It was OK before; why is it broke now?

Change in scope requires a recheck

As I was rebuilding my network I came across a problem.

In my basement I had previous run a cable from my core switch around the room to the other side, where I had a small 100baseT switch to handle the equipment on that table. I’d also run another cable across the ceiling to the back of the house, where I had the Powerline network.

Everything seemed to be working fine, and it had been doing so for years.

But when I upgraded the equipment to handle gigabit I was annoyed to see both of these links only connected at 100Mbit speeds. WTF? I checked the cable itself. That’s fine; it’s cat5e. I did a pin test. That’s fine; all 8 pins had proper continuity, no breaks.

So then I looked closer. WTF? I had wired the pairs wrong.

A normal UTP cable (defined as T568) has the pin pairs as 12 36 45 78. Somehow I had wired them 12 34 56 78. So this meant the original RX pair were not across a single twisted pair, but across two separate wires.

At 100Mbit speeds this didn’t seem to matter. But at Gigabit speeds it just didn’t work. Cutting off the bad ends and crimping new ones on solved the problem.

Vendor Risk Management

The next day, at work, I had to have a similar discussion, but around vendor risk.

Normally when we look at a vendor (say, we’re outsourcing data processing, or selecting a SaaS provider) we look at the type of data we will be using with that vendor, and look at their controls and determine if they’re good enough. After all, we don’t need as much control around a site that just has pictures of the CEO’s cat doing funny things as we would around a processor of credit card information.

We’ll document what we found out about the vendor, the risk management team will do their due diligence and give an approval.

Then a year later someone decides “Hey, these guys are cheap, let’s move all our HR ID photos into their system”.

At this point alarms should start ringing.

A new evaluation of the vendor is now required. You’ve changed the scope of the engagement, the riskiness of the data they’ll be processing. What was OK for the cat pictures may not be OK for HR data.

It’s not just data; it could also be access. A site that was accessed by two people… we could get away with local admin control. But if we then open up that site to a thousand people (“let’s allow all staff members to upload cat pics”), we’re going to need to look at access admin and controls. We might even need an approvals workflow, to prevent staff from uploading inappropriate photos.

So quantity can also impact control requirements.

But not all changes do; if the CEO got a dog and wanted to make it “cat and dog pictures” we haven’t appreciably changed the scope, and a new risk evaluation wouldn’t be needed.

Summary

Don’t assume that what was good in the past will be good after a change has been made. In my case the cable that worked fine for years was no longer suitable.

Similarly, engagement changes may require a re-evaluation of the current service to determine if it’s good enough.