Does Knowledge Management include aspects of Information Security?

Paul Simpson

Trusted Information Resource
Those Covers out there that know me will confirm I'm not one for extending the scope of ISO 9001 into other areas but there are a few issues doing the rounds currently that made me question whether some aspects of information security are required where an organisation handles a lot of customer / stakeholder data.

My logic here is that you cannot deliver a 'quality' service without looking after customer information and that brings in a couple of clauses of 9001:2015:
  • 4.2 - needs of interested parties to keep their information secure
  • 5.1.2 b Customer Focus - addressing the risks to conformity of products and services
  • 6.1.1 c - planning to prevent undesired effects
  • 7.5.3.1 b adequate protection of documented information
  • 8.2.1 d handling customer property
  • 8.5.3 protecting customer property

I think the logic is ok but would welcome feedback.
 

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Does knowledge management include aspects of information security?

I wholeheartedly agree, Paul. If an organization handles sensitive information from customers, a strong component of customer satisfaction happens in the information security dimension. A credit card company that offers me 0% interest rates, but is easily hacked and allows my private information to be stolen, is of no use to me.

Understanding the context of the organization and the needs of customers would (or should) easily lead to the conclusion that information security might be a very strong component of service quality.
 

normzone

Trusted Information Resource
The fine print of NIST 800-171 (network security) says you've crossed the line and are required to play if you even have customer billing information in your network.
 

Mike S.

Happy to be Alive
Trusted Information Resource
Those Covers out there that know me will confirm I'm not one for extending the scope of ISO 9001 into other areas but there are a few issues doing the rounds currently that made me question whether some aspects of information security are required where an organisation handles a lot of customer / stakeholder data.

My logic here is that you cannot deliver a 'quality' service without looking after customer information and that brings in a couple of clauses of 9001:2015:
  • 4.2 - needs of interested parties to keep their information secure
  • 5.1.2 b Customer Focus - addressing the risks to conformity of products and services
  • 6.1.1 c - planning to prevent undesired effects
  • 7.5.3.1 b adequate protection of documented information
  • 8.2.1 d handling customer property
  • 8.5.3 protecting customer property

I think the logic is ok but would welcome feedback.

Passed the Vulcan logic test from my perspective!
 

Paul Simpson

Trusted Information Resource
For those that followed the WannaCry ransomware hack I recently posted an article on Bywater's site about the need for quality professionals to think about Information Security as an area for continuing professional development (CPD). I put the post on LinkedIn - here - and thought I'd add it to this thread.
This article was published today on the Bywater site and looks at the role of the Quality Manager in ensuring quality systems are secure from cyber attack.

It is not for me to heap further woes on the NHS and recent news has to be taken in the context of the immense size and complexity of that organisation. The WannaCry attack has hit around 200,000 computers globally and covered organisations as diverse as Renault / Nissan and Deutsche Bahn, companies under a lot less scrutiny for how they spend their money than our National Health Service provider.

Information security is interwoven in the way we do business and, as in my earlier article, becomes, at least partially, under the remit of the quality professional. Just thinking about some of the areas in the news now and some of the specific requirements of ISO 9001:2015:
  • 4.1 – Context of the organization. Any organization that manages information has to consider cyber criminals as ‘interested parties’ that can affect their ability to go about their business.
  • 4.4.1 – Processes. Where the organization operates processes that rely on information then any risks associated with use of data and with cyber-attacks have to be considered.
  • 6.1 – Planning. In reviewing its external environment and the processes it operates the organisation should build appropriate plans into its quality management system – if it chooses to adopt a separate information security management system based on ISO 27001 then the QMS can simply refer out to it, but the controls help deliver services that satisfy customer requirements.
  • 7.1.3 – Infrastructure. One of the notes under this clause makes specific reference to hardware and software and this has to be provided and maintained.
  • 7.5.3.1 b) – Control of documented information. The organization has to protect documented information.
  • 7.5.3.2 b) – Control of documented information. The organization has to store and preserve documented information.
  • 8.5.3 – Property belonging to customers or external providers. The organisation has to safeguard customer property, including information.

Even if we choose not to implement a comprehensive information security management system, as responsible quality professionals we have to ensure that we satisfy the above requirements as a bare minimum.

As quality professionals we are committed to keeping our skill set up to date and to develop those skills by undertaking CPD and what better way to serve our organisations and, at the same time maintain our own professional standing, than by looking at information in the public domain about how to keep your personal and organisational information safe.

Here are a couple of suggested resources:
  • The Cyber Essentials programme
  • The IIRSM cyber security mini site
  • This article on the origins of the attack
  • ISO / IEC 27001
  • ISO / IEC 27001 Lead Auditor training
  • Government Cyber Essentials documents

We should each have a plan to carry out CPD and keep our knowledge current. It should be a mixture of personal research and study, seminars and part and full time training. The first step is to follow the Deming cycle and ‘Plan’.

There are a few links in the original post and on the LinkedIn article, particularly in the 'Resource' bulleted list, if it is of interest.
 

matkins

Starting to get Involved
Many thanks, Paul.
As Quality Manager at a small distributor/manufacturer for Aerospace/Defense, we are required to be compliant with NIST 800-171 by the end of 2017. After getting our feet wet, I am looking for resources and training for myself as well as others in my organization. Need to educate all in what is required within our QMS and ensure that what we put into place for cybersecurity dovetails into our QMS.
 

Paul Simpson

Trusted Information Resource
Many thanks, Paul.
As Quality Manager at a small distributor/manufacturer for Aerospace/Defense, we are required to be compliant with NIST 800-171 by the end of 2017. After getting our feet wet, I am looking for resources and training for myself as well as others in my organization. Need to educate all in what is required within our QMS and ensure that what we put into place for cybersecurity dovetails into our QMS.

Thanks, matkins. NIST 800-171 isn't a standard I'm familiar with but I have downloaded a copy here if anyone else is interested in following the thread. It looks quite similar to a set of EU regulations - explained for the UK here and known as the General Data Protection Regulation (GDPR).

When I've read the standard I may post some thoughts here.

There seem to be a lot of people offering training and consultancy in this space. :notme:
 

Paul Simpson

Trusted Information Resource
Continuing the theme of integration between information security and quality management I have recently published another article on Bywater's site and on LinkedIn.

Again to save Covers searching too far the article is reproduced below:
Following on from my colleague David Cole’s article on information security, news stories on this topic keep coming and the breadth of scope of application grows with every headline. There was the ransomware story that was the lead item on news bulletins for days, and lately it transpires another headliner, BA’s Disaster Recovery story, also appears to have roots in data corruption.

The message I am hearing is that we all need to be better aware of obligations in the markets in which we operate and under current legislation. All organisations use information as part of their core processes and have duties to manage security of that information. We have less than 12 months until the introduction of heightened obligations under the General Data Protection Regulations (GDPR) and indications are that the UK is not ready to meet these new requirements.

Not quite at the same level of dramatic impact, the Information Commissioner’s Office (ICO) recent list of enforcement action indicates continuing data protection lapses across sectors. The list includes a Council’s prosecution for publishing sensitive information in the form of a statement supporting a planning application. The issue of liability centred on the balance between the Council’s need to publish information and for it to protect personal privacy. In its judgement, the ICO highlighted failures in Council procedures and training for protecting data in the course of carrying out its duties.

In the same listing we can see evidence of the ICO’s approach to dealing with data security breaches and their follow up regime. RBS undertook to introduce revised procedures for managing faxes after breaches in October 2014 and the ICO lists the results of their follow up process with the need for further action by the bank to ensure faxes remain secure.

The role of the ICO is not confined to Local Councils and large companies; in the same listing the ICO refers to prosecution of an individual for unauthorised access to personal records.

As quality professionals we need to ensure management systems we have responsibility for reflect changes to our organisations' operating environment – its ‘Context’ in ISO 9001 terms – and, as in my earlier article linked above, that we keep our skill set up to date through CPD. Only by being aware of changing requirements can we advise our organisations of the need for process enhancements, updated controls and employee awareness and training to be able to comply with regulatory requirements.

The resources listed in my previous article still apply. A suggested new resource for this challenge is:

ICO 12 step plan for preparing for the GDPR

Quality professionals may also be interested in the Integrated ISMS and QMS Auditor Training Course, which covers how to incorporate Information Security within a Quality Management System Audit – for existing QMS auditors.

You'll have to visit one or other of the sites to be able to follow the links to supporting articles and materials - sorry my cut and paste skills aren't that good! :notme:
 