Can’t make it up

A note on LinkedIn on why management needs IT usage policies, both to prove compliance and to act legally and fairly towards employees. I suggest that ISO27001 is useful as a technical standard and COBIT as an organisational one.

This was written in the light of a couple of cases I had to deal with as an accompanying rep or as an advisor.

You can’t claim that users are not performing if you can’t prove the IT systems work as documented. You can’t pursue a conduct disciplinary against people operating a policy. You can’t fulfil FOI or SAR requests if the data retention policy is suspect. You can’t be sure that corruption has not occurred if there is inadequate segregation of duties.

Having a policy will help the organisation answer the following questions. Is our software supported? Why and how was that data deleted? What should be logged? Who has permission to read, amend and run these programs and/or this data? Are our vendors signed up to our IT security goals? And if you can’t answer these, why not?

This is all defined in these standards, and the GDPR makes certification to good practice evidence of good faith. ISO27001 and COBIT are the big boys in town for proving technical and organisational protection.

You can’t make it up anymore. …

Virtuality & the Labour Party

Somewhere inside my head there’s an article on how businesses weren’t planning for a pandemic as a business continuity risk; most plans were about protecting infrastructure. My most recent LinkedIn article looks at the under-licensing and data leakage risks exposed by the spontaneous adoption of remote desktop technology, but the country has had to adopt a much wider “work from home” practice than previously, stressing those parts of the economy that serve it, including home space and furniture supply. This all leaves unanswered how democratic decisions are being taken. Let’s look at the Labour Party; I wouldn’t want to be the Labour Party apparatchik that allowed 7.IV.H.8 (P41) 2019 to expire. It used to say,

The NEC shall invite CLPs to take part in pilots of staggered meetings, electronic attendance, online voting and other methods of maximising participation. The NEC may immediately give effect to these pilots and may incorporate any resultant rules into this rule book, subject to approval at Annual Conference 2019, when this sub-clause shall expire.

It wasn’t extended at Conference 2019, so the rule no longer exists and virtual meetings are not permitted to take decisions. Someone’s going to be happy.

If deliberate, it’s another example of the bureaucracy just not giving a shit. …