Saturday, November 27, 2010

Information Assurance in Estonia

David Haydter

When MSIA graduate David Haydter returned to his current home in Virginia after Residency 2010, he mentioned in an email that he’d received an award for his IT/IA work in Estonia.  We asked him for details, and here’s his story.


As for the award, there were three parts to it.  As the Information Management Officer (IMO) at American Embassy Tallinn, Estonia, I supervised six people and was ultimately responsible for all IT, IT security, and communications at the Embassy.    The Department of State uses software to monitor all its subnets (over 400 of them), collect metrics, and to determine the overall network risk and health of each subnet.  Tallinn consistently ranked number one out of all the Department's domestic offices and foreign missions for its network risk score.  This means our patches are applied immediately, our virus definitions are up to date, our security templates are current, permissions, user accounts, registry settings, etc. are all exactly where they should be.  My staff deserves the credit, and I wrote them a separate award which was presented by our Ambassador.

The second part was for the installation of a new messaging (aka telegrams or cables) system which replaced our legacy system from the early 1990s.  Embassy Tallinn was the only mission to successfully install, learn and administer the application, and train its users without flying in outside support.  The third part of the award was not IT or IA related.  The award was a Superior Honor Award which had to be approved in Washington (as opposed to other awards which can be approved at the Embassy level) and signed by an assistant secretary.  Normally, it would then be presented by our Ambassador.  In this case, Secretary Clinton was in town for a NATO summit, and the Ambassador arranged for her to present it to me.

I was in Estonia for three years from 2007-2010.  It is a beautiful country and has come a long way since the fall of communism.  It sits against the Baltic Sea only 50 or so kilometers south of Finland and has a magical old town full of medieval castles.  The winters are very cold, but I know Vermont gets its fair share too!  Being so far north, the days are extremely short in the winter time (only about five hours of daylight) but long in the summer.  The sun doesn't set until around 11:00 p.m. in June and July and it doesn't get completely dark.  The song festival happens every five years - it just happened this year and was a great experience.  [ed. Learn more at http://www.estemb.org/estonia/estonian_song_and_dance_festival ].  There's also a lot of knitting.  There are several shops, mostly in old town, that sell knitted items to the many tourists that come to town.

There was no base - just the Embassy in the middle of the city.  We lived amongst the Estonians and were immersed in their culture.  Very few State Department Missions (Embassies, consulates, U.S. Missions) have a base-type setup.  Our neighbors are typically citizens of the host nation, and we eat, shop and play just as they do.  This is what makes the Foreign Service so interesting.  

Last Week’s Quiz Question
In what year was the Ticonderoga moved to the Shelburne Museum?
Answer: 1955

Winner: William R. Lampe

This Week’s Quiz Question
In what year did Norwich University start the first Civil Engineering program in the US?

Past winners
Andrey N. Chernyaev:  5 wins
Bill Lampe: 4 wins
Matt Bambrick: 3 wins
Dianne Tarpy: 2 wins
Scott Madden: 2 wins
Sam Moore
Autumn Crossett
Gil Varney, Jr.
Glen Calvo
Thomas Reardon
Sherryl Fraser
Srinivas Chandrasekar
Marc Ariano
Linda Rosa
Joanna D'Aquanni
Srinivas Bedre
Christian Sandy
Joseph Puchalski
Ken Desforges
William Westwater

Saturday, November 6, 2010

Business Continuity—Fact or Fiction?

John Orlando, Program Director

I’ve always been bothered by the nagging suspicion that the body of knowledge in the business continuity field is more fiction than fact.  Let me explain.

Think about people’s opinion on the shape of the world.  For most of human history people believed that the world was flat.  The view that the world was round didn’t come into vogue until relatively recently (OK, technically it’s more of a sphere, but you get the idea).

We consider the change in belief from flat-earth to round-earth to constitute a move from ignorance to insight.  This is because we consider the belief that the world is round(ish) to better match the reality of the shape of the world than the belief that the world is flat.  Science is “world-guided” in this way: the objects that it studies are out there in the world, and so there is a fact of the matter against which its beliefs can be judged.

This does not mean that all scientific beliefs are true.  In fact, most scientific beliefs eventually turn out to be false.  Consider the aforementioned belief that the world was flat.  The fact that everyone believed that the world was flat at one time did not make the world flat; it just meant that a lot of people were wrong about the shape of the world.  The truth or falsity of scientific beliefs is not determined by how many people hold them, but rather by their match with reality.

But can the same be said for business continuity beliefs?  For instance, we are told that there are four parts to the emergency management process: mitigation, preparedness, response, and recovery.  But does the four-part division represent a real division in the emergency management process, or just an arbitrary categorization?  Does the emergency management process naturally fall into four parts, rather than five or three, or is it more like the birthday cake that is cut into eight parts because eight people happened to show up at the party?  Is there a sense in which we can say that someone who believes that the emergency management process has three, or five, steps is wrong, or are they just not buying into the categorization system that everyone else adopts?

Now, even if business continuity concepts are created, rather than discovered, they would still have value.  Conventions facilitate discussion by giving everyone the same language.  But the absence of solid evidence supporting business continuity practice hampers the profession’s growth.  Years ago it was predicted that insurance companies would provide discounts to organizations with business continuity plans, thus creating incentives for developing continuity plans (and to hire continuity practitioners), but that did not materialize because insurance rates are dictated by actuarial tables.  An insurance company might provide you with a discount on your policy for not smoking because statistics show that by not smoking your total healthcare outlays will be X% lower than if you smoked, and they can pass the savings on to you.  But no similar statistics exist for business continuity programs.

Lacking evidence to support its practices, the BC profession is primarily intuition-driven rather than evidence-driven.  While intuition is not a bad thing when evidence is lacking (after all, it’s all that you’ve got to go on), intuition can be misleading.  For instance, at one time doctors treated illnesses by the accepted method of blood-letting.  We may laugh today, but at the time this made more intuitive sense in their world-view than the belief in germs that were too small to see.  It was only after doctors actually compared the recovery rates of people treated with blood-letting with those treated without it that they discovered, much to their surprise, that this method didn’t work so well after all.

I don’t think that business continuity practice is on par with blood-letting (at least I hope not), but proving that to others is another thing. If we can’t provide the evidence to prove that business continuity is a world-guided science, then it becomes hard to justify the expertise of practitioners to the outside world. 

This is why we are developing the Norwich University Business Continuity Research Institute.  The institute will sponsor research that puts the business continuity field onto a firm foundation.  Some of the research will compare different methodologies to determine which works best.  Other research will try simply to establish that business continuity programs pay off for an organization in the long run.

Our plan is to contract with faculty, students, and alumni to do much of the research, but also to commission outside investigators.  We will disseminate the results through face-to-face talks, online classes, social media, etc.

Mostly we want to foster an atmosphere of open and critical investigation that will impart the foundations of evidence and reasoning to common beliefs of the field, and expose where those beliefs are mere conventions without firm backing. 

The goal is to put business continuity on par with other accepted professions in society.  Only then will the field gain legitimacy to the outside world. 

Please take this as an open invitation to join us in this journey.

Last Week’s Quiz Question
Question: In what year did the current Norwich University library open?
Answer:  The Kreitzberg Library opened in 1993.
Winner: William R. Lampe

This Week’s Quiz Question
In what year was the Ticonderoga moved to the Shelburne Museum?
Past winners
Andrey N. Chernyaev:  5 wins
Matt Bambrick: 3 wins
Bill Lampe: 3 wins
Dianne Tarpy: 2 wins
Scott Madden: 2 wins
Sam Moore
Autumn Crossett
Gil Varney, Jr.
Glen Calvo
Thomas Reardon
Sherryl Fraser
Srinivas Chandrasekar
Marc Ariano
Linda Rosa
Joanna D'Aquanni
Srinivas Bedre
Christian Sandy
Joseph Puchalski
Ken Desforges
William Westwater