The Grey Chronicles

2008.November.6

The IQA of Information Security


I was assigned to conduct an Internal Quality Audit [IQA] for GSPI’s Information Systems and Services [IS&S] Department. This was already my second IQA for that department.

During the first IQA last 15 July 2008, I cited the following as major non-conformances:

  1. No objective evidence of draft of Info Security Policy. No documented Quality Objective to monitor (part of Dept’s function).
  2. Inconsistent delineation of responsibility for specific Technical Team members. Inconsistent Limits of Authority versus the published ISO Procedures and Work Instructions.
  3. No indicative retention period specified for archive for Cold Rolling Mills Production Database.
  4. No Objective evidence on Data Analysis, Preventive Action for the Resolution of User-Reported Information Technology problems.

During a closing meeting with the Information Systems and Services [IS&S], the department head announced that they were in the process of reviewing the whole IS&S’s ISO Manual and would likely include whatever was found during the first IQA.

When I conducted the second IQA last 10-11 September 2008, I found out that although the whole ISO Manual for IS&S was revised, some of the major non-conformances were not addressed. Giving a draft of the findings to the IS&S Document Officer, the department head sent me an email arguing that the Information Security function have been included in the ISO Manual and sent me an overview of the GSPI Information Security Policies. I replied:

Thanks for your clarification. I asked for a documentary evidence during the audit last July but none was produced. This Record "GSPI Information Security Policies" was not provided to me during the follow-up [11 September].

I acknowledge the fact that we talked about Information Security being incorporated in the revised Business Process and ISS QMS Manual sometime lunch time last 10 September and our brief discussion in the afternoon. Also, I know as you have discussed that the Info Security forms part of ALL processes as stipulated in your Business Process, but unfortunately during the document review done last 10-11 September, 2008 only flitting references to Information security activity were noticed or referenced in the ISS Procedures and Work Instructions , to wit:

PEQM-ISS-0401: Limits of Authority :
Item 4: Administer the Network Firewall

GP-F-010 Quality Objectives / GP-F-011 Quality Management Plan
A separate QO for Information Security is essential if this FUNCTION, as I surmised
from the reviewed QMS documents of ISS, is performed by the department and the
position of the Information Security Officer (TO: ISS-version) [or Specialist per HR
version of ISS T/O] as stipulated in the ISS Table of Organization is to be recognized as
also part of the ISS team. Otherwise, no basis of KPI or performance measure of the
department for this partifular function can be gleaned in the present revision of the ISS
ISO Manual.

Based on the published QMS manual, although there is a singular reference to the Information Security Officer for Action 4: Acquisition of effective antivirus software, in page 3 of 7 of the GP-F-010 (Division Quality Objectives Monitoring Report) but this particular action alone does not constitute, as we all know, a viable quality plan or the sole objective evidence for ALL Information Security functions of the department. Even the attached "GSPI Information Security Policies.doc" specified a LOT of other policies thus respective action plans could be readily made from each. Thus, the GSPI Information Security Policies could be the basis for the Quality Objectives/Plan for the ISS Information Security function.

PEQM-ISS-0501: Business Process :
Contrary to our two (2) brief discussions on ISS QMS manual revision, claimed that the
Information Security function is already incorporated therein, the new Business Process
does not show any objective evidence that the supposed function of the Information
Security Officer/Specialist is merged with any of the six (6) processes.

  • ISS-PR-001: Developing Application System == no reference to Information Security
    Q: Is Information Security Officer also part of Tech Architecture, the DC or DB Admin?

  • ISS-PR-002: Evaluation/Acquisition of Third Party Software== no reference to Information Security
    Q: Is the ISO part of the Project Team? However, Project Team is even undefined.!

  • ISS-PR-003: Acquisition of IT Hardware/Software == no reference to Information Security
    Q: Is the Information Security Officer also the IT Technician, the responsible person?

  • ISS-PR-004: Provision of Messaging Services == no reference to Information Security
    Q: the Information Security Officer is also the LN Administrator?

  • ISS-PR-005: Provision of Network Facility == no reference to Information Security
    Q: Is the Information Security Officer also the Network Administrator/IT Technician?

  • ISS-PR-006: Resolution of IT Problems == no reference to Information Security
    Q: Is Information Security Officer part of 1st/2nd Level Support, refer to the definition of terms?

  • ISS-PR-007: Database Backup == no reference to Info Security or Archiving (part of Security)
    Q: Is Information Security Officer also the DB Admin, there is no archiving process stipulated

  • ISS-PR-008: Server Monitoring == no reference to Information Security Officer
    Q: Is Information Security Officer also part of Tech Architecture, the Data Center or Database Administrator?

All these procedures and the associated work instructions do not have any objective reference to the Information Security function of ISS, even if only as a documentary Reference cited somewhere in the respective Procedures’ or Work Instructions’
sentences.

Incidentally, based on the Corretive Action Report [CAR] 2008-0814-ISS-006, under the Containment Measure, Item 1 the ISS wrote: Prepare the Quality Objective for Information Security | Resp: JAB | Application ITD | Execution Date 09/08/08. Under the same CAR’s Corrective Action R.C. 2 it was specified there to "Revise TO ; Develop Infosec Quality Objective" Thus, having called Information Security as a Major Non-Conformance during the 1st IQA last July, and the fact that the Containment Meassure and and the Corrective Action as provided in the CAR mentioned above are yet to be done, thus, unfortunately there is still no documentary evidence that this IMPORTANT department function is included or incorporated in the QMS manual, I as an Internal Quality Auditor cannot "CLOSE" or downgrade this Non-Conformance to Minor or Observation.

What I was looking for during the Document Review and the Audit Interview were Documented Records (paper-based or software-based) and not an oral declaration that the same was done or being completed. If the ISS could show me a draft copy of the Information Security Quality Objective, the inclusion of the Information Security function in all the mentioned Quality Plans, Procedures and Work Instructions, as claimed during the two brief meetings, that would be sufficient, including a time table of Execution Date, that the CAR for Information Security was acted upon by the ISS department.


Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: