Using Six Sigma to Determine Risk Management Focus. Joyce Zerkich, CPHIMS, MBA, PMP Project Manager/Scrum Master, RelWare

Size: px

Start display at page:

Download "Using Six Sigma to Determine Risk Management Focus. Joyce Zerkich, CPHIMS, MBA, PMP Project Manager/Scrum Master, RelWare"

Jerome Wilkinson
5 years ago
Views:

1 Using Six Sigma to Determine Risk Management Focus Joyce Zerkich, CPHIMS, MBA, PMP Project Manager/Scrum Master, RelWare

2 It is difficult to obtain agreement at times to fund If

3 Topic Focus This session will present a brief overview of using Six Sigma to formulate a Risk Management Plan you can explain to others

Introduction of Speaker Joyce Zerkich, PMP, MBA, CPHIMS 20 years experience focused on improving enterprise information technology delivery by

4 Introduction of Speaker Joyce Zerkich, PMP, MBA, CPHIMS 20 years experience focused on improving enterprise information technology delivery by means of strategic planning, risk management, security, change management, website development, EMR development, and program/project management

5 Session Objectives Six Sigma and DMAIC Brief Overview Tools to Use Write the Recommendation

6 What is Six Sigma? The short-term sigma levels correspond to the following long-term values: One Sigma = 690,000 DPMO = 31% efficiency Two Sigma = 308,000 DPMO = 69.2% efficiency Three Sigma = 66,800 DPMO = 93.32% efficiency Four Sigma = 6,210 DPMO = % efficiency Five Sigma = 230 DPMO = % efficiency Six Sigma = 3.4 DPMO = % efficiency

7 What is DMAIC? Define: Know the Requirements Measure: Current State and Future State Analyze: Understand the Gap between Current & Future State Improve: Plan to bridge the gap Control: Govern what must be done to maintain future state

8 It is all about continuous improvement Define Measure Analyze Improve Control What are The risks? What is the cost if it occurs? Rank all by cost, time, etc Prioritize what steps to take next As time moves on, update the plan

9 Session Objectives Six Sigma and DMAIC Brief Overview Tools to Use Write the Recommendation

Jul-00 Aug-00 Sep-00 Oct-00 Nov-00 Dec-00 Jan-01 Feb-01 Mar-01 Apr-01 May-01 Jun-01 Jul-01 Aug-01 Sep-01 Oct-01 Nov-01 Dec-01 Jan-02 Feb-02 Mar-02 Apr-02 May-02 Jun-02 Jul-02 Aug-02 Sep-02 Oct-02

10 Jul-00 Aug-00 Sep-00 Oct-00 Nov-00 Dec-00 Jan-01 Feb-01 Mar-01 Apr-01 May-01 Jun-01 Jul-01 Aug-01 Sep-01 Oct-01 Nov-01 Dec-01 Jan-02 Feb-02 Mar-02 Apr-02 May-02 Jun-02 Jul-02 Aug-02 Sep-02 Oct-02 Nov-02 Dec-02 Run Time - Sec These may be Tools You already use Voice of the Customer (VOC) Process Map Run Chart FMEA METAPHASE PERFORMANCE Monthly Average "omfcl" Run Times - Sec PDCMP1 PDCMP3 CARMP1 U1MP01 G1MP01 PDCMP2 Target Performance improvements on PDCMP1 & PDCMP3 resulting from moves to new hardw are. Target: <

11 Voice of the Customer Define Measure Analyze Improve Control What intrusions Can be eliminated That cause network failure? Voice of the Customer

12 Voice of the Customer How did we get the requirement? Requirement Voice of the Stakeholder Measure CTQ? Director, Security Packet transfer into and out of the corporate firewall 2 Yes Director, Security Network Failures 1 Yes Regulation Requirement Analysis Director, Security 3 No

13 Voice of the Customer(s) 2

14 Run Charts Define Measure Analyze Improve Control Voice of the Customer What do things really look like? Run Charts

15 IT Security utilizes the run chart to Measure many Types of data Which of the following key data elements does your organization collect? Viruses detected in user files 92.3% Viruses detected in messages 92.3% Invalid logins (failed password) 84.6% Intrusion attempts 84.6% Spam detected/filtered 76.9% Unauthorized website access (content filtering) 69.2% Invalid logins (failed username) 69.2% Viruses detected on websites 61.5% Unauthorized access attempts (internal) 61.5% Admin violations (unauthorized changes) 61.5% Intrusion successes 53.8% Unauthorized information disclosures 38.5% Spam not detected (missed) 38.5% Spam false positives 30.8% Other 23.1%

16 Process Map Define Measure Analyze Improve Control Voice of the Customer Run Charts Is the Risk Acceptable, Transferable, or Reducible? Process Map

Process Maps Process Map #1: packets from the public Internet into the firewall, through the DMZ, to the mail servers, to client Process Map #2: packets

17 Process Maps Process Map #1: packets from the public Internet into the firewall, through the DMZ, to the mail servers, to client Process Map #2: packets from the client, to mail servers, to DMZ through the firewall, to the public Internet Process Map #3: packets from the client, to mail servers, to other clients

18 Int/E xt Process Name: Prepared by: Document No: Customer Approved by: Revision Date: Location: Approved by: Supercedes: Area: R eq't ID C ustom er C ritical to Q uality Requirements (CTQ 's) Approved by: Measurement Method Sample Size Frequency W ho M easures W here R ecorded P age: D ecision R ule/ C orrective Action S O P R eference Im plem entation S igm a V alue D P M O FMEA Define Measure Analyze Improve Control Voice of the Customer Run Charts Process Map How are actions prioritized? FMEA Control Plan for Process Capability CTQ 's

19 FMEA

20 FMEA

21 Session Objectives Six Sigma and DMAIC Brief Overview Tools to Use Write the Recommendation

Int/E xt Process Name: Prepared by: Document No: Customer Approved by: Revision Date: Location: Approved by: Supercedes: Area: R eq't ID C ustom er C ritical to Q uality Requirements (CTQ 's)

22 Int/E xt Process Name: Prepared by: Document No: Customer Approved by: Revision Date: Location: Approved by: Supercedes: Area: R eq't ID C ustom er C ritical to Q uality Requirements (CTQ 's) Approved by: Measurement Method Sample Size Frequency W ho M easures W here R ecorded P age: D ecision R ule/ C orrective Action S O P R eference Im plem entation S igm a V alue D P M O Plan with Measures Define Measure Analyze Improve Control Voice of the Customer Run Charts Process Map FMEA Control Plan for Process Capability CTQ 's

23 Recommendation SAMPLE RISK ASSESSMENT OUTPUT REPORT: Scope: Eliminate intrusion into the system that has caused network failures Process: Transfer of packets into and out of the corporate firewall Out of Scope: Regulation requirement analysis Major threat to: Availability Possible threats: unauthorized internal access, unauthorized external access, "back door" access, computer virus, servers unavailable, WAN unavailable, no disaster recovery plan, no backups, lack of restoration backups, out-of-date backups, unattended workstations, or lack of user security awareness

24 Recommendation Impact rankings: High = system down for more than 5 minutes during EST business hours; loss of > $10M or more Medium = network down for 2-5 minutes during non-est business hours; loss of $5M Low = network down for 1 minute to 2 hours OR after working hours; loss of $1M or less Probability rankings: High = 50% or greater during the year Medium = 25% to 49% during the year Low = 1% to 24% during the year Process detailed: flowchart detailing packet transfers packets from the public Internet into the firewall, through the DMZ, to the mail servers, to client packets from the client, to mail servers, to other clients packets from the client, to mail servers, to DMZ through the firewall, to the public Internet

25 Recommendation Calculated Prioritized Mitigation Plans Costs (per 100 employees): Mitigation Next Steps Cost #1 Anti-virus Purchase etrust Intrusion/detection software $12,396 license fees $10,000 reporting software $ 9, HP Server $ 3,197.4 Norton ($159 per 5) Purchase lock-out software (web surfing prevention) $ 5,650 SurfControl Web 3-yrs High/High $41, hrs to load and test

26 Recommendation Mitigation Next Steps Cost #2 Policy Establish approved user responsibility policy 40 hours Purchase survey software and begin call center surveys $3,300 WebSurveyor, (2 lic. W annual $2,300 fee), 40 hours annually High/High $ hrs #3 Training Develop & Launch security awareness program with a 100 hours to develop, 50 hours to train "home & work" focus for all employees Develop & Launch soft skills training for all call-center employees HP care web training w 200 courses; $1057 per employee, $10,570 for 10 licenses High/High $10, hrs 20 hours per employee annually #4 Back-up data Develop and test data storage $285.7 (10 pkgs w 10 tapes), $2, Sony Tape Drive, 5 hrs weekly/2 High/Low $ hrs #5 Access Control Develop and test separation-of duties policies for all departments 80 hours to develop, 80 hours to launch, 40 hours to test/audit annually High/Low 200 hrs) #6 Recovery Plan Develop and test plan for IT Security 40 hours to develop/launch, 100 hrs to develop/launch, Medium/Low 170 hrs) launch to rest of the business, 30 hrs annually to test/audit #7 Network Metrics Purchase data collection and reporting $508 Crystal Business Objects software to analyze future issues for netw Medium/Low $ hrs 40 hrs to set up reports & learn #8 Phone Metrics Purchase data collection and reporting metrics 120 hours develop utilizing Microsoft Access since only 10 employees Low/Low 120 hrs #9 Project Management require administrative assistance documentation, meetings, etc. ½ admin head count Require: $35,000

27 Recommendation Proposed Project Implementation to mitigate risk: Launch prioritized mitigation plans 1-3 in first quarter, 4-6 in second quarter, and 7-8 in third quarter. Test Access control and recovery plan in fourth quarter annually. Review Network and phone metrics quarterly in year two and going forward along with any recommended changes. One year cycle plan with costs:

28 Closing Thoughts Follow DMAIC Use the Tools Write a human readable recommendation

29 More Information See the HIMSS MEPI Web Page for the tool kit:

30 More Information Burton Group, Burton Group, splay=full#19765 Burton Group, "Security Metrics: Horses for Courses", Fred Cohen, June 2005, splay=full#19736 ISO 17799:2005(E), page 5, Sections 4.1 and Overall Methodology

31 Questions For further information, please contact: Joyce Zerkich,

ACM Retreat - Today s Topics:

ACM Retreat - Today s Topics: Phase II Cyber Risk Management Services - What s next? Policy Development External Vulnerability Assessment Phishing Assessment Security Awareness Notification Third Party