IT Security – How to make long term improvements
By Nadya Bartol, Michele Moss and Keith Phillips

New technology enables businesses to deliver more and improved products and services to meet changing market demands. As vendors continue to improve existing technologies and develop new ones, data security can fall by the wayside. When new technology is introduced and existing technology is improved, new vulnerabilities often surface before old ones can be mitigated, creating a perpetual game of catch-up.
More organizations are turning to established process improvement methodologies, such as Capability Maturity Model Integration (CMMI) and Lean Six Sigma (LSS), to manage and continuously improve the development and deployment of information systems. More recently, these same methodologies have been applied to ensure that information security is implemented consistently.
CMMI is a collection of industry best practices that provide organizations with elements essential to acquire or develop products and services effectively. LSS is a process-improvement methodology and collection of tools designed to help improve productivity, reduce inefficiencies and eliminate waste. To ensure business objectives are achieved, government and industry organizations are increasingly integrating CMMI, LSS or other process improvement methodologies with IT security throughout the project lifecycle.
CMMI and LSS focus on processes that are repeated often enough to generate predictable results. IT security implementations that do not use repeatable processes risk mitigating the same risks several times over, because they lack a way to maintain and monitor best practices once those practices are in place. This was articulated in the draft National Institute of Standards and Technology (NIST) Special Publication 800-39, Managing Risk from Information Systems. It describes how to apply the Risk Management Framework to the phases of a system development life cycle so that information security is tightly integrated into the organization’s mission.
Carnegie Mellon University’s Software Engineering Institute has sought to address the security considerations involved with process improvement. Whether, and how, process improvement practices can improve IT security were questions discussed at a panel at the 2007 Software Engineering Process Group conference. The participants from U.S. Government and industry strongly agreed that process improvement practices can enable lasting improvements in IT security. The panel agreed that security conscious process improvement and systems development can help organizations address security challenges. These challenges include delivering better software, proving to regulators that IT security has been considered throughout the entire systems development lifecycle and ensuring that process improvement, cost control and security are addressed throughout requirements, design and implementation phases.
IT security is an evolving field that grows more complex and expensive as the threats and challenges increase. By integrating traditional process-improvement methods with IT security considerations, organizations establish the foundation to deliver security continuously throughout the lifecycle. Comprehensive planning early on delivers enduring results.
Nadya Bartol is a Senior Associate at Booz Allen Hamilton and a leader in the firm’s information security performance measurement, process improvement and standards work. She can be reached at: .
Michele Moss, CISSP, is an Associate at Booz Allen Hamilton who focuses on assisting organizations with maturing practices leveraging the CMMI and SSE-CMM. She can be contacted at: .
Keith Phillips is a Principal at Booz Allen Hamilton and a leader in the firm's Lean Six Sigma and continuous process improvement work. He can be contacted at: .
