Tuesday, March 02, 2010

A non-secure survey from ISACA...


I'm disappointed. As a member of ISACA, I do expect them to be a role model for their members in terms of security. "Do as we say, not as we do", a colleague once told me, before leaving the organisation we both worked for once upon a time. For years I have told family, friends, colleagues and others to follow some simple pieces of advice for securing their online activity. One piece of advice is to always ensure that a website uses HTTPS (SSL) before you log in or answer questions that might do damage to you or others in any way. I expect ISACA to do the same thing.

Last Wednesday (February 24), I received this e-mail from ISACA (the rings in the screenshot are mine, obviously):

No ISACA, I will not answer this survey. Promising me that my answers will be held strictly confidential while the survey is conducted using unencrypted HTTP traffic towards www.surveymonkey.com is simply not acceptable. Over plain HTTP anyone on the path between my browser and the survey host can read my answers and alter the questions, and I have no way of checking that I am even talking to SurveyMonkey. Yes, the survey doesn't really ask for anything sensitive regarding me or ISACA, but to me this is about principles.

As it happens, I've got an account at SurveyMonkey myself. And yes, they do support using SSL. In fact, even with my free account I can put HTTPS in the URL for any given survey I create, and there I have SSL in place. Not really that difficult, right?

(Note to SurveyMonkey: if SSL is only supposed to be available with the PRO or unlimited paid plans, you should probably make a little configuration change.)

So please, ISACA and the Media Relations Team: please use SSL for any new surveys you want your members to answer. As I've written and said before, using SSL may actually increase the percentage of respondents, as people will automatically trust it a little bit more when they see the familiar lock, and eventually the green address bar that browsers show for an Extended Validation certificate.
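One way a survey owner (or a suspicious recipient) could screen an invitation before sending or trusting it, as an added example that is not from the original post: pull every link out of the e-mail body, flag the ones that use plaintext http://, and test whether the very same URL is served over HTTPS with a valid certificate, in which case the fix is just the scheme in the link. The sample e-mail text and the host survey.example.org are constructed for illustration; only www.surveymonkey.com and isaca.org appear in the post. The HTTPS probe is injected as a callable so the audit can be exercised offline with a fake.

```python
"""Audit survey links in an invitation e-mail for plaintext HTTP.

Added example, not from the original post. The e-mail body below is
constructed, and the network probe is passed in as a function so the
audit itself runs offline.
"""
import re
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Matches http:// and https:// links, stopping at whitespace and common
# closing punctuation found in e-mail bodies.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

# Constructed sample invitation (the survey path is made up).
SAMPLE_INVITE = """Dear member,

Your answers will be held strictly confidential.
Take the survey here: http://www.surveymonkey.com/s/EXAMPLE
Read more on https://www.isaca.org/ or on http://survey.example.org/q
"""


def extract_links(text):
    """Return all http(s) URLs found in the text, in order."""
    return URL_RE.findall(text)


def to_https(url):
    """Rewrite the scheme of a URL to https, leaving everything else intact."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def audit_link(url, probe):
    """Classify one link.

    probe(url) must return True if an HTTPS request to that URL succeeds
    with a valid certificate, False otherwise. Returns (verdict, url), where
    url is the link the invitation should have used.
    """
    if urlsplit(url).scheme.lower() == "https":
        return ("ok", url)
    https_url = to_https(url)
    if probe(https_url):
        # The site already serves the survey over TLS; only the link is wrong.
        return ("plaintext-fixable", https_url)
    # Nothing we can fix in the e-mail: the host itself has no working TLS.
    return ("plaintext-no-tls", url)


def audit_invite(text, probe):
    """Map every link in the invitation to its verdict and suggested URL."""
    return {url: audit_link(url, probe) for url in extract_links(text)}


def https_probe(url, timeout=5):
    """Real probe: HEAD request over HTTPS with certificate verification.

    Uses only the standard library; any failure (TLS error, bad certificate,
    HTTP error, timeout) counts as "no usable HTTPS".
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()):
            return True
    except Exception:
        return False


if __name__ == "__main__":
    # Offline demo with a fake probe: pretend only www.surveymonkey.com
    # answers over HTTPS. Swap in https_probe to check real hosts.
    fake_probe = lambda u: urlsplit(u).hostname == "www.surveymonkey.com"
    for url, (verdict, fixed) in audit_invite(SAMPLE_INVITE, fake_probe).items():
        print(f"{verdict:18} {url} -> {fixed}")
```

Run it with `https_probe` instead of the fake before an invitation goes out, and fix every link reported as plaintext-fixable; a plaintext-no-tls result means the survey host, not the e-mail, needs attention first.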

A few more tips from me, translated from Norwegian from a previous blog post:

1. Announce the survey in advance
I really don't like receiving e-mails from obviously forged senders (as many surveys do), asking me to click a link leading to an insecure website and fill out lots of information about myself, my job, incidents or whatever else one can ask about.

I want the following information in advance (intranet, website or other channels):
1.1 Purpose of the survey
1.2 Owner of the survey, data and reports (names please!)
1.3 Time period for conducting the survey, including when any results will be published
1.4 Who will be participating (how were they selected?)
1.5 How they will be contacted (mail?), and by whom (sender)
1.6 Contact information if there are any questions regarding contents or security

2. Any e-mail sent should repeat the above, preferably with a link to your site for validation

3. Repeat the information on page 1 of the survey

4. End the survey with contact details (again)

As soon as this becomes the default for any survey you would like to do, it should not represent much additional workload, but I'm sure it will aid in establishing better trust and increasing the percentage of respondents.

Best regards,
Per Thorsheim


  1. As President of ISACA Norway Chapter I couldn't agree with you more. I've posted a notice to ISACA HQ from our local chapter with a link to your blog as well.

    Please notice that the last survey hosted by ISACA Norway Chapter in 2008 (also utilizing surveymonkey) was done with SSL/https. Also notice that the email we sent then (from isaca@isaca.no) to our members included information regarding intent and type of questions to be expected.

    Gaute Lien, President ISACA Norway Chapter

  2. On March 26 I received a reply from the ISACA media relations department, informing me that they will be making some changes to future surveys. Changes will include a few of the aspects addressed by my blog post, including the use of SSL and additional information in the body of the survey.

    Their response is highly appreciated of course, and I look forward to future surveys from ISACA.

    (Thanks Deb!)
