
RE: Process Improvement for Security

Subject: RE: Process Improvement for Security
Date: Mon, 6 Feb 2006 21:06:31 -0800
I just went through a week long Greenbelt training class on Lean
Six-Sigma.  

I can see some real potential in the process improvements steps, and
since my organization is adopting Lean Six-Sigma as its primary
process improvement/quality management model, it can also function as
a common language between IT and the Business.  It isn't really
anything new beyond general TQM, good business practices, and the
like, but it does do a good job of encapsulating everything.  The
measurements, metrics, and ability to represent data in charts,
graphs, and more are really quite impressive.  

In terms of usefulness, I am still somewhat unconvinced that it is a
'silver bullet' solution - everything comes down to having good data
- meaningful data that can be used to serve a purpose.  The metrics
and measurements for information security have certainly come a long
way over the last few years, but a lot of the people and
process-oriented aspects of a security program (often the ones that
have the most significant impact) can be somewhat difficult to measure
in a meaningful way.

A local company has been doing presentations on 'Security Kaizen' that
have also been pretty interesting - a quick Google search should get
you pointed in the right direction.  It provides some interesting
ideas on metrics, measurements, process improvement, and security
program development.  Used in conjunction with the NIST Pub on
security metrics for technology systems, and a few other odds and ends
(like COBIT, ITIL, CMMI, ISO 17799, and the FFIEC IT Examiners
Handbook to name a few) you can probably put together a very nice data
collection method.  I've also come across a few pretty good articles
during my own Google searching.


-----Original Message-----
From: thomas.jones@hushmail.com [mailto:thomas.jones@hushmail.com]
Sent: Monday, January 30, 2006 10:58 AM
To: psrc@securityfocus.com
Subject: Process Improvement for Security

In line with my last post, can anyone point me to a resource, or does
anyone have any opinions on applying Six Sigma, balanced scorecards or
other business process techniques to information security?

