Process controls are increasingly being put in place through workflow
systems and these systems are starting to move toward codifying
things like ISO17799 but the level of customization required for an
enterprise is very substantial. It takes years of effort to get to
this point. Certainly some enterprises have achieved this. The core
processes are reasonably described in the "Enterprise Security
Architecture" picture with drill-down on the all.net Web site. But as
you drive this into the detailed level, you find that there are
thousands of things to measure (and do) that go largely unmeasured
(and not done) today. The problem with getting security really tied
down like this is that the cost is prohibitive and that, while you
will get great security in terms of reduction in harmful incidents,
you will also get great costs. The goal of an enterprise is
presumably to minimize (cost + loss) associated with security issues.
Thus rather than get to a gold-plated security program, acceptance of
small risks is far less expensive than a process that leaves no
holes. That's where risk management has to come into play, and risk
management seems to say that doing security with a six-sigma approach
leads to higher cost without all that much lower loss.
FC
On Feb 8, 2006, at 10:44 PM, Mark Curphey wrote:
> Brad
>
> Interesting links, thanks. In my experience very few corporate security
> functions have even defined what their processes are in a way that then can
> be measured with any scheme like Six Sigma or otherwise, so while an
> interesting idea has been proposed, it seems the first step is to document /
> diagram the various processes. I would be interested if anyone has a good
> list of the core processes they think are needed in a commercial sec dept,
> such as vuln management, continuity planning, risk assessment, security
> monitoring etc? Maybe ISO17799 is sufficient (I don't think so but) ......
>
> -----Original Message-----
> From: Brad Bemis [mailto:bradleyb (at) bradleyb (dot) net [email concealed]]
> Sent: Monday, February 06, 2006 9:07 PM
> To: thomas.jones (at) hushmail (dot) com [email concealed]; psrc (at) securityfocus (dot) com [email concealed];
> security-management (at) securityfocus (dot) com [email concealed]
> Subject: RE: Process Improvement for Security
>
> I just went through a week long Greenbelt training class on Lean
> Six-Sigma.
>
> I can see some real potential in the process improvement steps, and since
> my organization is adopting Lean Six-Sigma as its primary process
> improvement/quality management model, it can also function as a common
> language between IT and the Business. It isn't really anything new beyond
> general TQM, good business practices, and the like, but it does do a good
> job of encapsulating everything. The measurements, metrics, and ability to
> represent data in charts, graphs, and more are really quite impressive.
>
> In terms of usefulness, I am still somewhat unconvinced that it is a
> 'silver bullet' solution - everything comes down to having good data -
> meaningful data that can be used to serve a purpose. The metrics and
> measurements for information security have certainly come a long way over
> the last few years, but a lot of the people and process-oriented aspects of
> a security program (often the ones that have the most significant impact)
> can be somewhat difficult to measure in a meaningful way.
>
> A local company has been doing presentations on 'Security Kaizen' that have
> also been pretty interesting - a quick Google search should get you pointed
> in the right direction. It provides some interesting ideas on metrics,
> measurements, process improvement, and security program development. Used
> in conjunction with the NIST Pub on security metrics for technology systems,
> and a few other odds and ends (like COBIT, ITIL, CMMI, ISO 17799, and the
> FFIEC IT Examiners Handbook to name a few) you can probably put together a
> very nice data collection method. I've also come across a few pretty good
> articles during my own Google searching.
>
>
>
>> -----Original Message-----
>> From: thomas.jones (at) hushmail (dot) com [email concealed] [mailto:thomas.jones (at) hushmail (dot) com [email concealed]]
>> Sent: Monday, January 30, 2006 10:58 AM
>> To: psrc (at) securityfocus (dot) com [email concealed]
>> Subject: Process Improvement for Security
>>
>> In line with my last post can anyone point me to a resource or does
>> anyone have any opinions on applying Six Sigma, balanced scorecards or
>> other business process techniques to information security?
>>
>>
>>
>> Concerned about your privacy? Instantly send FREE secure email, no account
>> required
>> http://www.hushmail.com/send?lH0
>>
>> Get the best prices on SSL certificates from Hushmail
>> https://www.hushssl.com?lH5
>
>
>
>
-- This communication is confidential to the parties it is intended
to serve --
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
ASP Press asp-presss.com Livermore, CA 94550