Lean Security - Unified Vision

Zachtgroen 17
2718 GM Zoetermeer
info@unifiedvision.nl
www.unifiedvision.nl
T +31 (0)79 3604268
Lean Security
Doing the right things, the right way!
Version 0.3 - 12th June, 2012
Contents

Introduction 3
  About this document 3
  Copyright 3
  About the author 3
  Intended audience 3
  The need for speed 4
The basics 5
  Lean principles 5
  Six Sigma principles 5
  Lean Six Sigma principles 6
  Security management principles 6
  Security operations principles 6
Lean Security Management System 7
  Lean Security Management definitions 7
  Establishing a Lean Security Management System 9
  Initiate and execute the Plan phase 9
  Initiate and execute the Do phase 9
  Initiate and execute the Check phase 9
  Initiate and execute the Act phase 9
  Initiate and execute the Management review 9
Security operations 10
  Always be prepared for mishaps 10
  Six Sigma in Security Control design 10
  From “a tick in the box” to “operational excellence” 10
  Effective Security based on Measurements 10
  Proactive management of Security controls 10
Introduction
About this document
This document aims to point out the benefits of applying the business process improvement techniques “Lean” and “Six Sigma” to
Security Management and Security Operations, in order to make Security more efficient and effective, to increase the contribution
of security to business objectives and to facilitate a better alignment of the business and security.
Copyright
This whitepaper is exempt from the general Unified Vision copyright and made freely available, yet attributable to Lean Security @
Unified Vision under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
About the author
Johan Bakker has a background of over 20 years in IT and Security & Continuity, a master's degree in Information and Knowledge
Technology and is a CISSP and ISSAP certified security professional. Johan started in IT in the late eighties and worked his way
through operations, programming, design, project management and architecture and from 1999 onwards performed R&D of
middleware, agent technology and service platforms at KPN Research. In 2001 Johan discovered the Information Security discipline
and has been hooked on this challenging topic ever since. From early 2008 until late 2011 Johan was Chief Information Security
Officer of Royal Dutch Telecom (KPN), being responsible for the Security and Continuity policy, its governance and compliance
reporting to the board of directors. Johan left KPN in early 2012 to start up his own company, Unified Vision, which, together with a
number of partners and associates, provides ad interim and project management, consultancy, advice, training and coaching
services to organizations that are making the step from an ad-hoc approach to a controlled embedding of Security and Continuity in
their business processes.
Intended audience
The intended audience for this document is security executives, managers and officers who are looking for ways to improve the
effectiveness of what it is that they do, while putting less strain on the organization they do it in and increasing their contribution to
the organization’s business objectives. Conversely, the document is also intended for Lean Six Sigma belts and
champions who are aiming to apply their business process improvement skills to security. This document therefore explains the very
basics of both worlds in short, at the risk of shortcomings on either end, but with the intention of bringing together experts from two
worlds that, combined, can achieve great benefits for their organizations.
The need for speed
Some Security organizations still have a hard time getting the business (and sometimes even IT) on board and creating buy-in for what
it is that they do. Instead of explaining security to the business once more (we’ve tried that approach), the time has come to reflect
on ourselves: what we do, why we do it, how we do it and how we communicate about it with the rest of the organization.
Doing business is all about taking risk; an amount of business capital is deliberately put at risk in a business endeavor aiming to make
a profit. Without business risk, there will not be a profit and the money may as well safely reside in a bank account. We security
people claim we support the business by helping them to manage the information risk they run as part of their business. But do we
always? Or are we sometimes obstructing business by being naturally more risk averse than the business we aim to support? Are we
not sometimes trying to convince the business that information risk is “bad risk” that must be mitigated? Do we understand risk the
way the business understands risk and can we accept well enough that the business accepts certain risk as a part of doing business?
Apart from the communication, perception and buy-in challenge, the work we do is not always as effective as we would like it to be.
Despite the amount of time we spend on governance, policy, risk assessments, steering committees, compliance reporting, audits,
i.e. the stuff that we do a lot, practice shows this alone doesn’t provide solid guarantees that all the servers were timely patched
with the latest fixes, the applications were developed securely, the web portals are all up to standard, proper and industry-standard
crypto has been applied, security has been properly tested, etc, etc, i.e. the stuff that really matters!
High profile incidents in the media from the recent past show that, despite all good intentions and a lot of hard work, security is not
always providing a proper return on investment. In the end it all comes down to details and getting all the details right, all the time,
every time, where an attacker only needs to get it right once and is usually a step ahead of us. This requires operational excellence
based on sound procedures, measurements and facts, not just a tick in the box for compliance reasons.
So, what if we found a way to really make security contribute to the business objectives of the organization? What if the business
owners would perceive us as a business partner? What if we deployed effective security measures and were able to prove it, making
the money spent on security worthwhile?
This document explores such an approach and aims to help you achieve all this.
The basics
This chapter aims to merely introduce the various related disciplines and heavily draws on definitions and descriptions for these
given in Wikipedia. In each section the relevant link to the full Wikipedia article is provided as well for further reading.
Lean principles
Lean is a practice that considers the expenditure of resources for any goal other than the creation of value for the end customer to
be wasteful, and thus a target for elimination. Lean distinguishes the following types of waste: defects, overproduction,
transportation, waiting, inventory, motion and over-processing. Working from the perspective of the customer who consumes a
product or service, "value" is defined as any action or process that a customer would be willing to pay for. The main steps and goals
in applying Lean are:
- Define “value” from the “customer” perspective, in terms of both what the customer wants and when
- Determine what steps in the process or “value stream” add such “value” and remove or avoid all others that are “waste”
- Base production on customer “pull”, i.e. produce only on request and prevent inventory
- Create “flow” and eliminate delays by aligning the process steps
- Continually and incrementally “improve” the process
In order to apply Lean to Security Management, we need to come up with a meaningful use of at least the terms customer, value
and waste in the context of security. These are provided in the first section of the Lean Security Management chapter.
For further reading, see http://en.wikipedia.org/wiki/Lean_manufacturing
Six Sigma principles
Six Sigma is a practice that seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors)
and minimizing variability in both manufacturing and business processes. It uses a set of quality management methods, including
statistical methods, and creates a special infrastructure of people within the organization ("Black Belts", "Green Belts", etc.) who are
experts in these methods. The term Six Sigma originated from terminology associated with statistical modeling. Six Sigma applies the
“DMAIC” project methodology that has five distinct phases:
- Define the problem, the voice of the customer, and the project goals, specifically
- Measure key aspects of the current process and collect relevant data
- Analyze the data to investigate and verify cause-and-effect relationships and seek out the root cause of the defect under investigation
- Improve or optimize the current process based upon data analysis using various defined techniques
- Control the future state process to ensure that any deviations from target are corrected before they result in defects
Six Sigma is investigated in this document in the Lean Security Operations chapter for use of its fact-based approach and statistical
modeling, in order to improve the effectiveness of security controls and allow for early detection and proactive corrective action in
the case of deviating or defective security controls.
For further reading, see http://en.wikipedia.org/wiki/Six_sigma
Lean Six Sigma principles
Lean Six Sigma is a synergized approach that combines the Lean and Six Sigma practices. Lean Six Sigma utilizes phases similar to those of Six
Sigma and comprises both Lean's waste elimination approach and Six Sigma's fact-based, statistical approach.
For further reading, see http://en.wikipedia.org/wiki/Lean_Six_Sigma
Security management principles
The governing principle behind Information Security Management, or just Security Management as this document refers to it, is that
an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its
information assets, thus ensuring acceptable levels of information security risk. The Security Management System central to these
activities is a process that consists of the following activities, of which the PDCA steps form the cyclic core:
- Establish - determine goal, policy and scope of the Security Management System and implement the cyclic PDCA process
- Plan - Determine risks to the information assets in scope and decide on the management of these risks
- Do - Implement the planned risk mitigation measures, i.e. the security controls
- Check - Evaluate the design, existence and effectiveness of security controls
- Act - Correct any evaluation findings
- Review - Periodically perform a Management Review of the Security Management System as a whole
A Security Management System should aim for a set of efficient, measurable, user friendly and effective security controls that, as a
cohesive system, adequately manage the risk of breaching the confidentiality, integrity and availability of information assets.
For further reading, see http://en.wikipedia.org/wiki/Information_security_management_system
Security operations principles
Conscious of the fact that the term Security Operations may be used differently in other contexts, for the purpose of this document
Security Operations is defined as the use and operation of security controls that were implemented in the organization as a result or
outcome of the Security Management System. Security controls may be of preventive, detective or corrective nature, each entailing
different operational characteristics.
Lean Security Management System
Lean Security Management definitions
In order to apply Lean principles to security management, we need to define what we believe a Lean Security Management System
should be and what the Lean terms “customer”, “value” and “waste” mean in the context of security.
Proposed definition of a Lean Security Management System
“A Lean Security Management system is an agile, integrated, effective and efficient process that, based on various
contextual inputs and a solid understanding of assets, threats & vulnerabilities and existing controls, results in
adequately managed security risk by means of necessary, adequate, usable, efficient and measurable security controls,
that are contributing to achieving business objectives.”
Who is the “Customer” of Security?
The customers of security are, depending on the nature of the organization and the products or services it provides, typically not the
commercial customers of the organization directly, but more often the business owners and the employees of the organization that
in turn provide products and/or services to the commercial customer. Therefore, it is up to the business owner to translate commercial
customer requirements into security requirements, as much as it is up to Security Management to understand the security needs of
the business for being commercially successful and achieving its business objectives. This situation is depicted in the figure hereunder:
Figure 1 – the customer of security
The business owner may have to comply with certain security related legislation or regulation as well. If a regulator is looking after
compliance, this regulator may be considered an indirect “customer” of security as well, since the regulatory requirements will also
influence the business requirements for security.
What is “Value” of Security Management?
In Lean Security Management “Value” has a variable part, depending on specific needs and expectations of the organization, the
commercial customers and regulators, as well as a more generic part valid for every organization. In our opinion a Security
Management System provides optimal value to the organization if it:
- actively supports achieving the business and compliance objectives of the organization (the variable part)
- is an efficient, agile and integrated process, capable of dealing with a dynamic threat environment
- consumes minimal time and resources
- results in adequately managed security risk, in line with the risk appetite of the organization
- provides only the necessary, yet adequate, user friendly, efficient and measurable security controls
What is “Waste” in Security Management?
In the table hereunder, seven types of “waste” are proposed that should be removed or avoided when implementing Lean Security
Management. The types of waste presented here were modeled along the lines of Lean, Lean IT and Lean Services and altered and
amended to fit Security Management. For each of the types of waste various arbitrary examples are provided for clarification
purposes, as well as the negative outcome for the business if they are not avoided or removed.
Type of waste: Overproduction
  Some examples: Unnecessary security controls due to lacking risk appetite, blame culture or mindless following of standards;
  over-collection of system logs
  Business outcome: Unnecessary high cost and waste of resources

Type of waste: Defects
  Some examples: Unmonitored or poorly configured controls; inadequate paper controls to survive audits; too low a threshold
  in the deviation process
  Business outcome: False sense of confidence under high costs

Type of waste: Unclear communication
  Some examples: Reports that are not read or are not fit for purpose; poor security control requirements; misunderstood or
  misinterpreted KPIs
  Business outcome: Miscommunication leading to unnecessary high cost and waste of resources

Type of waste: Non-value added processing
  Some examples: Elaborate theoretical risk assessment models; inefficient or duplicate audit & reporting processes; lacking
  proper tooling leading to manual labor
  Business outcome: Unnecessary high cost and overhead

Type of waste: Employee knowledge (unused)
  Some examples: Policy misaligned with operational reality; control design neglects operational knowledge; employees spend
  time on inadequate controls
  Business outcome: Increased cost and overhead, increased level of risk, talent leaving the company

Type of waste: Waiting
  Some examples: Lacking agility of the control framework, long cycles; long throughput times for authorizations; inefficient
  process for on/off-boarding of staff
  Business outcome: Reduced flexibility, reduced productivity, unnecessary high cost, increased level of risk due to circumventions

Type of waste: Inaccuracy
  Some examples: Over- or underestimating risk resulting in inadequate or expensive controls; applying wrong or inappropriate
  standards
  Business outcome: Unnecessary high cost and/or overhead, false sense of confidence
Establishing a Lean Security Management System
Initiate and execute the Plan phase
Initiate and execute the Do phase
Initiate and execute the Check phase
Initiate and execute the Act phase
Initiate and execute the Management review
Security operations
Always be prepared for mishaps
Six Sigma in Security Control design
From “a tick in the box” to “operational excellence”
Effective Security based on Measurements
Proactive management of Security controls