Vendor Management and the Labour Party

I wrote a blog on LinkedIn on what I call Vendor Management. This is based on my experience as an IT Security and Compliance consultant and leans on ISO 27001. Some of the words in this article mirror what I say in the LinkedIn post. I argue that rule one is to have a policy which must deal with how to apply a risk-based approach to the supply chain. This means segmenting suppliers into value or risk classes, using a classic risk matrix that estimates the probability of failure against the impact; this will help one understand how important any supplier is to the business. The policy should also set authorisation limits, contain policies to counter the threat of corruption, and have life-cycle provisions including sunset clauses to ensure it remains relevant. The policy must define the monitoring requirements, which may create liabilities on both sides, and also the need for terms to exit the contract, and for remediation where the supplier unilaterally exits the market.

All IT supply must be under contract, which must be appropriately authorised financially, legally and technically, i.e. someone must have signed off on the risks to confidentiality, availability and integrity. The nature of the contract and risk analysis will depend on the importance of the supplier to the enterprise. Contracts need to establish the right to use, rights to software updates, the rights to bug fixes and engineering effort under a service level agreement, the right to request enhancements, contingency in the case of the vendor’s market exit such as code escrow, functional future proofing (most importantly compliance functionality), intellectual property transfer and its exclusions, termination conditions, and data protection commitments and controls. Contracts must be monitored and compensation agreed for failure to meet service levels, which may exist on both sides: for example, the buyer will need to ensure it meets the agreed licensing rules and payments, and the supplier that any availability guarantees are met.

The Party must consider getting its software portfolio and IT organisation ‘branded’ as being of a suitable and professional quality. The GDPR defines a third-party certification as proof that an organisation’s controls are adequate, and the Party must for many reasons also register its HR systems with, possibly both, “Investors in People” and “A Great Place to Work”, as it’s clear that professional advice and goals are needed to fix the problems obvious in the behaviour of several Regional Directors and first identified by the Chakrabarti Report.

Do the Labour Party have a robust vendor management policy? The critical software product for compliance is probably the financial system, and to drive this the membership system is required to record the facts needed for selection and to record whether members are in good standing. Also, do the Labour Party own a data centre (or two), or do they use a cloud provider? It’s obvious that some software is SaaS. Has due diligence been done? Has a risk register been created for the portfolio? Not everyone will remember, but NationBuilder, the volunteer management product no longer used by the party, failed during the 2015 general election. This is important to get right, and with the questions raised by Unite’s evidence to the Forde Inquiry, the audit and authorisation functionality of our financial systems must be questioned, as must recent portfolio acquisitions such as Anonyvoter.

This is all kept secret, and it would seem that many NEC members have little interest in this part of the job.

The important thing here is that these problems have been solved before, and there is agreement on the right way to do things. The Labour Party can’t make this stuff up, as the whole of local government has just discovered with the imposition of Commissioners in Liverpool. …

Virtuality & the Labour Party

Somewhere inside my head there’s an article on how businesses weren’t planning for a pandemic as a business continuity risk; most plans were about protecting infrastructure. My most recent LinkedIn article looks at the under-licensing and data leakage risks exposed by the spontaneous adoption of remote desktop technology, but the country has had to adopt a much wider “work from home” practice than previously, stressing those parts of the economy that serve it, including home space and furniture supply. This all leaves unanswered how democratic decisions are being taken. Let’s look at the Labour Party; I wouldn’t want to be the Labour Party apparatchik that allowed 7.IV.H.8 (P41) 2019 to expire. It used to say,

The NEC shall invite CLPs to take part in pilots of staggered meetings, electronic attendance, online voting and other methods of maximising participation. The NEC may immediately give effect to these pilots and may incorporate any resultant rules into this rule book, subject to approval at Annual Conference 2019, when this sub-clause shall expire.

It wasn’t extended at Conference 19, so the rule no longer exists and virtual meetings are not permitted to take decisions. Someone’s going to be happy.

If deliberate, it’s another example of the bureaucracy just not giving a shit. …

Reinforcing Monopoly

Here are two stories about how software acts as a barrier to entry to a market and reinforces the monopoly power of its provider.

The first is shown by the fact that the content industry is getting cold feet over the EU copyright directive, as the service providers have switched to supporting Article 13 since they already have the so-called “upload filters”. Only the big boys will be able to remain in the game of hosting user-authored content. As predicted, the new regulations will inhibit both startups and SMEs.

The second story is closer to home. The UK have decided to mandate age verification functionality for porn sites. Who do you think is going to build that? Alec Muffett and the Open Rights Group have been tracking this, and even if you think it’s a good idea, the way it’s being done is disastrous. The BBFC is the regulator, and this is a massive piece of scope creep; it looks like they will licence a third party to act as the software provider, and again the favourite to win this business is an interested party. Alec’s latest blog post is on Medium and is critical of the regulator’s stance and IT Security expertise; he previously wrote about the competitive dynamics and opportunities created by the new laws. Muffett is also concerned about the profiling use of such a database of porn users. It’s almost back to the days of the Roman Empire, where monopolies were licensed. …

I.T. implications

In my many articles on Labour’s Democracy Review, and in a preview, I talk about the Information Technology implications of Labour’s coming rule changes. I have extracted the following quote from my article, The denouement, as I’d like it to be easier to find,

In the NEC rule changes as presented to Conference, the NEC talks about using IT to maximise participation. All constituency documents are to be available to all members via a clockwork platform, sorry, I made it up, an electronic platform, “provided by the Party”; I hope that’s the national party, as I have thought hard about this and creating a shared disk is not hard, managing the Access Control List (ACL) is, particularly if your membership is large and volatile.

 …
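The ACL point above is the one worth dwelling on: with a large and volatile membership, a stored per-user access list drifts from reality every time someone joins, lapses, transfers or resigns. The example below is added here to illustrate one way round that and is not code from the Party or from the original article: every name in it (Member, Directory, Document, CanRead, EffectiveReaders, the sample CLP names and member IDs) is an assumption constructed for the illustration. Documents are scoped to a constituency, and the access decision is derived from the membership record at request time, so the "ACL" is a view over the system of record rather than a list anyone has to edit.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical model (constructed for this example): each member record
// carries the CLP the member is currently attached to and a standing flag.
type Member struct {
	ID           string
	CLP          string // constituency the member currently belongs to
	GoodStanding bool   // e.g. subscriptions paid; constructed flag
}

// Directory is the authoritative membership record (the system of record).
type Directory struct {
	members map[string]Member
}

func NewDirectory() *Directory { return &Directory{members: map[string]Member{}} }

// Upsert handles joins and transfers alike: the record is simply replaced.
func (d *Directory) Upsert(m Member) { d.members[m.ID] = m }

// Remove handles resignations and expulsions.
func (d *Directory) Remove(id string) { delete(d.members, id) }

// Document is scoped to one CLP; no per-user entries are stored on it.
type Document struct {
	Name string
	CLP  string
}

// CanRead derives the decision from the membership record at request time,
// so transfers, lapses and resignations take effect without an ACL edit.
func (d *Directory) CanRead(memberID string, doc Document) bool {
	m, ok := d.members[memberID]
	if !ok {
		return false
	}
	return m.GoodStanding && m.CLP == doc.CLP
}

// EffectiveReaders materialises the access list for audit or review. It is a
// view over the directory, never a stored list, so it cannot drift.
func (d *Directory) EffectiveReaders(doc Document) []string {
	var out []string
	for id := range d.members {
		if d.CanRead(id, doc) {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	dir := NewDirectory()
	// Constructed sample membership records.
	dir.Upsert(Member{ID: "m1", CLP: "North CLP", GoodStanding: true})
	dir.Upsert(Member{ID: "m2", CLP: "North CLP", GoodStanding: false}) // lapsed
	dir.Upsert(Member{ID: "m3", CLP: "South CLP", GoodStanding: true})

	minutes := Document{Name: "GC minutes", CLP: "North CLP"}
	fmt.Println(dir.EffectiveReaders(minutes)) // [m1]

	// A transfer: m3 moves constituency. Nothing on the document changes.
	dir.Upsert(Member{ID: "m3", CLP: "North CLP", GoodStanding: true})
	fmt.Println(dir.EffectiveReaders(minutes)) // [m1 m3]

	// A resignation: access ends the moment the record goes.
	dir.Remove("m1")
	fmt.Println(dir.EffectiveReaders(minutes)) // [m3]
}
```

The design choice is that the membership database is already the thing the Party has to keep correct for selections and good standing; deriving document access from it means there is one record to maintain rather than two that must be reconciled.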

Equifax

Bruce Schneier testified to Congress on the Equifax breach and posted his testimony onto his blog. Because of the political nature of the content it is less technical than he usually is, and some of the comments are very superficial, complaining about the need for more regulation.

The problem is, as he says, that without regulation business won’t keep personal data secure. The problem is bad corporate behaviour.

His testimony, in my mind, shows the weakness of seeing this as a consumer protection issue. Much of the bad behaviour comes from third parties; the data subject is not the customer and thus has no rights in tort, and in the US the FTC can’t pursue the data controllers. By placing privacy in a consumer protection framework, they also leave it to the victims of breaches to prove harm.

In the EU, our rights based legal framework means that a breach is harm, because our human rights to privacy have been infringed.

Schneier raises the GDPR as an example of how companies can conform to better standards and raises the spectre of EU-imposed fines on US companies. He also hints at the fragility of Safe Harbour/Privacy Shield. …

A note on IT Integrity and authority

I posted an article that had taken a long time to get approval for on my employer’s blog, Information Integrity, the final frontier. I argue that the business has not taken integrity as seriously as it has availability and confidentiality. In the blog, I state that,

Information integrity requires an accurate representation of the state of the business and the audit records as to how it got there. Modern systems need to record both; it’s not enough that the system is provably accurate, records are required to ensure that transactions and changes are appropriately authorised.

The key insight is that not only must the true state of the data be recorded, but the person who verified that truth must be recorded as well.

The article talks about strong “Requirements Management” and good “Testing” processes, and then talks about the use of PKI to sign application-to-application feeds or transactions, to guarantee to the system of record that the author is a permitted actor and that the delivered data is accurate and authorised. I also propose that application logs, as proposed under the “Application Security” domain of ISO/IEC 27034, should be used to record the authority/author of a database update.
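To make the signing-plus-logging idea concrete, here is an added example; it is not code from the Citihub article or from any product, and the names in it (Actor, SignedRecord, AuditEntry, SystemOfRecord, Sign, Apply, the "ledger-feed" actor and the sample payloads) are constructed assumptions. A feeding application signs each record with an Ed25519 key; the system of record accepts the record only if the signer's public key is registered as a permitted actor and the signature verifies over the payload, and every attempt, accepted or not, is written to an audit log that names the actor and the digest of what was delivered. That gives both halves of the integrity requirement in one place: the state that was applied, and who authorised it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Actor is an application (or person) permitted to feed updates.
// Constructed for this example; not a real registry format.
type Actor struct {
	Name string
	Pub  ed25519.PublicKey
}

// SignedRecord is what travels over the application-to-application feed.
type SignedRecord struct {
	Payload   []byte // the business data, e.g. one transaction
	SignerKey ed25519.PublicKey
	Signature []byte
}

// AuditEntry records not just the new state but who authorised it.
type AuditEntry struct {
	When     time.Time
	Actor    string // empty when the signer was not a permitted actor
	Digest   string // SHA-256 of the delivered payload
	Accepted bool
	Reason   string
}

// SystemOfRecord holds the permitted-actor registry, the applied state
// and the audit log.
type SystemOfRecord struct {
	permitted map[string]Actor // keyed by hex-encoded public key
	state     [][]byte
	Audit     []AuditEntry
}

func NewSystemOfRecord() *SystemOfRecord {
	return &SystemOfRecord{permitted: map[string]Actor{}}
}

// NewKeyPair generates a fresh Ed25519 key pair (constructed keys, not PKI-issued).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Permit registers an actor's public key as an authorised source of updates.
func (s *SystemOfRecord) Permit(a Actor) { s.permitted[hex.EncodeToString(a.Pub)] = a }

// Sign is what the feeding application does before sending a record.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedRecord {
	return SignedRecord{
		Payload:   payload,
		SignerKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, payload),
	}
}

// Apply checks authority (is the signer permitted?) and integrity (does the
// signature cover this exact payload?), then updates state and the audit log.
// Rejections are logged too, so the log shows attempts as well as changes.
func (s *SystemOfRecord) Apply(r SignedRecord) error {
	digest := sha256.Sum256(r.Payload)
	entry := AuditEntry{When: time.Now().UTC(), Digest: hex.EncodeToString(digest[:])}
	actor, ok := s.permitted[hex.EncodeToString(r.SignerKey)]
	if !ok {
		entry.Reason = "signer is not a permitted actor"
		s.Audit = append(s.Audit, entry)
		return errors.New(entry.Reason)
	}
	entry.Actor = actor.Name
	if !ed25519.Verify(r.SignerKey, r.Payload, r.Signature) {
		entry.Reason = "signature does not match payload"
		s.Audit = append(s.Audit, entry)
		return errors.New(entry.Reason)
	}
	entry.Accepted = true
	s.state = append(s.state, r.Payload)
	s.Audit = append(s.Audit, entry)
	return nil
}

// Records reports how many updates have actually been applied.
func (s *SystemOfRecord) Records() int { return len(s.state) }

func main() {
	ledgerPub, ledgerPriv := NewKeyPair() // the permitted feed
	_, roguePriv := NewKeyPair()          // an unregistered signer
	sor := NewSystemOfRecord()
	sor.Permit(Actor{Name: "ledger-feed", Pub: ledgerPub})

	good := Sign(ledgerPriv, []byte(`{"tx":1,"amount":100}`)) // constructed payload
	fmt.Println(sor.Apply(good))
	tampered := good // same signature, altered payload in transit
	tampered.Payload = []byte(`{"tx":1,"amount":1000}`)
	fmt.Println(sor.Apply(tampered))
	fmt.Println(sor.Apply(Sign(roguePriv, []byte(`{"tx":2,"amount":5}`))))
	for _, e := range sor.Audit {
		fmt.Printf("%s actor=%q accepted=%v digest=%s %s\n",
			e.When.Format(time.RFC3339), e.Actor, e.Accepted, e.Digest[:12], e.Reason)
	}
}
```

The registry of permitted actors is the authorisation decision and the signature is the integrity check; neither on its own satisfies the article's requirement, which is why the audit entry carries both the actor name and the digest, and why a rejected record is still logged.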

ooOOOoo

Given the startling longevity of this blog, I have made a mirror of the Citihub article and loaded it to this site; integrity: the final frontier, a mirror …

More reasons to be doubtful

I had reason to read the Register’s front page this morning and came across these three IT Security and e-voting gems. Firstly, the New Zealand Government uses NSA surveillance tools to spy on a number of APAC governments to help in their campaign to win one of the World Trade Organisation’s elected positions. Secondly, the Australian iVote practice system has been compromised in such a way that cast votes can be infected. This project was led by Vanessa Teague and Alex Halderman; Teague has previously spoken of the inherent weakness of [ei]-voting, not a fan it would seem. And thirdly, CISCO’s CTO gives up on security, or at least that’s what the Register reports as a headline; the comments by Hartman, CISCO’s CTO, are more nuanced, but he definitely proposes that devices cannot be secure and need to be monitored against change and current and future threats, and how do you do that in the home. …

pictfor: democracy 2.0

Last night I went up to Westminster for a Pictfor meeting; this time, Parliament 2.0: How can the internet revolutionise British Democracy. The panel speakers were Jaan Priisalu, Director General of the Estonian Information System’s Authority, Katie Ghose, CEO, Electoral Reform Society, and Ruth Fox, Director, Hansard Society; the meeting was chaired by Stephen Mosley MP and kicked off by John Bercow MP, the Speaker. The centrepiece of Bercow’s speech was an introduction, for me at least, to the Speaker’s Commission on Digital Democracy, which is reviewing Representation, Scrutiny and the legislative process. Jaan Priisalu talked about Estonia’s e-voting platform, while Ghose and Fox spoke about democratic engagement. …