T1-OPEN
Welcome to
Implementing Security Policy as a Quality Process
Lloyd Hasche (Modern Technologies Corp)
Jim Lightfoot (The James Group)
Jim Engelkes (The James Group)
Session Objectives
1. Explain how quality practices can enhance information security implementation
2. Have fun!
Introduction and Purpose
1. Why quality practices for Internet Security
2. Background
3. Requirement – Value added
Value Added
1. Quality is a value of the information process
2. Security is an attribute of Quality ( Denning)
3. People are the key agents of the quality process
• Information Professionals need to apply quality management techniques (Stylinanio and Kuman )
Quality Information Process
Vq = f ( Content, Open, Integrity)
Quality Attributes
( Dorothy Denning )
Utility
Functionality
Effort
Speed
Cost
Reliability
Security
Security must contribute to overall quality and not degrade it
IT professional is the key
Dimensions of IS Quality
Stakeholders
Implementation Issues
• Customer focus
•
Process Approach
• Leadership
•
Culture
• Broad partnership and teamwork
• Motivating the troops
•
Measurement and Constructive Feedback
• Accountability for results & rewarding achievement
•
Self-assessment
Dimensions of IS Quality
In-Process
Stakeholders
• Management
• Process Owner
• Process Participants
End-of-Process
Stakeholders
• Internal Customers
• External Customers
Infrastructure
Quality
Administration
Quality
Software
Quality
Information
Systems
Quality
Data
Quality
Service
Quality
Information
Quality
Enterprise
Quality
Quality of
Business
Processes
Supported by
IS
Conclusion:
Quality practices are key to success in information security implementation
A Quote ...
“There is nothing more inefficient than doing efficiently that which should not be done at all.”
Peter Drucker
Quality Improvement Defined ...
“..... a strategic , integrated management system for achieving customer satisfaction which involves all managers and employees and uses quantitative methods to continuously improve an organization’s processes .”
Another Definition
Quality is what makes it possible for a customer to have a love affair with your product or service. Telling lies, decreasing the price or adding features can create a temporary infatuation. It takes quality to sustain a love affair .
Therefore it is necessary to remain close to the person whose loyalty you wish to retain. You must ever be on the alert to understand what pleases the customer, for only customers define what constitutes quality. The wooing of the customer is never done .
Myron Tribus
Two Perspectives...
Hardware vs. Software
What are the functions of leadership?
Why We Need To Change
Profit
Profit
(COPQ)
Theoretical costs i.e., Cost of
Doing the Right
Things Right the
First time
(COPQ)
Theoretical costs i.e., Cost of
Doing the Right
Things Right the
First time
“The price of gaining knowledge is nothing compared to the cost of ignorance.”
Anonymous
Some Common Reactions
“It’s common sense.”
“Good management produces good quality.”
“I know all of this.”
“I know my business; Don’t tell me how to do it.”
“No need for change. We do it just fine now.”
“Doesn’t apply to my area.”
“We don’t produce products; We don’t have customers.”
“There is no way to change.”
Traditional Management
Philosophies
Taylorism
Management by Objectives / Results (MBO /
MBR)
A Quote ...
“A high-priced man does just what he is told and with no back talk ... when your manager tells you to walk, you walk; when he tells you to sit down, you sit down ...”
FREDERICK TAYLOR
How many ideas have your XY’s generated?
Management by Results:
The negative side
When standards are unattainable “games” are played and figures “juggled”
Fear tends to be the motivator
Fosters “play it safe” or “blame it on them” behavior
The organizational “box” becomes the customer
Production that exceeds standards is stored so it can be used another day
Fight “fires”, but never understand the process that caused the fire
Exhorting the masses
Common Principles
DEMING - CROSBY - JURAN
Internal and external customers define quality
Management creates a quality culture
Quality is prevention-based rather than inspection-based
Systems and statistical thinking
Team approach
Continuous improvement of processes
Education and training is vital
An empowered workforce
A paradigm shift
“Systems Thinking and Puzzles”
A Process is ...
“A series of sequentially oriented, repeatable operations having both a beginning and an end which generates either a product or service.”
– It can be any set of conditions, causes, or inputs that work together to produce a given result or output.
–
Management is the ultimate owner of the process
Deming Nugget
“I burn the toast, Jim scrapes it, and by
God, we get it out.”
Dr. W. Edwards Deming
The Current Process
R
E
A
M
U
P
S
T
PROCESS
PRODUCT
REWORK
PASS
INSPECTION
FAIL
CUSTOMER
SCRAP
S
T
R
E
D
O
W
N
A
M
- INCREASED COST - LACK OF PRIDE - BURNOUT - DELAY
94% of defects are caused by a common cause (the system)
6% of defects are caused by special causes (people or events)
From “Out Of The Crisis” by W.E. Deming
“We need to Change our Thinking”
OLD THINKING
Work on Results
Short-Term
Authoritarian
Status Quo
Fear
Conformity to
Specifications
Individuals Caused
Defects
NEW THINKING
Work on Processes
Long-Term
Participative
Continuous
Improvement
Open Atmosphere
Customer Defined
Process Caused Defects
Open Book Management
If you want employees to act like owners you need to treat them like owners.
When Use of Measurement
Drives Improvement ...
MEASUREMENT
QUALITY
IMPROVEMENT
AND
PRODUCTIVITY
When Desire for Improvement
Drives Measurement ...
QUALITY
IMPROVEMENT
AND
RODUCTIVITY
MEASUREMENT
Identify customers
Internal
External
Ultimate
Tools to Determine Customer
Requirements
COPIS
Focus groups
Personal interviews
Surveys
Do surveys tell all?
Who wrote your survey?
The most important numbers are unknown
Key Quality Characteristics
(KQC)
Work with your customer to get an operational definition for the KQC.
If the customer wants your service or product on time as their KQC; what is on time ?
Get your customer to help define on time .
Operational Definition
In the bleachers/Steve Moore
Customer Expectations
Levels of customer expectations about quality
– ONE - Assumed
– TWO - Satisfied
– THREE - Delighted
–
FOUR - ????
Process flow charts are used to ...
Understand a system or process
Verify or clarify work processes
Identify customers/supplier relationships
Identify value-added work
Identify potential problems or opportunities for improvement
Eliminate redundant steps
Value / Cost Added
Value Added Cost Added Only
Type
Eval
Originator
NOT OK
OK
Check
NOT OK
OK
Check
NOT OK
Check
Send to
HR
NOT OK
Check
File in
Personal record
OK
“The Questioning Technique”
Analyze the process in its entirety, then ask the following questions about each task or step:
WHAT :
– Why is it done at all? / Why is it necessary? / Why not eliminate it?
WHERE :
– Why is it done there? / Why not change the place? / Why not change the sequence? / Why not combine?
WHO :
– Why does the person do it? / Why not change the person? / Why not change the sequence? / Why not combine?
HOW :
–
Why is it done this way? / Why not do it a different way? / Why not improve it? / Why not make it easier?
Process Flow Chart Diagram
YES
Does the damn thing work?
Don't mess with it
NO
Does anyone know?
YES
Hide it!
You dummy
YES
NO
YES Did you mess with it?
NO
Will you catch hell?
You poor victim !!!
NO
NO
Can you blame anybody else !!!
YES
No problem !!!
The hell with it
“Paperwork Shuffle” Flowchart
A Quote
“It is a capital mistake to theorize before one has data.”
Arthur Conan Doyle
A Message To Leaders
“If I had to reduce my message to management to just a few words, I’d say it all had to do with understanding and reducing variation.”
W. Edward Deming
Basic Concepts
Variation is inherent in all processes
Individual fluctuations are random in nature
Stable processes fluctuate within predictable boundaries
Unstable processes do not fluctuate randomly
There are two kinds
Example
The Traditional Approach to
Data...
MONTH 1
Incidents: 8
Last Month: 10
Change: -20% (good)
Comments: Good Job! Way to Go!
Congratulations! Awards and Promotions to follow...
The Traditional Approach to
Data...
MONTH 2
Incidents: 11
Last Month: 8
Change: +38% (bad)
Comments: Get it together! Get tough! No more
Mr. Nice Guy! Increase training! Threats and
Warnings follow...
The Traditional Approach to
Data...
MONTH 3
Incidents: 12
Last Month: 11
Change: +9% (bad)
Comments: See attached trend analysis...
The “Big Gear” Syndrome
What happened?
What are you doing about this?
I don’t know.
I’ll go find out.
I’ll get back to you with a plan.
I’m looking!
I’m looking!
What’s going on?
Why did this happen?
What are we going to do?
We’re looking!
We’re looking!
Trend Analysis
12
8
Month 1 Month 2 Month 3
Comments: You have lost control of your people, didn’t you see it coming? Emergency Training! Reprimand! One more increase and you’re fired!
What a Traditional Manager might do...
Good job!
100
That’s better!
80
60
What are you doing about this?
Watch out!
You’re fired!
0
19 21 23 25 27 29 34 36 39 41 43
Time in Weeks
The present process may not be capable...
In here!
the Voice of the Process the Voice of the Boss
An Improvement is ...
A reduction in the degree of variation
An adjustment (shift up or down) in the middle value
The Paperwork Shuffle
BEFORE
30
20
10
0
60
50
40
OCCURRENCES
The Paperwork Shuffle
AFTER
4
3
2
1
7
6
5
OCCURRENCES
Some Good Reads...
The Fifth Discipline (Senge)
The Fifth Discipline Field Book (Senge)
The Power of Open Book Management (Shuster)
Any book on the Malcolm Baldridge criteria