The road to/from deficiency

I found the following definition of “significant deficiency” in a GAO report and I liked it. If you are outside of the US or not regulated by US regulations, you can change the reference regulations mentioned in the first sentence:

A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.

Then, it also explains what a control deficiency is:

A control deficiency exists when the design or operation of a control does not allow management or employees in the normal course of performing their assigned functions to prevent or detect misstatements on a timely basis.

It was a typical day. Jose Arcadio was at his office in Los Gatos CA, probably planning the next perfect restaurant visit.  Consuela Martinez was (as always) at a random hotel. This time it was in Manila, the Philippines, just before bedtime. In Sunnyvale CA Porky Leibowitz was Blackberry-ing .

9:34 AM| Los Gatos CA|Jose: What the heck is wrong with Security Pie – It came up all jumbled.

1:46 AM+1 day | Manila, Philippines |Consuela: Looks fine to me. What exactly do you see, Jose?

9:48 AM |Sunnyvale CA|Porky : See how we see it here in the US: Chrome and FF (screen shoot added )

1:50 AM +1 day |Manila, Philippines |Consuela: Did anyone touch the style or the sidebar plugin recently?

10:51 AM |Sunnyvale CA|Porky : Not me…

10:52: AM |Los Gatos CA|Jose: Ok. So this morning it looked okay. But then I posted my post as a page (by mistake). I then reposted it as a post. It happened somewhere there. But I did not knowingly make any changes anywhere. Just wrote a blog item. But I can hear Silvester saying “did you touch it”? So it was probably me…

1:55 AM +1 day|Manila, Philippines|Consuela : Okay let’s backtrack. What is the sequence of operations that you did, precisely?

10:52: AM |Los Gatos CA|Jose: I think I did the following:

1. Clicked new page.

2. Wrote.

3. Clicked save and then post.

4. Couldn’t find it on front page.

5. Went back, looked around, found Hong Sin’s remark under moderation and allowed it, and then figured out it was a page and not post.

6. Copied the page to a post, named it the same and posted it. It posted corruptly.

7. Deleted the page (but not the post).

2:10 AM +1 day |  Manila, Philippines|Consuela: Okay fixed. The culprit was a <div class=”main”> tag that was somehow transferred with your post when you cut and pasted it. It isn’t visible in the “visual” view, only when you switch to “HTML” view. I suggest you style-edit your post, it contains this ugly link in the middle; I think you can have some text instead where the link is just the target.

What’s the moral?

There is always more one bug. There is always something that can go wrong and you can bet your pie that it would.  Paraphrasing Assaf, I have interest in PCI section 6.6 (don’t sue me).  As I wrote in another place, things will go wrong. The above example takes place every day in different places. Innocent mistakes that can go wrong. This time, nothing serious happened and our man in Manila was able to take care and fix the problem. Is your organization is as lucky as Securitypie ?

‘American economy is facing unprecedented challenges‘ added a concerned George W. Bush http://www.foxnews.com/story/0,2933,425261,00.html

“The Secretary of the Treasury, Henry Paulson, will be granted unprecedented authority in the financial bailout plan” http://www.lockergnome.com/forsythe/2008/09/29/unprecedented-authority-granted-to-henry-paulson/

In a series of moves culminating overnight, Washington took an unprecedented step into the financial sector in a bid to steady an ailing housing market and ease a global credit crunch, analysts said. http://www.theaustralian.news.com.au/story/0,25197,24310593-20142,00.html

Tuesday, Paulson is spearheading an unprecedented global change as the Bush administration point man for the proposed $700 billion bailout of the U.S. financial industry as the economy reels from the credit crisis sparked by the national real estate slump and spiraling mortgage failure rates. http://www.usatoday.com/money/economy/2008-09-22-paulson-treasury_N.htm

But the $700bn (€480bn, £380bn) bail-out marks an unprecedented test of both the Democratic and Republican leadership in Congress, who are seeking to pass a proposal that they know will be unpopular among voters in an important election year and is opposed for ideological reasons by factions within both political parties. http://www.ft.com/cms/s/0/2c86b58a-89a4-11dd-8371-0000779fd18c.html

Bush: ‘unprecedented challenges‘ call for ‘unprecedented action‘ http://network.nationalpost.com/np/blogs/fpposted/archive/2008/09/19/bush-unprecedented-challenges-call-for-unprecedented-action.aspx

Why terrifying?
Because after all these exciting ‘unprecedented firsts‘ everything will be ‘precedented seconds’ or, in other words, bland.

Meanwhile, while things are still interesting, have you placed your bets on September Madness?

SBInet, DHS Secure Border system

Just replace some of the names and you feel like your in the Middle East, where projects are known to be delayed, technology is always ahead of what was originally planned and the overall cost is several times higher then originally planned….

Important aspects of SBInet remain ambiguous and in a continued state of
flux, making it unclear and uncertain what technology capabilities will be
delivered, when and where they will be delivered, and how they will be
delivered. For example, the scope and timing of planned SBInet deployments and
capabilities have continued to change since the program began and, even now,
are unclear. Further, the program office does not have an approved integrated
master schedule to guide the execution of the program, and GAO’s assimilation
of available information indicates that the schedule has continued to change.
This schedule-related risk is exacerbated by the continuous change in and the
absence of a clear definition of the approach that is being used to define,
develop, acquire, test, and deploy SBInet. The absence of clarity and stability in these
key aspects of SBInet impairs
the ability of the Congress to oversee the program and hold DHS accountable for
program results, and it hampers DHS’s ability to measure program progress.

SBInet requirements
have not been effectively defined and managed. While the program office
recently issued guidance that defines key practices associated with effectively
developing and managing requirements, such as eliciting user needs and ensuring
that different levels of requirements and associated verification methods are
properly aligned with one another, the guidance was developed after several key
activities had been completed. In the absence of this guidance, the program has
not effectively performed key requirements definition and management practices.
For example, it has not ensured that different levels of requirements are
properly aligned, as evidenced by GAO’s analysis of a random probability sample
of component requirements showing that a large percentage of them could not be
traced to higher-level system and operational requirements. Also, some of SBInet’s operational
requirements, which are the basis for all lower-level requirements, were found
by an independent DHS review to be unaffordable and unverifiable, thus casting
doubt on the quality of lower-level requirements that are derived from them. As
a result, the risk of SBInet not
meeting mission needs and performing as intended is increased, as are the
chances of expensive and time-consuming system rework.

SBInet testing
has not been effectively managed. For example, the program office has not
tested the individual system components to be deployed to the initial
deployment locations, even though the contractor initiated integration testing
of these components with other system components and subsystems in June 2008.
Further, while a test management strategy was drafted in May 2008, it has not
been finalized and approved, and it does not contain, among other things, a
clear definition of testing roles and responsibilities; a high-level master
schedule of SBInet test
activities; or sufficient detail to effectively guide project-specific test
planning, such as milestones and metrics for specific project testing. Without
a structured and disciplined approach to testing, the risk that SBInet will not satisfy user
needs and operational requirements, thus requiring system rework, is increased.

Seriously, long term, highly technological projects always risky to manage. In a way, I admire those that can manage a project with hundreds and thousands of dependencies, external controls, budget constrains and eventually deliver a solution. I am sure that under the proper guidance, this said system will become the cornerstone of the border control system.

]]> http://securitypie.com/you-dont-build-a-fence-this-way/feed/ 0