Quality management articles - Quality Matters Blog

Quality, Environment and Health & Safety in Gliding

2009-06-22T11:02:00.002+01:00

I recently joined a gliding club and with any luck, I should be solo by the end of the summer.

I couldn't help but notice a great deal of the standards (ISO9001, ISO14001 & ISO18001) apply in this discipline as well as in the workplace.

Quality (ISO9001) if you apply best practice and continual improvement then the gliding experience is good, but if the processes are badly applied it results in additional costs (more lessons) and poor customer satisfaction (particularly from other members of the gliding club). I have heard things like "that was a crap landing".

Environmental (ISO14001) A Clean glider performs much better than one covered in squashed insects and good cleaning means that the canopy is clear and not smeared. Environmentally friendly chemicals protect the fabric of the glider and its occupants.

Health and Safety (ISO18001) When I joined the club, a seasoned member mentioned that there were bold glider pilots and old glider pilots but there were no old bold glider pilots. Health and safety practices are essential to allow full enjoyment of this sport without additional risks. The same instructor mentioned that it was probably more dangerous driving to the club than it was flying as all good pilots (and trainees) follow a strict set of rules.

I thought a hobby like this would get me away from work but the principles I use and teach are very evident in this area.

My wife said that I shouldn't take any risks and in that I agree. Common sense and safe flying will be my by-words.

ISO9001 Terms and Conditions of Payment

2009-06-08T09:48:00.001+01:00

The current situation where banks and financial institutions are not lending to industry is causing serious damage to our economy. It has become clear that companies are delaying bill payment until the last possible moment and in turn this is causing cash flow shortages not seen even in the 80's recession.

The inevitable result is that organisations at the end of the purchase chain are being starved of cash and in some cases this cash-flow shortfall is putting viable companies out of business. I have noticed that some companies are unable to accept new orders because they do not have the cash to purchase raw material to service the orders.

The vast amount of cash advanced to the banking industry was designed to allow them to restart lending to industry; instead the banks used this cash to shore up their balance sheets instead of being made available to lend.

We are told that the borrowing by the Government will take up to twenty years to pay back. The pay-back time may be considerably longer if our mainstay industries are no longer there.

Companies that have ISO9001 in place are better placed to weather the downturn as they have a solid set of terms and conditions which include payment terms.
Remember those who shout loudest and have good control of their sales ledgers will the first to be paid; this may be the difference between survival and insolvency.

Data back-up for computer systems

2009-05-20T09:41:00.000+01:00

Like many businesses our computer system is backed up. This ensures that we able to restore vital information in the event of a computer failure or other problem which disables or destroys our servers or desktop/laptops.

We have always backed up regularly and then taken a copy of the back-up off site for security of data. Recently the system proved fallible because one person thought another person had done the back-up and to cut a long story short, no one had done it. Our business was at risk because we only had a week old copy off site. Fortunately nothing happened.

I decided that we couldn't rely on luck and next time we might not be so lucky.
My new bank, Barclays, was offering an automated back-up system, where the entire server was backed up and then an incremental back-up is taken daily and automatically; this means that all our data is available to restore and there is no element of human interaction required.

Is the data secure? Yes, it is encrypted to the same level as credit cards, 128-bit SSL encryption on transfers, 256-bit AES encryption on storage. It is mirrored to another data-centre for additional security.

No one else can access our data, not even the data-centre so we know that it meets our strict data requirements. It is also available to restore, if or when, we need it.

The first data save did take rather a long time, overnight in fact, but the incremental back-up is quick as it only saves changed files.
Is this expensive? No surprisingly it isn't and if or when we really need to restore data in an emergency it will be worth every penny.

Business Continuity - Illness

2009-05-05T10:29:00.002+01:00

The news that swine flu has crossed borders and is affecting an increasing number of countries is most unwelcome.

Organisations that have installed the management standard ISO14001 will have an Emergency Preparedness plan and those that have ISO27001 installed will have a Business Continuity plan in place to mitigate and offset the effects of an outbreak of illness within their companies. The threat of a pandemic could mean that staff are absent from work and those unaffected by the outbreak may not want to go into work just in case they catch the same illness.

The fear of catching the virus may mean that absence from work may be greater than it would be normally. The effects on a company with no advance plan in place may mean that the company is unprepared and may not actually survive the outbreak.

The economic downturn coupled with the pandemic may be the last straw for the unprepared organisation.

UPS - Uninterruptable Power Supply

2009-04-20T09:30:00.002+01:00

What is a UPS?

A UPS is a device connected between then mains electricity supply and your Computer Server or PC. It has two main functions:

It filters the mains supply to remove spikes which can cause failures; these spikes can be a thousand volts or more and last for a brief time; it is during this spike time that real damage can be caused to electronic components.
It takes over the supply of mains in the event that the mains electricity fails or worse goes into a state known as a brown out; this is where the supply falls to an unacceptably low level; it is during this time that disks can crash and data in memory is lost or corrupted.

Recently we suffered a momentary power failure at the building where my office is located. I heard a groan of complaint from other people in the building as their computers stopped working and any work was lost.

All my office equipment is connected to a UPS so all we could hear was the bleep, bleep of the warning signal telling us that the UPS was working correctly. We know that once this signal starts we have 10 minutes of usable time before then system batteries are exhausted. This allows time to complete the piece of work being carried out and shut the system sown in an orderly manner.

Are these UPS devices expensive? No, a couple of hundred pounds. Worth every penny when I hear the bleep, bleep, bleep.

April Fool's Joke?

2009-03-30T08:49:00.002+01:00

There has been a certain amount of publicity recently about the CONFICKER super worm which has infected hospitals, Royal Navy warships, industry and the latest news from a leaked memo says that our Parliament has also been infected.

The conficker worm spreads through several update mechanisms, a well-known Windows vulnerability and tainted USB drives being just two. Once it secures a foothold on an infected network, the worm can spread widely across network shares by exploiting weak password security, a major factor in its high prevalence within corporate systems.

Researchers have reverse engineered the worm and it is apparent that an event is targeted for April 1st (April Fools day) and while most April Fool's jokes are harmless this one may not be.

Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing. What effect that will have is at present unknown.

How can you protect your systems from the Conficker worm? This can be achieved through good security practices, including those defined in ISO27001:2005, The information Security Standard.

If you are worried about your systems and suspect that yours are infected there are a number of good detection tools available.

One indication that you may be infected is the inability to connect to various security web-sites, Conficker prevents your system gaining access.

We employ several layers of protection, including McAfee anti virus, anti spam/malware and email filtering so I was not unduly worried, but we did run a scan of all our systems just to be on the safe side.

We ran http://support.f-secure.com/enu/home/onlineservices/fsec/fsec.shtml, which is a free scan and this confirmed we were conficker free.

Don't be caught out and be an April Fool

It Isn't rocket science!

2009-03-17T16:10:00.004Z

I visit a fair number of businesses each year and I am often surprised by the real lack of security for computer systems. Many businesses either don't know about security or think that a security incident won't affect them.

Here are 10 basic security precautions for Windows machines :

Always set the option to force a user to press CTL-ALT-DEL before logging on
Passwords should be at least six characters long and contain letters and numbers
Don't use your name, your partners name or the name of a pet as a password
Don't write the password on a post-it note and stick it to the screen or under the keyboard
Passwords should be changed regularly
Don't share your password with anyone
Use ant-ivirus software and keep it up to date
Use an anti-spyware programme regularly
Turn on the inbuilt firewall (Windows XP and later machines)
When leaving the desktop or laptop unattended, lock the system by pressing the windows button and L

Simple steps can save real problems

Disability Discrimination Act

2009-03-04T20:21:00.003Z

A little while ago I was called by a man who claimed that he was having difficulty accessing my website and on further investigation it turned out that he was visually impaired. Apparently, and I must admit I was totally unaware of this requirement, all web-sites which offer goods or services to then public must take into account that some people wishing to access these sites may have disabilities.

I discussed this with Debbie Harrison of DVH Design, who looks after my website, and she has done a great deal of research and is in the process of upgrading my website to comply with this requirement.

Some people have difficulty reading the standard font used on sites and it should be possible for a user to select an enlarged font or a greatly enlarged font. In addition I understand that some users find difficulty reading black on a light background so the user should be able to select a different colour background.

The other requirement is for the user to be able to use a keyboard instead of a mouse.

I ran an internal quality auditing course some years ago where three partially sighted men from Action for Blind People, attended. They requested that I provide the written material for them in 36 point Times Roman instead of 12 point as had been the case for other delegates. This was easily provided and all three delegates not only passed then course but said that they had really enjoyed the two day.

It is a pity that those of us who have no such disabilities do not automatically think of those less fortunate and make then necessary adjustments need to allow easy access to our material.

I am certainly no expert but if you need any help with this may I suggest that you contact Debbie at DVH Design

Data Protection

2009-02-11T09:51:00.001Z

Following hard on the heels of the loss of 25 million child benefit records the Government agency, HMRC is to introduce some strict measures to prevent this type of loss in future; some would say this is shutting the stable door but better late than never is what I say.

The new measures put data protection firmly on the map for Government, no longer can they simply download data onto a DVD and put it in the post; measures actually prevent this taking place; equally the ubiquitous memory stick is barred.

Government is catching up quickly on the rest of us who had these sort of preventive measures in place already and were speechless when then loss occurred. It was even more surprising that the first batch of disks went missing and a second and third set were sent before someone owned up to it.

It is interesting to note that the revised ISO9001:2008 now mentions the protection of both intellectual property and personal data under the clause 7.5.4 Customer property. It is an indication of just how important this type of data protection is and how we should all treat it.

The Data Protection act covers personal data for living people only; it does not cover company data, unless this data applies to a person within that company.

Revealing person data in contravention of the act makes the person releasing then data personally liable. They cannot claim vicarious liability (putting the blame onto the company). If the data commissioner prosecutes it can be very serious, with custodial sentences for serious breaches.

Efficiency and the Credit Crunch

2009-01-28T21:57:00.004Z

You probably think that these two items, efficiency and credit crunch have little in common, but you would be wrong. Any downturn in the economy will put some businesses over the edge into insolvency but a sound business can, with some help, often capitalise on the opportunities available.
Here are a few ways to increase efficiency as well as saving money:

Look at your expenditure on energy - you have been meaning to replace those tungsten light bulbs with the more efficient energy saving bulbs - do it now;
Look at windows and doors - is there a draught coming through? - buy some draught excluders and you will save on heating;
Get people to dress for winter - summer clothes are for summer;
Get people to boil only enough water for hot drinks to serve immediate needs;
Check the office thermostat - one degree down will save a considerable amount of money without freezing everyone;
Look at your energy supplier - can you get a better deal?
If you use a company car or your own car to visit customers, plan your route to minimise the distance and combine visits if possible;

There are other ways to increase efficiency:

These include working from home if possible, video conferencing instead of face to face meetings and better planning of schedules.

If cash-flow is a problem and your Bank won't help then ask your suppliers if you can extend your credit terms.

Order only what you need, buffer stocks are costly in terms of space used and cash tied up.
And finally get someone who is not involved in your business to review your systems. A consultant may cost you a few hundred pounds but may identify improvements that will help you through then tough times. Remember a good consultant will be able to advise you on best practice and will be up to date with the latest technology and methods.

ISO9001, the Quality Standard can guide you to accepted best practice

ISO14001, the Environmental Standard can help you reduce pollution and save energy.

There are many more efficiency savings but using just these few can have a significant effect on your business.

Happy New Year

2009-01-04T10:23:00.002Z

We, at Quality Matters Limited, wish our readers a very happy and prosperous New Year.

For those seeking methods to secure a successful future we are pleased to give an outline of the most common standards in use today:

ISO9001:2008 The most recognisable standard. This is a Quality Management Standard and addresses best practice for all processes within a business, be it small, medium or large. This is often an entry point to many tenders. Without 9001 you may not get past the starting gate;

ISO14001:2004 The Environmental Management Standard. This standard is used to show that you are protecting the environment, as well as saving money, by using practices that ensure your aspects (anything that interacts with the environment) are as kind to the planet as possible. You should be able to demonstrate that you take care not to pollute and use energy as efficiently as possible. This is often the second entry point to tenders and contracts that specify environmental protection as a requirement;

ISO27001:2005 The Information Security Management Standard. This standard is fast becoming the standard that companies are seeking. Those holding data or information that requires protection can show that the systems in place can ensure data is confidential, integrity is protected and available to authorised users;

BSOHSAS 18001:2007 The Occupational Health and Safety Standard. This standard will provide the evidence that Health and Safety procedures are established and operated to ensure staff are protected from potential accidents and are fully engaged in this process.

There are other standards that apply to specific areas:

Food Safety (ISO22000)
IT Service Management (ISO20000)
BRC (British Retail Consortium Standard)
BBA ( British Board of Agreement Product Standard)

It is important that these standards are tested on a regular basis for continued suitability and conformance. This requires Internal Audit to be carried out.

Quality Matters is able to provide Professional Internal Auditor Training at an acceptable cost to allow your staff to carry out this function. See our Website for our next course venue and date.

These standards will prove that you are ahead of the competition and are following Industry best practice.

Security and the Credit Crunch

2008-12-23T21:22:00.002Z

The credit crunch has made the criminal fraternity even more determined to separate us from our hard earned cash.

Some of the latest scams are cleverer than ever; take the email currently doing the rounds, it says the most destructive virus ever is coming so email this warning to everyone you know, If you receive an email from someone you know with POSTCARD FROM HALLMARK, do not open it otherwise your hard disk will be totally erased. It is a hoax of course but people have been forwarding this email to their entire address book, unfortunately they have been sending the email to their address book as cc rather than then hidden bcc. The effect is that millions of email addresses are circulating the internet. Then bad guys then harvest these emails and use them as direct targeted email. This may entice us to part with passwords etc.

Emails sent from our banks asking for log-in and passwords to re-activate an account are again spurious as no bank would ever ask for this information in an email.

Prize winning emails which only require us to give bank details, full name, date of birth and usually a mother’s maiden name risk us being victims to identity fraud.

The one I think is particularly clever is the email supposedly from the HMRC saying that I had overpaid my tax and if I would care to send them my bank details they would credit the amount directly into my account.

And finally a word of caution about credit and debit cards; never let your credit or debit card out of your sight. If a chip and pin machine is used always insert the card yourself and NEVER tell the shop or other supplier your pin number. If you buy online always check that you are entering your details into a secure web-site. If there is a padlock shown and the site is https and not http.

I hope you can spend your money on those you choose and not let the criminals steal it.

Happy Christmas shopping.

ISO9001 Quality Management Standard

2008-11-18T20:51:00.003Z

This standard was last updated in the year 2000 and should have been reviewed last year but this was delayed until 2008.

The main changes in IS9001:2008 are as follows:

Clause 0.2 (Process approach)
Text added to emphasise the importance of processes being capable of
achieving desired outputs

Clause 1.1 (Scope)

Clarification that product also includes intermediate product
Information regarding statutory, regulatory and legal requirements

Clause 4.1 (General requirements)

Notes added to explain more about outsourcing
Types of control that may be applied to outsourced processes
Relationship to clause 7.4 (Purchasing)
Clarification that outsourced processes are still responsibility of the organisation and must be included in the quality management system

Clause 4.2.1 (Documentation)

Clarification that QMS documentation also includes records
Documents required by the standard may be combined
ISO 9001 requirements may be covered by more than one documented Procedure

Clause 4.2.3 (Document control)
Clarification that only external documents relevant to the QMS need to be
Controlled

Clause 4.2.4 (Control of records)
Editorial changes only (better alignment with ISO 14001)

Clause 5.5.2 (Management representative)
States that this must be a member of the organisation's own management

Clause 6.2.1 (Human resources)
Clarification that competence requirements are relevant for any personnel who
are involved in the operation of the quality management system

Clause 6.3 (Infrastructure)
Includes information systems as example

Clause 6.4 (Work environment)
Clarifies that this includes conditions under which work is performed and Includes (for example physical, environmental and other factors such as noise,
Temperature, humidity, lighting, or weather)

Clause 7.2.1 (Customer related processes)
Clarifies that post-delivery activities may include:

Actions under warranty provisions
Contractual obligations such as maintenance services
Supplementary services such as recycling or final disposal

Clause 7.3.1 (Design & development planning)
Clarifies that design and development review, verification and validation have
distinct purposes. These may be conducted and recorded separately or in any combination as suitable for the product and the organisation

Clause 7.3.3 (Design & development outputs)
Clarifies that information needed for production and service provision includes
preservation of the product

Clause 7.5.4 (Customer property)
Explains that both intellectual property and personal data should be considered
as customer property

Clause 7.6 (Now called Control of Monitoring and Measuring equipment)
Explanatory notes added regarding the use of computer software:
"Confirmation of the ability of computer software to satisfy the intended
application would typically include its verification and configuration management
to maintain its suitability for use."

Clause 8.2.1 (Customer satisfaction)
Note added to explain that monitoring of customer perception may include input
from sources such as customer satisfaction surveys, customer data on delivered
product quality, user opinion surveys, lost business analysis, compliments, and
dealer reports

Clause 8.2.3 (Monitoring / Measurement of process)
Note added to clarify that when deciding on appropriate methods, the organisation should consider impact on the conformity to product requirements and on the effectiveness of the quality management system.

The changes are so minor and no new requirements have been introduced that little effort will be required by users of the standard to achieve certification to the 2008 standard.

Health & Safety & BS OHSAS 18001

2008-11-03T20:13:00.002Z

My office is in a Business Park but on of my windows looks out on to some houses. Last week I was treated to an exhibition of all the things that builders shouldn't do.

Let me explain, the householder has sensibly decided to have cavity wall insulation installed but the workmen who arrived to do the job were rather cavalier in their attitude to health and safety. At one point one of them was standing on the apex of the attached garage leaning precariously out while holding a masonry drill; as he attempted to drill holes in the outer wall he kept losing his balance and I am amazed that he didn't fall. Some of the places he needed to drill were too high even for him and he proceeded to get a ladder from his van. Instead of using a scaffold tower, as required by law; he climbed up the ladder using one hand while dragging the electric drill with the other. I expected that, at the very least, his partner would have held the bottom of the ladder but no, he was preparing the equipment for injecting the foam insulation.

I am fairly sure that these two were not operating their company health and safety policies but were just lazy.

I had to go out to visit a client so I do not know how it all ended. I hope that it did not end in tears.

It is hardly surprising to know that the majority of industrial accidents occur on building sites and most involve some sort of powered tool.

I wish these two lads a long and healthy life but if their performance recently was anything to go by, I think that very optimistic. While I realise that youth seem to think they are totally invulnerable, I was young once myself after all, the safeguards offered by the modern health and safety legislation are not designed to restrict personal freedom, they can, and often do, save lives.

Before undertaking any work of this type they should have carried out a risk assessment, not a huge job given then task in hand. Then they should have used the correct protective equipment and safe working practices.

Environmental Measures and Common Sense

2008-10-20T21:24:00.005+01:00

Readers of this blog will know that I always advocate environmentally friendly measures and it is becoming increasingly clear that these measures are becoming the norm rather that the exception.

Measure 1 - I drive a Hybrid car - Not only does this car give me a good miles per gallon figure, it is comfortable, I pay only £15 per year road tax and I am exempt from congestion charges;

Measure 2 - By reducing my speed from 70 to 65 miles per hour, I have found that I now get between 55-60 miles per gallon. With fuel cost now becoming a significant expense this is a considerable saving.

Measure 3 - By reducing the thermostat by one to two degrees my heating bill will be reduced; it may not offset the huge rises in energy costs but it must go part way.

Measure 4 - I now turn off lights that are really not needed during the day; I open the blinds to let in natural daylight. The savings may not be great but contribute to then overall saving even with energy saving lighting.

Measure 5 - No equipment is left on standby; to do so would be wasting energy and money.

Measure 6 - If I feel cold; I put on a jumper rather than turning up the heat; I am often staggered to see people in summer clothes complaining about feeling chilly.

Measure 7 - I have changed Banks- not only because my previous Bank gave me such rotten service but my new Bank is within walking distance. No Car needed.

Measure 8 - We recycle as much as we can to reduce our impact on the environment.

Measure 9 - We buy in season food to reduce then air miles that our food travels; some of our food has travelled 10's of miles rather than hundreds.

Measure 10 - We buy our goods and services locally, wherever we can to reduce our carbon footprint.

Am I a crank, or just gloating at saving money (and the Planet)? I suspect that 10 years ago I may have been considered a crank but nowadays I am perfectly normal, and richer.

Data Security & You

2008-10-06T20:11:00.001+01:00

There has been considerable interest, and dismay, at the number of times sensitive data has been lost or stolen, indeed the amount of data lost seems directly proportional to the technological advances in devices and perhaps the stupidity or arrogance of their owners.

Desktop computers - these are sitting on our desks giving access to vast amounts of data, yet many people get up and leave their desks without a thought to the risk they are taking. I always lock my desk computer before leaving it, even for a few minutes, because I understand that a moments inattention could put my data at risk and seriously damage my reputation as a security conscious individual.

Laptop computers - these are becoming smaller and smaller. My latest acquisition has an 8.9 inch screen, no hard drive and is small enough to slip into my briefcase. The down side of this is that it is even easier to lose. I encrypt my data so that would not be a problem but the loss of the thing would be very inconvenient. The data is, however, safe.

Memory sticks and SDHC cards - probably the greatest threat to data known today. These tiny devices can hold giga bytes of data and yet can slip easily into a pocket. These devices should always be encrypted, but sadly many are not. All my data sticks have the ability to lock and encrypt data.

Mobile phones and PDA devices - most people do not activate the pin number lock to prevent unauthorised access and a s such they risk having their phone numbers taken, their email contacts list taken and if secret pin numbers and passwords are stored, then these are at risk. Add to that the ability of many devices to access business based systems and email remotely then it is easy to see what a major security threat these unprotected devices can pose.

I use a pin to protect my PDA and have set a pin to protect the sim card as well. If my device was lost or stolen, I can send it a text message which locks the PDA and no amount of fiddling will unlock it, even if a new sim card is inserted and the factory defaults enabled.

A recent survey mounted by the BBC shows just how many electronic devices are left in cabs. The number is staggering. The value of data and equipment is vast.

Moral - keep devices safe, encrypt data, activate pin numbers on phones and PDAs.

A Directors' brief on ISO27001 Information Security Management

2008-09-23T20:40:00.003+01:00

It is generally accepted that information is the greatest asset any organisation has under its control. Managing Directors are aware that the supply of complete and accurate information is vital to the survival of their organisations.

Today more and more organisations are realising that information security is a critical business function. It is not just an IT function but covers:

Governance;
Risk Management;
Physical Security;
Business Continuity;
Regulatory and Legislative Compliance.

Information Security

Business has been transformed by the use of IT systems, indeed it has become central to delivering business efficiently. The use of bespoke packages, databases and email have allowed businesses to grow while encouraging remote communication and innovation.

Most businesses rely heavily on IT but critical information extends well beyond computer systems. It encompasses knowledge retained by people, paper documents as well as traditional records held in a variety of media. A common mistake when incorporating an information security system is to ignore these elements and concentrate only on the IT issues.

Information security is a whole organisation matter and crosses departmental boundaries. It is more than just keeping a small amount of information secret; your very success is becoming more dependent upon the availability and integrity of critical information to ensure smooth operation and improved competitiveness.

C I A

Confidentiality
Integrity
Availability

These are the three requirements for any ISMS.

Managing Directors' Perspective

Your vision is central to organisational development; driving improvements in all areas of the business to create value. With information technology being key to so many change programmes, effective information security management systems are a prerequisite to ensuring that systems deliver on their business objectives. Your leadership can help create the appropriate security culture to protect your business.

Organisations are increasingly being asked questions about ISO 27001, particularly by national or local government, professional and the financial sector. This is being driven by adoption of the standard as part of their legal and regulatory obligations. In some areas this is becoming a tender requirement.

Others are seeing a competitive advantage in leading their sector and using certification in information security management to develop customer/ client confidence and win new business. With public concern over security issues at an all time high, there is a real need to build effective marketing mechanisms to show how your business can be trusted.

You will certainly be aware of your responsibilities for effective governance, and be answerable for damaging incidents that can affect organisational value. The risk assessment, which is the foundation of the standard is designed to give you a clear picture of where your risks are and to facilitate effective decision making. This translates into risk management, not simply risk reduction and therefore replaces the feeling many directors have of risk ignorance in this area. This will help you understand the potential risks involved with the deployment of the latest information technologies and will enable you to balance the potential downside with the more obvious benefits.

Whether, as part of compliance, such as required by Professional Bodies, Sarbanes Oxley, Data Protection Act, or as part of an effective governance, information security is a key component of operational risk management. It enables the formulation of effective risk analysis and measurement, combined with transparent reporting of ongoing security incidents to refine risk decisions.

Giving values to the impact security incidents can have on your business is vital. Analysis of where you are vulnerable allows you to measure the probability that you will be hit by security incidents with direct financial consequences.

An added benefit of the risk assessment process is that it gives you a thorough analysis of your information assets, how they can be impacted by attacks on their confidentiality, integrity and availability, and a measure of their real value to your business.

Although the detail within the risk assessment process can be complex, it is also possible to translate this into clear priorities and risk profiles that the Board can make sense of, leading to more effective financial decision making.

Business Continuity

How well would you cope if a disaster affected your business?

This could be from some natural cause such as flood, storm or worse from fire, terrorism or other civil unrest. The areas not often considered are sickness, failure of utilities or technology breakdown.

Business continuity planning in advance of a disaster can mean the difference between survival or extinction of the business.

Many of the businesses affected by the Bunsfield Fuel Depot disaster never recovered. Those with an effective business continuity plan have emerged like the phoenix from the ashes.

Many businesses claim to have a plan but if the plan is untested or ill prepared then it is bound to fail.

ISO27001 states that a fully planned and tested BCP should be in place to prepare for and be able to deal with, such an emergency.

ISO 27001 Sections

Security policy - This provides management direction and support for information security.
Organisation of assets and resources - To help manage information security within the organisation.
Asset classification and control - To help identify assets and protect them appropriately.
Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities.
Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information.
Communications and operations management - To ensure the correct and secure operation of information processing facilities.
Access control - To control access to information
Information systems acquisition, development and maintenance - To ensure that security is built into information systems.
Information security incident management -To deal effectively with any identified security incident.
Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.

Security and Banks

2008-09-08T21:56:00.004+01:00

I have just been through a most frustrating time with my bank. It all started when my landlord increased the rent and service charges for our offices in Tolleshunt Major; I went online, accessed my account and tried to amend the standing order to take account of the increased charges; a message told me that I couldn't do this on line but to contact the help desk.

I rang the help desk and was asked the usual security questions and one answer was rejected. I re-iterated that my answer was correct and the lady re-entered it only to have it rejected again. She obviously had entered it incorrectly as I had entered the same information to get online in the first place. I said that she must have entered the information incorrectly as I was on line. The next thing she says that the system has locked me out and she would have to pass me through to the online team. I expected the online team to unlock my account, but no; They would send me a form which I could complete and return to them and I would get an activation code to get me going again.

A week later the form arrived and I signed the appropriate part and sent it back. Four days later I received a letter telling me that they had had some technical problems with my log in and here was a temporary activation code which would be ok for a few weeks but they would need to change my customer number and supply me a new activation code for that new number. The activation code did not work so I telephoned again only to be told that they should not have sent the temporary activation code and had cancelled it before it arrived.

I asked when I could expect the new information and activation code; a few days was the response. A few days later the new customer number arrived and then the following day a new activation code.

With much trepidation I entered the new customer number and activation code; so far so good. I was then asked for a 4 digit pin number and a complex password. The password was accepted but the pin number was rejected. I telephoned yet again only to be told that any pin number cannot have a repeated number in it nor consecutive numbers. My pin number did have two numbers the same in the sequence but not sequential. I had used then same pin number for some time but change my password frequently. This was not good enough for NatWest. I was told either I used all their security requirements or I couldn't use their on line system at all. I protested saying that my security was ok two weeks ago before they messed up my access but not now. I asked if the Bank's security was more important than customer service. The sheer indifference shown by the chap on the other end of the phone left me in no doubt that I could do what I liked but they would not move at all.

This was the final straw in a saga that goes back months and included wrongly debiting my account with amounts that bore no relation to the printed cheques that my sage system had prepared, deducting income tax from the interest paid on business deposit account and then taking three months to repay it.

My branch bank manager keeps apologising but cannot do anything with the bureaucracy that is the bank.

Apparently I am an ideal customer, never pestering the bank staff, never exceeding my overdraft, never complaining about the charges levied. Prepare few cheques and carry out most of my banking online so there is little for the bank to administer . Our deposit account has a reasonable balance in it and my Gold Business card, used for business expenses is never over the agreed limit. So why treat me so badly? Perhaps it is a sign of the times where Banks have a virtual stranglehold on their customers, make an obscene amount of money and employ morons in call centres.

I am actively seeking another bank to handle my business banking; will I be able to find a good bank? I don’t know but surely customer service cannot be a bad as that I have been subjected to.

It is also strange that Quality Matters sets up secure systems including ISO27001 and we always advocate good security but we recognise, as do most institutions, that security is a trade off between total security where nothing gets done and lax security where systems are at severe risk. We know that there is a compromise point where good security also allows users to get on with their business. The balance seems to be lost on my bank.

Security gone mad.

The Credit Crunch and how to survive it

2008-08-25T13:08:00.001+01:00

When times get hardand it becomes difficult to maintain business levels and make money, the credit crunch and slow down in the economy is particularly unwelcome. So what can you do about it? You can work 'smarter' rather than harder, streamline your business, seek out inefficiencies and rectify them.

ISO9001, the quality management standard, has always been a method to incorporate best practice within any organisation. It brings in measures of customer satisfaction, which are essential during hard times, these help businesses to improve their attractiveness to customers and help to target new ones. The very last thing that any business wants is to have goods returned or services to be carried out again free of charge.

Continual improvement is also highlighted, as is the reduction of errors and mistakes. The Standard, if properly implemented, brings any business improved efficiency and better control of the quality of products and services.

The added advantage of a good quality management system is that an external authority is certifying that the systems employed by the business are effective and meet the requirements set out by the international standards organisation.

These include:

Documentation Requirements

Quality Manual
Control of Documents
Control of Records

Management Responsibility

Customer Focus
Quality Policy
Planning
Responsibility, Authority and Communication
Internal Communication
Management Review

Resource Management

Provision of Resources
Human Resources
Competence, Awareness and Training
Infrastructure
Work Environment

Product & Service Delivery

Planning of Product Realisation
Customer-Related Processes
Design and development
Purchasing
Product Provision & Service Delivery
Preservation of Product
Control of Monitoring and Measuring Equipment

Measurement, Analysis and Improvement

Measuring Customer Satisfaction
Internal Audit
Monitoring & Measurement of Processes
Monitoring & Measurement of Product or Service
Control of Nonconforming Product
Continual Improvement
Corrective Action
Preventive Action

If these elements are established and operated then the company is in the best position to weather the storms ahead.

Internal Quality / Environmental Auditing

2008-08-06T18:47:00.002+01:00

The ISO 9000 and ISO 14001 series of International Standards emphasise the importance of auditing as a management tool for monitoring and verifying the effective implementation of an organisation's policy for quality and/or environmental management.

A Quality or Environmental Audit is a systematic, independent examination of a quality or environmental management system. These audits are typically performed at defined intervals and ensure that the organisation has clearly defined internal quality or environmental monitoring procedures linked to effective action. The checking determines if the management system complies with applicable regulations or standards.

It is not enough to put a quality or environmental system into place; it must be tested on a regular basis, to ensure it is working, . . . . . . . . . . . . AUDITING.

The checks will include:

The management system documentation; does it adequately define the needs of the business?

The documented procedures and processes; are they practical, understood and being followed?

The training; is it adequate?

The timing and frequency of audits will vary depending on the importance of a particular part of the system but is predetermined and recorded. The audits are carried out by responsible persons independent of the activity being audited.

It is useful to have an audit programme spanning a set period.

The results of audits must be documented and should include the following:

The non-conformities found;

The corrective action required;

The agreed time for corrective action to be carried out.

Persons conducting audits should be properly trained to carry out the task objectively and effectively. Clearly, it is essential that everyone carrying out internal auditing should audit to the same standard.

Quality Matters has been providing these certificated courses since 1992 and are
designed to provide professional training in the principles and practice of audits of management systems for compliance with ISO 9001:2000, ISO14001:2004 and other standards.

The methodology employed is that set out in the Standard for quality and environmental management systems auditing ISO 19011:2002

The course is not IRCA registered but meets the training requirements of all the certification bodies for competence of Internal Auditors

Delegates who successfully complete the course will have sufficient knowledge of, and skills in, audit techniques to carry out internal audits of quality and/or environmental systems in their own organisations.

The twice yearly courses (April and November) are run locally in Colchester, Essex but bespoke courses can be arranged to be run in-house.

Next course 20 + 21 November 2008

For details and booking on this cost effective course, please see our Internal Audior Course page

ISO27001 Laptop Security

2008-07-28T20:39:00.001+01:00

More and more details are emerging concerning lax security of data and I am becoming increasingly concerned at the absence of even basic precautions to prevent unauthorised disclosure of data.

There have been laptops stolen, lost or simply forgotten at airports which contain sensitive information. Not long ago a Cabinet Minister had a desktop computer stolen, which had data not normally allowed outside Whitehall. The Minister concerned told the Press that it was safe as it was protected by a password. There was incredulity among those present as passwords are so easily overcome. One wag even enquired if the password was 'PASSWORD'.

Desktops and laptops often store system passwords in cmos which is a volatile store chip within the computer and is kept alive by a small coin type battery on the motherboard. This same chip holds the date and other start-up data. If you remove the battery and leave it for a few minutes, this data is lost and the password is removed. The other type of start-up password is held in an encrypted form on hard disk.

It is relatively easy to boot the computer from a CD or alternative operating system, access the password files and delete them. Rebooting the computer in the normal way shows that the password has been removed.

I am no computer expert, but this easy routine is readily available on the internet and it beggars belief that anyone, let alone, those in Government think that their data is secure when 'protected' in this flimsy way.

In my job I travel widely and I have a laptop which is protected by a password but the data I carry is on a separate removable drive which is encrypted at file level so that even if the drive was stolen and put into another laptop the data could not be accessed.

I use Folder Lock to secure my data. There are many other programmes available but I like this one.

Folder Lock is a fast file-security program that can password-protect, lock, hide and encrypt any number of files, folders, drives, pictures and documents in seconds. Protected files are hidden, undeletable, inaccessible and highly secure. It hides files from anyone other than the authorised user, safeguards them from viruses, trojans, worms and spy ware, and even protects them from networked PCs, cable users and hackers. Files can also be protected on USB Flash Drives, Memory Sticks, CD-RW, floppies and notebooks. Protection works even if files are taken from one PC to another on a removable disk, without the need to install any software. It locks files in Windows, DOS and even Safe Modes.

I know that my sensitive files are protected and that my Clients data is protected.

BS OHSAS 18001:2007 Occupational Health & Safety Management

2008-07-15T16:13:00.000+01:00

There has been a considerable increase in the number of enquiries that I have received for BS OHSAS 18001 certification. It seems that businesses are increasingly aware of the need not only to meet current legislation but to keep employees safe and morale high by demonstrating the 'OH' part (Occupational Health) as well as the safety element.

I have been offering Quality, Environmental and information security consultancy for many years but it became clear that I would need to include Health & Safety Management Consultancy as part of the service offered to Clients.

I enrolled in the BSI Certificate on Occupational Health & Safety Course, which is a distance learning system. There are eight modules provided on 3 CDs. Each module is concluded by an assignment. The assignments are marked by A BSI Tutor and the next module is commenced. The course material, both on the CD and in paper format was very good and gave me all the information I needed to pass the assignments. My Tutor was very complimentary about my assignments and there was only one instance where I needed to resubmit information.

Last Friday I received my Certificate and I am delighted that my knowledge has been greatly improved. I can see that the Standard 18001 is not just about Safety but also encompasses Health and wellbeing.

All in all I am very pleased with the result.

Integrated Management Systems

2008-06-30T18:54:00.004+01:00

The old favorite ISO9001, quality Management Standard, is often combined with ISO14001, Environmental Management Standard and more and more a three way integration is being called for. The third element is BS OHSAS 18001, Occupational Health & Safety Standard. The advantage of having a truly integrated system is that there are elements of all three Standards that are similar or the same:

All three Standards have a document control requirement;

The control of records is specified in all three Standards;

Training, competence & awareness is seen in all three Standards;

All three Standards have a requirement for internal auditing;

Management review is seen as the lynch pin for all the Standards;

Monitoring and measuring devices are used in each Standard;

Continual Improvement is key to all three;

Corrective action and Preventive Action are prime requirements.

It is clear with this amount of synergy, the effort in putting the standards into place can be greatly reduced, as can the costs. The benefits to the organisation can be immense and the incorporation of an integrated management system says a great deal about you:

It says in clear and unequivocal terms that you care about the quality of your products and/or services.

You care about the degree to which your customers are satisfied.

You care about the environment and the effect your operation is having on the planet.

You care about the health, safety and welfare of your employees, contractors and visitors.

And finally that you are sufficiently confident to get these systems externally tested and certificated.

Many Companies looking to place contracts and purchase goods are looking for organisations that have ISO9001 and increasingly have green credentials as well and look after their staff and can demonstrate it.

An Integrated System is the answer.

Environmentally sound and safe as well

2008-06-16T09:57:00.004+01:00

I drive many thousands of miles each year and to protect the environment I purchased a Honda Hybrid car in May 2007. This car uses a small petrol engine and an electric motor in an integrated propulsion unit.

The car returns some 45-50MPG and in addition is exempt from the London congestion charge. There is also a considerable saving in the car tax disc which is only £15 per year. All in all, I have been delighted with this car and recommended it to others.

Honda engineering also saved my life this week when I was involved in a crash which wrote off the car. The car was badly damaged but the driver's protection cell remained fully intact. My fear was that the car would catch fire, particularly with the high power batteries used within the car. My fears were unfounded. The Fire and Rescue Service cut the roof off the car so that they could slide me out on a spinal board. There was some concern that I may have had a whiplash injury. The Paramedics cut my suit off so that they could put a canula into my arm ready for any actions the hospital may need to carry out. The ambulance service took some Polaroid photographs of the scene and I was amazed that after being checked over at the hospital I was able to leave with no more that a bruise where the seat belt had been.
Had my car been an old one or one of a less robust nature then I doubt whether I would be writing this blog

Will I buy another Honda Hybrid?

I have already bought a new one to replace my one year old friend. I can drive it with confidence, knowing that in addition to doing my bit for the planet, Honda is doing all it can to ensure that I am safe in my car and even if the worst happens I have the best chance of surviving.

Thank you Honda

Security of Passwords ISO27001

2008-06-02T18:26:00.001+01:00

Each year, just before the INFOSEC (Information Security Exhibition) a test is carried out to asses the level of security placed upon workplace passwords.

This year your password could be exchanged for a chocolate bar. It is still shocking that some 64% of people challenged outside Liverpool Street railway station in Central London, were prepared to give their passwords away for a paltry chocolate bar. The findings were further segmented when the split of sexes was added into the equation; more of those giving away their passwords were women.

Where the questions were extended to ask for telephone numbers, place of work and dates of birth in exchange for the chance to win a holiday then results were down but still more women than men gave their details but only just.

The only crumb of consolation is that the total numbers prepared to compromise their personal or work security is down on last year by about 20%.

Government and big business continues to exhibit a less than satisfactory level of care with our security; indeed another case where there had been a problem with email attachments resulted in a disc being sent by normal post. The disc contained important information but was only protected by a basic password, which the company admitted, could be broken in a matter of minutes. The disc did not arrive.

It is not known how many of the security details given away at Liverpool Street Station were genuine and how many were simply wrong, but working on the 70:30 principle a good number were genuine. It is fortunate that details obtained were not used for any unauthorised use.... but they could have been.

Vigilance is required to ensure security of all our systems