Senator Feinstein had some pretty clear warnings about the appointment of Alito, in her Judiciary Committee statement today. Apparently she feels the best thing for America is to vote against his nomination to the bench:

I listened carefully to the testimony of many legal specialists, including professors in constitutional law. I listened to Professor Tribe. And something he said really struck me.

This is what he said: ‘The court will cut back on Roe v. Wade step by step, not just to the point where, as the moderate American center has it, abortion is cautiously restricted, but to the point where the fundamental underlying right to liberty becomes a hollow shell.’

And then I began to think about all of the things the fundamental right to liberty in this country encompasses such as: end of life decisions, privacy of medical records, privacy from unwarranted government intrusion.

On February 6 we begin the discussion and hearings on an interpretation of the use of force resolution to countenance something that none of us ever thought it would countenance – a threat to this liberty interest.

And I came to the conclusion that the fundamental right to liberty is at issue with this nominee.

It has nothing to do with his qualifications and his credentials. But it does have something to do with how far we are willing to see this Court move to the right and out of the mainstream of legal thinking in this great country.

And I, for one, really believe that there comes a time when you just have to stand up, particularly when you know that the majority of people think as you do.

And I truly believe that. I really believe the majority of people in America believe that a woman should have certain rights of privacy, modified the state, but a certain right to privacy. And if you know that this person is not going to respect those rights, but holds to a different theory, then you have to stand up.

And so all of this is in answer to Senator Kyl, because this is a hard vote. But it is a vote that is made with the belief that legal thinking and personal views, especially at times of crisis, at times of conflict, and at times of controversy do mean something. And those of us that don’t agree with the view have to stand up and vote no.

And so I am one of those.

Several people have asked me what’s new and different about the latest release of the Control Objectives for Information and related Technology (CObIT4). I have not read the official release yet from the Information Systems Audit and Control Foundation and IT Governance Institute (the primary backers) but here are some of the things that have stood out so far:

The framework has some basic rewording and reorganization that is intended to be more consistent with other standards, such as ITIL (convergence is good). For example Plan and Organize 8 (PO8) “Ensure compliance with external requirements” has been completely removed and the text transfered to a new Monitor and Evaluate 4 (ME4) “Ensure regulatory compliance”, which replaces the old ME4 “Provide for independent audit” since that was considered outside the scope of IT. Deliver and Support 8 (DS8) was renamed “Manage service desk and incidents” with Deliver and Support 10 (DS10) being renamed to “Manage problems”, which means problems will be handled separately. You get the idea…

There is also a shift from five resources to four:
– People
– Information (instead of “Data”)
– Applications
– Infrastructure (to replace both “Technology” and “Facilities”)

And the overall structure has been changed to
– Control over IT processes of…
– to satisfy the business requirement of…
– is achieved by…
– is managed by…
– and is measured by…

A recent decision of the Bankruptcy Appeals Panel of the 9th Circuit (VEE VINHNEE v. AMEX: Dec 16, 2005) seems to suggest that adequate controls to protect audit logs must be in place in order to prove the authenticity of digital information.

I have heard some conclude that this leads directly towards cryptographic protections, but it seems plausable to me that proper access controls and strong identity management might also be argued to be sufficient, if not compensatory.

The testimony by AMEX employees who routinely accessed the data was non-expert, and it suggests that they could only assume controls were in place but did not know/verify. This appears to have opened up the possibility that the data could not be proven to be authentic.

The decision explores the issue of authenticity and has some interesting citations such as “George L. Paul, The “Authenticity Crisisâ€? in Real Evidence, 15 PRAC. LITIGATOR No. 6, at 45-49 (2004). It also calls out a specific “scientific” methodology to help examine the “validity of the theory underlying computers and of their general reliability”:

Professor Imwinkelried perceives electronic records as a form of scientific evidence and discerns an eleven-step foundation for computer records:
1. The business uses a computer.
2. The computer is reliable.
3. The business has developed a procedure for inserting data into the computer.
4. The procedure has built-in safeguards to ensure accuracy and identify errors.
5. The business keeps the computer in a good state of repair.
6. The witness had the computer readout certain data.
7. The witness used the proper procedures to obtain the readout.
8. The computer was in working order at the time the witness obtained the readout.
9. The witness recognizes the exhibit as the readout.
10. The witness explains how he or she recognizes the readout.
11. If the readout contains strange symbols or terms, the witness explains the meaning of the symbols or terms for the trier of fact.

The decision then suggests that step four is of particular importance, given the lack of proof that controls existed to ensure the accuracy of data:

The testimony of the records custodian at trial regardingthe computer equipment used by American Express was vague, conclusory, and, in light of the assertion that “[t]here’s no way that the computer changes numbers,� unpersuasive.

If you read the testimony yourself, you can see the issue the decision is referring to…

I couldn’t testify to exactly what – what the model is or anything like that. It’s – you know, our computer system that we’ve used for, you know, quite some time to produce the documents, to gather the information, to store the information and then, you know, produce the statements to the card members. And we – you know, it’s highly accurate. It’s based on the fees that go in. There’s no way that the computer changes numbers or so.

I can imagine a million ways to be more convincing/prepared with regard to the controls used to protect the data in question. But the real question, I guess, is whether cryptographic controls should now be considered a minimum requirement?

With the recent release of ISO17799:2005 and CObIT4 I guess I need to rewite my controls map (not to mention the long list of privacy laws debated in California during 2005). I really like the ISO revision, but am still catching up with CObIT. One of the challenges of helping organizations stay on top of their controls is chosing the right blend of guidance and frameworks. I’m not saying you have to use a blend, but since they are never a perfect fit and different groups have their favorites (Auditors love COSO/CObIT, Engineers go for ISO, Ex-gov bring up the NSA and NIST, etc.) I find it helps to pull it all together into a shared map. For example: