What's procedurally required for "cloud computing"? TS16949 Clause 4.2.4.

Jen Kirley

Quality and Auditing Expert
Leader
Admin
An auditee has opted to keep his records as Google Docs since our IT people moved us from Lotus Notes to Google mail. I wrote a nonconformance based on their losing records during the switch. They dug up paper copies and scanned them in. Now I am refusing to close the CA based on a lack of system corrective action: their not having a written procedure that addresses the requirements of TS16949, 4.2.4. My auditee has obtained the attached Google paper and wants to use it as a procedure.

I have said it isn't good enough because it does not go into enough specifics on how the data is protected and how my people might go about retrieval from backups (even if that is simply who we contact in Google) should a data loss occur.

My auditee says "Well, Google is certified SAS 70," to which I respond that's great, but the IT group has not yet established that as a proxy for providing specifics about how data will be protected.

Bottom line is, neither corporate nor internal procedures yet exist for supplier control of contracted data management; they just haven't thought of it yet and were unlucky enough to have me audit them and bring it up as an issue.

Am I being too hard on my auditee?
 

Attachments

  • Google_Apps_Security_Data_SheetNDAONLY.pdf

Jim Wynne

Leader
Admin
Re: What's procedurally required for "cloud computing"?

An auditee has opted to keep his records as Google Docs since our IT people moved us from Lotus Notes to Google mail. I wrote a nonconformance based on their losing records during the switch. They dug up paper copies and scanned them in. Now I am refusing to close the CA based on a lack of system corrective action: their not having a written procedure that addresses the requirements of TS16949, 4.2.4. My auditee has obtained the attached Google paper and wants to use it as a procedure.

That Google document is just a loose description of the features and benefits of the service. Where are the "...controls needed for the identification, storage, protection, retrieval, retention time and disposition of records"? Your company's internal controls over these things are what the standard is looking for, not a third-party description of its controls. In other words, you should have a documented procedure that (a) identifies the approved storage medium; (b) tells how records are identified; (c) tells how records are stored and retrieved; (d) tells what happens in the absence of Internet access; (e) provides requirements for retention and disposition.
 

AndyN

Moved On
Re: What's procedurally required for "cloud computing"?

I don't think so...however, it rather depends on how much IT were an integral part of your QMS in the first place...

So, for example, are they represented at Management Review? Did anyone see this "coming down the pike" at the last Management Review, such that you could have put the brakes on as far as making sure there was a plan to do what you've found was necessary to protect your organization?

If they aren't part of the overall QMS, or represented at Mgmt Review, then it's kinda tough to make them eat an NC, really, however much you feel like they should.

Let us know more about the degree to which they're part of your QMS
 

Neil V.

Re: What's procedurally required for "cloud computing"?

What's procedurally required for cloud computing? I don't think anything different than what's required for any other process.

I would demand corrective and preventive action from whomever initially used the term "cloud computing".
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: What's procedurally required for "cloud computing"?

Thank you for this temperature check.

The thing that makes this discussion surreal is that I am arguing it with my manager two levels up - I feel like I'm in an alternate universe to be explaining this simple concept. He's just really in love with Google Docs, yet I am insisting he's not off the hook.

The other thing that creeps me out is my apparently being the first one to notice the gap. I have dragged a corporate IT manager into the issue and made it clear that his group is best positioned to define these controls.

Maybe it's just a test of some kind.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: What's procedurally required for "cloud computing"?

I don't think so...however, it rather depends on how much IT were an integral part of your QMS in the first place...

So, for example, are they represented at Management Review? Did anyone see this "coming down the pike" at the last Management Review, such that you could have put the brakes on as far as making sure there was a plan to do what you've found was necessary to protect your organization?

If they aren't part of the overall QMS, or represented at Mgmt Review, then it's kinda tough to make them eat an NC, really, however much you feel like they should.

Let us know more about the degree to which they're part of your QMS

These are all good questions. One tricky aspect of this is that I am a site auditor, on loan for this job because their guy can't audit himself. The IT group that makes these grand decisions to do away with our Lotus system is part of corporate, whom I do not audit. I sat with an IT manager and explained the records control needs, and pointed out these audit records are just small stuff really - the QMS entails many, many more important records and people need to know what their capabilities/constraints are for record keeping before they get big cloud computing ideas. I also want those same IT people to not get the big idea that we can just do away with our Novell networks and go solely to 3rd party data management without thoroughly thinking this through first. It's possible, though I hate to believe it, that none of this has occurred to any of them because they have been outside the registrar's scrutiny until recently.

So I stressed they really need to understand this, and they should establish a corporate set of procedures we can all point to.

Meanwhile, my boss's boss is still stuck because he doesn't have an adequate procedure either. Thing is, he's high enough up in the food chain that he should be concerned about more than just closing out this CAR. I'm still holding my ground for a systemic corrective action.
 

AndyN

Moved On
Can you leverage a Corporate attorney's input into the situation, in terms of the legal ramifications of not having a complete set of records? Or, if not, someone high up in Finance, with regard to taxation impacts?
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Can you leverage a Corporate attorney's input into the situation, in terms of the legal ramifications of not having a complete set of records? Or, if not, someone high up in Finance, with regard to taxation impacts?

Well that would be a sight to behold! :D Surely, surely this is occurring to someone in the ranks of higher pay and authority. Surely this is a case of my not knowing what's gone on elsewhere. (My husband, who used to manage a computer network, said "Don't count on it.")

In case it has not, I did describe to the IT manager in our meeting that some records, such as those needed for Sarbanes-Oxley, are critical - then I sent him a link to a web site that briefly described the requirements of 4.2.4 (why reinvent the wheel?) and listed all the places in the standard (number and name of process) where these record retention requirements are cited. Yesterday I told my boss-boss that these records of his are low hanging fruit; he was just the lucky one to have me audit the thing and find the gap. "This issue is bigger than you and me."

That makes him feel like his nonconformance is a corporate nonconformance and he tried to wiggle out of it on that basis, but I came back and stressed that HIS record retention needs to be defined in writing. By this time he had got the IT manager in on the conference call - I told them they should work together, as my boss-boss isn't very well positioned to know what Google is doing or get a hold of the contract. I told the IT manager it would be better if the corporate guys made a procedure we could all point to, versus 180 of us making our own little record retention spec to deal with this.

He just wants to quickly close it out, but so far I won't let go.
 

John Martinez

An auditee has opted to keep his records as Google Docs since our IT people moved us from Lotus Notes to Google mail. I wrote a nonconformance based on their losing records during the switch. They dug up paper copies and scanned them in. Now I am refusing to close the CA based on a lack of system corrective action: their not having a written procedure that addresses the requirements of TS16949, 4.2.4. My auditee has obtained the attached Google paper and wants to use it as a procedure.

I have said it isn't good enough because it does not go into enough specifics on how the data is protected and how my people might go about retrieval from backups (even if that is simply who we contact in Google) should a data loss occur.

My auditee says "Well, Google is certified SAS 70," to which I respond that's great, but the IT group has not yet established that as a proxy for providing specifics about how data will be protected.

Bottom line is, neither corporate nor internal procedures yet exist for supplier control of contracted data management; they just haven't thought of it yet and were unlucky enough to have me audit them and bring it up as an issue.

Am I being too hard on my auditee?

While I have to think about your specific question, cloud computing is different than an internet based service such as internet e-mail.

While some services may play on this lack of knowledge, there is nonetheless a difference.

So long as the organization has a thought process, and does satisfy the requirement for documents, then the process is served.

My main issue is why they lost documents during the transfer? How about changes to the management system? How are they handled?

Just my opinion.

My reference PCToday Vol 7 Issue 13 "Separate the Cloud From the Crowd". "After all, service providers far and wide are quick to pick up on the cloud band-wagon, even if their services don't quite fit the classic definition of cloud computing".
 