Labour Leak – Closing the Stable Door

This blog article is one of several, albeit the first published, on the #labourleak. It focuses on fixing the problems identified and implied in the #labourleak in a holistic way. It looks at the controls, briefly at why they failed, how the private sector manages, the question of Union collusion, IT standards & controls, the disciplinary process, the NEC, and whether genuine professionalism can possibly improve the quality and honesty of the decisions taken by the Labour Party. It concludes by proposing that the rules be changed to place a duty on all role holders to conform to the Nolan Principles, and that whistle blowers have better protection. On the way it recommends that the Labour Party use a series of external certifications, ask the Auditors to inspect that payments and receipts are handled according to the Party's financial control rules, and increase the professionalism of the staff and NEC committees, all of this to guarantee to its members and staff that good practice and not arbitrary actions are the guiding principles of judgement and decision.

Can’t make it up

A note on LinkedIn on why managements need IT usage policies to prove their compliance and to act legally and fairly towards their employees. I suggest that ISO27001 is useful as a technical standard and COBIT as an organisational one.

This was written in the light of a couple of cases I had to deal with as an accompanying rep. or as an advisor.

You can’t claim that users are not performing if you can’t prove the IT systems work as documented. You can’t pursue a conduct disciplinary against people operating a policy. You can’t fulfil FOI or SAR requests if the data retention policy is suspect. You can’t be sure that corruption has not occurred if there is inadequate segregation of duties.

Having policy will help the organisation answer the following questions. Is our software supported?  Why and how was that data deleted? What should be logged? Who has permission to read, amend and run these programs and/or this data? Are our vendors signed up to our IT security goals? Why do you not know this?

This is all defined in these standards, and the GDPR makes certification to good practice evidence of good will. ISO27001 and COBIT are the big boys in town to prove technical and organisational protection.

You can’t make it up anymore. …

Toxic Combinations

I have written a piece about Segregation of Duties and Toxic Combinations on my LinkedIn blog. The bulk of the article talks about how to organise staff roles and responsibilities to meet the standard admin/developer segregation of duties rules in IT organisations, but it also talks about the need to apply segregation of duties in the justice system. I say a bit more here and comment on lessons for the Labour Party.

In the world of police and justice, the need for a segregation of duties has been long understood. It is known that an uncontrolled police force is the mark of a totalitarian society. In most democracies, the police investigate a crime, identifying witnesses and evidence; independent prosecutors take the decision to prosecute; and courts hear the case, with the split between the Judge, who issues penalties, and the jury, who assess the facts and determine guilt, being an additional separation of duties. Measures are taken to eliminate conflicts of interest by having judges step down if there is a conflict of interest, for instance if they are a participant in the case as either complainant/defendant or a witness, and to ensure that crimes committed within each of these roles cannot be covered up. Whether the Independent Police Complaints Commission, the Bar Association, the Judicial Appointments and Conduct Ombudsman or their international equivalents are enough is a question for debate, but their existence is a crucial part of the defence of justice.

In the febrile atmosphere of the Labour Party today, the lack of control over the General Secretary and his staff, together with the failure to adopt a modern segregation of duties, means the General Secretary acts as investigator and prosecutor. He is also the employing manager of the Regional Directors, who often also act as Judge & Jury. This growing and serious problem is, in many cases, compounded by a lack of grievance and whistle-blower processes. The aggressive use of the complaints process and the often dual role of complainants and role holders in the process is also a problem. The Chakrabarti report saw the lack of professional lawyers, a legally qualified Head of Legal, partly as a skills issue, but a professional lawyer’s strong binding to act both as an officer of the court and to preserve their professional registration would be a significant advance on what we have today, a bunch of people trained in the worst of student and trade union politics where winning counts for more than justice and there is no accounting of collateral damage. …

Segregation of Duties

Another thought on Labour’s rules: anyone with a conviction for breach of election law requires special permission from the NEC to become a candidate for elected office. This may put Iain McNicol, the Party General Secretary, in a difficult position since the Electoral Commission have decided that Labour broke the law when reporting its election campaign expenditure. Fortunately for him, this rule does not apply to being an Officer of the Party, but it does expose once again the fact that the complaints and disciplinary procedure needs review and a reinforcement of the segregation of duties. Apart from the weaknesses identified by the Chakrabarti report, we can see that we need a specific process for complaining about the General Secretary. …