Risk //

Compliance

8/6/2013
04:57 PM
50%
50%

Zoo Dog

A personal tale of documentation failure

On the occasion of my recent birthday, my mother brought me an unusual gift. It was a faded drawing I had made when I was 5 years old. She said the drawing was one I made of my younger brother, John, complete with ribs and heart. The faded paper had all ten single-digit numbers carefully written, as well as these two words: "ZOO DOG."

My mother believes I was calling my brother "Zoo Dog" instead of "John." However, I think perhaps, just like the numbers, these were simply two words I happened to know how to spell, and I merely wanted to express the range of my skills. I mean, I was five and this was long ago before all five-year-olds were brilliant writers, mathematicians, and athletes.

Writing two words, even with only three letters each, was probably a point of pride for me. And Mom hadn't concluded I was renaming my brother, "1234567890," even if the argument for it was almost as solid.

What did I really mean when I wrote "Zoo Dog?" No one really knows for sure, not even my mother, who was a competent supervisor at the time. Not even me, the author.

So what in the world does this have to do with technology, security, or compliance? It demonstrates an important lesson about documentation. No matter how obvious documentation may seem to be when created, over time the meaning can be lost, unless the documentation was systematic, thorough, and maintained.

I'm the author of a document that might be about my brother John the Zoo Dog. Or it may not have anything to do with him. I'm sure it was clear to me what Zoo Dog meant when I wrote it. Now, I'm not only unsure, I'm guessing wildly. And I'm not going to figure it out either. (Frankly, we're working on a guess that the drawing is even my brother.)

A similar loss of meaning commonly happens in systems and compliance documentation. In fact, few will admit it, but what I will now call the Zoo Dog Documentation Issue is actually quite common in many organizations that have invested in documentation for security or compliance.

Companies often spend significant time and money to create crucial business operations and security documentation. All too often, this documentation is created in response to an upcoming audit or review. After the audit, the documentation is often neglected, soon becoming obsolete or unclear as memories fade, new projects gain attention, technology changes, and people move on in their careers.

Take the documents out of routine use for long enough and the entire investment can easily be wasted. In time, even the original author may no longer recall the meaning or intent. And if the original author doesn't know, why would anyone else know with any accuracy? These documents must then be recreated, or at least subjected to extensive verification, before they will be relevant again, more than duplicating their original cost and in the meantime leaving your business open to real vulnerabilities.

Do you have old, vague Zoo Dog documentation at your business? What did it cost your organization to create, and, more important, if you don't update and maintain it, do you know the extent of the potential risks and consequences it has for you today?

Whether I call my brother John or Zoo Dog won't really make much difference, since he knows the story and will recognize I'm talking to him. But outdated and confusing documentation can cause a serious problem for you and your business, since it can render your organization uncompliant, unsecure, and in some cases, unstable.

Glenn S. Phillips now wonders what to call his brother. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
8/14/2013 | 5:56:20 PM
re: Zoo Dog
You make an excellent point, illustrated with an equally excellent story I'm sure every one of us can relate to in business and in life. Especially when turnover is high companies can quickly compile Zoo Dog information that takes up valuable server space.

I can only hope you've created a globally adopted industry term. "John, what is the meaning of this report?" "I'm not sure sir, must be Zoo Dog."
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3937
PUBLISHED: 2018-08-14
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...
CVE-2018-3938
PUBLISHED: 2018-08-14
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST r...
CVE-2018-12537
PUBLISHED: 2018-08-14
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVE-2018-12539
PUBLISHED: 2018-08-14
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...
CVE-2018-3615
PUBLISHED: 2018-08-14
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.