Thursday, April 28, 2011


Best Practice
The details are too boring to recount.  An impossibly large number of records “exposed” due to human error.  Nothing new, same old. 

The only reason to watch is to see how the impact plays out.  It is Texas Politics, after all, and the Lege is in session, and this could prove to be a mild distraction from birthers and budgeteers. 

The data loser in this instance is an elected official, with aspirations to higher office.  Ms. Combs was angling to grab one of the vacant seats when Lite Gov Dewhurst runs for US Senate.  So, there’s that.  I doubt many folks enter politics hedging against the risk of career flameout by batch job misconfiguration.  Time to update some campaign risk models. 

The lawsuit loser in this instance has tapped into the type of outrage commonly expressed in writers of comments in newspaper websites  - the "SOMEONEOTTAPAY tiny fist shaking, foot stamping" yadayada.  Sure, they wanna get to the bottom of this for the dignity of the victims.  With no damage, the victims will have a tough road to hoe.  Maybe they are discovering for attack ad quotes.  

At about six minutes into her interview, we get the biggest loser.  Comptroller Combs says Gartner and Deloitte are on the case to advise on "best practices."  (It looks like Deloitte may be getting a small return on their campaign investment.)  This sort of reaction chafes me to no end, and is an assault on my dignity.  I might be wrong on this, but the evolving SOP for privacy incident response appears to be to spend money willy-nilly on whatever threat is foremost in the populace's mind, regardless of the proximal cause of the incident.  One company's reaction to some speed freaks carrying away a safe with a couple of DVDs of data was to air gap their production environment and embark on a FISMA compliance project.  This firehose approach appears to be designed to make the potential victims feel better, I guess, but only enriches the best practitioners and "safe bet" consultants.  To me, it just seems a waste, and decreases my confidence in the competence of the organization.

And, to quote the Comptroller, "oh my gosh, think of Sony... and think of your grocery store loyalty card."

Well, at least country music is alive and kicking every night south of Round Rock, Texas. (The sight of a youthful Dale Watson and the State Capitol restores a measure of my Texan dignity.  That, and Chicken Shit Bingo.)

[Image: Best Practices in Risk Management, courtesy of KoryeLogan.]

Monday, April 25, 2011

Up Yours

Nice metric courtesy of Grits - the costs of false alarms.  And the casualties found at the intersection of reliable metrics and public policy. To quote Grits:

But as [Former Dallas Police Chief] Kunkle says, this is an instance where tuff-on-crime politics interferes with good public policy and common sense. The small minority being subsidized by police responses to alarms are extremely vocal and well-organized by alarm companies, who have lists with contact info of concerned customers that would be the envy of any political consultant. Plus, those with alarms almost by definition are relatively wealthier - after all, they got an alarm because they have stuff to steal - and therefore also more politically influential. By contrast, the 86% of Dallasites without burglar alarms who're footing most of the bill are unorganized, unaware of the subsidy, and may not even perceive they have a dog in the fight.
The balance of this conflict is similar to those that are duked out in meeting rooms, with varied stakes and different arguments.
Maybe a similar "verified response" should be assessed on consultants or auditors who elevate low impact / low frequency risks up to the Board.

Or for the one who turned the risk management dashboard day glo.

Or fought the crisis you can't see.

(So RIP Poly Styrene, unless this is a false alarm.)

Tuesday, April 19, 2011

Audit Drips

I was catching up on the podcast backlog today. I listened for the first time to the Risk Hose, which had a meaty midsection on the internal auditing profession, and whether and how internal auditors assess, analyze and otherwise manage and misconstrue risk.
(A couple of caveats. I speak as an internal auditor, with a background in food service and deckhanding. I'm ISACA Platinum, which is more like Centrum Silver than American Express Gold, i.e., it is bestowed upon age. I'm an autodidact when it comes to information risk analysis, but I'm trying to learn.)

Firstly, the standards. The Red Book, or more correctly, the International Professional Practices Framework, includes the following standard (2010 A1)

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
So, every internal audit shop has to perform a risk assessment annually, and use it to plan which audits will be performed in the next year.
This type of risk assessment evaluates "audit risk," defined in Sawyer's Internal Auditing (from my raggedy 4th edition, Part 3 Scientific Methods* Chapter 8 "Risk Assessment") as the following:

Audit Risk = Inherent Risk x Control Risk x Detection Risk
A heavy dose of "professional judgment" (also known as "the gut") is used in this method.  The output of this assessment prioritizes the auditable units (chunks of business functions which make up the audit universe), and cranks them through the cycle to maintain "coverage."  Purchasing on even years, Accounts Payable on odd, et cetera.  Areas with weak controls and lots of potential loss should probably float to the top.  This method is old fashioned even for the conservative internal audit profession, but has the backing of some of the AICPA's more ancient Statements on Auditing Standards.  The resulting assessment is used internally for audit's planning purposes, and, from talking to my peers in industries without a regulatory mandate to perform risk assessment, it may be the only organization-wide assessment that gets performed.  The methods vary, as do the results.

The recent revisions to the Red Book standards state that internal auditors "must evaluate the effectiveness and contribute to the improvement of risk management processes."  So a shop that follows standards will be in the business of evaluating whoever is performing the "risk management" function, including "information systems."  Internal auditors can't manage risk, but can help assess it.

From my perspective, a lot of internal auditors have a lot of experience in an old fashioned style of risk assessment, and end up with a gut quantification exercise.  There may be some bet hedging, vindictiveness and four tons of politics involved in the process (see above as to who must have input into it), and, in the end, the board will get what it wants.  Quality and sophistication of boards will vary widely, and if they want red, yellow, and green heat maps, by gum they are going to get them.  If they want quant analysis, they'll get that too, especially if there is overlap between the Audit Committee and the Risk Committee.

Personally, risk assessment season is approaching for my shop, and, with Hubbard and FAIR in hand, I'm working with our CAE to get together at least some quantitative analysis.  Gotta start somewhere.  I'll get the blame regardless.
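To make the two styles of assessment in this post concrete, here is an added example (my own, not Sawyer's, Hubbard's or FAIR's tooling) that scores a constructed audit universe both ways: the gut-score product from the Audit Risk formula above, and a simplified frequency-times-magnitude annualized loss in the FAIR style, then builds a year's plan with a coverage rule. All unit names, scores and dollar figures are made up for illustration.

```python
from dataclasses import dataclass

@dataclass
class AuditableUnit:
    name: str
    inherent: int     # gut score 1-5: exposure to error or loss before controls
    control: int      # gut score 1-5: higher means weaker controls
    detection: int    # gut score 1-5: higher means audit is less likely to catch a problem
    lef: float        # constructed: expected loss events per year
    magnitude: float  # constructed: expected loss per event, in dollars

def audit_risk(u):
    """Sawyer-style composite: Inherent x Control x Detection (an ordinal score, not dollars)."""
    return u.inherent * u.control * u.detection

def expected_loss(u):
    """FAIR-style top level: loss event frequency x loss magnitude (annualized dollars)."""
    return u.lef * u.magnitude

def rank(units, scorer):
    """Names of the auditable units, highest score first."""
    return [u.name for u in sorted(units, key=scorer, reverse=True)]

def plan_year(units, scorer, year, capacity, last_audited, max_gap=2):
    """Pick this year's engagements: overdue units first (coverage), then by score."""
    overdue = [u for u in units
               if year - last_audited.get(u.name, year - max_gap - 1) > max_gap]
    chosen = sorted(overdue, key=scorer, reverse=True)[:capacity]
    for u in sorted(units, key=scorer, reverse=True):
        if len(chosen) >= capacity:
            break
        if u not in chosen:
            chosen.append(u)
    return [u.name for u in chosen]

# Constructed audit universe; every figure below is illustrative only.
UNITS = [
    AuditableUnit("Purchasing", 4, 3, 3, 2.0, 50_000),
    AuditableUnit("Accounts Payable", 5, 4, 2, 0.5, 400_000),
    AuditableUnit("Payroll", 3, 2, 2, 4.0, 10_000),
    AuditableUnit("Data Center Operations", 5, 2, 3, 0.1, 3_000_000),
]
LAST_AUDITED = {"Purchasing": 2010, "Accounts Payable": 2009,
                "Payroll": 2008, "Data Center Operations": 2010}

if __name__ == "__main__":
    print("gut ranking:      ", rank(UNITS, audit_risk))
    print("quant ranking:    ", rank(UNITS, expected_loss))
    print("2011 plan (gut):  ", plan_year(UNITS, audit_risk, 2011, 2, LAST_AUDITED))
    print("2011 plan (quant):", plan_year(UNITS, expected_loss, 2011, 2, LAST_AUDITED))
```

Note how the low-frequency, high-magnitude unit (Data Center Operations) sits third on the gut ranking but first on annualized loss, which is exactly the kind of disagreement a board ends up adjudicating.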

*I think I hear a head exploding somewhere.