Does Knowledge Management include aspects of Information Security?

Paul Simpson

Trusted Information Resource
#1
Those Covers out there that know me will confirm I'm not one for extending the scope of ISO 9001 into other areas but there are a few issues doing the rounds currently that made me question whether some aspects of information security are required where an organisation handles a lot of customer / stakeholder data.

My logic here is that you cannot deliver a 'quality' service without looking after customer information and that brings in a couple of clauses of 9001:2015:
  • 4.2 - needs of interested parties to keep their information secure
  • 5.1.2 b Customer Focus - addressing the risks to conformity of products and services
  • 6.1.1 c - planning to prevent undesired effects
  • 7.5.3.1 b adequate protection of documented information
  • 8.2.1 d handling customer property
  • 8.5.3 protecting customer property

I think the logic is ok but would welcome feedback.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#2
Re: Does knowledge management include aspects of information security?

I wholeheartedly agree Paul. If an organization handles sensitive information from customers, a strong component of customer satisfaction happens in the information security dimension. A credit card company that offers me 0% interest rates, but is easily hacked and allows my private information to be stolen, is of no use to me.

Understanding the context of the organization and the needs of customers would (or should) easily lead to the conclusion that information security might be a very strong component of service quality.
 

normzone

Trusted Information Resource
#3
The fine print of NIST 800-171 (network security) says you've crossed the line and are required to play if you even have customer billing information in your network.
 

Mike S.

Happy to be Alive
Trusted Information Resource
#4
Passed the Vulcan logic test from my perspective!
 

Paul Simpson

Trusted Information Resource
#5
For those that followed the WannaCry ransomware hack I recently posted an article on Bywater's site about the need for quality professionals to think about Information Security as an area for continuing professional development (CPD). I put the post on LinkedIn - here - and thought I'd add it to this thread.
This article was published today on the Bywater site and looks at the role of the Quality Manager in ensuring quality systems are secure from cyber attack.

It is not for me to heap further woes on the NHS and recent news has to be taken in the context of the immense size and complexity of that organisation. The WannaCry attack has hit around 200,000 computers globally and covered organisations as diverse as Renault / Nissan and Deutsche Bahn, companies under a lot less scrutiny for how they spend their money than our National Health Service provider.

Information security is interwoven in the way we do business and, as in my earlier article, becomes, at least partially, under the remit of the quality professional. Just thinking about some of the areas in the news now and some of the specific requirements of ISO 9001:2015:
• 4.1 – Context of the organization. Any organization that manages information has to consider cyber criminals as ‘interested parties’ that can affect its ability to go about its business.
• 4.4.1 – Processes. Where the organization operates processes that rely on information, then any risks associated with use of data and with cyber-attacks have to be considered.
• 6.1 – Planning. In reviewing its external environment and the processes it operates, the organisation should build appropriate plans into its quality management system – if it chooses to adopt a separate information security management system based on ISO 27001 then the QMS can simply refer out to it, but the controls help deliver services that satisfy customer requirements.
• 7.1.3 – Infrastructure. One of the notes under this clause makes specific reference to hardware and software, and this has to be provided and maintained.
• 7.5.3.1 b) – Control of documented information. The organization has to protect documented information.
• 7.5.3.2 b) – Control of documented information. The organization has to store and preserve documented information.
• 8.5.3 – Property belonging to customers or external providers. The organisation has to safeguard customer property, including information.

Even if we choose not to implement a comprehensive information security management system, as responsible quality professionals we have to ensure that we satisfy the above requirements as a bare minimum.

As quality professionals we are committed to keeping our skill set up to date and to developing those skills by undertaking CPD, and what better way to serve our organisations and, at the same time, maintain our own professional standing than by looking at information in the public domain about how to keep your personal and organisational information safe.

Here are a couple of suggested resources:
• The Cyber Essentials programme
• The IIRSM cyber security mini site
• This article on the origins of the attack
• ISO / IEC 27001
• ISO / IEC 27001 Lead Auditor training
• Government Cyber Essentials documents

We should each have a plan to carry out CPD and keep our knowledge current. It should be a mixture of personal research and study, seminars, and part- and full-time training. The first step is to follow the Deming cycle and ‘Plan’.
There are a few links in the original post and on the LinkedIn article, particularly in the 'Resource' bulleted list, if it is of interest.
 

matkins

Starting to get Involved
#6
Many thanks, Paul.
As Quality Manager at a small distributor/manufacturer for Aerospace/Defense, we are required to be compliant with NIST 800-171 by the end of 2017. After getting our feet wet, I am looking for resources and training for myself as well as others in my organization. Need to educate all in what is required within our QMS and ensure that what we put into place for cybersecurity dovetails into our QMS.
 

Paul Simpson

Trusted Information Resource
#7
Thanks, matkins. NIST 800-171 isn't a standard I'm familiar with, but I have downloaded a copy here if anyone else is interested in following the thread. It looks quite similar to a set of EU regulations - explained for the UK here and known as the General Data Protection Regulation (GDPR).

When I've read the standard I may post some thoughts here.

There seem to be a lot of people offering training and consultancy in this space. :notme:
 

Paul Simpson

Trusted Information Resource
#8
Continuing the theme of integration between information security and quality management I have recently published another article on Bywater's site and on LinkedIn.

Again to save Covers searching too far the article is reproduced below:
Following on from my colleague David Cole’s article on information security, news stories on this topic keep coming and the breadth of scope of application grows with every headline. There was the ransomware story that was the lead item on news bulletins for days, and lately it transpires that another headliner, BA’s Disaster Recovery story, also appears to have roots in data corruption.


The message I am hearing is that we all need to be better aware of obligations in the markets we operate in and under current legislation. All organisations use information as part of their core processes and have duties to manage the security of that information. We have less than 12 months until the introduction of heightened obligations under the General Data Protection Regulation (GDPR), and indications are that the UK is not ready to meet these new requirements.

Not quite at the same level of dramatic impact, the Information Commissioner’s Office (ICO) recent list of enforcement action indicates continuing data protection lapses across sectors. The list includes a Council’s prosecution for publishing sensitive information in the form of a statement supporting a planning application. The issue of liability centred on the balance between the Council’s need to publish information and its duty to protect personal privacy. In its judgement, the ICO highlighted failures in Council procedures and training for protecting data in the course of carrying out its duties.

In the same listing we can see evidence of the ICO’s approach to dealing with data security breaches and their follow up regime. RBS undertook to introduce revised procedures for managing faxes after breaches in October 2014 and the ICO lists the results of their follow up process with the need for further action by the bank to ensure faxes remain secure.

The role of the ICO is not confined to Local Councils and large companies; in the same listing the ICO refers to prosecution of an individual for unauthorised access to personal records.

As quality professionals we need to ensure that the management systems we have responsibility for reflect changes to our organisations’ operating environment – its ‘Context’ in ISO 9001 terms – and, as in my earlier article linked above, that we keep our skill set up to date through CPD. Only by being aware of changing requirements can we advise our organisations of the need for process enhancements, updated controls, and employee awareness and training to be able to comply with regulatory requirements.

The resources listed in my previous article still apply. A suggested new resource for this challenge is:

ICO 12 step plan for preparing for the GDPR

Quality professionals may also be interested in the Integrated ISMS and QMS Auditor Training Course, which covers how to incorporate Information Security within a Quality Management System Audit – for existing QMS auditors.
You'll have to visit one or other of the sites to be able to follow the links to supporting articles and materials - sorry, my cut-and-paste skills aren't that good! :notme:
 