Questions the DPA should ask their I.T department
This overview continues the Eazi Security series on practical considerations for Designated Persons Ashore (DPAs) to ensure full compliance with Resolution MSC.428(98) on maritime cyber risk management.
It is generally accepted that it is legitimate and sensible for the DPA to delegate some of the safety management (ISM) tasks to others within the Company. However, the DPA cannot delegate their responsibility “to ensure the safe operation of each ship” and to monitor “… aspects of the operation of each ship” (ISM Code Section 4).
We have mentioned in previous blogs that some technical aspects of cyber security may be outside the scope of a DPA’s expertise. This is through no fault of the DPA: they tend to be experts in on-board operational matters and have a good “feel” for what is safe and unsafe on board. The finer points of digital security, and the associated technical jargon, may well be outside that expertise.
This makes managing effective compliance with the forthcoming changes to the ISM Code (MSC.428(98) – cyber security), for which the DPA is responsible, much harder than previous changes. Most DPAs will be relying on the Company’s IT Department to deliver the systems and control measures that satisfy an external ISM auditor.
In short, the DPA remains responsible for all aspects of the ISM Code but may not have all the cyber security knowledge and experience needed to ensure compliance. In that case the DPA will be required to show that there is sufficient oversight of the IT Department. There are many questions the DPA could ask of their IT Department to demonstrate that they are monitoring, and thereby complying with, the requirements of the ISM Code. Some of those questions may even be answered by the IT Department, although how complete and clear the answers are is, in our humble opinion, widely variable.
Here are five questions we would suggest the DPA ask (preferably with answers in writing, as evidence for the ISM auditor) to satisfy themselves that their IT Department is aware of the requirements of MSC.428(98) and is managing the risks appropriately:
Also, have the procedures that work ashore been adapted and tested to ensure that they work on board the vessel? Particular attention should be paid to the off-line (disconnected) environment on board: a procedure that assumes a live link to the Company network or to a vendor may fail at sea. And do the procedures cover all of the IT functions on board, particularly integrated bridge systems and their interfaces?
When was the last drill in which a server ashore was actually restored from backup? Or does the IT team only ever run desktop exercises, talking through a scenario without physically going through the process? It is amazing what problems come to light when you actually do it (someone does know how to get into that server room after hours – now where do we keep that spare key? Sound familiar? We have seen it happen).
It might also be worth looking at any management of change process the IT Department is following to implement the changes required by the new ISM Code requirements. Does the IT Department have a change plan? How is it being recorded? What involvement do you, as DPA, have in it? Are you up to speed with it? And what documentary evidence can you present to the external ISM auditor that demonstrates compliance with MSC.428(98)?
Questions often lead to more questions, and as a DPA your role is to monitor and to ensure. As for answers, we would suggest that when the external ISM auditor asks “… and what are you doing about cyber security?”, it is best not to reply “I’ve left all of that to the IT Department”.
If you wish to know more about Eazi Security and their world leading cyber security software solutions please contact Mr David Clayden Email David.email@example.com Tel +44 (0)7711 351463 Web www.eazisecurity.com