There are some folk who will tell you that you can't buy a newspaper without
an ISO 9000 and when you get your certificate you can only buy a newspaper
produced by a publisher who has ISO 9000 and vended by someone who holds a
certificate.
ISO 9000 is a quality management methodology/certification system which is
replacing national systems from folk like NIST in the US and BSI in the UK.
Like the earlier systems, ISO 9000 is great for Government procurement
officials (because it potentially reduces the number of Open Procurement
vendors and provides yet another tick box for procurement documents) and for
consultants (most corporations would have difficulty in producing all the
required documentation without help unless they simply stopped doing
business while they prepared for evaluation).
Like the old BSI BS5750 system, ISO 9000 does not really impose any special
constraints. The company has to formally document how it works. Small
companies may pay anything up to US$50K to produce this documentation, but
at the end of the process they may continue to work exactly as they always
did, with the same personnel, plant & machinery. If you call in to an auto
tyre shop which now displays a nice shiny ISO 9000 certificate you may not
notice any difference from your previous visit except their prices have gone
up and the manager has a new bookcase to hold his umpteen volumes of
procedure manuals (you will probably also notice that these manuals are the
only documents in the shop which are not covered with dirty finger prints).
If the ISO 9000 system works correctly, it is possible that some companies
will not be able to connect to the Internet. That isn't a function directly
of ISO 9000, but the way the enterprise produces and implements its
enterprise policy with the attendant risk policy. At the other extreme, a
company could hold ISO 9000 and not even require a firewall.
What is probably more significant is the current bureaucratic drift on data
protection and evaluation criteria and their relationship to ISO 9000.
There are now active moves by several governments to MANDATE given minimum
levels of security for every user of IT equipment who has to register under
data protection regulations. As data protection regulations are now set to
expand across the user base that means potentially EVERY IT user including
the home computer user. The mandated security levels will be expressed in
criteria terms and probably require that the security functionality has been
evaluated and certified under ITSEC or whatever. It will probably not accept
vendor 'designed to meet' claims.
As people like NIST and BSI are now closely involved in criteria
development, it is likely that a vendor will have to achieve ISO 9000 even
though some ITSEC Commercial Licensed Evaluation Facilities have already
stated publicly that they often have more problems with products supplied by
BSI/ISO certified developers. It could therefore follow that a company which
has achieved ISO 9000 will have to meet all data protection requirements
including the use of certified security technology and even to have his
systems accredited. This could mean that he will not be able to link to the
Internet or any other Information Super Highway unless he fits certified
network security systems. This could mean that most existing firewalls will
have to be replaced with certified firewalls (but certified firewalls don't
currently exist) or the user cuts his Internet links.
Fortunately we have not yet reached this level of government involvement in
our communications habits, but the question is - how long will it continue?
Ian J-B.
----------
From: firewalls-owner
To: duperret; lavondes
Cc: firewalls
Subject: Re: ISO 9000 Requirements & Firewalls
Date: 16 December 1994 14:51
> Some time, I overheard the opinion that you can't be on the net and obtain
> or keep ISO 9000 certification. I don't have the faintest idea why that
> should be, but then I don't know much about ISO 9000 except that it means
> *lots* of paperwork before, during and after :-)
>
> Does anyone have an idea ?
Yeah - the above is bunk, I'm afraid!
ISO 9000 has nothing to do with whether you're on the net or not...
Ross
--
Ross Parker           | KotHFJ '88 FJ1200, '64 Matchless G80CS (500cc)
MPR Teltech Ltd.      | Who cares if Mikey doesn't like 'em!
Burnaby, B.C., Canada | "Lisp has all the visual appeal of oatmeal
parker@mprgate.mpr.ca | with fingernail clippings mixed in" -- Larry Wall