Quality management articles - Quality Matters Blog

Security of Passwords ISO27001

2008-06-02T18:26:00.001+01:00

Each year, just before the INFOSEC (Information Security Exhibition) a test is carried out to asses the level of security placed upon workplace passwords.

This year your password could be exchanged for a chocolate bar. It is still shocking that some 64% of people challenged outside Liverpool Street railway station in Central London, were prepared to give their passwords away for a paltry chocolate bar. The findings were further segmented when the split of sexes was added into the equation; more of those giving away their passwords were women.

Where the questions were extended to ask for telephone numbers, place of work and dates of birth in exchange for the chance to win a holiday then results were down but still more women than men gave their details but only just.

The only crumb of consolation is that the total numbers prepared to compromise their personal or work security is down on last year by about 20%.

Government and big business continues to exhibit a less than satisfactory level of care with our security; indeed another case where there had been a problem with email attachments resulted in a disc being sent by normal post. The disc contained important information but was only protected by a basic password, which the company admitted, could be broken in a matter of minutes. The disc did not arrive.

It is not known how many of the security details given away at Liverpool Street Station were genuine and how many were simply wrong, but working on the 70:30 principle a good number were genuine. It is fortunate that details obtained were not used for any unauthorised use.... but they could have been.

Vigilance is required to ensure security of all our systems

Corporate Manslaughter Act 2007 and BS OHSAS 18001

2008-05-20T11:23:00.002+01:00

This Act of Parliament brings into law an offence of Corporate Manslaughter where a Company, Partnership or Owner can be found guilty of causing death by gross negligence. Previously it was necessary to prove that someone within a Company, Partnership or Owner was guilty of gross negligence.

Far from bringing relief to Company Director, Managing Partners and Owners, this could be a double edged sword as the organisation can be prosecuted as well as the Senior individual and Health and Safety Officer.

Here is part of the Act which gives guidelines for Jurors to consider when trying a case brought under the Corporate Manslaughter Act:

(1)(a) it is established that an organisation owed a relevant duty of care to a person, and
(b) it falls to the jury to decide whether there was a gross breach of that duty.

(2) The jury must consider whether the evidence shows that the organisation failed to comply with any health and safety legislation that relates to the alleged breach, and if so:

(a) how serious that failure was;
(b) how much of a risk of death it posed.

(3) The jury may also:

(a) consider the extent to which the evidence shows that there were attitudes, policies, systems or accepted practices within the organisation that were likely to have encouraged any such failure as is mentioned in subsection (2), or to have produced tolerance of it;

(b) have regard to any health and safety guidance that relates to the alleged breach.

(4) This section does not prevent the jury from having regard to any other matters they consider relevant.

(5) In this section "health and safety guidance" means any code, guidance, manual or similar publication that is concerned with health and safety matters and is made or issued (under a statutory provision or otherwise) by an authority responsible for the enforcement of any health and safety legislation.

Clearly under "any other matters that the Jury considers relevant" could include a defence that the organisation had 'taken all reasonable steps'; this could include a good Health & Safety Management System.

If this system complies with BS OHSAS 18001:2007 and is assessed and accepted by an accredited certification body then this defence is valid and should result in the jury finding that the accident was exactly that, 'an accident'.

The costs of incorporating 18001 and then having it formally assessed can be fully justified as an insurance against conviction against Corporate Manslaughter. It will also allow Directors, Managing Partners and Owners to sleep soundly in their beds, knowing that they have done everything possible to avoid death or injury in their enterprise.

What Value is an External Consultant?

2008-05-05T20:00:00.000+01:00

Most companies holding a certification to ISO9001 have done so for many years and although the standard call for 'Continual Improvement' this is often product or service based and often reflects the normal organic growth. While there is nothing intrinsically wrong with this approach, Directors are not always taking advantage of the latest techniques and processes.

Many companies certified over five or six years may have a fairly large quality manual and processes to match; some of these will have been expanded as a result of auditors' comments and some by customers complaints or observations, but not all will add any value to the company's operation.

What is a good idea is to have someone have a look with fresh eyes at what you are doing; get a real heads-up on the latest techniques and ways to reduce the administrative burden of Systems Management.

This not only applies to ISO9001 but to all the other standards, Environmental, Information Security, Health & Safety, individual Product standards and others.
Professional consultants have verifiable qualifications and accreditations plus Professional Indemnity Insurance. Also any consultant will be able to furnish you with a list of satisfied clients with whom you can obtain references.

A good consultant is worth his/or her weight in gold; not only can an MOT actually save money it can result in greater efficiency. Remember an experienced consultant will have been involved with a number of organisations and will be able to use that experience to help you. Cherry picking the best practices and techniques while retaining strict confidentiality will add real value to your business.

There are other advantages, such as no holidays to pay for, no sickness or other absence to factor in and the best bit is you only pay for actual work performed.

OHSAS 18001 Health & Safety Management Standard

2008-04-21T23:02:00.003+01:00

OHSAS 18001 has become one of the most widely recognised standard in the world. Last year the standard was adopted as a British Standard and can be formally assessed and certified.

What is OHSAS 18001?

18001 or more correctly BS OHSAS 18001:2007 (in the UK) is a registration scheme where an organisation's Health & Safety Management is assessed against a set of rules; if successful the organisation can use the logo to endorse the management system incorporated in the organisation. The logo along with the 'tick and Crown from UKAS' means that the company can demonstrate full compliance with the standard.

What does OHSAS 18001 cover?

The standard covers all elements of Health & Safety in the organisation and ensures that the Safety at Work legislation is fully implemented. With the ever increasing regulation and legislation it is important to have any internal systems validated. It may prevent inadvertent breaches of the Law and the prosecutions that may follow.
In short, all the health and safety activities normally carried out within a well ordered organisation.

Below is the BS OHSAS 18001 model which is designed to turn OH&S Policy, through planning and implementation into continual improvement of the Health & Safety system employed by the company.

The information gathered at every stage is fed to top management to allow for continual improvement. In this way the organisation is able to make decisions based on fact and so develop and evolve.
Many companies are opting for a fully integrated approach of Quality, Environmental and H&S in one management system.

ISO14001 Environmental Management Standard

2008-04-07T09:54:00.004+01:00

What is ISO14001?

14001 is an externally assessed scheme where an organisations declared environmental practices are checked against a set of rules; if successful the organisation can use the logo to endorse the environmental management system incorporated in the organisation.

An additional advantage is that cost savings brought about by reductions in gas, electricity and fossil fuels can be significant.

What does ISO14001 cover?

The standard covers the impact on the environment made by the product (or service) from customer's order through order acceptance, design and development if appropriate, planning, production or service delivery and control of calibration devices. Also included is training and the selection of suppliers that are able to meet the organisation's environmental needs, together with controls on energy usage and waste generation.

The activities are those carried out by most 'Green' companies.
Below is the ISO14001 model which is designed to allow for continual improvement through planned and operated policy.

As is the case with ISO9001 (Quality Management Standard) the information gathered from the processes is fed to top management to allow for continual improvement. In this way the organisation is able to make decisions based on fact and so develop and evolve.

The two standards 9001 and 14001 are often integrated into a single management system.

ISO9001 Quality Management Standard

2008-03-24T20:20:00.005Z

ISO9001 has become the most widely recognised standard in the world. In the UK the 'Crown and Tick' logo alongside the Certification Body shows that the certificate of registration is valid worldwide.

What is ISO9001?

9001 or more correctly BS EN ISO9001:2000 (in the UK) is a registration scheme where an organisation is assessed against a set of rules; if successful the organisation can use the logo to endorse the management system incorporated in the organisation.

What does ISO9001 cover?

The standard covers all stages of a product (or service) from customer's order through order acceptance, Design and development if appropriate, planning, production or service delivery and quality control checks such as inspection, and control of calibration devices. Also included are the selection of suppliers and purchase of goods, together with control of customer complaints and the measurement of customer satisfaction.

In short, all the activities normally carried out within a well ordered organisation. There is no rocket science involved.

Below is the ISO9001 model which is designed to turn customer enquiries into customer satisfaction:

The information gathered from the processes is fed to top management to allow for continual improvement. In this way the organisation is able to make decisions based on fact and so develop and evolve.

Encryption and ISO27001

2008-03-09T20:34:00.005Z

What is encryption?

Encryption is a method of scrambling a message or other data so that is cannot be read by an unauthorised person. Sadly it has become too easy to intercept messages and use them for illegal purposes. Encryption protects that data.

A simple encryption might be to use the alphabet In reverse:

'Please reply to this message' becomes KOVZHV IVKOB GL NVHHZV
Unfortunately this code would be broken very easily. A more secure system would use the shift method where the table is used but each letter is shifted to the right by 3 boxes.

'Please reply to this message' Now becomes SOSWVS FSHLE DI DPOE KSEEWQS. This is better but relies on the person receiving the message knowing the key (what method was used). This type of encryption would be broken in second by an experienced cracker.

Modern computers rely on even more secure methods:

The first of these is the SYMMETRIC KEY where the sender and the receiver know the key and the message is decrypted. Anyone else will see a jumble of letters.
The second method is known as PUBLIC KEY, a typical system uses PGP (pretty good privacy) and relies on a public key which is available in the message and a private key which is know to only to the sender and the receiver. Again anyone else will see gibberish.

The third method is known as DIGITAL CERTIFICATE where the certificate acts as a middleman, checking the identity of both the sender and the receiver; if both are genuine the certificate allows the message to be decrypted.

Additionally financial transactions use a secure system know as SSL (Secure Sockets Layer) the user will notice that the usual http:// is replaced by https:// and a small padlock is normally present on the web-site to show that SSL is in use. Credit Card transactions use this very secure method of encryption.

The Information Security Standard ISO27001 recommends the user of encryption to protect data.

ISO27001 Information Security

2008-02-25T21:56:00.002Z

Data security, or lack of it is in the news almost daily and the news is pretty alarming. Report after report reveals, the often casual way, the shortfalls in care of our data.

Every cloud has a silver lining however; we have seen a huge increase in enquiries for consultancy in setting up ISO27001 systems. It seems that industry and commerce are taking data security very seriously, unlike the Revenue.

ISO27001 sets up a number of steps that protect data and other information from unauthorised access and release. It also ensures compliance with the Data Protection Act and ensures that companies are protected from litigation concerning data.

Surely it cannot be long before the Information Commissioner takes action or failing that litigation against those who loose or act in a cavalier manner with data under their care.

Every organisation employing ISO27001 can claim that they have used best practice and have taken all reasonable steps to ensure that the elements of Data Security have been employed. This is a valid defence in a Court of Law (if it should go that far).

C. I. A. are the main requirements:

Confidentiality

To ensure that data is not compromised or released

Integrity

To ensure that data is protected from unauthorised alteration

Availability

To ensure that data is available when and where required

If we all carry this out then there is hope for us yet.

At the moment, I for one, am unwilling to trust my valuable data to any organisation not complying fully with ISO27001.

Social Engineeering

2008-02-11T22:19:00.000Z

Social engineering is the name given to attempts to gain secure information by gaining the trust of the person holding such information.

With Valentine's Day fast approaching, I recall methods used in the past to gain entry to some of London's most secure buildings.

Imagine the scene, a pretty girl with a teddy bear and a box of chocolates presents herself at reception, "It's a surprise for Jason Brown from his girlfriend and the bear, chocolates and message have to be delivered in person". The Receptionist says that security policies will not allow her in, but she pleads that this is an emergency, and trusting the girl, just this once, lets her in. Of course she isn't delivering a Valentines Gift, she has been sent to test the company security.

Imagine the second scenario, the telephone rings and the person on the other end explains that he is one of the IT engineers testing the company intranet and has foolishly gone to the data centre without taking his book of secure passwords, if he is found out he will probably be sacked; can the person please help him out this once and give him log in and password information. The result can be scary.

The third scenario is even more worrying; on a train station the offer is a free pen if the person will simply write their log in and password on a slip of paper. Each person so doing will be entered into a draw with the chance to win a holiday, one million pounds, or some other prize. Sadly too many people take up this offer and compromise their security systems.

This year with February 29 being the day when traditionally ladies can propose to their men it will be entirely possible that many secure buildings will be penetrated by women claiming to want to propose, and it must be surprise mustn't it?

And finally the smoking ban has had a very detrimental effect on security; the fire doors at the back of the building are left open to allow smokers to go out for a cigarette, and get back in afterwards. The social engineer will simply mingle with the smokers and follow them in. Security breached.

Business Continuity Planning BS25999-2:2007

2008-01-24T14:23:00.000Z

I wonder how many companies were faced with the same problem that I faced following the Christmas and New Year shutdown: my office landlord decided that he would turn off the heating during this period in order to save money. The net result was that the office, and more importantly the computer equipment, became very cold. Upon turning the heating back on, condensation formed and this caused the equipment to short out.

The resulting bang not only did my constitution no good, it meant that the computer equipment had to be repaired. Fortunately our company has a business continuity plan which was put into action and none of our clients were put to any inconvenience.

At the end of 2007 The British Standards Institute produced an new standard BS 25999-2 Business Continuity Management and its code of practice BS25999-1. This can be either a stand-alone system or as part of ISO27001 (Information Security Management Standard).

BS25999-2 sets out the requirements for BCM (business continuity management) and how any organisation can reduce or mitigate any incident which interrupts or degrades the company or its operations.

The main areas are:

Identify what potential risks could affect the company;

Know what equipment would be needed in the event of a loss of building/facility;

Keep copies of staff information off-site to be able to contact key personnel if required;

Plan who will do what and when;

Make contingency plans for staff if buildings are unavailable;

Keep copies of important information off-site;

Review and train everyone in the continuity plan and IT disaster recovery routine;

Test the plan regularly;

Learn lessons from any tests;

Ensure the plan is kept up to date.

Having a business continuity plan in place will not stop a disaster happening, but it certainly will ensure that its effect can be mitigated and will ensure that the company can be up and running in the shortest possible time.

It is important to note that many companies that have been subject to a major disaster and do not have a business continuity plan have gone out of business.

Be prepared. It is not only for boy scouts.

Business Continuity Planning

2008-01-17T10:23:00.000Z

Business continuity planning is one subject that is often left to the last minute but is one of great importance.

If you wait until 'something' happens, it could be too late. I have seen people wading in calf deep water looking for the stopcock; others reading the instructions on a fire extinguisher in the middle of a fire.

In reality we should all know what to do in an emergency well before the emergency happens and be prepared for most eventualities.

We have read about the terrorist attack, the dirty bomb and other major catastrophes but it is often the 'soft' disasters which can cause irreparable damage to a company.

One such problem occurred recently; the company uses a card entry system to gain access to the building. The server housing the operating system failed and prevented anyone entering the building. It was apparent that there was no manual override; people milled around outside the building, not really knowing what to do. Eventually someone broke a window to gain entry. Of course the alarm went off and before it could be turned off the police were on site; embarrassment all round.

The company has now put a system in place to override the card system if it fails in the future.

The winter season also means that illness will increase; how many companies have prepared for a flu epidemic? Sadly very few.

Companies that have incorporated ISO27001 (Information Security Management System) will have an emergency plan in place, regularly tested and validated. This together with an IT disaster Recovery Plan will be able to deal with most eventualities. The old saying that 'if you hope for the best but prepare for the worst' is a good mantra to use.

Companies that have suffered major disaster, like being in the vicinity of the Buncefield fuel depot fire, and did not have any business continuity plan have disappeared without trace. Insurance cover just didn't mitigate all the problems. Those companies that did have a plan in place, had difficulties but managed to survive.

It is a pity that, as of December 2007, there are only 363 companies in the UK certificated to ISO27001. It is a very big standard to achieve but the benefits are huge.

IS09001 Quality Management Standards

2008-01-10T09:31:00.000Z

In the UK there are some 6.6 million companies trading and of these over a million are certificated to ISO9001:2000. These companies have procedures and processes in place which are tested by independent certification bodies accredited by UKAS (The United Kingdom Accredited Service).

Companies certificated to ISO9001 have to provide evidence of their compliance to the standard.

This testing is repeated on a regular basis to ensure continued compliance.

Essentially, 9001 is a management system process to turn customer enquiries into customer satisfaction and provide information to the management of the company. The measure of customer satisfaction is an important one and must be measured in a proactive way. The absence of complaints is not a sure fire way of monitoring customer satisfaction; often dissatisfied customers will simply go elsewhere. The sad thing is that the company may never realise why customers do not return. The only way to find out how your customers perceive the quality of service they receive is to ASK them.

The other measures in 9001 are monitoring and measuring of processes and products which ensure that the resulting product (or service) really does meet requirements.

Nowadays 9001 is expected as an entry point for tenders; Government contracts often specify 9001 as a mandatory requirement. If companies do not have this, any submitted tender does not get past the starting gate.

One other point about 9001 certificated companies relates to survivability during tough times; 9001 are more likely to weather difficult times as they have documented and tested procedures in place to cope with problems.

A Happy New Year (and a more secure one!)

2008-01-03T11:47:00.000Z

We should all hope that 2008 is going to be a more secure year for our data. It seems that every day brings fresh news that our data has been compromised in one way or another. The chief culprits appear to be government departments which are being forced to own up to data breaches in the past rather than being found out by the Information commissioner.

In addition to lost disks, there are paper records discarded in public dustbins and lost laptops by the boat-load. Security which was trumpeted by ministers as being paramount seems to have been very low on their priority list in their own domains. It is also lamentable that there has been a deliberate policy of hiding the facts from those people most at risk.

We must be vigilant as these data breaches might not affect us until some date in the future. Criminals will wait until the furore has died down before using the data illegally.

Let us make sure that 2008 is a year of data security, here is a recap of precautions:

Always shred confidential documents or documents having identifiable data;

Never give passwords or log on information to email enquiries, telephone callers or visitors;

Be wary of emails directing you to a bank or other secure site which ask for personal information;

Do be aware that information put into social sites such as Facebook may be visible to people other than the intended audience. Dates of birth, names and addresses, telephone numbers and details of family can be used to steal identities.

Never dispose of old computers until the hard drives have been removed or destroyed; remember deleting or re-formatting the disk does not actually delete the data;

Never leave confidential documents on desks overnight or when unattended (clear desk policies);

Laptops should be secured with a multistrand cable to an immovable object like a radiator when unattended;

Laptops should be password protected;

Laptops should be encrypted if data is sensitive;

Never share passwords and use complex passwords to prevent other gaining access to desktops and laptops;

The list goes on and on but use common sense - assume that the worst may happen and take precautions to stop or at least reduce it.

Let us all have a Happy and safe New Year

ISO9001 Quality Management Standard Upgrade - 2008

2007-12-29T12:29:00.000Z

ISO9001 has been around now since 2000 and it is normal practise for Standards to be reviewed and updated every five years or so. This update is now overdue.

The PDCA model has been retained and one member of then committee said it should stand for 'Please don't change anything' rather than PLAN-DO-CHECK-ACT.

The ISO Committee has proposed that only minor changes should be incorporated into the 2008 update:

Clause 0.2 (Process approach)

Text added to emphasize the importance of processes being capable of achieving desired outputs

Clause 4.2.3 (Document control)

Clarification that only external documents relevant to the QMS need to be
controlled

Clause 4.2.4 (Records control)

Editorial changes only (better alignment with ISO 14001)

Clause 5.5.2 (Management rep)

Clarifies that this must be a member of the organization's own management

Clause 6.2.1 (Human resources)

Clarification that competence requirements are relevant for any personnel who are involved in the operation of the quality management system

Clause 6.3 (Infrastructure

Includes information systems as example

Clause 6.4 (Work environment)

Clarifies that this includes conditions under which work is performed and includes, for example physical, environmental and other factors such as noise, temperature, humidity, lighting, or weather

Clause 7.2.1 (Customer related processes)

Clarifies that post-delivery activities may include:
- Actions under warranty provisions
- Contractual obligations such as maintenance services
- Supplementary services such as recycling or final disposal

Clause 7.3.1 (Design & development planning)

Clarifies that design and development review, verification and validation have distinct purposes

These may be conducted and recorded separately or in any combination as suitable for the product and the organization

Clause 7.3.3(Design & development outputs)

Clarifies that information needed for production and service provision includes preservation of the product

Clause 7.5.4 (Customer property)

Explains that both intellectual property and personal data should be considered as customer property

Clause 7.6 (Now retitled Control of Monitoring and Measuring equipment)

Explanatory notes added regarding the use of computer software:

"Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use."

Clause 8.2.1 (Customer satisfaction)

Note added to explain that monitoring of customer perception may include input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, and dealer reports

Clause 8.2.3 (Monitoring / Measurement of process)

Note added to clarify that when deciding on appropriate methods, the organization should consider impact on the conformity to product requirements and on the effectiveness of the quality management system.

I must emphasise that these are proposed changes and not 'set in stone'.

The 2008 Standard is expected to be published in November 2008.

Auditing Top Management

2007-12-19T21:15:00.000Z

Internal auditors are required to audit top management as part of both ISO9001 and ISO14001 Management systems and most auditors find this task difficult.

The questions that I am asked include:

If I criticise my boss, will it affect my future with the company;

If I do not audit strictly enough will my boss think I am weak;

If I audit too hard will my boss think me too pushy?

The way to audit top management is to apply a code of conduct that cannot be misunderstood:

Make an appointment to audit your boss, giving ample time;

Always arrive at the appointed time;

Determine what you need to know;

Prepare your questions in advance;

Always be polite and do not raise your voice;

Treat any non-conformity as a matter of fact and not a triumph over your boss;

Remember that your boss may feel the necessity to justify any non-conformity and you should allow him/her time to state the reasons for this;

Always agree where a non-conformity is present and do not get into a discussion if this cannot be substantiated;

Do not allow your boss to take over the process; you are in control;

And finally do not carry on the audit beyond the agreed time;

If you do all these thinks you will find that auditing top management is as easy as normal auditing.

Information Security - AGAIN

2007-12-02T20:27:00.000Z

The latest security lapse where the HMRC ( Her Majesty's Revenue and Customs Service) has 'lost' a CD containing names, addresses , NI numbers, dates of birth etc of up to 15,000 Standard Life customers has provided a new round of concerns about security of data. Apparently the disk, containing very useful information to identity thieves went missing while being transported from HMRC TO Standard Life Offices in Newcastle. Standard Life Customers have been warned to look out for any unusual activity in their financial accounts.

As we approach the season of goodwill it makes even more sense to guard against identity fraud and unauthorised transactions in credit cards and other banking areas. Copied or cloned credit cards, people watching as you enter pin numbers into 'Hole in the Wall cash machines' or just simple pickpockets taking a wallet or purse are just some of the ways that we can be relieved of our hard earned cash.

Don't discard paper that has any personal or company details in the rubbish - shred all identifiable paper.

Destroy all expired or replaced credit and debit cards. Cut into many pieces or put into a shredder (if it had the ability to shred credit cards)

Don't respond to emails asking for user names and passwords - Banks never ask for this type of information in email.

Make the run up to the festive season a poor one for thieves.

Security of Data

2007-11-25T19:45:00.000Z

The loss and compromise of sensitive data by the Revenue has left most of us dumbfounded as every security precaution that could have been provided to protect this data were totally ignored.

Security professionals across the country gasped in amazement as the story unfolded. If a private company had lost this amount of data the Data Protection Act would be invoked and a criminal investigation and prosecution would follow. Will this happen in this case? I doubt it. Will the truth come out? Again I doubt it particularly as Civil Servants have been told to keep quiet or risk prosecution under the Official Secrets Act.

Government departments with their immunity from prosecution are often cavalier with the rules that apply to the rest of us.

This scandal should bring down the Government or as an absolute minimum result in the sacking of the Chancellor.

However for the law-abiding and professional users of data here are the basic precautions that should be taken when transmitting sensitive data:

Never send data over the internet unless securely encrypted;

Never send more data that is actually required;

If data is to be burned onto CD or DVD, it must be properly authorised and the disks numbered, monitored and tracked.

Never send disks of this type by post;

If they need to be sent to another location, a hand to hand transfer is most secure followed by a data tracking delivery and lastly by a registered method.

Once the disks have been used they should be returned to the originator by a secure method for destruction.

If there is an apparent loss of disks then an immediate and high priority search should be made and interested parties informed.

These are the basics which seem to have been ignored by the custodians of our personal information.

If the Government is to hold even more data (ID cards for example) then their systems have to be bomb proof.

Industry is adopting ISO27001 - information security management - to protect data and so it should. It is a sad reflection on HMG that these standards are not adopted by them.

BS OHSAS 18001:2007 - Health & Safety Management

2007-11-03T21:20:00.000Z

18001 has at last been issued as a formal standard which can be assessed and a certificate issued. Previously the guidelines could be adopted but didn't carry the same weight as a British Standard. Many organisations wanted a recognisable occupational health and safety management system standard that could be assessed and certificated.

The format of the standard is similar to the template set for ISO9001 - the quality standard and ISO14001 - the environmental standard. The structure of all three standards allow for integration if desired.

There are elements of communality:

Management review

Internal audit

Non-conformity control

Evaluation of compliance

Performance measuring

Document control

Control of records

Communication

Competence, awareness and training

Control of resources

Objectives & targets

Many organisations are choosing the integrated approach to incorporate
'industry best practice' to maximise compliance to the raft of regulations
facing businesses today. Certification provides independent evidence of compliance which can be used to offset any problems in the quality, environmental of H & S areas.

Myths Surrounding ISO27001 Information Security

2007-10-28T19:18:00.000Z

This week I am carrying the series of myths forward and this time surrounding Information Security (ISO27001).

Information Security is for big companies

False Most small companies (and individuals) are targeted at
some time.

My computer has virus control software so I am safe.

False Anti-Virus software is only one area of protection.

I have turned off the Microsoft Automatic Update to protect my computer.

False Auto-update provides security patches to help protect your computer.

I always tear up sensitive paper information before putting it in the dustbin to
protect myself.

False tearing up paper is never as secure as shredding.

Cutting a credit card in half makes it useless to a thief.

False Shred any non required credit cards as a thief can copy the detail and your signature.

Email is a secure method of communication.

False Unless you encrypt your email, it is visible.

I can't remember complex passwords so I use my dog's name, but that is secure.

False A hacker will run a dictionary test to find easy passwords like this.

My company insists on 8 digit passwords so I have to write them down – but this is safe.

False Writing down passwords is a bad idea and is full of risk.

In my company we all share a generic password but this is secure.

False If there is s problem with a generic password is it almost impossible to find out who is responsible.

When we get new computers we always format the old hard disks to ensure they cannot be hacked.

False Hard disks should be physically destroyed otherwise data can be recovered, sometimes by simply un-formatting.

Information security is everyone's responsibility.

ISO9001 Quality Management System Myths

2007-10-21T16:03:00.000+01:00

There are loads of myths concerning ISO9001 and most are perpetrated by those who are ignorant of the true facts, nevertheless I hear these repeated as though they were absolute gospel.

Here are just some of these:

ISO9001 is a bureaucratic system which requires a piece of paper for everything.

False. The system should work for the organisation and not the other way round. If set up correctly ISO9001 will prove highly beneficial. Paper heavy systems are really out of date.

Dictates how any business must be run.

False. The standard states that all businesses are different and that the standard should be adapted to fit the business and not be prescriptive so that the business has to fit the standard. However the main elements are parts of any good practice system and there is no 'Rocket Science' involved.

Inflexible system.

False. If correctly set up the system will allow for unexpected events and can be as flexible as you need it to be.

Directors only must sign off all released work.

False. It is usual for identified job functions to release work but these do not have to be Directors. Most good systems will allow deputies to release work if the primary release person is unavailable.

Costs a fortune to set up and run.

False. The actual assessment and certification fees vary between certification bodies and of course the size of your company but these can be very reasonable.

As far as setting up your system, you could do it yourself. It could be more effective in the longer term to employ the services of a qualified consultant who will utilise best practice.

Requires huge quality manuals.

False. The days when manuals filled a bookcase and were almost too heavy to lift are long gone

Requires procedures for everything.

False. The standard specifies only six mandatory procedures;
Documents control, control of records, internal audit, Control of Non-conforming product/service, Corrective action & preventive action. Most businesses will have other process orientated elements documented but these are decided by the management of the business

You can produce faulty products and still meet ISO9001 provided you do it all the time.

False. Customer satisfaction is a primary measure. Poor quality products would mean dissatisfied customers and not meet ISO9001

Does not allow for quick turnaround of urgent work.

False. ISO9001 does not hinder fast turnaround of orders, in fact it ensures that records are kept to show what has been done and when

Must answer a phone by the third ring.

False. There is no mention of this in ISO9001. Some call centres have this as a requirement but it is certainly not specified in the standard.

The standard says "Say what you do - do what you say and prove it".

True. The standard uses the PDCA model - Plan, Do, Check, Act.

Most good businesses are already doing most of the requirements of ISO9001.

True. Enough said?

Security of Credit Cards

2007-10-14T09:45:00.000+01:00

The criminal fraternity are again turning their sights on credit cards, not just in the UK where face to face sales and chip and pin have made considerable reductions in fraud, but in 'Customer not present' transactions, often on the internet where fraud has risen.

The real growth area for fraud has been in overseas transactions, particularly where chip and pin has not been fully implemented. These transactions use the magnetic stripe on the back of the card and a signature for evidence of card ownership. There are a great number of counterfeit cards doing the rounds and these net the thieves a considerable bounty.

We all pay the costs of these frauds in card charges and interest rates, so it is in all of our interests to combat this fraud wherever possible.

There are various systems which can help to prevent these frauds but most rely on cardholders taking responsibility:

Ensure that your card does not get taken away for scanning (it could be copied)

Always shield the keypad when entering your four digit pin (opportunists can see your pin)

Never tell anyone your pin number (that is just plain stupid

Never lend your card to anyone else (that is worse)

Take receipts for ATM transactions away and not put them in the bin provided by the ATM owner (the information contained on these slips could be useful to thieves)

If you are suspicious about a transaction tell the card issuer (common sense)

Tell your card issuer if you are going abroad so they don't suspend your card for unusual transactions (prevents embarrassment)

Taking these sensible precautions could help stop these unscrupulous people from taking your money.

Protect your Cards from Fraud

Monitoring and Measuring Devices

2007-09-30T16:05:00.000+01:00

Both ISO9001 Quality Management and ISO14001 Environmental Management systems require that devices used for making meaningful measurements or tests should be calibrated or verified before use. Any calibration must be traceable to a National or International Standard.

There is an increasing trend for small companies to purchase so called "calibration boxes" and do it themselves. While this may be adequate as a verification it cannot take the place of a proper calibration by a calibration house.

I have witnessed the level of checking that takes place during a routine calibration and in comparison with a quick plug in check shows how much risk could be generated by not knowing the level of uncertainty.

Some electricians and electrical system testers are relying on the calibration box to assure themselves that their equipment is accurate. This may not be the case and if (when) someone is injured or killed their Insurance Company may void the policy for the company and the liability would then revert to the directors/owners for compensation. This could mean seizing of assets, and at worst bankruptcy.

The small amount of money that is saved by the DIY calibration route may well prove to be an expensive option. In addition the loss of reputation and damage to personal pride in the job may well have far reaching consequences.

Generally, the 'calibration boxes' that are available today are designed to be used for a daily or weekly check of the proper operation of equipment. However, such checks should no more be relied upon as a demonstration of accuracy than you would rely upon a check of the dipstick to replace servicing of a modern motor car.

The message is clear: If you use any monitoring and measuring equipment that is used for making meaningful measurements or tests then have it calibrated by a professional calibration house to ensure that the risk is minimal.

ISO9001 Certification or Not

2007-09-21T21:05:00.000+01:00

Many organisations put a quality management system into place but don't go forward to formal certification. This is usually due to the fear of failure and of course cost.

The advantages of formal certification are many:

An independent verification of the organisation's quality arrangements;

Formal recognition, that is accepted world-wide;

Continuing checks that the system is still valid;

Requires evidence of continual improvement.

Systems that are not formally certified tend to drift over time. It is often the case that the system will deteriorate and the people involved with the quality management system are so close to it that they don't actually see the downward trend.

Where formal certification is used there is always a degree of uncertainty about the regular surveillance visits: "What will the assessor find?", "Will he/she still recommend continuing certification?"

It is this regular routine that ensures that the system retains that edge and still meets the needs of the organisation.

When all is said and done, the organisation wants to see some benefits from a quality management system and this can only really be achieved by third party certification.

ISO09001 vs ISO027001

2007-09-09T21:20:00.000+01:00

ISO9001

What is ISO9001?

A Quality Management system for turning customer requirements into customer satisfaction.

Provides the mechanism for continual improvement.

A set of common sense guidelines for running a successful business.

What are the benefits of ISO9001 Registration?

Internationally recognised quality mark

Certificates awarded by independent accredited organisations.

Customers do not have to do their own checks on a supplier.

How many ISO9001 Certificates have been issued?

Over 1 million worldwide.

The Model for ISO9001

What is covered by ISO9001?

BS EN ISO 9001:2000 requires 5 main sections to be addressed, these are:

Quality Management System;

Management Responsibility;

Resource Management;

Product Realisation;

Measurement, Analysis and Improvement

Each section is subdivided as required and covers all elements of the business having an impact on quality.

ISO27001

What is ISO27001?

An Information Security Management System for protecting customer information and data from unauthorised disclosure.

Confidentiality, Integrity and Availability

Risk assessment and management

Access controls and computer security

Protection of hardware and software assets

Business continuity management and disaster recovery

What are the benefits of ISO7001 Registration?

Internationally recognised Information Security Mark.

Certificates awarded by independent, accredited organisations.

3rd Party assurance of information security credentials.

How many ISO27001 Certificates have been issued?

Under 4000 worldwide (includes BS7799 certificates)

The Model for ISO27001

What is covered by ISO 27001?

ISO27001 requires 5 main sections to be addressed, these are:

Management Responsibility;

Internal ISMS Audits;

Management Review;

ISMS Improvement

Correlation between ISO9001 and ISO27001

How long does it take to obtain certification?

This obviously varies from organisation to organisation, but the prime requirement is that the organisation must have three months of 'track record' from completion of the document set.

As a rough guide, ISO9001 can be achieved in about 6 months while ISO27001 takes about 12-18.

What documentation is needed?

A Quality & ISMS manual and procedures/processes for operating the systems.

Once certificates are issued what happens next?

The certification authority will carry out surveillance visits each year to ensure continued compliance.

Phishing and Computer Security

2007-08-30T20:58:00.000+01:00

I am sure everyone has received an email advising them that their bank has introduced some new security method which requires them to enter passwords and other security details into a web page or face discontinuation of a service.

This is called PHISHING and is usually carried out by criminals to persuade innocent victims to give away information that they may use to gain access to bank accounts, credit card accounts or other financial accounts.

It usually starts with an email

'The xyz bank has recently upgraded its security systems to make your account more secure and to protect your account from unauthorised access. To ensure that these new security measures are applied to your account you must change your password.
Click on the link www.any1bank.co.uk.'

If you click on the link you are taken to a web-site which looks remarkably like the web-site for your bank, cheekily, it may even have a warning on it that you should take care to make sure any information you provide is secure. You are invited to enter your security details. By doing this you have provided the phisher with information to permit theft of your money.

No bank or other financial institution would ever ask you to enter these details on an email.

If in any doubt carry out the following:

Never put passwords into an email (email is not secure)

If asked to click on a link, hover your mouse over then link and see if the link is the same as the hover information

If possible type in the web information you hold already for your bank

On a bank website look for the closed padlock symbol which shows that the site is secure

If it looks at all suspicious don't do anything with it

Forward the email to your bank for them to deal with it

Telephone your bank and ask if the email is genuine

If you have been fooled and do enter information into a phishing web-site contact your bank immediately and them what you have done. This may mean that your account is frozen while action is taken. You will have to change passwords of course.

Phishing is the number one method at the moment for fund generation by criminals.

Don't fall for it