Process Management Foundations of Information Security Series Vicente Aceituno @vaceituno (c)Inovement Europe 2015


Vicente Aceituno

- [email protected] - Skype: vaceituno
- LinkedIn - linkedin.com/in/vaceituno
- Inovement Europe - inovement.es
- Video Blog - youtube.com/user/vaceituno
- Blog - ism3.com
- Twitter - twitter.com/vaceituno
- Presentations - slideshare.net/vaceituno/presentations
- Articles - slideshare.net/vaceituno/documents

Contents: Method, Process, Knowledge Management, Metrics, Reports

Method

The complete definition of how to make a complex activity repeatable, especially if several people collaborate to perform it.

Advantages of using a Method

- Every task is performed consistently, independently of who performs it
- Improvements are identified, quickly spread among the team, and never lost
- Audits become painless, as everything is documented and archived
- Replacing members of the team takes little effort and is fast
- It becomes possible to switch tasks around, normally towards the people who have the minimal skills needed to perform them
- More freedom for the work team for holidays, attending events and courses, which improves motivation and performance and lowers staff turnover


Processes

A set of recurrent tasks that contribute towards the same specific value for the organization.

Process Approach (diagram): Inputs → Process (People, Tools, Knowledge) → Outputs (Deliverables). The process also consumes Energy and Supplies, gives off Heat and Waste, and runs under Environmental Conditions.

Process Approach

- Focus on objective outcomes that can be managed and therefore improved
- Processes are implemented using knowledge and tools
- Processes are managed using metrics represented in reports

Processes vs Projects

- In projects there are fewer opportunities to improve and to build knowledge, as many tasks are performed only once
- Projects finish; processes, in principle, live for as long as the organization does

Knowledge

Definition of the structure, behaviour and boundaries of a type of system, and the set of rules that it follows, making it possible to explain past behaviour and predict future behaviour of the system.

Process Deliverables

- Record activity
- Measure progress and success
- Less dependencies
- Better communication
- Reminder

Deliverables - Reports

Process Implementation

- Name: Something that prevents confusion with other processes. If it is short and descriptive, all the better
- Description: What the process does in general terms
- Value: What the process is good for, the "Why"
  - It makes the distribution of responsibilities clearer
  - It makes it possible to introduce improvements. How can you improve if the value provided is undefined?
  - It makes a more efficient use of resources, as allocation of people and budget goes towards a specific goal, the value
- Inputs: Activities that trigger the process
- Outputs: Results of the process, normally deliverables

Process Roles

- Defined roles guarantee that everyone knows their responsibilities, and that there are no unassigned responsibilities
- Every task performed needs one person or team that is responsible for carrying it out


What, Who, When, How, Why, Where

Knowledge

Knowledge management can be implemented using documents

Every type and instance of document should be easy to create, update, distribute, archive and find

Knowledge: types of document, and the questions each one answers

- Procedures (Who, How)
- Checklists (Who, How)
- Templates (Look and feel)
- Forms (Who, How)
- Plans (How often)
- Schedules (When, Where)
- Agreements (Who)
- Reports (What)

Policies

This type of document is traditionally a mix of goals, priorities, forms, procedures, rules, responsibilities, plans and agreements, with a combination of high-level and low-level perspectives. We avoid policies when possible, keeping them only where necessary for compliance reasons.

Procedures

- Capture and reuse lessons learnt
- Improve productivity and quality
- Less dependency on individual talent
- Produce deliverables

Procedures specify the tasks of a process in detail:

- What the procedure is for
- Who can apply it, who can change it
- Responsibilities for compliance with the procedure
- Scope of the procedure (who and where)
- When the process starts and finishes
- Step by step description of tasks (who, what, when)
- Acceptable task completion times
- How to solve and escalate conflicts/exceptions
- Related forms and communication channels

Templates: General layout and format of a type of document

- Helps everyone read everyone else's documents with little effort
- Prevents people from wasting time formatting

Forms: Used to organize and collect information

Plans: How often, or under what circumstances, each type of output (deliverable) will be generated

Schedules: When the outputs (deliverables) will be generated

Agreements: Specify commitments and responsibilities

- Acceptable Use Agreement
- Non Disclosure Agreement
- Third Party Code of Connection
- Insurance Policy
- Contracts

Standalone Documents - Knowledge Problems

- Create: How do you name it? Where do you store it? What is its relationship with the rest of the documents?
- Update: Does the update change where the document is stored, its name, or its relationship with the rest of the documents? How do you retire the older version? How do you kill local copies?
- Distribute: How do you make everyone aware of the novelties?
- Archive: When and where do you store them? How do you identify older versions?
- Find: How do you know if there is an existing document that covers your need?

Wiki - Knowledge Solutions

- Create: The name of every page arises naturally from the context of another page. No need to decide where to store it. The relationship with the rest of the documents is made explicit by links
- Update: Updates are immediately available; there is no need to retire older versions, and there are no local copies
- Distribute: Everyone accesses the updated version without even thinking about it
- Archive: Change history is a built-in feature. Comparing versions is very simple
- Find: Easy to follow links, easy to search by content


What can’t be measured can’t be managed

William Thomson (Lord Kelvin): "I often say that when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be."

Why use metrics?

- Detect Anomalies (Incidents)
- Determine Success (KGIs, SLAs, UCs)
- Determine Trends
- Determine performance and use of resources (KPIs)
- Determine how changes in the process affect the performance
- Determine if changes in the environment affect the performance
- Find bottlenecks and points of diminishing returns
- Continuous improvement: Achieving higher value with the same resources, or achieving the same value with fewer resources
- Maturity: A measure of the ability to improve often over time. It is all about working smart, not hard. Don't get busy, get productive

Measurement

- Units
- Scaling: Nominal, Ordinal, Interval, Ratio
- Normalization

Metrics: A quantitative measurement that can be interpreted in the context of a series of previous or equivalent measurements

Using Metrics (steps in order)

1. Objectives Analysis
2. Inventory of Activity
3. Value Analysis
4. Inventory of Inputs and Outputs (and Subproducts): yes, deliverables
5. Define Metrics: description of what is measured; how the metric is measured; how often the measurement is taken; how the thresholds are calculated; best possible value of the metric; units of measurement; categories; related objectives
6. Design Data Collection
7. Design Visualization (Reports and Dashboards)
8. Design Data Archival
9. Interpretation
10. Investigation
11. Action

Interpretation


The interpretation of any metric can be:

- In comparison with past values: Normal or Abnormal
- In comparison with past values: Increase or Decrease

When there is a correlation between the metric and value, the interpretation can also be:

- In comparison with a threshold: Satisfactory or Unsatisfactory
- In comparison with past values: Better or Worse
- In comparison with third parties: Better or Worse (Benchmark)

Diagnosis


Types of Metrics

Activity Metrics: Timing, age and number of:

- Inputs (I)
- Outputs (O)
- Resources (R), where R can be hours, persons or monetary units

Load Metrics: When the process has limits in terms of inputs, outputs and resources, outputs and resources in comparison with their maximum or minimum:

- O/Omax (or, as a difference, Omax-O): Proportion of outputs in comparison with the limit
- R/Rmax (or, as a difference, Rmax-R): Proportion of the resources reserved for the process that are in actual use

Scope Metrics: When the process has limits in terms of inputs, outputs and resources, inputs in comparison with their maximum or minimum:

- I/Imax (or, as a difference, Imax-I): Proportion of the scope sampled

Efficacy Metric: When every input is expected to produce one output, efficacy is outputs in comparison with inputs:

- O/I: Proportion of inputs that produce an output
- The interpretation of efficacy in a period is, in comparison with a threshold: Available or Unavailable

Efficiency Metrics: Proportion between the number of outputs (or inputs) and the resources reserved for this process that are in actual use:

- O/R
- I/R

Quality Metrics: When inputs, outputs and resources have variable value, a measure of the fitness for purpose of the outputs:

- Ov/Ovmax
- Iv/Ivmax
- Rv/Rvmax
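The metric types above, and the Interpretation rules (threshold, past values, benchmark), as a worked Python example. This is an added example, not code from the deck or from O-ISM3: the process, its per-period records (I, O, R), the limits Imax/Omax/Rmax, the thresholds and the benchmark figure are all constructed for illustration, and the Normal/Abnormal band (mean plus or minus k standard deviations of the past values) is this example's own choice, since the deck names the outcomes but not the rule.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Period:
    """One measurement period of a process (constructed record layout)."""
    name: str
    inputs: int        # I: triggers received, e.g. vulnerability tickets opened
    outputs: int       # O: deliverables produced, e.g. tickets closed with a fix
    resources: float   # R: resources consumed, here analyst hours


# Constructed sample data for a hypothetical remediation process; not real figures.
PERIODS = [
    Period("2015-Q1", inputs=40, outputs=36, resources=120.0),
    Period("2015-Q2", inputs=50, outputs=45, resources=130.0),
    Period("2015-Q3", inputs=48, outputs=40, resources=125.0),
    Period("2015-Q4", inputs=60, outputs=42, resources=128.0),
]
# Constructed process limits (the deck's Imax, Omax, Rmax).
I_MAX, O_MAX, R_MAX = 80, 80, 160.0


def load_metrics(p: Period, o_max: int = O_MAX, r_max: float = R_MAX) -> dict:
    """Load: outputs and resources against the process limits."""
    return {
        "O/Omax": p.outputs / o_max,
        "Omax-O": o_max - p.outputs,
        "R/Rmax": p.resources / r_max,
        "Rmax-R": r_max - p.resources,
    }


def scope_metrics(p: Period, i_max: int = I_MAX) -> dict:
    """Scope: inputs against the input limit (proportion of the scope sampled)."""
    return {"I/Imax": p.inputs / i_max, "Imax-I": i_max - p.inputs}


def efficacy(p: Period) -> float:
    """Efficacy: O/I, the proportion of inputs that produced an output."""
    return p.outputs / p.inputs


def efficiency_metrics(p: Period) -> dict:
    """Efficiency: outputs and inputs per unit of resource in actual use."""
    return {"O/R": p.outputs / p.resources, "I/R": p.inputs / p.resources}


def against_threshold(value: float, threshold: float,
                      labels=("Satisfactory", "Unsatisfactory"),
                      higher_is_better: bool = True) -> str:
    """Interpretation against a threshold; the label pair is the deck's default."""
    ok = value >= threshold if higher_is_better else value <= threshold
    return labels[0] if ok else labels[1]


def against_past(value: float, history: list, higher_is_better: bool = True,
                 k: float = 2.0) -> dict:
    """Interpretation against past values: Increase/Decrease, Better/Worse and
    Normal/Abnormal. The band rule (mean +/- k * population stdev of the
    history) is an assumption of this example, not the deck's."""
    last = history[-1]
    if value > last:
        trend = "Increase"
    elif value < last:
        trend = "Decrease"
    else:
        trend = "No change"
    improved = value > last if higher_is_better else value < last
    worsened = value < last if higher_is_better else value > last
    judgement = "Better" if improved else "Worse" if worsened else "Same"
    mu, sigma = mean(history), pstdev(history)
    in_band = abs(value - mu) <= k * sigma if sigma > 0 else value == mu
    return {"trend": trend, "value": judgement,
            "band": "Normal" if in_band else "Abnormal"}


def against_benchmark(value: float, benchmark: float,
                      higher_is_better: bool = True) -> str:
    """Interpretation against a third party's figure (benchmark)."""
    better = value > benchmark if higher_is_better else value < benchmark
    return "Better" if better else "Worse"


def interpret_latest(periods=PERIODS, efficacy_threshold: float = 0.85,
                     benchmark_efficacy: float = 0.80) -> dict:
    """Interpret the latest period's efficacy the three ways the deck lists,
    alongside its load, scope and efficiency figures."""
    latest, past = periods[-1], periods[:-1]
    value = efficacy(latest)
    return {
        "period": latest.name,
        "efficacy": round(value, 3),
        # The deck interprets efficacy against a threshold as Available/Unavailable.
        "availability": against_threshold(value, efficacy_threshold,
                                          ("Available", "Unavailable")),
        "vs_past": against_past(value, [efficacy(p) for p in past]),
        "vs_benchmark": against_benchmark(value, benchmark_efficacy),
        "load": load_metrics(latest),
        "scope": scope_metrics(latest),
        "efficiency": efficiency_metrics(latest),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(interpret_latest())
```

With the constructed data, the last quarter's efficacy drops to 0.70: Unavailable against the 0.85 threshold, a Decrease and Worse against the previous quarter, Abnormal against the band of the three earlier quarters, and Worse than the assumed benchmark. The load and scope figures show why: inputs rose to 75% of Imax while outputs stayed at about half of Omax with the same resources in use, which is the kind of bottleneck the "Why use metrics?" list is about.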


Reports: Documents that reflect a summary and interpretation of the results of a process

- Practice matching with documentation - Audit Report
- Practice matching with a standard - Certification Report
- Capability for continuous improvement - Maturity Assessment
- Outputs matching test Inputs - Test Report

Process Implementation - Reports

- Value - Goal Assessment Report
- Changes in priorities in response to changed availability of resources, changes in the environment, or needs of the business - Strategy Report
- Progress or activity - Performance Report
- Possible causes of incidents - Risk Assessment

Summary

1. Better value and more efficient use of resources is a result of
2. management decisions based on
3. reports, that give you an
4. interpretation of
5. metrics that count and compare
6. deliverables (inputs and outputs), produced and archived using
7. procedures created as part of
8. knowledge management.

Follow the Foundations of Information Security Series by joining the Linkedin O-ISM3 Group at: tiny.cc/osim3LG

Learn Advanced Information Security Management, joining us at an O-ISM3 Course: tiny.cc/osim3