Network Security Security-Management
Subject: RE: Process Improvement for Security
Date: Thu, 9 Feb 2006 07:08:16 -0800
Good stuff but a few questions. 

1. I don't see (and I may be missing this due to IE7 rendering and mature
eyes) key processes like ensuring organizations review log files, ensuring
background checks are done on new staff starters etc.  Are your processes at
a higher level than that?

2. I don't think there are any COTS systems to do the workflow yet (?) so I
imagine this is indeed a significant cost involved in codifying ISO17799.
Have you heard about any sort of cost / time / benefit analysis?

3. If you can't measure the direct and indirect cost today (which is what you
imply or at least the way I am reading it) how can you make a call on the
fact you will get greater costs? Maybe the whole BPM market is really a BS
market but there are some impressive ROI models being brandished around on
BPM for other sectors and I struggle to think they don't apply to security.
We like to think we are *different* but we really aren't IMHO.

-----Original Message-----
From: Fred Cohen [mailto:fred.cohen@all.net] 
Sent: Thursday, February 09, 2006 5:31 AM
To: Mark Curphey
Cc: 'Brad Bemis'; thomas.jones@hushmail.com; psrc@securityfocus.com;
security-management@securityfocus.com
Subject: Re: Process Improvement for Security

Process controls are increasingly being put in place through workflow
systems and these systems are starting to move toward codifying things like
ISO17799 but the level of customization required for an enterprise is very
substantial. It takes years of effort to get to this point. Certainly some
enterprises have achieved this. The core processes are reasonably described
in the "Enterprise Security Architecture" picture with drill-down on the
all.net Web site. But as you drive this into the detailed level, you find
that there are thousands of things to measure (and do) that go largely
unmeasured (and not done) today. The problem with getting security really
tied down like this is that the cost is prohibitive and that, while you will
get great security in terms of reduction in harmful incidents, you will also
get great costs. The goal of an enterprise is presumably to minimize (cost +
loss) associated with security issues.  
Thus rather than get to a gold-plated security program, acceptance of small
risks is far less expensive than a process that leaves no holes. That's
where risk management has to come into play, and risk management seems to
say that doing security with a six-sigma approach leads to higher cost
without all that much lower loss.

FC

On Feb 8, 2006, at 10:44 PM, Mark Curphey wrote:

Brad

Interesting links, thanks.  In my experience very few corporate 
security functions have even defined what their processes are in a way 
that then can be measured with any scheme like Six Sigma or otherwise 
so while an interesting idea proposed it seems the first step is to 
document / diagram the various processes. I would be interested if 
anyone has a good list of the core processes they think are needed in 
a commercial sec dept such as vuln management, continuity planning, 
risk assessment, security monitoring etc? Maybe ISO17799 is sufficient 
(I don't think so but) ......

-----Original Message-----
From: Brad Bemis [mailto:bradleyb@bradleyb.net]
Sent: Monday, February 06, 2006 9:07 PM
To: thomas.jones@hushmail.com; psrc@securityfocus.com; 
security-management@securityfocus.com
Subject: RE: Process Improvement for Security

I just went through a week-long Greenbelt training class on Lean
Six-Sigma.

I can see some real potential in the process improvements steps, and 
since my organization is adopting Lean Six-Sigma as its primary 
process improvement/quality management model, it can also function as 
a common language between IT and the Business.  It isn't really 
anything new beyond general TQM, good business practices, and the 
like, but it does do a good job of encapsulating everything.  The 
measurements, metrics, and ability to represent data in charts, 
graphs, and more are really quite impressive.

In terms of usefulness, I am still somewhat unconvinced that it is a
'silver bullet' solution - everything comes down to having good data -
meaningful data that can be used to serve a purpose.  The metrics
and measurements for information security have certainly come a long
way over the last few years, but a lot of the people and
process-oriented aspects of a security program (often the ones that
have the most significant impact) can be somewhat difficult to measure
in a meaningful way.

A local company has been doing presentations on 'Security Kaizen' that
have also been pretty interesting - a quick google search should get you
pointed in the right direction.  It provides some interesting ideas on 
metrics, measurements, process improvement, and security program 
development.  Used in conjunction with the NIST Pub on security 
metrics for technology systems, and a few other odds and ends (like 
COBIT, ITIL, CMMI, ISO 17799, and the FFIEC IT Examiners Handbook to 
name a few) you can probably put together a very nice data collection 
method.  I've also come across a few pretty good articles during my 
own google searching.

-----Original Message-----
From: thomas.jones@hushmail.com [mailto:thomas.jones@hushmail.com]
Sent: Monday, January 30, 2006 10:58 AM
To: psrc@securityfocus.com
Subject: Process Improvement for Security

In line with my last post can anyone point me to a resource or does
anyone have any opinions on applying Six Sigma, balanced scorecards or
other business process techniques to information security?
-- This communication is confidential to the parties it is intended to serve
--
Security Posture            securityposture.com          tel/fax
University of New Haven               unhca.com        925-454-0171
Fred Cohen & Associates                 all.net      572 Leona Drive
ASP Press                        asp-presss.com    Livermore, CA 94550