The Tester’s Riddle.

Remember those Christmases as a kid when your strange uncle used to turn up, tell the same old jokes and ask the same lame riddles, such as:

Q. When is a door not a door?

A. When it’s ajar.

Well, I had a flashback to that sort of thing this week when I found myself asking “When is a requirement not a requirement?”

Let me explain.

My current client is a nuclear energy generating company, and as such they are regulated (in part) by the Office for Civil Nuclear Security (OCNS). The OCNS, not unreasonably, would prefer that we don’t release Restricted or Sensitive Nuclear Information (RoSNI) to the world and his wife. In fact they are pretty strict on the matter: people can go to prison if they deliberately or accidentally release such information.

The DLP Solution

As a consequence of the OCNS requirements we have for the past few months been working on a data loss prevention (DLP) solution. The solution sits on all the PCs in the organisation, and every time someone interacts in any way with a document it scans the document for keywords, word patterns and classification markings. Depending on what it finds, it allows different types of action. One document might be blocked from being sent via email, another might trigger a reminder about how documents of that classification should be handled, and so on.

So for months we have been trying to get the solution correctly configured and working to meet what our security team tell us are the requirements: it must scan these file types for these words, it must scan the header and footer of these documents for these phrases, etc. etc. These last two weeks it has come to a head.

The Crunch

We ran into trouble with PDF and PowerPoint header and footer information. The issues were:

A: PDFs allow you to create a footer, but when the document is opened by a reader such as Acrobat the footer is not identified as a footer; it is just text at the bottom of the page.

B: PowerPoint allows you to create a footer, but again the footer is just treated as another piece of text on the slide. Unlike in Word or Excel, it is not specifically identified as a footer.

The requirement is that the solution scans the header and footer of documents, including PDF and PowerPoint, for specific classification markings. The reality is that we can’t do that: PDF and PowerPoint do not have identifiable headers and footers in the way Word does. As Lisa from ‘My Cousin Vinny’ might say, “It’s a bogus requirement.”

For weeks and weeks we have been trying to get this functionality to work. It has cost us tens of thousands, but in reality the requirement was not the requirement.

When is a requirement not a requirement?

In reality the requirement was that documents carrying specific classification markings should not be released. It never really mattered whether the marking sat in a header or footer; that is just where we tend to put it.

We had spent so long looking at the solution and how it might meet the requirement as written that we totally overlooked the actual requirement. As long as we catch these documents and only allow the correct action we are fine: we won’t release the wrong stuff.

In fact we already pick this information out at our mail gateway, both inbound and outbound, with our mail sweep software. The DLP solution we have can also pick it up if we extend the search to the body text for PDF and PowerPoint. So we could meet the actual requirement, to prevent data loss, just not in the way it was phrased.
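To make the difference between the two readings of the requirement concrete, here is a small scanner written for this post. It is an added example, not code from the original article or from the DLP product the client uses. The marking names (OFFICIAL, RESTRICTED, SECRET), the two sample documents and the action table are all constructed for illustration. The point it shows is the one described above: a header/footer-only rule catches the marking in a Word document, where the footer is a separate part, but misses the identical marking in a PDF, where the footer is just the last line of page text. Scanning all extracted text catches both.

```python
"""Position-independent classification scan.

Added example, not part of the original post or of the DLP product it
describes. The marking strings, the document samples and the policy table
are all constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed protective markings, ordered from least to most sensitive.
# (Placeholders: the client's real marking scheme is not given in the post.)
MARKINGS = ["OFFICIAL", "RESTRICTED", "SECRET"]
RANK = {m: i for i, m in enumerate(MARKINGS)}

# Case-insensitive whole-word match on any marking. Note the cost of looking
# at body text rather than a structural footer: "official" in ordinary prose
# will also hit, so body-text scanning trades misses for false positives.
MARKING_RE = re.compile(
    r"\b(" + "|".join(re.escape(m) for m in MARKINGS) + r")\b",
    re.IGNORECASE,
)


@dataclass
class Document:
    """Text as a DLP agent would see it after extraction.

    Word-style formats expose header/footer parts separately; PDF and
    PowerPoint only give body text, with the 'footer' as ordinary lines.
    """
    name: str
    body: str
    header: str = ""
    footer: str = ""


def scan_text(text):
    """Return the most sensitive marking found in `text`, or None."""
    best = None
    for m in MARKING_RE.finditer(text):
        mark = m.group(1).upper()
        if best is None or RANK[mark] > RANK[best]:
            best = mark
    return best


def scan_headers_footers(doc):
    """The requirement as written: look only at structural header/footer parts."""
    return scan_text(doc.header + "\n" + doc.footer)


def scan_anywhere(doc):
    """The actual requirement: a marking anywhere in the document counts."""
    return scan_text("\n".join([doc.header, doc.body, doc.footer]))


# Constructed action table: what the agent allows once it knows the marking.
POLICY = {
    None: "allow",
    "OFFICIAL": "allow with handling reminder",
    "RESTRICTED": "block external email",
    "SECRET": "block external email",
}


def decide(doc, scanner=scan_anywhere):
    """Map the scan result to the action the agent should take."""
    return POLICY[scanner(doc)]


# Constructed samples. The Word document carries its marking in a real
# footer part; the PDF has the same marking as the last line of page text.
WORD_DOC = Document(
    name="report.docx",
    body="Quarterly outage statistics for Unit 2.",
    footer="RESTRICTED - handle in accordance with site rules",
)
PDF_DOC = Document(
    name="report.pdf",
    body="Quarterly outage statistics for Unit 2.\n\n"
         "Page 1 of 1\nRestricted - handle in accordance with site rules",
)

if __name__ == "__main__":
    for doc in (WORD_DOC, PDF_DOC):
        print(doc.name,
              "| header/footer only:", scan_headers_footers(doc),
              "| anywhere:", scan_anywhere(doc),
              "| decision:", decide(doc))
```

Run as a script it prints the two verdicts side by side: the Word sample is caught by either scanner, the PDF sample only by `scan_anywhere`, and with the header/footer-only scanner the PDF would be allowed straight out. The false-positive comment is the trade-off a practitioner has to weigh when widening the search to body text.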

The Lesson

The lesson I learnt was that it is important to look up from the weeds every now and then and take in the whole field. It might just be that the requirement is not the requirement.

Tony Simms is the Principal Consultant at Roque Consulting (http://www.roque.co.uk).

He can be contacted at tony.simms@roque.co.uk