Journal of Information Security, 2012, 3, 49-58 doi:10.4236/jis.2012.31006 Published Online January 2012 (http://www.SciRP.org/journal/jis) Security Policy Management Process within Six Sigma Framework Vijay Anand, Jafar Saniie, Erdal Oruklu Department of Electrical and Computer Engineering, Illinois Institute of Technology, Chicago, USA Email: [email protected] Received October 13, 2011; revised November 30, 2011; accepted December 16, 2011 ABSTRACT This paper presents a management process for creating adaptive, real-time security policies within the Six Sigma 6σ framework. A key challenge for the creation of a management process is the integration with models of known Indus- trial processes. One of the most used industrial process models is Six Sigma which is a business management model wherein customer centric needs are put in perspective with business data to create an efficient system. The security pol- icy creation and management process proposed in this paper is based on the Six Sigma model and presents a method to adapt security goals and risk management of a computing service. By formalizing a security policy management process within an industrial process model, the adaptability of this model to existing industrial tools is seamless and offers a clear risk based policy decision framework. In particular, this paper presents the necessary tools and procedures to map Six Sigma DMAIC (Define-Measure-Analyze-Improve-Control) methodology to security policy management. Keywords: Security Management; Security Process; Policy; Threat; Six Sigma 1. Introduction ment is generally referred to as a security policy process. A security policy process model given in [3] identifies A security policy [1] management process is necessary various phases of a security policy creation and updates. for refining existing policies or creating new policies as threats and computing services evolve. Security policy Most of the policy creation models have a clear security creation process gives an insight onto the quantification goal perspective of creating or enhancing security poli- of risk. For high level management where it is necessary cies. Some models [4] are created by taking into consid- to make risk based decisions, this process provides a way eration what security professionals had to say about the to manage risk as threats change. There is always a need various aspects of technology that needs to be addressed to maintain consumer trust for a successful computing before a policy is created. service. A measure of an effective security policy crea- We propose to adapt the security policy creation proc- tion process is the evaluation of risk. In this paper, we ess into a business management system wherein the effi- review existing policy creation models and propose our cacy of the policy management and risk based decisions model based on Six Sigma 6 [2] with quantification can be easily quantified in the current models. For a pol- of the risk factors. We contend that threats have a direct icy management model to be effective in an industrial implication on policies which are countermeasures to setting, it needs to be based on an industrial process. In- threats. Therefore, the efficacy of security policies needs stitutionalizing any process has inherent cost [5] on us- to be measured against the modeled and analyzed threats age of tools, learning curve to use the process effectively in the security policy management system. As threats and integrating the process into the system. Hence, an evolve so must the security policies since there is a direct effective integration of a security policy management correlation between threats and security policy. process into an existing industrial process allows other There have been various processes proposed to create processes to be integrated with security policy; thereby security policies for a secure system. The various aspects enhancing the effectiveness of the industrial system as a of the security policy creation models are 1) understand- whole. In this paper, we use the Six Sigma model to base ing threats for policy creation; 2) a monitoring process our security policy management process due to its wide- for existing internal or external threats; and 3) policy spread acceptance and effectiveness in an industrial set- operations in the system. ting. Our key contributions are: In the current literature, the security policy manage- Creation of a security policy management process Copyright © 2012 SciRes. JIS 50 V. ANAND ET AL. with an explicit feedback mechanism so as to control 5) Controls threat mitigation with security policy imple- the deployment of security policies with evolving mentation to guarantee the quality of service for gaining threats, customer trust. Using the Six Sigma process model for the security policy management process to ease integration with 3. Security Policy Management Process industrial processes, 3.1. Existing Security Policy Creation Quantification of risk in security policy management Processes for making decisions. Existing security policy creation processes identify the 2. Six Sigma in a Nutshell need to have a feedback mechanism in order to draft new policies. The two widely recognized processes are PFIRES The implementation of Six Sigma is generally done in (Policy Framework for Interpreting Risk in e-Business two different approaches either for improving a product Security [3]) and the organizational process model [4] or creating a new product. For making changes to exist- which initiate the following steps for security policy ing processes, the process used in Six Sigma is called creation: DMAIC (Define-Measure-Analyze-Improve-Control). The Assess: Assessment phase is a trigger to evaluate se- DMAIC project methodology has five phases: [6] curity policies which is initiated by either: 1) Creation Define: This step involves the quantification of high- of new model or addition of a new feature such that level project goals and the process used. the input/output characteristics of a computing service Measure: This step involves the quantification of im- is altered leading to changes in the risk factors; or 2) portant methods used in a current process from which Consequence of the review and management of ex- relevant data is collected. isting policies affecting the risk parameters of the Analyze: This step involves the identification of the computing service. For either of the above cases, the causality effect between the process and factors in- reference for policy changes are existing policies and fluencing the process. the assumptions made during the institutionalization Improve: This step involves the optimization of the of the policies. In the organizational process [4] model, current process. this phase is blended in the task of Policy Awareness, Control: This step involves the correction to any de- Policy Review and Risk Assessment. viation associated with a particular process before it Plan: Planning phase is where the requirements and results into defects. strategy of rolling out a new security policy is created. For new products, the DMADV (Define-Measure-Ana- This phase outlines the high level requirements of secu- lyze-Design-Verify) system is generally used. The DMADV rity policies for later implementation. In the organiza- project methodology features five phases: tional process [4] model this is primarily done in Pol- Define design goals that are consistent with customer icy Development. demands and the enterprise strategy. Deliver: Deliver phase is when the actual implemen- Measure and identify CTQs (characteristics that are tation of the policy is undertaken. The design of various Critical to Quality), product capabilities, production control structures based on requirements is deter- process capability, and risks. mined. The implementation part of the security policy Analyze to develop and design alternatives, create a updates is also integrated in this phase. high-level design and evaluate design capability to Operate: Operate phase is persistent in which various select the best design. external and internal businesses, regulatory and tech- Design details, optimize the design, and plan for de- nology trends affecting the security policies are moni- sign verification. tored and analyzed. Verify the design, set up pilot runs, implement the The above policy management mechanisms, although production process and hand it over to the process they are theoretically effective, do not integrate into owners. known business processes such that effective decision In our approach, the security policy management within making can be achieved from a management standpoint. the Six Sigma framework 1) Defines security goals and They also lack correlation with known security tools quantifies digital assets, 2) Measures and assesses vari- such that effectiveness of a policy mechanism can be ous threats to digital assets and quantifies risk, 3) Ana- quantified for risk analysis. In the proposed security lyzes the overall security goals with the identification of management framework we integrate security policy the diversity of external and internal factors affecting the management within Six Sigma processes and correlate assets of a computing service, 4) Improves designs and security tools with each phase of the management pro- optimizes the security policies with evolving threats, and cess. Copyright © 2012 SciRes. JIS V. ANAND ET AL. 51 3.2. Causality Framework for Security ξ ξ Policy Management Ѕ Г Г Ѕ Г Г Ѕ For a Six Sigma implementation, there is a need to estab- K K lish a causal analysis [7] which is true for other process improvement methodologies. We make a case for causal- ity with respect to security policy and threats. We pro- Where ξ = The set of all executions pose that the objective of a security policy creation is to Г = Set of threats, known and unknown counter threats as shown in Figure 1. ГK = Set of known Threats S = Set of security policies created to counter threats For any security policy creation process, the objective S ⋂ГK = ГK and Г⋃ГK = ГK for an ideal situation is to counter all known (real world and modeled) threats. Figure 1.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages10 Page
-
File Size-