Risk // Compliance
8/6/2013
04:57 PM
50%
50%

Zoo Dog

A personal tale of documentation failure

On the occasion of my recent birthday, my mother brought me an unusual gift. It was a faded drawing I had made when I was 5 years old. She said the drawing was one I made of my younger brother, John, complete with ribs and heart. The faded paper had all ten single-digit numbers carefully written, as well as these two words: "ZOO DOG."

My mother believes I was calling my brother "Zoo Dog" instead of "John." However, I think perhaps, just like the numbers, these were simply two words I happened to know how to spell, and I merely wanted to express the range of my skills. I mean, I was five and this was long ago before all five-year-olds were brilliant writers, mathematicians, and athletes.

Writing two words, even with only three letters each, was probably a point of pride for me. And Mom hadn't concluded I was renaming my brother, "1234567890," even if the argument for it was almost as solid.

What did I really mean when I wrote "Zoo Dog?" No one really knows for sure, not even my mother, who was a competent supervisor at the time. Not even me, the author.

So what in the world does this have to do with technology, security, or compliance? It demonstrates an important lesson about documentation. No matter how obvious documentation may seem to be when created, over time the meaning can be lost, unless the documentation was systematic, thorough, and maintained.

I'm the author of a document that might be about my brother John the Zoo Dog. Or it may not have anything to do with him. I'm sure it was clear to me what Zoo Dog meant when I wrote it. Now, I'm not only unsure, I'm guessing wildly. And I'm not going to figure it out either. (Frankly, we're working on a guess that the drawing is even my brother.)

A similar loss of meaning commonly happens in systems and compliance documentation. In fact, few will admit it, but what I will now call the Zoo Dog Documentation Issue is actually quite common in many organizations that have invested in documentation for security or compliance.

Companies often spend significant time and money to create crucial business operations and security documentation. All too often, this documentation is created in response to an upcoming audit or review. After the audit, the documentation is often neglected, soon becoming obsolete or unclear as memories fade, new projects gain attention, technology changes, and people move on in their careers.

Take the documents out of routine use for long enough and the entire investment can easily be wasted. In time, even the original author may no longer recall the meaning or intent. And if the original author doesn't know, why would anyone else know with any accuracy? These documents must then be recreated, or at least subjected to extensive verification, before they will be relevant again, more than duplicating their original cost and in the meantime leaving your business open to real vulnerabilities.

Do you have old, vague Zoo Dog documentation at your business? What did it cost your organization to create, and, more important, if you don't update and maintain it, do you know the extent of the potential risks and consequences it has for you today?

Whether I call my brother John or Zoo Dog won't really make much difference, since he knows the story and will recognize I'm talking to him. But outdated and confusing documentation can cause a serious problem for you and your business, since it can render your organization uncompliant, unsecure, and in some cases, unstable.

Glenn S. Phillips now wonders what to call his brother. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
8/14/2013 | 5:56:20 PM
re: Zoo Dog
You make an excellent point, illustrated with an equally excellent story I'm sure every one of us can relate to in business and in life. Especially when turnover is high companies can quickly compile Zoo Dog information that takes up valuable server space.

I can only hope you've created a globally adopted industry term. "John, what is the meaning of this report?" "I'm not sure sir, must be Zoo Dog."
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?