Six Sigma for Security, Part 5: Staying in Control

After you have moved through the define, measure, analyze, and improve stages of your Six Sigma for Security project, you are ready to move into the control phase. Your security operations should always operate in the control phase. If so, the control phase for Six Sigma is merely a matter of adding your improvements into your existing controls.

Here are some tools that you may find helpful in the control phase:

• Control matrices
• CTQ dashboards
• Control charts
• Performance graphs

The more of your metrics you can automate, the more successful you will be in the control phase. If you have to spend time every week or every month to pull data, manipulate it, and report on it, you will quickly stop measuring. Use Excel and Access extensively to make routine measurement and reporting a snap.

The control phase does not use the detailed analysis tools used earlier in the Six Sigma project. It only reports on the results. If you find that you are no longer meeting your targets in any CTQ goal, go back through the Six Sigma process again to see what caused the change. You may have something influencing the process causing variation, or the quantity of work may require you to re-examine resource allocation.

Have you made it this far through the Six Sigma for Security process? How has it worked for you?

Six Sigma for Security, Part 4: Making Improvements

You have made your security program measurable. You have identified problem areas that keep you from meeting targets in your critical to quality (CTQ) goals. Now it is time to move on to making improvements and measuring their effectiveness.

One of the great things about Six Sigma is that improvements are tied to specific metrics, with a goal to reduce variation and improve your average. To make this work, continue with your CTQ goals, tied to root causes for problems within those goals. Each improvement project should be tied to these root causes. This is the first stage of the project in which you get to look at solutions.

One of the easiest ways to identify the best improvement opportunities is brainstorming. For each root cause problem, work with a team to list as many solutions as possible. They don't have to be practical or affordable. Your goal is to find as many creative solutions as possible. When working with a team, ask the team not to place any value judgment on any of the solutions. Instead, rapidly throw out ideas and keep moving.

Next rank each improvement idea in each root cause area according to the following attributes, such as on a scale from 1 to 4:

• Ease - Rate each improvement on how easy it is to implement. You are looking for quick wins.
• Impact - Rate the likeliness of the solution solving the root cause problem. You may find good solutions, but they may not be for the problems you are trying to address. Make sure you are tying it to the root cause.
• Affordability - Rate how affordable this solution is.

Multiply the above factors together to create a score for each improvement idea. The top scores are your best choices to make measurable improvements. They combine positive impact with ease of implementation and affordability. By tackling improvement ideas starting with the highest score, you can use your limited resources in the most effective way.

After implementing each improvement, measure again and see if your CTQ metrics have improved. If they have improved dramatically, congratulations. You have found the best solution. If they have improved slightly, try moving down your list of improvements to see if the next solution will help.

It is important to note that not every idea on your improvement list should be implemented. Only the top scoring ideas. The other ideas have less impact, take too long, or are too expensive. After trying your top improvement ideas, discard your list and start over to find valuable solutions.

Finding the best, measurable improvement opportunities for security management departments is important. Companies keep security lean. Six Sigma for Security will help you to make the best use of your time and resources.

Six Sigma for Security, Part 3: Analyzing the Data

Making security measurable is only the beginning of Six Sigma for Security. The purpose of security metrics is not the metrics themselves but what you do with them. The next phase is to analyze the data and find opportunities for improvement.

The analysis phase is what makes Six Sigma stand out. In it you will use statistics to find where you can make improvements. There are two improvements in your measurements that are important: 1) average performance; and 2) variation.

Your average performance is an important measurement because it allows you to track and trend how well you are doing at protecting information assets. But performance may vary widely around an average. For example if your average turn around on a user termination is 15 days, it may be that half of your requests are 30 days. Some may even linger for 90 days. This is very wide variation around the 15 day average.

Your goal in the analysis phase is to quantify variation and identify factors that can positively influence your performance. This is accomplished by using a variety of statistical analysis tools.

One of the most popular and easy-to-use tools is Pareto analysis, which allows you to quickly find the biggest problem areas in your metrics. It also results in a distinctive chart that shows you frequency and a cumulative percentage to visually quantify the impact of improvements.

Analysis is one of the most challenging phases of Six Sigma. Until now the process has been very consistent and predictable. In this phase, you may try analyzing data one way, find nothing worthwhile, and try it again in several different ways. It is a trial and error process in which you don't stop until you find something of significance that can lead to improvement.

At the end of the analysis phase you should end up with root causes for problem areas in your security metrics. If you are confident that you have arrived at the root cause, you are ready to move on to the improvement phase.

Learn more about Six Sigma tools on Wikipedia.

Six Sigma for Security, Part 2: Measuring

After you have defined the Critical to Quality (CTQ) goals of your security program, the next step is to determine how to measure them. Creating a measurement plan for security is like creating a scoreboard. It allows you to gauge at any time how successful you are and your level of protection.

Keep in mind that at the outset of this Six Sigma project we determined that we would not just measure the results of security, which should be few and far between. Instead, we are focusing on measuring the level of protection.

In the measurement phase, we take the four CTQ goals and create a measurement plan for each. Here are sample metrics you may decide to capture.

Policy

• Annual review/approval of policy completed
• Percentage of policies with corresponding controls
• Number of policy exceptions documented
  

Process

• Percentage of controls followed as scheduled
• User access management SLAs
• Incident response times

Partnerships

• Number of security awareness sessions completed
• Number of monthly cross-department meetings completed
• Number of customer contacts made

Payoff

• Internal policy violations
• Security incidents resulting in loss
• Virus/malware incidents
• Compliance gaps

These measurements should get you started. To determine your measurements, brainstorm to create a list of everything that would be nice to measure. Then decide which three or four are the essential metrics. If you have more than three or four measurements for each CTQ, you will quickly be overwhelmed with data.

The next step in building your measurement plan is to identify the data source for each of the metrics. You may find that you don't have a good source of data for some. In these cases, consider ways to begin capturing it now. You may simply use a data collection worksheet to keep track. Keep it simple, but automate it whenever possible.

With your CTQ goals defined, your metrics for each determined, and your data sources identified, you are ready to begin collecting data. For some measurements, you will be able to retrieve historical data and begin your analysis immediately. For new data sources, you may need to capture data for a month or two before you have enough information for analysis.

Complete your measurement plan and capture data as soon as possible. This should be the quickest phase of the Six Sigma for Security project. It will establish a baseline that allows you to set your goals for improvement. It will also allow you to move into one of the most interesting phases -- analysis.

What are some of the metrics you are using to keep score for your CTQ goals?

Six Sigma for Security, Part 1: Defining Success

How do you measure the effectiveness of your security program? Unlike business metrics which have tangible goals, such as revenue growth, inventory reduction, and sales force effectiveness, security's goal is to prevent internal and external breaches. Your goal in security should be to have nothing to measure - no virus attacks, no external breaches, no successful social engineering attacks, no insider exploits.

Although measurement of security incidents and related losses has value, it is not sufficient for measurement of security effectiveness or for justifying the cost of security investment. It is important to have a different standard for making security measurable.

Instead of measuring loss, this article proposes measuring prevention. Security management changes over time, but it is generally accepted to consist of a set of best practices for prevention of business loss caused by security breaches. If you do well at following the standards established by ISO27001, ITIL, ISM3, or CoBIT, you will have exercised due care and will have have provided excellent protection for your information.

But how do you know how well you are doing in following these standards? This is where Six Sigma comes in. Six Sigma is an improvement process that is commonly used in manufacturing. In recent years it has been applied to various types of businesses. The goal of Six Sigma is to define how to measure success, measure the current performance, analyze the data to find root causes of problems, implement improvement projects and test their effectiveness, and move newly implemented processes and practices into a controlled phase. To remember this project life cycle, the acronym DMAIC is used. It stands for:

• Define
• Measure
• Analyze
• Improve
• Control

Applying Six Sigma to security management means walking through the DMAIC process. The most critical stage is the Define stage, where the Critical to Quality (CTQ) goals are defined. These goals are carried through the process and are used to measure success. For most uses of Six Sigma, CTQ goals are defined by finding the voice of the customer. In security management, because of the growing body of knowledge and best practices, they are easier to define.

Consider these four CTQ goals for measuring your security program. They are especially geared toward measuring how well you are performing standard best practices in security management.

1. Policy - Measuring the quality and enforceability of your security policies
2. Processes - Measuring how well you follow defined practices according to the standards you adopt
3. Partnerships - Measuring your efforts to build relationships with other departments and customers
4. Payoff - Measuring incidents and resulting business loss

With the CTQ goals of security defined, the next step is to create a plan for measuring them and begin capturing this data.

These CTQ goals for security are generic. Do they work for your security organization? Please share your comments.

Privacy on the Web, Part 4: How to Hide from Web Beacons

Why would I want to hide from web beacons and consolidated web traffic analysis? I don't have anything to hide. We each make decisions about how much privacy and security to give up to gain convenience. The settings in web browsers - to save passwords, accept third party cookies, and keep authenticated sessions persistent over many days and across many sites - make using the web easier. For some people this is an acceptable trade off. For others it is a more serious matter.

You may want to consider some privacy measures if you are:

• A regular user who wants to keep your web browsing habits out of the hands of marketers
• A parent who wants additional protection for your children online by hiding their IP address
• A member of the military or are involved in covert activities
• A citizen in a country that monitors the web and enforces information standards
• A whistle blower who wants to remain anonymous
  
• A journalist, writer, or blogger who publishes sensitive information
• An activist concerned about privacy
  

At the most basic level, hiding from web beacons is as easy as turning off cookies in your web browser. Unfortunately, many web sites won't work if you do not enable cookies. You can limit the exposure of your web browsing by clearing your cookies frequently, such as each time you close your web browser. This segments the trail of information about your web surfing habits and makes your browsing less identifiable across web sites and over a period of time.

This approach only helps to reduce your exposure to web beacons. It does not protect the normal web traffic that is part of the HTTP protocol. HTTP traffic is the network information that passes from your web browser, over the Internet, to a web server, and back again. It is what makes the web work. Each request contains your IP address and the page you are requesting. It also contains the web address of the web site you visited, if you clicked on a link to get there.

If you are really serious about web privacy and feel that you need to hide from web beacons and HTTP traffic analysis, you need a complete solution that bounces your web traffic off of several relays and manages cookies. One solution for this is Tor and Privoxy.

Tor is short for "The Onion Router". It uses relays distributed across the Internet to hide your HTTP traffic from the web sites you visit. When configured correctly, it provides a high degree of privacy on the web. It does not, however, provide protection from web beacons, which run from the content of the web pages, usually using Javascript.

Privoxy provides a flexible solution for handling of cookies and blocking various types of content. When used with Tor, it provides the content-level privacy from web beacons.

Both Tor and Privoxy are freely available, but they may require some time to learn and configure correctly. There are also commercial solutions available that may simplify the setup and configuration.

How much web anonymity is right for you? You need to decide the right balance of convenience and privacy for yourself. When writing this series of posts, I tried some of the measures described here, but found that I'm more in favor of convenience. I have gone back to allowing cookies, web beacons, and HTTP traffic that can be traced to me.

How much privacy is right for you? Please share your thoughts in the comments section.