Process Management
Foundations of Information Security Series
Vicente Aceituno @vaceituno (c) Inovement Europe 2015
Vicente Aceituno
[email protected] - Skype: vaceituno
Linkedin - linkedin.com/in/vaceituno
Inovement Europe - inovement.es
Video Blog - youtube.com/user/vaceituno
Blog - ism3.com
Twitter - twitter.com/vaceituno
Presentations - slideshare.net/vaceituno/presentations
Articles - slideshare.net/vaceituno/documents
Advantages of using a Method
Every task is performed consistently, independently of who performs it
Improvements are identified, quickly spread among the team, and never lost
Audits become painless as everything is documented and archived
Replacing members of the team takes little effort and is fast
It becomes possible to switch tasks around, normally towards the people who have the minimal skills to perform them
More freedom for the work team for holidays and for attending events and courses, which improves motivation and performance, and lowers staff turnover
Processes
A set of recurrent tasks that contribute towards the same specific value for the organization.
Process Approach
[Diagram: Inputs -> Process (People, Tools, Knowledge) -> Outputs (Deliverables). Other labels: Energy, Supplies; Heat, Waste; Environmental Conditions]
Process Approach
Focus on objective outcomes that can be managed and, therefore, improved
Processes are implemented using knowledge and tools
Processes are managed using metrics represented in reports
Processes vs Projects
In projects there are fewer opportunities to improve and build knowledge, as many tasks are performed only once
Projects finish; processes, in principle, live for as long as the organization does
Knowledge
Definition of the structure, behaviour and boundaries of a type of system, and the set of rules that it follows, making it possible to explain past behaviour, and predict future behaviour of the system.
Process Deliverables
Record activity
Measure progress and success
Less dependencies
Better communication
Reminder
Process Implementation
Name: Something that prevents confusion with other processes. If it is short and descriptive, all the better
Value: What the process is good for, the "Why"
  It makes the distribution of responsibilities clearer
  It makes it possible to introduce improvements. How can you improve if the value provided is undefined?
  It makes a more efficient use of resources, as allocation of people and budget goes towards a specific goal, the value
Inputs: Trigger activities in the process
Outputs: Results of the process, normally deliverables
Process Roles
Defined roles guarantee that everyone knows his responsibilities, and there are no unassigned responsibilities
Every task performed needs one person or team that is responsible for carrying it out
Knowledge management can be implemented using documents
Every type and instance of document should be easy to create, update, distribute, archive and find
Knowledge
Procedures (WhoHow)
Checklists (WhoHow)
Templates (LookAndFeel)
Forms (WhoHow)
Knowledge
Plans (HowOften)
Schedules (WhenWhere)
Agreements (Who)
Reports (What)
Policies
This type of document traditionally is a mix of goals, priorities, forms, procedures, rules, responsibilities, plans and agreements, with a combination of high and low level perspectives
We avoid policies when possible, keeping them for compliance reasons when necessary
Procedures
Capture and reuse lessons learnt
Improve productivity and quality
Less dependence on individual talent
Produce deliverables
Specify tasks of a process in detail:
  What the procedure is for
  Who can apply it, who can change it
  Responsibilities for compliance with the procedure
  Scope of the procedure (who and where)
  When the process starts and finishes
  Step by step description of tasks (who, what, when)
  Acceptable task completion times
  How to solve and escalate conflicts/exceptions
  Related forms and communication channels
Templates
General layout and format of a type of document
Helps everyone read everyone else's documents with little effort
Prevents people from wasting time formatting
Agreements
Specify commitments and responsibilities:
Acceptable Use Agreement
Non Disclosure Agreement
Third Party Code of Connection
Insurance Policy
Contracts
Standalone Documents - Knowledge Problems
Create: How do you name it? Where do you store it? What is the relationship with the rest of the documents?
Update: Does the update influence where the document is stored, named or the relationship with the rest of docs? How do you retire the older version? How do you kill local copies?
Distribute: How do you make everyone aware of the novelties?
Archive: When and where do you store them? How do you identify older versions?
Find: How do you know if there is an existing document that covers your need?
Wiki - Knowledge Solutions
Create: The name of every page arises naturally from the context of another page. No need to make a decision of where to store it. The relationship with the rest of the documents is explicit by links
Update: Updates are immediately available, no need to retire older versions, there are no local copies
Distribute: Everyone accesses the updated version without even thinking about it
Archive: Change history is a built-in feature. Comparing versions is very simple
Find: Easy to follow links, easy to search by content
What can’t be measured can’t be managed
William Thomson (Lord Kelvin): “I often say that when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be.”
Why use metrics?
Detect Anomalies (Incidents)
Determine Success (KGIs, SLAs, UCs)
Determine Trends
Determine performance and use of resources (KPIs)
Determine how changes in the process affect the performance
Determine if changes in the environment affect the performance
Find bottlenecks and points of diminishing returns
Continuous improvement: Achieving higher value with the same resources or achieving the same value with fewer resources
Maturity: A measure of the ability to improve often over time. It is all about working smart, not hard. Don’t get busy, get productive
Metrics
A quantitative measurement that can be interpreted in the context of a series of previous or equivalent measurements
Using Metrics
Objectives Analysis
Inventory of Activity
Value Analysis
Inventory of Inputs and Outputs
Define Metrics
Design Data Collection
Design Visualization
Design Archival of Data
Interpretation
Investigation
Action
Define Metrics
Description of what is measured
How is the metric measured
How often is the measurement taken
How are the thresholds calculated
Best possible value of the metric
Units of measurement
Categories
Related Objectives
Interpretation
The interpretation of any metric can be:
  In comparison with past values: Normal or Abnormal
  In comparison with past values: Increase or Decrease
The interpretation of any metric, when there is a correlation between metric and value, can be:
  In comparison with a threshold: Satisfactory or Unsatisfactory
  In comparison with past values: Better or Worse
  In comparison with third parties: Better or Worse (Benchmark)
Activity Metrics
Timing, age and number of:
Inputs (I)
Outputs (O)
Resources (R) - Where R can be hours, persons or monetary units
Load Metrics
When the process has limits in terms of Inputs, Outputs and Resources, outputs in comparison with maximum or minimum outputs:
(O/Omax) - Proportion of outputs in comparison with the limit
(Omax-O)
(R/Rmax) - Proportion of resources reserved for the process in actual use
(Rmax-R)
Scope Metrics
When the process has limits in terms of inputs, outputs and resources, inputs in comparison with maximum or minimum inputs:
(I/Imax) - Proportion of the scope sampled
(Imax-I)
Efficacy Metric
When every input produces one output, efficacy is outputs in comparison with inputs:
(O/I) - Proportion of inputs that produce an output
The interpretation of Efficacy in a period is:
In comparison with a threshold: Available or Unavailable
Efficiency Metrics
Proportion of the number of outputs and the available resources for this process in actual use.
(O/R)
(I/R)
Quality Metrics
When Inputs, Outputs and Resources have variable value, measure of the fitness for purpose of the outputs:
(Ov/Ovmax)
(Iv/Ivmax)
(Rv/Rvmax)
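
Added example (not part of the original slides): the load, scope, efficacy and efficiency ratios above computed for a series of periods, with the latest value interpreted against past values and a threshold. The weekly figures, the limits, the 0.9 threshold and the rule that "Abnormal" means more than k standard deviations from the past mean are all assumptions made for illustration.

```python
from statistics import mean, stdev

def ratio(num, den):
    """Return num/den, or None when the denominator is zero (undefined)."""
    return num / den if den else None

def process_metrics(i, o, r, i_max, o_max, r_max):
    """Ratio metrics for one period, using the slides' symbols I, O, R."""
    return {
        "load_outputs": ratio(o, o_max),    # O/Omax
        "load_resources": ratio(r, r_max),  # R/Rmax
        "scope": ratio(i, i_max),           # I/Imax
        "efficacy": ratio(o, i),            # O/I
        "efficiency": ratio(o, r),          # O/R
    }

def interpret(past, current, threshold=None, k=2.0):
    """Interpret a value against past values and, optionally, a threshold.

    Assumptions (not from the slides): Abnormal means more than k sample
    standard deviations from the mean of past values; higher is better.
    """
    last = past[-1]
    trend = "Increase" if current > last else "Decrease" if current < last else "Unchanged"
    spread = stdev(past) if len(past) > 1 else 0.0
    normality = "Abnormal" if abs(current - mean(past)) > k * spread else "Normal"
    result = {"trend": trend, "normality": normality}
    if threshold is not None:  # applies when the metric correlates with value
        result["threshold"] = "Satisfactory" if current >= threshold else "Unsatisfactory"
        result["vs_past"] = "Better" if current > last else "Worse" if current < last else "Same"
    return result

# Constructed sample: weekly (I, O, R) for a hypothetical access-request process:
# I = requests received, O = requests completed, R = hours spent.
WEEKS = [(40, 38, 20), (42, 40, 21), (39, 37, 19), (41, 39, 20), (45, 27, 22)]
LIMITS = {"i_max": 60, "o_max": 50, "r_max": 30}  # constructed process limits

def weekly_report(weeks=WEEKS, limits=LIMITS, efficacy_threshold=0.9):
    """Metrics for the latest week and the interpretation of its efficacy."""
    series = [process_metrics(i, o, r, **limits) for i, o, r in weeks]
    past = [m["efficacy"] for m in series[:-1]]
    return series[-1], interpret(past, series[-1]["efficacy"], efficacy_threshold)

if __name__ == "__main__":
    latest, verdict = weekly_report()
    print(latest)
    print(verdict)
```

In the constructed data the last week's efficacy drops to 27/45, which the interpretation flags as a decrease, abnormal against the previous four weeks, and below the threshold.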
Process Implementation - Reports
Practice matching with documentation - Audit Report
Practice matching with a standard - Certification Report
Capability for continuous improvement - Maturity Assessment
Outputs matching test Inputs - Test Report
Value - Goal Assessment Report
Changes in priorities in response to changed availability of resources, in the environment, or needs of the business - Strategy Report
Progress or activity - Performance Report
Possible causes of incidents - Risk Assessment
SUMMARY
1. Better Value and more efficient use of Resources is a result of
2. Management decisions based on
3. Reports, that give you an
4. Interpretation of
5. Metrics that count and compare
6. Deliverables (inputs and outputs), produced and archived using
7. Procedures created as part of
8. Knowledge Management