e-Newsletter

August, 2005

Visit and bookmark our web site today: http://www.WhittingtonAssociates.com

August Articles
Atlanta Classes

BOOKS:
See recommended ISO 9001, Auditing, and Six Sigma books at:
http://www.whittingtonassociates.com/v2/books.shtml


ARTICLES:
Click on a title to jump to the article:

1. Revised ISO 17025 for Testing and Calibration Labs

2. Authorized SCAMPI Appraisals of CMMI Practices

3. Industry Guidelines for ISO 9001:2000

4. Computer Sabotage: An Insider Threat

5. Special Audit Guidance in QE19011S-2004

6. Second Edition of SPC Manual from AIAG

7. Classes: August, 2005 - October, 2005


Call us at 1-800-404-7585 for these 1-day onsite classes:

  • AS9100B: Requirements Beyond ISO 9001:2000
  • ISO 9001:2000 Auditor Update - The Process Approach
  • Understanding ISO/TS 16949:2002 Requirements



Students attending a class in Atlanta receive a 20% discount on future Atlanta classes.

ISO 9001:2000 Lead Auditor
August 15-19, 2005
October 17-21, 2005

ISO 9001:2000 Internal Auditor
September 27-29, 2005

Understanding ISO 9001:2000 Requirements
August 22, 2005
November 14, 2005

Quality System Documentation
August 23-24, 2005
November 15-16, 2005

Implementing ISO 9001:2000
August 25-26, 2005
November 17-18, 2005

Green Belt Certification
August 8-10, 2005
September 14-16, 2005

Black Belt Certification 
Group 17 (3 weeks): August 15-19
+ September 19-23 + October 17-21


1. Revised ISO 17025:2005 for Testing and Calibration Labs

A second edition has been published of ISO 17025, the ISO standard acknowledged as the international benchmark for approving the competence of the testing and calibration laboratories that play a vital role in trade, in product development and manufacturing, and in protection of the consumer.

ISO 17025:2005, General requirements for the competence of testing and calibration laboratories, replaces the 1999 edition, which has been used to "accredit" (approve) some 25,000 laboratories worldwide that test products and samples and calibrate precision instruments. However, the influence of ISO 17025 is even greater than this figure might suggest, since many countries make its use a legal requirement. In addition, documents derived from it are used by laboratories in specific sectors, such as medicine and microbiology.

ISO Secretary-General Alan Bryden commented: "ISO 17025 benefits business, government, and society at large. Confidence in the competence of laboratories is frequently needed by businesses when testing new products, or ensuring that finished products are fit for sale, by government regulators and trade officials that require assurance about domestic or imported products before they can be placed on the market, or for ensuring the quality and reliability of testing and analysis relating to environmental, health, or safety hazards."

ISO 17025:2005 contains all of the requirements that testing and calibration laboratories need to meet in order to demonstrate to customers and regulators that they operate a sound management system which puts them in full control of their processes, are technically competent, and are able to generate technically valid results. Accreditation bodies that recognize the competence of testing and calibration laboratories will use the standard as the basis for their accreditation.

"Dependable testing and calibration laboratories are ones that have been duly accredited as competent and ISO 17025:2005 is the laboratory accreditation standard that, like the edition it replaces, will be counted on by business and governments worldwide," declared Peter van Leemput, who led the ISO group of experts that carried out the work.

The new 2005 edition results from the amendment of ISO 17025:1999 to ensure its compatibility with the requirements of ISO 9001:2000. This became necessary because of the generalized adoption of quality management systems conforming to ISO 9001:2000, including many of the organizations that testing and calibration laboratories serve.

It also seeks to clarify that, while compatible, the two standards are not interchangeable. Although both standards can be used by laboratories as a framework for providing their customers with confidence that they are managing their activities, only ISO 17025 can be used to demonstrate the technical competence specific to laboratories.

Laboratories may choose to be accredited to ISO 17025, or be certified to ISO 9001:2000, or both, but the processes of accreditation and certification would still be two separate actions, although highly facilitated - both for the laboratories and the assessors - by the consistency now ensured between the two standards.

There are no essential changes to the technical requirements. The modifications relate mainly to the management requirements in the document to reflect the content of ISO 9001:2000, especially in a greater emphasis on the responsibilities of top management, on the need to demonstrate a commitment to continually improve the effectiveness of the management system, on customer satisfaction, and on internal and customer communication about the management system.

Peter van Leemput summed it up: "Laboratories that have described and controlled their processes within the laboratory - as already required by the 1999 edition of ISO 17025 - will only have minor adjustments to make to their existing procedures to ensure that the new orientations in the management requirements are fulfilled."

The International Laboratory Accreditation Cooperation (ILAC) has set a transition period of two years from date of publication of the new edition, May 12, 2005, for accredited laboratories to comply with the standard's requirements.

2. Capability Maturity Model Integrated (CMMI)

Some of you have noticed that we offer CMMI consulting, and have asked, "What is CMMI?"

For more than 20 years, the Software Engineering Institute (SEI) has had the national mandate to advance the state of the practice of software engineering and to serve as a national resource in software engineering and technology. The SEI is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.

CMMI (Capability Maturity Model Integrated) is a process improvement framework developed by the SEI to enable organizations to improve productivity and overall product quality. CMMI provides a set of best practices that improve an organization's ability to manage the development, acquisition, and maintenance of products and services, to gain maximum efficiency, profitability, and customer satisfaction.

The CMMI product suite enables an organization to select one or more of the disciplines, such as CMMI for System Engineering, Software Engineering, Integrated Product and Process Development, or Supplier Sourcing. The built-in flexibility of CMMI offers the opportunity for an organization to tailor the framework to its business environment, and thus gain the maximum return on its enterprise-wide process improvement investment, including the significant improvement on predictability of the critical measures of cost, schedule, performance, and stakeholder satisfaction.

CMMI provides two representations to allow for flexibility in the organization's process improvement program. The staged representation provides a step-by-step approach to improve from ad hoc to more predictable, effective, and controlled processes. The continuous representation allows the organization to focus on capabilities within the process areas that will maximize improvement benefits for the organization.

Staged Representation
If you choose the staged representation for your organization, expect that the model will do the following:

  • Provide a proven sequence of improvements, beginning with basic management practices and progressing through a predefined and proven path of successive levels
  • Permit comparisons across and among organizations based on ratings (called "maturity levels") of large groups of related best practices
  • Provide a single rating that summarizes appraisal results and allows comparisons among organizations
Continuous Representation
If you choose the continuous representation for your organization, expect that the model will do the following:
  • Allow you to select the order of improvement that best meets your business objectives by first prioritizing and mitigating the organization's areas of highest risk
  • Enable comparisons across and among organizations based on ratings called "capability levels" of small groups of related best practices (or based on equivalent staging*)
  • Afford an easy comparison of process improvement to ISO because the organization of best practices is similar to ISO 15504

*Note: Equivalent staging is used to relate the ratings from the continuous representation (capability levels) to the ratings resulting from the staged representation (maturity levels). Equivalent staging enables the results of appraisals using the continuous representation to be translated into maturity levels, thereby enabling those using the continuous representation to achieve a maturity level rating. Maturity levels are typically used for benchmarking progress among organizations, enterprises, and projects, and are used as a measure of quality by some organizations.

The process maturity and/or capability of an organization can be assessed via a Standard CMMI Appraisal Method for Process Improvement (SCAMPI).

Mini-Appraisal (SCAMPI C)

When beginning a process improvement journey, or when moving to the next level of your current process improvement plan, it is important to determine your starting point. Every organization has a quality system in place, or they wouldn't be in business. Many organizations fail to really examine their process status prior to beginning their process improvement program. They pick a model and use it like a requirements document, regardless of whether it works well for their organization. 

It is important to determine what your organizational culture and business needs are as you either begin, or continue, your process improvement journey. By determining your current strengths and weaknesses, you can build on your strengths to help fill the process gaps and generally attain process success faster and less stressfully. Therefore, we recommend conducting a SCAMPI C when an organization is beginning its process improvement journey, or midway between formal assessments (to keep the organization on the right track). 

As we conduct it, the SCAMPI C is designed to provide detailed appraisal results with minimal corporate investment. The SCAMPI C consists of the same basic steps as the more formal appraisals (plan and prepare, conduct, and report), yet it is scaled down to reduce the impact on the organization and its resources.

Organizations just beginning their process improvement journey can use the SCAMPI C to determine, minimize, or control the degree of change to the organization, while using the positive results to jump start the process improvement program. Organizations currently engaged in their process improvement program can use the SCAMPI C to verify that improvements that have been made resulted in maximum benefit to the organization, and to determine the areas requiring attention if they are to achieve their next process improvement goal. 

The SCAMPI C appraisal typically takes 3 to 5 days. Its findings and recommendations are based on the expert judgment of the appraisal leader. Our SEI-authorized appraisal leader, Barbara Hilden, follows a SCAMPI C method that is tailored to fit the needs of your organization. The level of detail used to assess each area of the model is not as thorough as it would be in a more formal appraisal. In general, the results of the SCAMPI C tend to be more judgmental than those of the more formal appraisal, as she often uses her extensive experience in the field to make calls on areas where documentation is not as well defined as it should be, or where processes are inappropriate for the organization.

The SCAMPI C includes:

  • An appraisal plan, including a definition of the organizational appraisal objectives
  • An opening briefing, summarizing the appraisal objectives, process maturity concepts, and the SCAMPI C method
  • A review of "organizational" documents (policies, procedures, guidelines, training materials, etc.)
  • A review of "project" documents (project plans, CM plans, QA plans, Risk Management Plans, Requirements Traceability Matrices, etc.)
  • Interviews with management and practitioners
  • A complete appraisal findings presentation.
The final findings presentation is delivered to a sponsor-selected audience upon conclusion of the site visit. Complete appraisal results are produced using an appraisal tool, and if desired, improvement action plans can also be produced.

Standard CMMI Appraisal Method for Process Improvement (SCAMPI)

The Standard CMMI Appraisal Method for Process Improvement (SCAMPI) is designed to provide benchmark quality ratings relative to the CMMI models. It is applicable to a wide range of appraisal usage modes, including both internal process improvement and external capability determinations. SCAMPI satisfies all the Appraisal Requirements for CMMI (ARC) requirements for a Class A appraisal method and can support the conduct of ISO 15504 assessments.

SCAMPI v1.1 enables a sponsor to:
  • gain insight into an organization's engineering capability by identifying the strengths and weaknesses of its current processes
  • relate these strengths and weaknesses to the CMMI model
  • prioritize improvement plans
  • focus on improvements (correct weaknesses that generate risks) most beneficial to the organization given its current level of maturity or process capabilities
  • derive capability level ratings, as well as a maturity level rating
  • identify development/acquisition risks relative to capability/maturity determinations

The SCAMPI typically takes around 3 months to complete, including planning, preparation, and execution. Additional time may be required to produce a final written report. The SCAMPI is completed in three phases: 1) planning and preparing, 2) conducting, and 3) reporting the results.

Phase 1: Plan and Prepare for the Appraisal 

During this phase, the appraisal leader works with the appraisal sponsor and technical point of contact to determine the appraisal inputs and develop the appraisal plan as required by the SCAMPI. During this phase the appraisal input and plan will be developed to include:

  • Appraisal purpose and parameters
  • Appraisal scope (CMMI and Organizational)
  • Planned method tailoring
  • Appraisal outputs and constraints
  • Appraisal activities, resources, and schedule
  • Appraisal risks
  • Logistical requirements and arrangements for conducting the appraisal
The appraisal input and plan are developed iteratively with other preparation activities that are completed during this phase.  These activities include:
  • Conducting team training
  • Collecting objective evidence by the organization
  • Conducting appraisal readiness reviews as appropriate, including:
- Organizational structure, roles and responsibilities
- Project profiles for proposed past and current projects
- Process improvement plans and process documentation
- Other information that will aid in the successful completion of the appraisal
  • Preparing the opening presentation and any other necessary presentations
Because of the significant investment and logistical planning involved, considerable iteration and refinement of planning activities should be expected. Preparation activities conducted by the appraised organization are critical to the efficient execution of the SCAMPI appraisal. Analysis of preliminary objective evidence provided by the appraised organization plays a critical role in setting the stage for the appraisal execution. If substantial data are missing at this point, subsequent appraisal activities can be delayed, or even canceled, if the judgment is made that continuing appraisal activities will not be sufficient to make up for the deficiency. 
 
The outputs from the planning and preparation phase take the form of information documented in the appraisal input, appraisal plan, and/or opening presentation, and various worksheets and/or databases retained by the team members for use in conducting the appraisal phase.

Phase 2: Conduct the Appraisal

During this phase, the appraisal team focuses on collecting data from the appraised organization to judge the extent to which the model is implemented. The conduct of this phase varies depending on the scope of the appraisal and the characteristics of the appraised organization. The steps completed by the appraisal team during this phase include:
  • Orientation to the site and the logistical arrangements for the appraisal
  • Opening presentations by the appraisal team and the organization
  • Document reviews
  • Management and practitioner interviews
  • Data consolidation
  • Draft findings preparation and presentations
  • Follow-on interviews and final document reviews, as needed

Phase 3: Report the Appraisal Results

During this phase, the appraisal team focuses on reporting the results of the appraisal to both the organization and the CMMI Steward (SEI) as required. The steps completed by the appraisal team during this phase include:

  • Preparing and presenting final findings
  • Participating in executive sessions, as required
  • Forwarding the agreed-to appraisal record to the CMMI Steward (SEI)


Appraisal Readiness Review

An Appraisal Readiness Review will determine if your organization is prepared for the planned formal appraisal. We review an inventory of the objective evidence and determine if sufficient objective evidence is available to proceed with the appraisal as it is currently planned.

During the readiness review the appraisal team reviews:

  • Compliance Matrix Responses
  • Organizational Documents
  • Project Documents
  • Process Asset Libraries
  • Process Databases
This review is a required part of the SCAMPI methodology and typically takes place in conjunction with the team training during the final preparation for the appraisal. Additional readiness reviews can be scheduled as needed earlier in the planning phase. If it is found that insufficient objective evidence is available for the appraisal to proceed as planned, a re-planning effort is done with the appraisal leader, the appraisal technical point of contact, and the appraisal sponsor.

Consulting Services

We collaborate with your organization to complement and support your process improvement staff. We do this through our skills and expertise, along with guidance and monitoring, to enable successful implementation of your process improvement program. This approach will allow your organization to maximize the benefits from the process improvement program, while minimizing your dependence on outside consultants.

We provide process improvement, model orientations, and tools support for your organization, and work with you in selecting the optimum methods for process improvement depending on your needs, areas of technology, and your client base. 

We evaluate your organization and its existing processes using a compliance tool, and develop a tailored process improvement approach that fits your needs. From those identified needs, we will work with you to prioritize the improvements that will provide the maximum payback in the shortest period of time, without losing sight of the long-range process improvement goals. From these prioritized actions, we will assist you in developing your Process Improvement Plan (PIP). 

We assist you in setting up and training your Process Improvement organization, including your Engineering Process Group, Training Group, and Quality Assurance Group. We will work with these people to analyze, design, review, and implement needed policies, standards, and procedures. We will also train and assist your staff in assessing progress against the Process Improvement Plan. And, we will ensure that Management is kept informed of progress at every step of the journey.
Appraisal Services

We provide both formal and informal appraisals tailored to fit your organization's needs. These appraisals are designed to determine the maturity and/or capability of your organization. Each appraisal is "custom fit" to your organization to ensure all requirements are fully met. We work with your organization to ensure your business needs and the requirements of your clients are fully understood and appropriately incorporated into the conduct of the appraisal. We also provide mini-appraisals, risk assessments, and appraisal readiness reviews to assist your organization in preparing for a formal appraisal.

One of our Associates, Barbara Hilden, is authorized by the Software Engineering Institute (SEI) as an appraisal leader for both Software Capability Evaluation (SCE) and Standard CMMI Appraisal Method for Process Improvement (SCAMPI).  We can provide the type of appraisal that fits your business needs.

We conduct cost-effective appraisals to minimize the impact on your organization while maximizing the objective results of the appraisal. Our reputation for high standards, ethical conduct, and quality appraisal results is known throughout the community. We work to ensure that the findings are easily understood and can be used to improve your processes.

CMMI Consultant

Barbara Hilden has over nineteen years of experience in the computer industry. She is an authorized SCAMPI Lead Assessor and CMMI Instructor, Lead Evaluator (SCE V3.0), and ISO 9001 Internal Auditor. She has implemented process improvement initiatives, including CMMI, SW CMM, SA CMM, and ISO 9001. She has led or participated in over 40 formal appraisals and multiple audits and mini-appraisals for the SW-CMM, the FAA-iCMM, ISO 9001, EIA/IS 731 SE CM, and the CMMI in a wide variety of organizations from very small to global organizations.

SCE, SCAMPI, SCAMPI Lead Assessor, SCAMPI Lead Appraiser, and SEI are service marks of Carnegie Mellon University.
® Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent & Trademark Office by Carnegie Mellon University.

3. Industry Guidelines for ISO 9001:2000

In addition to the primary set of quality management system standards:
  • ISO 9000:2000 Fundamentals and Vocabulary
  • ISO 9001:2000 Requirements
  • ISO 9004:2000 Guidelines for Performance Improvement
there are industry guidelines for quality management systems:
  • IWA 1 - Guidelines for Process Improvements in Health Care Organizations
  • IWA 2 - Guidelines for the Application of ISO 9001:2000 in Education
  • ISO 90003 - Guidelines for the Application of ISO 9001:2000 to Computer Software
  • ISO 15161 - Guidelines on the Application of ISO 9001:2000 for the Food and Drink Industry
  • ISO/DIS 16106 - Transport Packages for Dangerous Goods - Guidelines for the Application of ISO 9001
You can order these documents at:

Industry requirements for quality management systems based on ISO 9001:2000 include:
  • AS9100 - Aerospace - Requirements
  • ISO 13485 - Medical Devices - Requirements for Regulatory Purposes
  • ISO/TS 16949 - Automotive Suppliers - Particular Requirements for the Application of ISO 9001:2000
  • TL 9000 - Telecommunication - Requirements - Release 3.0
  • TL 9000 - Telecommunication - Measurements - Release 3.5
  • ISO/TS 29001 - Petroleum, Petrochemical, and Natural Gas Industries - Requirements for Product and Service Supply Organizations
You can order these documents at:
4. Computer Sabotage: An Insider Threat

According to recent research, employees and contractors are perpetrating more cyber security attacks than ever to harm organizations intentionally.

Computer security threats have challenged IT management, administrators, and auditors since the beginning of the high-tech age. Although much has been published on external threats, such as viruses, worms, and hackers, statistics are not as clear regarding the prevalence of cases perpetrated by insiders. 

To help organizations gain a better understanding of insider risks, the CERT Coordination Center released its Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. The goal of the study, conducted in coordination with the U.S. Secret Service National Threat Assessment Center, was to address insider threat from a human resources, corporate security, and information security perspective. The study focused on user intent to misuse computer resources to harm organizations.

In the study, researchers reviewed 49 cases of computer sabotage perpetrated by insider activities that caused a financial loss to the organization, negatively impacted business operations, or damaged the organization's reputation. The cases involved current or former employees or contractors who intentionally misused or exceeded authorized access to systems data. In addition, the cases included incidents in which there were unauthorized attempts to view, disclose, retrieve, delete, change, or compromise information.

FOCUS ON DETECTION AND PREVENTION

Researchers reviewed details of the cases under investigation, focusing on incident detection and insider identification. Information was reviewed about pre-incident planning and communication; nature of harm to the organization; law enforcement and organizational response; and insider background, history, technical expertise, and interests.

Some of the key findings in the study included:

Preparation

  • A negative work-related event triggered most insiders' actions.
  • The majority of insiders planned their activities in advance.
  • The majority of insiders compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks.
  • Remote access was used to conduct the majority of attacks.
  • The majority of attacks were accomplished using company computer equipment.

Detection

Most of the insider attacks were detected when there was a noticeable irregularity in the data system, or systems became unavailable. For example:

  • System logs were the most prevalent means to identify insiders.
  • Most insiders took steps to conceal their identities and activities.
  • Most of the incidents were detected by nonsecurity personnel.
  • In many cases, forensic examinations were used to identify the insider and gather supporting evidence.

Study results found that in 80 percent of the cases reviewed, a supervisor, coworker, or subordinate observed concerning or inappropriate behavior by the perpetrator prior to the incident, such as excessive tardiness, truancy, arguments with coworkers, or poor job performance. In 31 percent of the cases studied, the insider had a record of disciplinary actions within the organization prior to the incident.

The study also found that 58 percent of the insiders communicated their negative feelings to others (coworkers, family, and friends) by revealing their grievances either verbally or through e-mail. In 20 percent of the cases, the insider made a direct threat about harming the organization or an individual. In addition, in 62 percent of the cases, insiders had developed plans to perpetrate the incident, such as stealing backup copies, sabotaging backup processes, or installing backdoor access to secured accounts. In 37 percent of the cases, the insider's planning activity was noticeable, either online or offline.

RED FLAGS TO WATCH

As with any process, policies and procedures are effective only when they are monitored and enforced adequately. Risk and control awareness by employees, supervisors, and internal auditors can help deter insider threats similar to those reviewed in the following study cases.

Sharing account passwords. A shared account used to manage a company's voicemail system required a password for administrative access. Because the company overlooked changing the password to the account upon termination of one of its employees, the disgruntled ex-employee was able to access the account remotely and made changes that directed certain customers to a pornographic telephone service.

In another incident, an employee who had privileged access to an application used to maintain client Web sites was terminated and his access disabled upon termination. Because department employees occasionally shared their passwords among the team for testing purposes, he was able to log into the application by using his supervisor's username and password, and make malicious, embarrassing changes to client Web sites.

Unprotected screensavers. A contractor, who was not escorted when visiting an organization's network operations center, was able to access consoles that were left logged on without password-protected screensavers. He then deleted system files, a database, and all software from three of the company's servers.

Premises access for terminated employees. An insider with system administrator privileges was terminated from a research project that used a single, stand-alone computer to document data. Although the employee's access card to the building was disabled immediately, he returned to the office after working hours, where another employee, who believed the "employee's" access card had malfunctioned, let him into the building. The insider then deleted research data the office had been working on for 18 months.

Inadequate separation of duties. A programmer was given system administrator access, although system administration was not his responsibility. He used that access to plant a logic bomb on the organization's network that interrupted customer access to the organization's systems.

Noncompliance with two-person rule. When the sole system administrator of an organization was terminated without warning, he initially refused to divulge the system administrator passwords. Prior to leaving the building, he changed the passwords for all user accounts preventing anyone in the organization from logging into the company's systems. He also changed the IP address of the Web server so no one could access the organization's Web site. Furthermore, after revealing the administrator passwords to the organization two days later, he remotely accessed a backdoor account he previously created to run a password sniffer on the organization's network, which enabled him to obtain a list of employee passwords.

Absence of procedural and technical controls for system administrators. Management disabled access to a network administrator's computer and remote access accounts after he was reprimanded for behavioral issues. When returning to work the next day, the disgruntled employee gained physical access to a restricted workstation, logged in with a root password, and planted a time bomb that deleted all files on three company servers days later. Two days following recovery, the servers were sabotaged again in the same manner, and recovery consultants discovered a destructive script on three of the company's file servers that was scheduled to run at 3 a.m. every Wednesday. During the investigation, the company learned that the insider had discovered a backdoor on 20 restricted workstations where he could gain root access.

BEST PRACTICES

Based on the case study, CERT recommends proactive strategies that can be implemented by all company personnel to mitigate insider threats, which include information security and human resources best practices such as:

  • Monitoring to ensure system access is disabled timely and completely following an employee termination.
  • Establishing formal grievance procedures as an outlet for insider complaints.
  • Creating a reporting process when a colleague notices or suspects concerning behavior.
  • Enforcing comprehensive password policies and computer account management practices.
  • Using configuration management practices to detect logic bombs and malicious code.
  • Monitoring system log activity.
  • Establishing and monitoring procedural and technical controls for system administrator and privileged system functions.
  • Providing layered security for remote access.
  • Monitoring compliance with backup procedures and testing recovery processes.
  • Ensuring procedures are in place to disable temporary employee and contractor access as thoroughly as that of permanent employees.

The study also suggests organizations should recognize that employees sometimes share their passwords with coworkers for convenience, knowing it is a violation of policy. To be safe, companies should remind coworkers of a departed employee to change their passwords if there is the slightest chance they may have shared a password with that employee. A termination checklist should also be used to ensure procedures are in place to terminate physical access to the facility, as well as to notify the guard station or reception area of the employee's termination or resignation.
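Two of the practices above, configuration baselines that expose unapproved scheduled jobs (the weekly 3 a.m. script in the third case) and confirming that access is actually disabled after a termination, can be turned into a simple recurring check. This is an added example, not code from the CERT report or from Whittington & Associates; the crontab text, account table, termination dates and baseline are all constructed, and a real deployment would read the live crontab and directory data instead.

```python
"""Baseline comparison for scheduled jobs and for accounts that should
already be disabled.  All data below is constructed for illustration."""

# Constructed baseline: jobs approved through change control, keyed by
# (user, five-field schedule, command).
BASELINE_JOBS = {
    ("root", "0 2 * * *", "/usr/local/bin/backup.sh"),
    ("root", "30 4 * * 0", "/usr/sbin/logrotate /etc/logrotate.conf"),
}

# Constructed crontab dump, as `crontab -l -u root` would print it.
SAMPLE_ROOT_CRONTAB = """\
SHELL=/bin/sh
# approved nightly backup
0 2 * * * /usr/local/bin/backup.sh
30 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
0 3 * * 3 /tmp/.hidden_job.sh
"""

# Constructed account state (enabled?) and HR termination dates (ISO 8601,
# so plain string comparison orders them correctly).
ACCOUNTS = {"alice": True, "bob": True, "svc_backup": True}
TERMINATED = {"bob": "2005-06-01"}


def parse_crontab(text, user):
    """Return the set of (user, schedule, command) triples in a crontab.
    Blank lines, comments and VAR=value assignments are skipped."""
    jobs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 5)  # five time fields, then the command
        if len(fields) < 6:
            continue  # malformed entry; not a schedulable job
        jobs.add((user, " ".join(fields[:5]), fields[5]))
    return jobs


def unapproved_jobs(current, baseline=BASELINE_JOBS):
    """Jobs present now but absent from the approved baseline."""
    return sorted(current - baseline)


def stale_accounts(accounts, terminated, today):
    """Accounts still enabled although the user's termination date has passed."""
    return sorted(u for u, enabled in accounts.items()
                  if enabled and u in terminated and terminated[u] <= today)


if __name__ == "__main__":
    print(unapproved_jobs(parse_crontab(SAMPLE_ROOT_CRONTAB, "root")))
    print(stale_accounts(ACCOUNTS, TERMINATED, "2005-06-03"))
```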

The complete report is available for download from CERT's Web site, www.cert.org/archive/pdf/insidercross051105.pdf. Established in 1988, the CERT Center provides Internet security expertise through a federally funded research and development center operated by the Software Engineering Institute at Carnegie Mellon University.

This article was originally published in ITAudit, Vol. 8, June 15, 2005, published by The Institute of Internal Auditors Inc. See www.theiia.org/itaudit.
 
5. Special Audit Guidance in QE19011S-2004  

Many of you receiving this newsletter are auditors. Depending on when you were trained, you may have received a copy of ISO 10011 (now withdrawn), or its replacement, ISO 19011:2002, Guidelines for Quality and/or Environmental Management Systems Auditing. All RABQSA-certified auditor training courses are now based on ISO 19011.

In the USA, we have another source of audit guidance, ANSI/ISO/ASQ QE19011S-2004. It contains the full text of ISO 19011:2002, along with supplemental text intended for organizations with simple systems. The additional guidance is provided for small organizations that may wish to consider its application to the full range of audit activities (first, second, and third-party audits), and for any users that wish to apply the standard to internal (first party) audits and external supplier (second-party) audits.

Since the definition of a "small" organization may vary, the concept of a small organization in the supplement relates not only to the size of the organization, but also to the complexity of the management system, the complexity of the product and processes, the organization’s regulatory environment, and the effectiveness of communications within the organization.

Therefore, the guidance given for small organizations may also apply to larger organizations with simple management systems, simple products and processes, little regulatory impact, and good communications processes among the personnel, functions, and management levels.

For example, ISO 19011 states in clause 6.3 that the auditee's documentation should be reviewed prior to the on-site audit. After providing additional guidance, the standard goes on to say the document review might be deferred until the on-site audit, if this is not detrimental to the effectiveness of the conduct of the audit.

QE19011S expands on 6.3 by stating that once initial conformity of the documents has been established, an internal audit team may only need to review those documents in which changes have been made since the last audit of the area, unless the audit criteria change. The supplement adds that documents specific to a particular area, e.g., work instructions, can be reviewed while auditing that area rather than during a separate document review.

An electronic version of QE19011S-2004 can be downloaded for an ASQ member price of $72.00 at <http://e-standards.asq.org/perl/catalog.cgi?item=T19011SE>.
 
6. Second Edition of SPC Manual from AIAG

The Statistical Process Control Reference Manual, second edition, is now available. This reference manual, published by DaimlerChrysler Corporation, Ford Motor Company and General Motors Corporation, provides an approach to the fundamentals of statistical process control (SPC) based on use in the automotive industry. The manual also establishes a basis for understanding more advanced SPC methods. 

The SPC Reference Manual, Second Edition, has an improved flow and: 

  • Reinforces the need for a systemic approach to analysis of variation in data
  • Addresses additional control chart methods and tools, and
  • Expands and improves coverage of the capability analysis of non-normal data

The SPC Reference Manual is available from AIAG at a price of $15 for members and $45 for non-members. To purchase, visit the AIAG Online Store at www.aiag.org. You can also order through AIAG customer service at 248-358-3003.

7. Class Schedule: August, 2005 - October, 2005

To enroll in these public classes, you can click on the course title, go to Class Schedule at our web site, or call us at 800-404-7585.

Classes taught by Larry Whittington are shown in yellow.

ISO 9001:2000 Lead Auditor (RABQSA Certified) - BSI Management Systems
Initial course version developed by Larry Whittington 
  • August: 01-05 Anaheim, CA; 08-12 New York, NY; 15-19 Atlanta, GA; 15-19 Dallas, TX; 22-26 Reston, VA; 29-02 Las Vegas, NV
  • September: 12-16 Chicago, IL; 19-23 Pittsburgh, PA; 26-30 Phoenix, AZ
  • October: 03-07 Reston, VA; 17-21 Atlanta, GA; 17-21 Houston, TX; 24-28 San Diego, CA; 31-04 Orlando, FL

ISO 9001:2000 Internal Auditor (RABQSA Certified) - BSI Management Systems
Initial course version developed by an Associate at Whittington & Associates
  • August: 09-11 Reston, VA; 30-01 San Jose, CA
  • September: 27-29 Atlanta, GA; 27-29 Memphis, TN
  • October: 11-13 Roanoke, VA; 18-20 Reston, VA

Implementing ISO 9001:2000
Course developed by Larry Whittington

  • August: 25-26 Atlanta, GA
  • September: 20-21 Reston, VA
  • October: 25-26 Reston, VA

Understanding ISO 9001:2000

  • September: 19 Reston, VA
  • October: 24 Reston, VA

Understanding ISO 9001:2000 Requirements (Atlanta Only - $295)
Course developed by Larry Whittington

  • August: 22 Atlanta, GA
  • November: 14 Atlanta, GA

Quality System Documentation (ISO 9001:2000)
Course developed by Larry Whittington
  • August: 23-24 Atlanta, GA
  • October: 27-28 Reston, VA

The above public courses can be offered on-site at your facility. In addition, we offer these on-site courses:

  • ISO 9001:2000 Auditor Update - The Process Approach (1 Day) - Course developed by Larry Whittington
  • Understanding ISO/TS 16949:2002 Requirements (1 Day) - Course developed by Larry Whittington
  • Internal Quality Auditing (2 Days) - Course developed by Larry Whittington (based on ISO 19011)
  • AS9100B: Requirements Beyond ISO 9001:2000 (1 Day) - Course developed by Larry Whittington

To arrange an economical on-site class, please call us at 800-404-7585.


© 2000-2005 Whittington & Associates, LLC. All rights reserved.
You may copy this e-Newsletter provided you copy it completely, do not change it, and include this copyright notice.
