Gee… DPR on Profiling

This again about that pesky new legislation that just won’t go away not even before it will be legally-effectively enforced [as you know, the thing has been around already for a year and a half, but will only be enforceable, in pure theory, per upcoming May 25th but your mileage may (huh) vary greatly – when Risk = Impact x Chance [don’t get me started on the idiocy of that, as here of 2013, Dec 5th – Gift time!] the chance is Low of Low and Impact can be easily managed down, legally yes don’t FUD me that will be the truth, the whole and nothing but it. So it will be legally effective but not in any other sense let alone practically].

For those interested, there’s this piece on Profiling. That has, on p.16 last full para (‘systems‘ that audit ..!?), p.19 3rd para from the bottom “Controllers need to introduce robust measures to verify and ensure on an ongoing basis that data reused or obtained indirectly is accurate and up to date.“, p.30 in full and many other places, pointers towards … tadaaa,

Auditing AI

with here, AI as systems that process data – as close to ‘systems’ in the cybernetic sense as one may get even when needing the full-swing wormhole-distance turn of the universe consisting not of energy but of information to abstract from the difference between info and data.

Where I am developing that auditing of AI systems as a methodologically sound thing. And do invite you to join me, and bring forward your materials and ideas on how to go about that. Yes, I do have a clue already, just not the time yet to write it all up. Will do soon [contra Fermat’s marginal remark].

Oh and then there’s the tons of materials on how anyone (incl corporate persons) will have to be able to explain in no complex terms (i.e., addressing the average or even less clever) how your AI system works…

So, inviting you, and leaving you with:
[What corks are good for, well after having preserved good wine – decoration. Recycle raw materials, don’t re-use data! Ribeauville]

Awaiting Asibot

All Are Ardently Awaiting – stop, semantics go over syntactic alli – the release of Asibot, as here.
Because we all need such a system. The inverse of Dragon Naturally (into Nuance, too little heard of as well!) combined with a ghost writer, as it were / is / will be. When prepped with one’s own set of texts, should be able to generate useful ground work for all those books you have been wanting to write for a long time but couldn’t get started.
Now, would such a system be able to extract hidden layers, stego-type of themes, that are in your texts that you aren’t even aware of ..? What kind of services would be interested most? Oh, that one’s answered before I finished typing; the three-letter abbrev (uh?) kind of course.

Still, would very much want to meddle with the system… Plus:

[If applicable to music, sunny Spring days in Saltzburg, too for …]

The Legend of Knuth the Agile

Once upon a time in a land far, far off-shore to today’s centers of economic, political of civilised-society gravity, before DevOps was a thing even, there was a great algorithm champion warrior named Knuth. Unlike his fellow programmer clansman, that coded for fun and profit deep innovation and peer recognition [f&p came only decades i.e. ‘centuries’ later; ed.], in a world that was barren of bad code but still inhospitable to what later would become hero geeks and nerds (for whom this was still obvious), Knuth was just that little bit less quickly-footed in his subject matter, earning him the nickname The Agile, just to deride his profound work.

Because, you see, he was a man of honour and clean algorithms, two things that in his days were nearly the same. And he was in favour of solving things with fundamental parts. Not ‘process steps’ or so – how would he laugh at those that propose that, these days. Nor happenstantially bundled ‘sprints’ of fast (hacked, in its profound meaning) coding – though extreme coders live on here and there, not given the honour and credit they deserve.
But real, standardised, tried and tested (even in a semi- or fully mathematical way) logically consistent actual process steps. But then, he understands that the real warrior body (brains) belong only to those that have honed the warrior spirit, have grinded and polished their skills over decades to shine like blank sheet metal of the finest alloys. So, not like ‘hey I had this one-year (??, mostly one-week or so ..!) course in agile programming now I’m a l33t h@x0r’ kind of pre-puerile nonsense.

Well, dear readers, you know how times can fly and how reputations can change overnight. So it happens that his nickname suddenly meant something else. No more poetic escapes of sparse code and clean, logic-based algorithm library linking and calling/returning at the side of the waterfall. development method. No more re-use of the tried and tested. No more frozen waterfalls at all, due to scope creep leading to progress-temperature drops to zero and below, leading to icy atmospheres where nothing works anymore. No more basic weapons training of even knowing how to deploy re-usable code and algorithms…
All we have now, in these days with no more heroes (but the baddies are still out there, everywhere), is/was faint attempts at “patterns”, being of course the latter-day devolution of the very algorithms that made Knuth the hero he was. Is.

And then, DevOps came to the scene. If only Knuth were still in his prime, he would know what to do


[Only in such art is extremely precisely applied sloppiness a virtue …! Gemeentemuseum Den Haag]

Having a Coboll

Just when you thought that some problems had come and gone to be never heard from again, it turns out that it’s not that easy but big-time help is here.
Got tipped by a peer that flagged one particular company for help. No endorsement outright, no financial or other interest whatsoever [maybe I should, for the odds are with them], just plain ol’Hey Look That’s Interesting.

Because you didn’t get it; they help converting COBOL (and other mummyfied LoC) to New stuff.

On that note, I leave you with
[Images of volcanic activity keep blubbering out of your new systems infra, too; Zuid-As Ams]

Emergent logic

Some time ago I posted something(s) on how the audit community could become relevant again, veering away from compliance(-only or -not even a bit by the disclaimers that destroy a rainforest on every occasion) and moving into the world of ‘ethicality audits’ on autonomous decision( system)s.
Now with the insight that until now, the humans in the loop, the big loop with many steps of analysis to be taken, were as a matter of fact complicit in drafting and applying patterns and pattern matching techniques.
Which is no news, but when we see now the automated-logic type of decision making that is no more than a black box, the question is: How can we analyse what happens inside ..? Answer: Use the tools that Big Data analysts use; extend them to cover specific cases / transactions and see how the argumentation flow was.    ..?

Still, there may be progress in this way. E.g., by the ‘decision’ or behaviour of the system, being emergent. So that we don’t focus on the bits (almost literally) of the case at hand but on the meaning of those bits. Because that’s the level that ‘conscious’ reasoning works on, seeking the nous from the lower and material levels, working on the ‘machine’ at the higher level, and then translating it back to the material outcome.
Which is similar to the analysis that is Process Analysis, if done properly.

I’ll expand, later. And:
[Aranjuez to impress; same]

4Q for quality assurance

To go beyond the usual, downtrodden ‘quality in assurance’ epitome of dullness, herewith something worth considering.
Which is about the assessment of controls, to establish their quality (‘qualifications’) on four, subsequent, characteristics [taking some liberties, and applying interpretation and stretching]:

  • Design. The usual suspect here. About how the control, or rather set of them, should be able to function as a self-righting ship. Point being, that you should+ (must?) evaluate the proposed / implemented set of controls to see whether self-righting mechanisms have been built in, with hopefully graceful degradation when not (maintained) implemented correctly and fully — which should be visible in the design or else. Or, you’re relying on a pipe dream.
  • Installation. Similar to implementation-the-old-way, having the CD in hand and loading / mounting it onto or into a ‘system’.
  • Operational. Specifies the conditions within which the control(s) is expected to operate, the procedural stuff ‘around’ the control.
  • Performance. Both in terms of defining the measuring sticks, and the actual metrics on performance attached to the control(s). Here, the elements of (to be established) sufficiency of monitoring and maintenance also come ’round the corner.

Note; where there’s ‘control(s)’ I consider it obvious, going without saying (hence me here now writing instead of that), that all of the discussed applies to singleton controls as well as sets of controls grouped towards achieving some (level of) control objective. All too often, the very hierarchy of controls is overlooked or at best misconstrued to refer to organisational / procedural / technical sorts of divisions whereas my view here is towards the completely ad hoc qua hierarchy or so.
Note; I have taken some liberty in all of this. The Original piece centered around hardware / software, hence the Installation part so explicitly. But, on the whole, things shouldn’t be different for any type of control or would they in which case you miss the point.

And, the above shouldn’t just be done at risk assessment time, in this case seen as the risk assessment time when one establishes the efficacy, effectiveness of current controls, to establish gross to net, inherent to residual risks, on all one can identify in the audit universe, risk universe, at various levels of detail. On the contrary, auditors in particular should at the head of any audit, do the above evaluation within the scope of the audit, and establish the four qualities. Indeed focusing on Maturity, Competence, and Testing to establish that — though maybe Competence (not only the competence of the administrator carrying out the control, but far more importantly, the competence of the control to keep the risk in check) is something just that bit more crucial in the Design phase, with Maturity slightly outweighting the others in Installation and Operational, and Testing of course focusing on the Operational and Performance sides of things.

Intermission: The Dutch have the SIVA method for criteria design — which may have some bearing on the structure of controls along the above.

Now, after possibly having gotten into a jumble of elements above, a closing remark would be: Wouldn’t it be possible to build better, more focused and stakeholder-aligned, assurance standards of the ISAE3402 kind ..? Where Type I and II mix up the above but clients may need only … well, hopefully, only the full picture.
But the Dutch (them again) can at once improve their hazy, inconsistent interpretation of Design, Existence, and Effectiveness of control(s).
With Design often, mistaken very much yes but still, meaning whether there’s some design / overall structure of the control set, some top-down detailing structure and a bit of consistency but with the self-righting part being left to the overall blunder-application of PDCA throughout…;
Existence being the actual control having been written out or more rarely whether the control is found in place when the auditor come ’round;
Effectiveness… — hard to believe but still almost always clenched-teeth confirmed — being ‘repeatedly established to Exist’ e.g., at surprise revisits. Complaints that Effectiveness is utterly determined by Design, fall on stone deaf ears and overshouting of the mortal impostor syndrome fears.

Back to the subject: Can four separate opinions be generated to the above four qualities ..? Would some stakeholder benefit, and in what way? Should an audit be halted when at some stage of the four, the audit opinion is less than very Satisfactory — i.e., when thing go downhill when moving from ideals and plans to nitty practice — or should the scope of the audit be adapted, narrowed down on the fly so the end opinion of In Control applies only to the subset of scope where such an opinion is justified?
But a lot needs to be figured out still. E.g., suppose (really? the following is hard fact at oh so many occasions) change management is so-so or leaky at best; would it be useful to still look at systems integrity?

Help, much? Plus:
DSCN4069[An optimal mix of complexity with clarity; Valencia]

"Compliance auditing"

Is two distinct things, or a contradictio if taken as one.

  • The ‘compliance’ thing is just rote checking of the implementation of all petty rules. The Certificate certification type. If I’d even need to say more…
    Some even claim that by repeated checks of implementation, ‘operating effectiveness’ would be established. Fools. The operating effectiveness can only be designed in, so the first 99% of operating effectiveness can be checked in the design; what do you check the design for in the first place? Why would you check the design otherwise? And if you don’t, then what value to the petty paper that the standards are?
    Ah, “…the slavery of fear had made men afraid to think.” (Thomas Paine, Rights of Man, p.159) — that’s what this is about… As in a couple of last days’posts. But this is Not Auditing, since ..:
  • Auditing is the art of application of risk management upfront, and insight and wisdom afterwards. (as also in this.)
    Risk management upfront: Even when taking up some standards first and then seeing how it would apply to the case at hand, a true auditor would select, inter alia based on informal and formal risk assessment (in a mix dependent on the case, and experience) wat rules from the standard apply and which ones to check for in what various levels of detail. If ‘all’, you’re doing something Wrong like doing compliance checking.
    Insight and wisdom after: There’s no value whatsoever in noting deficiencies as such, or recommending on their remediation simply by inner-productlike fixes. There is value when taken one, two, more, many more, levels up and digging deep (upwards, usually) to find the true causes, possibly root causes (but do NOT overdo this), and then advising in smart, intelligent, wise ways to remediate those. Don’t think black-white here, but about (fundamentally different!) thesis versus antithesis, towards Synthesis… And, along the way of the audit, support and encourage those under stress/duress of audit requirements, petty standards requirements, and micromanaging bosses all standing in the way of actual performance and use of brain. When then, a final overall conclusion is to be had, this would be based on the ability and application to weigh arguments (as Cicero, utterly correct: “One should not count arguments but weigh them”, De Oratore 307-310 LXXVII) and hand down a verdict which all embrace for its wisdom and authority — your personal authority which isn’t power, not rightiousness-by-procedural-justice! Let alone attachment to some organisational body (self-aggrandised company or professional association), or by it of a title to you.

So, either you set your mind to Blank and do compliance checking, or you use your brain for its intended purpose [“irregardless” of its nature/nurture capability levels with you] and audit.
The first, not for nothing to be replaced by AI soon, very soon. The second, the almost-definition of what AI still (your mileage may vary) can’t do, yet… The first, for DAOs; the second, lost through Bureaucarcy (see previous posts).

[Shifty facades/faces; Zuid-As Amsterdam]

Two's a Charming Bureaucratic Voilence

First, two (yes) quotes:

To put it crudely: it is not so much that bureaucratic procedures are inherently stupid, or even that they tend to produce behaviour that they themselves define as stupid — though they do do that — but rather, that they are invariably ways of managing social situations that are already stupid because they are founded on structural voilence. (p.57) [ Where structural voilence is … look it up in your sociology study’s notes. Implicit or even explicit threats with disciplinary boards (however pastiche) and ostracism certainly gives you the right idea; ed. ]

At the same time, if one accepts Jean Piaget’s famous definition of mature intelligence as the ability to coordinate between multiple perspectives (or possible perspectives) one can see, here, precisely how bureaucratic power, at the moment it turns to violence, becomes literally a form of infantile stupidity. (pp. 80-81) [ Emphasis mine; ed. ]

This being from Graeber’s Utopia of Rules of course.

Now, apply this to the obviously receptive [what is the opposite side from ‘applicable’?] situation at some petty association that aggrandised itself and use the introduction of ‘quality control’ — not over itself but over parts of its member base — in a criminal way [since the legal and (self- and external) regulatory arguments were and are simply invalid, and procedures at points illegal outright] to force them into obedience to Kafkaesk procedures that wouldn’t and still don’t apply to those in power at the association. Gollum “the ring is mine!”.

My point being the conclusion of infantile stupidity. Charming for its tragicomedy. A disaster at many fronts for those affected by it…

Oh well:
[To swat a completely imagined fly; Edinburgh]

The year of IT is no more Department

Or, once upon a long, long time ago in a land far, far away, there was IT, the hero department that ruled over all of information processing. Because information processing was a strange and dangerous thing and if you chopped off one security flaw, seven others would be introduced. So, the IT department was well-trained in keeping the architecture-and-infrastructure beast alive, with all its fresh new and old legacy body parts, fed every now and then with a fair maiden project.

Oh how things evolved. Lately (being the past couple of decades), the department was split, incompletely, between Development/Maintenance, and Operations. Things were run with ITIL and CobIT — as In Name Only as PINO was to the Prince, II.

The INO part being audited throughout (see previous post) but without anyone really caring about the outcomes of that. NO not even regulators or so, so devoid of truly understanding that the qualification ‘parasite’ isn’t too far off, even.

And now, there’s a slow but steady breakthrough of bands of liberators. Deperimetrisation, socmed, cloud, Big Data, flex work(place), hackers-contra-cyber (#ditchcyber), … the many-headed Central Scrutiniser is sprayed wth acid from all sides and is slowly shrunk. Softly wailing for mercy, some do but to not much avail. Maybe an embrace of Sloterdijk’s Part III foams may help.

Ah, I’m not positive but can be — at least, life will remain in the body that is infrastructure management (-coordination) and incident management, etc.

First, this:

Then, this:

[Outsourcing basic shopping to the experts at Milan]

Low standards

The compliance check-box approach is an atrocious thing for and to many things and reasons, but has been induced by the very growth of the industry. Since all margin calls at all controls and controls objectives achievement have been whipped out — and no-one dares to or has the experience for margins calls anymore. How low can your standards of professionalism dive.

Sic transit gloria mundi; the trade once was a veritable gentleman’s (M/F/~) affair, for one put up one’s honour and good name (and standing including life, liberty, welfare and happiness) for the value of the second opinion over the full width of the (opinion about subject matter) playing field.
But one’s good name is no more. Men are no longer honorable, virtue isn’t a thing anymore; pluto reigns, in particular at 1600 Penn Ave — the demise of humanity. In the coming years, the standards will follow; having deteriorated from standards to hold Men to, to straight jackets most easily escaped from by surreptitiously gaming the system, making the system the mockery of men. I repeat myself.

But ideals, values, virtue and all things principle-based will resurface; if only trivially since the now resurgent risk-management approach would not work otherwise. The value is already returning to the dare of the expert to call it not to fold on details.
Hence, new standards will emerge. Pure-principles lists, no nitty-gritty stuff. To be audited on, by knowledgeable advisors that can relate sample controls / -frameworks to the principles and back. The 27k1/2 divide, but strengthened, widened.

About the latter; the renewed gap between principles and samples, will also allow auditors more flex when determining their audit approach as in next week’s post ;-|

By the way, the Dutch may read a bit on the same issue, au fond, and some pointers to solutions, if they’d work (put hypothetically for a reason), in this here piece, released after my draft of the above.

Oh, and:
[A winery, of course; Douro valley]

Maverisk / Étoiles du Nord