Zachtgroen 17 2718 GM Zoetermeer info@unifiedvision.nl www.unifiedvision.nl T +31 (0)79 3604268 Lean Security Doing the right things, the right way! Version 0.3 - 12th June, 2012 Lean Security 2 INTRODUCTION .......................................................................................................................................................3 ABOUT THIS DOCUMENT ..................................................................................................................................................3 COPYRIGHT...................................................................................................................................................................3 ABOUT THE AUTHOR .......................................................................................................................................................3 INTENDED AUDIENCE .......................................................................................................................................................3 THE NEED FOR SPEED.......................................................................................................................................................4 THE BASICS ..............................................................................................................................................................5 LEAN PRINCIPLES ............................................................................................................................................................5 SIX SIGMA PRINCIPLES .....................................................................................................................................................5 LEAN SIX SIGMA PRINCIPLES .............................................................................................................................................6 SECURITY MANAGEMENT PRINCIPLES...................................................................................................................................6 SECURITY OPERATIONS PRINCIPLES .....................................................................................................................................6 LEAN SECURITY MANAGEMENT SYSTEM ...............................................................................................................7 LEAN SECURITY MANAGEMENT DEFINITIONS .........................................................................................................................7 ESTABLISHING A LEAN SECURITY MANAGEMENT SYSTEM .........................................................................................................9 INITIATE AND EXECUTE THE PLAN PHASE...............................................................................................................................9 INITIATE AND EXECUTE THE DO PHASE .................................................................................................................................9 INITIATE AND EXECUTE THE CHECK PHASE .............................................................................................................................9 INITIATE AND EXECUTE THE ACT PHASE ................................................................................................................................9 INITIATE AND EXECUTE THE MANAGEMENT REVIEW ................................................................................................................9 SECURITY OPERATIONS ........................................................................................................................................ 10 ALWAYS BE PREPARED FOR MISHAPS ................................................................................................................................. 10 SIX SIGMA IN SECURITY CONTROL DESIGN .......................................................................................................................... 10 FROM “A TICK IN THE BOX” TO “OPERATIONAL EXCELLENCE” ................................................................................................... 10 EFFECTIVE SECURITY BASED ON MEASUREMENTS ................................................................................................................. 10 PROACTIVE MANAGEMENT OF SECURITY CONTROLS .............................................................................................................. 10 Lean Security 3 Introduction About this document This document aims to point out benefits from applying business process improvement techniques “Lean” and “Six Sigma” to Security Management and Security Operations, in order to make Security more efficient and effective, to increase the contribution of security to business objectives and to facilitate a better alignment of the business and security. Copyright This whitepaper is exempt from the general Unified Vision copyright and made freely available, yet attributable to Lean Security @ Unified Vision under a Creative Commons Attribution-ShareAlike 3.0 Unported License. About the author Johan Bakker has a background of over 20 years in IT and Security & Continuity, a master's degree in Information and Knowledge Technology and is a CISSP and ISSAP certified security professional. Johan started in IT in the late eighties and worked his way through operations, programming, design, project management and architecture and from 1999 onwards performed R&D of middleware, agent technology and service platforms at KPN Research. In 2001 Johan discovered the Information Security discipline and has been hooked on this challenging topic ever since. From early 2008 until late 2011 Johan was Chief Information Security Officer of Royal Dutch Telecom (KPN), being responsible for the Security and Continuity policy, its governance and compliance reporting to the board of directors. Johan left KPN early 2012 to start up his own company, Unified Vision, which, together with a number of partners and associates, provides ad interim and project management, consultancy, advice, training and coaching services to organizations that are making the step from an ad-hoc approach to a controlled embedding of Security and Continuity in their business processes. Intended audience The intended audience for this document are security executives, managers and officers that are looking at ways to improve the effectiveness of what is it that they do, whilst putting less strain on the organization they do it in and increase their contribution to the organization’s business objectives. The other way around, the document is as well intended for Lean Six Sigma belts and champions that are aiming to apply their business process improvement skills to security. This document therefore explains the very basics of both worlds in short, with the risk of shortcomings on either end, but with the intention to bring together experts from two worlds that combined can achieve great benefits for their organizations. Lean Security 4 The need for speed Some Security organizations still have a hard time getting the business (and sometimes even IT) on board and create buy-in for what it is that they do. Instead of explaining security to the business once more, we’ve tried that approach, the time has come to reflect on ourselves; what we do, why we do it, how we do it and how we communicate about it with the rest of the organization. Doing business is all about taking risk; an amount of business capital is deliberately put at risk in a business endeavor aiming to make a profit. Without business risk, there will not be a profit and the money may as well safely reside in a bank account. We security people claim we support the business by helping them to manage the information risk they run as part of their business. But do we always? Or are we sometimes obstructing business by being naturally more risk averse than the business we aim to support? Are we not sometimes trying to convince the business that information risk is “bad risk” that must be mitigated? Do we understand risk the way the business understands risk and can we accept well enough that the business accepts certain risk as a part of doing business? Apart from the communication, perception and buy-in challenge, the work we do is not always as effective as we would like it to be. Despite the amount of time we spend on governance, policy, risk assessments, steering committees, compliance reporting, audits, i.e. the stuff that we do a lot, practice shows this alone doesn’t provide solid guarantees that all the servers were timely patched with the latest fixes, the applications were developed securely, the web portals are all up to standard, proper and industry-standard crypto has been applied, security has been properly tested, etc, etc, i.e. the stuff that really matters! High profile incidents in the media from the recent past show that, despite all good intentions and a lot of hard work, security is not always providing a proper return of investment. In the end it all comes down to details and getting all the details right, all the time, every time, were an attacker only needs to get it right once and is usually a step ahead of us. This requires operational excellence based on sound procedures, measurements and facts, not just a tick in the box for compliance reasons. So, what if we found a way to really make security contribute to the business objectives of the organization? What if the business owners would perceive us as a business partner? What if we deployed effective security measures and were able to proof it, making the money spent on security worthwhile? This document explores such an approach and aims to help you achieve all this. Lean Security 5 The basics This chapter aims to merely introduce the various related disciplines and heavily draws on definitions and descriptions for these given in Wikipedia. In each section the relevant link to the full Wikipedia article is provided as well for further reading. Lean principles Lean is a practice that considers the expenditure of resources for any goal other than the creation of value for the end customer to be wasteful, and thus a target for elimination. Lean distinguishes the following types of waste; defects, overproduction, transportation, waiting, inventory, motion and over-processing. Working from the perspective of the customer who consumes a product or service, "value" is defined as any action or process that a customer would be willing to pay for. The main steps and goals in applying Lean are: Define “value” from the “customer” perspective, in terms of both what the customer wants and when Determine what steps in the process or “value stream” add such “value” and remove or avoid all others that are “waste” Base production on customer “pull”, i.e. produce only on request and prevent inventory Create “flow” and eliminate delays by aligning the process steps Continually and incrementally “improve” the process In order to apply Lean to Security Management, we need to come up with a meaningful use of minimally the terms customer, value and waste in the context of security. These are provided in the first section of the Lean Security Management chapter. For further reading is referred to http://en.wikipedia.org/wiki/Lean_manufacturing Six Sigma principles Six Sigma is a practice that seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors) and minimizing variability in both manufacturing and business processes. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization ("Black Belts", "Green Belts", etc.) who are experts in these methods. The term Six Sigma originated from terminology associated with statistical modeling. Six Sigma applies the “DMAIC” project methodology that has five distinct phases: Define the problem, the voice of the customer, and the project goals, specifically Measure key aspects of the current process and collect relevant data Analyze the data to investigate, verify cause-and-effect relationships and seek out root cause of the defect under investigation Improve or optimize the current process based upon data analysis using various defined techniques Control the future state process to ensure that any deviations from target are corrected before they result in defects Six Sigma is investigated in this document in the Lean Security Operations chapter for use of its fact-based approach and statistical modeling, in order to improve the effectiveness of security controls and allow for early detection and pro-active corrective action in the case of deviating or defective security controls. For further reading is referred to http://en.wikipedia.org/wiki/Six_sigma Lean Security 6 Lean Six Sigma principles Lean Six Sigma is a synergized approach of both the Lean and Six Sigma practice. Lean Six Sigma utilizes phases similar to that of Six Sigma and comprises both the Lean's waste elimination approach as well as the Six Sigma fact-based, statistical approach. For further reading is referred to http://en.wikipedia.org/wiki/Lean_Six_Sigma Security management principles The governing principle behind Information Security Management, or just Security Management as this document refers to it, is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk. The Security Management System central to these activities is a process that consists of the following activities, of which the PDCA part are the cyclic core: Establish - determine goal, policy and scope of the Security Management System and implement the cyclic PDCA process Plan - Determine risks to the information assets in scope and decide on the management of these risks Do - Implement the planned risk mitigation measures, i.e. the security controls Check - Evaluate the design, existence and effectiveness of security controls Act - Correct any evaluation findings Review – Periodically perform a Management Review of the Security Management System as a whole A Security Management System should aim for a set of efficient, measureable, user friendly and effective security controls that, as a cohesive system, adequately manage the risk of breaching the confidentiality, integrity and availability of information assets. For further reading is referred to http://en.wikipedia.org/wiki/Information_security_management_system Security operations principles Conscious of the fact that the term Security Operations may be used differently in other contexts, for the purpose of this document Security Operations is defined as the use and operation of security controls that were implemented in the organization as a result or outcome of the Security Management System. Security controls may be of preventive, detective or corrective nature, each entailing different operational characteristics. Lean Security 7 Lean Security Management System Lean Security Management definitions In order to apply Lean principles to security management, we need to define what we believe a Lean Security Management System should be and what the Lean terms “customer”, “value” and “waste” mean in the context of security. Proposed definition of a Lean Security Management System “A Lean Security Management system is an agile, integrated, effective and efficient process that, based on various contextual inputs and a solid understanding of assets, threats & vulnerabilities and existing controls, results in adequately managed security risk by means of necessary, adequate, usable, efficient and measurable security controls, that are contributing to achieving business objectives.” Who is the “Customer” of Security? The customers of security are, depending on the nature of the organization and the products or services it provides, typically not the commercial customer of the organization directly, but more often the business owners and the employees of the organization that in turn provide products and/or services to the commercial customer. Therefore, it is up the business owner to translate commercial customer requirements into security requirements, as much as it is up to Security Management to understand the security needs of the business for being commercially successful and achieve its business objectives. This situation is depicted in the figure hereunder: Figure 1 – the customer of security The business owner may have to comply with certain security related legislation or regulation as well. If a regulator is looking after compliance, this regulator may be considered an indirect “customer” of security as well, since the regulatory requirements will also influence the business requirements for security. Lean Security 8 What is “Value” of Security Management? In Lean Security Management “Value” has a variable part, depending on specific needs and expectations of the organization, the commercial customers and regulators, as well as a more generic part valid for every organization. In our opinion a Security Management System provides optimal value to the organization if it: actively supports achieving the business and compliance objectives of the organization (the variable part) is an efficient, agile and integrated process, capable of dealing with a dynamic threat environment consumes minimal time and resources results in adequately managed security risk, in line with the risk appetite of the organization provides only the necessary, yet adequate, user friendly, efficient and measurable security controls What is “Waste” in Security Management? In the table hereunder, seven types of “waste” are proposed that should be removed or avoided when implementing Lean Security Management. The types of waste presented here were modeled along the lines of Lean, Lean IT and Lean Services and altered and amended to fit Security Management. For each of the types of waste various arbitrary examples are provided for clarification purposes, as well as the negative outcome for the business if they are not avoided or removed. Type of Waste Some examples Business Outcome Overproduction Unnecessary security controls due to lacking risk appetite, blame culture or mindless following of standards. Over collection of system logs. Unmonitored or poorly configured controls, Inadequate paper controls to survive audits, Too low a threshold in the deviation process Reports that are not read or are not fit for purpose, Poor security control requirements, Misunderstood or misinterpreted KPI's Elaborate theoretical risk assessment models, Inefficient or duplicate audit & reporting processes, Lacking proper tooling leading to manual labor Policy misaligned with operational reality, Control design neglects operational knowledge, Employees spend time on inadequate controls Lacking agility of the control framework, long cycles, Long throughput times for authorizations, Inefficient process for on/off-boarding of staff Over-, underestimating risk resulting in inadequate or expensive controls, Applying wrong or inappropriate standards Unnecessary high cost and waste of resources Defects Unclear communication Non-value added processing Employee knowledge (unused) Waiting Inaccuracy False sense of confidence under high costs Miscommunication leading to unnecessary high cost and waste of resources Unnecessary high cost and overhead Increased cost and overhead, increased level of risk, talent leaving the company Reduced flexibility, reduced productivity, unnecessary high cost, increased level of risk due to circumventions Unnecessary high cost and/or overhead, false sense of confidence Lean Security Establishing a Lean Security Management System Initiate and execute the Plan phase Initiate and execute the Do phase Initiate and execute the Check phase Initiate and execute the Act phase Initiate and execute the Management review 9 Lean Security Security operations Always be prepared for mishaps Six Sigma in Security Control design From “a tick in the box” to “operational excellence” Effective Security based on Measurements Proactive management of Security controls 10