Check the Scope

Situation

I once experienced a situation where the person responsible for security at an organization attempted to define the parameters for a certain security certification so that there were no computing systems within the scope of the testing & certification. There can be a number of reasons for defining a scope, but it’s often established in order to focus the required controls on the systems used for storing, transmitting & processing the data that is covered by a particular certification or regulatory framework, along with the data itself. (e.g. HIPAA / Health records; PCI-DSS / Credit card information) 

This request was something like asking a home inspector to perform a home inspection on an empty lot. Naturally, the assessor was rather surprised, and, of course, did not accept this proposal as valid.  A compromise was reached, such that one single system was included in the scope. The assessment continued and certification was eventually achieved – for this one system.

The manager and the organization went on to tout this certification as a feather in their cap, not mentioning that the scope of the certification was limited to one system, and leaving the impression that the entire organization was secure. 

Lesson Learned

One lesson learned here can be to always check the scope when it comes to certifications, audits, and the like. A little look beneath the surface can be very informative. Another could be that people may try just about anything. We should not be caught off guard when they do, and we should remain true to our principles.