Contingency planning—the consultant's rôle

COMPUTER FRAUD & SECURITY BULLETIN

Vol. 10, No. 9, Page 9

Introduction

Unlike the consumer products market, which is well served by product surveys and Which? reports, there are no buyers' guides available for employing the services of security consultants. This paper seeks to explain the role of the security consultant to those who need specialist support. Three questions are addressed:

- do you need a consultant?
- what will the consultant do?
- how to get the best results.

Do you need a consultant?

On face value, the consultant is an expensive commodity. The much cheaper alternative is to use in-house staff to do the work. At times it may prove difficult, due to skills or manpower shortages, to tackle a task internally within the timescale required and with the quality of work assured. To train a member of staff to take on a special task could involve a substantial amount of effort in the initial skills training, with attendant schedule delays on task completion. If this is a one-off project, the specialist skills acquired might not be applicable to other project areas afterwards, bringing dubious returns on the initial investment in skills acquisition. The new in-house specialist may feel frustrated at the lack of opportunities to apply his new skills elsewhere in the organization, and may move on to pastures new, where his expertise will be better appreciated and exploited. In the end, the employer will be no better off, since the continuous retention of specialist expertise in his staff can rarely be assured.

The provision of specialist skills from a reputable consultancy gives immediate access to the knowledge and experience of seasoned individuals who can bring industry-wide knowledge and expertise to the client organization. There will be no question of worrying about redeployment or career progression after the work is done, as the consultant's engagement is of such short-term duration that overheads such as pensions and national insurance contributions, or the nuances of trade union job termination rules, simply do not apply.

If staff are working side by side with the consultant, hopefully his specialist knowledge and professional approach will rub off onto others to give added benefits to the client organization.

By and large, consultants are employed to take on one of the following roles:

- Project management: To steer, guide and lead a project team comprised entirely of client staff, and to assure the quality of work in project implementation;
- Project consultant: To advise the client's in-house project manager and his staff on the strategy of the project approach, to act as a sounding board to deal with any issues arising, and to advise on the pros and cons of various solutions or techniques put forward. He will also provide quality assurance for the project team's work;
- Consultancy support: To supplement the in-house project team with external specialist skills and knowledge to tackle the tasks in hand, or to provide additional helping hands to overcome a manpower shortage for some limited period;
- Project team: The client has contracted out to the consultancy company to take on the entire project work, again to overcome short-term in-house resource and skills shortages.

What will the consultant do?

The only tangible commodity the consultant offers to the client is his time. He has to make best use of this commodity to ensure the client gets value for money: to deliver what he has committed to undertake, at agreed cost estimates (measured in man days and per diem rates), to an agreed schedule of work over an elapsed time period, and with the quality and standard of work which meets the client's approval and requirements.

© 1988 Elsevier Science Publishers Ltd., England. /88/$0.00 + 2.20 No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)

The nature and extent of the consultant's involvement must be clearly defined and agreed with the client, so that both parties are in no doubt on what the consultant is committed to deliver, and on what the client expects to obtain. The usual mechanism is for the consultant to submit a proposal to the client, stating the following aspects of the proposed work to be undertaken:

- Terms of Reference and Scope of the project
- Method of Working
- Schedule, Staffing, and Reporting
- Fees and Terms of Business
- Consultancy Company's Competence to take on the work
- Career Resumes of Consultants

The Terms of Reference and Scope section defines the boundaries of the project work area and the deliverables. The bigger the project, the better defined must be the boundaries; and the better structured the project is into a number of distinct phases of task schedules, the easier it is for both client and consultant to monitor, control and manage the project. For instance, in a standard BIS contingency planning project, the work is structured into four phases:

- Business Impact Review - to assess the impact on the client's business following a short-, medium- or long-term disruption to the computer and/or communications facilities;
- Contingency Planning Strategy Review - given the various options available for computer and communications backup, what are the pros and cons of each viable option with its attendant set-up and running costs, and which is the preferred option to best suit the client's needs?
- Contingency Plan Preparation - to progress the various proposed backup and standby provisions to completion, and to produce a set of contingency action plans for the Disaster Recovery Team;
- Testing and Review - to plan and design a series of tests to check that the disaster recovery plan will work and that individual action plans are properly co-ordinated.

At the end of each phase, the output (or deliverable) is a draft report for discussion with the client before a final report is issued. This may sound trivial, but such discussions are vital to ensure the report's acceptance and the project's success. This is because the consultant(s) working on the project will only have limited exposure to the client's operations and internal politics, and may well misjudge certain operational or political issues which may not be apparent to short-term contractors of the organization. Also, the report's stance or emphasis on new working practice, or its recommended actions and implementation schedule, may not prove helpful or practical in some circumstances - e.g. trade union rules and budgetary considerations. These issues, and any possible misunderstandings between the consultant's perception of the situation and the correct interpretation of circumstances, should be raised, discussed, and properly resolved in the draft report discussions. The consultants must not tell lies to protect the skins of incompetent client staff. Equally, correct emphasis and understanding of the real situation will help speed up project progress and ensure endorsement of recommended future actions.

Referring to the four phases of a contingency planning project, the consultant's tasks will be split into the three aspects of fact finding, analysis of results, and report writing and presentation. Fact finding is done mostly on the client's premises and mainly comprises interviews with management and staff, site inspection, and review of documentation and procedures. As far as client staff are concerned, the information-gathering process is generally perceived as strictly one-way, i.e. staff telling the consultant what they already know in the organization, and seems an expensive way of teaching outsiders about themselves. However, this is what consulting is about. If the consultant does not understand your real problems and issues, how can he prescribe an effective solution for you?

The analysis of findings is the acid test of the consultant's expertise and skill: the ability to see the wood from the trees, to sum up the situation, determine a course of action with priorities for urgency of implementation, and point the best way forward. He will probably draw from his company's corporate expertise, his own experience with other clients and previous project work, which gives him a wider perspective and understanding of the real issues at hand, together with well-tried practical approaches adopted by others to tackle similar problems.

The art of report writing lies in the communication skills of the consultant. He has to target the report to its intended readership to ensure the purpose of the report is achieved, by adopting the correct terminology and emphasis to acquaint the reader with the project findings and to appreciate the need for the actions recommended. For instance, the Business Impact Review report is targeted at senior management, and the reporting is necessarily free of technical jargon, but with the correct emphasis on business needs and the adverse impact on the business following a computer disaster. The Contingency Planning Strategy Review report, on the other hand, is targeted at senior IT managers, and a certain amount of technical detail must be included in the review of the various standby and recovery options. The Contingency Plan is designed to be used by members of the disaster recovery team immediately following a disaster. The contents must be easy to understand, unambiguous, and follow in strict chronological order.

As far as the respective roles of the consultant in the above four-phase project are concerned, the Business Impact Review is conducted by the consultant interviewing the key senior business users of the client, with each senior manager contributing some two to three hours of his time for the interview, and later reviewing the draft report on those aspects relating to his own business area, before passing comments for inclusion in the final report. The Contingency Planning Strategy Review is again mostly undertaken by the consultant, with input from IT management and staff to provide the necessary technical details relating to the computer and network configuration and processing requirements. The various action checklists in the Contingency Plan, on the other hand, must be produced by the disaster recovery team members themselves, under the guidance and control of the consultant. We hold the view that unless the individual team member believes in the action checklists he is asked to follow, more likely than not, in times of extreme commotion, such checklists tend to get ignored. This is why he has to plan and think through every step he proposes to take, to ensure effective action to progress recovery in his own area. The consultant's role is to check for any errors and omissions, and to ensure the action plans from all quarters are properly co-ordinated to secure a systematic and speedy recovery of services. During the Testing and Review phase, the consultant's role is to identify, plan and document a set of tests to check that the Contingency Plan will work in parts and in its entirety in an emergency. Client staff will undertake the individual tests themselves. Afterwards, the consultant will come back to review the test findings and, if necessary, to update the contents of the Contingency Plan.

How to get the best results

The more the client understands the method of working, and the practical limitations of external consultancy support, the more likely he is to get the best results from outside help. The better the consultant, the more marketable his services, and the less likely he will be immediately released from existing commitments to take on new project work. The more notice the client gives the consultant of his intention to engage his services and of a scheduled forward starting date, the more likely he is to secure the services of his favourite consultant, and not his substitute. In Central Government and certain sectors of private industry, the general practice is to invite individual consultancy companies to tender for a particular project and to arrange for a sales presentation to give the client the opportunity to meet the proposed project team in person. Bearing in mind that you are paying for their services and expertise, you may want to feel comfortable in the following areas:

- Do you like the individuals put forward?
- Would your staff be happy to work with them and under their guidance?
- Are they helpful and knowledgeable in their field?
- Are they well organized as a team?
- Are they good communicators and presenters?
- Do they have relevant experience in your type of business and organization?

Stick to the Terms of Reference and project objectives, and agree clear deliverables at the end of each phase of the project. If you ask for additional work to be carried out during the project, or veer away from the initial objectives, you will find the consultant has to divert his attention to cover the widened project scope. This could have the adverse effect of diluting essential project resources necessary to meet the original project objectives. As a result, the quality of work suffers because one is now dealing with a moving target. This tends to be the general malaise of some software development projects, and contingency planning consultancy support is no exception. A far better approach is either to agree extra resource funding for the additional work required, or to cover the additional work in a separate project.

Avoid time-wasting, especially if the consultant has to travel for miles to get to the client's premises. Unnecessary time and resources will be wasted on unnecessary journeys through poor interview schedules and interviewing the wrong individuals, who really were in no position to provide the necessary details to the consultant. If the interview is of a sensitive nature, the interview location is important. Otherwise the interviewee may feel embarrassed about passing over confidential or personal information within earshot of his colleagues. The project team should be given suitable working accommodation on the premises to allow them to prepare notes or interview checklists between or before interview appointments. Apart from fact-finding investigations, it is pointless insisting that the consultant work on the premises at all times. At the end of the day, it is the quality of work and completion of tasks within stipulated project estimates and elapsed periods that counts. Many consultants can be more productive in their analysis of findings and in report writing in the comfort of their homes or back in their own offices, instead of having to travel to the client's offices just to show their face and be seen to work a nine-to-five day in front of the client.

Stick to the original project budget and delivery schedule. Unless there are good reasons for exceeding the agreed limits, e.g. the need for additional interviews with business managers, or difficulties with making interview appointments (especially with busy executives), feeble excuses for budgetary shortfalls or project delays should not be entertained. Make sure there are adequate progress review checkpoints built into the project schedule, to ensure good project control and consultant liaison, and to deal with any problems arising. Such review meetings should be short, informal, but frequent, i.e. every two to three weeks. Avoid lengthy progress meetings and do not demand that frequent interim reports be produced. They would simply cut into the manpower resource required to progress productive project work.

Be involved and show interest in what the consultant is doing. Consultants like their work to be appreciated too! Also, a certain amount of in-house staff involvement would provide some project continuity even after the consultant has departed, and staff and management will still be in tune with the details of the project work. On the other hand, too much interference is counterproductive and tends to stifle any innovative approaches the consultant intends to bring into the project.

Organize a debriefing session after the project's completion. The following aspects should be discussed with your management and staff:

- Were the consultants helpful?
- Did you get what you wanted, i.e. meeting quality and timescale requirements?
- Did you get more than you wanted? What additional benefits were obtained through the consultant's involvement?
- Were the recommendations practical?
- Did you achieve the original project objectives?
- Would you want to work with the consultant again?
- What lessons have you learnt from the project experience? What do you need to look out for when using consultants again?

Conclusion

A consultant gets a lot of job satisfaction when his work pleases the client. Like everyone else, he likes his work to be appreciated. The consultant is always learning on the job, particularly with difficult clients, when he has to double-check his work and be on his toes at all times. Equally, his work can be made easier and more pleasurable if the client understands his method of working and the constraints he has to work within. It is only in developing a mutual understanding and appreciation of each other's needs and restrictions that one can be assured of a healthy and rewarding business relationship between the consultant and his client.

Dr Ken Wong, BIS Applied Systems Ltd, London

CONFERENCE REPORT

COMPACS '88

The London Hilton in Park Lane was the venue for the Twelfth International Conference on Computer Audit Control and Security (COMPACS), run by the UK Institute of Internal Auditors on 22-25 March 1988. The conference attracted 960 day delegates. The conference theme was "The Impact of Emerging Technologies on Auditors", and the sessions were arranged on sub-themes to cover a broad review of current issues of interest to auditors and to control/security specialists.

In the first session, Bill W. Murray, now of Ernst & Whinney, but formerly for 25 years with IBM, examined the impact of the convergence of computing, recording and communications technologies on computer audit control and security. He contrasted data security in the pre-computer age, which was based on the security of the media (for example, holding paper-based records in lockable cabinets and mailing information in sealed envelopes), with that of computer systems. Contrary to popular belief, Murray argued, the computer had proved superior to paper so long as the environment was controlled as well as the media. A well-controlled computer system could restrict access to data and provide greater accountability by recording who had access to data and when. This combination of media and environmental controls would not, however, be adequate for the future. The new problem which had arisen was that the boundaries of the control environment may no longer be coincident with the boundaries of a single system or a single organization or institution. Planning and organizing effective access control systems in a wider environment is difficult enough when all of the application is on one readily identifiable system, usually all in one site and with a limited number of identifiable managers.

"As the number of applications, systems, sites, managers and users in the environment goes up, it becomes increasingly difficult for anyone to have the necessary knowledge and influence to specify controls and access rules",
