Data Privacy, Heartbleed and A Growing Energy Footprint: 2014 May Be A Bit Challenging For ICT Quality
As our readers know, we certify clients in the telecommunications and ICT industry to quality standards such as TL 9000, ISO 9001, ISO 14001 and ISO 27001. We also help many of these clients meet their recycling and e-waste objectives by helping them obtain R2/RIOS certifications.
Much has happened in the first quarter of 2014 that impacts the ICT industry in the areas of network quality, data security, environmental sustainability and recycling. Each of these business practices is subject to constant transformation and, in some instances, is under assault. The reality is that the environment is at stake, electronic waste is piling up, spying is the “new norm” and foreign attackers are chipping away at US data fortresses. What is an ICT supplier to do in 2014? Implement quality standards to mitigate these risks.
What makes our work in ICT so interesting is that these areas often intersect, requiring more complex and thoughtful quality frameworks to be implemented within organizations. For example, as everything moves to the cloud, data security is not the only issue (ISO 27001); there have been serious discussions about the increasing energy footprint of the digital economy and of ICT in general. This presents a bit of a quandary for suppliers who are committed to energy reduction and sustainability practices through their EMS (ISO 14001) while shifting more of their services to the cloud. Can you effectively balance the goals and objectives of an ISMS and an EMS simultaneously? We believe that you can.
If you’re sitting on the fence with regard to implementing any of these standards or if you’re considering whether it’s time to add an additional quality framework in your organization, here are some factors to consider and a Q1 update on what’s in play for these quality standards.
ISO 27001: Could the Heartbleed bug be good for Internet security?
Q1 2014 has been plagued with numerous data breaches involving retailers like Target, Michaels and a host of other vendors whose POS systems were compromised with very sophisticated malware. Verizon just published a study regarding the increase in espionage hacking originating from Eastern Europe. The continued revelations of Edward Snowden are the gift that keeps on giving and have forced many in ICT to examine the true value of privacy as a practice of “data security”.
These headaches have been compounded by the recent Heartbleed bug (a flaw in OpenSSL’s TLS heartbeat handling that lets a remote peer read server memory). It’s a bit unnerving to learn that the trusted “padlock of https” was left essentially unlocked for quite some time. Several articles in the past few weeks have reported that the NSA may have known about this massive flaw for at least two years, a claim the agency denies. The reported decision to keep the bug secret has renewed the heated debate over the security of the Internet in general, which certainly impacts the entire ICT industry. This recent article by re/code demonstrates that Heartbleed’s worst-case scenario, extraction of a server’s private key, has already been proven possible. That worst case matters for remediation: because leaked memory can include private keys, session cookies and passwords, patching OpenSSL alone is not enough; affected certificates must be reissued and the old ones revoked, and sessions and credentials reset. And what about the cloud? As providers utilize or shift to IaaS, PaaS, SaaS and SECaaS, what are the known and unknown risks? Is any data communication or transaction really secure?
Some IT experts have argued that the Heartbleed bug may have been a real wake-up call for information and Internet security. The bug could be viewed as a great real-world test of vulnerability management and incident response: how quickly an organization could find every affected system (including appliances and third-party services, not just its own web servers), patch, rotate keys and credentials, and tell its customers what had been done. What have you done in your organization to protect your company and your customers against this type of threat? At a bare minimum, establish rules for what is allowed and not allowed on your network, and keep an inventory of the software and versions running on it, because you cannot patch what you do not know you have. Here is a great link to an ISO 27001 Google Group thread discussing responses to Heartbleed utilizing this ISMS.
If you don’t think ISO 27001 matters, here’s one company’s attempt at going on the offensive with positive public relations regarding their ISMS. Snap Surveys explains how client data was unaffected by the Heartbleed bug and credits its ISO 27001 certification. To be precise, a certificate does not patch OpenSSL; what an ISMS provides is the asset inventory, patch process and customer communication plan that let an organization respond quickly and show its customers that it did. Consider implementing ISO 27001 today.
ISO 14001: Preventing pollution, eco-efficiency and life cycle thinking in the next revision?
We can attest to the value of ISO 14001 from the clients we’ve led to certification. Sustainability and environmental stewardship are no longer buzzwords. Reputable brands and corporations (not just ICT organizations) are implementing environmental benchmarks and reporting processes.
ISO recently conducted a survey of users of the environmental management system standard ISO 14001. The survey was designed in part to get a better idea of what organizations see as the main benefits of ISO 14001 and what could be improved, as the standard is currently being revised. According to the survey results, the issues that most required more attention were:
• reducing and controlling pollution
• strategies for efficient use of resources and reducing waste and pollution
• evaluating the environmental aspects related to the life cycle of products and services
You can obtain a copy of all survey data and reports from ISO. The revised standard is currently at the draft stage, and the goal is to “future proof” ISO 14001 to address all elements of environmental management, including energy efficiency and energy reduction. Energy reduction has been the subject of many technical articles with regard to the ICT industry, with some pointing out that the Internet is far from green.
The energy requirement of a growing “digital” economy (telecom, data centers) appears to be placing increased demand on the power grid at a time when energy reduction is the preferred trend. Potential conflict? Perhaps. That’s why it is very important for ICT companies to examine energy reduction and implement an EMS like ISO 14001 to set goals and objectives for environmental management. Want some ICT best-practices guidance? AT&T and the Environmental Defense Fund (EDF) are releasing their best practices and a toolkit that other companies can use to assess performance at their own facilities.
R2/RIOS: How are you dealing with e-waste?
This leads to the subject of e-waste and recycling. Environmental management has many tentacles. Specific to the ICT supply chain, many of our clients who are certified to TL 9000 (the telecommunications quality standard) are now required to address electronic waste and recycling, either in their own organizations or as a condition of doing business as a Tier 1 supplier. There are multiple ways to meet this objective, and we’ve been writing about this on our blog since 2011.
The two prevailing approaches are R2/RIOS and e-Stewards. In our industry, we are assisting more clients with R2/RIOS certifications and you will soon see this as a new practice area on our website.
In fact, a recent article from GreenBiz addresses how e-waste is now a serious problem in the developing world, and another provides a quick breakdown of the current rules for recycling electronic waste. We see this trend continuing, and we know that most of our ICT clients will be forced to address this issue internally and with corporate customers in 2014 and beyond. Consider obtaining an R2/RIOS certification as a potential solution.
As you can see, ICT quality has many layers beyond general quality and network quality (which are well managed through TL 9000 and ISO 9001 certification). TL 9000 is expanding to deal with network security and next-generation technologies. However, ICT quality also intersects with other important business quality challenges.
How will you deal with data security, energy management and e-waste? Consider the additional standards we’ve outlined!
For more information on ISO 14001, ISO 27001 and R2/RIOS certification, please contact us at email@example.com.