Information Security and Spreadsheets

From Slashdot:

G Roper writes "Studies show that most spreadsheets have critical errors in one percent of their cells, well beyond a permissible level. Here are some news stories about spreadsheet errors. Spreadsheets won't protect a firm from liability when they are audited and spreadsheet errors found: spreadsheets are not secure, provide no audit trail and won't pass HIPAA or Sarbanes-Oxley auditing. How are Slashdotters coping with the proliferation of spreadsheets in the face of greater legal accountability and auditing?"

I am very glad I have not yet had to deal with spreadsheet integrity issues. I am starting a new information security position at a Finance company next week so I will not be able to avoid this too much longer.

The problem with using spreadsheets for critical data analysis and manipulation are:

  • developed usually by programming amateurs
  • lack of validation / verification
  • lack of change control and revision control
  • Often these are "off-the-books" and how they effect the organization is not well know, if known at all

The idea of going through and checking out all of an organization's spreadsheets (well, critical impact spreadsheets) would be costly and time consuming.

Now that I think of it, there is most likely a business opportunity here for the entrepreneurs that can:

  • create a quick and effective process for gathering requirements from an organization
  • checking out the spreadsheets using round the clock offshore labor
  • reporting back in a meaningful way with a compliance action plan

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: