10 replies to this topic

[AC2018]

Hello all, we recently went through our edition 9 SQF audit. We have a CA for not including a cyber attack in our crisis management program that I have submitted corrective and preventative action steps for. I thought what I included was very thorough but the comment is saying there is no documents uploaded to support preventive action. I included the crisis management plan document that includes we have assessed the potential for a cyber attacked and a walk through scenario of how we would handle this. I then included looking at other unlikely but potential scenarios like civil unrest or an epidemic which were also not previously included. What other preventative action can be submitted? Are they looking for more preventative action regarding the cyber attack? Or for the CA itself? I am just very confused at what else I can show to prove preventative action. Thanks! 

[Scampi]

do you mind including actual quotes from your CB with the identifying info blacked out or removed?

[AC2018]

Sure, 

 

Reviewer comments:

There is no documentation uploaded to support your preventive action. Also, recommend using 5 why system to determine the correct preventive action.

 

 

 

I completed a lengthy root cause which really goes in depth as to why it wasn't included originally. Corrective action was an explanation of adding the scenario into the existing program after assessing the scenario and potential outcomes. Preventative action was additionally assessing the program and adding in other unlikely but potential scenarios. I included the updated program with the submission. 

 

I can include my exact responses if that would help more than the summary provided above. 

 

Thanks!

[Scampi]

A) I would reach out to the CB (not the auditor) for clarification

 

B)  They cannot tell you what root cause method(s) to use so I would argue that comment   Here's the guidance   https://www.sqfi.com...ce-Document.pdf              it only says "such as...........5 whys"...........

 

C)  it sounds like they want to see the actual mock crisis record for a cyber attack---but that wasn't what the non conformance was issued for so I'd argue that as well

 

Is your business actually susceptible to a cyber attack?  Or are they just using the term de jour because of the recent cyber attack at the meat plant???

 

Sounds like your auditor is uninformed and under educated----------speak directly to the technical manager at your CB for a resolution

[olenazh]

Scampi nailed it completely! I would do the same.

[AC2018]

I appreciate all of the input. This really helps me because I thought everything I submitted was accurate and enough to have this accepted and I was just really stumped when I read that comment.. 

 

I would say that it is highly unlikely. We are a very small business (30 employees total) that repacks food and non food items for a few select customers. Our internal systems aren't anything crazy and are pretty old school. We have everything in place to handle a cyber attack if it were to happen, just didn't have it written out in the plan specifically. Which is what I explained in our root cause analysis. 

 

It was brought up in the audit because of all of the recent cyber attacks happening. 

 

Thanks again for the input!! 

Edited by AC2018, 15 July 2021 - 02:34 PM.

[MDaleDDF]

This whole thing seems odd to me.  Just today the President of the United States offered 10 million dollars for info leading to those committing cyber attacks.  

If the federal government can't do anything, what on earth are we supposed to do?!?!?!?!   Lol.....

[AC2018]

Hahahah valid point. 

[AC2018]

Update for anyone who is interested: 

 

I contacted the reviewer and what they are looking for is that we will review the list of scenarios annually and determine if there are any others that should be added. 

 

I had in the program already that the whole program would be reviewed, tested, etc. but not specifically calling out the list of scenarios to be reviewed. 

 

 

 

Thank you all for your help and a boost to my self-esteem when you were all on the same page I was! 

[Scampi]

WOW!!!!!!!!!!  

 

They be crazy...........we review the entire plan every year and then choose one as a mock crisis..........we do not list which will be reviewed when

 

 

Glad you were able to get clarity on what they were after!

Edited by Scampi, 15 July 2021 - 05:22 PM.

[AC2018]

Yeah same here. 

 

Just one more thing to add to the program...