On Release Management

I wrote a piece on Release Management on my LinkedIn blog. I talk about the minimum properties of a change control authorisation system, the minimum evidence required before agreement can be issued, the need for an emergency change control process, the need for post-implementation reviews, treating failures as incidents and applying problem management tools to them, and ensuring that there is an appropriate segregation of duties. …

Excel and Track & Trace

The UK’s world class “Track & Trace” application “lost” 16,000 cases for over a week, as reported in The Register. Plenty of people have decided to comment and so I thought I’d join in and posted my thoughts in a LinkedIn blog, although I start this post with a quote from The Register, including the fabulous phrase, "Ridicule and despair, those shagged-out nags of our Johnsonian apocalypse, once again trudged exhaustedly across the plaguelands of England". For more see below/overleaf ...

Can’t make it up

A note on LinkedIn on why management needs IT usage policies to prove its compliance and to act legally and fairly towards its employees. I suggest that ISO27001 is useful as a technical standard and COBIT as an organisational one.

This was written in the light of a couple of cases I had to deal with as an accompanying representative or as an advisor.

You can’t claim that users are not performing if you can’t prove the IT systems work as documented. You can’t pursue a conduct disciplinary against people operating a policy. You can’t fulfil FOI or SAR requests if the data retention policy is suspect. You can’t be sure that corruption has not occurred if there is inadequate segregation of duties.

Having such policies will help the organisation answer the following questions. Is our software supported? Why and how was that data deleted? What should be logged? Who has permission to read, amend and run these programs and/or this data? Are our vendors signed up to our IT security goals? Why do you not know this?

This is all defined in these standards, and the GDPR makes certification to good practice evidence of good will. ISO27001 and COBIT are the big boys in town to prove technical and organisational protection.

You can’t make it up anymore. …