ITIL starting point

June 11, 2006

Do you know what ITIL (the IT Infrastructure Library) is? If you don’t, you can try a quick search on the net, or better, read this excellent article from the IIA’s IT Audit. It is a digest that will clarify some questions on the topic and that all auditors should read; it is also a good starting point for approaching this IT framework.

Especially interesting are the implementation strategies:

1. Designate an ITIL adoption project owner and develop an implementation team
2. Train employees
3. Establish a Service-level Agreement (SLA) process
4. Evaluate IT needs
5. Perform a gap analysis.

Although it is self-evident that all of these steps are mandatory for a successful ITIL implementation, I’d recommend focusing on the 2nd and 4th items. Without employee empowerment and sound business alignment, all the effort put into an ITIL implementation would be a waste of time and money.

X for Tax

March 26, 2006

Last week I was invited to an IT audit conference in Sao Paulo to give a speech on risk assessment methodologies applied to IT. There I had the opportunity to speak with many professionals from internal audit, public accounting firms and consulting services. Their most common concern was compliance with the SOX Act (non-U.S. companies and subsidiaries listed on SEC-regulated stock markets must comply this year) and the associated costs (not only money but also knowledge and human capital) they are incurring. As in the US two years ago, the audit and risk consultancy markets are heating up and overwhelmed; everyone wants to be ready for the internal control attestation derived from the law. There is no way out; they must make it!

Last year I was involved in a SOX project and I must admit it was difficult to deal with some unclear and bureaucratic requirements of the Act. SOX implementation processes have many positive consequences (from IT’s point of view) but, of course, the Act is not perfect or satisfactory for all possible cases. Are the positive consequences of SOX more valuable than the negative ones? The answer is not straightforward in many respects: we don’t have sufficient historical data to measure the effects, and even if we had it, the measurement wouldn’t be simple. The pertinent question is: what does this bill really mean?

Let’s suppose that I and some partners own a property in Hawaii. Because we don’t have enough time to use it, we decide to rent it out. Taking care of the rental details (dealing with tenants, maintenance, security…) requires time as well, so we decide to hire an administrator to manage the whole thing. The administrator contracts several services, including a surveillance firm, to ensure that our (and the tenants’) assets are properly safe. Two years later we visit the property and discover that we were wrong. The property is devastated, the administrator in collusion with the security service has been stealing assets, and the good tenants are gone. The value we thought we had has evaporated. Fraud was taking place. The case gets into the local media; the city mayor is concerned because the city’s housing system is based on properties like ours, and tries to respond by creating a new local regulation to increase security (for example, buildings must have 24-hour surveillance cameras, security teams, locks, …) at no cost to the tenants. So we (and all the other owners) must spend more money on security services to comply with the new regulations.

Economists who have researched regulations like this conclude that their effect is the same as a tax: in this case, a tax that transfers resources from property owners to security providers and tenants. The irony in this story is that the regulation sets a premium for the very security firms that were involved in the fraud.

Enron and similar financial scandals were used to justify the passing of the SOX Act by the US Congress in order to protect stakeholders (an important part of whom are owners). As in the story above, SOX is a tax imposed on owners and customers. Whether the tax is desirable or not is another question, but the bottom line is that we should be aware of its existence. Therefore, IT managers should consider the SOX tax as an additional cost when planning projects or estimating ROI drivers; avoiding or underestimating this cost could turn a profitable project into an unprofitable one. Actually, the problem is greater: why should the government (which ignores the organization’s real risks and strategy) turn a profitable project into an unprofitable one? But that is another story…

ISACA announces global governance Report 2006

March 14, 2006

The Information Systems Audit and Control Association (ISACA) has released its 2nd report on IT governance (the first was in 2003). The report contains interesting information about the current “state of the art” of IT governance. I’ve just taken a look at it and it looks pretty good (it’s free 🙂). I’ll dig deeper into the graphs, but in my first cross-reading I found this curious piece of data:

CEOs consider IT more important for the overall strategy of the organization than IT management does! That is not what common sense tells us every day. But of course it’s a survey… It stands for what is said, not what is done.

RFID privacy and more

February 22, 2006

Radio Frequency ID tags are wonderful! Hi-tech embedded in a thin plastic band. Cheap, flexible, powerful and useful for a wide range of applications; but since their popularisation there has been some controversy about security and privacy issues. Civil rights groups and the privacy-concerned public are campaigning against the use of these devices and demanding government regulation. They are right, but only partially. Some cases are pretty sound, like pharmaceuticals (really, I don’t want anyone to know that I’ve got Viagra in my briefcase!), but if a company uses RFID to manage inventory, supply-chain or maintenance processes, is it affecting anybody’s privacy?

The privacy problems are mainly two, one technical and the other psychological:

  • They must be low-cost devices, and therefore they can implement only a limited set of encryption and authentication mechanisms. News like this one (yes, the S from RSA!) shows the reality of RFID security. For now it’s just an isolated experiment, but recent events in the security market show how fast that can change (a good example is the WEP encryption standard for WiFi networks: in only months, Wired Equivalent Privacy became synonymous with insecurity).
  • The fear of progress and technological change. Politics and lobbying also matter, but, of course, they need some fuel in the form of public support. This one, unfortunately, is messier to deal with.

In addition, some other managerial questions are also relevant. If critical processes rely on information gathered by RFID infrastructure, there are some questions we should answer (as a first approach):

  • Is there any concern about and awareness of RFID risks?
  • Is your organization managing policies and procedures related to RFID and complying with current regulation?
  • Are controls in place to ensure that RFID tags are properly issued and scrapped?
  • Are controls in place to ensure that RFID infrastructure systems track all items reliably?
  • Are RFID tags properly deactivated to safeguard clients’ or suppliers’ privacy?
  • Who is accountable for all this?

Let me show a simple example: a regular task for financial auditors is to estimate inventory accounts based on physical inventories using samples. What if your systems provide a quasi-physical inventory based on an RFID-enabled warehouse? Should the auditor rely totally on this data? Should the auditor work as if there were no RFID system? I leave the answer to the reader.

Pending task: how about a good IT audit program for RFID environments?

Strategy tip: don’t forget, new emerging technologies come together with “emerging” risks.