Welcome to the SecAware blog

26 Jul 2019

NBlog July 26 - process control trumps document control

Departments that have an ISO 9000-type approach to quality assurance, or any other mature ‘management system’, typically have standard ways of managing documents involving things such as:
  • Document lifecycles from cradle-to-grave: how does the need for a new document arise? How does that happen, in practice? Who determines and specifies the requirements or objectives etc.?
  • Document ownership, accountabilities and responsibilities: who is in charge? Who has the final say? 
  • Classification of documents, even if only by name [policies, procedures, guidelines etc.], with implications for authorization, use, assurance, disclosure etc.;
  • Structured document review, update, authorization and release processes;
  • Standard, consistent document formats and styles – preferably emphasizing readability and utility – perhaps using templates with mandatory and optional elements;
  • Maintained and managed inventory of [important] documents, with some sort of overall architecture or framework – an important control, often neglected*;
  • Standardized document naming and referencing, ideally with a way to identify draft, current and deprecated/retired documents i.e. versions and dates;
  • Controlled release and deployment processes, including ways to ‘withdraw’ deprecated documents and other change management elements such as awareness and training for new ones;
  • Assurance and compliance aspects: for processes that are or include key controls, how do you ensure that they are operating correctly and effectively?
That’s potentially a massive amount of red tape/costly overhead, hinting at a more strategic perspective: focus on key processes, making sure they are well controlled (which includes but goes beyond the documentation) while relaxing control over lesser ones, consciously allowing them to drift a little. That in turn implies a means of identifying those ‘key’ processes. Particularly in the ISO27k context, the obvious mechanism to do so is risk assessment – which I’ve already hinted at in the form of document classification.

Another strategic aspect is innovation and creativity: if everything possible is tied down too tightly, there’s no wiggle room for people to explore and try out new approaches, even if those might be in the organization’s best interest. It might be worth leaving some latitude for innovative, creative approaches, or at least mechanisms to allow this under certain circumstances (e.g. studies and trials that, if successful, may lead to changes in the document-related processes). 

A simple example is the use of diagrams such as process flow charts, decision trees and mind maps to illustrate, summarise and lead people through processes, supplementing or reducing the words. Another is the use of electronic documents and displays in various formats – the electronic checklists now being used by many commercial pilots for example, plus automated process controls and electronic mimic panels in manufacturing, 'mission control', cockpits and other contexts where the information presented to the operator depends on the dynamic situation on the plant/equipment at that moment. 

* Just this morning, I was reading an insightful piece by Michael Rasmussen of 20/20 GRC about management getting into a panic when someone finally notices that they have accumulated hundreds or thousands of policies across the organization as a whole, all different types and statuses, with no central inventory and hence little to no control. It’s a mess! Think about it: even within the information risk and security areas, how many of us can say, for sure, what policies, procedures and guidelines we have in place right now, which ones are due for or undergoing review, which have/have not been officially authorized and released etc.? Expand that across HR, Finance, Ops and so on, and the scalability and control problems are obvious. “Use a Document Management System” might seem like a sensible solution, but the same issue applies: must the entire organization use the same DMS? Or if different DMSs exist, do they interoperate? How do we ensure they are internally and externally consistent?
