6. The successor of the auditors' control measure: the PCUBE-SEC operational activity
6.3 Attitude to handling problems
To the most important benefits of these definitions belong again the clarification of the statements, removal of inconsistencies, and, which is equally important, raising the level of both the target and the scope of the definitions again to that of the operations from the IT-level, where this is needed. Those best practice definitions here, that has a scope already risen above IT, has flaws, so they had to be rewritten, too.
It is important to emphasize, that here the attitude to handling problems is discussed, this attitude in itself has nothing to do with any improvement of an already good thing to an even better one. This is, of course, the final goal of the operational activities with these attitudes, too, as always, but this final goal is not to be mixed into this "nature-like"
The PCUBE-SEC benefit of separating the scope of the actions from their desired effect, the "inputs" from the "outputs" have a special significance when we classify operational activities according to their way of handling problems. We will see here, how does this separation help in identifying incosistencies, and in extending the scope from IT towards operations.
Thus such a confusion can be avoided, as mentioning desired events in one definition, and forgetting about them in an other, as it will be seen in the COBIT 4.1 "control" definitions, where, in the detective control, desirability is mentioned, while in the preventive one it is omitted, as it should be - I think - everywhere.
Another important benefit is, that it will be easier to formulate the definiton of the three different attitudes in such a way, that the detective, preventive and corrective approach will not be mixed with each other, as they are in the ISO 27000 definition, as it will be seen.
Thus the definitions will really correspond to the name of the given attitude.
Similarly to the discussion of the predecessors of the operational activity above, first the definitions taken from the ISO standards, and from the ISACA materials will be analyzed, justifying this way the necessity of the new definitions even for the IT case.
220.127.116.11 The ISO corrective action
The ISO 27000 corrective action is an "action to eliminate the cause of a detected nonconformity or other undesirable situation". [ISO 27000]
To require the handling of the cause of the problem is not corrective, but preventive from the viewpoint of a current situation, as dealing with the cause affects the future occurence of the mistake, but does not improve the current state of matters. Neither mitigating the consequences of a mistake committed, nor enlightening the consequences is mentioned. To define prevention such a way is not practical, either, as instead of a total elimination of a cause partial solutions could also have been accepted.
18.104.22.168 The CRM corrective control measure
According to the CISA Review Manual, it is: "designed to correct errors, omissions and unauthorized uses and intrusions once they are detected".
This measure is corrective, but sticks to IT, and, even in this domain, emphasizes some special type of mistakes.
22.214.171.124 Correction in COBIT
There is no corrective control measure mentioned in COBIT 4.1.
126.96.36.199 The proposed definition for the corrective attitude
An operational activity is corrective,
if it contributes to the elimination, or at least to the mitigation of the consequences of any kind of mistake that had not been recognized in time, so the mistake resulted in some unpleasant consequences, that need corrections.
188.8.131.52 Detection in the ISO standards
It is interesting to note, that the vocabulary to the ISO/IEC 27000 family, ISO 27000 does not define a detective type of "action". In the ISO/IEC 27001 the word "detective" was not found, but, interestingly enough, in ISO/IEC 27002, those, who intend to implement capacity management, are guided to apply "detective controls" in order to get timely notification on arising problems. This might be corrected in future versions, as 27001 deals with the information security management systems, while 27002 gives rather concrete advice on its practice. 27000 is a collection of definitions.
184.108.40.206 The CRM detective control measure
The scope of the CRM detective control measure is restricted to errors, and specific IT-, and physical security problems are emphasized. It says: it "exist(s) to detect and report when errors, omissions and unauthorized use or entry occur".
220.127.116.11 Detection in COBIT
The COBIT "detective control" definition in COBIT 4.1 is: "A control that is used to identify events (undesirable or desired), errors and other occurrences that an enterprise has determined to have a material effect on a process or end product".
This is quite close to my proposed definition, but "control" here means rather a control system, than a controlling activity.
18.104.22.168 The proposed definition for the detective attitude
I raise again the whole discussion above IT, and extend the things to be handled to any kind of problems besides events.
The role of a
detective operational activity
is to detect flaws in business and / or operations.
It should be noted,
that a best professional practice is to require the detection to be followed immediately with the documentation of the flaw, and the authentic collecting and storing of this
documentation, together with reporting the case to a specified problem solving unit, and / or to management level.
Some kind of means to document the flaws should be offered. The documentation process is to start first, with the definition of the processes, and both processes, that of the detection and that of reporting have to be defined in advance.
The authenticity of the documentation can often be vital. An example is the log management. Somebody can be accused with something only if the proof is authentic. If the proofs are logs, then they are authentic only if they are signed and time-stamped.
22.214.171.124 The ISO preventive action
With its generality there is no problem, ISO 27000 says: "preventive action" is "to eliminate the cause of a potential nonconformity or other undesirable potential situation."
The difference between this definition and mine is separating the possibility of committing a mistake from intentional damage and accidents.
126.96.36.199 The CRM preventive control measure
Unfortunately it had been left out from the Glossary of the CRM 2011, but a kind of explanation can be quoted, where the "controls" are classified by a kind of function description and examples. The function of "preventive control" is to:
• "Detect problems before they arise.
• Monitor both operation and inputs.
• Attempt to predict potential problems before they occur and make adjustments.
• Prevent an error, omission or malicious act from occurring."
Requirements, tasks, detection and prevention are mixed here. Making adjustments are corrective activities, monitoring is an example for a detective action.
188.8.131.52 Prevention in COBIT
The definition in COBIT 4.1 Glossary is quite close to mine, but it focuses on the effect of a negative event. I am sure, that the adequate behaviour of the staff is also important.
COBIT 4.1 says: "Preventive control—An internal control that is used to prevent undesirable events, errors and other occurrences that an organisation has determined could have a negative material effect on a process or end product".
184.108.40.206 The proposed definition for the preventive attitude
Preventive operational activity:
I define an activity as preventive, if it prevents
• the occurence of undesired events and / or
• the possibility of committing a mistake.
The novelty of my definition compared to COBIT 4.1 is, that I separate "our" mistakes from attacks, and accidents. This can greatly help in finding the appropriate preventive action.
What might be considered in the future development of PCUBE-SEC is, if attacks and accidents should also be separated, or is it better to leave, as it is now?
The already mentioned PCUBE-SEC program complex "statements" can be built of different type of "simple" activities from the viewpoint of the attitude, too. That is, detective, corrective, and preventive activities at the same time can be parts of the same complex statement.