Can’t make it up

A note on LinkedIn on why managements need IT usage policies to prove their compliance and to act legally and fairly towards their employees. I suggest that ISO27001 is useful as a technical standard and COBIT as an organisational one.

This was written in the light of a couple of cases I had to deal with as an accompanying rep. or as an advisor.

You can’t claim that users are not performing if you can’t prove the IT systems work as documented. You can’t pursue a conduct disciplinary against people operating a policy. You can’t fulfil FOI or SAR requests if the data retention policy is suspect. You can’t be sure that corruption has not occurred if there is inadequate segregation of duties.

Having a policy will help the organisation answer the following questions. Is our software supported? Why and how was that data deleted? What should be logged? Who has permission to read, amend and run these programs and/or this data? Are our vendors signed up to our IT security goals? Why do you not know this?

This is all defined in these standards, and the GDPR makes certification to good practice evidence of good will. ISO27001 and COBIT are the big boys in town to prove technical and organisational protection.

You can’t make it up anymore. …

Some IT technology & economics history

I have finally installed a version of CA-Superproject under W98/Virtualbox, and the experience reminded me of a couple of things: about the software, about its final custodian, Computer Associates (CA), and also about some critical software project management issues. I have written a more formal note on Linkedin and this is my mirror/pointer to that; the rest of this article précises that article. For more, see overleaf/below. …

Technology lessons

It seems the police have found insufficient evidence to prosecute Boris Johnson for misconduct in a public office with respect to his alleged relationship with Jennifer Arcuri and decisions taken by the Mayor's Office to support her business. His day-time visits to her home, presumably during working hours, were, it seems, for 'technology lessons'. It also seems that some emails are unavailable, possibly in contravention of the Mayor's statutory record keeping rules and duties. The rest of this blog looks at alternative legal approaches to investigating whether wrongdoing has occurred. It looks at how good IT Security controls are needed to allow essential audit questions to be answered.

Fighting Corruption

Sadly, I have been looking to see what’s being said about Corruption and Anti-Corruption. I made a wiki post which includes some links on management strategy, including an article from McKinsey’s Journal which offers a brief taxonomy of corrupt practices; this is augmented by Transparency International’s tool kit, to which I link. TI also note that, “The UK Bribery Act, which was passed in 2010, introduces an offence of corporate failure to prevent bribery.” There are also some specific action plans, including current advice from the MoJ. Interestingly, to me, the action plans share many ideas with the risk management practices and IT Security controls that I have been working with for many years, and having a robust programme of controls is the only defence against the aforementioned corporate crime.

Construct a taxonomy, develop controls, measure the effectiveness of the controls and fix those that are broken.

This costs money and time, and companies may lose business because of it. No-one says it’s easy.

I have now made a post on my linkedin blog, which, while repeating some of what I say here, looks at the MOJ Guidance and their six principles and offers some important definitions pertaining to bribery. I highlight the concept of ‘improper behaviour’ from within the legislation. …

Google, the GDPR and Brexit

Google are going to move their UK users’ data from Ireland to the USA. I wrote a little note on my linkedin blog. I headline it as

Google are moving UK data from Ireland to the US … what does this say about UK/EU/US dataflows and compliance with the GDPR and the world’s data protection laws.

I also point out the need for robust legal redress to comply with the GDPR, which the UK and USA may not meet and that the UK will lose access to the US Privacy Shield arrangements. I note that the UK will lose its member state privileges and powers under the GDPR when the transition period ends and that RIPA 2016 and the immigration exception of the DPA 2018 may cause the Commission some problems with respect to “Adequacy”.

I note that model clauses and binding corporate rules will remain in place, and I wonder if this is a business opportunity for a European-based phone operating system author as people choose to withdraw from Android. Nokia? Canonical? …

HRMS, a distressed purchase?

I was provoked by this on Hackernoon, and wrote a little piece on HRMS systems. I have just come back from a Trade Union course on Employment Law and wonder whether the US-based systems built for Silicon Valley behemoths are suitable for UK-based SMEs. I reference the Gartner MQ, which seems to have come on in the last two years; google it, you can get to see it from one of the companies in the top right quadrant, but I like their functional breakdown.

I state that a “person” data model is key and finish with the following quote,

HR functions need to define their mission statement, somewhere between “stop the staff suing us”, and “delivering a self-actualising company”; only then can the needs of the software be defined and developed, bought or rented.


Banks Eh?

Have you got outraged over FATCA yet? Over the last quarter, I have received several pieces of correspondence from different banks asking me to certify that I have no income that the US Government might be interested in. It goes to show just how poor the Banks’ whole person/customer knowledge is. …

The customer is, and shall be king

I have posted an article on my linkedin blog, which looks at the future of banking technology, particularly as it applies to their technical debt in the data centre. It argues that customer intimacy is key. I say,

So the incumbent players have to re-modernise their systems, build fit-for-purpose customer relationship management systems, i.e. KYC, and cope with the business disruption that new software-driven competitors are developing, on top of which margins in retail financial services are very low.


Have the US killed their cloud business?

As the proof that Governments are spying on social media users emerges, we should all take measures to make it hard. I am sure that they’ll try to outlaw encryption next, but they might have a problem with that since it’ll kill e-commerce. Talking of killing e-commerce, a number of commentators, including David Kirkpatrick posting at linkedin, are asking if this will cause Europeans and their Governments to withdraw from the US cloud providers.

The Swedish Government, for instance, has already decided to abandon Google’s web services. …