Feeds

•  Posts RSS
•  Comments RSS
• Subscribe via Email

Phone-Readable

Recent Comments

• Darren Couch on DHS is Looking for a CISO
• MMO Tag on Training for the Zombie Pandemic
• Sam Bowne on The Rise of the Slow Denial of Service
• jg on Apache Killer Effects on Target
• Apache Killer Effects on Target | The Guerilla CISO on The Rise of the Slow Denial of Service

What’s Hot

Tags

Categories

• Army (24)
• BSOFH (15)
• Cyberwar (7)
• DDoS (7)
• Diary of a Startup (3)
• DISA (9)
• FISMA (148)
• Flyfish (20)
• Hack the Planet (28)
• IKANHAZFIZMA (79)
• ISM-Community (15)
• NIST (93)
• Odds-n-Sods (117)
• Outsourcing (32)
• Public Policy (35)
• Rants (108)
• Risk Management (75)
• Speaking (32)
• Technical (93)
• The Guerilla CISO (80)
• Uncategorized (6)
• What Doesn't Work (87)
• What Works (112)
• Zombies (44)

Blogroll

• Amrit Williams
• Ascension Blog
• BackTrack
• Backwater Angler
• Chateau Blogsville
• Chris Hoff
• Cypher Punk Reading List
• Emergent Chaos
• Gunnar Peterson
• How Is That Assurance Evidence
• InfoSecAlways
• ISM-Community
• ISM-Community Blogs
• ISM-Community Combined Feed
• Jack Whitsitt
• Layer 8
• LOLFED
• Martin McKeay
• My Linux Blog
• NoVa InfoSec Portal
• Rich Smith
• Riskanalys.is
• Rob Newby
• Security Buddha
• Securosis
• Technology Liberation Front
• The New School of Information Security
• The Ninja CISO
• This is Fly
• TSSCI Security

Archives

• October 2012
• May 2012
• December 2011
• November 2011
• September 2011
• August 2011
• April 2011
• February 2011
• January 2011
• December 2010
• November 2010
• October 2010
• September 2010
• August 2010
• July 2010
• June 2010
• May 2010
• April 2010
• March 2010
• February 2010
• January 2010
• December 2009
• November 2009
• October 2009
• September 2009
• August 2009
• July 2009
• June 2009
• May 2009
• April 2009
• March 2009
• February 2009
• January 2009
• December 2008
• November 2008
• October 2008
• September 2008
• August 2008
• July 2008
• June 2008
• May 2008
• April 2008
• March 2008
• February 2008
• January 2008
• December 2007
• November 2007
• October 2007
• September 2007
• August 2007
• July 2007
• June 2007
• May 2007
• April 2007
• March 2007
• February 2007

Blog under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License

First Shelfware, now Liarware

Posted June 18th, 2007 by rybolov

We used to call it “shelfware”–the documents that people write once and throw up on a shelf where nobody touches it until the next audit.
I humbly propose a new linguistic creation: “Liarware”.  This is the documentation that has no grounding in reality because it was written by people who were paid to create documentation to check a box that the document exists.

Similar Posts:

• Preliminary Findings on Cybersecurity Review Now Out
• Being the Resident Curmudgeon
• Needed: Agency CSOs
• It’s All About Common Controls!
• Some Thoughts on “Malicious Compliance”

Posted in Rants | 7 Comments »

7 Responses

1.  LonerVamp Says:
   June 18th, 2007 at 5:35 pm

   I think that is an appropriate term for some. I know a company I worked for did/does that with not just their audit/security policies, but also DR. These things don’t live by themselves, and they certainly didn’t pay enough for something robust enough to work over the years without review.

2.  LonerVamp Says:
   June 18th, 2007 at 5:38 pm

   You could include buried and/or non-reported incidents in there too… “We have not had an incident in years!” *quickly use hand to cover the mouths of protesting techies*

3.  rybolov Says:
   June 18th, 2007 at 5:39 pm

   So why would a company pay the money just to have liarware written?

   The only thing that I can think of is for a compliance purposes. From where I stand, I would rather not have a DR/Coop plan than one that is wrong.

4.  Darren Couch Says:
   June 18th, 2007 at 6:02 pm

   Sounds like patent-medecine mentality — “Cures rickets and brightens teeth!”

5.  LonerVamp Says:
   June 18th, 2007 at 9:41 pm

   Yes, they did it for compliance and just to be able to check a box for clients. “Sure, we have a DR plan! Moving on…”

6.  h@lon73 Says:
   June 19th, 2007 at 12:55 am

   I see this fraud going on in my current environment. How can you call a “live” contingency plan test even remotely valid to recover a general support system when all you are allowed to do is move a CAT V cable from one CISCO 2600 switch to another and call that a recovery capability for a site that is “VERY REMOTE”. (Ahem… ends of the earth remote.)

   Honestly if the site were knocked offline (loss of power, fire, volcano) no one would even know what the maximum tolerable outage time would be!!! So I say “hell yeah” we need the ammo and more importantly whistle blowing protections to get the liars out in the open. BOFH who think that having a “live test” means that you “fail” (power down) one switch and boot another up 2U’s above it are frauds! Worse yet are the contractors who look the other way and take the check from the COTR.

   MY EYES ARE BLEEDING… Make the bad man stop.

7.  The Guerilla CISO » Blog Archive » Guerilla CISO Tip–Avoid “Boilerplate” Says:
   November 12th, 2007 at 10:48 am

   […] a bunch of lies because it never gets […]

Leave a Comment