-wide cyber security research effort. […].”

81 NIST, op.cit.

82 FASP, Federal Agency Security Practices. STIGs, Security Technical Implementation Guides. Retrieved December 1, 2005 from http://csrc.nist.gov/pcig/cig.html.

83 CIS, Center for Internet Security. CIS Benchmarks/Scoring Tools. Retrieved December 1, 2005 from http://www.cisecurity.org/bench.html.

84 NIAC, National Infrastructure Advisory Council (February 2003). The National Strategy to Secure Cyberspace, Washington: Department of Homeland Security. Retrieved December 1, 2005 from http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf.

85 CISWG (2004). Corporate Information Security Working Group, Report of the Best Practices and Metrics Teams. Retrieved December 1, 2005 from http://www.educause.edu/ir/library/pdf/CSD3661.pdf.

86 Information Security Management References. Retrieved December 1, 2005 http://reform.house.gov/UploadedFiles/Best%20Practices%20Bibliography.pdf.

87 Emily Frye, “Cybersecurity and Corporate Governance Now: Does It Take Liability to Get Attention?”, in American Bar Association, Section Of Science & Technology Law, Chicago 2005. Retrieved December 1, 2005 from http://www.documation.com/aba/pdfs/004.pdf. Note: “[…] Adam Putnam (R-FL) circulated a draft of a bill he contemplated introducing in the House. Titled the Corporate Information Security Accountability Act (CISAA), it would have imposed information security audit reporting by all publicly traded companies. Adam Putnam, as Chair of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census (under the umbrella of the Committee on Government Reform), had become increasingly concerned about what he perceived to be apathy toward a cybersecurity crisis on the part of corporate America. Contemplation of a bill like CISAA set off an uproar among the private sector. Within weeks, almost every industry coalition that plays in this space was attacking the bill. On December 5, 2003, Adam Putnam convened the first meeting of a new coalition: The Corporate Information Security Working Group (CISWG). Putnam asked two questions: what's wrong with the draft of the bill? And – can you offer me a viable private-sector-led alternative to Congressional action?”.

88 United States Sentencing Commission (2003), Report to Congress: Increased Penalties for Cyber Security Offenses (As required by section 225(c) of the Homeland Security Act of 2002, Public Law 107-296). Retrieved December 1, 2005 from http://www.ussc.gov/r_congress/cybercrime503.pdf. Note: Report includes names Dan Swanson, Mike Hines.

89 GAO Accounting and Information Division (1999). FISCAM, Federal Information System Controls Audit Manual Volume I: Financial Statement Audits, Washington: Government Accountability Office. Retrieved December 1, 2005 from http://www.gao.gov/special.pubs/ai12.19.6.pdf.

90 CSRC CSD, Computer Security Resource Center's Computer Security Division. "With the passage of the Federal Information Security Management Act (FISMA) of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards (FIPS). The waiver provision had been included in the Computer Security Act of 1987; however, FISMA supersedes that Act. Therefore, the references to the "waiver process" contained in many of the FIPS listed below are no longer operative.

Note, however, that not all FIPS are mandatory; consult the applicability section of each FIPS for details. FIPS do not apply to national security systems (as defined in FISMA)". Retrieved December 1, 2005 from http://csrc.nist.gov/publications/fips/. 91 Dr. Ron Ross & NIST. Protecting Federal Information Systems and Networks, A Standards­based Security Certification Program for Operational Environments. Retrieved December 1, 2005 from http://cio.doe.gov/Conferences/Security/Presentations/RossRNIST.pps. 92 Dr. Ron Ross & The OWASP Foundation. Building More Secure Information Systems, A Strategy for Effectively Applying the Provisions of FISMA. Retrieved December 1, 2005 from http://csrc.nist.gov/organizations/fissea/conference/2005/presentations/Ross/Abstract­Ross.pdf. 93 Charles Darwin, The Origin of Species (1859), London: J. Murray. 94 ISO TC Portal. Standards Development Processes. Retrieved December 1, 2005 from http://isotc.iso.org/livelink/livelink/fetch/2000/2122/3146825/4229629/sds_base.htm. 95 Idem. 96 ISO & CASCO, ISO/IEC Guide 60:2004 Conformity Assessment ­­ Code of Good Practice, Geneva: ISO Store. Retrieved December 1, 2005 from http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=37035&ICS1=3&ICS2=12 0&ICS3=20&showrevision=y. 97 NSSN, National Standards Systems Network. STAR, Standards Tracking and Automated Reporting, Services. Retrieved December 1, 2005 from http://www.nssn.org/star_intro.html. 98 NISO, National Information Standards Organization. Retrieved December 1, 2005 http://www.niso.org/index.html. 99 NISO. About ISO Technical Information and Documentation Committee 46. Retrieved December 1, 2005 from http://www.niso.org/international/TC46/index.html. 100 ISO. General information on technical committees. Retrieved December 1, 2005 from http://www.iso.ch/iso/en/stdsdevelopment/tc/TC.html. 101 ISO. "Achieving Optimal Output", in ISO Annual Report 2004, 2004, Chapter 4. 
Retrieved December 1, 2005 from http://www.iso.ch/iso/en/aboutiso/annualreports/pdf/chapter4.pdf.

Page 71: The Perils of Mount Must Read

The Perils of Mount Must Read™

©Robin Basham Page 71 5/15/2006

102 ISO. The Agreement on technical cooperation between ISO and CEN (Vienna Agreement). Retrieved December 1, 2005 from http://isotc.iso.org/livelink/livelink.exe/fetch/2000/2122/3146825/4229629/4230450/4230458/customview.h tml?func=ll&objId=4230458&objAction=browse&sort=subtype. Note: This is summarized by ISO as follows: “The Agreement on technical cooperation between ISO and CEN (Vienna Agreement) is an agreement on technical cooperation between ISO and the European Committee for Standardization (CEN). Formally approved on 27 June 1991 in Vienna by the CEN Administrative Board following its approval by the ISO Executive Board at its meeting on 16 and 17 May 1991 in Geneva, it replaced the Agreement on exchange of technical information between ISO and CEN" (Lisbon Agreement) concluded in 1989. The 'codified' Vienna Agreement was approved by ISO Council and the CEN Administrative Board in 2001.” 103 United States Congress, "National Technology Transfer and Advancement Act of 1995'', in Public Law 104­113, H.R. 2196 & Congressional Record Vol. 141 (1995), Washington: U.S. Government Printing Office, 110 STAT. 775­784. 104 ANSI. U.S. National Conformity Assessment Principles. Retrieved December 1, 2005 from http://www.ansi.org/conformity_assessment/ncap.aspx?menuid=4. Note: "The National Conformity Assessment Principles for the United States articulates the principles for U.S. conformity assessment activities that the consumer, buyers, sellers, regulators and other interested parties should be aware of to have confidence in the processes of providing conformity assessment, while avoiding the creation of unnecessary barriers to trade. We base these principles on the conformity assessment language in the Agreement on Technical Barriers to Trade, one of the agreements within the World Trade Organization (WTO). [1] These principles supplement the language of the agreement to give national clarity and focus to conformity assessment in the United States. 
We intend the concise and clear presentation of these principles for the United States to promote national and international understanding and recognition of competently conducted U.S. conformity assessment processes resulting in increased acceptance of U.S. products. [2] Within national and international markets. National and international acceptance is vital to the continued economic health of the United States, as well as to the protection of human health, safety and the environment. Because standards underlie all conformity assessment activities, this document is intended to be a companion to the principles of the U.S. standards system as described in the 'National Standards Strategy for the United States.' These two sets of principles should be considered together in the evaluation of standards and conformity assessment activities and related issues". 105 ITTF, ISO/IEC Information Technology Task Force. Retrieved December 8, 2005 http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm. Note: ITTF maintains access to all freely available ISO standards, a list that grows daily, and on December 8, 2005 included 253 free ISO standards. 106 ITGI & OGC, Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit, op.cit.

David A. Richards, CIA, President, The IIA, Alan S. Oliphant, MIIA, QiCA, MAIR International, and Charles H. Le Grand, CIA, CHL Global are listed as primary writers for GTAG; Global Technology Audit Guide; Information Technology Controls. Notable contributions by Corporations include Tripwire, ACL, and BindView, Note: Michael S. Hines, CIA, Purdue University, Julia H Allen, CMU/SEI Carnegie­Mellon University/Software Engineering Institute, Gene Kim, CTO, Tripwire Inc., USA, George Spafford Jr., President, Spafford Global Consulting, and Dan Swanson, CIA, IIA are again in the mix of contributors, innovators, Eagles and Humans. 107 Euclid of Alexandria is the “most prominent mathematician of antiquity” as explained by http://www­ groups.dcs.st­and.ac.uk/~history/Mathematicians/Euclid.html. He is only mentioned for having been named on the cover of most High School Algebra One text books. 108 Lawrence W. Smith, "The FASB’s Efforts Toward Simplification", in The FASB Report, February 28, 2005. Retrieved December 1, 2005 from http://www.fasb.org/articles&reports/fasb_efforts_toward_simplification_tfr_feb_2005.pdf. Note: This

Page 72: The Perils of Mount Must Read

The Perils of Mount Must Read™

©Robin Basham Page 72 5/15/2006

article summarizing Bob Herz, FASB chairman of Financial Accounting Standards Board to show the complexity of GAAP as it relates to application of consistent standards and codification in the current 180 of US GAAP articles within U.S. Code. 109 VISA International Service Association. Security Programs. Retrieved December 1, 2005 from http://corporate.visa.com/st/programs.jsp. Note: “Visa has collaborated with other payment card companies to create a single set of worldwide requirements, called the Payment Card Industry (PCI) Data Security Standard, for consumer data protection across the entire industry. The PCI Data Security Standard aligns Visa's Account Information Security (AIS) program, also known as Cardholder Information Security Program (CISP) in the U.S., and MasterCards' Site Data Protection (SDP) program, streamlining requirements, compliance criteria and validation processes. It also addresses merchants' and acquirers' concerns about having to meet more than one set of standards to accomplish a single goal.” © Copyright 1996­2005, Visa International Service Association. 110 ISO. Standards and/or guides of TC 68/SC 2. Retrieved December 1, 2005 from http://www.iso.org/iso/en/stdsdevelopment/tc/tclist/TechnicalCommitteeStandardsListPage. TechnicalCommitteeStandardsList?COMMID=2193. Note: Standards in the last three years, by the Security management and general banking operations, are listed here as:

ISO 8732:1988/Cor 1:1999

ISO 9564-2:2005 Banking -- Personal Identification Number management and security -- Part 2: Approved algorithms for PIN encipherment

ISO 9564-3:2003 Banking -- Personal Identification Number management and security -- Part 3: Requirements for offline PIN handling in ATM and POS systems

ISO/TR 9564-4:2004 Banking -- Personal Identification Number (PIN) management and security -- Part 4: Guidelines for PIN handling in open networks

ISO 11568-1:2005 Banking -- Key management (retail) -- Part 1: Principles

ISO 11568-2:2005 Banking -- Key management (retail) -- Part 2: Symmetric ciphers, their key requirements and evaluation methods

ISO 13491-2:2005 Banking -- Secure cryptographic devices (retail) -- Part 2: Security compliance checklists for devices used in financial transactions

ISO 15782-1:2003 Certificate management for financial services -- Part 1: Public key certificates

ISO 16609:2004 Banking -- Requirements for message authentication using symmetric techniques

ISO/TR 17944:2002 Banking -- Security and other financial services -- Framework for security in financial systems

ISO/TR 19038:2005 Banking and related financial services -- Triple DEA -- Modes of operation: Implementation guidelines.

111 Skadden Biography. Michael S. Hines. Retrieved December 1, 2005 from http://www.skadden.com/index.cfm?contentID=45&bioID=2732. Note: Michael S. Hines has dedicated himself to the distribution of accurate, timely security information, making about as much as anyone could from a career in Systems Administration at Purdue University (West Lafayette, IN). It seems hard to believe that, with all he writes, he spends his own share of time putting out fires, just like the rest of us. It was a post by Mike that led me to the Common Criteria project, http://archives.neohapsis.com/archives/win2ksecadvice/1999-q4/0188.html, tipping off his peer group to the Commercial Product Evaluations Main Page as early as 1999! Perhaps this is why Purdue's infrastructure systems administrator, entrusted with their entire IT Infrastructure, was named president of the Central Indiana Information Systems and Control Association, an organization with more than 35,000 members. Watching Mike makes me feel like a potato!

112 United States Congress & Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census (2004). Oversight Hearing Statement by Adam Putnam, Chairman, Identity Theft: The Causes, Costs, Consequences, and Potential Solutions. Retrieved December 1, 2005 from http://www.reform.house.gov/UploadedFiles/Final%20Press%20Opening%20Statement%202.pdf, p. 5.

113 GTAG, op. cit., p. 17.

114 Joseph Gibaldi (2003). MLA Handbook for Writers of Research Papers, 6th Edition. Retrieved December 1, 2005 from http://www.mla.org/handbook. & APA (2001). Publication Manual of the American Psychological Association, 5th Edition. Retrieved December 1, 2005 from http://www.apastyle.org/pubmanual.html.

115 NIST Information Technology Laboratory (2002), International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management, Frequently Asked Questions. Retrieved December 1, 2005 from http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf.

116 ITTF. Freely Available Standards. In accordance with ISO/IEC JTC 1 and the ISO and IEC Councils these International Standards are publicly available. Retrieved December 1, 2005 from http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm. Note: The standards are available for download at the ITTF web site. This does not imply free use or permission to copy any materials found. The files are in zip format. I had no difficulty with them, but always use a staging area to run additional anti-virus/spyware scans before opening anyone's files: http://standards.iso.org/ittf/PubliclyAvailableStandards/c040612_ISO_IEC_15408-1_2005(E).zip, http://standards.iso.org/ittf/PubliclyAvailableStandards/c040613_ISO_IEC_15408-2_2005(E).zip, & http://standards.iso.org/ittf/PubliclyAvailableStandards/c040614_ISO_IEC_15408-3_2005(E).zip.

117 Note: Product evaluation results in certification and an explanation of product compliance with acknowledged best practice and industry standards for certification, as required by any type of company or branch of government or international service. Tripwire Manager 3.0 with Tripwire for Servers 3.0, and Tripwire Manager 3.0 with Tripwire for Servers Check Point Edition 3.0, a product heavily supported by the IIA, have listed certification since 2003.

118 CESG (UK) & NIST (USA). Common Criteria, An Introduction. Retrieved December 1, 2005 from http://www.commoncriteriaportal.org/public/files/ccintroduction.pdf. Note: "The Common Criteria work is an international initiative by the following organizations: CSE (Canada), SCSSI (France), BSI (Germany), NLNCSA (Netherlands), CESG (UK), NIST (USA) and NSA (USA)", p. 2.

119 Ibid., p. 6.

120 Tim O'Reilly, What Is Web 2.0: Design Patterns and Business Models for the Next Generation of Software, 09/30/2005. Retrieved December 30, 2005 from http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html?page=1.

121 Idem. The article cites: Daniel Bricklin, The Cornucopia of the Commons: How to get volunteer labor, © Copyright 1999-2005. Retrieved December 31, 2005 from http://www.bricklin.com/cornucopia.htm.

122 OASIS (2005). Security Assertion Markup Language (SAML) v2.0. Retrieved December 1, 2005 from http://www.oasis-open.org/specs/index.php#samlv2.0, & http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip.

123 DocBook Schemas. Retrieved December 1, 2005 from http://docbook.org/oasis/index.html. Note: As stated on the website: "DocBook is a schema (available in several languages including RELAX NG, SGML and XML DTDs, and W3C XML Schema) maintained by the DocBook Technical Committee of OASIS. It is particularly well suited to books and papers about computer hardware and software (though it is by no means limited to these applications)."

124 Norman Walsh & Leonard Muellner, DocBook: The Definitive Guide, O'Reilly & Associates, Inc., Version 1.0.2 (1999). Retrieved December 1, 2005 from http://www.oreilly.com/catalog/docbook/chapter/book/docbook.html. Note: This is the official documentation for DocBook. & Bob Stayton, DocBook XSL: The Complete Guide, Sagehill Enterprises, Third Edition (2005). Retrieved December 1, 2005 from http://www.sagehill.net/docbookxsl/. Note: This is the definitive guide to using the DocBook XSL stylesheets. It provides the necessary documentation to realize the full potential of DocBook publishing. It covers all aspects of DocBook publishing tools, including installing, using, and customizing the stylesheets and processing tools.

125 The phrase "apples and oranges" is not mine, but the source cannot be found at this time. Interesting to note is an article by Scott Berinato, found at Darwin, The Chief Security Officer magazine/website, who attempted to find the origin of this phrase: http://www.darwinmag.com/read/0502/apples.html.

126 United States Congress, "Computer Security Enhancement Act of 1997", in Public Law 100-418, H.R. 1903, Calendar No. 718, & Report No. 105-412 (1998), SEC. 1-14. Note: "To amend the National Institute of Standards and Technology Act to enhance the ability of the National Institute of Standards and Technology to improve computer security, and for other purposes."

127 Payment Card Industry (PCI) Data Security Standard, op. cit.

128 PricewaterhouseCoopers, Integrity Driven Performance, White Paper (2004), Page 34. Note: PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services for public and private clients. More than 120,000 people in 139 countries connect their thinking, experience and solutions to build public trust and enhance value for clients and their stakeholders.

129 Note: While providing support to our CISA study group, Bruce I. Winters, CPA, CISA, of PricewaterhouseCoopers LLP – CT, shared this work (and a wealth of industry knowledge). Sustainable compliance is a new domain for the integration of all IT Infrastructure and Enterprise Management. The topic has provoked tremendous advances in the concepts of configuration and process, adding entire divisions of study to every institution of learning and changing the way we think about the creation of even the smallest snippet of code for the simplest of devices.

130 Stanley Kubrick & Arthur C. Clarke, "HAL 9000" or "HAL", in 2001: A Space Odyssey, USA Box Office: MGM Home Entertainment, 1968.

131 Tom Gruber, What is an Ontology?, KSL, Knowledge Systems, AI Laboratory, Stanford University. Retrieved December 1, 2005 from http://www-ksl.stanford.edu/kst/what-is-an-ontology.html. Note: "An ontology is an explicit specification of a conceptualization. […] We use common ontologies to describe ontological commitments for a set of agents so that they can communicate about a domain of discourse without necessarily operating on a globally shared theory."

132 The NIST SP 800-53 Database Application is available for download at http://csrc.nist.gov/sec-cert/download-800-53database.html.

133 OntoWeb Project, OntoWeb Working Group on Process Standards. Retrieved December 1, 2005 from http://www.aiai.ed.ac.uk/project/ontoweb/. Amy Knutilla, Craig Schlenoff, Steven Ray, Stephen T. Polyak, Austin Tate, Shu Chiun Cheah and Richard C. Anderson: "Process Specification Language: An Analysis of Existing Representations," NISTIR 6160, National Institute of Standards and Technology, Gaithersburg, MD, 1998.

134 OGC, ICT Infrastructure Management Manual, op. cit., Section 2.7, pp. 59-63.

135 Idem.

136 PricewaterhouseCoopers on behalf of COSO, Enterprise Risk Management — Integrated Framework, AICPA, Volume 2. Retrieved December 1, 2005 from https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+-+Integrated+Framework.htm. & COSO (2005), Internal Control — Integrated Framework. & Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting, AICPA, Exposure Draft. Retrieved December 1, 2005 from http://155.201.80.182/Coso/coserm.nsf/vwResources/PDF_IC/$FILE/COSO_FINAL_Draft_IC_Guidance.pdf. Note: These are both noted by the SEC as appropriate frameworks in the implementation of controls assessment.

137 Note: Google is a fascinating company, but their name is not "Googol", a number often confused with infinity. I am reminded, by the PBS rerun of Cosmos, of Carl Sagan saying the googol is finite in number: 1 followed by 100 zeros, or 10^100.

138 ITGI & ISACA (2004). COBIT® Mapping, Overview of International IT Guidance. Retrieved December 1, 2005 from http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/CobiT_Mapping_Paper_6jan04.pdf.

139 ITGI & ISACA (2004). IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control over Disclosure and Financial Reporting. Retrieved December 1, 2005 from http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/IT_Control_Objectives_for_Sarbanes-Oxley_7july04.pdf.

140 Idem.

141 FERF, Financial Executives Research Foundation. Retrieved December 1, 2005 from http://www.fei.org/rf/.

142 ISACA, ISACA Membership Information. Retrieved November 1, 2005 from http://www.isaca.org/Template.cfm?Section=Membership&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=15&ContentID=7510.

143 AICPA Membership. AICPA 2004-2005 Annual Report. Retrieved November 1, 2005 from http://www.aicpa.org/about/annrpt/2004-2005/aicpa_04-05_ar.pdf, p. 22.

144 IIA, op. cit.

145 U.S. Department of Labor, Bureau of Labor Statistics. Occupational Employment and Wages, November 2004. Retrieved December 1, 2005 from http://www.bls.gov/oes/current/oes132011.htm.

146 NASBA, National Association of State Boards of Accountancy. Retrieved November 1, 2005 from http://www.nasba.org/nasbaweb.nsf/?Open.

147 ACLU (American Civil Liberties Union). Free Speech. Retrieved November 1, 2005 from http://www.aclu.org/freespeech/index.html.

148 W. Edwards Deming (1986), "14 Points for Management", in Out of the Crisis, Cambridge: The MIT Press. Retrieved December 1, 2005 from http://www.deming.org/resources/books.html. Note: Found at http://www.deming.org/instituteinfo/wedihistory.html: "The W. Edwards Deming Institute® was founded by Dr. Deming in 1993. The Institute is headquartered in Washington, D.C. It is a nonprofit corporation which provides educational services related to the teachings of Dr. Deming. These services include conferences and seminars. The Institute also makes Dr. Deming's personal and professional papers available to researchers at the U.S. Library of Congress. The Deming Collection at the Library of Congress includes an extensive audiotape and videotape archive of Dr. Deming. The aim of The W. Edwards Deming Institute® is to foster understanding of The Deming System of Profound Knowledge™ to advance commerce, prosperity and peace."

149 U.S. Navy, "Increasing Contractor Commitment", in Benefits, DoN Acquisition One Source. Retrieved December 1, 2005 from http://www.ar.navy.mil/aosfiles/tools/turbo/topics/cj.cfm. Note: The argument promotes the works of Edwards Deming as the reason for DoD changes in procurement and acquisition practice.

150 Deming, op. cit., Chapter 2. Note: Edwards Deming, author of Out of the Crisis and The New Economics and father of Quality Management – perhaps best known for the "14 Points for Management". The Edwards Deming Institute, "Condensation of the 14 Points for Management", in The Deming System of Profound Knowledge (Continued). Retrieved December 1, 2005. (not my Dad) (real Dad) I sincerely apologize to any member of the actual Deming family. What I said was, "My Dad is 'TQM'." This is true. He worked for International Telephone & Telegraph, ITT, during the 60s and up to the 80s, during the era of "No Surprises", "leadership through action" CEO Harold Geneen. My Dad's full name is Alvin Martin Silver. I still like to call him TQM. I also said I wish I had been raised by wolves. I meant no disrespect to dogs or my own family.

151 Get the Data and Proportionality

152 The Fog of War

153 Morris explains in an NPR interview that reading Paul Hendrickson's book.

154 You can't change human nature.

155 The Fog of War included Robert McNamara's recit.

156 Rudyard Kipling's Law For Wolves. Note: Joseph Rudyard Kipling (December 30, 1865 – January 18, 1936) was a British author and poet, born in India. He is best known for the children's story The Jungle Book (1894), the Indian spy novel Kim (1901), the poems "Gunga Din" (1892) and "If—" (1895), and his many short stories. In 1907 he was awarded the Nobel Prize for Literature, and in 1934 he shared the Gothenburg Prize for Poetry with William Butler Yeats.

157 Note: Recently, while preparing to take the CISA exam, a download found its way to my inbox claiming 600 study examples based in the 2005 information audit competency requirements. They were an export of the ISACA study manual questions, not only under copyright but representing critical revenue to an important organization. I was outraged. ISACA enforced the removal of the distributed material, but not before it had been downloaded.

158 Note: A contributing member to far too many publications, it is notable that Tom Lamm was part of The World Bank Technology Risk Checklist 6.0, a highly organized overview for assurance of implemented banking security practice. Published by The World Bank in 2003, Tom worked with a team that included Julia Allen. It's that pattern again, of good minds showing up for all the most important occasions.

159 Charles Le Grand, CIA, CISA, CDP, [email protected], was formerly Assistant Vice President of Technology Practices for The Institute of Internal Auditors. He provided direction to all areas of The IIA in the use of technology to deliver programs and products for the internal auditing profession. He was Director of Research for The IIA Research Foundation. Le Grand has served as technical advisor to the International Federation of Accountants Information Technology Committee and worked with other organizations concerned with technology and its security, control, auditing, and educational aspects. He also was the IIA's staff member responsible for the landmark Systems Auditability and Control (SAC) research projects in 1990 and 1993.

160 Richard P. Feynman & Jeffrey Robbins, The Pleasure of Finding Things Out, Cambridge: Perseus Publishing, 1999, p. 1.

161 Note: This analogy is not alluding to Sarbanes-Oxley being extricated by Congress like a large pile of dung. That would lack respect. The mushrooms sprouting on the dung are the "self-proclaimed control experts" selling compliance services based in FUD tactics (Fear, Uncertainty, Doubt).

162 Note: Efforts to keep ISO adapting are so pervasive that this would merit a full thesis of information on its own.

163 EDUCAUSE. Information Security Governance Assessment Tool For Higher Education. Retrieved December 1, 2005 from http://www.educause.edu/ir/library/pdf/SEC0421.pdf.

164 EDUCAUSE & Internet2. Computer and Network Security Task Force. Retrieved December 1, 2005 from http://www.educause.edu/Elements/Attachments/security/flyer.pdf. Note: "Established by EDUCAUSE and Internet2 in July 2000, the Computer and Network Security Task Force works to improve awareness among the EDUCAUSE and Internet2 memberships and throughout higher education and actively promotes effective practices and solutions for the protection of information assets and critical infrastructures. The Security Task Force coordinates its efforts on behalf of institutions of higher education with the support of the Higher Education Information Technology Alliance (www.heitalliance.org), whose members include the American Association of Community Colleges, the American Association of State Colleges and Universities, the American Council on Education, the Association of American Universities, the National Association of Independent Colleges and Universities, and the National Association of State Universities and Land-Grant Colleges."

165 Public Law 104-13 http://www.educause.edu/ir/library/pdf/SEH. As explained on their web site: EDUCAUSE and Internet2 established the Computer and Network Security Task Force in July 2000. The Task Force is working to improve awareness among the EDUCAUSE and Internet2 memberships and throughout higher education. The Security Task Force actively promotes effective practices and solutions for the protection of information assets and critical infrastructures. The Security Task Force is coordinating its efforts on behalf of institute.

About the Author:

PB&SP founder, Robin Basham, began Phoenix with over a decade of experience managing Information Technology and Audit services within the public, private and federal/government, banking, education, telecom, defense and manufacturing industries. This work included designing and implementing ITIL® Service Support and Infrastructure Management programs, contributing to various Application Life Cycle and Database Management initiatives, participating in advanced degree and technical committees across areas such as Java Enterprise and Open Source Standards, leading Process Engineering (as conforming to ISO 9000), delivering Capital Projects Requirements Analysis (as aligned to Department of Defense), completing major OSS migrations across two platforms including SAP, MetaSolve and Remedy (Telecom), and currently delivering project management, ongoing control self assessment programs, SAS 70 and Sarbanes-Oxley internal compliance reporting, supplemented by 100+ workflow process diagrams mapping COBIT® and ITIL® controls across entire organizations, and facilitating live compliance reporting using mainstream desktop applications.

PB&SP provides regular online and face-to-face certified COBIT® 4.0 and ITSM ISEB Foundation level IT Governance and Regulatory Training.

Bringing education, technology and assessment to audit

Entering IT as a fifteen-year veteran of assessment, graduate level training, and the implementation of networking and software to meet special learning needs in mainstream environments, Ms. Basham discovered that industry efforts to operate at a profit in spite of complex financial, legal and conformity assessment standards presented a familiar challenge. Projects aiding conformity to ISO 9000, ISO 14000 and ISO 17799, and evolving certifications around SDLC and CMM standards, extended programs from utility and data management to facilitating standard practice in the development of procedures and guidance toward maintaining an acceptable risk and compliance management posture.

Working extensively in design and data management, projects ranged from:

§ Decision Support Systems (DSS) to
§ Order Management Systems (OMS) and
§ Data Center Management (DCM) according to TMN, ITIL® and FCAPS
§ Operations Support Systems and
§ Data Integrity between Financial, Service and Network Management Systems.

The following consistent and increasingly normalized elements emerged:

§ Process architecture models must adapt to meet specialized business requirements
§ Any variance from the norm needs policy, work instructions, and monitoring
§ Process Controls Map, aligning Risk to Legal Requirement and control to meeting risk
§ Business case workflow and data validation controls were only as effective as the communication across all phases of the Development Life Cycle
§ Role based access is driven by policy, no matter what the condition or product
§ Anything measured is fair game for audit and data retention
§ Performance Metrics are more than executive show and tell


The first storm

1996 marked the millennium bug and mounting concerns over business continuity. As Career and Education Director for the Association for Women in Computing (AWC), Robin pitched a Y2K Conference promoting SDLC and Quality Management standards. Joining AWC forces with ASM (Association for Systems Management), SIM (Society for Information Management), and PMI (Project Management Institute), Robin directed RoadMap 2001. 30 industry leaders and 400 Babson attendees collaborated on the best management and project practice necessary to avert the pending crisis. Unfortunately no one’s vision included the business scandals and failures of ethics that lay ahead.

Banking to Telecommunications

Codes of Federal Regulation exploded with the onset of online banking, but even more demanding were those with responsibility to enforce FCC regulations in an industry whose evolving technologies and products were adopted as mainstream and made obsolete by competition or bad design overnight. Attempts to maintain market position unleashed a frenzy of cutting edge software and devices, always claiming alignment to IEC and TeleManagement Forum (TM Forum) standards, and always released with little or no attention to testing, support, change, security and performance management process. Where small configuration anomalies affected legal and financial requirements, Telecom OSS platforms too came and went, costing the industry billions of dollars, but never providing audit with simple clean answers to inventory and count. After two unsuccessful OSS migrations, Ms. Basham proposed a grass roots Performance Management Forum, networking metrics to finance and service data, with comparative reports presented monthly to the CTO and Executive Board. People realized the numbers told the truth, and soon after joined the ranks of WorldCom, Global Crossing and MCI.

Ominous clouds and biting wind

In 2001, marked by common stories of hidden debt, overstated value and manipulated dates in the name of stock values and, ironically, keeping shareholders happy, corporate scandals such as WorldCom and Enron rippled through Wall Street, swelling to an unemployment tsunami. With so many peers out of work, Ms. Basham took a leap of faith, turning private practice into a corporation. Upholding conformity to legal mandates had simply been a part of the last twenty years of professional practice (see RegWatch), but with the Sarbanes-Oxley Act of 2002 there was widespread need for Facilitated Compliance Management™ and documentation of all controls-related process.

The SEC asked for internal controls reporting aligned to The Committee of Sponsoring Organizations of the Treadway Commission (COSO), adding to the implications of the Clinger-Cohen Act, which suggested an efficient balance between business and systems, where IT scores aligned to meeting business objectives. The accounting oversight mandate aimed to force order out of chaos, but the renaissance came from ISACA in the form of an IT controls assessment roadmap, Control Objectives for Information and related Technology (COBIT®). The breakthrough IT governance standard did not introduce new methods or technologies. To the contrary, this IT toolkit provided a comprehensive matrix enabling controls visibility across all enterprise IT functions. Using language that spoke to an overall business assessment, an underlying organizational resource model and all other forms of audit and conformity requirements were now represented with one single compliance standard.

After 9/11 and more than half a million technology layoffs, Ms. Basham regarded COBIT® as the phoenix. Phoenix Business and Systems Process (PB&SP) adopted COBIT®, ISO/IEC 17799:2000 and ITIL® (BS15000 and ICT Infrastructure Management Best Practice) standards as a comprehensive response to all mandates over IT control. As Sarbanes-Oxley’s requirements immobilized the United States economy, PB&SP’s first two years assisted corporations as well known as Siemens, Raytheon and Journal Communication to implement IT Infrastructure and Assessment programs entirely aligned to the measurements found in COBIT®.

Bracing for the big storm

Released in January 2003 to the Association for Women in Computing, “Scoping Sarbanes-Oxley” urged a lowest common denominator approach to meeting section 404 general control attestation requirements. A full two years in advance of the ISACA, PricewaterhouseCoopers LLC, IIA and AICPA landmark direction “IT Control Objectives for Sarbanes-Oxley” [i], Ms. Basham’s strategy stressed a risk based approach, lowest cost and highest return controls, and distributed self assessment activity that would enforce a program of sustainable compliance.

Participation and Contribution


Avoiding any claim to answers, Ms. Basham’s wisdom lies in aligning questions to authorities, and tools to business, technology and audit requirements. A firm believer in collaboration, she makes full use of platforms for professional development, offering any new ideas to a team “reality check” on the ISACA list services open forum of technology, audit and legal experts. Keeping current in definitive rulings, PB&SP leverages collaboration among leaders at IIA, ISACA and OASIS, their associated committee members and resources, and guidance as provided by the efforts of our Big5 (PricewaterhouseCoopers LLP, Deloitte & Touche LLP, Ernst & Young Global, KPMG International, and Protiviti® Inc). Global Communications by ISACA and direct attention to posted changes by FASB, GASB, AICPA, ISACA, and IFAC, as they would affect Information Systems Audit and Control guidelines, is of primary focus to PB&SP.

Acting as liaison between OASIS, ISACA, itSMF and the IIA, Ms. Basham’s influence is seen in practical templates, UML proposals and applications for RunBook and Risk Management. Robin’s most current publication, a satire regarding the struggle to stay current with industry, is titled The Perils of Mount Must Read. Introducing a new theory of Compliance Professional Evolution, the story reveals a common mission to unite by way of standards and alignment to the best each has to offer. The Perils are caused by everyone’s pervasive anxiety in just trying to stay afloat.

What is Facilitated Compliance Management™ (FCM)?

DoD, Telecom, Securities and Trading, Education, Government and Banking regulations impact every aspect of systems and operations management. PMM (Personal Maturity Management) methods guided the creation of a process and controls tracking application. The database grew from Help Desk, to Order Management, to Process Engine and Knowledge Base. While managing Process Engineering and later Controls Assessment teams, the application became known as SamePage Process Development Tracking, an unofficial and unregistered trademark. Designed as an evolving compliance prototype, the tool is provided to clients and was never intended to be sold as a product. On discovering that SamePageSolutions had registered and been granted a SamePage trademark, an application for the FCM, "Facilitated Compliance Management", trademark was immediately filed, and the use of SamePage in reference to PB&SP practice is now phased out. Resisting offers to turn what is now FCM into another compliance product, the tool remains true to its intended purpose, offering open code and data models for use as a compliance prototype, leveraging the portability of Microsoft HTML, BPEL and XML compliant Microsoft Visio Standard, and VBA forms posting to a SQL back end.

FCM is under agreement with OMG, Object Modeling Group, for 2007 release as a fully open source ORCAS product.

Core Value

PB&SP keeps clients ahead of the compliance curve. Using a combination of best of breed tools and processes for RunBooks, Configuration and Change Management, Enterprise Risk Management, Security Management and Performance Management, PB&SP emphasizes the ITIL® [ii] and COBIT® frameworks, prudent examination of existing infrastructure, and technology acquisition recommendations based in a risk and legal context. PB&SP utilizes partner resources to provide clients with extended requirements in long term data support, network management, software development and staff augmentation. These are no-fee, value-add perks and are among the many reasons clients remain satisfied with PB&SP.

Bread Crumbs

Presentations in the last year include the Organization for the Advancement of Structured Information Standards (OASIS) 2005 Symposium in New Orleans, the Information Technology Service Management Forum, New England (itSMF), the Information Systems Audit and Control Association Chicago and Cleveland Chapters (ISACA), and the Financial Executive and Technology Executive Networking Groups (FENG/TENG). Robin is a regular contributor and a founding member of the OASIS Configuration Compliance Technical Committee and a regular contributor to the ISACA IT Governance, Information Security and Sarbanes-Oxley Compliance and COBIT® list services.

Shingles

Among Robin's credentials are Certified Information Systems Auditor (CISA), ITIL® Foundations certification (ISEB), a Master's Degree in Information Technology (M.IT), and a Master of Education (M.Ed).