Whiteboard: How to Improve Your IT Security Policy: A Six Sigma Approach

You have a security policy. But is it effective? For many companies, chances are the answer is no; more likely, it is slowing down service, increasing costs and disrupting day-to-day operations. No wonder compliance is not what it should be. In truth, having a policy that is not aligned with business needs may be worse than having none at all: the illusion of security is no match for the real thing.

How do you make sure your security policy is assignable, executable, enforceable and measurable, as it must be to be effective? One approach is to apply the Six Sigma methodology used for quality improvement to managing IT security. By paying attention to the customer (the people whom a process or product is supposed to benefit), the Six Sigma approach identifies where security falls short, singles out the causes and makes it possible to measure whether you are making progress in solving the problem. (The term Sigma is used to mean deviations from the norm, or defects; Six Sigma means only 3.4 defects per million products or process cycles.)

In this whiteboard, Gary Lynch and Karen Avery of Booz Allen Hamilton show readers how to apply one of the most important Six Sigma tools, the “DMAIC” process (define, measure, analyze, improve, control), to troubleshoot and improve their security policy. The whiteboard uses the example of a fictitious pharmaceutical company that is struggling to enforce its security rules. By applying Six Sigma, CIOs like our “Jane Doe” can not only discover the reasons their security policy isn’t working, but also identify what’s needed to make it far more effective.

The whiteboard comprises four PDF pages that can be printed out on standard 8.5″ x 11″ paper. Download now.

After printing the pages, arrange the segments to fashion the whiteboard. You can also download a single-page whiteboard, suitable for screen viewing or for printing on poster board.