Welcome to Implementing Security Policy as a Quality Process - PowerPoint PPT Presentation

Provided by: majjimli
Learn more at: http://www.certconf.org
1
Welcome to Implementing Security Policy as a
Quality Process
  • Lloyd Hasche (Modern Technologies Corp)
  • Jim Lightfoot (The James Group)
  • Jim Engelkes (The James Group)

T1-OPEN
2
Session Objectives
  • 1. Explain how quality practices can enhance
    information security implementation
  • 2. Have fun!

3
Introduction and Purpose
  • 1. Why quality practices for Internet Security
  • 2. Background
  • 3. Requirement Value added

4
Value Added
  • 1. Quality is a value of the information process
  • 2. Security is an attribute of Quality (Denning)
  • 3. People are the key agents of the quality
    process
  • Information Professionals need to apply quality
    management techniques (Stylianou and Kumar)

5
Quality Information Process
  • Vq = f(Content, Open, Integrity)

6
Quality Attributes (Dorothy Denning)
  • Utility
  • Functionality
  • Effort
  • Speed
  • Cost
  • Reliability
  • Security
  • Security must contribute to overall quality
  • and not degrade it

7
IT professional is the key
  • Dimensions of IS Quality
  • Stakeholders
  • Implementation Issues
  • Customer focus
  • Process Approach
  • Leadership
  • Culture
  • Broad partnership and teamwork
  • Motivating the troops
  • Measurement and Constructive Feedback
  • Accountability for results, rewarding
    achievement
  • Self-assessment

8
Dimensions of IS Quality
  • In-Process Stakeholders
  • Management
  • Process Owner
  • Process Participants
  • End-of-Process Stakeholders
  • Internal Customers
  • External Customers

Administration Quality
Infrastructure Quality
Service Quality
Information Systems Quality
Quality of Business Processes Supported by IS
Software Quality
Information Quality
Data Quality
Enterprise Quality
9
Conclusion
  • Quality practices are key to success in
    information security implementation

10
A Quote ...
  • There is nothing more inefficient than doing
    efficiently that which should not be done at
    all.
  • Peter Drucker

11
Quality Improvement Defined ...
  • ..... a strategic, integrated management
    system for achieving customer satisfaction which
    involves all managers and employees and uses
    quantitative methods to continuously improve an
    organization's processes.

12
Another Definition
  • Quality is what makes it possible for a customer
    to have a love affair with your product or
    service. Telling lies, decreasing the price or
    adding features can create a temporary
    infatuation. It takes quality to sustain a love
    affair.
  • Therefore it is necessary to remain close to the
    person whose loyalty you wish to retain. You
    must ever be on the alert to understand what
    pleases the customer, for only customers define
    what constitutes quality. The wooing of the
    customer is never done.
  • Myron Tribus

13
Two Perspectives...
  • Hardware vs. Software

14
What are the functions of leadership?
15
Why We Need To Change
  • The price of gaining knowledge is nothing
    compared to the cost of ignorance.
  • Anonymous
16
Some Common Reactions
  • It's common sense.
  • Good management produces good quality.
  • I know all of this.
  • I know my business. Don't tell me how to do
    it.
  • No need for change. We do it just fine now.
  • Doesn't apply to my area.
  • We don't produce products. We don't have
    customers.
  • There is no way to change.

17
Traditional Management Philosophies
  • Taylorism
  • Management by Objectives / Results (MBO / MBR)

18
A Quote ...
  • A high-priced man does just what he is told and
    with no back talk ... when your manager tells you
    to walk, you walk; when he tells you to sit
    down, you sit down ...
  • FREDERICK TAYLOR

19
How many ideas have your XYs generated?
20
Management by Results: The negative side
  • When standards are unattainable, games are
    played and figures juggled
  • Fear tends to be the motivator
  • Fosters "play it safe" or "blame it on them"
    behavior
  • The organizational box becomes the customer
  • Production that exceeds standards is stored so it
    can be used another day
  • Fight fires, but never understand the process
    that caused the fire
  • Exhorting the masses

21
Common Principles
  • DEMING - CROSBY - JURAN
  • Internal and external customers define quality
  • Management creates a quality culture
  • Quality is prevention-based rather than
    inspection-based
  • Systems and statistical thinking
  • Team approach
  • Continuous improvement of processes
  • Education and training is vital
  • An empowered workforce
  • A paradigm shift

22
Systems Thinking and Puzzles
23
A Process is ...
  • A series of sequentially oriented, repeatable
    operations having both a beginning and an end
    which generates either a product or service.
  • It can be any set of conditions, causes, or
    inputs that work together to produce a given
    result or output.
  • Management is the ultimate owner of the process

24
Deming Nugget
  • I burn the toast, Jim scrapes it, and by God, we
    get it out.
  • Dr. W. Edwards Deming

25
The Current Process
[Flow diagram. Labels: Upstream, Process, Product, Inspection, Pass, Downstream, Customer, Fail, Rework, Scrap. Consequences listed: increased cost, burnout, delay, lack of pride.]
  • 94% of defects are caused by a common cause (the
    system)
  • 6% of defects are caused by special causes
    (people or events)
  • From Out of the Crisis by W.E. Deming
26
We need to Change our Thinking
  • OLD THINKING
  • Work on Results
  • Short-Term
  • Authoritarian
  • Status Quo
  • Fear
  • Conformity to Specifications
  • Individuals Caused Defects
  • NEW THINKING
  • Work on Processes
  • Long-Term
  • Participative
  • Continuous Improvement
  • Open Atmosphere
  • Customer Defined
  • Process Caused Defects


27
Open Book Management
  • If you want employees to act like owners you need
    to treat them like owners.

28
When Use of Measurement Drives Improvement ...
QUALITY IMPROVEMENT AND PRODUCTIVITY
MEASUREMENT
29
When Desire for Improvement Drives Measurement ...
QUALITY IMPROVEMENT AND PRODUCTIVITY
MEASUREMENT
30
Identify customers
  • Internal
  • External
  • Ultimate

31
Tools to Determine Customer Requirements
  • COPIS
  • Focus groups
  • Personal interviews
  • Surveys

32
Do surveys tell all?
  • Who wrote your survey?
  • The most important numbers are unknown

33
Key Quality Characteristics (KQC)
  • Work with your customer to get an operational
    definition for the KQC.
  • If the customer wants your service or product "on
    time" as their KQC, what is "on time"?
  • Get your customer to help define "on time".

34
Operational Definition
In the bleachers/Steve Moore
35
Customer Expectations
  • Levels of customer expectations about quality
  • ONE - Assumed
  • TWO - Satisfied
  • THREE - Delighted
  • FOUR - ????

36
Process flow charts are used to ...
  • Understand a system or process
  • Verify or clarify work processes
  • Identify customers/supplier relationships
  • Identify value-added work
  • Identify potential problems or opportunities for
    improvement
  • Eliminate redundant steps

37
Value / Cost Added
Value Added
Cost Added Only
38
The Questioning Technique
  • Analyze the process in its entirety, then ask the
    following questions about each task or step:
  • WHAT
  • Why is it done at all? / Why is it necessary? /
    Why not eliminate it?
  • WHERE
  • Why is it done there? / Why not change the place?
    / Why not change the sequence? / Why not combine?
  • WHO
  • Why does the person do it? / Why not change the
    person? / Why not change the sequence? / Why not
    combine?
  • HOW
  • Why is it done this way? / Why not do it a
    different way? / Why not improve it? / Why not
    make it easier?

39
Process Flow Chart Diagram
40
Paperwork Shuffle Flowchart
41
A Quote
  • It is a capital mistake to theorize before one
    has data.
  • Arthur Conan Doyle

42
A Message To Leaders
  • If I had to reduce my message to management to
    just a few words, I'd say it all had to do with
    understanding and reducing variation.
  • W. Edwards Deming
43
Basic Concepts
  • Variation is inherent in all processes
  • Individual fluctuations are random in nature
  • Stable processes fluctuate within predictable
    boundaries
  • Unstable processes do not fluctuate randomly
  • There are two kinds

44
Example
45
The Traditional Approach to Data...
  • MONTH 1
  • Incidents: 8
  • Last Month: 10
  • Change: -20% (good)
  • Comments: Good Job! Way to Go! Congratulations!
    Awards and Promotions to follow...

46
The Traditional Approach to Data...
  • MONTH 2
  • Incidents: 11
  • Last Month: 8
  • Change: 38% (bad)
  • Comments: Get it together! Get tough! No more
    Mr. Nice Guy! Increase training! Threats and
    Warnings follow...

47
The Traditional Approach to Data...
  • MONTH 3
  • Incidents: 12
  • Last Month: 11
  • Change: 9% (bad)
  • Comments: See attached trend analysis...

48
The Big Gear Syndrome
49
Trend Analysis
  • Comments: You have lost control of your people,
    didn't you see it coming? Emergency Training!
    Reprimand! One more increase and you're fired!

50
What a Traditional Manager might do...
51
The present process may not be capable...
In here!
the Voice of the Process
the Voice of the Boss
52
An Improvement is ...
  • A reduction in the degree of variation
  • An adjustment (shift up or down) in the middle
    value
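
Added example, not part of the original presentation: the four monthly incident counts from slides 45-47 run through an individuals (XmR) control chart, a standard statistical process control technique the slides do not name, to separate common-cause variation from a special-cause signal. Four points give only provisional limits, and the 19-incident month is a constructed value.

```python
from statistics import mean

# Standard XmR chart constant: 3 / d2, with d2 = 1.128 for moving ranges of size 2.
XMR_FACTOR = 2.66

# Monthly incident counts from the slides: "last month" 10, then months 1-3.
SLIDE_COUNTS = [10, 8, 11, 12]


def month_over_month(counts):
    """Percent change versus the previous month (the traditional view)."""
    return [round(100 * (cur - prev) / prev) for prev, cur in zip(counts, counts[1:])]


def natural_process_limits(baseline):
    """Return (centre, lower, upper) limits computed from the data itself."""
    if len(baseline) < 2:
        raise ValueError("need at least two points to form a moving range")
    moving_ranges = [abs(cur - prev) for prev, cur in zip(baseline, baseline[1:])]
    centre = mean(baseline)
    spread = XMR_FACTOR * mean(moving_ranges)
    # Incident counts cannot be negative, so clamp the lower limit at zero.
    return centre, max(0.0, centre - spread), centre + spread


def classify(count, limits):
    """Label one observation as routine variation or a signal worth investigating."""
    _, lower, upper = limits
    return "special cause" if count < lower or count > upper else "common cause"


if __name__ == "__main__":
    limits = natural_process_limits(SLIDE_COUNTS)
    print("month-over-month %:", month_over_month(SLIDE_COUNTS))
    print("centre %.2f, limits %.2f to %.2f" % limits)
    for month, count in enumerate(SLIDE_COUNTS):
        print(month, count, classify(count, limits))
    # Constructed value, not from the slides: a month far outside the limits.
    print("constructed month with 19 incidents:", classify(19, limits))
```

The -20%, 38% and 9% swings that drove praise and reprimands on the slides all fall inside the limits, so none of them is evidence that the process changed.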

53
The Paperwork Shuffle
54
The Paperwork Shuffle
[Chart: After. Axes: Hours, Occurrences]
55
Some Good Reads...
  • The Fifth Discipline (Senge)
  • The Fifth Discipline Fieldbook (Senge)
  • The Power of Open Book Management (Schuster)
  • Any book on the Malcolm Baldrige criteria

56
Questions?