A BRIEF ARGUMENT FOR PCI DSS (OR ALEX’S 5S’S FOR LEAN INFORMATION SECURITY MANAGEMENT)
Real quick: it might be worth noting that I wrote this the weekend before Heartland was announced.
So I was reading this excellent article on Taiichi Ohno and the Toyota Production System over at the Gemba weblog and something occurred to me: a potentially good reason for a company to use the PCI DSS as the basis for its ISMS.
Jack Jones has been reworking his essential value propositions of the CISO into the following:
- Align Risk to Organizational Risk Tolerance
- Create operational efficiencies
Regular readers will note that #1 there used to be “Reduce Risk” but there’s such a thing as too much risk reduction, so Jack’s updating it. I like the update, it sounds more like “aligning security to business objectives-y”.
Now when most people think about PCI, they think about “Security”. Mostly because they’re security professionals who have hitched their meal-wagon to PCI DSS. So they focus on PCI DSS being something that will help make you secure. This is obviously nonsense. There is no “secure”; there is only the reduction of the probable frequency with which you will be breached (1).
But what if there’s another reason to adopt PCI as a basis for your ISMS?
THE 5S’S
Japanese Lean management types talk about something called the “5S’s”. Popularized by Hiroyuki Hirano (but whose origins may come from Ford in the 1920s), the (Americanized version of the) 5S’s are designed to eliminate waste in production. The 5S’s are:
- Sort - remove all items from the workplace that are NOT needed for current production.
- Set in Order - arrange needed items so that they are easy to find and put away. Items used often are placed closer to the employee.
- Shine - make sure everything is clean, functioning, and ready to go.
- Standardize - the method you use to maintain the first 3S’s.
- Sustain - make a habit of properly maintaining correct procedures.
OPTIMIZING PCI-DSS WORKFLOW
Now the idea around the 5S’s is to optimize a manufacturing work space, as that will help reduce operational costs. But take a good look at the last two “S’s”, Standardize and Sustain. They suggest that if you focus on building processes that emphasize these elements, increased operational efficiency will follow.
So could we say that the PCI DSS is allowing us all to Standardize the controls we have in our work place (the network)? We have different vendors and different rigor in implementation, but we are getting the beginnings of a homogenized environment of controls (Monoculture?) that could lead to the development of efficiencies. Moreover, in developing the right procedures and guidelines for sustainability, it will be easy to spot areas where the resources required to maintain the controls specified by PCI DSS can be reduced further.
(Note: this would also apply to any ISMS, as long as a significant sub-culture/cottage industry arises from it. ISO 27001 might be another example.)
ALEX’S 5S’S FOR ISMS MANAGEMENT
Can we use the 5S’s in how we manage risk? I think so. Here’s something I put together that takes the spirit of the 5S’s from manufacturing and applies it to the CISO role:
- SORT/SEGMENT - The idea here is to remove the extraneous so that you can have laser-beam focus on the systems that house the sensitive data itself. That means segmenting networks (part of PCI DSS) and controls that identify and remove (or prevent) critical data from appearing on undesirable systems (like laptops, home systems, or vendor systems).
- SET IN ORDER - The Toyota employee has their relevant tools at hand to do the job. In Information Security, we should be making relevant control data accessible and easy to understand (SIEMs and GRC aren’t the only or even the best solution here).
- SIMPLIFY - Complexity is the enemy of security. Make the flow of sensitive data as simple to manage as possible.
- STANDARDIZE - Create the processes and guidelines that allow the security department to operate in a consistent fashion. Everyone should know exactly what their responsibilities are, which also makes transitioning staff easier if/when that happens. In the current state of the industry, we could also apply the “Standardize” concept to metrics & definitions.
- SUSTAIN - Develop the risk management capability metrics and measurements that allow you to understand whether you are sustaining your processes, and to what level they are sustained (and then, ideally, how that level of sustained process impacts your exposure to risk).
Many of these are common sense, but the best suggested practices I’ve seen are short on discussing why they should be effective (in either an inductive or deductive manner). This at least gives us a basis, or even something as silly as a “mantra”, to match these regulatory pressures to.
Finally, these aren’t a real replacement for what I believe is the most effective way to run a security department: an inductive, measured approach based on risk. But if you are forced to construct solutions based on an architecture for security management that is less than optimal, these concepts might just help you master the ISMS, rather than the other way around.
======================
(1) And we’re starting to see that we can expect at least one or two of the companies that have PCI pressures (regardless of their “compliance” state of nature) to be breached in any given year (roughly).


Patrick Florer Jan 27
Hi, Alex -
A couple of things for you to consider - still thinking about them myself.
Two ideas from the theory of constraints (from Wikipedia):
Convergence
The first principle: Convergence, also called “Inherent Simplicity” states that “The more complex a system is to describe, the simpler it is to manage.” Or that the more interconnected a system is the fewer degrees of freedom it has, and consequently the fewer points must be touched (managed) to impact the whole system. A corollary of this principle is that every organization has at least one constraint active in any given point of time (otherwise it would achieve infinite performance relative to its goal). The more complex and interconnected the organization is the fewer constraints it will have.
Consistency
The second principle: Consistency, also called “There are No Conflicts in Nature” states that “If two interpretations of a natural phenomenon are in conflict, one or possibly both must be wrong”. That is, when in an organization with a common goal, two parts are in conflict (or in a dilemma) this means that the reasoning that led to the conflict must contain at least one flawed assumption.
Re - monoculture: we would have all probably starved/died by now without the development of all sorts of mono-cultured foods and other products. Nevertheless, the elimination of diversity leaves us potentially vulnerable to the unexpected - the increased resistance strength of bacteria that has been driven by the overuse of antibiotics, for example.
Somehow this gets me thinking about defense in depth, normal distributions, tail events, randomness, and uncertainty.
Best –
Patrick
Alex Jan 27
Patrick,
I find the Convergence concept to be counter-intuitive, and therefore, fascinating. Must look into it.
Patrick Florer Jan 27
It’s a theory - would be nice to have empirical data to support it - I suspect that it exists. Goldratt, the originator of TOC, holds a PhD in Physics.
Patrick Florer Jan 27
Just thought of an example for convergence: a human being -
the wrong word or deed at the wrong time or from the wrong person can create a lifetime of ill-will.
FYI - Goldratt’s new book is called “The Choice” - it came out in Oct, 2008 - I have a copy on the way.
Also, now that I think about it, I have seen inherent simplicity at work in a real world analysis that I can tell you about offline someday, if you are interested.