December 5, 2009

Six Sigma, PCI And Security

First, this is not a security metrics article.  So, if you are looking for that sort of thing, this is not it.

Do you remember Six Sigma?  It has gone a bit underground, but it is still big in manufacturing and distribution.  Six Sigma is defined as executing a given business process with no more than 3.4 defects or errors per million executions of the process.  That is 99.99966% accuracy or higher.  I have stated in previous postings that security requires 100% compliance.  To come as close to 100% as possible, security is structured in layers (i.e., defense in depth), so that as long as each layer operates at Six Sigma levels or better and those layers overlap, you should be able to achieve close to 100%.

One of the complaints you hear about the PCI standards is that a lot of it is focused on policies, standards and procedures and that documentation does not lead to security.  Six Sigma experts will point out that if you do not have formally documented policies, standards and procedures, there is no way to achieve the necessary levels of consistency to ensure your organization’s security.  Such documentation is the foundation on top of which you build everything else.  Without a solid foundation, Six Sigma cannot be achieved.

Then there is the training involved.  Six Sigma has taught organizations that training is another critical component if you expect to achieve it.  If you are not training your personnel in all of your policies, standards and procedures and the rationale for why those are important, your employees are just going to blow them off.  And if you are not training them regularly, then they will very quickly forget all about them.  These people are key to the success of your security program because, for the most part, they are the root cause of security failures.  Statistics point to the fact that at least 65% of all breaches were the result of human errors or other human causes.  If you are not addressing the human factor in your security program, then you are doomed to fail.

I like to use the airline industry as a prime example of how well documented policies, standards and procedures can make a significant difference.  Airlines have policies, standards and procedures for everything regarding the flying and maintenance of an airplane, and they rigidly enforce them; they have to, to stay in business.  Over time, airlines found that human error was the reason for most of the devastating crashes.  By instituting very rigid policies, standards and procedures, the airline industry was able to make air travel safer than driving your own car.  It is the same with security.  If you create a highly documented set of policies, standards and procedures just like the airlines, and you rigidly enforce the following of that documentation, you will likely reduce your risk of suffering a breach or other security incident almost to zero.  I say almost, because there are people out there who, if they set their mind to breaching your security, will do whatever it takes to get the job done, no matter what barriers you put in their way.

So what typically causes security failures?  There are a number of issues that lead to security failures, but these seem to be the most common.

  • Someone cuts corners to get something done to meet a deadline.
  • Someone disables a security measure or mis-configures it.
  • Someone does not understand why a particular process is important and therefore just ignores it.
  • Someone encounters an incident and does not know what to do, so they wing it.

The first three issues are all the result of limited or no training.  If people do not understand their role and the reason why their role is important, they will very easily regard their part as inconsequential and therefore not important.  And while you have defense in depth, if enough people take this attitude, the depth of your security does not matter.
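As an added illustration of the two points above (layers that each run at Six Sigma levels multiply only when their failures are independent, and a shared human cause defeats every layer at once), the following model is not from the original post; the common-cause probability q is an assumed, constructed parameter, not a figure the post gives.

```python
"""Toy model of how layered controls combine, using the post's Six Sigma rate."""

SIX_SIGMA_DPMO = 3.4  # defects per million opportunities, as stated in the post


def per_execution_failure(dpmo: float = SIX_SIGMA_DPMO) -> float:
    """Convert defects-per-million into a per-execution failure probability."""
    return dpmo / 1_000_000


def accuracy_percent(dpmo: float = SIX_SIGMA_DPMO) -> float:
    """Accuracy as a percentage: 99.99966 for 3.4 DPMO."""
    return 100.0 * (1.0 - per_execution_failure(dpmo))


def independent_layers_failure(p: float, layers: int) -> float:
    """Probability that all `layers` controls fail on the same attempt when
    their failures are independent (the best case for defense in depth)."""
    if layers < 1:
        raise ValueError("need at least one layer")
    return p ** layers


def common_cause_failure(p: float, layers: int, q: float) -> float:
    """Failure probability when, with (assumed) probability q, a shared cause
    such as an untrained or disengaged operator bypasses every layer at once;
    otherwise the layers fail independently.  q is a floor that adding more
    layers can never push below, which is the post's point about people."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability")
    return q + (1.0 - q) * independent_layers_failure(p, layers)


if __name__ == "__main__":
    p = per_execution_failure()
    print(f"single layer accuracy: {accuracy_percent():.5f}%")
    for n in (1, 2, 3):
        print(f"{n} layer(s): independent={independent_layers_failure(p, n):.3e} "
              f"with 1% common cause={common_cause_failure(p, n, 0.01):.3e}")
```

Adding layers drives the independent term toward zero almost immediately, while the common-cause term stays at q no matter how many layers are stacked.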

This leads to the problem of keeping people engaged.  This is one of the biggest problems in security these days.  Do you realize that airports have been at the security advisory level of High since 2003?  That has been over six years.  Does anyone remember why or, for that matter, care?  No, because people are no longer engaged.  This problem is particularly true for people that monitor for security alerts.  A lot of the reason that security technology initiatives fail is not the technology; it is the fact that the technology was not tuned properly to weed out enough of the chaff so that the real alerts would shine through.  As a result, people start to ignore all the alerts because there are so many false positives to research before they get to the real issues.

The last bullet is a real sticky issue, as it is the exceptions to those well defined processes where every organization runs into trouble.  It is the lack of definitive procedures for handling every exception where organizations fall apart.  The rationale you hear for this time and again is, “we cannot anticipate every possible exception.”  While this statement is very true, you can have a group of very well trained personnel that can handle those exceptions on a case-by-case basis.  If this sounds familiar, it should.  This is exactly how help desks are structured.  For security, Level 1 researches basic security issues such as locked accounts, denied access requests, service failures and the like.  Level 2 researches items that Level 1 is unable to resolve or answer, as well as notifying users of new threats.  And those Level 3 people – they are the “propeller heads” that can do anything related to your security infrastructure.  Typically, Level 3 people are the ones that implement and maintain your security infrastructure.

At the end of the day, all of your security technology is only as protective as the people that interact with it.  A lot of organizations keep searching for technological solutions to solve all of their security problems.  Unfortunately, they miss the human part of the equation and the fact that it is the humans that are fallible and will be the most likely reason that all of their precious technology gets defeated.  So, get your documentation in order, train the staff until it hurts and enforce everything.


1 Response to “Six Sigma, PCI And Security”

  1. December 22, 2009 at 10:45 AM

    Great post! I’m sure we all have stories of how our credit card number was misused as part of the human equation. Maybe you’ve signed up for a new membership at the gym but the credit card system was down. The employee may ask to write down your credit card on a Post-it in order to process it later when the system is back up. It might be a state of the art gym with fancy technology and PCI compliance, but the human equation can break all that down in no time.

    I work for a software company that provides products to contact centers. We are constantly adding features to make it easier for our customers to be PCI compliant. At the end of the day it comes down to documented policies, standards and procedures. I know of a number of contact centers that do not allow their agents to even have a pen at their desk (they don’t want them to have any way to write down credit card numbers). That is one policy they have implemented to combat the human part of the equation.

    There is an increasing trend to allow for work at home agents. Documenting policies, standards, and procedures is an important and critical first step, but it is not the only one. There is still a need to track and enforce. I can’t tell my home agents not to keep pens at their desk – well, I could but it wouldn’t mean anything if I couldn’t enforce it.

