Thursday, August 30, 2012

System Penetration Motivation


•  Blackmail
•  Challenge
•  Competitive advantage
•  Curiosity
•  Destruction
•  Destruction of information
•  Economic espionage
•  Espionage gains
•  Exploitation
•  Illegal info disclosure
•  Intelligence
•  Monetary gain
•  Monetary payoffs
•  Multiple motivations
•  Omissions
•  Perceived challenge
•  Personal ego
•  Rebellion
•  Revenge
•  Unauthorized data alteration
•  Unintentional errors


Information EFFICIENCY Attributes

•  Accessibility
•  Believability
•  Cost of provisioning
•  Ease of operation
•  Productivity measure
•  Reputation


Wednesday, August 29, 2012

Sources of System Risk

•  "Forces of Nature"
•  Computer criminal
•  Corporate espionage
•  Cracker
•  Employee mistakes
•  Foreign government espionage
•  Government espionage
•  Hackers
•  Industrial espionage
•  Malicious insiders
•  Multiple sources
•  Outdated technology
•  Technical failures
•  Terminated employees
•  Terrorists
•  Vendor negligence

Information EFFECTIVENESS attributes

·         Appropriate Amount
·         Consistency
·         Interpretability
·         Objectivity
·         Pertinence
·         Relevance
·         Timely Delivery
·         Understandability
·         Usability

Tuesday, August 28, 2012

Benefits of Virtualization

Virtualization is, in part, a return to centralized storage and computing. These are the benefits commonly claimed for it today. Keep in mind that consolidation also concentrates risk: a hypervisor compromise or host failure affects every guest on that host.
•  Reduce hardware vendor lock-in
•  Increase uptime
•  Isolate applications so a problem in one does not spread to other systems
•  Extend the life of older applications
•  Help move workloads to the cloud
•  Improve business continuity and disaster recovery
•  Flexibility and agility, with multiple systems on a single platform
•  Reduced downtime
•  Reduced administration costs through faster provisioning
•  Increased space efficiency by reducing hardware units
•  Energy savings
•  A smaller data center footprint through server consolidation


Monday, August 27, 2012

Bad Communication Tips

You know that communication is bad when

         Formal communication has been less than optimal
         Communication is infrequent and sporadic
         Communication is not monitored or evaluated for its effectiveness
         There is over-reliance on non-face-to-face communication media
         Messages and media fall outside the interests of the intended audience
         Communication is one-way
         Change is communicated as a placation
         No feedback loop is attached to any communication
         The same words are repeated to describe the project when they were not understood the first time
         Communication is not tailored to the needs of the stakeholders at a given time

Sunday, August 26, 2012

Computer Tips

1.  Typing DELETE does not !

2.  Create a folder with no visible name: rename an existing folder, hold ALT, type 0160 on the numeric keypad, release ALT and press ENTER.  ALT+0160 types a non-breaking space (U+00A0), which Windows does not trim the way it trims ordinary spaces, so the name shows up blank.  Really cool.

3.  Forbidden folder name: "con".  Try it: you cannot create a folder named "con", because CON is one of the DOS device names (along with PRN, AUX, NUL, COM1-COM9 and LPT1-LPT9) that Windows reserves in every directory, with or without an extension.

4.  Weird Word trick, just for fun: in MS Word, type =Rand(200,99) and press ENTER.

5.  Become buzz-word compliant!!!
6.  Hardware: The parts of a computer system that can be kicked.
7.  Computer dating is great for computers.

8.  Viruses, unlike operating systems, rarely fail.
9.  Prepare for disaster:  Save Your Buffers !
10. Someone knocked over my recycle bin... There's icons all over my desktop...
11. The more I C+, the less I see.

12. Smith & Wesson, the original point and click interface.
13. Please press CTRL ALT DEL now for IQ test.
14. An application is never finished until the developer finds another job.

15. Eve used an Apple in Paradise.  The rest is history.
16. How many times you need to hit CTRL to be in control?
17. If a train station is where the train stops, what is a work station?

18. Computers, like air conditioners, stop working when you open Windows.
19. Bad or missing mouse driver. Spank the cat [Y/N]?
20. Error: Keyboard not attached. Press F1 to continue.
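The reserved-name and blank-name behaviour behind tips 2 and 3 is worth checking for in code, because any application that writes user-supplied names to disk on Windows runs into the same rules. The following is an added example, not part of the original post: it validates a proposed file or folder name against the device-name list, the silent stripping of trailing spaces and periods, the illegal-character set, and the whitespace-only case from tip 2, and offers a sanitized replacement. The function names and the sample inputs are my own choices, and the checks run on any platform since they never touch the file system.

```python
# Added example (not from the original post): check a proposed file or
# folder name against the Windows rules behind tips 2 and 3 above.
# Windows reserves the DOS device names case-insensitively, even with an
# extension ("con.txt"), silently strips trailing spaces and periods,
# forbids a handful of characters, and accepts a name made only of a
# non-breaking space (U+00A0, what ALT+0160 types), which then looks
# blank in Explorer. Pure Python; no Windows needed to run the checks.
import unicodedata

RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
ILLEGAL_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}


def _is_blank(name: str) -> bool:
    """True if the name is empty or consists only of separator-space
    characters (Unicode category Zs), which covers both the ordinary
    space and the non-breaking space from tip 2."""
    return all(unicodedata.category(ch) == "Zs" for ch in name)


def _base_name(name: str) -> str:
    """The portion Windows compares against the device names: up to the
    first period, trailing spaces dropped, case-folded."""
    return name.split(".", 1)[0].rstrip(" ").upper()


def validate_windows_name(name: str) -> list[str]:
    """Return a list of problems; an empty list means the name is safe."""
    problems: list[str] = []
    if _is_blank(name):
        problems.append("name is empty or only whitespace (displays as blank)")
        return problems
    bad = sorted({ch for ch in name if ch in ILLEGAL_CHARS})
    if bad:
        problems.append(f"illegal characters: {bad!r}")
    if name != name.rstrip(" ."):
        problems.append("trailing space or period (Windows silently strips it)")
    if _base_name(name) in RESERVED_NAMES:
        problems.append(f"reserved device name: {_base_name(name)}")
    return problems


def safe_windows_name(name: str, fallback: str = "unnamed") -> str:
    """Rewrite a name so validate_windows_name() accepts it: illegal
    characters become '_', trailing spaces/periods are dropped, reserved
    names get a leading '_', and blank names become the fallback."""
    cleaned = "".join("_" if ch in ILLEGAL_CHARS else ch for ch in name)
    cleaned = cleaned.rstrip(" .")
    if _is_blank(cleaned):
        return fallback
    if _base_name(cleaned) in RESERVED_NAMES:
        cleaned = "_" + cleaned
    return cleaned


if __name__ == "__main__":
    # Constructed sample inputs: tips 2 and 3 plus a few common edge cases.
    samples = ["report.txt", "con", "CON.txt", "\u00a0", "a:b", "notes.", "lpt1 .log"]
    for sample in samples:
        print(repr(sample), validate_windows_name(sample),
              "->", repr(safe_windows_name(sample)))
```

The validator returns every problem it finds rather than stopping at the first, so a web upload handler can log the full reason a name was rejected; the sanitizer is deliberately conservative (a leading underscore rather than dropping the name) so that "CON.txt" and "con.txt" from two users still map to distinct, non-reserved names.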


    

Friday, August 24, 2012

Components of Best Practice Governance

1.      Governance (foundations layer)
§  Regulatory (national/international) governance
§  Industry governance (HIPAA, GLBA)
§  Your company governance
§  ISD Infrastructure governance
2.      ITIL and Business Process Models (service management layer)
3.      CobiT (controls layer)
4.      Six Sigma (process engineering layer)
5.      CMMI (process maturity layer)
6.      ISO/IEC 20000-1:2005 IT Service Management specification (overall objective layer)

Thursday, August 23, 2012

Why Request an Audit

1.  Detect ongoing fraud
2.  Improve existing controls
3.  Prevent fraud
4.  Discover new money saving approaches
5.  Operate more efficiently
6.  Stop or prevent data breaches

Wednesday, August 22, 2012

Evaluation Criteria for Communication


·         Stakeholder inclusiveness
·         Accuracy
·         Timeliness
·         Completeness
·         Transparency (balance and neutrality)
·         Accessibility of information
·         Clarity of Information

Tuesday, August 21, 2012

On the lighter side

Why was the auditor named, Mr. Magoo?  He kept getting lost on the audit trail.

How do cannibal auditors honor their clients?  They toast them.

What do you call an accountant with an opinion?  An auditor.

What did the auditor do at a vampire convention?  Count Dracula

How expensive is cannibal auditor's consulting?  They charge an arm and a leg.

How can you cook the books without burning down the office?

Why do auditors appear so reserved?  They have strong internal controls.

What does an accountant do when hitting a mid-life crisis?  Gets a faster calculator.

Friday, August 17, 2012

Effective Motivation for Increased Productivity

  • You can attempt to get blood out of a stone.
  • You can attempt to motivate a stone to give blood.
  • You can empower a stone to motivate itself to give blood.
  • You can inspire a stone to empower itself to motivate itself to give blood.
  • You can embolden a stone to inspire itself to empower itself to motivate itself to give blood.
  • You can ennoble a stone to embolden itself to inspire itself to empower itself to motivate itself to give blood.

Characteristics of Processes

Processes

         Are defined in terms of actions, dependencies, and sequence
         Are measurable in management terms, such as cost and quality, and in practitioner terms, such as duration and productivity.
         Exist to deliver specific results, which are identifiable and countable.
         Have customers or stakeholders with expectations that must be met by the result that the process delivers
         Respond to specific events, which act as triggers for the processes.

Wednesday, August 15, 2012

Estimating Costs of Automated Controls

•  Cost of hardware and supporting software
•  Cost of automated control software, through license fees
•  Cost of implementation and continuing maintenance
•  Cost of developmental and operational training

Tuesday, August 14, 2012

Major IT Governance Areas

         Human Resource Governance
         IT Business Governance
         Application Governance
         Infrastructure Governance
         Information Governance
         Security Governance
         Strategy & Governance
         Architecture Governance

Monday, August 13, 2012

Goals of Process Improvement

·         Align to business goals:   Strategic goals should set the direction for any process improvement, with the help of programs such as the Balanced Scorecard, Six Sigma, and metrics.
·         Focus further on the customer:  Fast-changing needs make it important to align business processes toward higher customer satisfaction, by obtaining customer input whenever a process is reviewed or redesigned.
·         Benchmark to determine results: Benchmarks may be internal (within the organization), external (from competing or non-competing organizations), or set by senior management as an aspirational target.
·         Assign process owners:   To control a process, there must be clarity about who owns it and what constitutes its success or failure, within a range of acceptable results.

Friday, August 10, 2012

Governance Process Principles

Clearly Defined Logical Process:  The governance process must be efficient, effective, clear, consistent, enforceable, a standard operating procedure, and automated wherever feasible.

Flexible Accommodating Process:  The process must be flexible to accommodate planned, emergency and expedited changes.


Change Management Information:  Key release notes and activity reports will be viewable and published to primary stakeholders and groups

Process Governance:  The process will include a procedure for governing the prioritization of changes.

Process Maturity:  Process measurements will be defined and trends tracked to facilitate continuous improvement

Thursday, August 9, 2012

Politics of Cost Cutting

Identifying opportunities for cost cutting leaves those in charge open to the accusation of inadequate cost monitoring: "If it is possible to cut costs now, why were they not cut before?"  The risk is greatest for quick wins, since they take the least effort and have the least negative impact.

A cost-conscious continuous-improvement culture implies that room for improvement always exists: keep looking for improvements and stay mindful of complacency.  Communication during cost reductions is critical and can be the difference between a successful and an unsuccessful effort.

Frame cost reduction proposals with words such as eliminating waste, increasing productivity, streamlining operations, transforming, and obtaining more value for expenditure.

Avoid words with negative connotations such as cost cutting, belt tightening, downsizing, eliminating redundancies, terminating, and eliminating dead weight.

Wednesday, August 8, 2012

Risk Treatment

Risk treatment involves modifying a risk using one or more of the following approaches:

         Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
         Taking or increasing the risk in order to pursue an opportunity
         Removing the risk source
         Changing the likelihood
         Changing the consequences
         Sharing the risk with another party or parties (including contracts and risk financing)
         Retaining the risk by informed decision.

Tuesday, August 7, 2012

Improving Judgment

Most will admit to a certain degree of forgetfulness, but who will admit to making consistently bad decisions, or to having bad judgment?
·         Seek diverse friends and diverse opinions.
·         Run away when experts agree on something.
·         Validate your convictions, however carefully they were developed from the best data.
·         Look for input from the oddballs.
·         If everyone were right, we would all be driving Mercedes, BMWs, even Bentleys.
·         Eradicate every cognitive filter you discover during self-exploration.
·         Excessive optimism makes you take more risks than you should or can afford.
·         What is your Plan "B"?
·         Try not to be just another sheep, deciding based on what makes someone else happy.

Monday, August 6, 2012

Avoiding Drift from Established Procedures

- Develop more effective cross-functional teams.

- Perform detailed after-action reviews to improve processes.

- Foster a climate of open and candid dialogue.

- Focus on information "handed off" from one unit of the IT organization to another.

- Challenge silo thinking and work out inter-unit rivalries.

- Support transparency in the IT organizational units and systems.

- Avoid duct-tape approaches to small problems.  Small problems may hide large ones.

Sunday, August 5, 2012

Change Strategy in Complex Systems

1.  CHANGE = Mission, Skills, Incentives, Resources, Project Plan
2.  Inappropriate Starts = No Project Plan
3.  Frustration = Lack of Resources 
4.  Slow change = Lack of Incentives  
5.  Errors Made = Lack of Skills  
6.  Confusion = Lack of Mission or vision

Saturday, August 4, 2012

Risk Factors in Complex Systems


  • Inter-dependency among system components
  • Connectedness: the number of other components each component is linked to
  • Diversity, where different software packages perform the same function (not a good thing)
  • Adaptation through fixes and upgrades that let the system handle new conditions

Risk Categories



1.   Routine, simple cause-effect relationship risks
2.   Complex and moderately uncertain risks
3.   Highly uncertain risks
4.   Highly ambiguous risks (high degree of controversy, variety of judgments)
5.   Imminent dangers or crises (need for fast response)

Key Risk Governance Concepts

1.  Both “real” and "perceived" risk elements are significant.
2.  For risk planning, all stakeholders should be included as contributors.
3.  Risk evaluation should be focused and based on impact and likelihood.  It should be transparent, equitable, effective, efficient, and accountable.
4.  Risk determination should be based on a model that integrates various components of complex systems.
5.  Timely updates should be made to assure that risk assessment is based on the best available knowledge and judgment.