IT Auditing: Be Prepared

Let me begin with the admission that I know very little of the Control Objectives for Information and Related Technologies (COBIT) or International Organization for Standardization (ISO) standards or any of the other criteria that are used to assess the integrity of information systems. I’m sure they’re good tools because they help auditors identify gaps and risks in the systems, platforms, environments, etc. And I know that if those weaknesses aren’t addressed, serious problems could occur, things so bad we don’t talk about them in public because it would only be an open invitation to the Huns, Vandals and Visigoths to pillage and plunder the system, wreaking havoc on those unfortunates whose personal information resides on it.

So you’ve now seen the full extent of my IT audit knowledge, and the terror instilled in me by the unknown enemy that is lurking out there, somewhere on the other side of those wires. Needless to say, I believe IT audits are an important element of a comprehensive audit function. But my version of IT standards is a simpler version. And it’s not something I made up, and it even has international recognition. I propose the Boy Scout standard for computer systems, and it is something I became familiar with even before there were computers.

My fundamental belief is that computer systems should function like good boy scouts and that they can be evaluated on that basis. Some of you may scoff and say that you’ve never had a computer system help you cross the street, although an IT audit of a traffic signal control system is well within our purview. Set aside your presumptions for a moment and consider the Boy Scout Code, which has a great set of criteria for judging computer systems integrity.

First and foremost a computer system needs to be trustworthy. We need to rely upon the system to capture, process and report accurate information. 2 + 2 should always equal 4. Trustworthy, no question about it.

The second element of the Scout Code is to be loyal. The system needs to protect information and software from those Huns, Vandals, and Visigoths. And gremlins too. A disloyal system can’t keep secrets.

And we pay good money for these systems to be helpful. They are supposed to offer a user interface to meet us halfway. If they are built well, they make our jobs easier, and make us more successful in our efforts. If I type something that is obviously wrong, the system should give me a nudge, like “Are you sure?” And if I want something special, it should not just be helpful, but solicitous.

Which is the next element, friendly. As in user-friendly. These systems need to speak in plain language, give easy cues, proceed through straightforward processes, and give clear instructions.

Being helpful and friendly are only the first part. When we do make a mistake, or something goes wrong, a courteous computer would be nice. Error messages can be infuriatingly unclear. How many times have you gotten an error message that made no sense? How did that make you feel? A little courtesy would help.

It may seem random or accidental, but when a crash happens, it can come at the worst of times. Irretrievably losing our work is one of the cruelest acts a computer can commit. Redoing work is like writing on the chalkboard one hundred times, “I will frequently save my work.” No, we want computer systems to be kind.

Obedient: sometimes I want to hurt my computer system. I know it’s a character flaw but when it refuses to do what I want it to, even when I tell it several times, well, those chips and electrons need to feel the pain. If only I could figure out how…

Cheerful. That’s what I want. I not only want the computer system to be responsive to my orders; I want it to be eagerly awaiting them. I don’t need any sullen, slow, morose system that isn’t enthusiastic about the work. Happy workers are good workers.

My computer system should be thrifty and not a constant drain on my wallet. The cost of licenses, upgrades, and maintenance shouldn’t bankrupt me. Naturally, cost and quality are correlated, but some of these vendors seem to believe we’ll pay anything, and then they price accordingly.

Brave happens when someone takes an enormous risk to avoid serious consequences. A brave system jumps in front of the viral bullet, slams the door shut on the intruder, and shuts itself down to save our information. That’s brave.

Clean, of course, needs little explanation. Good computers don’t catch any bugs, or pass them on.

And lastly, I would hope that my computer is reverent. I am its master after all and it should revere me. Sometimes computer systems forget this primary law of robotics. I tried setting my screensaver to say, “I await your direction, master,” although it doesn’t seem to have gotten the message. But it sure is nice to return to my desk and read that anyway.

So, those of you who experienced that youth organization will recognize these twelve elements of the Boy Scout Code and may have also indulged in your own memories of knots and first aid and whittling. I’m sure there are other good standards out there, most notably the Girl Scout Code, and I mean no disrespect to any of them. These tenets are simply what I can’t seem to forget after all these years, and I expect them of good scouts and good computers.

Oh, and there is that other fundamental Boy Scout motto: Be prepared.