Garland Group Blog

Archive for January, 2010

Insights | Good Boards of Directors = Good IT?

Brad January 15th, 2010 0 Comments

Boards

This is a series of posts from The Garland Group consultants from the road. Due to our wide range of clients, trends emerge and we want to share those insights with you.

This bit below is from a blog I ran across a few days ago while doing a little project management research online.

“The main reason IT people are unhappy at work is bad relations with management.” It goes on to say that “the fact is that IT people hate bad management and have even less tolerance for it than most other kinds of employees”.

Banks we review that have a well-informed Board of Directors and a functional Information Technology Committee have very successful IT controls and a stable IT staff that enjoys its work. A successful environment starts at the Board level and is dispersed to internal users through proper management and training. A well-informed Board of Directors helps ensure the proper allocation of funds for needed IT equipment and services (staff).

Some banks are still in need of good IT direction…

Find how many subnets? OMG! How?

Henry January 13th, 2010 1 Comment

As technology folks, we like to get technical (read: geeky) from time to time. If you’re like us, this is the post for you. WARNING: Heavy technical speak ahead.

Subnetting is the most complicated and hard-to-understand section in network engineering. If you are planning to take a certification exam such as the CCNA, you must understand the nuts and bolts of subnetting. The more problems you practice, the more confidence you build in doing them. You can build your very own number chart for subnetting. This table is just one of them…

Subnet table (Table A and Table B):

If you have been in the IT field for a while you must have come across some annoying subnetting scenarios. From your favorite IT book and/or networking website, I am sure you already understand why we need subnetting: when networks grow larger it makes sense to subdivide them into smaller groups of networks, which improves performance, gives better handling of security and eases address management. Subnetting allows us to divide a larger network into logical broadcast domains called subnets. (If you are planning to take the CCNA certification, you have to be prepared to answer subnet questions quickly while under time pressure.) The quickest approach is to practice a diverse set of subnet questions multiple times. Once you understand the math behind subnetting, memorize this table; you should then be able to answer any subnet question within seconds. If you practice enough problems, this number chart will stay in your mind for a long time! Forget one-minute solutions when subnetting can be done within a few seconds… Now, let’s understand the numbers behind this table.

Table A has three rows:

1. Bit #: This row gives the bit number within the 8-bit binary number (octet).

2. Power: This row shows the place value of the corresponding bit as a power of 2.

3. Value: This row shows the decimal value of the corresponding bit.

Table B has three rows:

1. No. Bits: This row shows the number of one bits in the mask octet, counting from the left.

2. Mask: This row shows the subnet mask octet. For example, if all 8 bits are ones, 11111111, the mask is 255. If 7 bits are ones, 11111110, the mask is 254. If 6 bits are ones, 11111100, the mask is 252, etc.

3. The Magic #: This row shows the magic number, which is the mask value subtracted from 256. Ex: 256 - 255 = 1; 256 - 254 = 2; 256 - 252 = 4, etc.

(You could further refine this by remembering only the smaller purple-colored numbers, as those are the only numbers that make sense for subnetting.) You can combine these two tables if you like, or make any other variation that helps you memorize it. Another important thing you need to remember is the address classes.

Class A: 1-126      Class B: 128-191    Class C: 192-223

Class A: NHHH Class B: NNHH Class C: NNNH (N= Network Bits; H = Host Bits)

Now let’s put all this into action by tackling a subnet problem. I assume you understand CIDR notation.

Example: 192.168.40.0/27 What can you see from this?

192 in the first octet makes this a Class C address, so we have borrowed 27 - 24 = 3 network bits. Using Table B, 3 bits gives a mask of 224 and a magic number of 32. 2^3 = 8 (Table A), which means 8 subnets.

This tells you the 1st subnet address is 192.168.40.32, the second is 192.168.40.64, the 3rd is 192.168.40.96 and so on; the subnets count up by 32s: .32, .64, .96, .128, … Let’s look at the second subnet address, 192.168.40.64. The 1st usable host IP address is 192.168.40.65; just add one to the network address. The broadcast address for this subnet is 192.168.40.95; we get 95 by subtracting one from the next network address, 96. Once we know the broadcast address, we can find the highest usable IP by subtracting one from it: 192.168.40.94.
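The magic-number method above, worked in code as an added example (not part of the original post): it builds Tables A and B, derives the borrowed bits, mask octet, magic number and subnet list for a prefix such as 192.168.40.0/27, and returns the first host, broadcast and last host of any subnet. The Class A/B/C ranges follow the post; the function names are my own, and the subnet list includes the all-zeros subnet 192.168.40.0, which is how the count reaches the post’s 2^3 = 8.

```python
# Added example, not from the original post: the post's magic-number method for
# IPv4 subnetting worked in code. The classful defaults (Class A/B/C ranges)
# follow the post; all function names here are my own.

def table_a():
    """Table A: (bit #, power of two, decimal value) for the 8 bits of an octet."""
    return [(bit, 8 - bit, 2 ** (8 - bit)) for bit in range(1, 9)]

def table_b():
    """Table B: (no. of leading one bits, mask octet, magic number = 256 - mask)."""
    return [(n, 256 - 2 ** (8 - n), 2 ** (8 - n)) for n in range(1, 9)]

def classful_bits(first_octet):
    """Default network bits from the first octet, per the class ranges in the post."""
    for low, high, bits in ((1, 126, 8), (128, 191, 16), (192, 223, 24)):
        if low <= first_octet <= high:
            return bits
    raise ValueError("not a Class A, B or C address")

def _parse(cidr):
    addr, prefix = cidr.split("/")
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big"), int(prefix)

def _fmt(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def subnet_facts(cidr, limit=256):
    """Borrowed bits, mask octet, magic number, subnet count and the first subnets."""
    addr, prefix = _parse(cidr)
    first_octet = addr >> 24
    borrowed = prefix - classful_bits(first_octet)
    idx = (prefix - 1) // 8                 # octet the mask ends in: /27 -> 3 (4th)
    ones = prefix - 8 * idx                 # one bits in that octet: /27 -> 3
    mask, magic = table_b()[ones - 1][1:]   # /27 -> 224, 32
    block = magic << (8 * (3 - idx))        # the magic number in that octet's place
    base = addr & ~((1 << (32 - classful_bits(first_octet))) - 1)  # classful network
    count = 2 ** borrowed
    subnets = [_fmt(base + i * block) for i in range(min(count, limit))]
    return {"borrowed": borrowed, "mask": mask, "magic": magic,
            "count": count, "subnets": subnets}

def host_range(cidr):
    """(first usable host, broadcast, last usable host) of the subnet holding cidr."""
    addr, prefix = _parse(cidr)
    block = 1 << (32 - prefix)              # equals magic << 8*(3-idx) above
    network = addr & ~(block - 1)           # clear the host bits
    broadcast = network + block - 1         # one below the next network address
    return _fmt(network + 1), _fmt(broadcast), _fmt(broadcast - 1)
```

`host_range("192.168.40.64/27")` returns the post’s figures: 192.168.40.65, 192.168.40.95 and 192.168.40.94.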

If you practice this enough you can answer most subnet problems just by looking at them. Then not only can you surprise your colleagues and friends, but you can complete your CCNA certification exam with confidence.

Happy subnetting!

Continuous Compliance Starts with a Cultural Shift

The Community January 11th, 2010 0 Comments

Wells Fargo implemented its Continuous Auditing process in 2001 and has continued to develop the program since then, with tangible ROI: “$400,000 in travel expenses reduced annually and 23,500 budgeted hours reduced annually.” Recently we had a chat with Erica Ocana-Smith, Senior Audit Manager at Wells Fargo, and she shared a few nuggets with us on how they changed their culture.

“Continuous auditing starts with a cultural shift from policing to invisibility. You need to infuse it into business processes.”

How is this done?

  • Define the organization’s security and compliance culture. “Our audit team sat down with the operations and management teams and defined what kind of culture we wanted. We came up with 7 culture statements; the most critical one was: We want a culture of risk management and accountability of issues.”
  • Get buy in from your entire audit and compliance team.
    “This is what we were doing. We understand we were interrupting your work flow so we want to do it better.” The team now feels a part of the decision and has a vested interest in the success.
  • Show your team how it benefits them and makes their job easier.
    “Won’t you rather find this than waiting for the auditor?”
  • Communication – collaborate with departments across the enterprise including management.
  • Ensure ongoing awareness and training.

A cultural shift does not happen overnight; however, if your entire organization is on board with continuous compliance or continuous auditing, you lay the groundwork for a secure enterprise.

Back to Basics

The Community January 11th, 2010 0 Comments

Years ago in my IT capstone class we learned that you can’t manage what you can’t measure. This ultimately led us to cram, yes cram, the Zachman framework to regurgitate it on our test. Shhhh, don’t tell my professor. Despite the cramming, something obviously stayed with me: even though our threats, risks, and IT security issues have escalated, when we’re managing IT security we must consider every segment of the enterprise. I dare say collaboration.

Looking at all the frameworks can be quite daunting, but if we break them down and home in on key components they become easier to understand. Let’s look at three of the main ones: the Balanced Scorecard, the CobIT framework, and the Zachman framework.

Balanced Scorecard

All the components can apply to security compliance. Working backwards: a breach affects internal business processes as we try to retrieve lost data, erodes finances with legal fees and fines, drives customer churn, impedes learning and growth, and impacts the business’s vision and strategy.

CobIT

The key pieces we can look at are governance and business objectives. IT security is the umbrella that governs every facet of the enterprise. When an organization understands this they make a giant leap into mastering security and compliance.

Zachman’s

I love the People and Scope components of this framework. People are the biggest and most difficult part of the equation. How do we control them and instill a security culture? It’s not enough to lay down policies and rules without training, or without ensuring that they are being followed.

The common elements in each IT framework are vision and strategy, business objectives and scope. All these equate to enterprise goals. So as the IT department plays a role in defining enterprise goals it behooves us to employ a holistic approach to IT security and compliance as it ultimately affects the entire enterprise. Looking at the other components of the different frameworks we pull in governance, business processes, finance, people, and customers. What connects all these elements? – Collaboration.

We absolutely cannot have continuous compliance and a secure enterprise without collaboration. Departments, business units, and divisions cannot operate blindly with the mindset that security and compliance rest on the shoulders of the Audit or IT department. IT must have open dialogue with the Operations department, which in turn needs to communicate with Finance, Human Resources, Customer Service and the executive management team. No area in the enterprise is exempt from the collaboration chain. Collaboration is the common link that can pull all the pieces together, enable communication, increase transparency, allow for training, and create a culture of continuous compliance within an enterprise.

Now who wants to take on the challenge of creating a framework for continuous compliance? Let’s do it! To give us your feedback, leave a comment below or contact us here!