
Continuous improvement

From the document Information Security (pages 195-200)

Process design and implementation

7.5 Continuous improvement

In the future, continuous-improvement activities will concentrate on improving the structure of the access-control data itself. The granularity of the data that administrators have to deal with will be reduced by packaging low-level access rights into commonly required functional groupings. These groupings will then be assigned to business roles. The underlying idea is to reduce the task of administering access rights to one of assigning business roles to users. As this is expected to involve a repackaging of all of the bank’s applications, it will be achieved gradually. Prioritization will be used to decide the order in which applications are aligned with this new standard.

The effect of improvement measures will be followed using the following metrics:

Percentage of urgent requests per week;

Number of requests processed per platform per week;

Number of dormant accounts at the end of each calendar month;

Percentage backlog per week;

Number of outstanding audit points.

The percentage of urgent requests per week will be used to ensure that this facility is not abused. Once this exceeds the 5% limit agreed with the business, it will be reported to stakeholders, who are then expected to correct the situation. Over time, the percentage of urgent requests should gradually diminish.

The number of requests per platform per week and the percentage backlog per week are indicators of how demand is changing and how well the procedure is coping with this change. By following these metrics it should be possible to anticipate problems and react accordingly (by requesting temporary help, for instance).

A dormant account is an account that is still enabled, but is no longer in active use. The number of dormant accounts and the number of outstanding audit points indicate how effective the procedure is at any given time. Both are expected to decrease as the procedure is improved.
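The metrics above, computed over constructed sample data, as an added example that is not part of the original text. The 5% urgent-request limit and the definition of a dormant account come from the text; the 90-day inactivity period, the backlog formula, and all names and records are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

URGENT_LIMIT_PCT = 5                 # limit agreed with the business (from the text)
DORMANT_AFTER = timedelta(days=90)   # assumption: the text sets no inactivity period

W1, W2 = date(2024, 1, 1), date(2024, 1, 8)   # two Mondays
# Constructed sample requests: (submitted, platform, urgent, closed or None)
REQUESTS = (
    [(W1, "mainframe", i == 0, W1 + timedelta(days=2)) for i in range(12)]
    + [(W1, "unix", False, None if i < 2 else W1 + timedelta(days=3)) for i in range(8)]
    + [(W2, "mainframe", i < 2, W2 + timedelta(days=1)) for i in range(10)]
    + [(W2, "unix", False, None if i < 5 else W2 + timedelta(days=4)) for i in range(10)]
)
# Constructed sample accounts: (name, enabled, last login or None)
ACCOUNTS = [
    ("alice", True, date(2024, 1, 10)),
    ("bob", True, date(2023, 6, 1)),      # enabled but unused: dormant
    ("carol", False, date(2023, 1, 1)),   # disabled: not dormant by the text's definition
    ("svc_old", True, None),              # enabled, never used: dormant
]

def week_start(d):
    return d - timedelta(days=d.weekday())

def weekly_metrics(requests):
    """Return {monday: metrics} for every week that received requests."""
    out = {}
    for monday in sorted({week_start(r[0]) for r in requests}):
        sunday = monday + timedelta(days=6)
        intake = [r for r in requests if week_start(r[0]) == monday]
        urgent = sum(1 for r in intake if r[2])
        # Assumed backlog definition: requests received so far and still open
        # at the end of the week, as a percentage of that week's intake.
        still_open = sum(1 for r in requests
                         if r[0] <= sunday and (r[3] is None or r[3] > sunday))
        out[monday] = {
            "urgent_pct": 100 * urgent / len(intake),
            "report_urgent": 100 * urgent > URGENT_LIMIT_PCT * len(intake),
            "per_platform": dict(Counter(r[1] for r in intake)),
            "backlog_pct": 100 * still_open / len(intake),
        }
    return out

def dormant_accounts(accounts, as_of):
    """Enabled accounts with no login within DORMANT_AFTER of as_of."""
    cutoff = as_of - DORMANT_AFTER
    return [name for name, enabled, last in accounts
            if enabled and (last is None or last < cutoff)]
```

A week at exactly 5% urgent requests is not reported, because the text reports only once the limit is exceeded; the comparison uses integers to avoid a floating-point edge at the boundary.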

Finally, feedback will be requested at regular intervals from stakeholders in order to ensure that staff members are comfortable with the procedure, both from a usability and a performance point of view.

7.6 Summary

Stable processes must support a reasonable level of productivity and satisfy the expectations of those staff members who work with them. In addition, processes will only remain stable in the face of changing requirements if they are flexible with respect to functional changes and are capable of scaling to meet projected volumes. When attempting to improve processes, it is helpful to decompose the process as a whole into its constituent procedures and supporting controls. The approach is then to prioritize procedures in terms of the issues they present and to improve those procedures most in need of attention.


Methods for improving procedures aim to improve some combination of productivity, adaptability, or acceptance. The major factors influencing productivity are effectiveness, efficiency, and cycle time. Effectiveness is often described as “doing the right thing,” whereas efficiency is “doing the thing right.” The cycle time of an activity measures how quickly inputs are transformed into outputs. Improving adaptability, on the other hand, involves introducing new flexibility or rendering the procedure more scalable.

Finally, acceptance is strongly driven by cultural issues and the ease with which the procedure can be understood. Several techniques have been presented for improving each of these aspects of a procedure.

The example of the authorization and access-control procedure of The Secure Bank was used to illustrate how to apply these ideas in practice. This involved identifying improvement measures and prioritizing them based on criteria agreed with stakeholders. In this example, user acceptance was by far the most important prioritization criterion, but this will vary from organization to organization. The implementation of the main ideas was carried out gradually in order to allow staff the time to become accustomed to the changes and to minimize risk. The entire process took 2 years to complete, but it should be borne in mind that this was a complex and highly visible procedure.
