I think the trick is to go into it knowing that you probably won't be
able to achieve every goal, but you have to budget for adding controls
and have some level of acceptable risk for right now and then for 2
years from now. In the medical world, it's the same as triage followed
by long-term care.
That's how the Six-Sigma fits into the picture. You're defining the
requirements and then looking for places where you can get the most
change and security for the least cost. It's a methodology, and one of
many similar process-betterment methodologies, but one that the
business-folk can understand because it has much mind-share right now.
When it comes time for a "changing of the guard" and TQM comes back into
vogue or 6SL is replaced by something newer and shinier, I'm going to
latch onto that, too--anything to spread the security religion. =)
Cheers
--Mike
Michael J Smith, CISSP-ISSEP michael.j.smith (at) unisys (dot) com [email concealed]
Information Security Architect
703.419.3109 W
491.3109 N
703.855.0890 C
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
> -----Original Message-----
> From: Brad Bemis [mailto:bradleyb (at) bradleyb (dot) net [email concealed]]
> Sent: Thursday, February 09, 2006 9:56 PM
> To: Smith, Michael J.; thomas.jones (at) hushmail (dot) com [email concealed]; psrc (at) securityfocus (dot) com [email concealed]
> Subject: RE: Process Improvement for Security
>
> Agreed - right now we are focused on framework integration using
> COBIT, ITIL, ISO 17799, CMMI, and Lean Six-Sigma. They all complement
> each other very very nicely.
>
> -----Original Message-----
> From: Smith, Michael J. [mailto:Michael.J.Smith (at) unisys (dot) com [email concealed]]
> Sent: Monday, January 30, 2006 10:14 AM
> To: thomas.jones (at) hushmail (dot) com [email concealed]; psrc (at) securityfocus (dot) com [email concealed]
> Subject: RE: Process Improvement for Security
>
> I know it's a little tangential, but I always equate these
> methodologies with Systems Security Engineering Capability Maturity
> Model (SSE-CMM).
> If you're into the whole Six Sigma/DMAIC approach, it's fairly easy to
> incorporate elements of SSE-CMM.
>
> http://www.sse-cmm.org/index.html
>
> HTH
> --Mike
>
> Michael J Smith, CISSP-ISSEP michael.j.smith (at) unisys (dot) com [email concealed]
> Information Security Architect
> 703.419.3109 W
> 491.3109 N
> 703.855.0890 C
> "Those who do not understand Unix are condemned to reinvent it,
> poorly."
>
> --Henry Spencer
>
> > -----Original Message-----
> > From: thomas.jones (at) hushmail (dot) com [email concealed] [mailto:thomas.jones (at) hushmail (dot) com [email concealed]]
> > Sent: Monday, January 30, 2006 10:58 AM
> > To: psrc (at) securityfocus (dot) com [email concealed]
> > Subject: Process Improvement for Security
> >
> > In line with my last post can anyone point me to a resource or does
> > anyone have any opinions on applying Six Sigma, balanced scorecards or
> > other business process techniques to information security?
> >
>