T1-OPEN
Welcome to Implementing Security Policy as a Quality Process
Lloyd Hasche (Modern Technologies Corp)
Jim Lightfoot (The James Group)
Jim Engelkes (The James Group)
Session Objectives
1. Explain how quality practices can enhance information security implementation
2. Have fun!
Introduction and Purpose
1. Why quality practices for Internet Security
2. Background
3. Requirement – Value added
Value Added
1. Quality is a value of the information process
2. Security is an attribute of Quality (Denning)
3. People are the key agents of the quality process
• Information Professionals need to apply quality management techniques (Stylianou and Kumar)
Quality Attributes (Dorothy Denning)
Utility, Functionality, Effort, Speed, Cost, Reliability, Security
Security must contribute to overall quality and not degrade it
IT professional is the key
Dimensions of IS Quality Stakeholders Implementation Issues
• Customer focus
• Process Approach
• Leadership
• Culture
• Broad partnership and teamwork
• Motivating the troops
• Measurement and Constructive Feedback
• Accountability for results & rewarding achievement
• Self-assessment
Dimensions of IS Quality
In-Process Stakeholders
• Management
• Process Owner
• Process Participants
End-of-Process Stakeholders
• Internal Customers
• External Customers
[Diagram: Information Systems Quality (Infrastructure Quality, Software Quality, Data Quality, Information Quality, Administration Quality, Service Quality); Quality of Business Processes Supported by IS; Enterprise Quality]
A Quote ...
“There is nothing more inefficient than doing efficiently that which should not be done at all.”
Peter Drucker
Quality Improvement Defined ...
“..... a strategic, integrated management system for achieving customer satisfaction which involves all managers and employees and uses quantitative methods to continuously improve an organization’s processes.”
Another Definition
Quality is what makes it possible for a customer to have a love affair with your product or service. Telling lies, decreasing the price or adding features can create a temporary infatuation. It takes quality to sustain a love affair. Therefore it is necessary to remain close to the person whose loyalty you wish to retain. You must ever be on the alert to understand what pleases the customer, for only customers define what constitutes quality. The wooing of the customer is never done.
Myron Tribus
Why We Need To Change
“The price of gaining knowledge is nothing compared to the cost of ignorance.”
Anonymous
[Figure labels: Profit; (COPQ); Theoretical costs, i.e., Cost of Doing the Right Things Right the First Time]
Some Common Reactions
• “It’s common sense.”
• “Good management produces good quality.”
• “I know all of this.”
• “I know my business; Don’t tell me how to do it.”
• “No need for change. We do it just fine now.”
• “Doesn’t apply to my area.”
• “We don’t produce products; We don’t have customers.”
• “There is no way to change.”
A Quote ...
“A high-priced man does just what he is told and with no back talk ... when your manager tells you to walk, you walk; when he tells you to sit down, you sit down ...”
FREDERICK TAYLOR
Management by Results: The negative side
• When standards are unattainable, “games” are played and figures “juggled”
• Fear tends to be the motivator
• Fosters “play it safe” or “blame it on them” behavior
• The organizational “box” becomes the customer
• Production that exceeds standards is stored so it can be used another day
• Fight “fires”, but never understand the process that caused the fire
• Exhorting the masses
Common Principles
DEMING - CROSBY - JURAN
• Internal and external customers define quality
• Management creates a quality culture
• Quality is prevention-based rather than inspection-based
• Systems and statistical thinking
• Team approach
• Continuous improvement of processes
• Education and training is vital
• An empowered workforce
• A paradigm shift
A Process is ...
“A series of sequentially oriented, repeatable operations having both a beginning and an end which generates either a product or service.”
– It can be any set of conditions, causes, or inputs that work together to produce a given result or output.
– Management is the ultimate owner of the process
The Current Process
– INCREASED COST
– BURNOUT
– DELAY
– LACK OF PRIDE
94% of defects are caused by a common cause (the system)
6% of defects are caused by special causes (people or events)
From “Out Of The Crisis” by W.E. Deming
[Diagram labels: UPSTREAM, PROCESS, PRODUCT, INSPECTION (PASS / FAIL), CUSTOMER, REWORK, SCRAP, DOWNSTREAM]
“We need to Change our Thinking”
OLD THINKING
• Work on Results
• Short-Term
• Authoritarian
• Status Quo
• Fear
• Conformity to Specifications
• Individuals Caused Defects
NEW THINKING
• Work on Processes
• Long-Term
• Participative
• Continuous Improvement
• Open Atmosphere
• Customer Defined
• Process Caused Defects
When Use of Measurement Drives Improvement ...
[Diagram labels: QUALITY IMPROVEMENT AND PRODUCTIVITY; MEASUREMENT]
When Desire for Improvement Drives Measurement ...
[Diagram labels: MEASUREMENT; QUALITY IMPROVEMENT AND PRODUCTIVITY]
Key Quality Characteristics (KQC)
Work with your customer to get an operational definition for the KQC.
If the customer names getting your service or product on time as their KQC, what is “on time”?
Get your customer to help define “on time”.
Customer Expectations
Levels of customer expectations about quality
– ONE - Assumed
– TWO - Satisfied
– THREE - Delighted
– FOUR - ????
Process flow charts are used to ...
• Understand a system or process
• Verify or clarify work processes
• Identify customers/supplier relationships
• Identify value-added work
• Identify potential problems or opportunities for improvement
• Eliminate redundant steps
Value / Cost Added
[Flow chart, steps marked as Value Added or Cost Added Only. Box labels: Originator; Type Eval; Check (OK / NOT OK); Send to HR; File in Personal record]
“The Questioning Technique”
Analyze the process in its entirety, then ask the following questions about each task or step:
WHAT:
– Why is it done at all? / Why is it necessary? / Why not eliminate it?
WHERE:
– Why is it done there? / Why not change the place? / Why not change the sequence? / Why not combine?
WHO:
– Why does the person do it? / Why not change the person? / Why not change the sequence? / Why not combine?
HOW:
– Why is it done this way? / Why not do it a different way? / Why not improve it? / Why not make it easier?
Process Flow Chart Diagram
[Humorous flow chart with YES / NO branches. Decision boxes: Does the damn thing work? Did you mess with it? Does anyone know? Will you catch hell? Can you blame anybody else !!! Outcome boxes: Don't mess with it; You dummy; Hide it!; You poor victim !!!; The hell with it; No problem !!!]
A Message To Leaders
“If I had to reduce my message to management to just a few words, I’d say it all had to do with understanding and reducing variation.”
W. Edwards Deming
Basic Concepts
• Variation is inherent in all processes
• Individual fluctuations are random in nature
• Stable processes fluctuate within predictable boundaries
• Unstable processes do not fluctuate randomly
• There are two kinds
The Traditional Approach to Data...
MONTH 1
Incidents: 8
Last Month: 10
Change: -20% (good)
Comments: Good Job! Way to Go! Congratulations! Awards and Promotions to follow...
The Traditional Approach to Data...
MONTH 2
Incidents: 11
Last Month: 8
Change: +38% (bad)
Comments: Get it together! Get tough! No more Mr. Nice Guy! Increase training! Threats and Warnings follow...
The Traditional Approach to Data...
MONTH 3
Incidents: 12
Last Month: 11
Change: +9% (bad)
Comments: See attached trend analysis...
The “Big Gear” Syndrome
What happened?
I don’t know. I’ll go find out.
What are you doing about this?
I’ll get back to you with a plan.
What’s going on? Why did this happen? What are we going to do?
I’m looking!
We’re looking!
Trend Analysis
Comments: You have lost control of your people, didn’t you see it coming? Emergency Training! Reprimand! One more increase and you’re fired!
[Chart: Incidents by month, Month 1 to Month 3, vertical axis from 8 to 12]
What a Traditional Manager might do...
[Chart: Commitments Met (%) against Time in Weeks, annotated with the manager's reactions: “Good job!”, “Watch out!”, “What are you doing about this?”, “That’s better!”, “You’re fired!”]
An Improvement is ...
• A reduction in the degree of variation
• An adjustment (shift up or down) in the middle value
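The monthly reports earlier in the deck treat every change in the incident count as a signal. As an added example (not part of the original slides), the Python below applies an individuals and moving range (XmR) control chart, a standard statistical process control technique the slides do not name, to the deck's own counts (10, 8, 11, 12) and to one constructed later month, pairing the percentage the traditional report shows with the control-chart verdict. Four points is far too short a baseline for dependable limits; they are used only because they are the figures on the slides.

```python
from statistics import mean

XMR_FACTOR = 2.66  # 3 / d2, where d2 = 1.128 for moving ranges of two points

def xmr_limits(baseline):
    """Centre line and natural process limits of an individuals (XmR) chart."""
    if len(baseline) < 2:
        raise ValueError("need at least two points to form a moving range")
    moving_ranges = [abs(b - a) for a, b in zip(baseline, baseline[1:])]
    centre = mean(baseline)
    spread = XMR_FACTOR * mean(moving_ranges)
    # Incident counts cannot go below zero, so clamp the lower limit.
    return centre, max(0.0, centre - spread), centre + spread

def review(baseline, months):
    """Pair the month-over-month change with the control-chart verdict.

    months is a list of (label, count). The first entry only seeds the
    percentage calculation and gets no row of its own.
    """
    _, lower, upper = xmr_limits(baseline)
    rows = []
    for (_, prev), (label, count) in zip(months, months[1:]):
        # The "traditional" figure: percent change against last month.
        change_pct = round((count - prev) / prev * 100) if prev else None
        inside = lower <= count <= upper
        rows.append((label, count, change_pct,
                     "common cause" if inside else "special cause"))
    return rows

# Counts taken from the slides: the month before Month 1, then Months 1-3.
SLIDE_MONTHS = [("Prior month", 10), ("Month 1", 8),
                ("Month 2", 11), ("Month 3", 12)]
# Constructed value, not from the slides: a month that breaks the limits.
CONSTRUCTED_MONTH = ("Month 4", 19)
BASELINE = [count for _, count in SLIDE_MONTHS]

if __name__ == "__main__":
    centre, lower, upper = xmr_limits(BASELINE)
    print(f"centre {centre:.2f}, limits {lower:.2f} to {upper:.2f}")
    for label, count, change, verdict in review(
            BASELINE, SLIDE_MONTHS + [CONSTRUCTED_MONTH]):
        print(f"{label}: {count} incidents ({change:+d}%) -> {verdict}")
```

The -20%, +38% and +9% swings from the slides all fall inside the limits, so praise or reprimand for them is a reaction to routine variation; only the constructed Month 4 calls for a search for a specific cause.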
Some Good Reads...
• The Fifth Discipline (Senge)
• The Fifth Discipline Field Book (Senge)
• The Power of Open Book Management (Shuster)
• Any book on the Malcolm Baldrige criteria