Whittington & Associates e-Newsletter. Web site: http://www.WhittingtonAssociates.com
Guidelines for the management of Trusted Third Party (TTP) services used to facilitate secure e-business communications are contained in a new ISO technical report, ISO/TR 14516, Information Technology – Security Techniques – Guidelines for the Use and Management of Trusted Third Party Services. The document will enable businesses to identify the type and level of protection required from TTPs and how to use those services to gain customer confidence and increase e-business security.

"Concerns about the security of e-business expressed by those in both the business-to-consumer and business-to-business markets have seen a growth in security technologies," said Ted Humphreys, convenor of the ISO working group that developed the report. "Emerging standards and technical reports such as ISO/TR 14516 are aimed at helping to build a secure e-business environment that businesses can trust and rely on."

A TTP is a body that provides one or more security services within IT systems, such as time-stamping, key management, certificate management, electronic notary public, and non-repudiation. These security services are supplied to organizations wishing to enhance trust and business confidence in e-business and to facilitate secure communications between trading partners.

ISO/TR 14516 provides guidance on the management, use, and deployment of TTP services and the establishment of a TTP security policy. It is designed to help users identify the type and level of protection required according to the type of service they provide and the context within which the business application is operating. For example, the level of protection required for the authentication of administrative transactions may be different from that required for financial transactions, which in turn may be different from that required in some healthcare applications.

The new technical report provides businesses with a security framework designed to establish assurance that transactions and messages are being delivered to the intended recipient, at the correct location, and that messages are received in a timely and accurate way. It also provides businesses, in case of any dispute that may arise, with appropriate methods for the creation and delivery of the evidence required to prove what happened.

According to Ted Humphreys, achieving adequate levels of business confidence in the use of e-business is paramount to ensure long-term success and trust in e-business. "Ensuring the right level of security is in place helps build this trust and protects from a range of risks that businesses are likely to face. Building confidence in e-business technologies and services will help businesses feel that e-business can be relied upon to maintain customer and trading partner commitments and contractual obligations."

"Securing the e-business environment requires businesses to implement the right combination of technical controls and management guidance found in ISO/TR 14516 and in other security standards such as:

Their implementation can bring us that much closer to establishing the right management infrastructure for trust in e-business."
In the December 2003 newsletter, I identified twelve ISO 9001:2000 clauses as the toughest requirements to understand and meet with conforming practices. Clauses 4.1, 5.1, and 5.4.1 were addressed in the past two newsletters. Clause 6.3, Infrastructure, begins:

The organization shall determine, provide, and maintain the infrastructure needed to achieve conformity to product requirements.

What is an infrastructure? According to the American Heritage Dictionary of the English Language, Fourth Edition, the term "infrastructure" began in 1927 to refer collectively to the roads, bridges, rail lines, and similar public works required for an industrial economy to function. Perhaps because of its technical sound, people now use "infrastructure" to refer to any substructure or underlying system. In fact, ISO 9000:2000 defines it as a "system of facilities, equipment, and services needed for the operation of an organization". Without this underlying base or foundation, an organization would be unable to carry out the activities needed to deliver quality products and services.

Although the infrastructure requirement is new to ISO 9001, it was always necessary, even if not directly stated. Since it wasn't a specified requirement, the functional areas responsible for the infrastructure may not have been subject to internal and external audits. These departments will now be part of the audit agenda. So, the first step is for management to determine what buildings, equipment, workspace, tools, and supporting services are being used (or required) to produce conforming products. Next, management must provide that infrastructure and begin planning for future needs.

When we talk about workplace requirements, the line begins to blur between 6.3, Infrastructure, and 6.4, Work Environment. For manufacturing, you may have to consider the control of heat, humidity, light, air flow, noise, and vibration. For services, it may be adequate customer waiting areas and restrooms. In the food and drink industry, there may be stringent requirements for sanitation and hygiene. For software development, it is a computing environment with the necessary equipment, networks, tools, and service level agreements.

Since we must also "maintain" the infrastructure, an organization has to maintain its equipment and facilities. It could even imply contingency planning to identify and mitigate any risks. Of course, the maintenance type and frequency should be based on the criticality and usage of that part of the infrastructure. And remember, there may be environmental issues associated with the infrastructure, such as conservation, pollution, waste, and recycling.

Clause 6.3, Infrastructure, concludes with:

Infrastructure includes, as applicable,
a) buildings, workspace, and associated utilities,
b) process equipment (both hardware and software), and
c) supporting services (such as transport or communication).

This part of the requirement gives examples of the elements that make up an infrastructure, and thereby helps clarify what is meant by the term "infrastructure". The utilities mentioned could be electricity, water, natural gas, or compressed air. Remember the old requirement in clause 4.9 of ISO 9001:1994 to maintain equipment for continued process capability? Well, it has resurfaced in 6.3.b. Your organization must determine, provide, and maintain its process equipment (both hardware and software). Two examples are given for supporting services: 1) transport and 2) communication. However, don't overlook 3) information technology.

In conclusion, it is important to note that by placing the infrastructure requirements under Resource Management, rather than Production and Service Provision, the standard requires the infrastructure to be in place to support all the processes of the system.
Manufacturing companies with design responsibility will likely have an established design and development process. However, clause 7.3 may be a tough new requirement for many service organizations. Two of the registration scenarios in the guidance document were for service companies, and in both cases they were viewed as design responsible and unable to exclude clause 7.3. Since service organizations decide on the new services to be offered, and then define the characteristics of those services, they are carrying out design and development. Unfortunately, many service firms were allowed to exclude design and be assessed against ISO 9002:1994 (instead of ISO 9001:1994). It is important for organizations to determine (with their registrar) if they carry out design and development activities and, therefore, must apply clause 7.3. If the answer is yes, the first step is to plan the design and development process and identify the necessary controls. Clause 7.3.1, Design and Development Planning, states:

The organization shall plan and control the design and development of product.

To understand this requirement, let's begin with an ISO 9000:2000 definition. Design and development is the set of processes that transforms requirements into specified characteristics or into the specification of a product, process, or system. But is there a difference between "design" and "development"? ISO 9000:2000, Note 1, states the terms are sometimes used synonymously and sometimes used to define different stages of the overall design process. In some organizations, "design" and "development" refer to the same activities. If that is the case, these groups typically use one term or the other, but not both terms together. In other words, they call it design or they call it development. However, in other situations, design and development may relate to different stages in the process. First, "design" activities may creatively define the characteristics of a product or service to meet customer requirements. Then, "development" activities would determine the best techniques for applying the design to produce the product or deliver the service. Use of "design and development" would be appropriate to address the combined activities.

Your organization must establish a disciplined approach for the design and development process. The "plan" in 7.3 refers to defining the design and development process, as well as the sequence and interaction of its activities. The "controls" are generally addressed by the requirements expressed in clauses 7.3.2 to 7.3.7. Clause 7.3.1 continues:

During the design and development planning, the organization shall determine
a) the design and development stages,
b) the review, verification, and validation that are appropriate to each design and development stage, and
c) the responsibilities and authorities for design and development.

Design and development processes can be grouped into stages, e.g., a preliminary (high-level) design stage and then a detailed (low-level) design stage. Typically, stages have "entry" criteria that must be satisfied to initiate the activities and "exit" criteria to be met before moving to the next stage. Reviews are often held at the end of a stage to see if the exit criteria have been met and to decide whether to proceed to the next stage or to repeat some activities of the current stage. An organization may decide on a multi-stage process for high-risk designs and abbreviated versions for lower-risk designs. Since it is a design process "plan", it can be revised using interim results to add or repeat a stage, to drop an unnecessary stage, or to change the activities within the stages.

Design and development planning determines the appropriate review (7.3.4), verification (7.3.5), and validation (7.3.6) for each stage. A review formally checks the output of a stage to confirm it will meet the input requirements. The review also identifies any problems and develops solutions. For a simple design, one review may be sufficient. For a complex design, frequent reviews may be necessary to evaluate progress and manage the risk. ISO 9000:2000 defines "review" as the activity undertaken to determine the suitability, adequacy, and effectiveness of the subject matter to achieve established objectives.

Verification ensures the results of the process (7.3.3, Output) meet the requirements identified at the beginning of the process (7.3.2, Input). For multi-stage projects, verification may be performed on a stage-by-stage basis. ISO 9000:2000 defines verification as the confirmation, through the provision of objective evidence, that specified requirements have been fulfilled.

Validation checks that the final product or service meets, or is capable of meeting, the customer requirements when used in the intended environment. In some cases, this may be done at final test, or the customer may carry out the validation as an acceptance test. Validation occurs in the final design and development stage and relies upon prior successful verification. ISO 9000:2000 defines validation as the confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled.

For both verification and validation, the plan should identify who carries out the activities, the methods to be used, how they will be performed, and what records are to be kept. In some industries, the planning for design and development is part of the overall project plan.

When assigning responsibilities, the first assignment should be to name a process owner for the overall design and development process. That person can use the design and development plan to identify the different activities and decide on the remaining assignments. If the plan doesn't exist, their first task will be to help create it. Clause 7.3.1 also states:

The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibilities.

The larger the company, the more departments and people are involved in the design and development process. Even in a small company with one designer, there will be other parties to consider, such as customers, suppliers, and regulatory bodies. All these groups must be identified and their interfaces managed to ensure they are talking about the right subjects and sharing the appropriate information. The groups must clearly understand their responsibilities to avoid any overlapping or overlooked assignments. Managing the interfaces includes using the appropriate communication methods to keep them informed and to make timely decisions. Remember that clause 7.3.3 requires the design and development output to include information for the purchasing, production, and service areas. These groups should be included in the interfaces and relationships to be defined and managed. Clause 7.3.1 concludes:

Planning output shall be updated, as appropriate, as the design and development progresses.

An active design and development "plan" is a document with a revision status, not a record with a retention period. Plans are just that, plans. You should expect that as stages complete, the results may require the plan to be revised. If the design and development process is well defined and managed, the organization is more likely to meet requirements on time and within budget. Before leaving this discussion, I should point out that the note in 7.1 says that 7.3 could be applied to the design and development of processes, not just products.
Have you ever struggled to locate a particular term in ISO 9001:2000? For example, you know "outsource" is addressed in the standard, but you may not recall where to find it. Well, I have created an index for more than 300 terms used in ISO 9001:2000. The index includes the pages and clauses for each term.
A framework for the detection of intrusions in computer systems and networks is contained in a new ISO technical report, ISO/TR 15947, Information Technology – Security Techniques – IT Intrusion Detection Framework. The document focuses on the security principles behind the intrusion of computer systems by outsiders or trusted employees, and how organizations can establish a framework to enable a comprehensive intrusion detection system.

"One of the problems that businesses have is being able to detect when their systems are being intruded upon in order that effective action can be taken to prevent harm or loss to their assets," said Ted Humphreys, convenor of the ISO working group that has developed the report. "The development of ISO/TR 15947 is an important step forward in dealing with the growing problem of intrusions and provides a good basis for progressing solutions and implementations."

Organizations are vulnerable to various kinds of security threats, such as computer viruses, denial of service attacks, and hackers. Typical misuse takes advantage of vulnerabilities in system configuration, user neglect, and carelessness, as well as design flaws in software, protocols, and operating systems. Outsiders, as well as trusted insiders (disgruntled employees, trading partners, and temporary employees), can exploit these vulnerabilities.

"It is estimated that intentional attacks on information systems are costing businesses worldwide around $15 billion each year and the cost is rising. In addition, there is the cost of the loss or damage to the corporate reputation, brand names, customer trust and loyalty, and of course, the price of stocks and shares," noted Ted Humphreys.

Intrusion detection is an important tool for security management, used to predict and identify intrusions in computer systems and networks and to raise appropriate alarms during an intrusion attempt. The system enables local collection of information on intrusions, and subsequent consolidation and analysis, as well as analysis of an organization's normal IT patterns of behavior and usage.

ISO/TR 15947 describes different methods and combinations of methods of intrusion detection analysis, as well as the typical activities and actions that need to be taken to respond to the presence of intrusions. It considers the different types of intrusions, including those that are intentional or unintentional, legal or illegal, harmful or harmless, as well as unauthorized access by insiders and outsiders.

The new technical report provides a generic model of intrusion detection with examples of attempts to exploit system vulnerabilities, the common types of input data that need to be considered, and the resources required to establish an effective intrusion detection capability. It is expected to assist IT managers with setting up interoperable intrusion detection systems within their organizations and facilitating collaboration among organizations worldwide where cooperation is desired and/or essential to counter intrusion attempts.
To enroll in these public classes, go to Class Schedule at our web site, or call us at 800-404-7585.

ISO 9001:2000 Lead Auditor (ANSI/RAB-NAP Accredited) - BSI Management Systems
ISO 9001:2000 Internal Auditor (ANSI/RAB-NAP Accredited) - BSI Management Systems
ISO 9001:2000 Auditor Transition (RAB-Approved) - Course developed by Larry Whittington
Implementing ISO 9001:2000 (for New Systems) - Course developed by Larry Whittington
Understanding ISO 9001:2000
Understanding ISO 9001:2000 Requirements (Atlanta Only - $295) - Course developed by Larry Whittington
ISO 9001:2000 Conversion (for Existing Systems) - Course developed by Larry Whittington
Quality System Documentation (Revised for ISO 9001:2000) - Course developed by Larry Whittington

The above public courses can be offered on-site at your facility. In addition, we offer the following unique on-site courses:
© 2000-2002 Whittington & Associates, LLC. All rights reserved. You may copy this e-Newsletter provided you copy it completely, do not change it, and include this copyright notice.