Uploaded by tamsyn-hoover. Posted 22-Dec-2015.

TRANSCRIPT

T1-OPEN

Welcome to Implementing Security Policy as a Quality Process

Lloyd Hasche (Modern Technologies Corp)

Jim Lightfoot (The James Group)

Jim Engelkes (The James Group)

Session Objectives

1. Explain how quality practices can enhance information security implementation

2. Have fun!

Introduction and Purpose

1. Why quality practices for Internet Security

2. Background

3. Requirement – Value added

Value Added

1. Quality is a value of the information process

2. Security is an attribute of Quality (Denning)

3. People are the key agents of the quality process

• Information Professionals need to apply quality management techniques (Stylianou and Kumar)

Quality Information Process

Vq = f(Content, Open, Integrity)

Quality Attributes (Dorothy Denning)

• Utility
• Functionality
• Effort
• Speed
• Cost
• Reliability
• Security

Security must contribute to overall quality and not degrade it

IT professional is the key

Dimensions of IS Quality: Stakeholders and Implementation Issues

• Customer focus
• Process Approach
• Leadership
• Culture
• Broad partnership and teamwork
• Motivating the troops
• Measurement and Constructive Feedback
• Accountability for results & rewarding achievement
• Self-assessment

Dimensions of IS Quality

In-Process Stakeholders: Management, Process Owner, Process Participants

End-of-Process Stakeholders: Internal Customers, External Customers

[Diagram: Information Systems Quality is made up of Infrastructure Quality, Administration Quality, Service Quality, Information Quality, Data Quality and Software Quality; these support the Quality of Business Processes Supported by IS, which in turn supports Enterprise Quality]

Conclusion:

Quality practices are key to success in information security implementation

A Quote ...

“There is nothing more inefficient than doing efficiently that which should not be done at all.”

Peter Drucker

Quality Improvement Defined ...

“..... a strategic, integrated management system for achieving customer satisfaction which involves all managers and employees and uses quantitative methods to continuously improve an organization’s processes.”

Another Definition

Quality is what makes it possible for a customer to have a love affair with your product or service. Telling lies, decreasing the price or adding features can create a temporary infatuation. It takes quality to sustain a love affair. Therefore it is necessary to remain close to the person whose loyalty you wish to retain. You must ever be on the alert to understand what pleases the customer, for only customers define what constitutes quality. The wooing of the customer is never done.

Myron Tribus

Two Perspectives...

Hardware vs. Software

What are the functions of leadership?

Why We Need To Change

“The price of gaining knowledge is nothing compared to the cost of ignorance.”

Anonymous

[Diagram: Profit, the Cost of Poor Quality (COPQ), and the theoretical costs, i.e., the cost of doing the right things right the first time]


Some Common Reactions

“It’s common sense.”
“Good management produces good quality.”
“I know all of this.”
“I know my business; don’t tell me how to do it.”
“No need for change. We do it just fine now.”
“Doesn’t apply to my area.”
“We don’t produce products; we don’t have customers.”
“There is no way to change.”

Traditional Management Philosophies

• Taylorism
• Management by Objectives / Results (MBO / MBR)

A Quote ...

“A high-priced man does just what he is told and with no back talk ... when your manager tells you to walk, you walk; when he tells you to sit down, you sit down ...”

FREDERICK TAYLOR

How many ideas have your XY’s generated?

Management by Results: The negative side

• When standards are unattainable, “games” are played and figures “juggled”
• Fear tends to be the motivator
• Fosters “play it safe” or “blame it on them” behavior
• The organizational “box” becomes the customer
• Production that exceeds standards is stored so it can be used another day
• Fight “fires”, but never understand the process that caused the fire
• Exhorting the masses

Common Principles

DEMING - CROSBY - JURAN

• Internal and external customers define quality
• Management creates a quality culture
• Quality is prevention-based rather than inspection-based
• Systems and statistical thinking
• Team approach
• Continuous improvement of processes
• Education and training is vital
• An empowered workforce
• A paradigm shift

“Systems Thinking and Puzzles”

A Process is ...

“A series of sequentially oriented, repeatable operations having both a beginning and an end which generates either a product or service.”

– It can be any set of conditions, causes, or inputs that work together to produce a given result or output.

– Management is the ultimate owner of the process

Deming Nugget

“I burn the toast, Jim scrapes it, and by God, we get it out.”

Dr. W. Edwards Deming

The Current Process

- INCREASED COST - BURNOUT - DELAY - LACK OF PRIDE

94% of defects are caused by a common cause (the system); 6% of defects are caused by special causes (people or events)

From “Out Of The Crisis” by W.E. Deming

[Diagram of the current, inspection-based process: UPSTREAM → PROCESS → PRODUCT → INSPECTION; PASS → CUSTOMER; FAIL → REWORK or SCRAP; DOWNSTREAM]

“We need to Change our Thinking”

OLD THINKING → NEW THINKING

• Work on Results → Work on Processes
• Short-Term → Long-Term
• Authoritarian → Participative
• Status Quo → Continuous Improvement
• Fear → Open Atmosphere
• Conformity to Specifications → Customer Defined
• Individuals Caused Defects → Process Caused Defects

Open Book Management

If you want employees to act like owners you need to treat them like owners.

When Use of Measurement Drives Improvement ...

[Diagram: MEASUREMENT driving QUALITY IMPROVEMENT AND PRODUCTIVITY]

When Desire for Improvement Drives Measurement ...

[Diagram: QUALITY IMPROVEMENT AND PRODUCTIVITY driving MEASUREMENT]

Identify customers

• Internal
• External
• Ultimate

Tools to Determine Customer Requirements

COPIS Focus groups Personal interviews Surveys

Do surveys tell all?

Who wrote your survey? The most important numbers are unknown

Key Quality Characteristics (KQC)

Work with your customer to get an operational definition for the KQC.

If the customer wants your service or product on time as their KQC, what is “on time”?

Get your customer to help define on time.

Operational Definition

In the bleachers/Steve Moore

Customer Expectations

Levels of customer expectations about quality

– ONE - Assumed

– TWO - Satisfied

– THREE - Delighted

– FOUR - ????

Process flow charts are used to ...

• Understand a system or process
• Verify or clarify work processes
• Identify customer/supplier relationships
• Identify value-added work
• Identify potential problems or opportunities for improvement
• Eliminate redundant steps

Value / Cost Added

[Flowchart sorting steps into Value Added and Cost Added Only: Originator → Type Eval → Check (OK / NOT OK) → Check (OK / NOT OK) → Check (OK / NOT OK) → Send to HR → Check (OK / NOT OK) → File in Personnel record]

“The Questioning Technique”

Analyze the process in its entirety, then ask the following questions about each task or step:

WHAT:
– Why is it done at all? / Why is it necessary? / Why not eliminate it?

WHERE:
– Why is it done there? / Why not change the place? / Why not change the sequence? / Why not combine?

WHO:
– Why does the person do it? / Why not change the person? / Why not change the sequence? / Why not combine?

HOW:
– Why is it done this way? / Why not do it a different way? / Why not improve it? / Why not make it easier?

Process Flow Chart Diagram

[“Paperwork Shuffle” flowchart: decision nodes “Does the damn thing work?”, “Did you mess with it?”, “Does anyone know?”, “Will you catch hell?” and “Can you blame anybody else!!!”, each with YES / NO branches leading to “Don't mess with it”, “Hide it!”, “The hell with it”, “No problem!!!”, “You dummy” and “You poor victim!!!”]

“Paperwork Shuffle” Flowchart

A Quote

“It is a capital mistake to theorize before one has data.”

Arthur Conan Doyle

A Message To Leaders

“If I had to reduce my message to management to just a few words, I’d say it all had to do with understanding and reducing variation.”

W. Edwards Deming

Basic Concepts

• Variation is inherent in all processes
• Individual fluctuations are random in nature
• Stable processes fluctuate within predictable boundaries
• Unstable processes do not fluctuate randomly
• There are two kinds

Example

The Traditional Approach to Data...

MONTH 1
Incidents: 8
Last Month: 10
Change: -20% (good)
Comments: Good Job! Way to Go! Congratulations! Awards and Promotions to follow...

The Traditional Approach to Data...

MONTH 2
Incidents: 11
Last Month: 8
Change: +38% (bad)
Comments: Get it together! Get tough! No more Mr. Nice Guy! Increase training! Threats and Warnings follow...

The Traditional Approach to Data...

MONTH 3
Incidents: 12
Last Month: 11
Change: +9% (bad)
Comments: See attached trend analysis...

The “Big Gear” Syndrome

“What happened?”

“I don’t know. I’ll go find out.”

“What are you doing about this?”

“I’ll get back to you with a plan.”

“What’s going on? Why did this happen? What are we going to do?”

“I’m looking! I’m looking!”

“We’re looking! We’re looking!”

Trend Analysis

Comments: You have lost control of your people, didn’t you see it coming? Emergency Training! Reprimand! One more increase and you’re fired!

[Chart: Incidents (8 to 12) plotted for Month 1, Month 2, Month 3]

What a Traditional Manager might do...

[Run chart: Commitments Met (%) on a 0 to 100 scale against Time in Weeks (weeks 19 to 43), annotated with the manager’s reactions to each swing: “Good job!”, “Watch out!”, “That’s better!”, “What are you doing about this?”, “You’re fired!”]

The present process may not be capable...

[Chart contrasting the Voice of the Process with the Voice of the Boss; the boss’s target is marked “In here!”]

An Improvement is ...

• A reduction in the degree of variation
• An adjustment (shift up or down) in the middle value
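The three “Traditional Approach to Data” months and the “Basic Concepts” slide make a point that is easy to check numerically: swings of -20% or +38% between months can be nothing more than the predictable fluctuation of a stable process, and only a value outside that band is a signal worth chasing. The following is an added example, not part of the original slides or of the presenters’ material. It assumes a c-chart (centre line at the mean, limits at mean ± 3·sqrt(mean), the usual Shewhart chart for counts of events per period) is the right model, and its incident counts are constructed: the slides’ own 10 → 8 → 11 → 12 figures preceded by invented earlier months.

```python
"""Control-chart check for monthly security incident counts.

Added example (not from the slides). The chart type (c-chart) is an
assumption; the slides name no particular chart.
"""
import math

# Constructed sample data: the last four values are the slides'
# Month 0-3 figures (10, 8, 11, 12); the earlier ones are invented so
# the limits rest on more than three points.
MONTHLY_INCIDENTS = [9, 12, 7, 10, 11, 8, 10, 8, 11, 12]


def c_chart_limits(counts):
    """Centre line and 3-sigma limits for a c-chart (counts per period).

    For Poisson-like event counts the standard deviation is sqrt(mean).
    The lower limit is floored at zero because a count cannot be negative.
    Returns (centre, lower_limit, upper_limit).
    """
    if not counts:
        raise ValueError("need at least one period of data")
    centre = sum(counts) / len(counts)
    spread = 3 * math.sqrt(centre)
    return centre, max(0.0, centre - spread), centre + spread


def classify(counts, limits=None):
    """Tag each period 'common' (inside the limits: the noise of a stable
    process) or 'special' (outside the limits: investigate that period).

    Pass `limits` computed from a baseline to judge new periods against
    the process as it was, rather than letting an outlier widen its own band.
    """
    _, lcl, ucl = limits or c_chart_limits(counts)
    return ["special" if c < lcl or c > ucl else "common" for c in counts]


def month_over_month(counts):
    """The percentage swings a results-driven report reacts to."""
    return [round((cur - prev) / prev * 100) for prev, cur in zip(counts, counts[1:])]


def report(counts):
    """Human-readable chart summary; returned as a string so it can be tested."""
    centre, lcl, ucl = c_chart_limits(counts)
    tags = classify(counts, (centre, lcl, ucl))
    lines = [f"centre {centre:.1f}  LCL {lcl:.1f}  UCL {ucl:.1f}"]
    for period, (count, tag) in enumerate(zip(counts, tags), start=1):
        lines.append(f"period {period:2d}: {count:3d} incidents  {tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(MONTHLY_INCIDENTS))
    # The slides' month-over-month figures (-20%, +38%, +9%) all sit inside
    # the common-cause band above; reacting to them is reacting to noise.
    print("month-over-month %:", month_over_month([10, 8, 11, 12]))
    # A period far outside the baseline limits is the signal the chart exists for.
    baseline = c_chart_limits(MONTHLY_INCIDENTS)
    print("24 incidents next month:", classify([24], baseline))
```

Judging a new month against limits derived from the baseline (the `limits` argument) matters: if the outlier is folded into the mean first, it widens the band and partly hides itself.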

The Paperwork Shuffle

[Chart, BEFORE: Occurrences against Hours, on a 0 to 60 hour scale]

The Paperwork Shuffle

[Chart, AFTER: Occurrences against Hours, on a 1 to 7 hour scale]

Some Good Reads...

• The Fifth Discipline (Senge)
• The Fifth Discipline Field Book (Senge)
• The Power of Open Book Management (Shuster)
• Any book on the Malcolm Baldrige criteria

Questions?