Security Policy Management Process within Six Sigma Framework

This paper presents a management process for creating adaptive, real-time security policies within the Six Sigma (6σ) framework. A key challenge in creating such a management process is integrating it with models of known industrial processes. One of the most widely used industrial process models is Six Sigma, a business management model in which customer-centric needs are put in perspective with business data to create an efficient system. The security policy creation and management process proposed in this paper is based on the Six Sigma model and presents a method to adapt the security goals and risk management of a computing service. By formalizing a security policy management process within an industrial process model, the resulting model adapts seamlessly to existing industrial tools and offers a clear, risk-based policy decision framework. In particular, this paper presents the necessary tools and procedures to map the Six Sigma DMAIC (Define-Measure-Analyze-Improve-Control) methodology to security policy management.
