With compliance becoming an ever greater challenge to manage (e.g., Sarbanes-Oxley, privacy regulation) and standards being pushed to the forefront (How do ISO17799 and Cobit complement each other?), we thought we would address this issue in a bit more detail.
A standard is basically a guide to how one should do things. However, how a standard is implemented is affected by political, cultural and technical differences. Likewise, a certification agency in one country may assess a firm seeking certification against a standard differently than its counterpart in another country.
A standard can also be a reference point against which other things can be evaluated. A standard reflects agreements on products, practices, or operations by bodies such as nationally or internationally recognized industry associations, non-governmental organisations and governments. Standards can be proprietary or open standards.
_What is an open standard?_
An open standard is usually a standard that has been developed by interested parties in an open process, whereby interested parties can participate in all or parts of the work required to develop an open standard.
One of the rights one tends to associate with open standards is that meetings have to be open. Unfortunately, if the group has a pay-to-become-a-member policy, joining a newly formed working group that is developing a new standard may be difficult for economically less fortunate parties. In his paper "The meaning of open standards", Ken Krechmer suggests that standardization documentation falls into two classes:
a) work-in-progress documents (e.g., individual technical proposals, meeting reports), and
b) completed standard documents (e.g., standards, test procedures).
The transparency of a meeting is closely related to the availability of the documents from the meeting, including both the work-in-progress and the completed standard documents.
_Why does Microsoft’s Office Open XML (OOXML) not qualify as open standard?_
Various people have pointed out that Microsoft’s Office Open XML cannot become an open standard. To begin with, several of the rights outlined in Ken Krechmer’s paper are not met by Office Open XML, including but not limited to property rights, patents and compatibility. You can find some information about these problems here:
Finally, there are some conditions that most people attach to open standards; these are outlined here:
In all the above instances, Microsoft’s OOXML does not measure up to the criteria that must be met before something can be called an ‘open standard.’ But besides these conceptual and definitional issues, Microsoft’s Office Open XML has some serious implications for information security and risk management.
_What does this all mean for information security and risk management?_
The problem for Microsoft is that it must ‘keep the compatibility with the existing Microsoft Office users’. OOXML must help ensure compatibility between Microsoft Office users. At the same time, it will also be the default format for any piece of data within the Microsoft ecosystem.
Bringing several format specifications together and merging them into one tends to cause problems. For starters, past programming and engineering errors, as well as mistakes in the architecture, may not have been fixed and are therefore carried over into the new ’standard’. Accordingly, the Office Open XML standard has to carry over Office bugs and information quirks to assure compatibility.
One also has to wonder how it will be possible to implement 6,000 pages of program specifications. By comparison, the ODF specification is 756 pages long.
Did the members of Technical Committee 45 (Ecma TC45), which includes representatives from Apple, Barclays Capital, BP, The British Library, Essilor, Intel, Microsoft, NextPage, Novell, Statoil, Toshiba, and the United States Library of Congress, really review these 6,000 pages of specifications? Apple already seems to have decided that Microsoft Office for Mac will not be able to use Office Open XML for some years because things are too complex. On top of that, TC45 has been charged with the following responsibility:
“The Ecma TC45 will continue to be responsible for the ongoing maintenance of the standard, and for enhancing the standard with new and innovative features while simultaneously preserving backwards compatibility.” (see ECMA press release about Microsoft Office Open XML standard).
Will these company representatives on TC45 really be able to keep track of and discharge their responsibilities appropriately? Or will they just trust the benevolent dictator called Microsoft to do the right thing?
The above also suggests that, from a security and risk management perspective, it is not in users’ best interest for the Open XML standard to become predominant in the industry. In fact, it is much better to adopt the OpenDocument Format (ODF) standard instead in order to better address privacy, security and risk concerns.