Spreadsheets — often spread across servers, network drives, USB keys, or email messages — are what makes a modern business function properly. The information stored in Excel sheets, ranging from business plans to competitive proposals to salary or HR data, is often critically important not only to the organization but also to the data subjects.
Considering the prevalence of data stored in Excel and the importance of such data, it is surprising that there are few good technical information security solutions to protect Excel data. Microsoft doesn’t provide much security with Excel. In fact, as Microsoft has stated, the security features in Excel are not actually there to provide security but to make life easier for users. For example, you can hide worksheets from users so as not to confuse them and you can apply what locking is available for the same reason: so that users just focus on what they need to do and not on other stuff.
Phil Howard has an article in The Register in which he criticizes all major enterprise spreadsheet management vendors for not focusing on the right place. Currently, such vendors put emphasis on Sarbanes-Oxley (and similar) compliance regulations: for example, the ability to track changes on spreadsheets so that there is an accountability trail if a spreadsheet turns out to “misstate” corporate earnings by a major amount. This is an important task in corporate governance, and after SarbOx regulations created a need and a (pretty lucrative) market for this kind of software, many vendors have not looked at the building blocks of spreadsheet security.
What good does a tracking mechanism do if a spreadsheet is so insecure that it can be manipulated easily? We should not be putting the cart in front of the horse. Instead, spreadsheet vendors (including Microsoft) should focus on providing adequate tools for spreadsheet security (cell locking, role-based access, etc.) before they focus on money- and headline-making features. Without baseline security, the enterprise is likely to lose money and make the wrong headlines when it suffers a breach because of its lack of spreadsheet security.
Patrick O'Beirne 21 June 2007
Re: “Instead, spreadsheet vendors (including Microsoft) should focus on providing adequate tools for spreadsheet security (cell locking, role-based access, etc.)”
Take a look at
http://office.microsoft.com/en-us/excel/HA102244131033.aspx
The first white paper, entitled “Spreadsheet Compliance in the 2007 Microsoft Office System”, focuses on using Office Excel 2007 and Excel Services in a spreadsheet compliance framework.
The European Spreadsheet Risks Interest Group (EuSpRIG), in association with Compassoft, is holding its 2007 conference on the theme of “Enterprise Spreadsheet Management: A Necessary Evil?” on the 11th - 13th July 2007 at Greenwich University, London, United Kingdom. Keynote speakers include Professor Ray Panko of the University of Hawaii, who will be speaking on “Spreadsheet Errors - What the Research Says”, Dean Buckner of the Financial Services Authority who will be giving a regulatory update on the use of spreadsheets in the financial markets, and Paul Bach, CEO of Compassoft, who will be outlining the state of technology identifying and managing spreadsheets in enterprise environments.
http://www.eusprig.org/prog2007.htm
Gary Hinson 21 June 2007
Patrick, you are far too modest: your book dispenses excellent, worthwhile and pragmatic advice.
I’ve .
My own well-thumbed copy was ‘borrowed indefinitely’ by one of my esteemed colleagues at our last client, a bank.
G.