Vendor Management and the Labour Party

I wrote a blog post on LinkedIn on what I call Vendor Management. This is based on my experience as an IT Security and Compliance consultant, and leans on ISO 27001. Some of the words in this article mirror what I say in the LinkedIn post. I argue that rule one is to have a policy which must deal with how to apply a risk-based approach to the supply chain. This means segmenting suppliers into value or risk classes, using a classic risk matrix that estimates the probability of failure against the impact. This will help one understand how important any supplier is to the business. The policy should also have authorisation limits, policies to counter the threat of corruption, and life-cycle policies including sunset clauses to ensure it remains relevant. The policy must define the monitoring requirements, which may create liabilities on both sides, and also the need for terms to exit the contract, and for remediation where the supplier unilaterally exits the market.

All IT supply must be under contract, which must be appropriately authorised financially, legally and technically, i.e. someone must have signed off on the risks to confidentiality, availability and integrity. The nature of the contract and risk analysis will depend on the importance of the supplier to the enterprise. Contracts need to establish the right to use, rights to software updates, the rights to bug fixes and engineering effort under a service level agreement, the right to request enhancements, contingency in the case of the vendor’s market exit such as code escrow, functional future-proofing (most importantly compliance functionality), intellectual property transfer and its exclusions, termination conditions, and data protection commitments and controls. Contracts must be monitored and compensation agreed for failure to meet service levels, which may exist on both sides: for example, the buyer will need to ensure it meets the agreed licensing rules and payments, and the supplier that any availability guarantees are met.

The Party must consider getting its software portfolio and IT Organisation ‘branded’ as of a suitable and professional quality. The GDPR defines a third-party certification as proof that an organisation’s controls are adequate, and the Party must for many reasons also register its HR systems with, possibly both, “Investors in People” and “A great place to work”, as it’s clear that professional advice and goals are needed to fix the problems obvious in the behaviour of several Regional Directors and first identified by the Chakrabarti Report.

Do the Labour Party have a robust vendor management policy? The critical software product for compliance is probably the financial system, and to drive this, the membership system is required to record the facts needed for selection and to record whether members are in good standing. Also, do the Labour Party own a data centre (or two), or do they use a cloud provider? It’s obvious that some software is SaaS. Has due diligence been done? Has a risk register been created for the portfolio? Not everyone will remember, but NationBuilder, the volunteer management product no longer used by the party, failed during the 2015 general election. This is important to get right, and with the questions raised by Unite’s evidence to the Forde Inquiry, the audit and authorisation functionality of our financial systems must be questioned, as must recent portfolio acquisitions such as Anonyvoter.

This is all kept secret, and it would seem that many NEC members have little interest in this part of the job.

The important thing here is that these problems have been solved before, and there is agreement on the right way to do things. The Labour Party can’t make this stuff up, as the whole of local government has just discovered with the imposition of Commissioners in Liverpool. …

Can’t make it up

A note on LinkedIn on why management needs IT usage policies to prove its compliance and to act legally and fairly towards its employees. I suggest that ISO 27001 is useful as a technical standard and COBIT as an organisational one.

This was written in the light of a couple of cases I had to deal with as an accompanying rep or as an advisor.

You can’t claim that users are not performing if you can’t prove the IT systems work as documented. You can’t pursue a conduct disciplinary against people operating a policy. You can’t fulfil FOI or SAR requests if the data retention policy is suspect. You can’t be sure that corruption has not occurred if there is inadequate segregation of duties.

Having a policy will help the organisation answer the following questions. Is our software supported? Why and how was that data deleted? What should be logged? Who has permission to read, amend and run these programs and/or this data? Are our vendors signed up to our IT security goals? Why do you not know this?

This is all defined in these standards, and the GDPR makes certification to good practice evidence of good will. ISO 27001 and COBIT are the big boys in town to prove technical and organisational protection.

You can’t make it up anymore. …

Technology lessons

It seems the police have found insufficient evidence to prosecute Boris Johnson for misconduct in a public office with respect to his alleged relationship with Jennifer Arcuri and decisions taken by the Mayor’s Office to support her business. His day-time visits to her home, presumably during working hours, were, it seems, for ‘technology lessons’. Some emails appear to be unavailable, possibly in contravention of the Mayor’s statutory record-keeping rules and duties. The rest of this blog looks at alternative legal approaches to investigating whether wrongdoing has occurred, and at how good IT security controls are needed to allow essential audit questions to be answered.

Virtuality & the Labour Party

Somewhere inside my head there’s an article on how businesses weren’t planning for a pandemic as a business continuity risk; most plans were about protecting infrastructure. My most recent LinkedIn article looks at the under-licensing and data leakage risks exposed by the spontaneous adoption of remote desktop technology, but the country has had to adopt a much wider “work from home” practice than previously, stressing those parts of the economy that serve it, including home space and furniture supply. This all leaves unanswered how democratic decisions are being taken. Let’s look at the Labour Party; I wouldn’t want to be the Labour Party apparatchik that allowed 7.IV.H.8 (P41) 2019 to expire. It used to say,

The NEC shall invite CLPs to take part in pilots of staggered meetings, electronic attendance, online voting and other methods of maximising participation. The NEC may immediately give effect to these pilots and may incorporate any resultant rules into this rule book, subject to approval at Annual Conference 2019, when this sub-clause shall expire.

It wasn’t extended at Conference 19, the rule now no longer exists, and virtual meetings are not permitted to take decisions. Someone’s going to be happy.

If deliberate, it’s another example of the bureaucracy just not giving a shit. …