The Project Management Institute defines risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.” Unpredictability in any direction — the hallmark of risk — is undesirable. Law firms often seek to bolster technology in order to lessen unpredictability, but it is not necessarily the technology that needs to be improved. It is time to dig deeper and use the power of Six Sigma to correct the root of the problem in your practice — the underlying processes that the technology supports.
Six Sigma is a statistically driven and disciplined framework that aims to improve processes, minimize errors/defects and reduce variations. An expert trained in the Six Sigma process governs both individual steps and the process as a whole by using a structured project plan that acts as a blueprint for implementing Six Sigma initiatives toward the goal of predictability. Six Sigma can be initiated both for new processes (i.e., design for Six Sigma) and for existing processes (i.e., improvement projects).
SIX SIGMA AND RISK MANAGEMENT
Protecting sensitive data is not only part of client expectations but mandated by ethics rules, creating the utmost accountability and pressure on law firms to implement preventive measures. According to the 2013 ILTA Technology Survey, security and risk management are among the top concerns for law firms, which handle sensitive client information, business strategies and intellectual property. This puts them at higher risk of inadvertently exposing sensitive data than companies in many other industries. Law enforcement has long worried that law firms are not doing enough to guard against intrusions by hackers. In fact, in 2011, the Federal Bureau of Investigation began organizing meetings with top law firms in major cities to highlight the issue of computer security and corporate espionage, according to “Law Firms Are Pressed on Security for Data,” an article that appeared in The New York Times in March 2014.
The Six Sigma methodology works directly to mitigate this risk. It provides a proven formula for achieving predictable outcomes as well as risk management tools to quantify and prioritize risks. IT departments that leverage the Six Sigma framework take a disciplined approach to managing change in their environments. Where risks are present, corresponding controls are implemented to ensure that processes are put in place to mitigate and offset those risks. In addition, the risks and controls are documented and vetted by key stakeholders, a feature which is foundational to any mature risk management program.
Whether they come internally or externally, risks to information security are always present and ever-changing. It is often the seemingly obvious and mundane areas of the IT environment that create the most risk, such as inadequate password policies or users running out-of-date software. While these gaps seem glaring to any seasoned security professional, they still persist in the legal services industry.
These common security risks are often addressed within a proper desktop management program. Leveraging the Six Sigma framework to design this program forces it to be thoroughly vetted and designed to implement the appropriate controls. Let’s walk through the very basic process of password resets to show how Six Sigma tools could be leveraged to maximize security. To be clear, re-engineering a discrete process of this scope normally would not be done independently but would be part of a broader initiative. We are zeroing in on this sub-process to show how Six Sigma works.
One of the more common approaches to password resets is to provide a portal where users unable to access their corporate email accounts can request that a temporary password be sent to an alternative email address. During the first phase of a Six Sigma initiative, the project team maps steps of the existing processes. The password reset process map might look something like this:
In subsequent project phases, the team evaluates the risk inherent in the process using tools like the Failure Modes and Effects Analysis (FMEA). The FMEA evolved from work done at NASA where the interest in preventing failures is extremely high. The FMEA identifies “failure modes” as ways in which processes could fail. For each process step, the project team evaluates what could go wrong. As failure modes are identified, they are evaluated across three different dimensions, typically on a scale of one to five:
- The severity of the failure
- The likelihood of occurrence
- The probability anyone would detect the failure
These three numbers are then multiplied to calculate a risk priority number (RPN):
RPN = Severity * Occurrence * Detection
Failure modes are prioritized in descending order based on their RPN. Those with higher RPNs are put at the top of the list, and either the process is re-engineered or a control plan is put in place to mitigate the risk.
Looking back to our password reset process, there are a few potential failure modes in step two. For example, a user’s alternative email address could be compromised, or a hacker sniffing network traffic could intercept the unencrypted temporary password.
Many risk management organizations establish RPN thresholds that require teams to implement controls or re-engineer processes for high-risk failure modes. If the organization in our example chose to implement risk mitigation for any RPN over 27, then the process would be re-engineered with an additional step to mitigate the risk by presenting challenge questions to the user, creating a two-factor authentication mechanism: something you have (i.e., access to the alternative email account) and something you know (i.e., answers to the challenge questions). The new password reset process would now have a new step two added to the workflow:
This simplistic example uses an easy-to-understand vulnerability to illustrate the tools that Six Sigma provides. The real value of the framework is derived when the tools are used to design processes with many moving parts and less obvious failure modes. Because Six Sigma forces practitioners to evaluate processes in a formal way and identify and prioritize risks systematically, it allows organizations to ensure all parts of processes are scrutinized and vetted by relevant stakeholders.
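As an added illustration (not part of the original article), the FMEA scoring, ranking and threshold check described above can be written as a small Python worksheet for the password reset process. All scores are constructed, the third failure mode is hypothetical, and a higher detection score is assumed to mean the failure is harder to detect.

```python
from dataclasses import dataclass, replace

RPN_THRESHOLD = 27  # the article's example: mitigate any failure mode with RPN over 27


@dataclass(frozen=True)
class FailureMode:
    step: int
    description: str
    severity: int    # 1 (minor) to 5 (severe)
    occurrence: int  # 1 (rare) to 5 (frequent)
    detection: int   # assumption: 1 (almost always caught) to 5 (rarely caught)

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            score = getattr(self, name)
            if not isinstance(score, int) or not 1 <= score <= 5:
                raise ValueError(f"{name} must be an integer from 1 to 5, got {score!r}")

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


def prioritize(modes, threshold=RPN_THRESHOLD):
    """Rank failure modes by descending RPN; flag those needing a control."""
    ranked = sorted(modes, key=lambda m: m.rpn, reverse=True)
    return [(m.description, m.rpn, m.rpn > threshold) for m in ranked]


# Constructed scores. The first two modes are the ones the article names for
# step two; the third is a hypothetical low-risk mode added for contrast.
mailbox = FailureMode(2, "alternative email account compromised", 5, 3, 4)
sniffed = FailureMode(2, "temporary password intercepted in transit", 5, 2, 4)
outage = FailureMode(1, "reset portal unavailable", 2, 2, 1)
before = [outage, sniffed, mailbox]

# Re-score after adding the challenge-question step (constructed): a stolen
# mailbox alone no longer completes a reset, so occurrence drops for that mode.
# The interception mode is left unchanged because this control does not
# encrypt the temporary password.
after = [outage, sniffed, replace(mailbox, occurrence=1)]

if __name__ == "__main__":
    for label, worksheet in (("before", before), ("after", after)):
        print(label)
        for description, rpn, needs_control in prioritize(worksheet):
            print(f"  RPN {rpn:>3}  {'MITIGATE' if needs_control else 'accept  '}  {description}")
```

Re-scoring the worksheet after each process change shows which failure modes a new control actually moves below the threshold and which still need their own mitigation.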
This article was first published in ILTA’s Fall 2014 issue of Peer to Peer titled “Security Is Everyone’s Business” and is reprinted here with permission. For more information about ILTA, visit www.iltanet.org.