Real quick: it might be worth noting that I wrote this the weekend before Heartland was announced.
So I was reading this excellent article on Taiichi Ohno and the Toyota Production System over at the Gemba weblog, and something occurred to me: a potentially good reason for a company to use the PCI DSS as the basis for their ISMS.
Jack Jones has been reworking his essential value propositions of the CISO into the following:
- Align Risk to Organizational Risk Tolerance
- Create operational efficiencies
Regular readers will note that #1 there used to be “Reduce Risk”, but there’s such a thing as too much risk reduction, so Jack’s updating it. I like the update; it sounds more like “aligning security to business objectives-y”.
Now when most people think about PCI, they think about “Security”. Mostly because they’re security professionals who have hitched their meal-wagon to PCI DSS. So they focus on PCI DSS being something that will help make you secure. This is obviously nonsense. There is no “secure”; there is only the reduction of the probable frequency with which you will be breached (1).
But what if there’s another reason to adopt PCI as a basis for your ISMS?
THE 5S’S
Japanese Lean management types talk about something called the “5S’s”. Popularized by Hiroyuki Hirano (but whose origins may come from Ford in the 20’s), the (Americanized version of) 5S’s are designed to eliminate waste in production. The 5S’s are:
Sort - remove all items from the workplace that are NOT needed for current production.
Set in Order - arranging needed items so that they are easy to find and put away. Items used often are placed closer to the employee.
Shine - making sure everything is clean, functioning, and ready to go.
Standardize - the method you use to maintain the first 3S’s.
Sustain - making a habit of properly maintaining correct procedures.
OPTIMIZING PCI-DSS WORKFLOW
Now the idea around the 5S’s is to optimize a manufacturing work space, as that will help reduce operational costs. But take a good look at the last two “S’s”, Standardize and Sustain. They suggest that if you focus on building processes that emphasize these elements, increased operational efficiency will follow.
So could we say that the PCI DSS is allowing us all to Standardize the controls we have in our work place (the network)? We have different vendors and different rigor in implementation, but we are getting the beginnings of a homogenized environment of controls (Monoculture?) that could lead to the development of efficiencies. Moreover, in developing the right procedures and guidelines for sustainability, it will be easy to spot areas where the resources required to maintain the controls specified by PCI DSS can be reduced further.
(note: this would also apply to any ISMS - as long as a significant sub-culture/cottage industry arises from it. ISO 27001 might be another example.)
ALEX’S 5S’S FOR ISMS MANAGEMENT
Can we use the 5S’s in how we manage risk? I think so. Here’s something I put together that uses the spirit of the 5S’s from manufacturing and applies it to the CISO role:
SORT/SEGMENT - The idea here is to remove the extraneous so that you can have laser-beam focus on the systems that house the sensitive data itself. That means segmenting networks (part of PCI DSS) and controls that identify and remove (or prevent) critical data from appearing on undesirable systems (like laptops, home systems, or vendor systems).
SET IN ORDER - The Toyota employee has their relevant tools at hand to do the job. In Information Security, we should be making relevant control data accessible and easy to understand (SIEMs and GRC aren’t the only or even the best solution here).
SIMPLIFY - Complexity is the enemy of security. Make the flow of sensitive data as simple to manage as possible.
STANDARDIZE - Create the processes and guidelines that allow the security department to operate in a consistent fashion. Everyone should know exactly what their responsibilities are, which also makes transitioning staff easier if/when that happens. In the current state of the industry, we could also apply the “Standardize” concepts to metrics & definitions.
SUSTAIN - Develop the risk management capability metrics and measurements that allow you to understand if you are sustaining your processes, and to what level they are sustained (and then ideally, how that level of sustained process impacts your exposure to risk).
Many of these are common sense, but the best suggested practices I’ve seen are short on discussing why they should be effective (in either an inductive or deductive manner). This at least gives us a basis, or even something as silly as a “mantra”, to match these regulatory pressures to.
Finally, these aren’t a real replacement for what I believe is the most effective way to run a security department; an inductive, measured approach based on risk. But if you are forced to construct solutions based on an architecture for security management that is less than optimal, these concepts might just help you master the ISMS, rather than the other way around.
======================
(1)And we’re starting to see that we can expect at least one or two of the companies that have PCI pressures (regardless of “compliance” state of nature) being breached in any given year (roughly).