Root Causes of Nonconformities

Clients often ask how we categorise the root causes of nonconformities that we discover within the organisation and within the products and services we deliver. We use the list below.

  1. Uncategorized (under investigation)
  2. Accidental loss of physical IT asset
  3. Theft or malicious interference with physical IT asset
  4. Malware attack
  5. Denial of service attack
  6. Failure or defective operation of physical IT asset
  7. Insecure configuration
  8. Phishing or social engineering
  9. Defect in 3rd party software
  10. Defect in our software
  11. Failure to follow authorised policies or procedures
  12. Utility service outage or defect
  13. Reported in error (not a nonconformity)
  14. Inadequate training
  15. Environmental (fire, flood, lightning, earthquake, etc.)
  16. Other

Because this set of reasons appears in pull-down lists we try to keep it to 16 or fewer, combining any newly identified causes with existing entries.  ‘Defect in our software’ covers a range of causes that include:

  • Coding error
  • Version misconfiguration of software components
  • Misunderstanding of requirement(s)

The ‘Reported in error’ category includes discovery of requirements never previously stated by the client and which could not be reasonably anticipated.

Cartoons for Information Security and Data Protection Awareness

Cartoons can form a valuable component of internal communications. They can help break up text and emphasise important messages. We are satisfied customers of the Glasbergen Cartoon Service. It offers a collection of high-quality, business-related cartoons that cover a wide range of topics including information security and data protection. When we have licensed cartoons from them, we have been able to find excellent examples closely aligned to the messages we wanted to focus on in-house. A sample of data protection and information security cartoons can be found here.


Client Data Security

Mobile Devices

All Security Management Consultants LTD’s laptop computers and PCs contain disks that are encrypted using the BitLocker facility that forms part of the Windows Operating System.  Strong passwords are enforced for operating system logins.

All smartphones used by employees are protected by access control mechanisms, and their storage, including any SD cards, is encrypted. Because the encryption key is bound to the handset, an SD card removed from the phone cannot be read in another device. By default, no client data is stored on SD cards.

Servers

All disk storage used in and attached to our physical servers is encrypted using the BitLocker facility that forms part of the Windows Server Operating System. Strong passwords are enforced for operating system logins.

Other than email (see below) and encrypted backups, no client data is stored in the virtual servers that we operate in-house or in ‘cloud’ services that we rent from trusted suppliers.  All of our virtual servers and the ‘cloud’ services that we use run on physical equipment that is located within the European Economic Area (EEA).

Backups

All backups of corporate information, including client communications, are encrypted at source. The encryption keys are held only by Security Management Consultants LTD and are not shared with other parties unless a valid, lawful request is made by a relevant law enforcement agency or regulatory body.

In-house image backups of laptop, desktop and tablet computers are created once each day when they are connected to our internal network.  These are stored on the main Windows Server whose disks are all encrypted as described above.

Online, encrypted, incremental backups of new and changed files are created eight times per day for laptop and tablet computers.  This happens when they are connected to the internal network or, when out of the office, to the Internet using company-supplied mobile telephony equipment.

A subset of the encrypted disks used for in-house server backups is held in our high-security data safe, which has a 120-minute fire rating. The safe and the servers are not co-located.

Backup tapes are no longer used and historical backup tapes have been disposed of securely.  We no longer have the ability to read or write magnetic tapes.

Email

Outgoing and incoming emails between clients and Security Management Consultants LTD pass through, or temporarily reside within, Microsoft-operated services located within the European Economic Area. When sending sensitive information by email we place it in an encrypted attachment and advise the recipient(s) of the key or passphrase by a separate channel, never in the same email.
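As an added illustration of the practice described above (this is example code, not the firm's own tooling, which the page does not describe), the following POSIX shell script shows one way to produce such an attachment with OpenSSL's `enc` command. The file names are hypothetical and the passphrase is taken from an environment variable rather than the command line so that it does not appear in process listings or shell history; it is then passed to the recipient by a separate channel.

```shell
#!/bin/sh
# Added example (not the firm's own tooling): password-protect a file so it can be
# sent as an email attachment, with the passphrase delivered by a separate channel.
# Requires OpenSSL 1.1.1 or later for `-pbkdf2`. File names used here are hypothetical.
set -eu

# The passphrase is read from the ATTACH_PASS environment variable rather than
# being given on the command line, so it does not show up in `ps` output or in
# the shell history.
require_pass() {
    [ -n "${ATTACH_PASS:-}" ] || { echo "ATTACH_PASS is not set" >&2; return 1; }
}

# encrypt_attachment FILE
# Writes FILE.enc: AES-256-CBC with a random salt and a key derived by
# PBKDF2-HMAC-SHA256 over 600000 iterations, to slow down offline guessing
# of the passphrase if the attachment is intercepted.
encrypt_attachment() {
    require_pass
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -md sha256 \
        -in "$1" -out "$1.enc" -pass env:ATTACH_PASS
}

# decrypt_attachment FILE.enc OUTFILE
# The KDF parameters must match those used for encryption; the salt itself is
# read from the "Salted__" header that openssl writes at the start of the file.
decrypt_attachment() {
    require_pass
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -md sha256 \
        -in "$1" -out "$2" -pass env:ATTACH_PASS
}

# sha256_of FILE
# Prints a digest of the plaintext. `openssl enc` in CBC mode provides
# confidentiality only, not integrity, so the digest lets the recipient
# confirm that the decrypted file is intact.
sha256_of() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Usage: ATTACH_PASS='...' sh attach.sh report.pdf   (writes report.pdf.enc)
if [ $# -ge 1 ]; then
    encrypt_attachment "$1"
    echo "wrote $1.enc; sha256 of plaintext: $(sha256_of "$1")"
fi
```

Two caveats apply. A digest quoted in the same email as the attachment only detects accidental corruption, since anyone able to tamper with the attachment could also replace the digest; where tamper-evidence matters, an authenticated format such as GnuPG's `--symmetric` mode or `age` is preferable to `openssl enc`. And the passphrase channel must genuinely be separate: reading it out by telephone or sending it by text message to a number already known for the recipient, rather than a reply to the same email thread.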

Faxes

We no longer operate a physical fax machine and no longer advertise an incoming fax number.  If a client wishes to send a fax to us, they should contact us to obtain instructions for doing so securely.

Paper Records

For environmental and other reasons we are actively reducing the amount of paper that we create, transmit and store.  Incoming paper documents and records will normally be scanned into the relevant project folder structure and the masters shredded securely prior to recycling.  A small number of paper documents and records is held in a single, metal filing cupboard that is locked when not in use.

Retention Periods

By default, we retain documents and records associated with client assignments for three years following the completion of the most recent assignment for the client.  Exceptions are:

  • Financial records relating to the work are retained for 7 years.
  • Insurance certificates relating to the work are retained for 40 years.
  • Training records, where the training has resulted in the issuance of a formal certificate of ‘attendance and successful completion’, are retained for 10 years.  This is to allow trainees to request duplicate certificates if the originals have been lost.


Statement on GDPR

Business-to-Business Services

Security Management Consultants LTD provides only ‘business to business’ services. We do not provide services to consumers. Our clients are private limited companies, public limited companies and government agencies.

Person Identifiable Data (PID)

We do not store, process or transmit consumer data or person identifiable data (PID) for our own purposes or on behalf of clients except for PID relating to our current employees, former employees and client representatives as described below.

Employee Person Identifiable Data

We do store and process personal data relating to our current and former employees in accordance with the requirements of the current UK Data Protection Act and the General Data Protection Regulation (GDPR), which applies from 25 May 2018. This data is not shared with third parties except where required by law or where necessary for the operation of our pension scheme.

Person Identifiable Data of Client Representatives

If we are a supplier to your business and need to communicate with you we will store the following information about you to allow us to carry out the work that we have been contracted to perform:

  • Name
  • Business email address
  • Business physical address or addresses where you normally work (if relevant to the work)
  • Business telephone number (if relevant to the work)
  • Business role title (if relevant to the work)
  • Details of planned and completed training that we have been contracted to deliver.

This data is not shared with third parties except where required by law.

Please see our ‘Client Data Security’ post for details of how we keep client information safe.

Person Identifiable Data Relating to Prospective Clients

If you have contacted us because you are considering engaging us as a supplier to your business we will store the following information that you provide about yourself and your business colleagues to allow us to communicate with you:

  • Name
  • Business email address
  • Business physical address or addresses where you normally work (if relevant to the work)
  • Business telephone number (if relevant to the work)
  • Business role title (if relevant to the work)

This data is not shared with third parties except where required by law.

If you subsequently decide not to engage us as a supplier we will retain the associated information for a period of seven months following the end of the period of validity of the most recently submitted proposal or quote unless requested otherwise.  This is to facilitate submitting a subsequent proposal or quote should the same or similar requirement arise in the near future.

Receipt of Unsolicited Personal Information

If, unsolicited, a member of the public provides person identifiable data (PID) to us, we delete the data as soon as practicable and advise the sender of this using the contact information they have provided.

Speculative Employment Enquiries

We do not retain unsolicited employment enquiries for future reference.

Data Protection Officer (DPO)

Please use the address stated on the Contact page to submit enquiries or to make requests to exercise your applicable rights under the UK Data Protection Act and, from 25 May 2018, under the General Data Protection Regulation (GDPR).

Protection of Client Data

Please see our ‘Client Data Security’ post for details of how we keep information relating to clients and prospective clients safe.