Availability is simply the ability to get what you want from the system when you need it. There should not be any barriers outside of the checks and balances that manage the other security perspectives in the CIADA model.

Given that Excel is a fairly robust and prevalent industry application, there are not many software ‘features’ that may deliberately or inadvertently withhold information from its own users; though a side thought would caution against passwords only known by one person which is a simple but important risk.

Beyond this, I am slightly at a loss with regards to the specific availability threats in the context of decision support and reporting with Excel. The threats would be largely similar to any system I think… maybe there is something I am missing under this heading.

Appropriateness and alternatives advice is thin on the ground given that the risks cross solutions. So… um… yeah… (tumbleweed).

Contact me if you think of anything deep and meaningful – tweet me using @stugom or email me using stuart [dot] gomersall at bsguk [dot] co [dot] uk – and we can revise this post with appropriate credits where due.

The post Spreadsheets in the enterprise, considering availability (pt 3/5) appeared first on BSG (UK).

This post looks at the perspective of integrity – defined for this purpose as “concerning the unwanted modification of data.”

Modifying the data in a sensitive data set is a huge risk. Potential ruinous of the result in its entirety and in the context of a decision support system – it is the kind of thing that people lose jobs, homes and businesses over. Shockingly, people may even want to do this for selfish and malevolent reasons… and in an Excel world they can do this without a trace (almost – which is a thought for another post).

The threat is multi-dimensional:
1. Altering a data element directly – like lowering your own sales target in the evaluation sheet
2. Altering referenced data – linking your sales total to salesman of the year Bob’s total
3. Removing key data points – deleting Bob’s biggest sales account entirely
4. the list goes on…

There are complex tools within Excel and, if you speak “formulae” and can trace through multiple sheets simultaneously then you’re all good, you could find the modifications. Which is cool, right? What could possibly go wrong? Well – how do you know you’ve found them all, how long have you got to do the searching and fixing? And most importantly, how do you even know that there is a data integrity problem in the first place? On top of all this, the “business case” for Excel is usually that it is quicker, but by the time you’ve done all of this digging, that business case no longer stacks up.

Of course, even transactional enterprise systems of any type are vulnerable to data threat. The difference is that an enterprise system is layered: the data source and the reporting are separated which is not the case in Excel.

To repeat the rallying cry. Use common sense, think about the data you are handling, analysing, modelling and use the appropriate systems and countermeasures to make your work simple at the same time minimising risk of breaches. Easy, right?

The post Spreadsheets in the enterprise, considering integrity (pt 2/5) appeared first on BSG (UK).

For the sake of this post, I’ll define confidentiality as “concerns regarding the unwanted disclosure of information.”

Confidentiality is complex as it is both role-driven and time-driven, i.e. sensitive data may only be applicable to me in my current role and for a specific timeframe after which it may become stale and elicit invalid results.

Without deploying additional layers (e.g. using the file system layer to assign access via login to specific roles) neither angle is covered by Excel (or any Office-style application). Access is blanket applied – you are in or out of the loop. Hidden sheets help, but security by obscurity is never a great design choice and is not sustainable. And let’s not get started on the concept of using a tool designed for collaboration with others as a store of sensitive and/or confidential information – it is certainly paradoxical!

All of the above really depends on the inherent “value” of the data (or asset) you are trying to secure, if it is public information then, by all means, use Excel. For example, the Guardian makes chart data available via Excel for further analysis. Sensitive financial or people data is another matter. It is crucial to apply a set of reasonable countermeasures to data and systems based on the valuation of the asset from each perspective of the CIADA model.

Assessing the alternatives available to maintain data confidentiality may be simple. If the alternatives are very obscure, very expensive or a change management bridge too far then go back to your valuation of the asset. You may be inflating the valuation based on an incorrect view from the relevant stakeholders. Or maybe rudimentary controls are appropriate as countermeasures.

My rallying cry is simple. Excel is fine, in context. Be sure to complete the valuation of the information asset as well assessment and deployment of appropriate countermeasures over the blind use of a collaboration tool.

The post Spreadsheets in the enterprise, considering confidentiality (pt 1/5) appeared first on BSG (UK).