| What Shall We Do About...?

Just count to three...

Disclaimer:
All views expressed on this site are my own and do not represent the opinions of any entity whatsoever with which I have been, am now or will be affiliated.

Engagement:
Contracted to complete an internal audit on a main distribution centre for an overseas Client, who intended to bring the offices and warehousing into their certification scope

Brief:
  • Review position to move forward with certification.
  • Check that all documentation was current or required refining.
  • Verify employee awareness and responsibilities where understood.
  • Visit the secure site and walk through the security system they had established, review internal audit, certification, and accreditation reports.
Company:
Logistics centre for Europe supporting customers in all sectors, including configuration of PC’s and Servers to a base build. The headquarters have held ISO 27001 for 10 years. The security Director had released all security policies, procedures and work instructions, all audits in the local office and warehouse conducted internally. Online awareness programme in place with records kept of training.

Day of the audit:
Opening meeting with the management team and their information security consultant to go through how the review would take place and how reporting would work. I agreed to give them an overview of my findings and allow 30 days for them to provide any extra evidence after a headquarters review

…I would like to know are position to move forward with formal accreditation, I do not visit that often, but everything has been sent over and the audit reports are very positive…
Outcome Good Points:
The base ISMS documents where in place and could easily be adapted to any location and office size.
  • Finance and HR managed their systems and had their own IT administrator with an isolated network.
  • Logistics was the primary revenue stream, with continuously monitored and control in place.
Outcome Bad Points:
  • The ISMS documents had not been modified or adapted to the local environment. “…we were given them with very few instructions on what was required…”
  • The local risk and issues log was last updated in 2015 and had not been updated since that time. "...we are not sure what to do with it, it does not reflect our location and services we provide..."
  • Internal audits concentrated on quality, no training had been given to the team and they had not been given a budget to engage a security auditor.
  • Obviously with no resource they had not updated the statement of applicability. “…can you explain it to us please?…”
  • No management review had been undertaken for the ISMS. “...can you explain it to us please? …”
  • Improvement plan and process was available in a software tool, but not used for security. “…could we use this system?…”
  • Operational day-to-day risks and issues not captured “…we are too busy looking at GDPR at the moment…”
  • Customer information is it isolated? “…we have an isolated environment for sales, however once you are granted access you can see every level of customer (retail to law enforcement) and every purchase they have made, including delivery addresses, contact and purchase codes...”
  • The IT was not available for the three days on site. “…they had not been told of my arrival and had a very limited resource …”
  • Change control, patching and release. “…not established…”

  • Customer build was an interesting one, they had an isolated build server with secure configurations on it for some very important and secure customers, I asked the following questions.
    1. Is it networked? “…No, are customers demand total isolation…”
    2. Do you back-up the server? “…Yes…”
    3. Do you back-up the configuration files for the server and for customer builds? “…Yes…”
    4. Would it be possible to see where you store the backups? “…Yes…”
    5. My guide points to the server build rack. “…it’s there…”
      I had to ask the stupid question, you mean you build and backup on the same device? “…yes, we have done what was asked…”

Overall
I have considered what may have caused the problems:
  • Local team was isolated from the headquarters security team and therefore best practice.
  • Very little understanding of a Management System.
  • Weak internal and external audit findings had done them no favours.
  • Weak process checks and conducted by the operational teams themselves.
  • Customer contact centre monitoring and oversight was not established.

Just in case your interested
They decided to take an additional 12 months to resolve the findings, after they had completed the GDPR work, they did not see this as parallel project.
I will only use your Details to make contact, once any work is completed I will destroy the information

3 DAVENPORT PARK ROAD, STOCKPORT, SK2 6JU, UK