Welcome to the SecAware blog

I spy with my beady eye ...

21 Apr 2022

Information risk and security for professional services

When you acquire or provide professional services, how do you address the associated information risks? I have in mind consultancy, advisory and other specialist services such as:

  • Building and construction services e.g. architecture, surveying;
  • Business services e.g. marketing and sales, strategy and management consulting, auditing, quality consulting;
  • Engineering services e.g. electrical and electronic design, materials science, measurement and calibration;
  • Financial services e.g. book-keeping and accounting, investment, tax and insurance advice, credit-checking;
  • Human resources services e.g. recruitment, employment disputes, mentoring and training;
  • IT and telecommunications services e.g. Internet services, cloud computing, technical support and advice, outsourced development, datacentre facilities;
  • Legal services e.g. commercial and family law, contracting, disputes, compliance, forensics, prosecution and defence, intellectual property protection;
  • Security services e.g. information risk and security consulting, IT auditing, digital forensics, identity and background checking, surveillance;
  • ... and others.

Professional services are information-centric: with some exceptions, information is the raw material, the purpose, the work product, the key deliverable. Through assignments, jobs, projects or tasks, professional services clients and providers exchange, generate and utilize information.

Thinking about the list of services, imagine what might happen if the information was:

  • Inaccurate, incomplete, inappropriate, out of date, mistaken, misleading or misinterpreted ('bad advice').
  • Disclosed or used inappropriately (e.g. if confidential business or personal information was leaked to and exploited by third parties).
  • Withheld or unavailable for some reason (e.g. if a consultant fell sick or a laptop was lost or stolen).

In theory, clients and providers should proactively identify, evaluate and address information risks relating to or arising from professional services in order to avoid, reduce or limit the damage arising from such incidents ... but how many actually do that in practice? Is it sufficient to 'trust the professionals'?

Large, mature organisations typically have the experience and experts on hand to ensure that appropriate controls are incorporated into the contracts plus the associated relationship and assignment management processes. Small, immature organisations may not have that luxury, and hence may have little option but to accept whatever the counterparty suggests/requires. Guess whose interests they are most likely to protect!

I am currently drafting a guideline on information security, privacy, governance, compliance and other controls to mitigate unacceptable information risks in professional services. Being a pragmatist, I am keen to promote practical, conventional and well-proven measures that are worthwhile for all types and sizes of organisation - good practices you could say. Not being a specialist in all the topic areas which professional services address (e.g. legal services), I propose to stick to generic guidance that is relevant to all types of professional services, leaving clients and providers to figure out the specifics - particularly on what 'bad advice' means in their context.

At this point, my suggestion is to separate out activities that are appropriate before the work commences, while it is happening, and after it is completed:

The guidance will describe various activities the client and provider can do separately and together to ensure things go well, principally concerning the information risk aspects.

What do you think? Do you agree such guidance would be worthwhile? Is there any relevant guidance already out there that I should know about and reference in the guideline? Does the proposed lifecycle approach make sense, or is there something better? Feedback, criticism and creative suggestions are very welcome, especially at this early stage. Please comment below or email me: Gary@isect.com 

I feed on your energy. Your comments spur me on. Say nothing and I might just forget the whole thing and find better things to do with my time ...

1 comment:

  1. I stumbled on this while reading your 27002 review Gary. I was talking to my colleagues about this very subject about a week ago. Noticing the rise of questionable tactics around US CMMC adoption and the sales tactics promising "compliance" in weeks, etc. I think you're spot on when you suggest it requires an ISO Standard of its own and I think you should propose it to SC-27.