Quality Control Tools Training


Welcome to
Implementing Security Policy
as a Quality Process
Lloyd Hasche (Modern Technologies Corp)
Jim Lightfoot (The James Group)
Jim Engelkes (The James Group)
T1-OPEN
Session Objectives
1. Explain how quality practices can enhance
information security implementation
2. Have fun!
Introduction and Purpose
1. Why quality practices for Internet Security
2. Background
3. Requirement – Value added
Value Added
1. Quality is a value of the information process
2. Security is an attribute of Quality (Denning)
3. People are the key agents of the quality process
• Information professionals need to apply quality management techniques (Stylianou and Kumar)
Quality Information Process
• Vq = f(Content, Open, Integrity)
Quality Attributes
(Dorothy Denning)
• Utility
• Functionality
• Effort
• Speed
• Cost
• Reliability
• Security
Security must contribute to overall quality
and not degrade it
IT professional is the key
• Dimensions of IS Quality
• Stakeholders
• Implementation Issues

• Customer focus
• Process Approach
• Leadership
• Culture
• Broad partnership and teamwork
• Motivating the troops
• Measurement and Constructive Feedback
• Accountability for results & rewarding achievement
• Self-assessment
Dimensions of IS Quality
In-Process Stakeholders
• Management
• Process Owner
• Process Participants
End-of-Process Stakeholders
• Internal Customers
• External Customers
[Diagram labels: Infrastructure Quality; Administration Quality; Information Systems Quality; Software Quality; Data Quality; Service Quality; Information Quality; Quality of Business Processes Supported by IS; Enterprise Quality]
Conclusion:
• Quality practices are key to success in information security implementation
A Quote ...
• “There is nothing more inefficient than doing efficiently that which should not be done at all.”
Peter Drucker
Quality Improvement Defined ...
“..... a strategic, integrated
management system for achieving
customer satisfaction which
involves all managers and
employees and uses quantitative
methods to continuously improve
an organization’s processes.”
Another Definition
Quality is what makes it possible for a customer to have
a love affair with your product or service. Telling lies,
decreasing the price or adding features can create a
temporary infatuation. It takes quality to sustain a love
affair.
Therefore it is necessary to remain close to the person
whose loyalty you wish to retain. You must ever be on
the alert to understand what pleases the customer, for
only customers define what constitutes quality. The
wooing of the customer is never done.
Myron Tribus
Two Perspectives...
Hardware vs. Software
What are the functions of
leadership?
Why We Need To Change
[Figure labels, shown twice: Profit; (COPQ); Theoretical costs, i.e., Cost of Doing the Right Things Right the First Time]
“The price of gaining knowledge is nothing
compared to the cost of ignorance.”
Anonymous
Some Common Reactions
• “It’s common sense.”
• “Good management produces good quality.”
• “I know all of this.”
• “I know my business; Don’t tell me how to do it.”
• “No need for change. We do it just fine now.”
• “Doesn’t apply to my area.”
• “We don’t produce products; We don’t have customers.”
• “There is no way to change.”
Traditional Management Philosophies
• Taylorism
• Management by Objectives / Results (MBO / MBR)
A Quote ...
• “A high-priced man does just what he is told and with no back talk ... when your manager tells you to walk, you walk; when he tells you to sit down, you sit down ...”
FREDERICK TAYLOR
How many ideas have your XY’s
generated?
Management by Results: The negative side
• When standards are unattainable “games” are played and figures “juggled”
• Fear tends to be the motivator
• Fosters “play it safe” or “blame it on them” behavior
• The organizational “box” becomes the customer
• Production that exceeds standards is stored so it can be used another day
• Fight “fires”, but never understand the process that caused the fire
• Exhorting the masses
Common Principles
DEMING - CROSBY - JURAN
• Internal and external customers define quality
• Management creates a quality culture
• Quality is prevention-based rather than inspection-based
• Systems and statistical thinking
• Team approach
• Continuous improvement of processes
• Education and training is vital
• An empowered workforce
• A paradigm shift
“Systems Thinking and Puzzles”
A Process is ...
“A series of sequentially oriented, repeatable
operations having both a beginning and an end
which generates either a product or service.”
– It can be any set of conditions, causes, or inputs that
work together to produce a given result or output.
– Management is the ultimate owner of the process
Deming Nugget
• “I burn the toast, Jim scrapes it, and by God, we get it out.”
Dr. W. Edwards Deming
The Current Process
[Diagram labels: UPSTREAM; PROCESS; PRODUCT; INSPECTION (PASS / FAIL); REWORK; SCRAP; CUSTOMER; DOWNSTREAM. Annotations: INCREASED COST; LACK OF PRIDE; BURNOUT; DELAY]
94% of defects are caused by a common cause (the system)
6% of defects are caused by special causes (people or events)
From “Out Of The Crisis” by W.E. Deming
“We need to Change our Thinking”
OLD THINKING
• Work on Results
• Short-Term
• Authoritarian
• Status Quo
• Fear
• Conformity to Specifications
• Individuals Caused Defects
NEW THINKING
• Work on Processes
• Long-Term
• Participative
• Continuous Improvement
• Open Atmosphere
• Customer Defined
• Process Caused Defects
Open Book Management
• If you want employees to act like owners you need to treat them like owners.
When Use of Measurement Drives Improvement ...
[Diagram labels, in order: MEASUREMENT; QUALITY IMPROVEMENT AND PRODUCTIVITY]
When Desire for Improvement Drives Measurement ...
[Diagram labels, in order: QUALITY IMPROVEMENT AND PRODUCTIVITY; MEASUREMENT]
Identify customers
• Internal
• External
• Ultimate
Tools to Determine Customer Requirements
• COPIS
• Focus groups
• Personal interviews
• Surveys
Do surveys tell all?
• Who wrote your survey?
• The most important numbers are unknown
Key Quality Characteristics (KQC)
• Work with your customer to get an operational definition for the KQC.
• If the customer names "on time" delivery of your service or product as their KQC, what is "on time"?
• Get your customer to help define "on time".
Operational Definition
In the bleachers/Steve Moore
Customer Expectations
• Levels of customer expectations about quality
– ONE - Assumed
– TWO - Satisfied
– THREE - Delighted
– FOUR - ????
Process flow charts are used to ...
• Understand a system or process
• Verify or clarify work processes
• Identify customer/supplier relationships
• Identify value-added work
• Identify potential problems or opportunities for improvement
• Eliminate redundant steps
Value / Cost Added
[Flowchart with steps marked Value Added or Cost Added Only. Labels: Type Eval; Originator; Check (OK / NOT OK), repeated four times; Send to HR; File in Personal record]
“The Questioning Technique”
Analyze the process in its entirety, then ask the following questions about each task or step:
• WHAT:
– Why is it done at all? / Why is it necessary? / Why not eliminate it?
• WHERE:
– Why is it done there? / Why not change the place? / Why not change the sequence? / Why not combine?
• WHO:
– Why does the person do it? / Why not change the person? / Why not change the sequence? / Why not combine?
• HOW:
– Why is it done this way? / Why not do it a different way? / Why not improve it? / Why not make it easier?
Process Flow Chart Diagram
[Flowchart with YES / NO branches. Box labels: Does the damn thing work?; Don't mess with it; Did you mess with it?; You dummy; Does anyone know?; Hide it!; Will you catch hell?; You poor victim !!!; Can you blame anybody else !!!; No problem !!!; The hell with it]
“Paperwork Shuffle” Flowchart
A Quote
• “It is a capital mistake to theorize before one has data.”
Arthur Conan Doyle
A Message To Leaders
• “If I had to reduce my message to management to just a few words, I’d say it all had to do with understanding and reducing variation.”
W. Edwards Deming
Basic Concepts
• Variation is inherent in all processes
• Individual fluctuations are random in nature
• Stable processes fluctuate within predictable boundaries
• Unstable processes do not fluctuate randomly
• There are two kinds
Example
The Traditional Approach to Data...
MONTH 1
• Incidents: 8
• Last Month: 10
• Change: -20% (good)
• Comments: Good Job! Way to Go! Congratulations! Awards and Promotions to follow...
The Traditional Approach to Data...
MONTH 2
• Incidents: 11
• Last Month: 8
• Change: +38% (bad)
• Comments: Get it together! Get tough! No more Mr. Nice Guy! Increase training! Threats and Warnings follow...
The Traditional Approach to Data...
MONTH 3
• Incidents: 12
• Last Month: 11
• Change: +9% (bad)
• Comments: See attached trend analysis...
The “Big Gear” Syndrome
[Cartoon speech bubbles: “What happened?”; “What are you doing about this?”; “I don’t know. I’ll go find out. I’ll get back to you with a plan.”; “What’s going on?”; “Why did this happen?”; “What are we going to do?”; “I’m looking!”; “We’re looking!”]
Trend Analysis
[Chart: Incidents by month, Month 1 to Month 3]
Comments: You have lost control of your people, didn’t you see it coming? Emergency Training! Reprimand! One more increase and you’re fired!
What a Traditional Manager might do...
[Chart: Commitments Met (%) against Time in Weeks, annotated with the manager's reactions: “Good job!”; “That’s better!”; “Watch out!”; “What are you doing about this?”; “You’re fired!”]
The present process may not be capable...
[Figure labels: “In here!”; the Voice of the Process; the Voice of the Boss]
An Improvement is ...
• A reduction in the degree of variation
• An adjustment (shift up or down) in the middle value
The Paperwork Shuffle
[Chart, BEFORE: HOURS (scale 0 to 60) by OCCURRENCES]
The Paperwork Shuffle
[Chart, AFTER: scale 1 to 7, by OCCURRENCES]
Some Good Reads...
• The Fifth Discipline (Senge)
• The Fifth Discipline Field Book (Senge)
• The Power of Open Book Management (Schuster)
• Any book on the Malcolm Baldrige criteria
Questions?