Risk // Compliance
8/6/2013
04:57 PM
50%
50%

Zoo Dog

A personal tale of documentation failure

On the occasion of my recent birthday, my mother brought me an unusual gift. It was a faded drawing I had made when I was 5 years old. She said the drawing was one I made of my younger brother, John, complete with ribs and heart. The faded paper had all ten single-digit numbers carefully written, as well as these two words: "ZOO DOG."

My mother believes I was calling my brother "Zoo Dog" instead of "John." However, I think perhaps, just like the numbers, these were simply two words I happened to know how to spell, and I merely wanted to express the range of my skills. I mean, I was five and this was long ago before all five-year-olds were brilliant writers, mathematicians, and athletes.

Writing two words, even with only three letters each, was probably a point of pride for me. And Mom hadn't concluded I was renaming my brother, "1234567890," even if the argument for it was almost as solid.

What did I really mean when I wrote "Zoo Dog?" No one really knows for sure, not even my mother, who was a competent supervisor at the time. Not even me, the author.

So what in the world does this have to do with technology, security, or compliance? It demonstrates an important lesson about documentation. No matter how obvious documentation may seem to be when created, over time the meaning can be lost, unless the documentation was systematic, thorough, and maintained.

I'm the author of a document that might be about my brother John the Zoo Dog. Or it may not have anything to do with him. I'm sure it was clear to me what Zoo Dog meant when I wrote it. Now, I'm not only unsure, I'm guessing wildly. And I'm not going to figure it out either. (Frankly, we're working on a guess that the drawing is even my brother.)

A similar loss of meaning commonly happens in systems and compliance documentation. In fact, few will admit it, but what I will now call the Zoo Dog Documentation Issue is actually quite common in many organizations that have invested in documentation for security or compliance.

Companies often spend significant time and money to create crucial business operations and security documentation. All too often, this documentation is created in response to an upcoming audit or review. After the audit, the documentation is often neglected, soon becoming obsolete or unclear as memories fade, new projects gain attention, technology changes, and people move on in their careers.

Take the documents out of routine use for long enough and the entire investment can easily be wasted. In time, even the original author may no longer recall the meaning or intent. And if the original author doesn't know, why would anyone else know with any accuracy? These documents must then be recreated, or at least subjected to extensive verification, before they will be relevant again, more than duplicating their original cost and in the meantime leaving your business open to real vulnerabilities.

Do you have old, vague Zoo Dog documentation at your business? What did it cost your organization to create, and, more important, if you don't update and maintain it, do you know the extent of the potential risks and consequences it has for you today?

Whether I call my brother John or Zoo Dog won't really make much difference, since he knows the story and will recognize I'm talking to him. But outdated and confusing documentation can cause a serious problem for you and your business, since it can render your organization uncompliant, unsecure, and in some cases, unstable.

Glenn S. Phillips now wonders what to call his brother. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
8/14/2013 | 5:56:20 PM
re: Zoo Dog
You make an excellent point, illustrated with an equally excellent story I'm sure every one of us can relate to in business and in life. Especially when turnover is high companies can quickly compile Zoo Dog information that takes up valuable server space.

I can only hope you've created a globally adopted industry term. "John, what is the meaning of this report?" "I'm not sure sir, must be Zoo Dog."
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.