The Perils of Mount Must Read™
©Robin Basham Page 2 5/15/2006
Table of Contents
Preface....................................................................................................................................................4
The Perils of Mount Must Read™: Confessions of a Cliff Note Junky.......................................................5
Are you sure I’m in recovery? ..................................................................................................................5
I will conquer Mount Must Read™........................................................................................................5
Waste no time......................................................................................................................................6
Compliance Farm™: Theory of Professional Practice Evolution (Nonlinear)............................................8
What should an Information Systems Auditor eat?................................................................................. 10
Touchdown! Mount Must Read™ 7, Hometown 0............................................................................... 11
Blame someone................................................................................................................................. 11
Legal GAP....................................................................................................................................... 11
What I don't know can't hurt me.......................................................................................................... 12
Please don’t make me go back to high school........................................................................................ 15
Good News, they pay people in congress to think............................................................................... 15
Say "Goodbye" to statute virginity....................................................................................................... 17
Give up the white paper crutch........................................................................................................... 18
Can someone help me down from my horse?..................................................................................... 19
My Mother told me to say I’m sorry..................................................................................................... 19
Basic principles of a well rounded diet ................................................................................................... 20
How do you keep that stunning figure?............................................................................................... 20
Trade secrets..................................................................................................................................... 21
You can’t make me download!............................................................................................................ 21
GAO, is that you? ........................................................................................................................... 21
Regarding recovery ........................................................................................................................ 22
Even the score ............................................................................................................................... 22
The diet starts today: All right today... first thing in the morning… I mean it this time......................... 22
Birth records, death certificates and standards euthanasia ................................................................. 23
If it makes sense, it exists .................................................................................................................. 23
A trip to the Standards Mall ................................................................................................................ 24
Lowest Common Denominator........................................................................................................... 25
How low can you go? ......................................................................................................................... 26
The more you know, the less you have to say................................................................................. 27
Fundamental Five .............................................................................................................................. 27
A simpler selection criteria.................................................................................................................. 28
How did I miss the Common Criteria?................................................................................................. 29
These are not Cliff Notes.................................................................................................................... 30
Seems like a Schema to me............................................................................................................... 33
Where are you taking me? ................................................................................................................. 35
Honest Doc, I looked everywhere. No expiration date. ................................................................... 36
Darker and deeper ............................................................................................................................. 36
Sucked in by detail............................................................................................................................. 37
Get to higher ground .......................................................................................................................... 37
Open the computer bay, HAL............................................................................................................. 37
Scope ................................................................................................................................................ 38
The Classification Framework ............................................................................................................ 40
Naked without our tools ......................................................................................................................... 41
Buyer beware..................................................................................................................................... 41
Second greatest hook of all time..................................................................................................... 41
COTS alone can’t save us.................................................................................................................. 42
Process alone can’t save us ........................................................................................................... 42
Factors affecting world trade: ............................................................................................................. 44
Birth announcement .............................................................................................................................. 45
The buddy system.............................................................................................................................. 45
Enough about them, let’s talk about us............................................................................................... 46
Say it ain’t so ..................................................................................................................................... 47
Did you happen to notice where I left a half million auditors? .............................................................. 47
Found them!....................................................................................................................................... 47
A problem not owned equals a problem not solved............................................................................. 48
You want me to kill them now? (But they're so cute!)......................................................................... 48
I don’t want a baby brother. Tell the stork to bring ideas. ................................................................... 50
Competition is the spice of life............................................................................................................ 52
Get the data and proportionality............................................................................................................. 53
Does the punishment fit the crime? .................................................................................................... 54
Do you mind one last question?............................................................................................................. 54
Why didn’t I write any of that?............................................................................................................. 56
Conclusion: ........................................................................................................................................... 57
Appendix A: Database and Ontology ..................................................................................................... 58
Appendix B: Must Read's™ “Security and Risk Management”................................................................ 60
Bibliography .......................................................................................................................................... 62
Preface
...Why should anyone read a story about a possessed reading pile and a recovering workaholic?
With a liberal dose of fantasy and humor, "The Perils of Mount Must Read™" chronicles a quest to conquer the mountain of reading required just to stay competent in information audit and technology.
Admittedly, the intended audience has some background in compliance and IT. Even if the reader is not an IT auditor, the challenge of staying ahead of new tools and research in an industry with no respect for "too much information" is a familiar predicament. Add to that an ego-driven compulsion to make sense of every digitally available IT resource, and you have the essence of a modern-day tragic hero, an information overload villain, and a quest for information peace and enlightenment. Being caught up in the race to remain competent in one's profession is probably not unique to audit or technology.
Blending fiction and truth, the tale aims for insight, suggesting solutions to the problem of what to read and whom to regard as "expert" in our field.
Laugh with me or at me, but please relax and consider quality over quantity as an alternative to drinking from the digital fire hose.
Events transpire between October and December, and conclude with the New Year, 2006. Part fantasy and part truth, the characters admit their flaws and evolve a strategy for survival against "The Perils of Mount Must Read™."
Many thanks to the persons who provided a wealth of great resources. Credits are scattered throughout the story and detailed in the endnotes.
Hope you enjoy the read.
Kind Regards,
Robin Basham, M.IT, M.Ed., CISA, ITSM
The Perils of Mount Must Read™: Confessions of a Cliff Note Junky
© By Robin Basham
Ever have a day where the more you learn the less you know? Around here, it's been that kind of year. Printing any resource that might aid a losing race to stay current in regulations and frameworks, a reading backlog grew from a minor elevation to a hill. As autumn fell, the pile extended beyond the height of our office, and the perilous pile acquired a name: "Mount Must Read™."
In hindsight, I agree, this is hard to believe, but the story needs to be told. At the very least, consider it fair warning that you could be next.
Are you sure I'm in recovery?
I had every right to feel on top of things. The degrees, certifications, business, and friends were perfectly valid indicators of professional competence. Where the Sarbanes-Oxley Act of 2002 (SOA or SOX)[1], data privacy, COBIT®[2], COSO[3], ITIL®[4] and ISO/IEC 17799:2005[5] frameworks or any area of IT Audit were involved, I felt solid. Not a day went by without time on the ISACA[6] home page, and I can honestly say that with each visit we gained at least one significant download. Like a lot of people in my field, the list of what I should read increasingly outpaces the list I could read. Secretly, confidence in my ability to lead in my field had been replaced by a nagging paranoia that I would not maintain a respectable position in the reading race. In fact, I doubted my ability to finish the race at all.
Then I found out I'd be having surgery classified as major and was told to plan on one to two months in 'recovery'. No problem. White papers packed with slippers and duck, I slated five to ten hours of hospital down time for chapters 4 through 8 of the ICT Infrastructure Management manual[7].
I realize people don't read textbooks as they roll out of surgery, but the situation was beyond my control. I'm a pawn, a powerless sheep, manipulated by anxiety over an out-of-control reading list. It's not just the daily emails listing articles and white papers that can't be ignored. I'm a compulsive downloader, printing everything that seems to have use. The symbol of all knowledge became that mountain of unread documents.
More like Edgar Allan Poe's Tell-Tale Heart[8] than a personal Everest, Mount Must Read™ controls my life. It started as a harmless stack, documents I truly intended to read, but then I planted a flag at the summit. That fateful red and white post-it included two words. They were "Must Read™." Once the pile knew its name, it gained power. Somewhere between hill and mountain, its soul became corrupted by the Dark Side[9].
I will conquer Mount Must Read™
I have to conquer him. For one thing, he's blocking sunlight. (Please don't ask how I know Mount Must Read™ is male. You'll see soon enough.)
"Recovery" is a great word. I place it in the same category as "Down Time." (I have no idea what either word means.) Using down time to tackle Mount Must Read™ (a.k.a. "MMR™" and "Must Read™") is a perfect illustration of this problem.
Realizing that a stack of neglected documents would not hold my attention for very long, I constructed a challenge that might result in wealth or fame. I announced to myself, and within earshot of Mount Must Read™, "I will resolve duplicate legal requirements and rid our profession of redundant, competing technology standards." It's clear we need a short pile of "definitive required knowledge" and a safe means to disregard the rest. How many laws do we really need? It seems the ones that aren't obsolete either mandate concepts that people don't understand, can't be implemented, or are completely ignored. De-duplicating laws and standards meant we might finally operate with a short list of laws and standards, earn back some actual "downtime" and achieve the mission to deliver visibility and assurance of IT compliance. I am an information systems auditor. Someone's gotta do it.
Waste no time
Post-surgery, day one was not as productive as planned. The only perk you get in 'recovery' is unlimited self-delusional power naps (the kind where you know everything and people care). Aided by a steady morphine drip, this particular dream began with a typical scenario. I propose a completely implausible solution to world hunger and a full session of Congress erupts into accolades. Feeling confident in my powers, I make a classic Matrix gesture, the one where Neo signals Morpheus to "bring it on[10]." A voice on the floor asks "are there any U.S. statutes that allow us to charge Superman in connection with hurricane Katrina?" I say "we have to review his contract," but no one is satisfied. The room fills with auditors, business owners, five-star generals, and bankers. Like a thousand Mr. Smiths entering from a myriad of hallway doors, people keep asking questions with random sounds like "national strategy, FIPS[11], jurisdiction, FISMA[12], legal precedent, court martial, and FEMA[13]." Someone's shouting "Senator, did you even read FISCAM[14]?" My ears sting from the buzz of federal codes, defense directives, public executive orders and a list of my apparent violations. Dream panic ends as I shout from my bed "that wasn't even in the manual."
A nurse is measuring milliliters of urine and smiling like I'm about to get a gold star. I hear, "Would you like something for the pain, honey?" mingled with the sound of squeaky treads fading out into the hall.
The dream was completely wrong. I'd been doing the delusional power routine long enough to know this was not my own mind's doing. Something or someone was responsible, and I only knew of one "something" that had motive to make me feel this way. I'd suspected, but resisted speaking the words even to myself. It had been 72 hours since my last download. Mount Must Read's™ hunger for fresh paper had driven him to new heights of intimidation. His evil broadcast storm followed me right into surgery.
Should this have worried me? Did he know that I knew? Was he listening now?
I shook off the experience as a post-anesthesia fluke. The moment they freed me from nurse and catheter, it was business as usual.
Per my instruction, employees had carefully relocated Mount Must Read's™ amputated peak to a stack of documents by my bed. The papers piled next to a rolling laptop tray, a gigabit LAN port, and a two-line phone. Browser poised to Google™ (the Oracle of all downloads), my quest and journey was 'good to go'.
Being educated in research and statistics, my first steps began as a three-part hypothesis.
1. People create overlapping standards because they solve problems in isolation.
2. When existing law appears out of pace with technology, people create new laws to hinder technology instead of understanding the technical context of an existing law's applicability.
3. People describe the same problems and find the same solutions, limited by their ability to perceive and describe. We can't see the overlap. We think we are different, but our standards are essentially the same.
I typed "audit frameworks standards law" and said with glee, "we're off!" The Oracle answered, "Your search Results 1-10 of about 7,345,032 in 0.35 seconds." Instant headache: much too wide a topic for my recovering mind. (I can't imagine which of these four words unleashed smutty pop-ups, but clearly, I would have to do my own thinking until the anti-spam tool finished inoculating against 7,354 new browser exploits.)
First thought, "Why did I think I could do this?"
Took a legally prescribed substance and used a familiar warm-up question: "Why is there world hunger?" If Miss America can answer this, it shouldn't cause a brain cramp. I'm thinking "why can't we feed entire regions of starving people, while the local health news says the only thing we're losing is ground in the war against obesity. Do the people with food know that people are starving?" I can't surf TV, answer the phone, read the mail or go to the movies without someone suggesting ten new ways to donate. I admit that's where I lost interest. Hunger is a challenge for Superman or Congress. I only like a
Compliance Farm™: Theory of Professional Practice Evolution (Nonlinear)
Potato
- Interprets all knowledge as explained by prime time television
Fish
- Eats bait
- Captured for sport
- Required in food chain
Sheep
- Lives in a herd
- Keeps head down via lifelong commitment to grazing
- Fears Dogs
- Greatest accomplishment: is not a Potato
Self Aware Sheep
- Realizes there's more to life than being a Sheep, but can't put hooves on what to do about it
Snakes, Rats and Pigs
- Not useful to this discussion, but snakes and pigs are out there
Shark
- See Snakes, Rats and Pigs
Dog
- Loyal to one or more professional causes
- Enthusiastic bark
- Limited bite, growls via email, i.e., flaming for fame
- Wildly sniffs while investigating a new smell
- Quickly loses interest in a familiar stink
DogSquirrel
- Keeps a copy of everything
- Buries files in the back yard
- Prepares to read in winter
DogFish
- Resolves all problems by being a Fish, otherwise Dog
Rescue Dog
- Registered to vote
- Board member in one or more professional chapters
- Known to rescue the cold and stranded
- Reads journals and at least one newspaper
- To a large extent, views hard work as its own reward
- Looks up to Wolf
- Known to generate legal smudge, causing others to mistake Dog for Donkey
- Loves brandy
- Sleeps anywhere warm
Wolf
- Mates for life
- Keen sense of direction and survival, develops tools to serve the Wolf's purpose
- Travels in a pack, yet stands alone
- Hunts for its own food, sometimes penetrating thick walls of ice
- Tremendous ingenuity
- Known to eat Dogs and Sheep who "flame for fame"
- Not concerned by other packs unless fighting over territory
- Votes per instruction of Leader, enlisting Rescue Dog to herd sheep to the polls (sheep never register to vote)
Leader of the Pack
- Picks the party candidate, and directs every Wolf to get out there and vote
- Uses instinct to advance the pack, marketing products and ideas for both profit and real utility (not a Shark)
- Takes risks and fights for territory, able to sell the tools made by the pack
- Exceptional instinct is used to assure everyone's survival
- Uses a public image of being ruthless to hide evidence of self-sacrifice and compromise for a greater good
- Long cleared on charges regarding Little Red
Eagle
- Soars above the fight, preferring observations of trend over facts
- Leverages simultaneous centers of focus, seeing both forward and peripherally
- Critical to the balance of vermin, spotting rats at altitudes of 1,000 feet
- Eagles are the only species in possession of the big picture
- They see what others can't imagine, and most refuse to believe
- Eagles accurately pinpoint, by longitude and latitude, every national fault
Human Being (Human)
- Marked by goals involving world value achieved through arts and sciences; surpasses Wolf in vigilance, to create new standards for both ethics and practice
- Faces actual threats by leveraging Eagle's data to prioritize faults, and Wolf's ingenuity for tools, survival instinct and good sense in designing a practical response strategy
- Humans can be found in think tanks, governments, clergy, universities, private industry and even the world of entertainment
- They commit with or without promise of glory, and are more often sentenced to death than awarded a Nobel Prize
- Humans admit to having been Fish, Dog, Wolf and Sheep, because they have humility
- Regardless of whether we agree with a Human's goal, chances are we would not last a day in their shoes
Under the right set of circumstances every animal has the potential to be both Eagle and Human[16]
Cartoon plan:
Why Can't The Government Fix It?
Two women in hiking gear; a far-off mountain peak creates an enormous shadow.
Woman with binoculars asking: "Has NASA found a reason for the region's sudden lack of sunlight?"
Woman two answers: "They know the cause. It's Mount Must Read™, increasing at a rate of 2.4 kilometers a day. No one knows how to stop it."
What should an Information Systems Auditor eat?
Back to the quest: There had to be a faster approach to the overlapping mandates question, like a single inventory of standards, frameworks and laws. Starting points included sources I use regularly, acclaimed web sites like KNET[17], Security Benchmark[18], CERT/CC®[19], IIA[20], and the ISACA Member Downloads[21]. If you spend a portion of every day at these sites you will never be disappointed. On this particular day, I landed a substantial jewel, the newly released Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit[22]. Nothing speaks louder to the cause of harmony among standards than the highly planned marriage of giants: ISO/IEC 17799:2005 (developed by ISO[23] and the IEC[24]), COBIT® 3rd Edition[25] (under ISACA copyright[26]), and ITIL® (the flagship standard and product, produced by the United Kingdom's Office of Government Commerce[27]). Barriers to effectively combining assessment frameworks are dismantled as each body revises its newest release, adapting vocabulary and control concepts wherever possible. The organizations worked together, leveraging the best each offers to business, supplying one definitive meaning: a single unified model which is useful to any person engaged in IT Governance.
I felt a new confidence (counted the pills again), and looked right into Must Read's™ eyes, asking: "You still here? Take a hike! Beat it, scram. You've seen the list on KNet. I don't need you."
This wasn't even dignified by a response. Must Read™ smirked, the kind that mothers and high school teachers use to say "You can't be serious," which would have been bad enough, but then Mount Must Read's™ reign of terror truly came down.
"Where do you get the audacity to claim competence using the exclusive direction of Everett C. Johnson[28] (ITGI's International President), Tom Lamm[29] (ISACA's Director of Research, Standards, and Academics), and a handful among thousands of standards from ISO? Can you even spell GAAP?[30] It's the perfect word to describe the span of your pathetic attempts at thinking. Can you tell me one thing about David Richards[31] (President of IIA)?"
This is when he threw the killer blow, tossing the Global Technology Audit Guide (GTAG[32]), Information Technology Controls[33], right in my face.
Did I mention that it's sundown on Halloween and I'm trapped by a psychotic reading stack? I live on a quiet street. No one will care if I scream.
Cliff Notes[34] were too risky. I might miss a critical detail, never having time to get off a second shot. This would end in a single bullet. I picked up the Global Technology Audit Guide (GTAG) and, without stopping, read every word to the last reference and copyright on the report cover's back page.
In addition to appeasing Must Read™, the learning experience was tremendous. Like the great documents produced by ITGI and contributors to ISACA, this IIA Technology Audit Guide provided a comprehensive overview of approach and standards for IT Control Audit, including COBIT® as a primary and foundational IT Control standard. The journey, however, went beyond familiar ground, displaying a scrumptious menu of dishes I did not even know an IT Auditor was allowed to eat.
Reviewing the resources and contributor background shows IIA's coordinated efforts with the AICPA[35], CIS (Center for Internet Security)[36], CMU/SEI (Carnegie Mellon University Software Engineering Institute)[37], ISSA (Information Systems Security Association)[38], NACD (National Association of Corporate Directors)[39], and the SANS Institute[40]. Just getting a group this size to agree on one paragraph is notable, but this document amounted to agreement on the entire IT Control Map. I'm sure I'll continue my heavy use of COBIT® Online[41] as a fundamental tool for my practice, but the list of additional resources found in the GTAG held a great deal of promise.
Triumphant: "I shaved 7/10 cm off your peak without downloading Cliff Notes, summary, or random surfing. Bet you weren't expecting that?"
Mount Must Read™ is still laughing. "Did you catch those footnotes, hyperlinks, appendixes, and references? You'll be downloading all night!" He was right. They were new titles.
Touchdown! Mount Must Read™ 7, Hometown 0
I knew the "newly fallen Must Reads™" might accumulate a light dusting. November nights are like that. This single night's accumulated information fall dumped the equivalent of two years of collected readings. I tried to relax, telling myself the titles would melt off by halftime. Nine years of paper grazing, web surfing, earned degrees, and professional collaboration built a library more than 2000 files high. Timestamps alone attested to my entire 21st century digital whereabouts. How many titles could I miss?
Halftime came and went with little to no melting. 900+ substantial regulations, frameworks, events and organizations remained firmly fallen, adding only height to the perilously high Mount Must Read™[42]. I need a better defense, or at least to get within punting range.
Blame someone
I wish I'd been raised by wolves. The cubs next door had it made: eating off the floor, playing in dirt, chasing mice for school credit and earning advanced degrees with nothing more than their instinct. Their Dad has a seat in the Senate. I'm the grown-up child of Mr. and Mrs. Quality Management. Mom's name is ISO. Her life is a standard. Dad's a complete perfectionist. His name is TQM[43]. What would they say if they could see me? Ivy League obedience school, private barking lessons and constant lectures: "there's more to life than digging holes, chasing cars, HIPAA[44], SOX and GLBA[45]!"
Legal GAP
I had to turn this around quick. First order of clean-up was the legal GAP[46]. The investment in reading on the topics of the Sarbanes-Oxley Act (SOA or SOX), Public Law 107-204[47], the Gramm-Leach-Bliley Act of 1999 (GLBA), Public Law 106-102[48], and the Health Insurance Portability and Accountability Act of 1996 ("HIPAA", not HIPA), Public Law 104-191[49], exposed me to the Securities Exchange Act of 1934[50], crimes involving computer abuse and fraud, and specific areas affecting records management in audit such as Rule 17a-4 in the final rule by the SEC. Please don't ask how I missed FISMA, FOIA[51], or that government-regulated industries use NIST[52] and FIPS as mandated by law. The list of regulations affecting IT standards alone quickly jumped over one hundred. Realizing there had to be a strategy to get arms around this task, I began rating laws based on immediate IT Audit requirement. This still left over sixty regulations. Relegating laws exclusive to Britain and Canada to the items with less immediate impact only lowered the list by two[53]. Even attempts to separate "critical" from "background" material did not change that when I asked "how can not knowing this hurt me?" the answers were fairly substantial, and at the least, not to be ignored. I settled on the following three dozen laws, spending time reviewing each and keeping the summary in a database. I eventually read all the laws, but there are still items from the recent blizzard that compel me as more threatening areas of my mental gap.
What I don't know can't hurt me
Title | Type | Regulation Primary Name | Date | Valid Copy in Public Domain: Web Reference
United States of America Patriot Act of 2001 | United States Federal Law | P.L. 107-56, 115 Stat. 272 | October 26, 2001 | Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (US Patriot Act) Act of 2001
United States Copyright Law, Title 17 | United States Code | 17 U.S.C. §§ 101–810 | October 19, 1976 | Circular 92: Copyright Law of the United States of America and Related Laws Contained in Title 17 of the United States Code
Uniform Accountancy Act | State Board | Uniform Accountancy Act | November 2002 | Uniform Accountancy Act, Third Edition, Revised, November 2002
Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records; Electronic Signatures | Code of Federal Regulations | 21 CFR Part 11 | August 2003 | 21 CFR Part 11: Electronic Records; Electronic Signatures
Securities Exchange Act of 1934 | United States Code | 15 U.S.C. §§ 78 | July 1934 | Securities Exchange Act of 1934
Section 17a-4: Final Rule: Applicability of CFTC and SEC Customer Protection, Recordkeeping, Reporting, and Bankruptcy Rules and the Securities Investor Protection Act of 1970 to Accounts Holding Security Futures Products | United States Federal Law | 15 U.S.C. §§ 78, Rule 17a-4 | 1934 | Final Rule: Applicability of CFTC and SEC Customer Protection, Recordkeeping, Reporting, and Bankruptcy Rules and the Securities Investor Protection Act of 1970 to Accounts Holding Security Futures Products
Sarbanes-Oxley Act of 2002 | United States Federal Law | P.L. 107-204 | July 2002 | Public Law 107-204, July 30, 2002, 116 STAT. 745
Safe Harbor Privacy Framework | United States Code | 15 U.S.C. §§ 44-58, Section 5 | July 21, 2000 | Introduction to the Safe Harbor
Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 | United States Federal Law | P.L. 108-375 | October 2004 | Public Law 108-375, October 28, 2004, 118 STAT. 1811
Paperwork Reduction Act of 1995 | United States Federal Law | P.L. 104-13 | May 1995 | Public Law 104-13
OMB Circular A-130: Management of Federal Information Resources | United States Office of Management and Budget Circular/Bulletin/Memorandum | OMB Circular A-130 | September 29, 1995 | Circular A-130, Management of Federal Information Resources
OMB Circular A-119, Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities | United States Office of Management and Budget Circular/Bulletin/Memorandum | OMB Circular A-119 | Effective February 19, 1998 | Revised OMB Circular A-119
National Technology Transfer and Advancement Act of 1995 | United States Federal Law | P.L. 104-113 | March 7, 1996 | Public Law 104-113, 3/7/96
National Archives and
Records Administration
United States Code 44 U.S.C.
§§ 2101 to 2118
Founded in
1934
NARA
Homeland Security Act of
2002
United States Federal Law
P.L. 107296
2002 Homeland Security Act of
2002
Health Insurance Portability
and Accountability Act of
1996
United States Federal Law
P.L. 104191
April 2003 Public Law 104191
GrammLeach Bliley Act of
1999
United States Federal Law
P.L. 106102
November
12, 1999
GrammLeach Bliley Act
Freedom of Information Act United States Code P.L. 104
231
1966,
Amended in
2002
Freedom of Information Act
Foreign Corrupt Practices
Act 1977
United States Federal Law
P.L. 105366
1977 Foreign Corrupt Practices Act
1977
FIPS Publication 201,
Personal Identity Verification
(PIV) for Federal Employees
and Contractors
Federal Information
Processing Standard FIPS
201
February
2005
FIPS Publication 201,
Personal Identity Verification
(PIV) for Federal Employees
and Contractors
FIPS Publication 200,
Minimum Security
Requirements for Federal
Information and Information
Systems
Federal Information
Processing Standard FIPS
200
July 2005 FIPS Publication 200,
Minimum Security
Requirements for Federal
Information and Information
Systems
- 14. The Perils of Mount Must Read™
©Robin Basham Page 14 5/15/2006
Title Type Regulation Primary Name Date Valid Copy in Public
Domain: Web Reference
FIPS Publication 199,
Standards for Security
Categorization of Federal
Information and Information
Systems
Federal Information
Processing Standard FIPS
199
February
2004
FIPS Publication 199:
Standards for Security
Categorization of Federal
Information and Information
Systems
Final Act of The 19861994
Uruguay Round Of Trade
Negotiations Agreement On
Technical Barriers To Trade
International Trade
Agreement
P.L. 103465, 108 Stat. 4809 April 15,
1994
WTO | legal texts A
Summary of the Final Act of
the Uruguay Round
Federal Trade Commission
(FTC) Act of 1914, amended
in 1938
United States Code 15 U.S.C.
§§ 4158
1914,
Amended in
1938 and in
2000
Federal Trade Commission
Act, Title 15 Commerce and
Trade
Federal Information Security
Management Act of 2002
United States Federal Law
P.L. 107347, Title III
July 30,
2002
Federal Information Security
Management Act of 2002, 44
USC 101 note
Fair Credit Reporting Act or
Bank Secrecy Act
United States Federal Law
P.L. 91508
1970,
Amended in
1996 and in
2003
Internal Revenue Manual
4.26.5 Bank Secrecy Act
History and Law
Fair and Accurate Credit
Transactions Act of 2003
United States Federal Law
P.L. 108159
December
2003
PUBLIC LAW 108–159 DEC.
4, 2003 117 STAT. 1952; 15
U.S.C. § 1601
Executive Order 13103 of
September 30, 1998
Computer Software Piracy
Executive Order Executive
Order 13103
September
30, 1998
Executive Order 13103:
Computer Software Piracy
EGovernment Act of 2002 United States Federal Law
P.L. 107347
December
2002
H. R. 2458: EGovernment
Act of 2002
DCI Directive 6/3, Protecting
Sensitive Compartmented
Information within
Information Systems
Director of Central
Intelligence Directive Central
Intelligence Policy
June 1999 DCID 6/3 Policy
Cyber Security Research
and Development Act of
2002
United States Federal Law
P.L. 107305
February 7,
2002
Cyber Security Research and
Development Act of 2002
National Institute of United States Federal Law October Computer Security
- 15. The Perils of Mount Must Read™
©Robin Basham Page 15 5/15/2006
Title Type Regulation Primary Name Date Valid Copy in Public
Domain: Web Reference
Standards and Technology
Act formerly Computer
Security Enhancement Act
of 1997, amendment to
Computer Security Act of
1987
P.L. 100418 was P.L. 100
235
1998 Enhancement Act of 1997
(Reported in Senate);
THOMAS U.S. Congress on
the Internet
Computer Fraud and Abuse
Act of 1986
United States Code 18 U.S.C.
§§ 1030
October 11,
1996
Computer Fraud & Abuse Act
ClingerCohen Act of 1996 United States Federal Law
P.L. 104106
1996 Illinois Land Conservation Act,
P.L. 104106 S.1124
Chief Financial Officers Act
of 1990, A Mandate for
Federal Financial
Management Reform
United States Federal Law
P.L. 101576
September
1991
GAO/AFMD12.19.4 CFO Act
Please don't make me go back to high school
Maybe it was withdrawal from pain medication or just pure frustration, but taking down Mount Must Read™ required some clean up I've been putting off for too long. Most aspects of legal reference leave me totally confused. Seeing what seemed to be the same law as U.S. Code, Public Law, Code of Federal Regulation, Bill, Section, Circular, Directive, Amendment or simply cited under a variety of entirely different names, convinced me that I wasn't cut out to understand the law. In fact, I can't tell if my own government follows the law. Maybe that is by design, but it seems that I should. And I don't mind shucking a little blame. Judging by printed and internet text, a lot of people are generally confused about the law.
Education Mandate: Almost every U.S. State has legally mandated basic mastery of U.S. Government and the foundations of our legal system as a requirement for high school graduation and/or examination equivalency. (See Citizenship Education Inclusion in Assessment and Accountability Systems, Copyright 2002 by the Education Commission of the States, ECS [54].)
Seems safe to say then, that any college graduate should be able to read a law and minimally appreciate its intent. This would also suggest that by the time we are earning our audit credentials, it would not fall to our national standards organization to be accountable to this same requirement. I only suggest that the scope of our most impacting laws tends to be straightforward. My personal struggle is interpreting audit and business accountability within our own code of professional practice. I would never attempt to embark on this alone.
Good News, they pay people in congress to think
Researching legal statutes, national standards and the organization of code is cared for by our own government. (See How Our Laws Are Made [55].) Congress has allocated budget to assure timely reports on all upcoming and recent changes to our legal system. Found at Internet: Think Tanks & Research Institutes [56], SIL DC List of Think Tanks [57], and Earth's Common Sense Think Tank [58], three independent sources support the following conclusion: The United States still pays people to think.
Congressional Research Service Reports [59] are legal summaries that even people with limited exposure to the law will fully understand. After drinking in a few days of legal process and glossary, I have to say, it isn't as bad as you might think. Eventually, even I could swallow raw statute without holding my nose.
The short title, or name of a law, provides common language for the purpose of discussion and amendment by our members of congress. We avoid speaking with numbers, chapters, and sections by using "short titles" as a way to make laws and their amendments accessible. The overall intent of a Bill is enacted in the final rule of an Act, and enforced as positive law through a process of codification, where its language rests in permanent legal code [60]. (Codification is defined in the endnote.)
I admit the choice to cite an act as Public Law vs. its final area(s) in U.S. Code is, for me at least, a judgment call. Laws, unlike us, are not created equal. How we cite them may require historical context. For example, dozens and even hundreds of amendments to any title or chapter of code can occur based in the final ruling of a single Act. In reverse, multiple acts can affect a single area of code. Whether we cite public law or code, we are talking about the exact same thing. Law is law. Regulation is regulation. Federal regulation for a single law will spawn further directives and regulation for alignment among all major regulatory bodies. Recognition plays a big factor in how we speak about legal ruling. When reading the word "SOX" (Public Law 107-204) most of us sense the allusion to financial controls and regulatory penalty. In ten years, reading "SOX" in text regarding ethics and financial control will likely be interpreted as a funny typographical error. Where a law is more recognized than its eventual areas of code, such as the legislation resulting in the Sarbanes-Oxley Act of 2002, using the short title makes more sense as a common frame of reference. The Securities Exchange Act of 1934, for example, extends concepts in the Securities Exchange Act of 1933, but has different scope and intent. They are not the same law. It's easy to see why people become confused. Where a collection of acts continues to affect a single area of code, it is practical to bundle discussion to a single substantial area of legal reference, as for example the Copyright Law of the United States of America [61], sometimes identified as just "Title 17" within U.S. Code. As noted in the preface of this GPO [62] document,
    The United States copyright law is contained in chapters 1 through 8 and 10 through 12 of title 17 of the United States Code. The copyright Act of 1976, which provides the basic framework for the current copyright law, was enacted on October 19, 1976, as P. L. 94-553, 90 Stat. 2541. Listed below in chronological order of their enactment are subsequent amendments to copyright law. Chapters 9 and 13 of title 17 contain statutory design protection that is independent of copyright protection. Chapter 9 of title 17 is the Semiconductor Chip Protection Act of 1984 (SCPA), as amended. On November 8, 1984, the SCPA was enacted as title III of P. L. 98-620, 98 Stat. 3335, 3347. Chapter 13 of title 17 is the Vessel Hull Design Protection Act (VHDPA). It was enacted on October 28, 1998 as title V of the Digital Millennium Copyright Act (DMCA), P. L. 105-304, 112 Stat. 2860, 2905. Subsequent amendments to the SCPA and the VHDPA are also included in the list below, in chronological order of their enactment.
Please don’t let a block of text unravel the entire argument. Consider the block again. Here’s what I see.
    The United States copyright law is contained in chapters 1 through 8 and 10 through 12 of title 17 of the United States Code. The copyright Act of 1976, which provides the basic framework for the current copyright law, was enacted on October 19, 1976, as P. L. 94-553, 90 Stat. 2541. Listed below in chronological order of their enactment are subsequent amendments to copyright law. Chapters 9 and 13 of title 17 contain statutory design protection that is independent of copyright protection. Chapter 9 of title 17 is the Semiconductor Chip Protection Act of 1984 (SCPA), as amended. On November 8, 1984, the SCPA was enacted as title III of P. L. 98-620, 98 Stat. 3335, 3347. Chapter 13 of title 17 is the Vessel Hull Design Protection Act (VHDPA). It was enacted on October 28, 1998 as title V of the Digital Millennium Copyright Act (DMCA), P. L. 105-304, 112 Stat. 2860, 2905. Subsequent amendments to the SCPA and the VHDPA are also included in the list below, in chronological order of their enactment.
I am an Information Systems Auditor. This is my "take away" for "critical mass."
    Copyright Acts are codified in Title 17 within Chapters 1-8, 12-17 of Title 17 but not 9 and 13
    Critical and current statute representing roll up of copyright laws: Digital Millennium Copyright Act (DMCA), P.L. 105-304, 112 Stat. 2860, 2905
    Both items are immediately added to my source documents database, representing two, not six, items for "critical reading."
(Note: Endnote includes directions for joining the Information Security Management group as sponsored by ISACA. Here's your chance to speak with the Eagles who influence the design of the Digital Millennium Copyright Act [63].)
Laws resurface based in the context of historical events. In some cases, a new name will be used to identify the review of the Act. An example is the Computer Fraud and Abuse Act of 1986 [64], also known as 18 U.S.C. § 1030 (as it is amended), National Information Infrastructure Protection Act of 1996, and "§ 1030. Fraud and related activity in connection with computers," the chapter heading as found in the Legal Information Institute's sanctioned rendering by title of all U.S. Code.
Say "Goodbye" to statute virginity
Like any of the frameworks we use, understanding the shape of Code and Federal Regulation goes a long way.
Warning to Dog-Squirrels and Sheep under the age of 18: The following title is not an actual directive. "Download the United States Code Office of the Law Revision Counsel [65]" is an online U.S. Code library, managed under the authority of the U.S. House of Representatives. You can search and, yes, legally download every character in our Code… but, trust me on this, don't do it.
Title
Title 1: General Provisions
Title 2: The Congress
Title 3: The President
Title 4: Flag and Seal, Seat of Government, and the States
Title 5: Government Organization and Employees (and Appendix)
Title 6: Domestic Security
Title 7: Agriculture
Title 8: Aliens and Nationality
Title 9: Arbitration
Title 10: Armed Forces (and Appendix)
Title 11: Bankruptcy and Appendix
Title 12: Banks and Banking
Title 13: Census
Title 14: Coast Guard
Title 15: Commerce and Trade
Title 16: Conservation
Title 17: Copyrights
Title 18: Crimes and Criminal Procedure (and Appendix)
Title 19: Customs Duties
Title 20: Education
Title 21: Food and Drugs
Title 22: Foreign Relations and Intercourse
Title 23: Highways
Title 24: Hospitals and Asylums
Title 25: Indians
Title 26: Internal Revenue Code (and Appendix)
Title 27: Intoxicating Liquors
Title 28: Judiciary and Judicial Procedure (and Appendix)
Title 29: Labor
Title 30: Mineral Lands and Mining
Title 31: Money and Finance
Title 32: National Guard
Title 33: Navigation and Navigable Waters
Title 34: Navy (Repealed)
Title 35: Patents
Title 36: Patriotic Societies and Observances
Title 37: Pay and Allowances of the Uniformed Services
Title 38: Veterans' Benefits (and Appendix)
Title 39: Postal Service
Title 40: Public Buildings, Property, and Works
Title 41: Public Contracts
Title 42: The Public Health and Welfare
Title 43: Public Lands
Title 44: Public Printing and Documents
Title 45: Railroads
Title 46: Shipping (and Appendix)
Title 47: Telegraphs, Telephones, and Radiotelegraphs
Title 48: Territories and Insular Possessions
Title 49: Transportation
Title 50: War and National Defense (and Appendix)
Give up the white paper crutch
There's nothing wrong with an occasional white paper. Many are nothing more than benign generalizations of laws and standards, usually written to pass a class or sell a product. Laws however are neither static nor general. Even when accurately cited, laws are amended, superseded, repealed, codified, and renamed. White papers just sit on our hard drives. This is why we need at least one government approved and maintained repository in our circle of reference. National Archives, The Government Accountability Office Portal, Thomas [66], and our Library of Congress are free and available online resources.
Reading laws instead of reading what others say about them supercharged my diet and completely removed my craving for smudge (i.e., legal fudge). If you let reading law evolve into habit, you may experience a vision of the national landscape. The stronger our wings, the more our minds begin to soar. Mountains and valleys seen from a thousand feet in the air will take your breath away.
I only know this because I occasionally get a window seat to the West Coast. When I am lucky, I get to
see the Rockies.
- U.S. House of Representatives Internet Law Library
- Statutes
- Code Of Federal Regulations Background
- Code Of Federal Regulations Searchable
- U.S. Code Searchable
- Thomas, In the spirit of Thomas Jefferson, legislative information from the Library of Congress
Can someone help me down from my horse?
Panic Attack: “No Officer, I swear on my vintage Batman comic books, I have no idea how all those
copyrighted files got there.”
On day sixteen of my Cliff Note recovery, I discovered there is no ladder down from a high horse. You
just have to jump. Day sixteen was a Saturday deleting 2000+ standards and white papers spanning 15
blissful digital years of “right click, save target as” copies, stored for no better reason than because “I
could.”
The effort gained back a maxed out drive share and an enormous waste of resources spent backing up essentially dead information. Even though we have long implemented Software Asset Management, content assets had been largely overlooked. Validating the right to store and save information extends beyond client and legal documents. Downloads need a valid reason to be stored on a business network. Valid licenses and accurate workstation configurations include all forms of content.
Any standard or law identified as mandate will have one authoritative source. The documentation will be stored as a hyperlink reference, leaving copyrighted content in its rightful home, allowing for its timely removal and update by the document's legal owner. The only exception to keeping links, whether publicly accessible or available by authentication, rather than local copies, is the books and materials we purchase. Representing standards and guidelines used in professional practice, these should be managed as material assets with locations and copies managed in the context of their copyright.
My Mother told me to say I’m sorry
“I'm Sorry.”
I had no grounds to comment on laws that conflict. In the event I do come across a question or an actual
issue, we have Codification Legislation as managed by the Office of the Law Revision Counsel:
    Codification Legislation Office of the Law Revision Counsel
    As currently proposed by H.R. 866 (109th Congress, 1st Session), and under the management of the Law Revision Counsel
    Technical Corrections to the United States Code Public Law 93-554 (2 U.S.C. 285b) currently enforces technical corrections to the United States Code relating to cross references, typographical errors, and stylistic matters. […]
    "Positive law codification is the process of preparing and enacting, one title at a time, a revision, and restatement of the general and permanent laws of the United States. Because many of the general and permanent laws that are required to be incorporated into the United States Code are inconsistent, redundant, and obsolete, the Office of the Law Revision Counsel of the House of Representatives has been engaged in a continuing comprehensive project authorized by law to revise and codify, for enactment into positive law, each title of the Code. When this project is completed, all the titles of the Code will be legal evidence of the general and permanent laws and recourse to the numerous volumes of the United States Statutes at Large for this purpose will no longer be necessary.
    Positive law codification bills prepared by the Office do not change the meaning or legal effect of a statute being revised and restated. Rather, the purpose is to remove ambiguities, contradictions, and other imperfections from the law."
The legal process begins and ends with the same goal, to serve a unique useful purpose with clear conditions, boundaries, and scope. Real issues of clarity can escalate as high as the United States Supreme Court. Representing a law left or right of original context, stretching its interpretation or extending its intent, creates the legal smudge that pollutes everyone's atmosphere.
IIA and ISACA make frequent efforts to assure our accurate reference to U.S. and International Laws. In fact, my exposure to the EU Directive and cross border privacy began with the ISACA and ISACAF collaborated paper on Electronic and Digital Signatures: A Global Status Report [67].
Basic principles of a well rounded diet
Being a cliff note junky, my health condition had long shown signs of chronic "Vertical Stack." Left untreated for a period of many years, I ran the risk of acquiring "Swiss Cheese" syndrome.
Well rounded: balanced consumption across all major food groups, minimizing potential gaps in awareness as might cause failures during periods of stress (i.e., climate change in career stalls, shifts in corporate regulations, and so on). Balanced consumption is best achieved by a diet of mainly raw publications, as processing is known to remove most essential nutrients.
At the opposite end of "well rounded" is the malnutrition condition known as "vertically stacked." A stacked professional maximizes consumption in a narrow selection of food groups, producing single areas of expertise characterized by tremendous height. Weaknesses include: stacks can't roll, tip easily, and once down, are impossible to stand back up. Similar to "Stack" is a state known as "Swiss Cheese": a low calorie snack, full of holes, not a substantial meal.
These conditions are quickly cured by a steady diet including areas high in nutritional content. Fresh, inexpensive content is found in a range of local markets including the FFIEC [68], NIST [69], AICPA [70], COSO [71], National Archives and Records Administration (NARA) [72] and Government Accountability Office (GAO) [73].
Deciding what to read has a lot to do with where we find it. My lists began as "scraping", taking titles from news and email, especially those from George Spafford Jr. [74] and Dan Swanson [75]. Having plenty of caloric content, the links are rolled in a spreadsheet preservative allowing them to appear fresh during the next Future Surf (FS) event. First cousin to Mount Must Read™ (MMR™ in most health journals), FS's virtual tasty bone flavor has an addictive quality, causing even the healthiest Dog to indiscriminately bury them in a digital back yard.
[Cartoon: Trade Secrets. Reporter with microphone asking, "What's your secret?" 17th Century Art Studio - Michael Angelo: "Throw the bad paintings out." Scaffold with baskets and heads - Hooded Man with guillotine: "Keep the blade sharp."]
How do you keep that stunning figure?
For me, people like George Spafford Jr., Gene Kim, Dan Swanson, Bruce Winters, Kevin Behr, Mike S. Hines, Tim Howes, James Bryce Clark [76] and far too many more to list, collectively represent the Eagles. They remain a vigilant lookout, perched high, eyes watching for movement, legal, technical, and/or social, on everyone's horizon. Their letters and posts amount to a habit of vision, spotting nourishment and vermin at a distance of a thousand feet.
Contrary to popular belief, long lists are not the ultimate tie breaker for the last seat in heaven. Lists don't help us find a mate or increase our salary. I'm fairly certain they send us the information as a reminder. They're telling us to look alive and keep sharp [77].
Trade secrets
On the point of "where" we find things, valid security portals meet every resource information criterion, with one providing particular advantage to audit. They explain their current legal mandates and current best strategies for implementation of specific published standards. For example, "OMB Circular A-130: Management of Federal Information Resources [78]," OMB Circular A-119, Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities [79], and The Cyber Security Research and Development Act [80] enforce, among other things, National Institute of Standards and Technology (NIST) [81] authority to perform oversight, research and development, management and distribution of security standards and various benchmarking tools. Security Technical Implementation Guides (STIGs) [82], found at DISA Checklists / Implementation Guides, exemplify a regulated and monitored security source. Equal in rank, and including duplication in some areas of information, is the Center for Internet Security (CIS). CIS checklists [83] are categorized by use, as applied to various industry requirements. U.S. Commerce Department's Technology Administration funding and guidance to NIST is a part of our United States Law, and plays a leading role in our "National Strategy to Secure Cyberspace [84]." The works produced by NIST, under the U.S. Commerce Department's Technology Administration's authority, are "critical" and essential to our practice. It's at the top of my list.
You can't make me download!
It took several days just to review publication dates, document contents, organizations and authors. In spite of Mount Must Read™, I resisted impulses to save and print. The titles remained in their native homes, while records only stored hyperlinks, along with background details and high level metadata regarding criticality, use and contents. The most notable reference was a very short document simply listing titles used to evaluate best security practices by the House of Representatives committee known as the CISWG [85]. United States Cyber Security Reference List [86] highlights a standards review process resulting in improvements to the way we define, prevent, regulate, and criminally penalize cyber crimes. CISWG Human and Eagle efforts continue to impact law, standards, and technology as an industry [87].
Under the Directive of the Cyber Security Enhancement Act, Report To The Congress: Increased Penalties For Cyber Security Offenses (As Required By Section 225(C) of The Homeland Security Act of 2002, Public Law 107-296) provides an excellent summary of laws designed to manage international and national cyber risk, explaining the nature of data privacy rulings and the need for greater controls, in a manner I found unsurpassed [88].
GAO, is that you?
Beware of our Government Accountability Office, GAO. Pack a lunch before you launch, as you may become glued to the monitor for the next several days. Auditors and IT professionals will feel compelled to read the "Yellow Book" series, but my advice is to go straight for the Federal Information and Communications Audit Management Guide (FISCAM) [89]. Skip the search for Cliff Notes. You simply have to put on high boots and march through these pages one at a time. Having a mental picture of FISCAM's framework will alter all future thinking in terms of what is available to us in the world of audit.
A mental hierarchy will evolve. With visibility, you gain confidence in the knowledge that two reams of unread white papers are, by virtue, obsolete better practices. This is a reminder that federally mandated standards (FIPS) should be exclusively viewed at the Computer Security Resource Center's (CSRC's) Computer Security Division (CSD) web site, which is the only place that holds responsibility for their distribution and content [90]. Similarly, keep COBIT® standards linked to the ISACA web site and check back often for new releases and updates. There are thousands of sites posting rogue copies of out of date standards. As IT professionals, this is a habit we all should break.
If this is your first exposure to the words FIPS and NIST, excellent presentations by Marianne Swanson and Dr. Ron Ross can help to quickly fill in what you missed [91]. As indicated in their presentations, they collectively manage projects, publications, and training for the Computer Security Division of the Information Technology Laboratory at NIST. In draft, NIST SP 800-53a identifies Dr. Ross as government appointed FISMA Implementation Project Leader. Most recently, Dr. Ross made publicly available Building More Secure Information Systems [92], A Strategy for Effectively Applying the Provisions of FISMA.
Regarding recovery
I knew I’d completely lost my mind. Anyone with impulse to wrap their head in tin foil in order to conceal
thoughts from a stack of reading material, (even if the stack has glaring eyes, and a pitching arm), is
minimally experiencing “a cry for help.” I made many calls, left messages, demanding information about
my anesthesia and the array of federally regulated recovery aids. NFL nurses kept me from reaching the
surgeon, since apparently paranoid delusional panic is completely normal. The nurses kept saying, “You
just had surgery. These things take time. You’re in recovery for crying out loud. Go back to bed.”
Even the score
I realized I had to find a way to slip Must Read™ all of my remaining drugs. After all, I’m in recovery, so
he needs the pills more than I.
The Ruse: An entire bottle of sleeping pills ground to fine powder and sprinkled between the pages of
bogus publication, tucked deep within his stack, under pretext of adding fresh reading. While Must
Read™ surrendered to a deeply delusional power nap, I snatched away redundant copies of web enabled
resources. 47 inches shorter, Must Read™ eventually woke, oblivious to any change.
The diet starts today: All right today... first thing in the morning… I mean it this time
After consuming twenty five pounds of regulation and Halloween candy, the previous night’s reading fall
began to melt. I’d gained a range of tools, saved $75.00 in ink, and noticed common evolutionary
patterns in the list of significant mandates.
Returning to the Compliance Farm™ Theory of Evolution [93], the details aligned to framework quite nicely.
Eagles report observed faults, which spawn wolf teams to analyze risk impact. Wolves define details of
the problems, breeding theories, tools, and best practice. These discoveries influence ideals, and
Humans form committees to amend our laws. This leads to regulation requiring supporting standards.
The standards evolve increasingly efficient methods to mitigate the exact same observation that started
the cycle in the first place, a fault, a perceived weakness affecting the survival of the pack.
These factors further strengthen the quest to conquer Must Read™:
Duplications exist across organizations and lists because most webmasters apply unique names to
identical content. Focus on the diamond domains like www.crcs.nist or www.gpo.gov.
Laws are introduced, amended, enacted and codified, each version having its own short title. With the
help of LOC (our Library of Congress) and institutions like Cornell, Duke and Harvard Law, legal lists
normalize by 80% if you simply check the history on any law or act.
Favorite discovery: Among the Humans (i.e., authors, organization leaders, committee chairs) were
names I actually know. If you take part in the ISACA list services, you may be posting with them on a
regular basis. Members of ISACA, CMU, Purdue and IIA had cross-pollinated years ago. Reference after
reference demonstrates the same sets of names: executive board members, professors, engineers,
directors, corporate owners (large and small), and security professionals; essentially a list of people that
look and feel a lot like “us.”
A good diet can make anyone strong. I told Mount Must Read™ (MMR™, since we’ve become more
familiar) to “Back off! I don’t have to pick a winner. The frameworks don’t compete.” Mount Must Read™
only shrugged in submission. We both knew the “building in isolation” hypothesis wasn’t working.
“Is it possible” I asked aloud, “that the proliferation of laws and standards is just our need to improve on
existing ideas? All I need to solve this problem is to start finding document nutrition labels and checking
for expiration dates.”
Did I have him now? Was this the blow that would take him down?
“Expired Ideas? Blah ha, ha, ha! You’re killing me!” Mount Must Read™ exploded in earth-quaking
laughter.
“Laws have Sundown dates. Drugs have "use by" dates. Even car parts have warranty and recall dates.
Why shouldn't standards have "applicable by" dates? Stop laughing at me!”
Birth records, death certificates and standards euthanasia
It seemed reasonable to me: a rule that lets a standard go once it has outlived its usefulness. We could
establish a committee to determine recommendations for putting various standards down. On second
thought, I was beginning to see Mount Must Read’s™ point. We are not a culture that likes to throw things
out, never mind recognize when it’s time to gracefully step down. The solution had to be data driven and
non-emotional.
First attempts at gathering a baseline inventory of registered standards relied on non-member area
publications at ISO-IETF hosted sites. Unfortunately, the number of technical committees alone spans
hundreds of web locations, and the 2004 year-end report by ISO lists more than a thousand standards in
active use. FFIEC, ANSI, NIST, and NISO had more generic lists, but still failed to establish an altitude to
consistently represent domains, framework concepts, categories, or classes. Listing everything would be
too much information and instantly obsolete. There must be a Standard for the Classification of
Standards. How can organizations like ANSI and ISO exist without it?
A long-time user of the ISO 9000 and 17799 series, I can’t tell where the standards end and my own
thinking begins. With bias, I’ll suggest that the published ISO/IEC Directives make the best model for a
framework to create or manage standards. A review of recent Supplement Procedures specific to ISO [94],
located at the ISO TC Portal, reveals that ISO committees, by design, will not approve the scope of a
Technical Committee (TC) without a thorough review verifying that the standard is unique and not in
conflict with a known charter or activity of any other registered standards body. ISO is without question
the highest ranking standards organization worldwide. Its templates for the development of a standard
alone can make other efforts and products appear trivial (although I’m not saying that they are). Any
means of evaluating and comparing standards should begin with the values expressed in a world report
published December 2004, stating the criteria for the adoption of any ISO standard. They should:
§ respond effectively to global regulatory requirements, market needs and scientific/technical
developments;
§ not distort markets nor have adverse effects on fair competition;
§ not stifle innovation or technological development;
§ not give preference to the requirements of specific countries or regions; and
§ be performance-based rather than design-prescriptive [95].
ISO provides templates for the development of standards. The models found here should be part of the
collective consideration establishing the bar for the quality of standards produced by any organization.
There is a published standard for the Conformity Assessment: Code of Good Practice: ISO/IEC Guide
60:2004, describing “[…] all elements of conformity assessment, including normative documents, bodies,
systems, schemes, and results. It is intended for use by individuals and bodies who wish to provide,
promote or use ethical and reliable conformity assessment services. ISO/IEC Guide 60:2004 is designed
to facilitate trade at the international, regional, national and subnational level(s) [96].” This guide
establishes a clear target for the implication of a standard to promote safe trade through a process of
clear measurement.
If it makes sense, it exists
I wondered if I could just buy the data. ANSI pointed to the following sources:
§ NSSN / Standards Mall
§ Homeland Security Standards Database
§ The Hydrogen Codes and Standards portal
§ Standards Information
§ Standards Developing Organizations
§ National Standards Bodies
§ Other Organizations/Topics of Interest
A trip to the Standards Mall
Do you see it? There is a Standards Mall. For a fee of only $99.00, anyone can obtain a database of
coordinates, locations and access to an untold number of standards. Actually, the number is over a
quarter million.
The NSSN: A National Resource for Global Standards includes contributions by 600 developers and is
grouped into six categories:
§ Approved Industry Standards
§ Approved International Standards
§ Approved U.S. Government Standards
§ Industry Standards Under Development
§ International Standards Under Development
§ U.S. Government Standards Under Development
With updates ranging from weekly to monthly, this number is no doubt already greatly increasing.
Standards Tracking and Automated Reporting (STAR) Services are described this way:
In today's world of change, the best laid business plans can be swept away almost
without warning. Speed has become the name of the game and instant information
provides the competitive edge.
Users require immediate access to data organized in a meaningful format. The
NSSN's Standards Tracking and Automated Reporting (STAR) Service […] keeps
you informed by tracking critical updates in the standards arena. Current status
reports on more than 270,000 standards under development, revision and
maintenance are as close as your desktop and as easy as sitting back and reading
your email.
Available only by subscription via NSSN, STAR identifies new project proposals and
automatically tracks changes in status of a development project or standard under
maintenance [97].
Each change of document status is compared to a directory of user-established
profiles: profiles broad enough to span an entire industry or focused enough to track
updates to a single standard. Users impacted by an update receive an email
summary and a URL link to a personal web page cataloguing details of the
modification.
After 30 or 40 links, it was clear I had too many choices and no compelling hierarchy for gathering a
baseline of standards. I left the mall hungry for one high level list.
NISO, the National Information Standards Organization [98], for example, provides a comprehensive
overview of TC international standards, commentary regarding how standards are created, as well as
current U.S. (Technical Committee), JTC (joint) and WG (Working Group) involvement with ISO [99]. The
U.S. involvement in technical standards is vast. U.S. TAG to ISO TC 46 on Information and
Documentation provides information regarding naming classifications, libraries and works across all
organizations involved in creation and management of standards, and is organized in the following five
categories.
§ SC 4 Technical Interoperability
§ SC 8 Quality Statistics and Performance Evaluation
§ SC 9 Identification and Description
§ SC 11 Archives/Records Management
§ WG 2 Coding of Country Names and Related Entities
Attempting any single Joint Technical Committee's list of standards is a mistake. There are hundreds of
subcommittees, each managing hundreds of standards, and their own lists. Clearly, this issue is
important to all of our nations, as ISO has a committee dedicated to nothing more than a means to simply
classify the standards. ISO 5963:1985 aims to provide a catalogue of standards, with scope including
“Documentation Methods for examining documents, determining their subjects, and selecting indexing
terms.”
Updates to drafts and releases occur with all the regularity of an atomic clock. In 2004, ISO [100] reported
1,247 publications in use by a member body, which can only be counted by number of countries and
member associations [101]. It is clear that if any group has in its possession a true need for an ontology
governing the comparative record of all known standards, it will be found in the coordinated efforts of ISO,
IEC, ANSI and NIST. This core group is regulated by a variety of local, industry, national and
international laws. Bound by MOU (Methods of Understanding) and in accordance with The Agreement
on technical cooperation between ISO and CEN [102], Public Law 104-113 [103], and the WTO Final Act of
the Uruguay Round, this core group is recognized by the principle of US National Conformity Assessment
[104] to the extent that their implementation may be assessed by conformity assessment bodies, such as
CASCO.
To speak for the workings of even one technical area requires a long period of involvement. To speak
with authority to any single standard, one would at least need to be a contributing member of the
Information Technology Task Force (ITTF) [105]. I find it hard to believe anyone knows every consideration
ever made within every area of ISO, IEC, ANSI and NIST aligned committees.
Given the choice to build a list or get the list from ISO, the choice is fairly obvious. ISO wins.
I’m not suggesting we can’t perform an information audit unless we use standards as created by ISO. If I
try to isolate and extract all ISO influence from my own thinking, I’m left with a big empty space in my head.
At best, I have evolved to the professional rank of dog-squirrel. Part squirrel and part rescue dog, I don’t
pick up the principles of ISO based on pure wolf instinct. I sniff at everything new and then bury it in the
yard, I store nuts for winter, and I need a good master to tell me what to do. I’m pretty loyal to ISO.
In the event you are not familiar with ISO, I suggest a warm up using the two documents I mentioned
before. Start with the GTAG Information Control Guidance, because it is easy to understand, and
provides thoughtful insight in the way we conduct our practice. Then read Aligning COBIT®, ITIL® and
ISO 17799 for Business Benefit, because exposure begins with the advantage of ISO standards in an
audit context [106].
Lowest Common Denominator
High school math is not often listed as a “critical thinking” requirement. It should be. Halfway through the
ninth grade, most of us learned how to reduce miles of numbers to their lowest common denominator. No
matter how large, any equation could be reduced according to a few simple rules. I wonder what our task
would be like if IT audit had been planned by Socrates and Euclid [107]. Every standard would have
applicable rules for the factoring, reduction and calculated probability of its impact to any organization.
Committees for audit organizations produce a list of authors whose names can be placed at the scene of
every significant law and standard affecting IT over the entire digital age. Given generations of cross-
pollination, our major standards bodies share expression of a mission to simplify, deduplicate and align
information controls to one common framework of standards. In spite of differing charters, they are all
concerned with efficiency and effective controls. For example, in recent interpretive documents, the
PCAOB and the FASB ask that we make it easier, not harder, to meet audit requirements. ISACA and IIA
publications consistently consider the FASB [108] and PCAOB concerns over cost and waste by offering
tools and resources designed to support the process of audit, to measure, benchmark and report, and to
guide the selection of critical controls using a risk-based audit management approach.
All groups agree that frameworks are resources made available to our audit strategy. They are not laws in
and of themselves. All committees share a valid concern for the oversimplification and misinterpretation of
laws governing business and systems. Unfortunately, Euclid and Socrates aren’t here to help us. We
rely, in their absence, on ethical judgment in selecting the fewest requirements necessary to the
attestation of control. The better we are at selecting a lowest common denominator of standards, laws
and frameworks, the more we benefit our clients while reducing escalating and burdensome compliance
costs.
The true test of those ethics is maintaining the intent of the law and being certain our method of reducing
the numbers also keeps those numbers real. Our challenge is to remember, no matter how long and
complicated the equation, when we've found that lowest common denominator, it must still be the same
number.
Reduction versus oversimplification is the essence of detection risk. It is a legitimate and driving fear that
keeps us from proclaiming an algorithm to reduce regulatory requirements. We must not cross the line
between standard of practice and code, as if a practice were a mathematical law. We are not served by
“dumbing down” the information problem. So we are left with a truly ethical challenge: How do we
reduce complexity and verify that, at the end of the day, we still have the same raw number?
The GTAG references two works that summarize larger security standards. They reduce complexity and
define standards for secure technology in specific areas of industry. Both standards are widely used by
merchants and educators, primarily those in the United States. The Payment Card Industry (PCI) Data
Security Standard, produced by VISA, enforces the management of credit card data and the protection of
an industry that is constantly under attack [109].
Cartoon Plan: Commercial: […] is everywhere you want to be. Private Incorporation: $1,200. Printing
and Marketing: $15,000. Web Site Shopping Cart: $30,000. Over 40,000 Verified Credit Card
transactions per day: Priceless. VISA PCI Data Standard: it’s everywhere your electronic business
wants to be.
How low can you go?
I recall having seen the VISA standard as a single file pulled back by a Google search. Out of
surrounding context, I initially felt the standard served no purpose, seeming to paraphrase a number of
standards in the public domain, and lacking attribution or recorded peer review. The Global Technology
Audit Guide (GTAG) only needed to make one point to inspire me to dig the standard out of the stack
and reprioritize its reading. The GTAG simply stated that the PCI VISA Data Standard is in wide use.
The definition of a “good” standard clearly needed an adjustment. Is it more important to represent every
security detail, or to prioritize a high-level list of concepts? What we see in the PCI CISP (aka CISP V2.3)
is that merchants and electronic markets get it.
Even if it looked to me like an ISO Light, anything extending critical security practice to businesses
engaging in poor data security is at the very least “spot on.”
Maybe it’s “spot on” for another reason. A small amount of digging for contributors to the credit card
standards revealed the chairman of ISO TC68 SC2 Security Management and General Banking
Operations, Mike Versace, and Secretary Cynthia L. Fuller. With biographies published in English and
French, their efforts to assure financial industry standards and automation reap results that go way
beyond humbling. Ms. Fuller’s name leads to the “ISO 20022 Universal Financial Industry message
scheme”, which can be viewed at ISO 20022 Financial Repository: Business Process Catalogue & Data
Dictionary. Mike Versace, in addition to a full-time industry position, travels worldwide in support of
numerous financial security standards. ISO delegates representing Canada, United Kingdom, United
States, Germany, France, South Korea and Japan include organization and business representation from
CLEARSTREAM, IBN, MasterCard, SWIFT, UN/ECE, and of course, VISA [110].
Reviewing current works and the 34 published and current standards used in security and banking, as
produced by this single TC, did not lower the height of Mount Must Read™. The study of the VISA
standard, however, provided a means for quick demonstration of compliance evidence in specific areas of
data and retention management. The PCI Visa Data Standard test procedure checklist is clean, clear and
achievable.
“Good things, when short, are twice as good”
Baltasar Gracián y Morales (1601-1658)
The more you know, the less you have to say
The second “short and sweet” standard, also listed in the GTAG, is the “Fundamental Five.” I first heard
of it while reading posts in the ISACA information security list service. Mike S. Hines, a frequent
contributor within many substantial information security organizations, made no mention of working on the
project [111]. He simply asked me if I had seen the ISG Tool and if I knew about the work of the Corporate
Information Security Working Group: CISWG. This was a humbling day. As current as this 2005 writing,
they work to introduce the “Corporate Information Security Accountability Act of 2003.” The bill will
further amend the Securities Exchange Act of 1934 with bolder restrictions controlling IT products on a
scale that many find to be excessive. Stating the need for “Internet Service Providers and Operating
Systems manufacturers to work more aggressively with other public and private stakeholders to provide
consumers of all levels of sophistication with information about affordable and user-friendly tools that are
available to help them protect themselves and immediately improve their cyber security hygiene,” this act
has potential to impact technology manufacturing with force equal to the wallop of SOX [112].
Produced by the subcommittee on Technology, Information Policy, Intergovernmental Relations and the
Census, chaired by Adam H. Putnam, few efforts compare with the CISWG’s elegance in considering all
best and current contributions to security and compiling them into a single list: Information Security
Management References.
The ISG Tool gives cyber security what the home pregnancy instant strip test gave to medical practice.
The Fundamental Five answers tell us fairly quickly if information practice is healthy or having
problems. No pretense of an easy fix or exhaustive technical detail is made. IT control is simply made
accessible to education, affecting practice as witnessed by our youngest minds, and protecting our
country's most valuable asset: our intellectual capital.
Fundamental Five
The Consensus Benchmarks, from the Center for Internet Security (www.cisecurity.org), provide guidance
on the “Fundamental Five” of basic security hygiene. Use of these benchmarks typically results in an 80
percent to 95 percent reduction of known vulnerabilities.
1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, subnetwork, and perimeter)
5. Malware protection (including worms and viruses) [113]