Risk //

Compliance

8/6/2013
04:57 PM
50%
50%

Zoo Dog

A personal tale of documentation failure

On the occasion of my recent birthday, my mother brought me an unusual gift. It was a faded drawing I had made when I was 5 years old. She said the drawing was one I made of my younger brother, John, complete with ribs and heart. The faded paper had all ten single-digit numbers carefully written, as well as these two words: "ZOO DOG."

My mother believes I was calling my brother "Zoo Dog" instead of "John." However, I think perhaps, just like the numbers, these were simply two words I happened to know how to spell, and I merely wanted to express the range of my skills. I mean, I was five and this was long ago before all five-year-olds were brilliant writers, mathematicians, and athletes.

Writing two words, even with only three letters each, was probably a point of pride for me. And Mom hadn't concluded I was renaming my brother, "1234567890," even if the argument for it was almost as solid.

What did I really mean when I wrote "Zoo Dog?" No one really knows for sure, not even my mother, who was a competent supervisor at the time. Not even me, the author.

So what in the world does this have to do with technology, security, or compliance? It demonstrates an important lesson about documentation. No matter how obvious documentation may seem to be when created, over time the meaning can be lost, unless the documentation was systematic, thorough, and maintained.

I'm the author of a document that might be about my brother John the Zoo Dog. Or it may not have anything to do with him. I'm sure it was clear to me what Zoo Dog meant when I wrote it. Now, I'm not only unsure, I'm guessing wildly. And I'm not going to figure it out either. (Frankly, we're working on a guess that the drawing is even my brother.)

A similar loss of meaning commonly happens in systems and compliance documentation. In fact, few will admit it, but what I will now call the Zoo Dog Documentation Issue is actually quite common in many organizations that have invested in documentation for security or compliance.

Companies often spend significant time and money to create crucial business operations and security documentation. All too often, this documentation is created in response to an upcoming audit or review. After the audit, the documentation is often neglected, soon becoming obsolete or unclear as memories fade, new projects gain attention, technology changes, and people move on in their careers.

Take the documents out of routine use for long enough and the entire investment can easily be wasted. In time, even the original author may no longer recall the meaning or intent. And if the original author doesn't know, why would anyone else know with any accuracy? These documents must then be recreated, or at least subjected to extensive verification, before they will be relevant again, more than duplicating their original cost and in the meantime leaving your business open to real vulnerabilities.

Do you have old, vague Zoo Dog documentation at your business? What did it cost your organization to create, and, more important, if you don't update and maintain it, do you know the extent of the potential risks and consequences it has for you today?

Whether I call my brother John or Zoo Dog won't really make much difference, since he knows the story and will recognize I'm talking to him. But outdated and confusing documentation can cause a serious problem for you and your business, since it can render your organization uncompliant, unsecure, and in some cases, unstable.

Glenn S. Phillips now wonders what to call his brother. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
8/14/2013 | 5:56:20 PM
re: Zoo Dog
You make an excellent point, illustrated with an equally excellent story I'm sure every one of us can relate to in business and in life. Especially when turnover is high companies can quickly compile Zoo Dog information that takes up valuable server space.

I can only hope you've created a globally adopted industry term. "John, what is the meaning of this report?" "I'm not sure sir, must be Zoo Dog."
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
NC Water Utility Fights Post-Hurricane Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.