RE: Process Improvement for Security Feb 09 2006 06:44AM
Mark Curphey (mark curphey com) (1 replies)
Brad

Interesting links, thanks. In my experience very few corporate security
functions have even defined what their processes are in a way that can then
be measured with any scheme like Six Sigma or otherwise, so while it is an
interesting idea, it seems the first step is to document / diagram the
various processes. I would be interested if anyone has a good list of the
core processes they think are needed in a commercial sec dept, such as vuln
management, continuity planning, risk assessment, security monitoring,
etc.? Maybe ISO17799 is sufficient (I don't think so, but) ......

-----Original Message-----
From: Brad Bemis [mailto:bradleyb (at) bradleyb (dot) net [email concealed]]
Sent: Monday, February 06, 2006 9:07 PM
To: thomas.jones (at) hushmail (dot) com [email concealed]; psrc (at) securityfocus (dot) com [email concealed];
security-management (at) securityfocus (dot) com [email concealed]
Subject: RE: Process Improvement for Security

I just went through a week long Greenbelt training class on Lean Six-Sigma.

I can see some real potential in the process improvements steps, and since
my organization is adopting Lean Six-Sigma as its primary process
improvement/quality management model, it can also function as a common
language between IT and the Business. It isn't really anything new beyond
general TQM, good business practices, and the like, but it does do a good
job of encapsulating everything. The measurements, metrics, and ability to
represent data in charts, graphs, and more are really quite impressive.

In terms of usefulness, I am still somewhat unconvinced that it is a 'silver
bullet' solution - everything comes down to having good data - meaningful
data that can be used to serve a purpose. The metrics and measurements for
information security have certainly come a long way over the last few years,
but a lot of the people and process-oriented aspects of a security program
(often the ones that have the most significant impact) can be somewhat
difficult to measure in a meaningful way.

A local company has been doing presentations on 'Security Kaizen' that have
also been pretty interesting - a quick google search should get you pointed
in the right direction. It provides some interesting ideas on metrics,
measurements, process improvement, and security program development. Used
in conjunction with the NIST Pub on security metrics for technology systems,
and a few other odds and ends (like COBIT, ITIL, CMMI, ISO 17799, and the
FFIEC IT Examiners Handbook to name a few) you can probably put together a
very nice data collection method. I've also come across a few pretty good
articles during my own google searching.

> -----Original Message-----
> From: thomas.jones (at) hushmail (dot) com [email concealed] [mailto:thomas.jones (at) hushmail (dot) com [email concealed]]
> Sent: Monday, January 30, 2006 10:58 AM
> To: psrc (at) securityfocus (dot) com [email concealed]
> Subject: Process Improvement for Security
>
> In line with my last post can anyone point me to a resource or does
> anyone have any opinions on applying Six Sigma, balanced scorecards or
> other business process techniques to information security?

Copyright 2010, SecurityFocus