The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/411912
WWW.ILTANET.ORG 27 These common security risks are often addressed within a proper desktop management program. Leveraging the Six Sigma framework to design this program forces it to be thoroughly vetted and designed to implement the appropriate controls. Let's walk through the very basic process of password resets to show how Six Sigma tools could be leveraged to maximize security. To be clear, re-engineering a discreet process of this scope normally would not be done independently but would be part of a broader initiative. We are zeroing in on this sub-process to show how Six Sigma works. One of the more common approaches to password resets is to provide a portal where users unable to access their corporate email accounts can request that a temporary password be sent to an alternative email address. During the first phase of a Six Sigma initiative, the project team maps steps of the existing processes. The password reset process map might look something like this: In subsequent project phases, the team evaluates the risk inherent in the process using tools like the Failure Modes and Effects Analysis (FMEA). The FMEA evolved from work done at NASA where the interest in preventing failures is extremely high. The FMEA identifies "failure modes" as ways in which processes could fail. For each process step, the project team evaluates what could go wrong. As failure modes are identified, they are evaluated across three different dimensions, typically on a scale of one to five: • The severity of the failure • The likelihood of occurrence • The probability anyone would detect the failure These three numbers are then multiplied to calculate a risk priority number (RPN): RPN = Severity * Occurrence * Detection Failure modes are prioritized in descending order based on their RPN. Those with higher RPNs are put at the top of the list, either the process is re-engineered or a control plan is put in place to mitigate the risk. Looking back to our password reset process, there are a few potential failure modes in step two. For example, a user's alternative email address could be compromised, or a hacker sniffing network traffic could intercept the unencrypted temporary password. user clicks "forgot password" link system emails temp password to alternate email user logs in with temporary password user resets password meeting requirements 1 2 3 4 Process Step: System emails temp password to alternative email Failure Mode: Temporary password has been intercepted by unauthorized user Effect of the Failure: Unauthorized user is able to gain access to the network Severity: 5 Cause: Alternative email account has been compromised Occurrence: 2 Current Controls: None Detection: 3 RPN 5 * 2 * 3 = 30 Remediation: Force user to answer challenge questions to initiate reset process The table below demonstrates what the FMEA output might look like for the scenario with the compromised alternative email account: Because Six Sigma forces practitioners to evaluate processes in a formal way and identify and prioritize risks systematically, it allows organizations to ensure all parts of processes are scrutinized and vetted by relevant stakeholders.