1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Role of information security in quality management

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Paul Simpson, May 30, 2017.

  1. Paul Simpson

    Paul Simpson Member

    Joined:
    Aug 6, 2015
    Messages:
    41
    Likes Received:
    61
    Trophy Points:
    17
    Here in the UK our health service was one of the key targets of the recent WannaCry ransomware attack and that got me thinking about information security as one aspect of a quality management system. I posted an article on Bywater's site and reproduced it on LinkedIn and a couple of other sites. There are a lot more aspects of this attack and I'd welcome views on how quality professionals should consider information security in the systems we have responsibility for.

    I've a few more ideas and questions that I'll bring back to this thread.
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Depending upon the "Context of the Organization", Paul, I'd say it's very germane to controlling customer intellectual property. As far back as QS-9000, there's been a stated requirement to do that (for the auto industry, for example). So, why not extended it across the customer base? I'm behind anything which protects the client. Just might have to judge their maturity towards such a thing, however...o_O
     
  3. Nick1

    Nick1 Member

    Joined:
    Jan 27, 2016
    Messages:
    49
    Likes Received:
    20
    Trophy Points:
    7
    Andy makes a good point on protecting customer intellectual property and that you should always protect. In Holland there are certain laws on how to handle these circumstances. We always try to cover a good amount during the laws and legislations compliance check which helps but doesn't prevent. Well even the ISO27001 doesn't help you to prevent it from happening and this standard is designed for data security. Unknown factors are put on the action list for further investigation to see how we can handle them.
     
    Andy Nichols likes this.
  4. Paul Simpson

    Paul Simpson Member

    Joined:
    Aug 6, 2015
    Messages:
    41
    Likes Received:
    61
    Trophy Points:
    17
    I said I'd be back! :)

    I posted a follow up on Bywater's site - continuing the theme of integration between information security and quality management.

    Following on from my colleague, David Cole’s, article on information security news stories on this topic keep coming and the breadth of scope of application grows with every headline. There was the ransomware story that was lead item on news bulletins for days and lately it transpires another headliner, BA’s Disaster Recovery story, also appears to have roots in data corruption.


    The message I am hearing is that we all need to be better aware of obligations in the markets we operate and under current legislation. All organisations use information as part of their core processes and have duties to manage security of that information. We have less than 12 months until the introduction of heightened obligations under the General Data Protection Regulations (GDPR) and indications are that the UK is not ready to meet these new requirements.

    Not quite at the same level of dramatic impact, the Information Commissioner’s Office (ICO) recent list of enforcement action indicates continuing data protection lapses across sector. The list includes a Council’s prosecution for publishing sensitive information in the form of a statement supporting a planning application. The issue of liability centred on the balance between the Council’s need to publish information and for it to protect personal privacy. In its judgement, the ICO highlighted failures in Council procedures and training for protecting data in the course of carrying out its duties.

    In the same listing we can see evidence of the ICO’s approach to dealing with data security breaches and their follow up regime. RBS undertook to introduce revised procedures for managing faxes after breaches in October 2014 and the ICO lists the results of their follow up process with the need for further action by the bank to ensure faxes remain secure.

    The role of the ICO is not confined to Local Councils and large companies; in the same listing the ICO refers to prosecution of an individual for unauthorised access to personal records.

    As quality professionals we need to ensure management systems we have responsibility for reflect changes to our organisations operating environment – its ‘Context’ in ISO 9001 terms and, as in my earlier article linked above that we keep our skill set up to date through CPD. Only by being aware of changing requirements can we advise our organisations of the need for process enhancements, updated controls and employee awareness and training to be able to comply with regulatory requirements.

    The resources listed in my previous article still apply. A suggested new resource for this challenge is:

    ICO 12 step plan for preparing for the GDPR

    Quality professional’s may also be interested in Integrated ISMS and QMS Auditor Training Course which covers how to incorporate Information Security within a Quality Management System Audit – for Existing QMS Auditors.
     
    Raffy and Andy Nichols like this.
  5. k_richer

    k_richer Member

    Joined:
    Nov 14, 2016
    Messages:
    22
    Likes Received:
    3
    Trophy Points:
    2
    We've had a lot of issues here with some attacks on our system, I mean, we've always had some policies when it came to IT and stuff, but definitely after what's been going on here at my work, audits in the IT department have become a little bit more in focus, and also trying to get my IT to do their own internal security audits as well.

    I definitely think it's part of quality, it may not effect the customer right away, however it slows us down to getting the product out of the door when everything is down.
     
  6. Kamran ali

    Kamran ali New Member

    Joined:
    Mar 5, 2019
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
  7. Graham Thorpe

    Graham Thorpe Member

    Joined:
    Feb 2, 2019
    Messages:
    30
    Likes Received:
    12
    Trophy Points:
    7
    Location:
    Milton Keynes, UK
    Interesting debate. We are 2 weeks into our 9001 project but in our analysis of the organisation the loss of our design data was highest on or risks list. So that's the main thing I am working on ( well it saves showing the owner I know squat about the 2015 revisions ). As more and more company data goes electronic I believe its getting harder to separate IT from Quality. For us as a techie company the two fit so well together.