Sunday 24 April 2022

Professional services - concluding phase

Having introduced this blog series and covered information risks applicable to the preliminary and operational phases of a professional services engagement, it's time to cover the third and final phase when the engagement and business relationship comes to an end.

Eventually, all relationships draw to a close. Professional services clients and providers go their separate ways, hopefully parting on good terms unless there were unresolved disagreements, issues or incidents (hinting at some information risks).

It is worth considering what will/might happen at the end of a professional services engagement as early as the preliminary pre-contract phase. Some of the controls need to be predetermined and pre-agreed in order to avoid or mitigate potentially serious risks later on. Straightforward in principle ... and yet easily neglected in the heady rush of getting the engagement going. This is not unlike a couple drawing up their "pre-nup" before a wedding, or a sensible organisation making suitable business continuity arrangements in case of severe incidents or disasters ahead.

A potentially significant information risk in the concluding phase stems from the inappropriate retention by either party of [access to] confidential information obtained or generated in the course of the engagement - whether commercially sensitive or personal information. Imagine the implications of, say, a law firm being hit by a ransomware attack, office burglary or insider incident, giving miscreants access to its inadequately-secured client casework files and archives. Meta-information about the engagement, assignment/s and contracts may also be commercially-sensitive, for instance if the supplier deliberately under-priced the contract to secure the business and gain a foothold in the market, only to find it uneconomic to deliver the contracted services - a decidedly embarrassing situation if disclosed.

Information risks in this phase are amplified if the relationship ends in dispute, perhaps leading either party to complain bitterly about and criticise the other (whether truly justified or not). Reputations are at stake here, with the potential to cause brand damage that harms future business opportunities. Conversely, if things went well, there is value to be gained from positive references, case studies, endorsements etc. ... with further implications for the way the engagement is managed in the earlier phases. In other words, the way information risks are handled can lead to beneficial, neutral or detrimental business outcomes.

On an even more positive note, there are opportunities to draw out and learn the lessons from professional services relationships. What went well and is worth repeating if the opportunity arises? What went badly and should be avoided if possible? From either organisation's risk management perspective, what have we learnt about our threats, vulnerabilities, impacts and controls? What incidents could/should have been avoided or mitigated? As with post-incident reviews and audits, simply posing and answering such questions achieves little unless changes are then made to improve strategies, policies and procedures.

In the ethical dimension, as mentioned previously, the alignment and closeness that engenders trust between client and provider also makes them more vulnerable to exploitation, as guards are dropped. The professional services security guideline I am drafting will touch on aspects such as reminding those involved of reasonable and persistent ethical expectations going forward. At the very least, simply refusing to discuss the details of prior business arrangements is better than raising old wounds.

That's it from me for this blog series. I have more to say about the risks, controls, assurance, compliance, governance etc. for business services, and plenty of pragmatic advice to impart, but you'll have to wait for the guideline ... which may yet emerge as an ISO27k standard, complete with simplified checklists for each phase. Who knows?

Saturday 23 April 2022

Professional services - operational phase

Following on from the preliminary phase I covered yesterday, the longest phase of most professional services engagements is the part where the services are delivered. With the contractual formalities out of the way, the supplier starts the service, providing consultancy support or specialist advice. The client receives and utilises the service. Both 'sides' are important to both parties, since a professional service that isn't delivered and used doesn't generate value for the client, and is unlikely to lead to repeat business - such as additional assignments:


Deliberately taking a simplistic view once again, I have represented 'assignments' (which may be projects, jobs, tasks or whatever) as discrete pieces of work, each with a beginning, middle and end: 
 
Things are never so neat and tidy in practice. Some assignments may never really get off the ground, and some gradually diminish or peter out rather than coming to an abrupt end. On-again-off-again assignments are challenging to plan and resource. Assignments may blend into each other or split apart. If the same supplier resources (mostly people) are involved in multiple assignments, possibly for multiple clients, the work rate on each one may be reduced - and likewise for a busy client, juggling multiple activities and competing priorities.
 
[The guideline could address the lifecycle of each assignment within an engagement, as well as the overall lifecycle. I doubt the benefit would offset the added complexity, though.] 

Information risk-relevant aspects that deserve proactive attention include changes, incidents, performance and quality of service, and compliance. I plan to describe basic processes associated with each of those, briefly, in the guideline. Incident management, for example, should protect the interests of client and provider both separately and together, so communication and collaboration may be key.

Maintaining management's focus on information risk during this phase may involve: 

  • Opportunistically pointing out information risk-related concerns, issues with controls, compliance obligations, improvement opportunities etc.;
  • Incorporating information risk and security metrics into reporting (begging the question 'What metrics?'); 
  • Making information risk a standing agenda item for relationship management meetings, progress meetings, project meetings or whatever; 
  • Emphasizing mutual interest in minimizing incidents, wherever possible collaborating to reduce the probability and impact;
  • Reviews and audits to confirm the effectiveness of key controls, identify concerns and provide assurance.

It helps if such activities were discussed and agreed in the preliminary phase, perhaps being noted in the contract and incorporated into policies and procedures ... which means the guideline will be a worthwhile prompt. The same point applies to the concluding phase that I'll blog about tomorrow: knowing that there may be important information risk-related activities ahead through to the far end of a professional services engagement is something worth bearing in mind from the outset. Forewarned is four-armed, or something.

EU to standardise on ISO 31000 and ISO/IEC 27005?

"Risk management procedures are fundamental processes to prepare organisations for a future cybersecurity attack, to evaluate products and services for their resistance to potential attacks before placing them on the market, and to prevent supply chain fraud" says ENISA in the report "RISK MANAGEMENT STANDARDS - Analysis of standardisation requirements in support of cybersecurity policy" published in March 2022.

Not to be left behind, ENISA - originally the European Network and Information Security Agency (an official agency of the EU) - leapt aboard the cyber bandwagon, rebranding itself "The European Union Agency for Cybersecurity" when it became a permanent EU agency under the European Cybersecurity Act, regulation (EU) 2019/881.

Despite the vague title, RISK MANAGEMENT STANDARDS in fact primarily concerns "risk management [and] security of ICT products, ICT services and ICT processes" where 'risk' means "any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems." Apparently, "The main goal of risk management is (in general) to protect ICT products (software, hardware, systems, components, services) and business assets, and minimise costs in cases of failures. Thus it represents a core duty for successful business or IT management." In other words, the ENISA document revolves around IT risks, primarily, although it does casually mention 'enterprise risk management' which takes in operational, market, supply chain, project, strategic and other risks. 

Unfortunately, I haven't dug deep enough yet to reveal actual definitions of key terms such as "cybersecurity" or "sector". Evidently, we are supposed to just know what they mean. It doesn't help that the cited "Methodology for Sectoral Cybersecurity Assessments 2021" official download appears to be broken, but consulting another source I see that it doesn't even define those terms anyway. Furthermore, an embedded diagram suggests an unconventional interpretation of 'risk' and 'exposure', while 'threat' seemingly disregards unintentional and untargeted threats such as generic malware, accidents and storms:

 

 

RISK MANAGEMENT STANDARDS outlines a wide range of [IT] risk management standards and 'methodologies' (methods), primarily relating to cybersecurity. Aside from the usual suspects (ISO/IEC 27005, ISO 31000, BS 7799-3, SP800-39 and BSI Germany Standard 200-3 based on IT-Grundschutz), it reminds us of other less-well-known approaches such as EBIOS, MEHARI, FAIR, CRAMM and FINSEC, 'sector-specific' guidance from ISO/IEC, ETSI, CEN CENELEC, OWASP and others, and mentions 'global registers' (vulnerability databases) such as MITRE CVE, NVD and CNNVD.

RISK MANAGEMENT STANDARDS provides scant coverage of critical infrastructures at the global, EU, national and organisational levels, while defence industry and IT supply chain risks are barely even mentioned. It appears to be focused on the generic IT and Internet security version of 'cybersecurity'.

RISK MANAGEMENT STANDARDS suggests that, despite standardisation, the proliferation of approaches in this area is confusing and unhelpful. Organisations using different approaches analyse, measure and address risks in different ways, leading to different information security controls for essentially the same risks.

"The following results can be observed in several organisations:

1. Lack of coordination and alignment between the divisions responsible for business risk management or information security management and ICT staff regarding risk management;

2. Lack of conformity with regard to risk management language and the application of risk management between the divisions responsible for business risk management or information security management and ICT staff."

Conversely, given the inherently uncertain nature of 'risk', and the muddle of poorly-defined terms in this area, perhaps it is a good thing that different approaches are available and no single approach predominates. So long as each approach reveals useful and valid information, collectively building a reasonably complete picture that leads to appropriate actions being taken to address the risks, that's a rational counter-argument, right?

Anyway, RISK MANAGEMENT STANDARDS essentially recommends standardising on ISO 31000 and/or ISO/IEC 27005 through EU regulations. 

Given the report's weak, biased analysis, the pickle that ISO/IEC 27005 is in at the moment, and the emphasis on yet more regulatory mandates, I'm not convinced ENISA has selected the best approach.



PS  There are numerous abbreviations, few hyperlinked references (not even for ENISA's own reports) and some annoying inconsistencies in RISK MANAGEMENT STANDARDS (e.g. there is no "ISO/IEC 31000" since it is an ISO standard, not ISO plus IEC, and the current version of ISO/IEC 27002 is the 2022 edition, not 2013 or 2014 as stated at least once).

Friday 22 April 2022

Professional services - preliminaries

Yesterday I proposed a guideline on the information risk, security and privacy aspects of professional services. I introduced a simplistic 3-phase model for the business relationship through which one or more professional services assignments are delivered and consumed. 

Today, I'm exploring the preliminary phase.

Before professional services are delivered, client and provider form a business relationship. They determine the professional services required and offered, and of course negotiate the commercial arrangements. They also have the opportunity to decide how the services are to be provided, and how both the assignment/s and the business relationship are to be managed.

Contracting is an important control in its own right with significant information and commercial risks associated. The contract may for instance:

  • Be inappropriate for either organisation, the relationship and/or the professional service/s; 
  • Be informal, undocumented, invalid and hence unenforceable;
  • Bypass or shortcut due process;
  • Be uneconomic for either party; 
  • Be unfair, biased and perhaps unethical;
  • Lead to problems if an assignment fails or the whole relationship turns sour, perhaps as a result of an incident.

Contracting is a chance for both organisations to think forward, discuss and agree the governance, management, compliance, security/privacy, control and assurance needed for the remainder of the professional services lifecycle (both phases!). It may be infeasible, later on, to modify the terms or specify additional requirements and the associated arrangements for integrity, confidentiality, incident management etc., especially if relationship issues arise.

Also at this stage, client and provider conduct some form of due diligence checks on each other, exploring factors such as solvency, competence, qualifications, certifications and reputations. 

The manner in which both parties participate in this phase can be a valuable predictive indicator - a big clue as to how things are likely to pan out later e.g.:

  • Appreciation of each party's capabilities and concerns, plus their common interests in making a commercial success of the planned assignment/s and the business relationship as a whole;
  • The willingness to discuss, and flexibility in resolving any issues, perhaps even modifying the provider's 'standard contract terms and conditions' or re-wording service descriptions;
  • The professionalism and competence of those involved, plus their authority to make various decisions and commitments;
  • The nature of the communications - style, formality, speed, depth/volume, quality, relevance etc.;
  • More generally, the quality of the budding relationship: are things setting off on a positive note, or are there already potentially worrying signs that perhaps ought to be addressed now and monitored specifically in due course - assuming it goes ahead? Is there a cultural fit, here, or a misfit?

There's quite a lot going on in this phase, important stuff with potentially significant information risk, security and privacy implications. Consider, for instance, an organisation appointing an HR specialist to provide various HR support services (recruitment, background checks, employment contracts, disciplinary actions, HR advice on legal requirements etc.). The commercial aspects and details of the professional services typically dominate the discussions, while the information risks and controls may be downplayed or even neglected. The client may simply presume that the supplier knows what they are doing in the HR space, and will do whatever is required e.g. to comply with employment laws and regs, while the supplier may presume they are only required to deliver whatever is formally specified, with anything else (such as data privacy controls for GDPR compliance) requiring a contract variation (assuming they are capable and agree to do it, which is not guaranteed). The very fact that the client needs specialist professional services clearly suggests a lack of expertise in this area, a power imbalance and a vulnerability that the provider may actively exploit ... which doesn't bode well for the relationship ahead.
 
Given all that, I believe I can offer pragmatic advice in the form of a straightforward outline of the main aspects, coupled with simple checklists for the client and provider to work through at each phase, both independently and in some cases together. Would such a guideline and checklist be of interest to your organisation? Do let me know. Maybe you can help me draft and refine one!

Thursday 21 April 2022

Information risk and security for professional services

When you acquire or provide professional services, how do you address the associated information risks? I have in mind consultancy, advisory and other specialist services such as:

  • Building and construction services e.g. architecture, surveying;
  • Business services e.g. marketing and sales, strategy and management consulting, auditing, quality consulting;
  • Engineering services e.g. electrical and electronic design, materials science, measurement and calibration;
  • Financial services e.g. book-keeping and accounting, investment, tax and insurance advice, credit-checking;
  • Human resources services e.g. recruitment, employment disputes, mentoring and training;
  • IT and telecommunications services e.g. Internet services, cloud computing, technical support and advice, outsourced development, datacentre facilities;
  • Legal services e.g. commercial and family law, contracting, disputes, compliance, forensics, prosecution and defence, intellectual property protection;
  • Security services e.g. information risk and security consulting, IT auditing, digital forensics, identity and background checking, surveillance;
  • ... and others.

Professional services are information-centric: with some exceptions, information is the raw material, the purpose, the work product, the key deliverable. Through assignments, jobs, projects or tasks, professional services clients and providers exchange, generate and utilize information.

Thinking about the list of services, imagine what might happen if the information was:

  • Inaccurate, incomplete, inappropriate, out of date, mistaken, misleading or misinterpreted ('bad advice').
  • Disclosed or used inappropriately (e.g. if confidential business or personal information was leaked to and exploited by third parties).
  • Withheld or unavailable for some reason (e.g. if a consultant fell sick or a laptop was lost or stolen).

In theory, clients and providers should proactively identify, evaluate and address information risks relating to or arising from professional services in order to avoid, reduce or limit the damage arising from such incidents ... but how many actually do that in practice? Is it sufficient to 'trust the professionals'?

Large, mature organisations typically have the experience and experts on hand to ensure that appropriate controls are incorporated into the contracts plus the associated relationship and assignment management processes. Small, immature organisations may not have that luxury, and hence may have little option but to accept whatever the counterparty suggests/requires. Guess whose interests they are most likely to protect!

I am currently drafting a guideline on information security, privacy, governance, compliance and other controls to mitigate unacceptable information risks in professional services. Being a pragmatist, I am keen to promote practical, conventional and well-proven measures that are worthwhile for all types and sizes of organisation - good practices you could say. Not being a specialist in all the topic areas which professional services address (e.g. legal services), I propose to stick to generic guidance that is relevant to all types of professional services, leaving clients and providers to figure out the specifics - particularly on what 'bad advice' means in their context.

At this point, my suggestion is to separate out activities that are appropriate before the work commences, while it is happening, and after it is completed:

The guidance will describe various activities the client and provider can do separately and together to ensure things go well, principally concerning the information risk aspects.

What do you think? Do you agree such guidance would be worthwhile? Is there any relevant guidance already out there that I should know about and reference in the guideline? Does the proposed lifecycle approach make sense, or is there something better? Feedback, criticism and creative suggestions are very welcome, especially at this early stage. Please comment below or email me: Gary@isect.com 

I feed on your energy. Your comments spur me on. Say nothing and I might just forget the whole thing and find better things to do with my time ...