Risk // Compliance
8/6/2013
04:57 PM
50%
50%

Zoo Dog

A personal tale of documentation failure

On the occasion of my recent birthday, my mother brought me an unusual gift. It was a faded drawing I had made when I was 5 years old. She said the drawing was one I made of my younger brother, John, complete with ribs and heart. The faded paper had all ten single-digit numbers carefully written, as well as these two words: "ZOO DOG."

My mother believes I was calling my brother "Zoo Dog" instead of "John." However, I think perhaps, just like the numbers, these were simply two words I happened to know how to spell, and I merely wanted to express the range of my skills. I mean, I was five and this was long ago before all five-year-olds were brilliant writers, mathematicians, and athletes.

Writing two words, even with only three letters each, was probably a point of pride for me. And Mom hadn't concluded I was renaming my brother, "1234567890," even if the argument for it was almost as solid.

What did I really mean when I wrote "Zoo Dog?" No one really knows for sure, not even my mother, who was a competent supervisor at the time. Not even me, the author.

So what in the world does this have to do with technology, security, or compliance? It demonstrates an important lesson about documentation. No matter how obvious documentation may seem to be when created, over time the meaning can be lost, unless the documentation was systematic, thorough, and maintained.

I'm the author of a document that might be about my brother John the Zoo Dog. Or it may not have anything to do with him. I'm sure it was clear to me what Zoo Dog meant when I wrote it. Now, I'm not only unsure, I'm guessing wildly. And I'm not going to figure it out either. (Frankly, we're working on a guess that the drawing is even my brother.)

A similar loss of meaning commonly happens in systems and compliance documentation. In fact, few will admit it, but what I will now call the Zoo Dog Documentation Issue is actually quite common in many organizations that have invested in documentation for security or compliance.

Companies often spend significant time and money to create crucial business operations and security documentation. All too often, this documentation is created in response to an upcoming audit or review. After the audit, the documentation is often neglected, soon becoming obsolete or unclear as memories fade, new projects gain attention, technology changes, and people move on in their careers.

Take the documents out of routine use for long enough and the entire investment can easily be wasted. In time, even the original author may no longer recall the meaning or intent. And if the original author doesn't know, why would anyone else know with any accuracy? These documents must then be recreated, or at least subjected to extensive verification, before they will be relevant again, more than duplicating their original cost and in the meantime leaving your business open to real vulnerabilities.

Do you have old, vague Zoo Dog documentation at your business? What did it cost your organization to create, and, more important, if you don't update and maintain it, do you know the extent of the potential risks and consequences it has for you today?

Whether I call my brother John or Zoo Dog won't really make much difference, since he knows the story and will recognize I'm talking to him. But outdated and confusing documentation can cause a serious problem for you and your business, since it can render your organization uncompliant, unsecure, and in some cases, unstable.

Glenn S. Phillips now wonders what to call his brother. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
8/14/2013 | 5:56:20 PM
re: Zoo Dog
You make an excellent point, illustrated with an equally excellent story I'm sure every one of us can relate to in business and in life. Especially when turnover is high companies can quickly compile Zoo Dog information that takes up valuable server space.

I can only hope you've created a globally adopted industry term. "John, what is the meaning of this report?" "I'm not sure sir, must be Zoo Dog."
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2382
Published: 2014-11-20
The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise 8.10 and earlier allows local administrators to cause a denial of service (crash) and execute arbitrary code via a crafted IOCTL request that writes to arbitrary memory locations, related to the IofCallDriver function.

CVE-2014-3625
Published: 2014-11-20
Directory traversal vulnerability in Pivitol Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CVE-2014-8387
Published: 2014-11-20
cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi.

CVE-2014-8493
Published: 2014-11-20
ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote attackers to modify the CWMP configuration via a crafted request to Forms/access_cwmp_1.

CVE-2014-8767
Published: 2014-11-20
Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?