Web Log news, events, and more

Monday, June 30, 2008

Business' Ten Commandments

The Ten Commandments[1] were originally coined by turnaround expert Wilbur L. Ross, in regard to managing buyouts and mergers. But, as is evident, they are good advice for anyone reviewing any operation.

  1. Ask about everything but be skeptical until you reach a conclusion.
  2. Be polite, friendly and all-inclusive, but do not waver.
  3. Move quickly and decisively.
  4. Admit errors and correct them immediately.
  5. When in doubt, go for change.
  6. Never give up.
  7. Work 24 hours a day, seven days a week.
  8. Do not expect credit for your work, but give others credit for theirs.
  9. Do not settle for second-best staff.
  10. Know when to fire yourself.


1. Cangemi, Michael P., Issues and Comments: Turnaround Management, Information Systems Control Journal, Volume 2, 2007, ISACA.

Monday, June 23, 2008

Information Security and High-Performance IT

Studies have shown that improving IT controls does improve performance. For example, a 2007 study by the Information Technology Process Institute (ITPI) indicates six “foundational” controls that characterize high-performing IT operations:
  1. Monitoring of systems for unauthorized changes.
  2. Defined consequences for intentional unauthorized changes.
  3. A formal process for IT configuration management.
  4. An automated configuration management process.
  5. Tracking of the success rate for IT changes.
  6. Ability to provide personnel with correct and accurate information on the present IT infrastructure configurations, including their physical and functional specifications.
An appropriate control framework, when well-planned and suited to the organization, can be effective in reducing organizational risks and can be applied to organizational systems at a net financial benefit.

Monday, June 16, 2008

FISMA Compliance: Metrics or Management?

The Federal government consistently gets poor marks in the annual IT risk management reviews required by the Federal Information Security Management Act of 2002. A Government Computer News editorial by Wyatt Kash discusses the ramifications of the latest findings and suggests that the source of the Government’s persistent and pervasive information security troubles is this: information security management practices are not measured. That’s a compelling argument, given that government isn’t generally held to rigorous management performance criteria. And when agencies do have criteria in place, the measures are often distorted to present a picture of accomplishment where there is none. One agency, for example, measures the number of help desk calls as a success criterion: more help desk calls equals better service. Clearly, the focus should be on reducing the number of service calls. But government managers unknowledgeable about IT management principles simply look at the numbers and assume that more is better.

The GCN article suggests that the audit guide used by the payment card industry (PCI) offers the measures of information security that NIST guidance, and the FISMA law itself, lacks. PCI audit guidelines have fairly specific success criteria, including:
  • Maintain a firewall configuration to protect data;
  • Don’t use vendor-supplied defaults for system passwords and other security parameters;
  • Protect stored data;
  • Encrypt transmission of sensitive information across public networks;
  • Use and regularly update antivirus software;
  • Restrict physical and logical access to cardholder data;
  • Assign a unique identifier to each person with computer access;
  • Track and monitor all access to network resources and cardholder data;
  • Regularly test security systems and processes.
Jorgen T. Lazo, an IT Analyst with the Federal Reserve Board, rejects the GCN editorial’s suggestion that PCI metrics will solve security problems. “While security is the issue, the burden of managing our information systems is the real root of the problem.” Lazo goes on to say that IT systems passing security checklists are not necessarily secure; we have plenty of evidence of that in the number of reported breaches of systems that were supposedly secure. The problem lies in the way we design, build, and operate IT systems. Information security practices and techniques should be “baked into” IT delivery.

Both points of view are credible. IT management does need to measure security processes (Kash). Information security is not just operational; it’s the whole package—a strategic, tactical and operational concern (Lazo).

Control Objectives for Information and Related Technology (COBIT) meets both goals. COBIT provides a strategic IT governance framework that defines management objectives for IT processes, and it defines performance measures informing management whether those objectives are being met. In COBIT, security objectives and measures are pervasive throughout every IT management activity: planning and organizing, acquisition, implementation, delivery and support, monitoring, and evaluating performance.

Let’s take an example. COBIT specifies that risk management is a significant component of planning and organizing the IT activity. Risk management requires processes that:
  • Establish an IT risk management framework that is aligned to the enterprise’s risk management framework;
  • Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes;
  • Identify events (important and realistic threats that exploit a significant vulnerability) with a potential negative impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects;
  • Determine the nature of risk event impacts, and record and maintain relevant risks in a risk registry;
  • Assess the likelihood and impact of all identified risks on a recurrent basis, using qualitative and quantitative methods;
  • Determine the likelihood and impact associated with inherent and residual risk individually, by category and on a portfolio basis;
  • Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis; the risk response process should identify risk strategies, determine associated responsibilities, and consider risk tolerance levels;
  • Prioritize and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution;
  • Ensure that committed actions are owned by the affected process owner(s);
  • Monitor execution of the plans, and report on any deviations to senior management.

The measures of success toward meeting the goals of the above processes include:

  • Percent of critical IT objectives covered by risk assessment;
  • Percent of IT risk assessments integrated in the IT risk assessment approach;
  • Percent of identified critical IT events that have been assessed;
  • Number of newly identified IT risks (compared to previous exercise);
  • Number of significant incidents caused by risks that were not identified by the risk assessment process;
  • Percent of identified critical IT risks with an action plan developed;
  • Percent of IT budget spent on risk management (assessment and mitigation) activities;
  • Frequency of review of the IT risk management process;
  • Percent of approved risk assessments;
  • Number of actioned risk monitoring reports within the agreed-upon frequency;
  • Percent of identified IT events used in risk assessments;
  • Percent of risk management action plans approved for implementation.
Note that, in contrast to PCI, none of the success criteria mentions any specific security activity like maintaining firewalls or assigning a unique identifier to each person with computer access. Instead, COBIT supplies IT management with measures to evaluate how well risks have been identified, assessed, and managed. If maintaining a firewall won’t address a risk to IT assets, then it shouldn’t be a priority. But, for example, if there is a significant risk to information in transit, then encrypting the transmission of sensitive information across public networks is a good idea.
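To make the contrast concrete, here is an added example (not from the post, COBIT, or ISACA) of a small risk registry that records inherent and residual risk per event and computes several of the measures listed above: percent of critical risks assessed, percent of critical risks with an action plan, newly identified risks compared to the previous exercise, committed actions without an owner, and residual risk by category and portfolio. The 1–5 likelihood and impact scale, the tolerance threshold, and the sample register entries are constructed assumptions; COBIT leaves the scoring method to the organization.

```python
"""Risk registry with COBIT-style risk measures (added example, assumptions noted inline)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Risk:
    """One identified event in the risk registry."""
    risk_id: str
    event: str
    category: str                 # business, regulatory, legal, technology, trading partner, ...
    critical: bool                # tied to a critical IT objective
    assessed: bool                # likelihood and impact assessed in the current cycle
    inherent_likelihood: int = 0  # 1..5 scale (assumed scale, not prescribed by the page)
    inherent_impact: int = 0
    residual_likelihood: int = 0  # after the controls already in place
    residual_impact: int = 0
    action_plan: bool = False     # a risk response has been planned
    owner: Optional[str] = None   # process owner accountable for the committed action

    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def percent(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; an empty population scores 0.0 rather than dividing by zero."""
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def percent_critical_assessed(risks: Iterable[Risk]) -> float:
    """Percent of identified critical IT events that have been assessed."""
    critical = [r for r in risks if r.critical]
    return percent(sum(1 for r in critical if r.assessed), len(critical))


def percent_critical_with_plan(risks: Iterable[Risk]) -> float:
    """Percent of identified critical IT risks with an action plan developed."""
    critical = [r for r in risks if r.critical]
    return percent(sum(1 for r in critical if r.action_plan), len(critical))


def newly_identified(risks: Iterable[Risk], previous_ids: Set[str]) -> List[str]:
    """Risks not present in the previous exercise's registry."""
    return sorted(r.risk_id for r in risks if r.risk_id not in previous_ids)


def unowned_actions(risks: Iterable[Risk]) -> List[str]:
    """Committed actions that no process owner has accepted (a governance gap to report)."""
    return sorted(r.risk_id for r in risks if r.action_plan and r.owner is None)


def residual_by_category(risks: Iterable[Risk]) -> Dict[str, int]:
    """Residual risk summed per category; only assessed risks carry a score."""
    totals: Dict[str, int] = {}
    for r in risks:
        if r.assessed:
            totals[r.category] = totals.get(r.category, 0) + r.residual_score()
    return totals


def over_tolerance(risks: Iterable[Risk], tolerance: int) -> List[str]:
    """Assessed risks whose residual score exceeds the agreed tolerance level."""
    return sorted(r.risk_id for r in risks if r.assessed and r.residual_score() > tolerance)


# Constructed sample registry for illustration only.
REGISTER: List[Risk] = [
    Risk("R1", "unencrypted transfer of sensitive data over public network", "technology",
         critical=True, assessed=True, inherent_likelihood=5, inherent_impact=4,
         residual_likelihood=2, residual_impact=4, action_plan=True, owner="network operations"),
    Risk("R2", "retention rules not applied to e-mail archives", "regulatory",
         critical=True, assessed=True, inherent_likelihood=3, inherent_impact=5,
         residual_likelihood=3, residual_impact=5),
    Risk("R3", "unauthorized change to production configuration", "technology",
         critical=True, assessed=False),
    Risk("R4", "partner feed delivered late", "trading partner",
         critical=False, assessed=True, inherent_likelihood=2, inherent_impact=3,
         residual_likelihood=1, residual_impact=3, action_plan=True, owner=None),
    Risk("R5", "key administrator leaves without handover", "human resources",
         critical=False, assessed=False),
]
PREVIOUS_IDS: Set[str] = {"R1", "R2", "R3"}   # constructed: ids from the prior exercise
TOLERANCE = 9                                 # constructed: agreed residual-score tolerance


if __name__ == "__main__":
    print("critical risks assessed:", percent_critical_assessed(REGISTER), "%")
    print("critical risks with plan:", percent_critical_with_plan(REGISTER), "%")
    print("newly identified:", newly_identified(REGISTER, PREVIOUS_IDS))
    print("actions without owner:", unowned_actions(REGISTER))
    print("residual by category:", residual_by_category(REGISTER))
    print("over tolerance:", over_tolerance(REGISTER, TOLERANCE))
```

Nothing in the registry names a firewall or an antivirus product; the controls only appear as the gap between each event's inherent and residual score, which is exactly the distinction the post draws between COBIT's measures and the PCI checklist.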

Mr. Kash accurately points to the need to measure how well you’re addressing security activities. But, as Mr. Lazo points out, addressing security from the bottom up won’t provide an adequate payoff. Yes, PCI provides a framework for good security practice; but it’s still just a checklist. Managers need to think strategically, not just operationally, about the real risks to IT assets. In short, management needs to apply governance. COBIT gives them the tools to do just that.

Monday, June 9, 2008

E-Discovery: Round Two

A new research report published by the National Association of State Chief Information Officers (NASCIO) is designed to help states prepare for requests for electronic information. The report, entitled The Search Is On: State CIO Starting Points for E-Discovery, is a response to last year’s amendments to the Federal Rules of Civil Procedure concerning the discovery of electronic information during litigation. (See Feds Get Tough on E-Discovery)

John Moore highlights the significance of the new research in Federal Computer Week, writing that “a multidisciplinary team should manage an electronic records management effort”, which can, according to NASCIO, “reduce the risks associated with e-discovery.”

The full report is available as a PDF document at NASCIO’s publications library.

Monday, June 2, 2008

Feds Get Tough on E-Discovery

Recent changes to the Federal Rules of Civil Procedure in 2006 have put IT and internal audit departments under the microscope. According to the new rules, parties to civil litigation must disclose upon request “any documents or electronically stored information in any medium from which information can be obtained either directly or after translation into a reasonably usable form.”

Discoverable information now includes virtually all digital media including e-mail messages and message archives, digital audio recordings, digital images, USB flash drives, laptops, personal digital assistants, cell phones, temporary storage caches, personal audio players, and more. If you can think of a technology that creates, presents, alters, or stores your organization’s data, it’s probably discoverable because the Federal guidance casts a wide net.

The new rules can be devastating to organizations that do not have sound policies for the capture, retention, and disposal of electronically stored information. The inability of an organization to properly account for its information can result in penalties ranging from loss of the right of document privilege (i.e. the right to protect privileged documents from discovery) to adverse inference rulings (i.e. undiscoverable information is presumed to have been adverse) and, in some cases, obstruction of justice charges.

In a November 10, 2007 article in the Institute of Internal Auditors e-magazine IT Audit, Shawna Scharf, contributing staff writer, discusses what the new rules mean for organizations. “By studying e-discovery law, recommending the implementation of sound data retention policies, investing in the right software tools, and working with the company’s legal counsel, auditors can reduce the risk of coming up empty handed in the e-discovery process.” Makes you want to review your document management policies, doesn’t it? You do have document management policies, don't you?