SQF - Necessity to include Cyber Attacks in Requirements of Crisis Management ?

16 replies to this topic

Bartholamew

    Grade - Active

  • IFSQN Associate
  • 9 posts
  • 0 thanks
0
Neutral

  • United States
    United States

Posted 20 February 2020 - 07:10 PM

I'm currently participating in our annual SQF audit at a satellite facility that mainly performs repacking with occasional food-contact activities. The auditor has taken a firm stance on issuing a non-conformance due to the fact that our crisis management plan doesn't include specific procedures for a cyber attack (section 2.1.5). I don't disagree that a cyber attack could be included in the crisis management plan, but my team feels that a cyber attack would not impact their ability to provide a continuous supply which meets quality and safety requirements.

 

This isn't something that I've encountered during audits of our other facilities which are much higher risk; needless to say, there's an opportunity to review our policies and make them more robust to address evolving risks, but I don't feel that the auditor's stance is aligned with the spirit of the requirement.

 

Is this something that we should push back on?



SQFconsultant

    SQFconsultant

  • IFSQN Fellow
  • 4,629 posts
  • 1135 thanks
1,125
Excellent

  • United States
    United States
  • Gender:Male
  • Interests:Just when I thought I was out - They pulled me back in!!!

Posted 20 February 2020 - 07:18 PM

Push back and challenge the finding.


All the Best,

 

All Rights Reserved,

Without Prejudice,

Glenn Oster.

Glenn Oster Consulting, LLC -

SQF System Development | Internal Auditor Training | eConsultant

 

 

Martha's Vineyard Island, MA - Restored Republic

http://www.GCEMVI.XYZ

http://www.GlennOster.com

 

774.563.7048


The Food Scientist

    Grade - FIFSQN

  • IFSQN Fellow
  • 1,057 posts
  • 268 thanks
208
Excellent

  • United States
    United States
  • Gender:Female
  • Interests:Food Science, Nature, SQF, Learning, Trying out new foods, Sarcasm.

Posted 20 February 2020 - 07:42 PM

A cyber attack can definitely be a threat to your food supply. It's part of food defense and crisis management (at least in my programs). What if someone hacked into your systems? Passwords? Revealed all your confidential information? What would you do?


Everything in food is science. The only subjective part is when you eat it. - Alton Brown.


SQFconsultant

    SQFconsultant

  • IFSQN Fellow
  • 4,629 posts
  • 1135 thanks
1,125
Excellent

  • United States
    United States
  • Gender:Male
  • Interests:Just when I thought I was out - They pulled me back in!!!

Posted 20 February 2020 - 07:47 PM

I'd respectfully ask for an OIP.




QAGB

    Grade - PIFSQN

  • IFSQN Principal
  • 685 posts
  • 262 thanks
115
Excellent

  • Earth
    Earth

Posted 20 February 2020 - 07:54 PM

When I worked in manufacturing, there was no way we could really conduct business as usual if we lost net service due to cyber attacks. 

EVERYTHING was tied to our network, and if our network went down, so did we. The only good news was that we had multiple server backups if someone really cared to mess around with our server, but if our internet went down for some reason, we sat and looked at each other until the network was operational again. 

 

Of course operations could still run, but we couldn't make/retrieve COAs for outgoing product or get to our data.

 

If you feel it's not tied to your business as usual plan, then you could certainly push back. However, I've always thought cyber attacks to be tied into security, business, and crisis management.


Edited by QAGB, 20 February 2020 - 07:56 PM.



Hank Major

    Grade - SIFSQN

  • IFSQN Senior
  • 317 posts
  • 101 thanks
33
Excellent

  • United States
    United States

Posted 20 February 2020 - 08:30 PM

In one of my Disaster Recovery plans, which has passed two auditors, I just describe how the data is backed up, the email is web-based, and how management is prepared to run over to Office Depot and buy replacement computers.




tadelong

    Grade - MIFSQN

  • IFSQN Member
  • 89 posts
  • 12 thanks
13
Good

  • Canada
    Canada

Posted 21 February 2020 - 08:17 PM

I include it as an option but have actually no fears about it being a problem. The only reason I have included it is because I am running out of "challenges" to cover.



MsMars

    Grade - PIFSQN

  • IFSQN Principal
  • 606 posts
  • 194 thanks
151
Excellent

  • United States
    United States
  • Gender:Female

Posted 24 February 2020 - 09:38 PM

Are cyber attacks specifically mentioned? Asking because I haven't been familiar with the code in a couple of years.  This seems like an extremely specific request to me and from what I remember of the requirements for this section IMO I don't believe this would warrant a finding.  Depending on how the rest of your audit goes, I'd consider challenging it.    

 

A cyber attack does have very profound effects on day-to-day business in ways you can't even imagine and very likely on food safety. I don't wish it upon my worst enemy.



tadelong

    Grade - MIFSQN

  • IFSQN Member
  • 89 posts
  • 12 thanks
13
Good

  • Canada
    Canada

Posted 25 February 2020 - 03:04 PM

 I do actually wish it upon my worst enemy, he deserves it.

 That said, we had a virus during peak season a few years back and it was a crushing blow to just be down for a single day. In 2019 we were hit by Hurricane Dorian and while power was restored in short order, our email was down for two weeks. It turns out when one of Bell's old email servers died they just decided to leave it dead. We were probably the only client whose email was still using it. Without question it put quite a severe strain on our business. We had to operate with cell phones only, calling in to our mailbox as able - and even those were down for a few days. A cyber attack that freezes your entire system... well you'd probably just pay them off (which is what I understand most large companies do do, just on the DL).



BostonCream

    Grade - MIFSQN

  • IFSQN Member
  • 72 posts
  • 22 thanks
11
Good

  • Canada
    Canada

Posted 25 February 2020 - 03:22 PM

BRC specifically pointed out cyber attack in their crisis program, but I don't see SQF mention it at all in the guidance. Yes it can affect food safety, but it's unreasonable to give a NC for something that the code didn't mention and we didn't think of...



SQFconsultant

    SQFconsultant

  • IFSQN Fellow
  • 4,629 posts
  • 1135 thanks
1,125
Excellent

  • United States
    United States
  • Gender:Male
  • Interests:Just when I thought I was out - They pulled me back in!!!

Posted 25 February 2020 - 03:57 PM

BRC specifically pointed out cyber attack in their crisis program, but I don't see SQF mention it at all in the guidance. Yes it can affect food safety, but it's unreasonable to give a NC for something that the code didn't mention and we didn't think of...

 

Well, there are a number of ways to look at things when you are an Auditor as this could easily go under known threats.

 

I had an interesting exchange with an owner of a company one day while doing their first SQF audit....

 

Me - watching an employee on the line picking his nose... frankly he was really getting into it!

Me - I express this to the owner.

Owner: the SQF Code says nothing about picking noses.

 

Yup, it ain't in there, he had a point.


Edited by SQFconsultant, 25 February 2020 - 03:58 PM.



Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 20,542 posts
  • 5662 thanks
1,544
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 25 February 2020 - 04:38 PM

Well, there are a number of ways to look at things when you are an Auditor as this could easily go under known threats.

 

I had an interesting exchange with an owner of a company one day while doing their first SQF audit....

 

Me - watching an employee on the line picking his nose... frankly he was really getting into it!

Me - I express this to the owner.

Owner: the SQF Code says nothing about picking noses.

 

Yup, it ain't in there, he had a point.

 

Hi SQF,

 

What was he then doing with his hands ?

 

3.4.1.1  All personnel engaged in any feed handling, preparation or processing operations shall ensure that products and materials are handled and stored in such a way as to prevent damage or product contamination.

(Hopefully a uniform with no pockets)


Kind Regards,

 

Charles.C


SQFconsultant

    SQFconsultant

  • IFSQN Fellow
  • 4,629 posts
  • 1135 thanks
1,125
Excellent

  • United States
    United States
  • Gender:Male
  • Interests:Just when I thought I was out - They pulled me back in!!!

Posted 25 February 2020 - 04:52 PM

Charles - someday you might get my dry sense of humor.

 

Of course it wasn't ok and yes he was directly handling food and yes, they failed the audit.

 

His job by the way was to make sure the shucked oyster meat was positioned correctly on the half-shell - thus he had to use his index finger on his left hand (he was left handed)  to move the oyster meat around - this of course being the same finger he used for picking his nose.

 

I guess if he had used his left index finger for the nose thing and his right index finger for the oysters it would have just been a major!

 

Another reason not to eat ready to slurp oysters on the half shell that come from a factory.




Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 20,542 posts
  • 5662 thanks
1,544
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 25 February 2020 - 06:15 PM

Hi SQFC,

 

Auditors got humour ?

 

Attached File  disbe.jpg   5.35KB   0 downloads

 

 


Kind Regards,

 

Charles.C


AC2018

    Grade - MIFSQN

  • IFSQN Member
  • 174 posts
  • 50 thanks
32
Excellent

  • United States
    United States
  • Gender:Female

Posted 07 July 2021 - 05:52 PM

My SQF auditor just issued a NC for not having addressed a cyber attack as well. I thought it was a good idea for a test but didn't realize I needed to address it in my plan.

 

I will take the NC and get it added but being from a small company, we can easily function without our "systems". Mostly everything we do is on paper and our only system would be internet access/emails. We have a back up server that everything (emails, documents, etc.) is on that can easily be switched out and we will be back up and running in no time. For these reasons I never considered a cyber attack as a real threat to shutting us down unlike if our electricity or water was shut off or a tornado came through our town. 

 

Luckily, it's an easy add to the program and I get a freebie scenario for next year  :sleazy:



YNA QA

    Grade - MIFSQN

  • IFSQN Member
  • 97 posts
  • 17 thanks
26
Excellent

  • United States
    United States
  • Gender:Female
  • Location:Kentucky
  • Interests:Crochet, Reading, Animals, Football

Posted 07 July 2021 - 08:43 PM

We added Cyber Attack to our Crisis Management Plan not too long ago after a possible incident. Auditors since have loved the change, and stated that CBs were looking for this in plans because it was becoming a more prevalent issue.

 

Unless it causes you to fail, I wouldn't challenge it. I think it's a valid point by an auditor. Unless you have exact copies of all required programs/paperwork in hardcopy, then you are looking at lost production, or limited production, and possibly production without critical food safety guidance materials. Cyber attacks can lock out entire systems, and that includes allergen matrices, formulas, CCP criteria, etc (unless available in hardcopy).

 

A recent auditor threatened an NC because I didn't have every single document, program, form available as a hardcopy. He said if he came to audit and the power went out, then he couldn't do his job, thereby meaning I wasn't following the SQF code of allowing my auditor to audit. Even when saying that I had a laptop with 8 hours of battery life with a copy of the SQF/HACCP programs and a back-up generator he still wanted to give me a NC. I talked him out of it but he said it's the first question he asks, and most people immediately get an NC.

 

I once had an auditor ask me how employees knew not to add random particles in a non-SQF certified area of the plant to food products. They specifically asked if I had trained employees not to go to other areas of the plant, grab handfuls of items, and walk back to the certified areas and add them to the food products (completely unprovoked, it was her first year auditing and I think she was a little too excited). My response was "do I need to train people not to spit in the food, or lick the surface they work on before they start packaging". She laughed and considered it seriously and then realized I was messing with her and she calmed down some. Glad she had some sense of humor.




AC2018

    Grade - MIFSQN

  • IFSQN Member
  • 174 posts
  • 50 thanks
32
Excellent

  • United States
    United States
  • Gender:Female

Posted 08 July 2021 - 11:52 AM

Agreed! And that was the auditor's point as well. We are seeing cyber attacks more and more often so I totally agree with him on having it. I just didn't think it would affect us enough to consider writing it into the plan. All the important documents we use on a regular basis are printed out and kept in storage trays. We keep a month's worth printed at a time so no issue there. I think for us it would be mostly the internet access/access to our local drive where everything is stored. Which again, we have a back up stored daily and kept off site. So we are prepared and know what to do; it just wasn't written down so I don't feel too terrible about it.

 

Oh wow! yeah, most people rely on access to their internal drives and internet so I can see where that  auditor is coming from. We have our whole program in hard copy form including all of our product specifications, CCP monitoring form, Cleaning forms, etc. I think it's always a good back up to have everything in hard copy form. 




