I have written before, and will say again, that Microsoft Excel does not have security. It does actually have some security features but most users don't know about them and, if they do, they are frequently not implemented. In any case, as Microsoft has explicitly stated, the security features in Excel are not actually there to …
This topic is closed for new posts.
Posted Friday 6th April 2007 10:45 GMT
Security may be important for some categories of spreadsheet, but more fundamental is getting the spreadsheet correct in the first place. My experience (confirmed by numerous surveys) is that a substantial minority of spreadsheets contain significant errors. This has the potential to cause serious problems, particularly in SMEs that may not be able to implement the controls that are available to larger organisations.
Posted Friday 6th April 2007 11:44 GMT
I think spreadsheet errors are a very serious problem - see http://panko.cba.hawaii.edu/ssr/.
But I also think they are also a "security" issue - Security is Confidentiality, Integrity and Availability, not just Confidentiality. OK, I know that coding errors aren't usually considered security risks (although the fixes often are) but I think that our habit of treating security-related defects as something different to system defects in general tends to reduce security - things fall into the gap between the security assessment and normal testing...
Posted Friday 6th April 2007 13:53 GMT
Confidentiality, Availability, Non Repudiation, Integrity. As a security professional, this is the mantra I (and most of the industry) preach.
What I like (on cursory examination) is the possibility of assigning rules to spreadsheets that haven't even been created. That's a boon to those who have to manage the security of these files. What I suspect doesn't work, although the article talks about it in a roundabout fashion, is the transfer of cellular security. But access control to the actual spreadsheet is a good first step.
However, the stumbling block is that someone, perhaps the creator, must apply internal security. So the security manager has to personally touch every new file anyways, since I don't trust the creator to adequately set up permissions and ACLs.
dillon, CISSP, in Tejas
Posted Saturday 7th April 2007 12:15 GMT
The European Spreadsheet Risk Interest Group welcomes discussion of spreadsheet security at our annual conference:
http://www.eusprig.org/
'Enterprise Spreadsheet Management: A Necessary Evil'
University of Greenwich, London UK July 11-13 2007
This conference will provide attendees with an opportunity to share experiences with a broad range of researchers, practitioners and recognised leaders in the field of spreadsheet research.
Pre-conference information is at http://www.uwic.ac.uk/eusprig/2007
This topic is closed for new posts.
Back to the article
Transforming IT culture
Driving Situational Awareness:
Application Performance Management:
Ensuring service assurance in the new normal
