
Welcome to Implementing Security Policy as a Quality Process

Welcome to Implementing Security Policy as a Quality Process. Lloyd Hasche (Modern Technologies Corp), Jim Lightfoot (The James Group), Jim Engelkes (The James Group). Session T1-OPEN. Session Objectives: 1. Explain how quality practices can enhance information security implementation. 2. Have fun!


Presentation Transcript


  1. Welcome to Implementing Security Policy as a Quality Process Lloyd Hasche (Modern Technologies Corp), Jim Lightfoot (The James Group), Jim Engelkes (The James Group) T1-OPEN

  2. Session Objectives 1. Explain how quality practices can enhance information security implementation 2. Have fun!

  3. Introduction and Purpose 1. Why quality practices for Internet Security 2. Background 3. Requirement – Value added

  4. Value Added 1. Quality is a value of the information process 2. Security is an attribute of Quality (Denning) 3. People are the key agents of the quality process • Information Professionals need to apply quality management techniques (Stylianou and Kumar)

  5. Quality Information Process • Vq = f(Content, Open, Integrity)

  6. Quality Attributes ( Dorothy Denning ) • Utility • Functionality • Effort • Speed • Cost • Reliability • Security Security must contribute to overall quality and not degrade it

  7. IT professional is the key • Dimensions of IS Quality • Stakeholders • Implementation Issues • Customer focus • Process Approach • Leadership • Culture • Broad partnership and teamwork • Motivating the troops • Measurement and Constructive Feedback • Accountability for results & rewarding achievement • Self-assessment

  8. Dimensions of IS Quality • In-Process Stakeholders: Management, Process Owner, Process Participants • End-of-Process Stakeholders: Internal Customers, External Customers • Quality dimensions shown in the diagram: Administration Quality, Infrastructure Quality, Service Quality, Software Quality, Data Quality, Information Quality, Information Systems Quality, Quality of Business Processes Supported by IS, Enterprise Quality

  9. Conclusion: • Quality practices are key to success in information security implementation

  10. A Quote ... • “There is nothing more inefficient than doing efficiently that which should not be done at all.” Peter Drucker

  11. Quality Improvement Defined ... “..... a strategic, integrated management system for achieving customer satisfaction which involves all managers and employees and uses quantitative methods to continuously improve an organization’s processes.”

  12. Another Definition Quality is what makes it possible for a customer to have a love affair with your product or service. Telling lies, decreasing the price or adding features can create a temporary infatuation. It takes quality to sustain a love affair. Therefore it is necessary to remain close to the person whose loyalty you wish to retain. You must ever be on the alert to understand what pleases the customer, for only customers define what constitutes quality. The wooing of the customer is never done. Myron Tribus

  13. Two Perspectives... • Hardware vs. Software

  14. What are the functions of leadership?

  15. Why We Need To Change (diagram: Profit vs. Cost of Poor Quality (COPQ) vs. theoretical costs, i.e., the cost of doing the right things right the first time) • “The price of gaining knowledge is nothing compared to the cost of ignorance.” Anonymous

  16. Some Common Reactions • “It’s common sense.” • “Good management produces good quality.” • “I know all of this.” • “I know my business; Don’t tell me how to do it.” • “No need for change. We do it just fine now.” • “Doesn’t apply to my area.” • “We don’t produce products; We don’t have customers.” • “There is no way to change.”

  17. Traditional Management Philosophies • Taylorism • Management by Objectives / Results (MBO / MBR)

  18. A Quote ... • “A high-priced man does just what he is told and with no back talk ... when your manager tells you to walk, you walk; when he tells you to sit down, you sit down ...” FREDERICK TAYLOR

  19. How many ideas have your XY’s generated?

  20. Management by Results:The negative side • When standards are unattainable “games” are played and figures “juggled” • Fear tends to be the motivator • Fosters “play it safe” or “blame it on them” behavior • The organizational “box” becomes the customer • Production that exceeds standards is stored so it can be used another day • Fight “fires”, but never understand the process that caused the fire • Exhorting the masses

  21. Common Principles • DEMING - CROSBY - JURAN • Internal and external customers define quality • Management creates a quality culture • Quality is prevention-based rather than inspection-based • Systems and statistical thinking • Team approach • Continuous improvement of processes • Education and training is vital • An empowered workforce • A paradigm shift

  22. “Systems Thinking and Puzzles”

  23. A Process is ... “A series of sequentially oriented, repeatable operations having both a beginning and an end which generates either a product or service.” • It can be any set of conditions, causes, or inputs that work together to produce a given result or output. • Management is the ultimate owner of the process

  24. Deming Nugget • “I burn the toast, Jim scrapes it, and by God, we get it out.” Dr. W. Edwards Deming

  25. The Current Process (flow diagram: upstream → process → product → inspection; PASS → customer; FAIL → rework or scrap, with increased cost, lack of pride, burnout and delay downstream) • 94% of defects are caused by a common cause (the system) • 6% of defects are caused by special causes (people or events) • From “Out Of The Crisis” by W.E. Deming

  26. “We need to Change our Thinking” OLD THINKING → NEW THINKING • Work on Results → Work on Processes • Short-Term → Long-Term • Authoritarian → Participative • Status Quo → Continuous Improvement • Fear → Open Atmosphere • Conformity to Specifications → Customer Defined • Individuals Caused Defects → Process Caused Defects

  27. Open Book Management • If you want employees to act like owners you need to treat them like owners.

  28. When Use of Measurement Drives Improvement ... (diagram: QUALITY IMPROVEMENT and PRODUCTIVITY MEASUREMENT)

  29. When Desire for Improvement Drives Measurement ... (diagram: QUALITY IMPROVEMENT and PRODUCTIVITY MEASUREMENT)

  30. Identify customers • Internal • External • Ultimate

  31. Tools to Determine Customer Requirements • COPIS • Focus groups • Personal interviews • Surveys

  32. Do surveys tell all? • Who wrote your survey? • The most important numbers are unknown

  33. Key Quality Characteristics (KQC) • Work with your customer to get an operational definition for the KQC. • If the customer wants your service or product on time as their KQC; what is on time? • Get your customer to help define on time.

  34. Operational Definition (cartoon: In the Bleachers, by Steve Moore)

  35. Customer Expectations • Levels of customer expectations about quality • ONE - Assumed • TWO - Satisfied • THREE - Delighted • FOUR - ????

  36. Process flow charts are used to ... • Understand a system or process • Verify or clarify work processes • Identify customers/supplier relationships • Identify value-added work • Identify potential problems or opportunities for improvement • Eliminate redundant steps

  37. (flowchart: Originator → Type → Eval → Check (OK / NOT OK) → Check (OK / NOT OK) → Check → Send to HR → Check (OK / NOT OK) → File in Personnel record; legend “Value / Cost Added”: Value Added vs. Cost Added Only)

  38. “The Questioning Technique” • Analyze the process in its entirety, then ask the following questions about each task or step: • WHAT: • Why is it done at all? / Why is it necessary? / Why not eliminate it? • WHERE: • Why is it done there? / Why not change the place? / Why not change the sequence? / Why not combine? • WHO: • Why does the person do it? / Why not change the person? / Why not change the sequence? / Why not combine? • HOW: • Why is it done this way? / Why not do it a different way? / Why not improve it? / Why not make it easier?

  39. Process Flow Chart Diagram (humorous flowchart) • Does the damn thing work? YES → Don’t mess with it. NO → Did you mess with it? • Remaining nodes: Does anyone know? / You dummy / Will you catch hell? / Hide it! / You poor victim!!! / Can you blame anybody else? / The hell with it / No problem!!!

  40. “Paperwork Shuffle” Flowchart

  41. A Quote • “It is a capital mistake to theorize before one has data.” Arthur Conan Doyle

  42. A Message To Leaders • “If I had to reduce my message to management to just a few words, I’d say it all had to do with understanding and reducing variation.” W. Edwards Deming

  43. Basic Concepts • Variation is inherent in all processes • Individual fluctuations are random in nature • Stable processes fluctuate within predictable boundaries • Unstable processes do not fluctuate randomly • There are two kinds of variation: common cause and special cause (see slide 25)

  44. Example

  45. The Traditional Approach to Data... MONTH 1 • Incidents: 8 • Last Month: 10 • Change: -20% (good) • Comments: Good Job! Way to Go! Congratulations! Awards and Promotions to follow...

  46. The Traditional Approach to Data... MONTH 2 • Incidents: 11 • Last Month: 8 • Change: +38% (bad) • Comments: Get it together! Get tough! No more Mr. Nice Guy! Increase training! Threats and Warnings follow...

  47. The Traditional Approach to Data... MONTH 3 • Incidents: 12 • Last Month: 11 • Change: +9% (bad) • Comments: See attached trend analysis...

  48. The “Big Gear” Syndrome (diagram) • Questions: What happened? What are you doing about this? What’s going on? Why did this happen? What are we going to do? • Replies: I don’t know. I’ll go find out. I’ll get back to you with a plan. We’re looking! I’m looking! We’re looking! I’m looking!

  49. Trend Analysis (chart: Incidents per month, rising from 8 in Month 1 to 12 in Month 3) • Comments: You have lost control of your people, didn’t you see it coming? Emergency Training! Reprimand! One more increase and you’re fired!

  50. What a Traditional Manager might do... (chart: Commitments Met (%) from 0 to 100 on the vertical axis against Time in Weeks from 19 to 43, annotated with the manager’s reaction to each swing: Good job! That’s better! Watch out! What are you doing about this? You’re fired!)
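The contrast in slides 43 to 50 (reacting to every month-over-month change versus judging fluctuations against predictable boundaries), as an added example that is not part of the presentation: the incident counts 10, 8, 11, 12 are the deck's own figures, the twelve-month baseline used to set the boundaries is constructed, and the boundaries come from a standard c-chart for counts (mean plus or minus three times its square root), which the slides do not specify.

```python
"""Common-cause vs. special-cause variation on monthly incident counts.

Added example (not from the presentation). It compares the "traditional
approach to data" (slides 45-47: report each month's percentage change and
praise or punish accordingly) with a c-chart, the control chart used for
counts of events per period. A stable process fluctuates within the chart's
limits; only a point outside them signals a special cause worth chasing.
"""
import math
from typing import List, Sequence, Tuple


def pct_change(previous: int, current: int) -> float:
    """Month-over-month change, as the traditional manager reports it."""
    return (current - previous) / previous * 100.0


def c_chart_limits(baseline: Sequence[int]) -> Tuple[float, float, float]:
    """Centre line and 3-sigma limits of a c-chart fitted to a baseline period.

    For counts the variance is estimated by the mean itself, so
    UCL = c_bar + 3*sqrt(c_bar) and LCL = max(0, c_bar - 3*sqrt(c_bar)).
    """
    c_bar = sum(baseline) / len(baseline)
    sigma = math.sqrt(c_bar)
    return c_bar, max(0.0, c_bar - 3 * sigma), c_bar + 3 * sigma


def classify(counts: Sequence[int], limits: Tuple[float, float, float]) -> List[str]:
    """Label each period 'common' (inside the limits) or 'special' (outside)."""
    _, lcl, ucl = limits
    return ["special" if c < lcl or c > ucl else "common" for c in counts]


def traditional_view(counts: Sequence[int]) -> List[int]:
    """Rounded percentage change for each consecutive pair of months."""
    return [round(pct_change(p, c)) for p, c in zip(counts, counts[1:])]


# Constructed twelve-month history of a stable incident process (assumption:
# the deck gives no history, only the three months it reacts to).
BASELINE = [9, 11, 10, 12, 8, 10, 9, 11, 10, 8, 11, 12]
# The deck's figures: "last month" 10, then Months 1 to 3.
DECK_MONTHS = [10, 8, 11, 12]

if __name__ == "__main__":
    limits = c_chart_limits(BASELINE)
    print("traditional % changes:", traditional_view(DECK_MONTHS))
    print("c-chart centre/LCL/UCL:", [round(x, 2) for x in limits])
    print("classification:", classify(DECK_MONTHS[1:], limits))
    print("a genuine special cause:", classify([22], limits))
```

Run as a script it shows that the -20%, +38% and +9% swings the slides scold and celebrate all sit well inside the limits, while a month of 22 incidents does not.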
