Optimization of Security Investment, and Recent Examples (Series)
Part 1: Purposeless PDCA Cycle
Masatoshi Hirota
Senior Consultant
Ryosuke Miura
Consultant
July 29, 2009 (Wednesday)
1. Introduction
Information security investment, which had been rising as a part of compliance requirements, is currently on a declining trend because of the protracted economic crisis. Yet companies still need to use and protect personal information and information assets, and to maintain and enhance corporate value. This series introduces examples, drawn from a long record of information security consulting, of optimizing investment and cutting costs by reexamining information security measures.
2. Example 1: Purposeless PDCA Cycle
The PDCA cycle is a four-stage process for continuous improvement: plan, do, check, and act. The following is an example of improving a PDCA cycle that lacked the goal of “continuous improvement.”
3. Background
Company A has been working to enhance its information security measures for several years. The measures implemented by Company A include:
1. Information security regulations established years ago, with regular training and internal inspection;
2. Information security software (encryption, etc.) installed on client PCs.
Despite these efforts, Company A has seen a spate of information security incidents such as lost equipment and misdirected e-mails. Company A is seeking to revise its information security regulations and improve the effectiveness of its information security.
4. Visualizing the current situation
By conducting a gap analysis and a risk analysis, FRI visualized Company A’s current situation and, after identifying the specific problems, proposed an approach for revising the information security regulations.
Gap analysis: a method for visualizing the gap between various standards and the existing information security regulations.
Risk analysis: a method for evaluating the confidentiality, integrity, and availability of information assets, and calculating a risk value in terms of threat and vulnerability.
The gap analysis showed that the implementation of measures (do) and the internal assessment (check) were clearly defined as part of a PDCA cycle. The risk analysis, however, showed that information assets with high risk values were scattered across the company and that adequate measures for them had not been implemented.
Together, the analyses identified the absence of the “act” stage of the PDCA cycle as Company A’s problem area. As a result, Company A was not implementing information security measures suited to the realities it faced: it followed the original process with passing the internal assessment as its only goal, and the information security committee simply reported the results of that assessment. FRI turned the PDCA cycle from a mere formality into a cycle aimed at continuous improvement by adding detailed “plan” and “act” processes to the regulations. With these processes in place, Company A could invest judiciously in information security to address the weak points identified by the internal assessment.
5. Conclusion
Many companies have established information security regulations and introduced information security products. Information security risks, however, become more sophisticated and diverse every year, and companies’ information assets and business patterns are constantly changing. Even if measures were appropriate at the time of implementation, in a PDCA cycle without the goal of “improvement” their effectiveness declines relative to the risks each year. To maintain effectiveness and enhance the return on limited information security investment, it is necessary to reconfirm the efficacy of the “plan” and “act” processes and to reexamine them so that continuous improvement becomes possible.
The next part of the series explains “selecting prohibitive rules” while touching on the effects of improved efficiency.
Related Service: Information Security
FRI’s information security consulting supports planning for the overall optimization of information security, including the response to risks such as leakage or falsification of the classified, personal, and other information that our customers hold.