Good stuff but a few questions.

1. I don't see (and I maybe missing this due to IE7 rendering and mature
eyes) key processes like ensuring organizations revue log files, ensuring
background checks are done on new staff starters etc. Are your processes at
a higher level than that?

2. I don't think there are any COTS systems to do the workflow yet (?) so I
imagine this is indeed a significant cost involved in codifying IS017799.
Have you heard about any sort of cost / time / benefit analysis?

3. If you cant measure the direct and indirect cost today (which is what you
imply or at least the way I am reading it) how can you make a call on the
fact you will get greater costs? Maybe the whole BPM market is really a BS
market but there are some impressive ROI models being brandished around on
BPM for other sectors and I struggle to think they don't apply to security.
We like to think we are *different* but we really aren't IMHO.
-----Original Message-----
From: Fred Cohen [mailto:fred.cohen (at) all (dot) net [email concealed]]
Sent: Thursday, February 09, 2006 5:31 AM
To: Mark Curphey
Cc: 'Brad Bemis'; thomas.jones (at) hushmail (dot) com [email concealed]; psrc (at) securityfocus (dot) com [email concealed];
security-management (at) securityfocus (dot) com [email concealed]
Subject: Re: Process Improvement for Security

PRocess controls are increasingly being put in place through workflow
systems and these systems are starting to move toward codifying things like
ISO17799 but the level of customization required for an enterprise is very
substantial. It takes years of effort to get to this point. Certainly some
enterprises have achieved this. The core processes are reasonably described
in the "Enterprise Security Architecture" picture with drill-down on the
all.net Web site. But as you drive this into the detailed level, you find
that there are thousands of things to measure (and do) that go largely
unmeasured (and not done) today. The problem with getting security really
tied down like this is that the cost is prohibitive and that, while you will
get great security in terms of reduction in harmful incidents, you will also
get great costs. The goal of an enterprise is presumably to minimize (cost +
loss) associated with security issues.
Thus rather than get to a gold-plated security program, acceptance of small
risks is far less expensive than a process that leaves no holes. That's
where risk management has to come into play, and risk management seems to
say that doing security with a six-sigma approach leads to higher cost
without all that much lower loss.

FC

On Feb 8, 2006, at 10:44 PM, Mark Curphey wrote:

> Brad
>
> Interesting links, thanks. In my experience very few corporate
> security functions have even defined what their processes are in a way
> that then can be measured with any scheme like Six Sigma or otherwise
> so while an interesting idea proposed it seems the first step is to
> document / diagram the various processes. I would be interested if
> anyone has a good list of the core processes they think are needed in
> a commercial sec dept such as vuln management, continuity planning,
> risk assessment, security monitoring etc? Maybe ISO17799 is sufficient
> (I don't think so but) ......
>
> -----Original Message-----
> From: Brad Bemis [mailto:bradleyb (at) bradleyb (dot) net [email concealed]]
> Sent: Monday, February 06, 2006 9:07 PM
> To: thomas.jones (at) hushmail (dot) com [email concealed]; psrc (at) securityfocus (dot) com [email concealed];
> security-management (at) securityfocus (dot) com [email concealed]
> Subject: RE: Process Improvement for Security
>
> I just went through a week long Greenbelt training class on Lean
> Six-Sigma.
>
>
> I can see some real potential in the process improvements steps, and
> since my organization is adopting Lean Six-Sigma as its primary
> process improvement/quality management model, it can also function as
> a common language between IT and the Business. It isn't really
> anything new beyond general TQM, good business practices, and the
> like, but it does do a good job of encapsulating everything. The
> measurements, metrics, and ability to represent data in charts,
> graphs, and more are really quite impressive.
>
> In terms of usefulness, I am still somewhat unconvinced that it is a
> 'silver bullet' solution - everything comes down to having good data
> - meaningful data that can be used to serve a purpose. The metrics
> and measurements for information security have certainly come a long
> way over the last few years, but a lot of the people and
> process-oriented aspects of a security program (often the ones that
> have the most significant
> impact)
> can be somewhat difficult to measure
> in a meaningful way.
>
> A local company has been doing presentations on 'Security Kaizen'
> that have
> also been pretty interesting - a quick google search should get you
> pointed in the right direction. It provides some interesting ideas on
> metrics, measurements, process improvement, and security program
> development. Used in conjunction with the NIST Pub on security
> metrics for technology systems, and a few other odds and ends (like
> COBIT, ITIL, CMMI, ISO 17799, and the FFIEC IT Examiners Handbook to
> name a few) you can probably put together a very nice data collection
> method. I've also come across a few pretty good articles during my
> own google searching.
>
>
>
>> -----Original Message-----
>> From: thomas.jones (at) hushmail (dot) com [email concealed] [mailto:thomas.jones (at) hushmail (dot) com [email concealed]]
>> Sent: Monday, January 30, 2006 10:58 AM
>> To: psrc (at) securityfocus (dot) com [email concealed]
>> Subject: Process Improvement for Security
>>
>> In line with my last post can anyone point me to a resource or does
>> anyone have any opinions on applying Six Sigma, balanced scorecards
> or
>> other business process techniques to information security ?
>>
>>
>>
>> Concerned about your privacy? Instantly send FREE secure email, no
> account
>> required
>> http://www.hushmail.com/send?lH0
>>
>> Get the best prices on SSL certificates from Hushmail
>> https://www.hushssl.com?lH5
>
>
>
>

-- This communication is confidential to the parties it is intended to serve
--
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
ASP Press asp-presss.com Livermore, CA 94550

[ reply ]